破解完光猫不过隐,继续琢磨,查了些智能设备安全的教程,分析智能设备或嵌入式设备安全,第一步是要提取固件,所以接下来要提取固件了。
通过/proc虚拟文件系统读取MTD分区表:
/ # cat /proc/mtd
dev: size erasesize name
mtd0: 08000000 00020000 "whole flash"
mtd1: 00200000 00020000 "u-boot"
mtd2: 00400000 00020000 "parameter tags"
mtd3: 01400000 00020000 "kernel0"
mtd4: 00400000 00020000 "middleware"
mtd5: 00800000 00020000 "usercfg"
mtd6: 01400000 00020000 "kernel1"
mtd7: 00600000 00020000 "others"
mtd8: 00400000 00020000 "wlan"
这就是所有的分区内容了
需要使用 dd 命令依次取出这些分区里的内容
光猫自带的busybox 没有 dd 命令,所以需要去busybox官网下载一个
查看光猫 CPU 信息
/ # cat /proc/cpuinfo
Processor : ARMv7 Processor rev 1 (v7l)
BogoMIPS : 1599.07
Features : swp half fastmult edsp
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x4
CPU part : 0xc09
CPU revision : 1
Hardware : HGU
Revision : 0000
Serial : 0000000000000000
/ #
注意到 Processor 为 ARMv7 Processor rev 1 (v7l)
因此得下载 arm v7l 版本的 busybox
下载了官网最新版本的busybox传上去发现运行不了
最后发现 1.21.1 版本可用
下载下来以后,在文件所在目录开启 HTTP Server
python3 -m http.server 9001
然后把 busybox 下载进光猫里
cd /tmp
wget http://192.168.1.3:9001/busybox-armv7l
chmod +x busybox-armv7l
mv busybox-armv7l busybox看看下载进去的 busybox 和自带的差别:
这是自带的
/ # busybox
BusyBox v1.01 (2016.02.25-00:51+0000) multi-call binary
Usage: busybox [function] [arguments]...
or: [function] [arguments]...
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as!
Currently defined functions:
[, ash, awk, brctl, busybox, cat, chmod, cp, cut, date, df, echo,
egrep, free, fuser, getty, grep, hexdump, hostname, ifconfig,
init, insmod, kill, killall, linuxrc, ln, login, ls, lsmod, mkdir,
mknod, mount, mv, passwd, ping, ping6, ps, pwd, reboot, rm, rmdir,
rmmod, sed, sh, sleep, sync, test, tftp, top, traceroute, umount,
wget
/ #
这是下载进去的
/ # cd /tmp
/var/tmp # ./busybox
BusyBox v1.21.1 (2013-07-08 10:26:30 CDT) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2012.
Licensed under GPLv2. See source distribution for detailed
copyright notices.
Usage: busybox [function [arguments]...]
or: busybox --list[-full]
or: busybox --install [-s] [DIR]
or: function [arguments]...
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.
