Skip to content

Instantly share code, notes, and snippets.

@Malayke
Last active July 6, 2022 16:19
Show Gist options
  • Save Malayke/2f4d2177949614a888c573703822913f to your computer and use it in GitHub Desktop.
Save Malayke/2f4d2177949614a888c573703822913f to your computer and use it in GitHub Desktop.
中兴 F460 电信光猫固件提取

破解完光猫不过隐,继续琢磨,查了些智能设备安全的教程,分析智能设备或嵌入式设备安全,第一步是要提取固件,所以接下来要提取固件了。

通过/proc虚拟文件系统读取MTD分区表:

/ # cat /proc/mtd
dev:    size   erasesize  name
mtd0: 08000000 00020000 "whole flash"
mtd1: 00200000 00020000 "u-boot"
mtd2: 00400000 00020000 "parameter tags"
mtd3: 01400000 00020000 "kernel0"
mtd4: 00400000 00020000 "middleware"
mtd5: 00800000 00020000 "usercfg"
mtd6: 01400000 00020000 "kernel1"
mtd7: 00600000 00020000 "others"
mtd8: 00400000 00020000 "wlan"

这就是所有的分区内容了

需要使用 dd 命令依次取出这些分区里的内容

1. 下载较新版本的busybox

光猫自带的busybox 没有 dd 命令,所以需要去busybox官网下载一个

查看光猫 CPU 信息

/ # cat /proc/cpuinfo
Processor       : ARMv7 Processor rev 1 (v7l)
BogoMIPS        : 1599.07
Features        : swp half fastmult edsp
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x4
CPU part        : 0xc09
CPU revision    : 1

Hardware        : HGU
Revision        : 0000
Serial          : 0000000000000000
/ #

注意到 ProcessorARMv7 Processor rev 1 (v7l)

因此得下载 arm v7l 版本的 busybox

下载了官网最新版本的busybox传上去发现运行不了

最后发现 1.21.1 版本可用

下载下来以后,在文件所在目录开启 HTTP Server

python3 -m http.server 9001

然后把 busybox 下载进光猫里

cd /tmp
wget http://192.168.1.3:9001/busybox-armv7l
chmod +x busybox-armv7l
mv busybox-armv7l busybox

看看下载进去的 busybox 和自带的差别:

这是自带的

/ # busybox
BusyBox v1.01 (2016.02.25-00:51+0000) multi-call binary

Usage: busybox [function] [arguments]...
   or: [function] [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as!

Currently defined functions:
        [, ash, awk, brctl, busybox, cat, chmod, cp, cut, date, df, echo,
        egrep, free, fuser, getty, grep, hexdump, hostname, ifconfig,
        init, insmod, kill, killall, linuxrc, ln, login, ls, lsmod, mkdir,
        mknod, mount, mv, passwd, ping, ping6, ps, pwd, reboot, rm, rmdir,
        rmmod, sed, sh, sleep, sync, test, tftp, top, traceroute, umount,
        wget

/ #

这是下载进去的

/ # cd /tmp
/var/tmp # ./busybox
BusyBox v1.21.1 (2013-07-08 10:26:30 CDT) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2012.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]...]
   or: busybox --list[-full]
   or: busybox --install [-s] [DIR]
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as.

