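PFS File System
The PFS file system is generally used in some embedded devices, such as the Benq ESG 103, NDC NWH8018 and Belkin F5D7632-4. Embedded devices now more often use file systems such as Squashfs and UBI, so PFS will gradually be replaced.
We take the Belkin F5D7632-4 router firmware as an example: first analyze the firmware with binwalk, extract the PFS file system image pfs.img, and then view its file structure with hexdump: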
00000000 50 46 53 2f 30 2e 39 00 00 00 00 00 00 00 0d 01 |PFS/0.9.........|
00000010 77 77 77 5c 63 67 69 2d 62 69 6e 5c 61 61 64 73 |www\cgi-bin\aads|
00000020 6c 2e 65 78 65 00 00 00 00 00 00 00 00 00 00 00 |l.exe...........|
00000030 00 00 00 00 00 00 00 00 40 34 65 ab 00 00 00 00 |........@4e.....|
00000040 00 00 00 00 77 77 77 5c 63 67 69 2d 62 69 6e 5c |....www\cgi-bin\|
00000050 61 63 5f 63 6f 6e 74 72 6f 6c 2e 65 78 65 00 00 |ac_control.exe..|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 40 34 65 ab |............@4e.|
00000070 00 00 00 00 00 00 00 00 77 77 77 5c 63 67 69 2d |........www\cgi-|
00000080 62 69 6e 5c 61 64 64 5f 63 75 72 5f 6d 61 63 2e |bin\add_cur_mac.|
00000090 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 |exe.............|
000000a0 40 34 65 ab 00 00 00 00 00 00 00 00 77 77 77 5c |@4e.........www\|
000000b0 63 67 69 2d 62 69 6e 5c 61 64 6d 7a 2e 65 78 65 |cgi-bin\admz.exe|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000d0 00 00 00 00 40 34 65 ab 00 00 00 00 00 00 00 00 |....@4e.........|
...
00001ef0 77 77 77 5c 64 6f 63 5c 63 5f 61 64 73 6c 5f 73 |www\doc\c_adsl_s|
00001f00 74 61 74 75 73 2e 73 74 6d 00 00 00 00 00 00 00 |tatus.stm.......|
00001f10 00 00 00 00 00 00 00 00 4a 34 65 ab ef 94 00 00 |........J4e.....|
00001f20 b4 11 00 00 77 77 77 5c 64 6f 63 5c 64 61 74 61 |....www\doc\data|
00001f30 2e 6a 73 00 00 00 00 00 00 00 00 00 00 00 00 00 |.js.............|
00001f40 00 00 00 00 00 00 00 00 00 00 00 00 4a 34 65 ab |............J4e.|
00001f50 a3 a6 00 00 59 23 00 00 77 77 77 5c 64 6f 63 5c |....Y#..www\doc\|
00001f60 64 64 6e 73 2e 73 74 6d 00 00 00 00 00 00 00 00 |ddns.stm........|
00001f70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001f80 92 3c 0d ac fc c9 00 00 ea 1f 00 00 77 77 77 5c |.<..........www\|
00001f90 64 6f 63 5c 65 6e 67 69 6e 65 65 72 2e 73 74 6d |doc\engineer.stm|
...
00003650 69 6d 61 67 65 73 5c 73 70 61 63 65 72 2e 67 69 |images\spacer.gi|
00003660 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |f...............|
00003670 00 00 00 00 51 34 65 ab a2 1b 0d 00 2b 00 00 00 |....Q4e.....+...|
00003680 77 77 77 5c 69 6d 61 67 65 73 5c 74 69 74 6c 65 |www\images\title|
00003690 2e 67 69 66 00 00 00 00 00 00 00 00 00 00 00 00 |.gif............|
000036a0 00 00 00 00 00 00 00 00 51 34 65 ab cd 1b 0d 00 |........Q4e.....|
000036b0 ba 04 00 00 34 12 01 00 83 a8 d9 81 3f 61 23 4b |....4.......?a#K|
000036c0 b3 2d 2d b7 cc b7 f8 7e 0e 54 22 81 d0 03 00 00 |.--....~.T".....|
000036d0 00 00 00 00 d4 03 00 00 00 00 00 00 78 fc e5 7b |............x..{|
000036e0 01 00 00 00 d5 03 00 00 00 00 00 00 78 fc e5 7b |............x..{|
...
0000cba0 3e 0d 0a 3c 21 2d 2d 23 65 78 65 63 20 63 6d 64 |>..<!--#exec cmd|
0000cbb0 3d 22 4e 64 63 55 70 64 61 74 65 22 20 2d 2d 3e |="NdcUpdate" -->|
0000cbc0 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e |..<html>..<head>|
0000cbd0 0d 0a 3c 74 69 74 6c 65 3e 53 74 61 74 75 73 3c |..<title>Status<|
0000cbe0 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 |/title>..<meta h|
0000cbf0 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 |ttp-equiv="Conte|
...
0000dd20 74 3d 22 32 35 22 3e 26 6e 62 73 70 3b 3c 2f 74 |t="25">&nbsp;</t|
0000dd30 64 3e 0d 0a 20 20 3c 2f 74 72 3e 0d 0a 3c 2f 74 |d>..  </tr>..</t|
0000dd40 61 62 6c 65 3e 0d 0a 3c 2f 42 4f 44 59 3e 0d 0a |able>..</BODY>..|
0000dd50 3c 2f 48 54 4d 4c 3e 76 61 72 20 74 63 70 5f 70 |</HTML>var tcp_p|
0000dd60 72 6f 74 6f 20 3d 20 36 3b 0d 0a 76 61 72 20 75 |roto = 6;..var u|
0000dd70 64 70 5f 70 72 6f 74 6f 20 3d 20 31 37 3b 0d 0a |dp_proto = 17;..|
0000dd80 76 61 72 20 62 6f 74 68 5f 70 72 6f 74 6f 20 3d |var both_proto =|
0000dd90 20 30 3b 0d 0a 76 61 72 20 69 63 6d 70 5f 70 72 | 0;..var icmp_pr|
0000dda0 6f 74 6f 20 3d 20 31 3b 0d 0a 0d 0a 2f 2f 20 61 |oto = 1;....// a|
...
Structure analysis:
Offset | Bytes | Purpose | Value |
0x00-0x07 | 8 | PFS magic, version 0.9 | PFS/0.9\x00 |
0x08-0x0D | 6 | Padding | 0 |
0x0E-0x0F | 2 | Number of files | 0x10d (269 files) |
0x10-0x37 | 40 | File path | www\cgi-bin\ac_control.exe |
0x38-0x3B | 4 | Unknown | \x40\x34\x65\xAB |
0x3C-0x3F | 4 | File offset | 0, meaning this file does not exist? |
0x40-0x43 | 4 | File size | 0 |
... | |||
0x1EF0-0x1F17 | 40 | File path | www\doc\c_adsl_status.stm |
0x1F18-0x1F1B | 4 | Unknown | \x4A\x34\x65\xAB |
0x1F1C-0x1F1F | 4 | File offset | 0x94EF |
0x1F20-0x1F23 | 4 | File size | 0x11B4 (4532 bytes) |
... | |||
0xCBA3-0xDD56 | 4532 | Contents of www\doc\c_adsl_status.stm, at offset | 0xCBA3 = 0x36B4 (end of the last file structure) + 0x94EF |
... |
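An added example, not part of the original page or of any vendor tool: a minimal Python parser for the layout in the table above. It assumes little-endian integer fields (as the dump's `0d 01` for 0x10d suggests) and data offsets counted from the end of the entry table. The names `parse_pfs`, `safe_relpath` and `build_sample` are hypothetical, and the sample image is constructed rather than taken from the firmware.

```python
import struct
from pathlib import PurePosixPath, PureWindowsPath

MAGIC = b"PFS/0.9\x00"
HEADER = struct.Struct("<8s6xH")   # magic, 6 padding bytes, file count (little-endian)
ENTRY = struct.Struct("<40s4sII")  # path, unknown field, data offset, size

def parse_pfs(image: bytes):
    """Return [(path, offset, size, data)] for every entry in a PFS/0.9 image."""
    if len(image) < HEADER.size:
        raise ValueError("truncated header")
    magic, count = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        raise ValueError("not a PFS/0.9 image")
    data_base = HEADER.size + count * ENTRY.size  # end of the last entry
    if data_base > len(image):
        raise ValueError("entry table runs past the end of the image")
    files = []
    for i in range(count):
        raw, _unknown, offset, size = ENTRY.unpack_from(image, HEADER.size + i * ENTRY.size)
        name = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        start = data_base + offset  # offsets are relative to data_base
        if start + size > len(image):
            raise ValueError(f"{name}: data range lies outside the image")
        files.append((name, offset, size, image[start:start + size]))
    return files

def safe_relpath(name: str) -> PurePosixPath:
    """Map a stored backslash path to a relative POSIX path, refusing escapes."""
    p = PureWindowsPath(name)
    if not p.parts or p.anchor or ".." in p.parts:
        raise ValueError(f"unsafe path in image: {name!r}")
    return PurePosixPath(*p.parts)

def build_sample() -> bytes:
    """Constructed three-entry image for demonstration, not firmware data."""
    page, script = b"<html>Status</html>", b"var tcp_proto = 6;\r\n"
    entries = [(b"www\\cgi-bin\\aadsl.exe", 0, 0),
               (b"www\\doc\\c_adsl_status.stm", 0, len(page)),
               (b"www\\doc\\data.js", len(page), len(script))]
    table = b"".join(ENTRY.pack(n, b"\x40\x34\x65\xab", o, s) for n, o, s in entries)
    return HEADER.pack(MAGIC, len(entries)) + table + page + script

if __name__ == "__main__":
    for name, offset, size, data in parse_pfs(build_sample()):
        print(f"{str(safe_relpath(name)):32} offset={offset:#x} size={size}")
```

Because a firmware image is untrusted input, an extractor should write each file only under the path returned by `safe_relpath`, joined to a dedicated output directory.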