Currently defined functions:
[, [[, acpid, add-shell, addgroup, adduser, adjtimex, arp, arping, ash, awk, base64, basename, beep, blkid, blockdev, bootchartd, brctl, bunzip2, bzcat, bzip2,
cal, cat, catv, chat, chattr, chgrp, chmod, chown, chpasswd, chpst, chroot, chrt, chvt, cksum, clear, cmp, comm, conspy, cp, cpio, crond, crontab, cryptpw,
cttyhack, cut, date, dc, dd, deallocvt, delgroup, deluser, depmod, devmem, df, dhcprelay, diff, dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap,
dumpleases, echo, ed, egrep, eject, env, envdir, envuidgid, ether-wake, expand, expr, fakeidentd, false, fbset, fbsplash, fdflush, fdformat, fdisk, fgconsole,
fgrep, find, findfs, flock, fold, free, freeramdisk, fsck, fsck.minix, fsync, ftpd, ftpget, ftpput, fuser, getopt, getty, grep, groups, gunzip, gzip, halt, hd,
hdparm, head, hexdump, hostid, hostname, httpd, hush, hwclock, id, ifconfig, ifdown, ifenslave, ifplugd, ifup, inetd, init, insmod, install, ionice, iostat, ip,
ipaddr, ipcalc, ipcrm, ipcs, iplink, iproute, iprule, iptunnel, kbd_mode, kill, killall, killall5, klogd, last, less, linux32, linux64, linuxrc, ln, loadfont,
loadkmap, logger, login, logname, logread, losetup, lpd, lpq, lpr, ls, lsattr, lsmod, lsof, lspci, lsusb, lzcat, lzma, lzop, lzopcat, makedevs, makemime, man,
md5sum, mdev, mesg, microcom, mkdir, mkdosfs, mke2fs, mkfifo, mkfs.ext2, mkfs.minix, mkfs.vfat, mknod, mkpasswd, mkswap, mktemp, modinfo, modprobe, more, mount,
mountpoint, mpstat, mt, mv, nameif, nanddump, nandwrite, nbd-client, nc, netstat, nice, nmeter, nohup, nslookup, ntpd, od, openvt, passwd, patch, pgrep, pidof,
ping, ping6, pipe_progress, pivot_root, pkill, pmap, popmaildir, poweroff, powertop, printenv, printf, ps, pscan, pstree, pwd, pwdx, raidautorun, rdate, rdev,
readahead, readlink, readprofile, realpath, reboot, reformime, remove-shell, renice, reset, resize, rev, rm, rmdir, rmmod, route, rpm, rpm2cpio, rtcwake,
run-parts, runlevel, runsv, runsvdir, rx, script, scriptreplay, sed, sendmail, seq, setarch, setconsole, setfont, setkeycodes, setlogcons, setserial, setsid,
setuidgid, sh, sha1sum, sha256sum, sha3sum, sha512sum, showkey, slattach, sleep, smemcap, softlimit, sort, split, start-stop-daemon, stat, strings, stty, su,
sulogin, sum, sv, svlogd, swapoff, swapon, switch_root, sync, sysctl, syslogd, tac, tail, tar, tcpsvd, tee, telnet, telnetd, test, tftp, tftpd, time, timeout, top,
touch, tr, traceroute, traceroute6, true, tty, ttysize, tunctl, udhcpc, udhcpd, udpsvd, umount, uname, unexpand, uniq, unix2dos, unlzma, unlzop, unxz, unzip,
uptime, users, usleep, uudecode, uuencode, vconfig, vi, vlock, volname, wall, watch, watchdog, wc, wget, which, who, whoami, whois, xargs, xz, xzcat, yes, zcat,
zcip
/var/tmp #
自带的 busybox 命令真是少的可怜~
我本机是 MacOS,MacOS 自带 tftp
Macos搭建 tftp 服务器教程:https://www.tunnelsup.com/using-the-built-in-macos-ftp-tftp-sftp-and-http-servers/
根据 /proc/mtd 文件的内容依次拷贝
第一个/dev/mtd0 为80M
看下文件系统的大小
/var/tmp # df -k
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/mtdblock2 4096 448 3648 11% /tagparam
tmpfs 15360 1204 14156 8% /var
/dev/mtdblock5 8192 1036 7156 13% /userconfig
/dev/mtdblock4 4096 384 3712 9% /usr/local/ct
/dev/mtdblock8 4096 388 3708 9% /wlan/tmp 目录才15Mib,因此 /dev/mtd0 得分割后才能提取
从/dev/mtd1开启拷贝
cd /tmp
dd if=/dev/mtd1 of=/tmp/u-boot.bin # 打包分区
tftp -l u-boot.bin -p 192.168.1.3 # 上传打包的分区到本地 tftp 服务器
rm u-boot.bin # 空间太小,每次传输完都得删除
dd if=/dev/mtd1 of=/tmp/parameter-tags.bin
tftp -l parameter-tags.bin -p 192.168.1.3
rm parameter-tags.bin
...至此,除了 mtd0 其他的都已传输完毕
现在来分割拷贝并传输 mtd0
从/proc/mtd 文件里看到 mtd0 文件大小为 80 Mib, 因此分割成8块,每块 10 Mib
./busybox dd if=/dev/mtd0 bs=1000 count=10000 skip=0 of=/tmp/wf-0-10M.bin
tftp -l wf-0-10M.bin -p 192.168.1.3
rm wf-0-10M.bin
./busybox dd if=/dev/mtd0 bs=1000 count=10000 skip=10000 of=/tmp/wf-10-20M.bin
tftp -l wf-10-20M.bin -p 192.168.1.3
rm wf-10-20M.bin
./busybox dd if=/dev/mtd0 bs=1000 count=10000 skip=20000 of=/tmp/wf-20-30M.bin
tftp -l wf-20-30M.bin -p 192.168.1.3
rm wf-20-30M.bin
./busybox dd if=/dev/mtd0 bs=1000 count=10000 skip=30000 of=/tmp/wf-30-40M.bin
tftp -l wf-30-40M.bin -p 192.168.1.3
rm wf-30-40M.bin
./busybox dd if=/dev/mtd0 bs=1000 count=10000 skip=40000 of=/tmp/wf-40-50M.bin
tftp -l wf-40-50M.bin -p 192.168.1.3
rm wf-40-50M.bin
./busybox dd if=/dev/mtd0 bs=1000 count=10000 skip=50000 of=/tmp/wf-50-60M.bin
tftp -l wf-50-60M.bin -p 192.168.1.3
rm wf-50-60M.bin
./busybox dd if=/dev/mtd0 bs=1000 count=10000 skip=60000 of=/tmp/wf-60-70M.bin
tftp -l wf-60-70M.bin -p 192.168.1.3
rm wf-60-70M.bin
./busybox dd if=/dev/mtd0 bs=1000 count=10000 skip=70000 of=/tmp/wf-70-80M.bin
tftp -l wf-70-80M.bin -p 192.168.1.3
rm wf-70-80M.bin然后对这8个文件在本地对文件进行合并
cat wf-0-10M.bin wf-10-20M.bin wf-20-30M.bin wf-30-40M.bin wf-40-50M.bin wf-50-60M.bin wf-60-70M.bin wf-70-80M.bin > whole-flash.bin
这下所有的固件都齐了,放进kali开始分析
以下是我在Kali下的操作记录
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc
╰─➤ ls -l
total 124784
-rw-r----- 1 root root 8155136 Dec 1 00:47 kernel0.bin
-rw-r----- 1 root root 10256384 Dec 1 00:56 kernel1.bin
-rw-r----- 1 root root 4194304 Dec 1 00:49 middleware.bin
-rw-r----- 1 root root 6291456 Dec 1 00:58 others.bin
-rw-r----- 1 root root 4194304 Dec 1 00:44 parameter-tags.bin
-rw-r----- 1 root root 2097152 Dec 1 00:41 u-boot.bin
-rw-r----- 1 root root 8388608 Dec 1 00:53 usercfg.bin
-rw-r----- 1 root root 80000000 Dec 1 12:42 whole-flash.bin
-rw-r----- 1 root root 4194304 Dec 1 00:59 wlan.bin
使用 binwalk 分析 whole-flash.bin
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc
╰─➤ binwalk whole-flash.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1689 0x699 Certificate in DER format (x509 v3), header length: 4, sequence length: 5396
159612 0x26F7C CRC32 polynomial table, little endian
2097408 0x200100 uImage header, header size: 64 bytes, header CRC: 0x332602C5, created: 2016-02-25 00:59:49, image size: 12144690 bytes, Data Address: 0x40008000, Entry Point: 0x40008000, data CRC: 0x20BB2B28, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: gzip, image name: "Linux Kernel Image"
2097472 0x200140 gzip compressed data, maximum compression, has original file name: "Image", from Unix, last modified: 2016-02-25 00:59:43