Currently defined functions:
        [, [[, acpid, add-shell, addgroup, adduser, adjtimex, arp, arping, ash, awk, base64, basename, beep, blkid, blockdev, bootchartd, brctl, bunzip2, bzcat, bzip2,
        cal, cat, catv, chat, chattr, chgrp, chmod, chown, chpasswd, chpst, chroot, chrt, chvt, cksum, clear, cmp, comm, conspy, cp, cpio, crond, crontab, cryptpw,
        cttyhack, cut, date, dc, dd, deallocvt, delgroup, deluser, depmod, devmem, df, dhcprelay, diff, dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap,
        dumpleases, echo, ed, egrep, eject, env, envdir, envuidgid, ether-wake, expand, expr, fakeidentd, false, fbset, fbsplash, fdflush, fdformat, fdisk, fgconsole,
        fgrep, find, findfs, flock, fold, free, freeramdisk, fsck, fsck.minix, fsync, ftpd, ftpget, ftpput, fuser, getopt, getty, grep, groups, gunzip, gzip, halt, hd,
        hdparm, head, hexdump, hostid, hostname, httpd, hush, hwclock, id, ifconfig, ifdown, ifenslave, ifplugd, ifup, inetd, init, insmod, install, ionice, iostat, ip,
        ipaddr, ipcalc, ipcrm, ipcs, iplink, iproute, iprule, iptunnel, kbd_mode, kill, killall, killall5, klogd, last, less, linux32, linux64, linuxrc, ln, loadfont,
        loadkmap, logger, login, logname, logread, losetup, lpd, lpq, lpr, ls, lsattr, lsmod, lsof, lspci, lsusb, lzcat, lzma, lzop, lzopcat, makedevs, makemime, man,
        md5sum, mdev, mesg, microcom, mkdir, mkdosfs, mke2fs, mkfifo, mkfs.ext2, mkfs.minix, mkfs.vfat, mknod, mkpasswd, mkswap, mktemp, modinfo, modprobe, more, mount,
        mountpoint, mpstat, mt, mv, nameif, nanddump, nandwrite, nbd-client, nc, netstat, nice, nmeter, nohup, nslookup, ntpd, od, openvt, passwd, patch, pgrep, pidof,
        ping, ping6, pipe_progress, pivot_root, pkill, pmap, popmaildir, poweroff, powertop, printenv, printf, ps, pscan, pstree, pwd, pwdx, raidautorun, rdate, rdev,
        readahead, readlink, readprofile, realpath, reboot, reformime, remove-shell, renice, reset, resize, rev, rm, rmdir, rmmod, route, rpm, rpm2cpio, rtcwake,
        run-parts, runlevel, runsv, runsvdir, rx, script, scriptreplay, sed, sendmail, seq, setarch, setconsole, setfont, setkeycodes, setlogcons, setserial, setsid,
        setuidgid, sh, sha1sum, sha256sum, sha3sum, sha512sum, showkey, slattach, sleep, smemcap, softlimit, sort, split, start-stop-daemon, stat, strings, stty, su,
        sulogin, sum, sv, svlogd, swapoff, swapon, switch_root, sync, sysctl, syslogd, tac, tail, tar, tcpsvd, tee, telnet, telnetd, test, tftp, tftpd, time, timeout, top,
        touch, tr, traceroute, traceroute6, true, tty, ttysize, tunctl, udhcpc, udhcpd, udpsvd, umount, uname, unexpand, uniq, unix2dos, unlzma, unlzop, unxz, unzip,
        uptime, users, usleep, uudecode, uuencode, vconfig, vi, vlock, volname, wall, watch, watchdog, wc, wget, which, who, whoami, whois, xargs, xz, xzcat, yes, zcat,
        zcip

/var/tmp #

自带的 busybox 命令真是少的可怜~

2. 本地搭建 tftp 服务

我本机是 MacOSMacOS 自带 tftp

Macos搭建 tftp 服务器教程:https://www.tunnelsup.com/using-the-built-in-macos-ftp-tftp-sftp-and-http-servers/

3. 拷贝固件

根据 /proc/mtd 文件的内容依次拷贝

第一个/dev/mtd080M

看下文件系统的大小

/var/tmp # df -k
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/mtdblock2            4096       448      3648  11% /tagparam
tmpfs                    15360      1204     14156   8% /var
/dev/mtdblock5            8192      1036      7156  13% /userconfig
/dev/mtdblock4            4096       384      3712   9% /usr/local/ct
/dev/mtdblock8            4096       388      3708   9% /wlan

/tmp 目录才15Mib,因此 /dev/mtd0 得分割后才能提取

/dev/mtd1开启拷贝

cd /tmp
dd if=/dev/mtd1 of=/tmp/u-boot.bin    # 打包分区
tftp -l u-boot.bin -p 192.168.1.3     # 上传打包的分区到本地 tftp 服务器
rm u-boot.bin                         # 空间太小,每次传输完都得删除

dd if=/dev/mtd1 of=/tmp/parameter-tags.bin
tftp -l parameter-tags.bin -p 192.168.1.3
rm parameter-tags.bin

...

