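With binwalk I got strange output. Here is the binwalk output (uploaded to pastebin): http://pastebin.com/raw.php?i=yVZFGZT6
You can see there are many lines, including mcrypt, RSA and others, but the firmware is not encrypted. Checking the hex of the file as well, I can see the following, which as far as I know is related to U-Boot: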
000006f0 55 55 55 55 66 66 66 66 77 77 77 77 88 88 88 88 |UUUUffffwwww....|
These other two lines show some squashfs headers:
0151d040 45 3d cd 28 88 4f 39 80 68 73 71 73 bc 4f 39 80 |E=.(.O9.hsqs.O9.|
02557250 8a f3 0d 00 68 73 71 73 90 f3 0d 00 72 65 65 62 |....hsqs....reeb|
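In addition, I can see other CPIO-related lines, but I don't know how to split this file into extractable pieces.
The firmware image can be downloaded here: http://software.gopro.com/Firmware/HD2/HD2-firmware.bin
Answer #1
The strings indicate that this is using the UbiFS filesystem:
$ strings HD2-firmware.bin | grep -i ubifs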
console=tty0 lpj=2334720 ubi.mtd=lnx root=ubi0:linux rootfstype=ubifs
LNX_VIF="../../../src/linuxinfo/ubifs.info"
CONFIG_BOSS_SECONDARY_CMDLINE="console=tty0 lpj=2334720 ubi.mtd=lnx root=ubi0:linux rootfstype=ubifs"
console=tty0 lpj=2334720 ubi.mtd=lnx root=ubi0:linux rootfstype=ubifs
The UbiFS super magic bytes (0x24051905, see http://www.cs.fsu.edu/~baker/devices/lxr/http/source/linux/fs/ubifs/ubifs.h) can be seen in only two places:
$ binwalk -m ubifs.sig HD2-firmware.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
23734456 0x16A28B8 UbiFS, little endian
23741868 0x16A45AC UbiFS, little endian
For reference, the contents of ubifs.sig are:
0 lelong 0x24051905 UbiFS, little endian
0 belong 0x24051905 UbiFS, big endian
EDIT:
The above appear to be false positives. After creating my own UbiFS image, the hexdump looks like this:
00000000 31 18 10 06 dc 6a 3b 2d 4e 00 00 00 00 00 00 00 |1....j;-N.......|
00000010 00 10 00 00 06 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 02 00 00 00 00 02 00 0d 00 00 00 64 00 00 00 |............d...|
00000030 00 00 16 00 00 00 00 00 04 00 00 00 02 00 00 00 |................|
00000040 01 00 00 00 01 00 00 00 08 00 00 00 00 01 00 00 |................|
00000050 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 ca 9a 3b fb 7e 13 36 |...........;.~.6|
00000070 91 29 47 3b 8b dd 46 95 27 cc 8a 30 00 00 00 00 |.)G;..F.'..0....|
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
00020000 31 18 10 06 4a 3d 6b 5a 4f 00 00 00 00 00 00 00 |1...J=kZO.......|
00020010 00 02 00 00 07 00 00 00 45 00 00 00 00 00 00 00 |........E.......|
00020020 00 00 00 00 00 00 00 00 02 00 00 00 03 00 00 00 |................|
00020030 0c 00 00 00 d8 05 00 00 bc 00 00 00 0b 00 00 00 |................|
00020040 0c 00 00 00 00 08 00 00 98 06 00 00 00 00 00 00 |................|
00020050 00 26 05 00 00 00 00 00 38 03 00 00 00 00 00 00 |.&......8.......|
00020060 30 d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |0...............|
00020070 00 24 00 00 00 00 00 00 07 00 00 00 2a 00 00 00 |.$..........*...|
00020080 07 00 00 00 00 02 00 00 07 00 00 00 36 00 00 00 |............6...|
00020090 00 00 00 00 00 00 00 00 0a 00 00 00 01 00 00 00 |................|
000200a0 01 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 |................|
000200b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00020200 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
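Note the little-endian magic number at the start of each node: 0x06101831. This pattern appears in the GoPro firmware, and it looks like the UbiFS image may start at 0x22C6100; however, I was unable to mount either my UbiFS image (created with mkfs.ubifs) or the one in the GoPro firmware, so I can't verify that this is correct.
Answer #2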
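Binwalk always produces false positives, especially for LZMA and the like. What you can do is use the -M option to try to binwalk through multiple layers, and you can also use the -r option to remove files that did not decompress well.
Comments
I already tried that, but apart from two folders, /root (empty) and /dev, it gave me unknown files. I also found this script gist.github.com/nezza/2394361, which splits the firmware into several images that cannot be decompressed. According to some strings, the GoPro Hero3+ uses this technology, and its processor is an ARM ambarella.com/uploads/docs/A7LS-Brief-121713.pdf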
– Nucklear
Nov 3, 2014 at 12:52
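Comments
Great answer. I can identify "31 18 10 06" twice in the original GoPro firmware, but I can't see those references at 0x22C6100. Also, after extracting the UbiFS image from the firmware, I tried to break it open following the instructions at elinux.org/UBIFS#Mounting_UBI_Image_on_PC_using_nandsim, but without success.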
– Nucklear
Nov 3, 2014 at 16:18
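An added example, not part of the original answers or comments: one way to tell real UbiFS nodes from bare-magic false positives like those discussed in answer #1 is to validate the CRC in the 24-byte common header that begins with the 0x06101831 magic. The header layout and CRC convention follow the Linux kernel's UbiFS on-media format; the function names are hypothetical and the sample blob is constructed, not taken from the GoPro firmware.

```python
import struct
import zlib

UBIFS_NODE_MAGIC = 0x06101831          # stored little-endian: 31 18 10 06
CH = struct.Struct("<IIQIBB2x")        # magic, crc, sqnum, len, node_type, group_type
NODE_TYPES = {6: "superblock", 7: "master"}  # the two types visible in the dump above

def ubifs_crc(data):
    # UBIFS uses CRC-32 seeded with 0xFFFFFFFF and no final inversion,
    # which is zlib's CRC-32 with the final XOR undone.
    return zlib.crc32(data) ^ 0xFFFFFFFF

def find_ubifs_nodes(blob, max_len=1 << 20):
    """Return (offset, node_type, length) for every magic hit whose header CRC verifies."""
    hits = []
    needle = struct.pack("<I", UBIFS_NODE_MAGIC)
    pos = blob.find(needle)
    while pos != -1:
        if pos + CH.size <= len(blob):
            magic, crc, sqnum, length, ntype, gtype = CH.unpack_from(blob, pos)
            end = pos + length
            # The CRC covers everything after the magic and crc fields.
            if CH.size <= length <= max_len and end <= len(blob) \
                    and ubifs_crc(blob[pos + 8:end]) == crc:
                hits.append((pos, ntype, length))
        pos = blob.find(needle, pos + 1)
    return hits

def make_node(ntype, sqnum, payload):
    """Build a constructed test node with a valid header (not real firmware data)."""
    length = CH.size + len(payload)
    body = struct.pack("<QIBB2x", sqnum, length, ntype, 0) + payload
    return struct.pack("<II", UBIFS_NODE_MAGIC, ubifs_crc(body)) + body

def sample_blob():
    # Constructed input: padding, a bare magic (false positive), then two valid nodes.
    bare = struct.pack("<I", UBIFS_NODE_MAGIC) + b"\x55" * 28
    return (b"\xff" * 16 + bare + make_node(6, 0x4E, b"\x00" * 40)
            + b"\xff" * 8 + make_node(7, 0x4F, b"\x00" * 64))

if __name__ == "__main__":
    for off, ntype, length in find_ubifs_nodes(sample_blob()):
        print(f"0x{off:08X} type={ntype} ({NODE_TYPES.get(ntype, 'other')}) len={length}")
```

To run it against a real image, pass the file's bytes to find_ubifs_nodes; offsets that survive the CRC check are far stronger candidates than raw signature matches.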