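Firmware structure analysis of the hiwifi router (极路由)

I. Introduction

A new year brings a fresh start. I studied a lot of techniques last year and will keep at it this year.

In the previous article, "Exploring how to enable the hidden SSH on the hiwifi router", we looked into the router's hidden SSH feature and worked out how to turn it on. This time we analyze its firmware.

II. Preliminary analysis

The official website is no longer usable, so the firmware has to be obtained some other way. Fortunately I had saved a copy earlier, so a download link is provided here directly. The model analyzed is again the HC5861, and the version chosen is 20180310.

With the firmware in hand, first run binwalk for an initial pass.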

$ binwalk HC5861-sysupgrade-20180310-c38d25c4.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
117520        0x1CB10         U-Boot version string, "U-Boot 1.1.3 (Mar 10 2018 - 04:33:21)"
120824        0x1D7F8         Unix path: /ixkdiBM86Bo8Y2SbxNkrbmPPd/JSOFpt1CMgDW/np3ALiwCRmsr/4/rsIYFFOfATnQTxfHgkWaXadlIa5/CBw9dveJyTkAZellnuk/7g8T5wagt3+70e3kJAKEMozUR
124887        0x1E7D7         HTML document header
127941        0x1F3C5         Unix path: /ixkdiBM86Bo8Y2SbxNkrbmPPd/JSOFpt1CMgDW/np3ALiwCRmsr/4/rsIYFFOfATnQTxfHgkWaXadlIa5/CBw9dveJyTkAZellnuk/7g8T5wagt3+70e3kJAKEMozUR
133533        0x2099D         HTML document footer
133635        0x20A03         HTML document header
136689        0x215F1         Unix path: /ixkdiBM86Bo8Y2SbxNkrbmPPd/JSOFpt1CMgDW/np3ALiwCRmsr/4/rsIYFFOfATnQTxfHgkWaXadlIa5/CBw9dveJyTkAZellnuk/7g8T5wagt3+70e3kJAKEMozUR
142960        0x22E70         HTML document footer
143059        0x22ED3         HTML document header
146113        0x23AC1         Unix path: /ixkdiBM86Bo8Y2SbxNkrbmPPd/JSOFpt1CMgDW/np3ALiwCRmsr/4/rsIYFFOfATnQTxfHgkWaXadlIa5/CBw9dveJyTkAZellnuk/7g8T5wagt3+70e3kJAKEMozUR
151298        0x24F02         HTML document footer
151411        0x24F73         HTML document header
151699        0x25093         HTML document footer
327680        0x50000         uImage header, header size: 64 bytes, header CRC: 0x44132B81, created: 2018-03-09 20:51:37, image size: 1121959 bytes, Data Address: 0x80000000, Entry Point: 0x80000000, data CRC: 0xC34344A2, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "HC5861"
327744        0x50040         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 3333004 bytes
1507454       0x17007E        xz compressed data
1614226       0x18A192        xz compressed data
1707378       0x1A0D72        xz compressed data
1787038       0x1B449E        xz compressed data
1874598       0x1C9AA6        xz compressed data
1912210       0x1D2D92        xz compressed data
1972038       0x1E1746        xz compressed data
2065050       0x1F829A        xz compressed data
2119486       0x20573E        xz compressed data
2184202       0x21540A        xz compressed data
2265186       0x229062        xz compressed data
2352382       0x23E4FE        xz compressed data
2437818       0x2532BA        xz compressed data
2474314       0x25C14A        xz compressed data
2551354       0x26EE3A        xz compressed data
2634134       0x283196        xz compressed data
2714682       0x296C3A        xz compressed data
2794698       0x2AA4CA        xz compressed data
2874706       0x2BDD52        xz compressed data
2974722       0x2D6402        xz compressed data
3042010       0x2E6ADA        xz compressed data
3097838       0x2F44EE        xz compressed data
3172558       0x3068CE        xz compressed data
3250498       0x319942        xz compressed data
3320062       0x32A8FE        xz compressed data
3382130       0x339B72        xz compressed data
3441506       0x348362        xz compressed data
3502130       0x357032        xz compressed data
3528258       0x35D642        xz compressed data
3587042       0x36BBE2        xz compressed data
3640398       0x378C4E        xz compressed data
3722554       0x38CD3A        xz compressed data
3759254       0x395C96        xz compressed data
3822314       0x3A52EA        xz compressed data
3872758       0x3B17F6        xz compressed data
3943650       0x3C2CE2        xz compressed data
4001634       0x3D0F62        xz compressed data
4065350       0x3E0846        xz compressed data
4121126       0x3EE226        xz compressed data
4145078       0x3F3FB6        xz compressed data
4185990       0x3FDF86        xz compressed data
4242082       0x40BAA2        xz compressed data
4298442       0x4196CA        xz compressed data
4356554       0x4279CA        xz compressed data
4422030       0x43798E        xz compressed data
4482610       0x446632        xz compressed data
4561710       0x459B2E        xz compressed data
4649802       0x46F34A        xz compressed data
4726642       0x481F72        xz compressed data
4752770       0x488582        xz compressed data
4809818       0x49645A        xz compressed data
4885530       0x4A8C1A        xz compressed data
4913702       0x4AFA26        xz compressed data
4988382       0x4C1DDE        xz compressed data
5046818       0x4D0222        xz compressed data
5104826       0x4DE4BA        xz compressed data
5183306       0x4F174A        xz compressed data
5200246       0x4F5976        xz compressed data
5250450       0x501D92        xz compressed data
5317526       0x512396        xz compressed data
5400066       0x526602        xz compressed data
5481882       0x53A59A        xz compressed data
5561922       0x54DE42        xz compressed data
5657854       0x5654FE        xz compressed data
5680554       0x56ADAA        xz compressed data
5745878       0x57ACD6        xz compressed data
5796210       0x587172        xz compressed data
5811838       0x58AE7E        xz compressed data
5881994       0x59C08A        xz compressed data
5931070       0x5A803E        xz compressed data
6015930       0x5BCBBA        xz compressed data
6051794       0x5C57D2        xz compressed data
6122394       0x5D6B9A        xz compressed data
6209642       0x5EC06A        xz compressed data
6281278       0x5FD83E        xz compressed data
6363926       0x611B16        xz compressed data
6451210       0x62700A        xz compressed data
6544886       0x63DDF6        xz compressed data
6553122       0x63FE22        xz compressed data
6642202       0x655A1A        xz compressed data
6726130       0x66A1F2        xz compressed data
6816170       0x6801AA        xz compressed data
6832550       0x6841A6        xz compressed data
6902442       0x6952AA        xz compressed data
6964826       0x6A465A        xz compressed data
7062162       0x6BC292        xz compressed data
7163282       0x6D4D92        xz compressed data
7215738       0x6E1A7A        xz compressed data
7290014       0x6F3C9E        xz compressed data
7361134       0x70526E        xz compressed data
7437002       0x717ACA        xz compressed data
7523642       0x72CD3A        xz compressed data
7543710       0x731B9E        xz compressed data
7620994       0x744982        xz compressed data
7669778       0x750812        xz compressed data
7725446       0x75E186        xz compressed data
7782626       0x76C0E2        xz compressed data
7800938       0x77086A        xz compressed data
7861094       0x77F366        xz compressed data
7939310       0x7924EE        xz compressed data
7982402       0x79CD42        xz compressed data
8072586       0x7B2D8A        xz compressed data
8137838       0x7C2C6E        xz compressed data
8229502       0x7D927E        xz compressed data
8323522       0x7F01C2        xz compressed data
8406834       0x804732        xz compressed data
8420130       0x807B22        xz compressed data
8458702       0x8111CE        xz compressed data
8538090       0x8247EA        xz compressed data
8631054       0x83B30E        xz compressed data
8696738       0x84B3A2        xz compressed data
8785162       0x860D0A        xz compressed data
8869314       0x8755C2        xz compressed data
8903194       0x87DA1A        xz compressed data
8938982       0x8865E6        xz compressed data
8973934       0x88EE6E        xz compressed data
9009914       0x897AFA        xz compressed data
9041822       0x89F79E        xz compressed data
9072350       0x8A6EDE        xz compressed data
9099786       0x8ADA0A        xz compressed data
9128934       0x8B4BE6        xz compressed data
9160710       0x8BC806        xz compressed data
9177994       0x8C0B8A        xz compressed data
9216194       0x8CA0C2        xz compressed data
9307058       0x8E03B2        xz compressed data
9394034       0x8F5772        xz compressed data
9475834       0x9096FA        xz compressed data
9563966       0x91EF3E        xz compressed data
9661986       0x936E22        xz compressed data
9751714       0x94CCA2        xz compressed data
9819538       0x95D592        xz compressed data
9882642       0x96CC12        xz compressed data
9928298       0x977E6A        xz compressed data
9981802       0x984F6A        xz compressed data
10024974      0x98F80E        xz compressed data
10093114      0x9A023A        xz compressed data
10169386      0x9B2C2A        xz compressed data
10188074      0x9B752A        xz compressed data
10254398      0x9C783E        xz compressed data
10322218      0x9D812A        xz compressed data
10406250      0x9EC96A        xz compressed data
10477366      0x9FDF36        xz compressed data
10545650      0xA0E9F2        xz compressed data
10619082      0xA208CA        xz compressed data
10642982      0xA26626        xz compressed data
10687418      0xA313BA        xz compressed data
10757270      0xA42496        xz compressed data
10824678      0xA52BE6        xz compressed data
10893662      0xA6395E        xz compressed data
10968398      0xA75D4E        xz compressed data
11006298      0xA7F15A        xz compressed data
11078478      0xA90B4E        xz compressed data
11140254      0xA9FC9E        xz compressed data
11227334      0xAB50C6        xz compressed data
11291642      0xAC4BFA        xz compressed data
11383342      0xADB22E        xz compressed data
11435410      0xAE7D92        xz compressed data
11491898      0xAF5A3A        xz compressed data
11553018      0xB048FA        xz compressed data
11618982      0xB14AA6        xz compressed data
11668838      0xB20D66        xz compressed data
11750014      0xB34A7E        xz compressed data
11828006      0xB47B26        xz compressed data
11838110      0xB4A29E        xz compressed data
11917558      0xB5D8F6        xz compressed data
11963014      0xB68A86        xz compressed data
11993878      0xB70316        xz compressed data
12073382      0xB839A6        xz compressed data
12113798      0xB8D786        xz compressed data
12165350      0xB9A0E6        xz compressed data
12336518      0xBC3D86        xz compressed data
12500206      0xBEBCEE        xz compressed data
12527814      0xBF28C6        xz compressed data
12542198      0xBF60F6        xz compressed data
12571442      0xBFD332        xz compressed data
12594570      0xC02D8A        xz compressed data
12648910      0xC101CE        xz compressed data
12698910      0xC1C51E        xz compressed data
12729226      0xC23B8A        xz compressed data
12742834      0xC270B2        xz compressed data
12745348      0xC27A84        xz compressed data
12747286      0xC28216        xz compressed data
12749344      0xC28A20        xz compressed data
12751302      0xC291C6        xz compressed data
12753616      0xC29AD0        xz compressed data
12755822      0xC2A36E        xz compressed data
12757872      0xC2AB70        xz compressed data
12760398      0xC2B54E        xz compressed data
12762324      0xC2BCD4        xz compressed data
12764342      0xC2C4B6        xz compressed data
12766080      0xC2CB80        xz compressed data
12767842      0xC2D262        xz compressed data
12770252      0xC2DBCC        xz compressed data
12771722      0xC2E18A        xz compressed data
12776184      0xC2F2F8        xz compressed data
12780642      0xC30462        xz compressed data
12784872      0xC314E8        xz compressed data
12789218      0xC325E2        xz compressed data
12793120      0xC33520        xz compressed data
12795818      0xC33FAA        xz compressed data
12798844      0xC34B7C        xz compressed data
12803150      0xC35C4E        xz compressed data
12804576      0xC361E0        xz compressed data
12805242      0xC3647A        xz compressed data
12807268      0xC36C64        xz compressed data
12809162      0xC373CA        xz compressed data
12811112      0xC37B68        xz compressed data

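The initial results show that the front of the image is U-Boot, followed by the Kernel (uImage format), followed by a large number of xz compressed data blocks. The preliminary firmware layout is summarized below:

No.   Offset                Description
1     0-0x4FFFF             Uboot
2     0x50000-0x17007D      Kernel, uImage format
3     0x17007E-end          Large number of xz compressed data blocks, suspected to be some file system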

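III. Second pass

From the earlier article "OpenWrt firmware structure analysis (uImage format)" we know that the Kernel size is 0x111EA7.

At the end of the kernel, most of what follows is 0x00.

Searching further for non-zero data (the binwalk results also point to the right neighbourhood), we eventually reach real content: the marker hsqs starting at 0x170000. Anyone who has read the article "Squashfs file system" will recognize that this matches the squashfs file system magic. So why does binwalk fail to identify it?

We extract the part of the firmware from 0x170000 to the end into its own file and run binwalk on it again. Unfortunately the result is the same.

Check binwalk's configuration (the file <binwalk install path>/binwalk/magic).

When a field is flagged {invalid}, the data is not recognized as a Squashfs file system. The file system version at 0x1C-0x1F looks wrong, so we manually change it to the layout of the most common version, 4.0 (FBFFFFFF -> 04000000).

Running binwalk again, the file system is now recognized, but it still cannot be unpacked.

Compared with unpacking a normal Squashfs file system, this file still has problems:

1. The compression algorithm is not identified

2. The number of inodes is negative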

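IV. Final analysis

1. Compression algorithm: field repair

The initial analysis found a large number of xz compressed data blocks in the firmware's file system, so the compression algorithm is almost certainly xz. We therefore modify the corresponding data at 0x14-0x15 (FBFF -> 0400).

Running binwalk again, the compression algorithm is now identified.

2. Number of inodes: field repair

According to the Squashfs file system structure, 0x04-0x07 holds the number of inodes. Here it is 0xFFFFF39B (binwalk reports the value -3173), and normally the count should not be negative.

Looking at the two places modified earlier, every 04 corresponds to FB and every 00 corresponds to FF.

(1) File system version (FBFFFFFF -> 04000000)

(2) Compression method (FBFF -> 0400)

This suggests that the author applied a simple XOR operation (key=0xFF).

Applying the same XOR to the number of inodes (9BF3FFFF) gives 640C0000. The value is stored little-endian, so the actual value is 0x00000C64. Analyzing with binwalk again, the result should now be correct.

However, binwalk -e still cannot unpack it, and unsquashfs (version 4.3) cannot either; it reports that the compression options are not supported.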
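The header repair from steps 1 and 2, as an added example that is not code from the original article. It parses the first 32 bytes of a SquashFS 4.x superblock, flags the fields that fail basic sanity checks, and XORs the three ranges named above with 0xFF. The sample header is constructed: only the three inverted values come from the article, the other fields are filler.

```python
import struct

HEADER = struct.Struct("<4sIIIIHHHHHH")  # first 32 bytes of a SquashFS 4.x superblock
NAMES = ("magic", "inodes", "mkfs_time", "block_size", "fragments",
         "compression", "block_log", "flags", "id_count", "major", "minor")
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
# Byte ranges the article found inverted: inode count, compression id, version.
INVERTED = [(0x04, 0x08), (0x14, 0x16), (0x1C, 0x20)]

def parse(sb):
    """Decode the fixed-size header fields into a dict."""
    return dict(zip(NAMES, HEADER.unpack_from(sb)))

def problems(sb):
    """Return the names of header fields that fail basic sanity checks."""
    f = parse(sb)
    bad = []
    if f["inodes"] & 0x80000000:           # shows up as a negative count in binwalk
        bad.append("inodes")
    if f["compression"] not in COMPRESSORS:
        bad.append("compression")
    if (f["major"], f["minor"]) != (4, 0):
        bad.append("version")
    return bad

def repair(sb):
    """XOR the three inverted ranges with 0xFF, leaving every other byte alone."""
    if sb[:4] != b"hsqs":
        raise ValueError("not a little-endian SquashFS superblock")
    out = bytearray(sb)
    for start, end in INVERTED:
        for i in range(start, end):
            out[i] ^= 0xFF
    return bytes(out)

# Constructed sample: inode count, compression id and version are the inverted
# values quoted in the article; block size, time and counts are made-up filler.
SAMPLE = HEADER.pack(b"hsqs", 0xFFFFF39B, 0, 0x40000, 1, 0xFFFB, 18, 0, 1,
                     0xFFFB, 0xFFFF)

if __name__ == "__main__":
    print("before:", problems(SAMPLE))
    fixed = repair(SAMPLE)
    print("after: ", problems(fixed), parse(fixed))
```

Running `problems()` before and after the repair confirms that exactly the three fields the article identifies were inverted and that nothing else in the header needed changing.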

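3. Final solution

We now know the firmware holds a squashfs file system, but which version of the tools was used to compress it has not actually been determined. Using the firmware-mod-kit tool, we try each version in turn to find one that can unpack it. It finally unpacks correctly, and the version that works is squash-4.2-official.

4. Other methods

The open-source 7z tool supports many compression formats, and squashfs is no exception. The Windows version of 7zip recognizes and unpacks the file directly.

V. Reference links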

https://github.com/rampageX/firmware-mod-kit/blob/master/src/others/squashfs-4.2/README
