我正在尝试提取GoPro hero 3+相机固件,但从binwalk获得了奇怪的输出。

这是binwalk输出(已上传到pastebin):

http://pastebin.com/raw.php?i=yVZFGZT6

您可以看到有很多行,包括mcrypt,RSA和其他行,但是固件未加密。同样检查文件的十六进制,我可以看到以下内容:据我所知,这与UBoot有关。

000006f0  55 55 55 55 66 66 66 66  77 77 77 77 88 88 88 88  |UUUUffffwwww....|


这另外两行显示了一些squashfs标头:

0151d040  45 3d cd 28 88 4f 39 80  68 73 71 73 bc 4f 39 80  |E=.(.O9.hsqs.O9.|
02557250  8a f3 0d 00 68 73 71 73  90 f3 0d 00 72 65 65 62  |....hsqs....reeb|


此外,我可以看到其他与CPIO相关的行,但我不知道如何分隔此文件成可提取的片段。

可在此处下载固件映像:http://software.gopro.com/Firmware/HD2/HD2-firmware.bin

#1 楼

字符串表明这是在使用UbiFS文件系统:

$ strings HD2-firmware.bin | grep -i ubifs
console=tty0  lpj=2334720 ubi.mtd=lnx root=ubi0:linux rootfstype=ubifs
LNX_VIF="../../../src/linuxinfo/ubifs.info"
CONFIG_BOSS_SECONDARY_CMDLINE="console=tty0  lpj=2334720 ubi.mtd=lnx root=ubi0:linux rootfstype=ubifs"
console=tty0  lpj=2334720 ubi.mtd=lnx root=ubi0:linux rootfstype=ubifs


在只有两个地方可以看到UbiFS超级魔术字节(0x24051905,请参见http://www.blogs.com。 cs.fsu.edu/~baker/devices/lxr/http/source/linux/fs/ubifs/ubifs.h):

$ binwalk -m ubifs.sig HD2-firmware.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
23734456      0x16A28B8       UbiFS, little endian
23741868      0x16A45AC       UbiFS, little endian


作为参考,其内容ubifs.sig的特征是:

0   lelong  0x24051905      UbiFS, little endian
0   belong  0x24051905      UbiFS, big endian


编辑:

以上似乎是错误的肯定。创建我自己的UbiFS映像后,十六进制显示如下:

00000000  31 18 10 06 dc 6a 3b 2d  4e 00 00 00 00 00 00 00  |1....j;-N.......|
00000010  00 10 00 00 06 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 02 00 00 00 00 02 00  0d 00 00 00 64 00 00 00  |............d...|
00000030  00 00 16 00 00 00 00 00  04 00 00 00 02 00 00 00  |................|
00000040  01 00 00 00 01 00 00 00  08 00 00 00 00 01 00 00  |................|
00000050  04 00 00 00 01 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 ca 9a 3b fb 7e 13 36  |...........;.~.6|
00000070  91 29 47 3b 8b dd 46 95  27 cc 8a 30 00 00 00 00  |.)G;..F.'..0....|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00020000  31 18 10 06 4a 3d 6b 5a  4f 00 00 00 00 00 00 00  |1...J=kZO.......|
00020010  00 02 00 00 07 00 00 00  45 00 00 00 00 00 00 00  |........E.......|
00020020  00 00 00 00 00 00 00 00  02 00 00 00 03 00 00 00  |................|
00020030  0c 00 00 00 d8 05 00 00  bc 00 00 00 0b 00 00 00  |................|
00020040  0c 00 00 00 00 08 00 00  98 06 00 00 00 00 00 00  |................|
00020050  00 26 05 00 00 00 00 00  38 03 00 00 00 00 00 00  |.&......8.......|
00020060  30 d0 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |0...............|
00020070  00 24 00 00 00 00 00 00  07 00 00 00 2a 00 00 00  |.$..........*...|
00020080  07 00 00 00 00 02 00 00  07 00 00 00 36 00 00 00  |............6...|
00020090  00 00 00 00 00 00 00 00  0a 00 00 00 01 00 00 00  |................|
000200a0  01 00 00 00 0d 00 00 00  00 00 00 00 00 00 00 00  |................|
000200b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00020200  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|


请注意每个节点开头的小端魔术数字:0x06101831

此模式出现在GoPro固件中,看起来UbiFS映像可能始于0x22C6100;但是,我无法挂载我的UbiFS映像(使用mkfs.ubifs创建)或GoPro固件中的映像,因此无法验证这是正确的。

评论

很棒的答案。我可以在原始gopro固件上识别出2次“ 31 18 10 06”,但在0x22C6100上看不到那些引用。另外,从固件中提取了UbiFS映像后,我尝试按照此说明elinux.org/UBIFS#Mounting_UBI_Image_on_PC_using_nandsim对其进行破坏,但没有成功。

– Nucklear
2014年11月3日在16:18

#2 楼

Binwalk总是会出现误报,尤其是对于Lzma等。您可以做的是使用-M选项尝试对多个图层进行binwalk,还可以使用-r选项删除解压缩效果不佳的文件。

评论

我已经尝试过了,但是除了两个文件夹/ root(空)和/ dev之外,它给了我未知的文件。我还找到了此脚本gist.github.com/nezza/2394361,该脚本将固件拆分为多个无法解压缩的映像。根据一些字符串,GoPro Hero3 +使用了该技术,其处理器是ARM​​ ambarella.com/uploads/docs/A7LS-Brief-121713.pdf

– Nucklear
2014年11月3日12:52