Firmware hangout
The basics
The file in question is smtS7800RelUSB.img
ubuntu@develop:~/horizon$ binwalk smtS7800RelUSB.img
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
228 0xE4 uImage header, header size: 64 bytes, header CRC: 0xEE79DA0E, created: Mon Nov 7 13:55:52 2011, image size: 3609769 bytes, Data Address: 0x80800000, Entry Point: 0x80801000, data CRC: 0xD73D5AFE, OS: Linux, CPU: SuperH, image type: OS Kernel Image, compression type: gzip, image name: "Linux 2.6"
292 0x124 gzip compressed data, maximum compression, has original file name: "vmlinux.bin", from Unix, last modified: Mon Nov 7 13:55:51 2011
4194432 0x400080 Squashfs filesystem, little endian, version 3.0, size: 17997506 bytes, 1785 inodes, blocksize: 65536 bytes, created: Fri Aug 31 11:20:09 2012
Extracting each part gives:
# in a gzip stream, any bytes that follow are ignored during decompression, so I do not set count= ...
ubuntu@develop:~/horizon$ dd bs=1 skip=292 if=smtS7800RelUSB.img of=vmlinux.bin.gz
4194140+0 records in
4194140+0 records out
4194140 bytes (4.2 MB) copied, 6.16165 s, 681 kB/s
ubuntu@develop:~/horizon$ dd bs=1 skip=4194432 if=smtS7800RelUSB.img of=squash.fs
17998016+0 records in
17998016+0 records out
17998016 bytes (18 MB) copied, 25.8338 s, 697 kB/s
ubuntu@develop:~/horizon$ gzip -d vmlinux.bin.gz
gzip: vmlinux.bin.gz: decompression OK, trailing garbage ignored
ubuntu@develop:~/horizon$ ls -l
-rw-rw-r-- 1 ubuntu ubuntu 17998016 Oct 21 11:57 squash.fs
-rw-rw-r-- 1 ubuntu ubuntu 5664068 Oct 21 11:59 vmlinux.bin
Interim summary
ubuntu@develop:~/horizon$ file squash.fs
squash.fs: Squashfs filesystem, little endian, version 3.0, 17997506 bytes, 1785 inodes, blocksize: 65536 bytes, created: Fri Aug 31 11:20:09 2012
ubuntu@develop:~/horizon$ file vmlinux.bin
vmlinux.bin: data
So I have a squashfs filesystem and a binary file. With a utility I can extract the filesystem:
ubuntu@develop:~/horizon$ ls -l squashfs-root/
total 60
drwxr-xr-x 2 ubuntu ubuntu 4096 Aug 31 2012 bin
drwxr-xr-x 13 ubuntu ubuntu 4096 Aug 31 2012 dev
drwxr-xr-x 8 ubuntu ubuntu 4096 Aug 31 2012 etc
drwxr-xr-x 2 ubuntu ubuntu 4096 Mar 3 2010 home
drwxr-xr-x 2 ubuntu ubuntu 4096 Aug 31 2012 lib
lrwxrwxrwx 1 ubuntu ubuntu 11 Oct 21 12:08 linuxrc -> bin/busybox
drwxr-xr-x 10 ubuntu ubuntu 4096 Aug 31 2012 mnt
drwxr-xr-x 4 ubuntu ubuntu 4096 Aug 31 2012 opt
drwxr-xr-x 2 ubuntu ubuntu 4096 Mar 3 2010 proc
drw-r--r-- 2 ubuntu ubuntu 4096 Aug 31 2012 resources0
drwxr-xr-x 2 ubuntu ubuntu 4096 Mar 3 2010 root
drwxr-xr-x 2 ubuntu ubuntu 4096 Aug 31 2012 sbin
drwxr-xr-x 2 ubuntu ubuntu 4096 Mar 3 2010 sys
drwxr-xr-x 2 ubuntu ubuntu 4096 Mar 3 2010 tmp
drwxr-xr-x 6 ubuntu ubuntu 4096 Mar 16 2010 usr
drwxr-xr-x 2 ubuntu ubuntu 4096 Mar 4 2010 var
And apparently, in the other file, we find:
ubuntu@develop:~/horizon$ binwalk vmlinux.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
918184 0xE02A8 CramFS filesystem, little endian size 589833 version #2 CRC 0x2fc62fb6, edition 1833119702, 1641230310 blocks, 1903972130 files
3526656 0x35D000 Linux kernel version "2.6.23.17_stm23_A19-MB680_7105-STSDK (root@build01) (gcc versioSTSDK (root@build01) (gcc version 4.2.4 (snapshot) (STMicroelec"
4446948 0x43DAE4 ELF 32-bit LSB shared object, Hitachi SH, version 1 (SYSV)
4464640 0x442000 gzip compressed data, maximum compression, from Unix, last modified: Mon Nov 7 13:51:27 2011
- The first (CramFS) must be a "false positive", because I doubt the filesystem contains 1'903'972'130 files.
- This one, on the other hand, is surely a Linux kernel built for an SH4 architecture.
- This is a Hitachi SH4 library
- This is a cpio file
ubuntu@develop:~/horizon$ binwalk cpio
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ASCII cpio archive (SVR4 with no CRC), file name: "/dev", file name length: "0x00000005", file size: "0x00000000"
116 0x74 ASCII cpio archive (SVR4 with no CRC), file name: "/dev/console", file name length: "0x0000000D", file size: "0x00000000"
240 0xF0 ASCII cpio archive (SVR4 with no CRC), file name: "/dev/ttyAS0", file name length: "0x0000000C", file size: "0x00000000"
364 0x16C ASCII cpio archive (SVR4 with no CRC), file name: "/dev/root", file name length: "0x0000000A", file size: "0x00000000"
484 0x1E4 ASCII cpio archive (SVR4 with no CRC), file name: "/dev/null", file name length: "0x0000000A", file size: "0x00000000"
604 0x25C ASCII cpio archive (SVR4 with no CRC), file name: "/dev/sda2", file name length: "0x0000000A", file size: "0x00000000"
724 0x2D4 ASCII cpio archive (SVR4 with no CRC), file name: "/dev/bml0", file name length: "0x0000000A", file size: "0x00000000"
844 0x34C ASCII cpio archive (SVR4 with no CRC), file name: "/dev/bml0/4", file name length: "0x0000000C", file size: "0x00000000"
968 0x3C8 ASCII cpio archive (SVR4 with no CRC), file name: "/dev/bml0/6", file name length: "0x0000000C", file size: "0x00000000"
1092 0x444 ASCII cpio archive (SVR4 with no CRC), file name: "/root", file name length: "0x00000006", file size: "0x00000000"
1208 0x4B8 ASCII cpio archive (SVR4 with no CRC), file name: "/sbin", file name length: "0x00000006", file size: "0x00000000"
1324 0x52C ASCII cpio archive (SVR4 with no CRC), file name: "/bin", file name length: "0x00000005", file size: "0x00000000"
1440 0x5A0 ASCII cpio archive (SVR4 with no CRC), file name: "/lib", file name length: "0x00000005", file size: "0x00000000"
1556 0x614 ASCII cpio archive (SVR4 with no CRC), file name: "/lib/modules", file name length: "0x0000000D", file size: "0x00000000"
1680 0x690 ASCII cpio archive (SVR4 with no CRC), file name: "/bin/busybox", file name length: "0x0000000D", file size: "0x00083D24"
541744 0x84430 ASCII cpio archive (SVR4 with no CRC), file name: "/init", file name length: "0x00000006", file size: "0x000001AD"
542292 0x84654 ASCII cpio archive (SVR4 with no CRC), file name: "/lib/libc-2.6.1.so", file name length: "0x00000013", file size: "0x0012F1C2"
1783964 0x1B389C ASCII cpio archive (SVR4 with no CRC), file name: "/lib/ld-2.6.1.so", file name length: "0x00000011", file size: "0x0001C2CC"
1899496 0x1CFBE8 ASCII cpio archive (SVR4 with no CRC), file name: "/lib/libcrypt.so.1", file name length: "0x00000013", file size: "0x0000559A"
1921544 0x1D5208 ASCII cpio archive (SVR4 with no CRC), file name: "/lib/modules/xsr.ko", file name length: "0x00000014", file size: "0x00033FF4"
2134656 0x209280 ASCII cpio archive (SVR4 with no CRC), file name: "/lib/modules/xsr_stl.ko", file name length: "0x00000018", file size: "0x0001F70C"
2263572 0x228A14 ASCII cpio archive (SVR4 with no CRC), file name: "/lib/ld-linux.so.2", file name length: "0x00000013", file size: "0x00000011"
2263724 0x228AAC ASCII cpio archive (SVR4 with no CRC), file name: "/lib/libc.so.6", file name length: "0x0000000F", file size: "0x00000013"
2263872 0x228B40 ASCII cpio archive (SVR4 with no CRC), file name: "/sbin/init", file name length: "0x0000000B", file size: "0x0000000D"
2264012 0x228BCC ASCII cpio archive (SVR4 with no CRC), file name: "/bin/sh", file name length: "0x00000008", file size: "0x0000000D"
2264148 0x228C54 ASCII cpio archive (SVR4 with no CRC), file name: "/bin/mknod", file name length: "0x0000000B", file size: "0x0000000D"
2264288 0x228CE0 ASCII cpio archive (SVR4 with no CRC), file name: "/bin/cut", file name length: "0x00000009", file size: "0x0000000D"
2264424 0x228D68 ASCII cpio archive (SVR4 with no CRC), file name: "/bin/mount", file name length: "0x0000000B", file size: "0x0000000D"
2264564 0x228DF4 ASCII cpio archive (SVR4 with no CRC), file name: "/bin/insmod", file name length: "0x0000000C", file size: "0x0000000D"
2264704 0x228E80 ASCII cpio archive (SVR4 with no CRC), file name: "/bin/ls", file name length: "0x00000008", file size: "0x0000000D"
2264840 0x228F08 ASCII cpio archive (SVR4 with no CRC), file name: "/bin/mkdir", file name length: "0x0000000B", file size: "0x0000000D"
2264980 0x228F94 ASCII cpio archive (SVR4 with no CRC), file name: "/bin/pivot_root", file name length: "0x00000010", file size: "0x0000000D"
2265124 0x229024 ASCII cpio archive (SVR4 with no CRC), file name: "/bin/rm", file name length: "0x00000008", file size: "0x0000000D"
2265260 0x2290AC ASCII cpio archive (SVR4 with no CRC), file name: "/bin/cat", file name length: "0x00000009", file size: "0x0000000D"
2265396 0x229134 ASCII cpio archive (SVR4 with no CRC), file name: "/bin/umount", file name length: "0x0000000C", file size: "0x0000000D"
2265536 0x2291C0 ASCII cpio archive (SVR4 with no CRC), file name: "/bin/kill", file name length: "0x0000000A", file size: "0x0000000D"
2265672 0x229248 ASCII cpio archive (SVR4 with no CRC), file name: "/bin/ps", file name length: "0x00000008", file size: "0x0000000D"
2265808 0x2292D0 ASCII cpio archive (SVR4 with no CRC), file name: "/bin/switch_root", file name length: "0x00000011", file size: "0x0000000D"
2265952 0x229360 ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000"
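Every name in this archive is absolute ("/dev", "/bin/busybox"), so an unpacker that honours absolute names would write into the analysis host's own /bin and /dev rather than a working directory. The following added example, not part of the original notes, walks the SVR4 "newc" records the way the listing above does and maps each name to a path relative to the extraction directory; `list_newc`, `safe_relpath` and `make_entry` are hypothetical names, and `SAMPLE` is a constructed archive whose modes and contents are assumptions.

```python
import stat

MAGIC = b"070701"  # SVR4 "newc" ASCII cpio without CRC
KINDS = {stat.S_IFDIR: "dir", stat.S_IFREG: "file", stat.S_IFLNK: "symlink",
         stat.S_IFCHR: "chardev", stat.S_IFBLK: "blockdev"}


def safe_relpath(name):
    """Strip leading slashes so the entry stays under the extraction directory."""
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise ValueError("path traversal in %r" % name)
    return "/".join(parts)


def list_newc(blob):
    """Return (offset, relative path, kind, data size) per entry, up to TRAILER!!!."""
    pos, out = 0, []
    while True:
        hdr = blob[pos:pos + 110]
        if len(hdr) < 110 or hdr[:6] != MAGIC:
            raise ValueError("bad newc header at offset %d" % pos)
        # 13 fields of 8 hex digits follow the magic; 1=mode, 6=filesize, 11=namesize
        mode, size, namesize = (int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in (1, 6, 11))
        name_end = pos + 110 + namesize  # namesize counts the trailing NUL
        name = blob[pos + 110:name_end - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":
            return out
        data_start = (name_end + 3) & ~3  # header + name are padded to 4 bytes
        if data_start + size > len(blob):
            raise ValueError("entry %r runs past the end of the archive" % name)
        out.append((pos, safe_relpath(name), KINDS.get(stat.S_IFMT(mode), "other"), size))
        pos = (data_start + size + 3) & ~3  # file data is padded to 4 bytes as well


def make_entry(name, mode, data=b""):
    """Build one newc record for the constructed sample below."""
    raw = name.encode() + b"\x00"
    vals = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(raw), 0]
    rec = MAGIC + b"".join(b"%08X" % v for v in vals) + raw
    rec += bytes(-len(rec) % 4) + data
    return rec + bytes(-len(rec) % 4)


SAMPLE = b"".join([  # constructed archive using names from the listing above
    make_entry("/dev", 0o040755), make_entry("/dev/console", 0o020600),
    make_entry("/bin/busybox", 0o100755, b"\x7fELF.."),
    make_entry("/bin/sh", 0o120777, b"/bin/busybox"), make_entry("TRAILER!!!", 0)])
```

For a symlink entry the data bytes are the link target, which needs the same treatment as the name before anything is written to disk.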
Question: how can all of this be used to build an SH4 "virtual machine" using qemu-sh4?
In this file from the squashfs-root filesystem, we find the following:
strings ./squashfs-root/usr/bin/Application.elf
blablabla
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDaMIJrUzOKQ0OiaNvAdHi11h7wOxFmF84sWLB7dKu2Y1yHPPiU
...
...
eg+4DhvSK5fwgb4JnaBPDl0FYz+qvP6Vd/YYhsgSqc7n
-----END RSA PRIVATE KEY-----
I put the ... in myself; the key is complete. !?
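A private key stored in clear inside a shipped binary is the same in every copy of that firmware, so a firmware review should inventory such keys across the whole extracted tree rather than spotting them by hand with strings. The following is an added example, not part of the original notes: it reports where each PEM private-key block sits and a short digest for comparing images, without printing key material. `scan_file`, `scan_tree` and `build_sample_tree` are hypothetical names, and the sample tree is constructed with a dummy body that is not a key.

```python
import base64
import hashlib
import os
import re

# Matches traditional (RSA/EC/DSA) and PKCS#8 PEM armour; \1 pairs BEGIN with END.
PEM_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY)-----"
    rb"(.{1,16384}?)-----END \1-----", re.DOTALL)


def scan_file(path):
    """Return one finding per embedded private key, without echoing key bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    for m in PEM_RE.finditer(data):
        kind, body = m.group(1).decode(), m.group(2)
        protected = kind.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in body
        findings.append({
            "path": path, "offset": m.start(), "kind": kind,
            "passphrase_protected": protected,
            # Short digest only: enough to tell whether two images ship the same key.
            "digest": hashlib.sha256(b"".join(body.split())).hexdigest()[:16],
        })
    return findings


def scan_tree(root):
    """Scan every regular file under an extracted root filesystem."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                findings.extend(scan_file(path))
    return findings


def build_sample_tree(root):
    """Constructed stand-in for squashfs-root: a fake binary holding a dummy PEM block."""
    body = base64.b64encode(b"constructed sample, not key material " * 3)
    pem = b"-----BEGIN RSA PRIVATE KEY-----\n" + body + b"\n-----END RSA PRIVATE KEY-----\n"
    os.makedirs(os.path.join(root, "usr", "bin"))
    path = os.path.join(root, "usr", "bin", "Application.elf")
    with open(path, "wb") as fh:
        fh.write(b"\x7fELF" + bytes(60) + b"blablabla\x00" + pem + bytes(16))
    return path
```

Symlinks are skipped on purpose: in an extracted firmware tree an absolute link such as /bin/busybox resolves on the analysis host, not inside the image.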
How can the UPnP protocol open ports on my WiFi access point?