■ firmware-mod-kit의 펌웨어(bin) 추출과정 설명 firmware-mod-kit(https://code.google.com/archive/p/firmware-mod-kit/downloads)의 extract-firmware.sh의 동작과정을 설명한다. ■ 필요한 프로그램 fmk/src/binwalk-1.0/src/bin/binwalk-script fmk/unsquashfs_all.sh ■ 추출 과정 1. 쉘스크립트 변수 정의 BINWALK="/opt/fmk/src/binwalk-1.0/src/bin/binwalk-script -v -m /opt/fmk/src/binwalk-1.0/src/binwalk/magic/binwalk" UNSQUASHFS="/opt/fmk/unsquashfs_all.sh" 2. 펌웨어 정보 추출 ${BINWALK} -f bininfo.txt test.bin test.bin의 정보를 bininfo.txt로 출력한다. 정상적으로 실행되면 아래와 같은 내용이 bininfo.txt에 들어있다. Firmware Mod Kit (extract) 0.99, (c)2011-2013 Craig Heffner, Jeremy Collake Preparing tools ... Scanning firmware... Scan Time: 2014-05-31 14:34:31 Signatures: 193 Target File: /opt/fmk/test.bin MD5 Checksum: e9c185bc0ee5dc3fec3ba5cd65ef9918 DECIMAL HEX DESCRIPTION ------------------------------------------------------------------------------------------------------- 0 0x0 TP-Link firmware header, firmware version: 3.12.19, image version: "ver. 1.0", product ID: 0x34200001, product version: 1, kernel load address: 0x80002000, kernel entry point: 0x801C4000, kernel offset: 512, kernel length: 873337, rootfs offset: 1048576, rootfs length: 2883584, bootloader offset: 0, bootloader length: 0 512 0x200 gzip compressed data, was "vmlinux.bin", from Unix, last modified: Mon Aug 1 16:11:04 2011 1048576 0x100000 Squashfs filesystem, big endian, lzma signature, version 3.1, size: 2406755 bytes, 687 inodes, blocksize: 65536 bytes, created: Fri Nov 23 17:23:06 2012 HEADER_IMAGE_OFFSET: 0 FS_OFFSET: 1048576 HEADER_IMAGE_SIZE: 1048576 3. HEADER(Linux 커널 부분) 부분을 추출한다. 이미지 파일의 처음부터 HEADER_IMAGE_SIZE만큼이 헤더이다. dd if="test.bin" bs=${HEADER_IMAGE_SIZE} skip=${HEADER_IMAGE_OFFSET} count=1 of="header.img" 4. ROOT 파일시스템 부분을 추출한다. FS_OFFSET 부터 파일 끝까지가 ROOT File System 이다. dd if="test.bin" bs=${FS_OFFSET} skip=1 of="rootfs.img" 5. 아래와 같은 로직으로 검사하여 FOOTER(NVRAM)가 필요하면 추출한다. for LINE in $(hexdump -C ${IMG} | tail -11 | head -10 | sed -n '1!G;h;$p' | sed -e 's/^*/FILLER/') do if [ "${LINE}" = "FILLER" ]; then break else FOOTER_SIZE=$((${FOOTER_SIZE}+16)) fi done # If a footer was found, dump it out if [ "${FOOTER_SIZE}" != "0" ]; then FOOTER_OFFSET=$((${FW_SIZE}-${FOOTER_SIZE})) echo "Extracting ${FOOTER_SIZE} byte footer from offset ${FOOTER_OFFSET}" dd if="${IMG}" bs=1 skip=${FOOTER_OFFSET} count=${FOOTER_SIZE} of="${FOOTER_IMAGE}" else FOOTER_OFFSET=${FW_SIZE} fi 6. ROOT 파일시스템의 SquashFS을 추출한다. mkdir rootfs ${UNSQUASHFS} rootfs.img rootfs Attempting to extract SquashFS .X file system... Trying ./src/squashfs-2.1-r2/unsquashfs-lzma... Trying ./src/squashfs-2.1-r2/unsquashfs... Trying ./src/squashfs-3.0/unsquashfs-lzma... Trying ./src/squashfs-3.0/unsquashfs... Trying ./src/squashfs-3.0-lzma-damn-small-variant/unsquashfs-lzma... Trying ./src/others/squashfs-2.0-nb4/unsquashfs... Trying ./src/others/squashfs-3.0-e2100/unsquashfs-lzma... Trying ./src/others/squashfs-3.0-e2100/unsquashfs... Trying ./src/others/squashfs-3.2-r2/unsquashfs... Trying ./src/others/squashfs-3.2-r2-lzma/squashfs3.2-r2/squashfs-tools/unsquashfs... Trying ./src/others/squashfs-3.2-r2-hg612-lzma/unsquashfs... Trying ./src/others/squashfs-3.2-r2-wnr1000/unsquashfs... Trying ./src/others/squashfs-3.2-r2-rtn12/unsquashfs... Trying ./src/others/squashfs-3.3/unsquashfs... Trying ./src/others/squashfs-3.3-lzma/squashfs3.3/squashfs-tools/unsquashfs... created 522 files created 38 directories created 59 symlinks created 0 devices created 0 fifos File system sucessfully extracted! ※ config.log FW_SIZE='3932160' HEADER_TYPE='tp-link' HEADER_SIZE='0' HEADER_IMAGE_SIZE='1048576' HEADER_IMAGE_OFFSET='0' FOOTER_SIZE='0' FOOTER_OFFSET='3932160' FS_TYPE='squashfs' FS_OFFSET='1048576' FS_COMPRESSION='lzma' FS_BLOCKSIZE='65536' ENDIANESS='-be' MKFS="./src/others/squashfs-3.3-lzma/squashfs3.3/squashfs-tools/mksquashfs"