HiWiFi (极路由) firmware structure analysis
一、Introduction
A new year brings a fresh start: last year I dug into a lot of techniques, and this year I intend to keep going.
In the previous article, 《hiwifi极路由开启隐藏ssh探秘》 (exploring the hidden SSH on the HiWiFi router), we looked into the router's hidden SSH feature and worked out how to enable it. This time we analyse its firmware image.
二、Preliminary analysis
The official site is no longer reachable, so the firmware has to come from elsewhere; fortunately I had archived a copy, and that is the one used here. The model is again the HC5861, and the build analysed is version 20180310.
With the image in hand, the first step is a binwalk scan.
$ binwalk HC5861-sysupgrade-20180310-c38d25c4.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
117520 0x1CB10 U-Boot version string, "U-Boot 1.1.3 (Mar 10 2018 - 04:33:21)"
120824 0x1D7F8 Unix path: /ixkdiBM86Bo8Y2SbxNkrbmPPd/JSOFpt1CMgDW/np3ALiwCRmsr/4/rsIYFFOfATnQTxfHgkWaXadlIa5/CBw9dveJyTkAZellnuk/7g8T5wagt3+70e3kJAKEMozUR
124887 0x1E7D7 HTML document header
127941 0x1F3C5 Unix path: /ixkdiBM86Bo8Y2SbxNkrbmPPd/JSOFpt1CMgDW/np3ALiwCRmsr/4/rsIYFFOfATnQTxfHgkWaXadlIa5/CBw9dveJyTkAZellnuk/7g8T5wagt3+70e3kJAKEMozUR
133533 0x2099D HTML document footer
133635 0x20A03 HTML document header
136689 0x215F1 Unix path: /ixkdiBM86Bo8Y2SbxNkrbmPPd/JSOFpt1CMgDW/np3ALiwCRmsr/4/rsIYFFOfATnQTxfHgkWaXadlIa5/CBw9dveJyTkAZellnuk/7g8T5wagt3+70e3kJAKEMozUR
142960 0x22E70 HTML document footer
143059 0x22ED3 HTML document header
146113 0x23AC1 Unix path: /ixkdiBM86Bo8Y2SbxNkrbmPPd/JSOFpt1CMgDW/np3ALiwCRmsr/4/rsIYFFOfATnQTxfHgkWaXadlIa5/CBw9dveJyTkAZellnuk/7g8T5wagt3+70e3kJAKEMozUR
151298 0x24F02 HTML document footer
151411 0x24F73 HTML document header
151699 0x25093 HTML document footer
327680 0x50000 uImage header, header size: 64 bytes, header CRC: 0x44132B81, created: 2018-03-09 20:51:37, image size: 1121959 bytes, Data Address: 0x80000000, Entry Point: 0x80000000, data CRC: 0xC34344A2, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "HC5861"
327744 0x50040 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 3333004 bytes
1507454 0x17007E xz compressed data
1614226 0x18A192 xz compressed data
1707378 0x1A0D72 xz compressed data
1787038 0x1B449E xz compressed data
1874598 0x1C9AA6 xz compressed data
1912210 0x1D2D92 xz compressed data
1972038 0x1E1746 xz compressed data
2065050 0x1F829A xz compressed data
2119486 0x20573E xz compressed data
2184202 0x21540A xz compressed data
2265186 0x229062 xz compressed data
2352382 0x23E4FE xz compressed data
2437818 0x2532BA xz compressed data
2474314 0x25C14A xz compressed data
2551354 0x26EE3A xz compressed data
2634134 0x283196 xz compressed data
2714682 0x296C3A xz compressed data
2794698 0x2AA4CA xz compressed data
2874706 0x2BDD52 xz compressed data
2974722 0x2D6402 xz compressed data
3042010 0x2E6ADA xz compressed data
3097838 0x2F44EE xz compressed data
3172558 0x3068CE xz compressed data
3250498 0x319942 xz compressed data
3320062 0x32A8FE xz compressed data
3382130 0x339B72 xz compressed data
3441506 0x348362 xz compressed data
3502130 0x357032 xz compressed data
3528258 0x35D642 xz compressed data
3587042 0x36BBE2 xz compressed data
3640398 0x378C4E xz compressed data
3722554 0x38CD3A xz compressed data
3759254 0x395C96 xz compressed data
3822314 0x3A52EA xz compressed data
3872758 0x3B17F6 xz compressed data
3943650 0x3C2CE2 xz compressed data
4001634 0x3D0F62 xz compressed data
4065350 0x3E0846 xz compressed data
4121126 0x3EE226 xz compressed data
4145078 0x3F3FB6 xz compressed data
4185990 0x3FDF86 xz compressed data
4242082 0x40BAA2 xz compressed data
4298442 0x4196CA xz compressed data
4356554 0x4279CA xz compressed data
4422030 0x43798E xz compressed data
4482610 0x446632 xz compressed data
4561710 0x459B2E xz compressed data
4649802 0x46F34A xz compressed data
4726642 0x481F72 xz compressed data
4752770 0x488582 xz compressed data
4809818 0x49645A xz compressed data
4885530 0x4A8C1A xz compressed data
4913702 0x4AFA26 xz compressed data
4988382 0x4C1DDE xz compressed data
5046818 0x4D0222 xz compressed data
5104826 0x4DE4BA xz compressed data
5183306 0x4F174A xz compressed data
5200246 0x4F5976 xz compressed data
5250450 0x501D92 xz compressed data
5317526 0x512396 xz compressed data
5400066 0x526602 xz compressed data
5481882 0x53A59A xz compressed data
5561922 0x54DE42 xz compressed data
5657854 0x5654FE xz compressed data
5680554 0x56ADAA xz compressed data
5745878 0x57ACD6 xz compressed data
5796210 0x587172 xz compressed data
5811838 0x58AE7E xz compressed data
5881994 0x59C08A xz compressed data
5931070 0x5A803E xz compressed data
6015930 0x5BCBBA xz compressed data
6051794 0x5C57D2 xz compressed data
6122394 0x5D6B9A xz compressed data
6209642 0x5EC06A xz compressed data
6281278 0x5FD83E xz compressed data
6363926 0x611B16 xz compressed data
6451210 0x62700A xz compressed data
6544886 0x63DDF6 xz compressed data
6553122 0x63FE22 xz compressed data
6642202 0x655A1A xz compressed data
6726130 0x66A1F2 xz compressed data
6816170 0x6801AA xz compressed data
6832550 0x6841A6 xz compressed data
6902442 0x6952AA xz compressed data
6964826 0x6A465A xz compressed data
7062162 0x6BC292 xz compressed data
7163282 0x6D4D92 xz compressed data
7215738 0x6E1A7A xz compressed data
7290014 0x6F3C9E xz compressed data
7361134 0x70526E xz compressed data
7437002 0x717ACA xz compressed data
7523642 0x72CD3A xz compressed data
7543710 0x731B9E xz compressed data
7620994 0x744982 xz compressed data
7669778 0x750812 xz compressed data
7725446 0x75E186 xz compressed data
7782626 0x76C0E2 xz compressed data
7800938 0x77086A xz compressed data
7861094 0x77F366 xz compressed data
7939310 0x7924EE xz compressed data
7982402 0x79CD42 xz compressed data
8072586 0x7B2D8A xz compressed data
8137838 0x7C2C6E xz compressed data
8229502 0x7D927E xz compressed data
8323522 0x7F01C2 xz compressed data
8406834 0x804732 xz compressed data
8420130 0x807B22 xz compressed data
8458702 0x8111CE xz compressed data
8538090 0x8247EA xz compressed data
8631054 0x83B30E xz compressed data
8696738 0x84B3A2 xz compressed data
8785162 0x860D0A xz compressed data
8869314 0x8755C2 xz compressed data
8903194 0x87DA1A xz compressed data
8938982 0x8865E6 xz compressed data
8973934 0x88EE6E xz compressed data
9009914 0x897AFA xz compressed data
9041822 0x89F79E xz compressed data
9072350 0x8A6EDE xz compressed data
9099786 0x8ADA0A xz compressed data
9128934 0x8B4BE6 xz compressed data
9160710 0x8BC806 xz compressed data
9177994 0x8C0B8A xz compressed data
9216194 0x8CA0C2 xz compressed data
9307058 0x8E03B2 xz compressed data
9394034 0x8F5772 xz compressed data
9475834 0x9096FA xz compressed data
9563966 0x91EF3E xz compressed data
9661986 0x936E22 xz compressed data
9751714 0x94CCA2 xz compressed data
9819538 0x95D592 xz compressed data
9882642 0x96CC12 xz compressed data
9928298 0x977E6A xz compressed data
9981802 0x984F6A xz compressed data
10024974 0x98F80E xz compressed data
10093114 0x9A023A xz compressed data
10169386 0x9B2C2A xz compressed data
10188074 0x9B752A xz compressed data
10254398 0x9C783E xz compressed data
10322218 0x9D812A xz compressed data
10406250 0x9EC96A xz compressed data
10477366 0x9FDF36 xz compressed data
10545650 0xA0E9F2 xz compressed data
10619082 0xA208CA xz compressed data
10642982 0xA26626 xz compressed data
10687418 0xA313BA xz compressed data
10757270 0xA42496 xz compressed data
10824678 0xA52BE6 xz compressed data
10893662 0xA6395E xz compressed data
10968398 0xA75D4E xz compressed data
11006298 0xA7F15A xz compressed data
11078478 0xA90B4E xz compressed data
11140254 0xA9FC9E xz compressed data
11227334 0xAB50C6 xz compressed data
11291642 0xAC4BFA xz compressed data
11383342 0xADB22E xz compressed data
11435410 0xAE7D92 xz compressed data
11491898 0xAF5A3A xz compressed data
11553018 0xB048FA xz compressed data
11618982 0xB14AA6 xz compressed data
11668838 0xB20D66 xz compressed data
11750014 0xB34A7E xz compressed data
11828006 0xB47B26 xz compressed data
11838110 0xB4A29E xz compressed data
11917558 0xB5D8F6 xz compressed data
11963014 0xB68A86 xz compressed data
11993878 0xB70316 xz compressed data
12073382 0xB839A6 xz compressed data
12113798 0xB8D786 xz compressed data
12165350 0xB9A0E6 xz compressed data
12336518 0xBC3D86 xz compressed data
12500206 0xBEBCEE xz compressed data
12527814 0xBF28C6 xz compressed data
12542198 0xBF60F6 xz compressed data
12571442 0xBFD332 xz compressed data
12594570 0xC02D8A xz compressed data
12648910 0xC101CE xz compressed data
12698910 0xC1C51E xz compressed data
12729226 0xC23B8A xz compressed data
12742834 0xC270B2 xz compressed data
12745348 0xC27A84 xz compressed data
12747286 0xC28216 xz compressed data
12749344 0xC28A20 xz compressed data
12751302 0xC291C6 xz compressed data
12753616 0xC29AD0 xz compressed data
12755822 0xC2A36E xz compressed data
12757872 0xC2AB70 xz compressed data
12760398 0xC2B54E xz compressed data
12762324 0xC2BCD4 xz compressed data
12764342 0xC2C4B6 xz compressed data
12766080 0xC2CB80 xz compressed data
12767842 0xC2D262 xz compressed data
12770252 0xC2DBCC xz compressed data
12771722 0xC2E18A xz compressed data
12776184 0xC2F2F8 xz compressed data
12780642 0xC30462 xz compressed data
12784872 0xC314E8 xz compressed data
12789218 0xC325E2 xz compressed data
12793120 0xC33520 xz compressed data
12795818 0xC33FAA xz compressed data
12798844 0xC34B7C xz compressed data
12803150 0xC35C4E xz compressed data
12804576 0xC361E0 xz compressed data
12805242 0xC3647A xz compressed data
12807268 0xC36C64 xz compressed data
12809162 0xC373CA xz compressed data
12811112 0xC37B68 xz compressed data
The scan shows a U-Boot bootloader at the front (the "U-Boot 1.1.3" version string at 0x1CB10, plus the HTML of its recovery page), then the kernel as a uImage at 0x50000 (LZMA-compressed, load and entry address 0x80000000, MIPS), followed by a long run of xz-compressed blocks. Preliminary layout of the firmware:
No. | Offset | Description |
1 | 0-0x4FFFF | U-Boot |
2 | 0x50000-0x17007D | Kernel, uImage format |
3 | 0x17007E-end | Many xz-compressed blocks, presumably a filesystem |
The boundary between rows 2 and 3 is only what binwalk reported; the next section pins it down from the uImage header and the data itself.
三、Second pass
From the earlier article 《OpenWrt固件结构分析(uImage格式)》 (OpenWrt firmware structure analysis, uImage format) we know how to read the uImage header: its image-size field is 0x111EA7 (1121959) bytes, so the kernel payload runs from 0x50040 (just after the 64-byte header) to 0x161EE7.
Past the end of the kernel the bytes are almost all 0x00.
Searching onward for non-zero data (binwalk's output also points to the neighbourhood), real data resumes at 0x170000, a 64 KiB-aligned offset as a flash partition boundary would be, with the marker bytes hsqs. Anyone who has read 《Squashfs文件系统》 (the SquashFS filesystem) will recognise this as the SquashFS superblock magic, so why does binwalk fail to identify it?
Carving the image from 0x170000 to the end and running binwalk on that alone gives the same result.
Looking at binwalk's signature definitions (the magic file under the binwalk install directory) shows why:
the SquashFS signature is rejected as soon as one of its fields matches an {invalid} clause. Here the version field at 0x1C-0x1F is the problem, so I patched it by hand to the usual 4.0 layout (FB FF FF FF -> 04 00 00 00, i.e. major 4 at 0x1C-0x1D and minor 0 at 0x1E-0x1F, little-endian).
binwalk now recognises the superblock, but still cannot unpack it.
Comparing against what a normal SquashFS unpack looks like, two more things are wrong with this image:
1. the compression algorithm is not recognised;
2. the inode count is negative.
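The steps above (read the uImage size field, skip the zero padding, look for the next magic) as an added worked example; this is not code from the original article. It builds a small constructed stand-in image rather than shipping the HC5861 file, so the offsets 0x100 and 0x1000 below are the sample's, not the router's; pass the real file and 0x50000 on the command line to get the page's 0x161EE7 and 0x170000.

```python
"""Parse a uImage header, find where the kernel payload ends and where the next
segment (here a SquashFS superblock) begins after the zero padding."""
import struct
import sys
import zlib

UIMAGE_MAGIC = 0x27051956
# struct image_header_t: magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
UIMAGE_HDR = struct.Struct(">IIIIIIIBBBB32s")          # 64 bytes, big-endian
SQUASHFS_MAGIC = b"hsqs"                              # little-endian SquashFS 4.x magic


def parse_uimage(fw, off):
    """Parse the uImage header at `off`, verify both CRCs and return its fields
    together with the absolute end offset of the wrapped payload."""
    hdr = fw[off:off + UIMAGE_HDR.size]
    if len(hdr) != UIMAGE_HDR.size:
        raise ValueError(f"image too short for a uImage header at {off:#x}")
    (magic, hcrc, ts, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = UIMAGE_HDR.unpack(hdr)
    if magic != UIMAGE_MAGIC:
        raise ValueError(f"no uImage magic at {off:#x}")
    # ih_hcrc is computed over the header with the hcrc field itself zeroed.
    if zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) != hcrc:
        raise ValueError("uImage header CRC mismatch")
    data = fw[off + UIMAGE_HDR.size:off + UIMAGE_HDR.size + size]
    if len(data) != size or zlib.crc32(data) != dcrc:
        raise ValueError("uImage data CRC mismatch: payload truncated or modified")
    return {
        "name": name.rstrip(b"\0").decode(errors="replace"),
        "timestamp": ts, "data_size": size, "load": load, "entry": ep,
        "os": os_, "arch": arch, "type": typ, "comp": comp,
        "payload_end": off + UIMAGE_HDR.size + size,
    }


def find_next_segment(fw, payload_end):
    """Skip the 0x00 padding after the kernel payload and return
    (offset of the first non-zero byte, the four bytes found there).
    Returns (None, None) if only padding remains."""
    off = payload_end
    while off < len(fw) and fw[off] == 0:
        off += 1
    if off >= len(fw):
        return None, None
    return off, fw[off:off + 4]


def build_sample_image():
    """Constructed stand-in for a sysupgrade image (not the real HC5861 bytes):
    0x100 bytes of 0xFF filler, a uImage at 0x100 wrapping 2 KiB of fake kernel
    (os=Linux, arch=MIPS, type=kernel, comp=lzma), zero padding up to 0x1000,
    then a bare 'hsqs' magic followed by zeros."""
    payload = bytes(range(256)) * 8
    hdr = UIMAGE_HDR.pack(UIMAGE_MAGIC, 0, 0x5AA30A59, len(payload),
                          0x80000000, 0x80000000, zlib.crc32(payload),
                          5, 5, 2, 3, b"HC5861")
    hdr = hdr[:4] + struct.pack(">I", zlib.crc32(hdr)) + hdr[8:]   # fill in hcrc
    img = bytearray(b"\xff" * 0x100) + hdr + payload
    img += b"\0" * (0x1000 - len(img) % 0x1000)                    # pad to boundary
    img += SQUASHFS_MAGIC + b"\0" * 92
    return bytes(img)


if __name__ == "__main__":
    # usage: python uimage_scan.py <firmware.bin> <uimage offset>, e.g. ... 0x50000
    if len(sys.argv) > 2:
        fw, uimage_off = open(sys.argv[1], "rb").read(), int(sys.argv[2], 0)
    else:
        fw, uimage_off = build_sample_image(), 0x100
    info = parse_uimage(fw, uimage_off)
    print(f"{info['name']}: payload {info['data_size']:#x} bytes, ends at {info['payload_end']:#x}")
    off, magic = find_next_segment(fw, info["payload_end"])
    if off is not None:
        print(f"next data at {off:#x} (64 KiB aligned: {off % 0x10000 == 0}), "
              f"magic {magic!r}, squashfs={magic == SQUASHFS_MAGIC}")
```

Both CRCs are checked on purpose: a header CRC that fails means the offset or the header is wrong, while a data CRC that fails with a good header means the size field is right but the payload has been cut short or altered, which is worth knowing before trusting the computed end offset.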
四、Final analysis
1. Compression field repair
The initial scan showed the filesystem is made of many xz-compressed blocks, so the compressor is almost certainly xz (compression id 4 in SquashFS 4.x). Patch the id at 0x14-0x15 accordingly (FB FF -> 04 00).
binwalk now identifies the compression algorithm.
2. Inode count repair
In the SquashFS superblock, 0x04-0x07 holds the inode count. Here it reads 0xFFFFF39B (binwalk shows it as -3173), and a count should never be negative.
Look at the two fields already patched: every 0x04 came from 0xFB and every 0x00 from 0xFF.
(1) filesystem version (FB FF FF FF -> 04 00 00 00)
(2) compression id (FB FF -> 04 00)
The natural guess is that the vendor XORed these fields with 0xFF, i.e. inverted every bit.
Apply the same XOR to the inode count (9B F3 FF FF) and the result is 64 0C 00 00; since the field is little-endian that is 0x00000C64 = 3172. With this patched, binwalk parses the superblock cleanly.
But binwalk -e still fails to extract, and unsquashfs (version 4.3) also refuses, reporting that the compression options are not supported. Note that only three of the superblock's fields have been examined so far; the 96-byte superblock also carries flags (0x18), an id count (0x1A) and the 64-bit table offsets from 0x20 onward, and any of those that were obfuscated the same way would still be wrong, so they deserve the same check.
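The repair procedure of steps 1 and 2, generalised to every superblock field, as an added worked example (not code from the article or from squashfs-tools). For each field it compares the raw value with its bitwise complement and keeps whichever one a real squashfs-tools image could carry, so a field the article did not look at (flags, id count, table offsets) is caught as well. The sample superblock is constructed here with the three XORed fields the article found; it is not the bytes of the HC5861 image, and the image length 0xAC0000 is an assumption of the sample.

```python
"""Diagnose and un-XOR a SquashFS 4.x superblock whose fields were flipped with 0xFF."""
import struct
import sys

# 96-byte little-endian superblock (struct squashfs_super_block in squashfs_fs.h)
SB = struct.Struct("<IIIIIHHHHHHQQQQQQQQ")
FIELDS = ["magic", "inode_count", "mod_time", "block_size", "frag_count",
          "compression", "block_log", "flags", "id_count",
          "version_major", "version_minor", "root_inode", "bytes_used",
          "id_table_start", "xattr_id_table_start", "inode_table_start",
          "directory_table_start", "fragment_table_start", "export_table_start"]
WIDTHS = [4, 4, 4, 4, 4, 2, 2, 2, 2, 2, 2, 8, 8, 8, 8, 8, 8, 8, 8]
SQUASHFS_MAGIC = 0x73717368          # b"hsqs" read as a little-endian u32
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
NO_TABLE = (1 << 64) - 1             # "table absent" sentinel for xattr/export tables
SAMPLE_IMAGE_LEN = 0xAC0000          # assumed length of the sample filesystem below


def plausible(name, v, image_len):
    """Per-field sanity check: could a real squashfs-tools image carry this value?"""
    checks = {
        "magic": lambda: v == SQUASHFS_MAGIC,
        "inode_count": lambda: 0 < v < 1 << 31,
        "mod_time": lambda: 0 < v < 1 << 31,            # sane 32-bit Unix timestamp
        "block_size": lambda: 4096 <= v <= 1 << 20 and v & (v - 1) == 0,
        "frag_count": lambda: v < 1 << 31,
        "compression": lambda: v in COMPRESSORS,
        "block_log": lambda: 12 <= v <= 20,
        "flags": lambda: v < 0x1000,                    # only bits 0..11 are defined
        "id_count": lambda: 0 < v <= 256,               # distinct uid/gid pairs
        "version_major": lambda: v == 4,
        "version_minor": lambda: v == 0,
        # inode reference = (offset of metadata block << 16) | offset inside block
        "root_inode": lambda: (v >> 16) <= image_len and (v & 0xFFFF) < 8192,
    }
    if name in checks:
        return checks[name]()
    if name in ("xattr_id_table_start", "export_table_start") and v == NO_TABLE:
        return True
    return SB.size <= v <= image_len                    # a table offset inside the image


def decide(name, raw, width, image_len):
    """Keep the raw value or its bitwise complement, whichever passes; report which."""
    alt = raw ^ ((1 << 8 * width) - 1)
    raw_ok, alt_ok = plausible(name, raw, image_len), plausible(name, alt, image_len)
    if raw_ok and not alt_ok:
        return raw, "raw"
    if alt_ok and not raw_ok:
        return alt, "xor"
    return raw, "ambiguous"          # both or neither fit: leave for manual review


def repair_superblock(sb, image_len):
    """Return (repaired 96-byte superblock, {field: (value, status)}, warnings)."""
    fixed, report = [], {}
    for name, raw, width in zip(FIELDS, SB.unpack(sb[:SB.size]), WIDTHS):
        val, status = decide(name, raw, width, image_len)
        fixed.append(val)
        report[name] = (val, status)
    warnings = [f"{n}: ambiguous, left unchanged" for n, (_, s) in report.items() if s == "ambiguous"]
    if 1 << report["block_log"][0] != report["block_size"][0]:
        warnings.append("block_log does not match block_size")
    return SB.pack(*fixed), report, warnings


def build_sample_superblock():
    """Constructed sample: a clean xz/4.0 superblock and the same superblock with
    inode_count, compression and version XORed with 0xFF, as seen in the write-up."""
    clean = [SQUASHFS_MAGIC, 0xC64, 0x5AA30A59, 0x20000, 200, 4, 17, 0xC0, 1, 4, 0,
             (0x1234 << 16) | 0x10, 0xAB0000, 0xAAFFF0, NO_TABLE,
             0x9A0000, 0xA80000, 0xAAF000, 0xAAFF00]
    obf = list(clean)
    obf[1] ^= 0xFFFFFFFF             # inode_count   -> 9B F3 FF FF
    obf[5] ^= 0xFFFF                 # compression   -> FB FF
    obf[9] ^= 0xFFFF                 # version_major -> FB FF
    obf[10] ^= 0xFFFF                # version_minor -> FF FF
    return SB.pack(*obf), SB.pack(*clean)


if __name__ == "__main__":
    # usage: python sqsh_repair.py [<image> [<superblock offset> [<output>]]]
    if len(sys.argv) > 1:
        fw = open(sys.argv[1], "rb").read()
        off = int(sys.argv[2], 0) if len(sys.argv) > 2 else 0
        fixed, report, warnings = repair_superblock(fw[off:off + SB.size], len(fw) - off)
    else:
        fixed, report, warnings = repair_superblock(build_sample_superblock()[0], SAMPLE_IMAGE_LEN)
    for name, (val, status) in report.items():
        print(f"{name:>22} = {val:#x} ({status})")
    print("warnings:", warnings or "none")
    if len(sys.argv) > 3:
        with open(sys.argv[3], "wb") as out:
            out.write(fixed + fw[off + SB.size:])
```

For the full firmware file, pass 0x170000 as the superblock offset; the last argument writes a carved copy with the repaired superblock in front of the untouched tables. Fields reported as ambiguous (for instance a compression id of 2 versus 0xFFFD, where only one is plausible, are not; a flags word where both readings stay below 0x1000 would be) are the ones to settle by hand before running unsquashfs.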
3. Final solution
Knowing the filesystem is SquashFS still leaves open which version of the tools produced it, so I used firmware-mod-kit, which bundles several unsquashfs builds, and tried them one after another until one unpacked the image; the version that worked was squash-4.2-official (the squashfs-4.2 tree in firmware-mod-kit; see the reference link).
4. Other approaches
The open-source 7-Zip handles many container formats, SquashFS among them; the Windows build of 7-Zip recognises the (repaired) file and unpacks it directly.
五、References
https://github.com/rampageX/firmware-mod-kit/blob/master/src/others/squashfs-4.2/README