至此,除了 mtd0 其他的都已传输完毕

现在来分割拷贝并传输 mtd0

/proc/mtd 文件里看到 mtd0 文件大小为 80 Mib, 因此分割成8块,每块 10 Mib

./busybox dd if=/dev/mtd0 bs=1000 count=10000 skip=0  of=/tmp/wf-0-10M.bin
tftp -l wf-0-10M.bin -p 192.168.1.3
rm wf-0-10M.bin

./busybox dd if=/dev/mtd0 bs=1000 count=10000 skip=10000  of=/tmp/wf-10-20M.bin
tftp -l wf-10-20M.bin -p 192.168.1.3
rm wf-10-20M.bin

./busybox dd if=/dev/mtd0 bs=1000 count=10000 skip=20000  of=/tmp/wf-20-30M.bin
tftp -l wf-20-30M.bin -p 192.168.1.3
rm wf-20-30M.bin

./busybox dd if=/dev/mtd0 bs=1000 count=10000 skip=30000  of=/tmp/wf-30-40M.bin
tftp -l wf-30-40M.bin -p 192.168.1.3
rm wf-30-40M.bin

./busybox dd if=/dev/mtd0 bs=1000 count=10000 skip=40000  of=/tmp/wf-40-50M.bin
tftp -l wf-40-50M.bin -p 192.168.1.3
rm wf-40-50M.bin

./busybox dd if=/dev/mtd0 bs=1000 count=10000 skip=50000  of=/tmp/wf-50-60M.bin
tftp -l wf-50-60M.bin -p 192.168.1.3
rm wf-50-60M.bin

./busybox dd if=/dev/mtd0 bs=1000 count=10000 skip=60000  of=/tmp/wf-60-70M.bin
tftp -l wf-60-70M.bin -p 192.168.1.3
rm wf-60-70M.bin

./busybox dd if=/dev/mtd0 bs=1000 count=10000 skip=70000  of=/tmp/wf-70-80M.bin
tftp -l wf-70-80M.bin -p 192.168.1.3
rm wf-70-80M.bin

然后对这8个文件在本地对文件进行合并

cat wf-0-10M.bin wf-10-20M.bin wf-20-30M.bin wf-30-40M.bin wf-40-50M.bin wf-50-60M.bin wf-60-70M.bin wf-70-80M.bin > whole-flash.bin

这下所有的固件都齐了,放进kali开始分析

以下是我在Kali下的操作记录

╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc  
╰─➤  ls -l          
total 124784
-rw-r----- 1 root root  8155136 Dec  1 00:47 kernel0.bin
-rw-r----- 1 root root 10256384 Dec  1 00:56 kernel1.bin
-rw-r----- 1 root root  4194304 Dec  1 00:49 middleware.bin
-rw-r----- 1 root root  6291456 Dec  1 00:58 others.bin
-rw-r----- 1 root root  4194304 Dec  1 00:44 parameter-tags.bin
-rw-r----- 1 root root  2097152 Dec  1 00:41 u-boot.bin
-rw-r----- 1 root root  8388608 Dec  1 00:53 usercfg.bin
-rw-r----- 1 root root 80000000 Dec  1 12:42 whole-flash.bin
-rw-r----- 1 root root  4194304 Dec  1 00:59 wlan.bin

使用 binwalk 分析 whole-flash.bin

╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc  
╰─➤  binwalk whole-flash.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1689          0x699           Certificate in DER format (x509 v3), header length: 4, sequence length: 5396
159612        0x26F7C         CRC32 polynomial table, little endian
2097408       0x200100        uImage header, header size: 64 bytes, header CRC: 0x332602C5, created: 2016-02-25 00:59:49, image size: 12144690 bytes, Data Address: 0x40008000, Entry Point: 0x40008000, data CRC: 0x20BB2B28, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: gzip, image name: "Linux Kernel Image"
2097472       0x200140        gzip compressed data, maximum compression, has original file name: "Image", from Unix, last modified: 2016-02-25 00:59:43
23068928      0x1600100       uImage header, header size: 64 bytes, header CRC: 0x332602C5, created: 2016-02-25 00:59:49, image size: 12144690 bytes, Data Address: 0x40008000, Entry Point: 0x40008000, data CRC: 0x20BB2B28, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: gzip, image name: "Linux Kernel Image"
23068992      0x1600140       gzip compressed data, maximum compression, has original file name: "Image", from Unix, last modified: 2016-02-25 00:59:43
54263808      0x33C0000       JFFS2 filesystem, little endian