23068928 0x1600100 uImage header, header size: 64 bytes, header CRC: 0x332602C5, created: 2016-02-25 00:59:49, image size: 12144690 bytes, Data Address: 0x40008000, Entry Point: 0x40008000, data CRC: 0x20BB2B28, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: gzip, image name: "Linux Kernel Image"
23068992 0x1600140 gzip compressed data, maximum compression, has original file name: "Image", from Unix, last modified: 2016-02-25 00:59:43
54263808 0x33C0000 JFFS2 filesystem, little endian
最后一行显示是 JFFS2 文件系统,我们需要对固件里的文件进行分析,因此需要提取出此块里的文件。
这时用 binwalk 分析 usercfg.bin 发现
usercfg.bin 就是这个文件系统
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc
╰─➤ binwalk usercfg.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
786432 0xC0000 JFFS2 filesystem, little endian
提取 usercfg.bin 里的文件
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc
╰─➤ binwalk -Me usercfg.bin
Scan Time: 2018-12-01 12:54:13
Target File: /root/Router/ZTE-F460-V6.0.0P11T2sc/usercfg.bin
MD5 Checksum: 83fe2ce976b1382b84503de6b748b1ef
Signatures: 386
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
786432 0xC0000 JFFS2 filesystem, little endian
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc
╰─➤ ls
kernel0.bin kernel1.bin middleware.bin others.bin parameter-tags.bin u-boot.bin usercfg.bin _usercfg.bin.extracted whole-flash.bin wlan.bin
提取到 _usercfg.bin.extracted 目录里了
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc
╰─➤ ls _usercfg.bin.extracted
C0000.jffs2 jffs2-root
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc/_usercfg.bin.extracted
╰─➤ file C0000.jffs2
C0000.jffs2: Linux jffs2 filesystem data little endian
使用 jffs2_mount_mtdram.sh 在 Kali 挂载 C0000.jffs2 文件
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc/_usercfg.bin.extracted
╰─➤ vim jffs2_mount_mtdram.sh
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc/_usercfg.bin.extracted
╰─➤ chmod +x jffs2_mount_mtdram.sh 130 ↵
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc/_usercfg.bin.extracted
╰─➤ ./jffs2_mount_mtdram.sh C0000.jffs2 /mnt/jffs2 256 130 ↵
/mnt/jffs2 is not a valid mount point
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc/_usercfg.bin.extracted
╰─➤ mkdir -p /mnt/jffs2 1 ↵
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc/_usercfg.bin.extracted
╰─➤ ./jffs2_mount_mtdram.sh C0000.jffs2 /mnt/jffs2 256
14848+0 records in
14848+0 records out
7602176 bytes (7.6 MB, 7.2 MiB) copied, 0.103973 s, 73.1 MB/s
Successfully mounted C0000.jffs2 on /mnt/jffs2
提取成功,进目录里看下有哪些文件
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc/_usercfg.bin.extracted
╰─➤ ls /mnt/jffs2
cfg env_param flag_type onurestartcnt.txt slog Vlog
╭─root@kali ~/Router/ZTE-F460-V6.0.0P11T2sc/_usercfg.bin.extracted
╰─➤ cd /mnt/jffs2
╭─root@kali /mnt/jffs2
╰─➤ ls
cfg env_param flag_type onurestartcnt.txt slog Vlog
╭─root@kali /mnt/jffs2
╰─➤ ls -R
.:
cfg env_param flag_type onurestartcnt.txt slog Vlog
./cfg:
db_backup_cfg.xml db_default_cfg.xml db_user_cfg.xml log logconf
./slog:
tr069
./slog/tr069:
itms_record1-50.txt.zlib itms_record1-70.txt.zlib itms_record1-78.txt.zlib itms_record1-83.txt.zlib
itms_record1-59.txt.zlib itms_record1-74.txt.zlib itms_record1-79.txt.zlib itms_record1-90.txt
╭─root@kali /mnt/jffs2
╰─➤
里面文件很少,比 telnet 里看到的还要少,我估计是因为系统正在运行提取不完吧!
does this also apply to firmware 5 and below?