最后一行显示是 JFFS2 文件系统,我们需要对固件里的文件进行分析,因此需要提取出此块里的文件。

这时用 binwalk 分析 usercfg.bin 发现

usercfg.bin 就是这个文件系统

╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc  
╰─➤  binwalk usercfg.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
786432        0xC0000         JFFS2 filesystem, little endian

提取 usercfg.bin 里的文件

╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc  
╰─➤  binwalk -Me usercfg.bin 

Scan Time:     2018-12-01 12:54:13
Target File:   /root/Router/ZTE-F460-V6.0.0P11T2sc/usercfg.bin
MD5 Checksum:  83fe2ce976b1382b84503de6b748b1ef
Signatures:    386

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
786432        0xC0000         JFFS2 filesystem, little endian

╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc  
╰─➤  ls
kernel0.bin  kernel1.bin  middleware.bin  others.bin  parameter-tags.bin  u-boot.bin  usercfg.bin  _usercfg.bin.extracted  whole-flash.bin  wlan.bin

提取到 _usercfg.bin.extracted 目录里了

╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc  
╰─➤  ls _usercfg.bin.extracted 
C0000.jffs2  jffs2-root
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc/_usercfg.bin.extracted  
╰─➤  file C0000.jffs2  
C0000.jffs2: Linux jffs2 filesystem data little endian

4. Linux 系统挂载 jffs2 格式的文件

使用 jffs2_mount_mtdram.shKali 挂载 C0000.jffs2 文件

╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc/_usercfg.bin.extracted  
╰─➤  vim jffs2_mount_mtdram.sh
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc/_usercfg.bin.extracted  
╰─➤  chmod +x jffs2_mount_mtdram.sh                                                                                                                                           130 ↵
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc/_usercfg.bin.extracted  
╰─➤  ./jffs2_mount_mtdram.sh C0000.jffs2 /mnt/jffs2 256                                                                                                         130 ↵
/mnt/jffs2 is not a valid mount point
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc/_usercfg.bin.extracted  
╰─➤  mkdir -p /mnt/jffs2                                                                                                                                          1 ↵
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc/_usercfg.bin.extracted  
╰─➤  ./jffs2_mount_mtdram.sh C0000.jffs2 /mnt/jffs2 256
14848+0 records in
14848+0 records out
7602176 bytes (7.6 MB, 7.2 MiB) copied, 0.103973 s, 73.1 MB/s
Successfully mounted C0000.jffs2 on /mnt/jffs2

提取成功,进目录里看下有哪些文件

╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc/_usercfg.bin.extracted  
╰─➤  ls /mnt/jffs2
cfg  env_param  flag_type  onurestartcnt.txt  slog  Vlog
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc/_usercfg.bin.extracted  
╰─➤  cd /mnt/jffs2 
╭─root@kali /mnt/jffs2  
╰─➤  ls
cfg  env_param  flag_type  onurestartcnt.txt  slog  Vlog
╭─root@kali /mnt/jffs2  
╰─➤  ls -R
.:
cfg  env_param  flag_type  onurestartcnt.txt  slog  Vlog

./cfg:
db_backup_cfg.xml  db_default_cfg.xml  db_user_cfg.xml  log  logconf

./slog:
tr069

./slog/tr069:
itms_record1-50.txt.zlib  itms_record1-70.txt.zlib  itms_record1-78.txt.zlib  itms_record1-83.txt.zlib
itms_record1-59.txt.zlib  itms_record1-74.txt.zlib  itms_record1-79.txt.zlib  itms_record1-90.txt
╭─root@kali /mnt/jffs2  
╰─➤  

里面文件很少,比 telnet 里看到的还要少,我估计是因为系统正在运行提取不完吧!

@novriyantoAli
Copy link

does this also apply to firmware 5 and below?

@Malayke
Copy link
Author

Malayke commented Apr 23, 2022

does this also apply to firmware 5 and below?

Sorry for late reply, I’m not sure version 5 and below work or not

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment