Site updated: 2019-03-16 15:29:02
This commit is contained in:
Cool-Y
parent
766528e785
commit
8a57d81e97
@ -79,14 +79,17 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<meta name="description" content="小米固件工具mkxqimage小米自己改了个打包解包固件的工具,基于 trx 改的(本质上还是 trx 格式),加了 RSA 验证和解包功能,路由系统里自带:1234Usage:mkxqimg [-o outfile] [-p private_key] [-f file] [-f file [-f file [-f file ]]] [-x file] [-I] 固件解">
|
||||||
<meta property="og:type" content="article">
|
<meta property="og:type" content="article">
|
||||||
<meta property="og:title" content="My First Post">
|
<meta property="og:title" content="小米固件工具mkxqimage">
|
||||||
<meta property="og:url" content="https://cool-y.github.io/2019/03/16/My-First-Post/index.html">
|
<meta property="og:url" content="https://cool-y.github.io/2019/03/16/My-First-Post/index.html">
|
||||||
<meta property="og:site_name" content="混元霹雳手">
|
<meta property="og:site_name" content="混元霹雳手">
|
||||||
|
<meta property="og:description" content="小米固件工具mkxqimage小米自己改了个打包解包固件的工具,基于 trx 改的(本质上还是 trx 格式),加了 RSA 验证和解包功能,路由系统里自带:1234Usage:mkxqimg [-o outfile] [-p private_key] [-f file] [-f file [-f file [-f file ]]] [-x file] [-I] 固件解">
|
||||||
<meta property="og:locale" content="zh-Hans">
|
<meta property="og:locale" content="zh-Hans">
|
||||||
<meta property="og:updated_time" content="2019-03-16T06:57:56.054Z">
|
<meta property="og:updated_time" content="2019-03-16T07:28:51.888Z">
|
||||||
<meta name="twitter:card" content="summary">
|
<meta name="twitter:card" content="summary">
|
||||||
<meta name="twitter:title" content="My First Post">
|
<meta name="twitter:title" content="小米固件工具mkxqimage">
|
||||||
|
<meta name="twitter:description" content="小米固件工具mkxqimage小米自己改了个打包解包固件的工具,基于 trx 改的(本质上还是 trx 格式),加了 RSA 验证和解包功能,路由系统里自带:1234Usage:mkxqimg [-o outfile] [-p private_key] [-f file] [-f file [-f file [-f file ]]] [-x file] [-I] 固件解">
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -122,7 +125,7 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
<title>My First Post | 混元霹雳手</title>
|
<title>小米固件工具mkxqimage | 混元霹雳手</title>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -246,7 +249,7 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
<h1 class="post-title" itemprop="name headline">My First Post</h1>
|
<h1 class="post-title" itemprop="name headline">小米固件工具mkxqimage</h1>
|
||||||
|
|
||||||
|
|
||||||
<div class="post-meta">
|
<div class="post-meta">
|
||||||
@ -296,6 +299,19 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<h1 id="小米固件工具mkxqimage"><a href="#小米固件工具mkxqimage" class="headerlink" title="小米固件工具mkxqimage"></a>小米固件工具mkxqimage</h1><p>小米自己改了个打包解包固件的工具,基于 trx 改的(本质上还是 trx 格式),加了 RSA 验证和解包功能,路由系统里自带:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Usage:</span><br><span class="line">mkxqimg [-o outfile] [-p private_key] [-f file] [-f file [-f file [-f file ]]]</span><br><span class="line"> [-x file]</span><br><span class="line"> [-I]</span><br></pre></td></tr></table></figure></p>
|
||||||
|
<h2 id="固件解包"><a href="#固件解包" class="headerlink" title="固件解包"></a>固件解包</h2><p>固件工具mkxqimage完成对固件的解包,在解包前先检查Checksum是否正确,然后利用RSA公钥/usr/share/xiaoqiang/public.pem检查RSA签名,这两个步骤通过后,根据[0x0C]的固件类型,以及[0x10]、[0x14]、[0x18]和[0x1C]的4个偏移量拆分固件。</p>
|
||||||
|
<h2 id="固件打包"><a href="#固件打包" class="headerlink" title="固件打包"></a>固件打包</h2><p>小米官方在打包固件时用RSA私钥计算出固件的RSA签名,小米路由器下载固件后用RSA公钥来验证RSA签名,有效地防止固件被篡改。</p>
|
||||||
|
<h2 id="固件格式"><a href="#固件格式" class="headerlink" title="固件格式"></a><a href="http://www.iptvfans.cn/wiki/index.php/%E5%B0%8F%E7%B1%B3%E8%B7%AF%E7%94%B1%E5%99%A8%E5%9B%BA%E4%BB%B6%E5%88%86%E6%9E%90" target="_blank" rel="noopener">固件格式</a></h2><p>路由固件的格式,基本是基于 openwrt 的 trx 这个简单的二进制文件格式<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">48 44 52 30 63 D4 11 03 FE 3D 1A FD 05 00 02 00</span><br><span class="line">20 00 00 00 20 00 FE 00 00 00 00 00 00 00 00 00</span><br><span class="line">FF 04 00 EA 14 F0 9F E5 14 F0 9F E5 14 F0 9F E5</span><br></pre></td></tr></table></figure></p>
|
||||||
|
<p>第1~4字节:ASCII字符串“HDR0”,作为固件的标识;<br>第5~8字节:4字节整型数0x0311D464,表示固件的大小:51500132字节;<br>第9~12字节:固件的检查和;<br>第13~14字节:0x0005,表示固件中包含哪些部分;<br>第15~16字节:0x0002,表示固件格式版本号;<br>第17~20字节:0x00000020,表示固件第一部分在整个固件中的偏移量,0.4.85固件的第一部分是brcm4709_nor.bin,也就是Flash中除0xfe0000-0xff0000的board_data外的全镜像;<br>第21~24字节:0x00FE0020,表示固件第二部分在整个固件中的偏移量,0.4.85固件的第二部分是root.ext4.lzma,也就是硬盘中128M固件的压缩包;<br>第33字节开始是固件的正式内容开始。</p>
|
||||||
|
<h2 id="小米开启ssh工具包"><a href="#小米开启ssh工具包" class="headerlink" title="小米开启ssh工具包"></a>小米开启ssh工具包</h2><p>使用mkxqimage解包<br>(现在会提示秘钥不存在)<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">error fopen public key</span><br><span class="line">Image verify failed, not formal image</span><br></pre></td></tr></table></figure></p>
|
||||||
|
<p>如果能解包应该可以得到脚本文件upsetting.sh</p>
|
||||||
|
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">#!/bin/sh</span><br><span class="line">nvram set ssh_en=1</span><br><span class="line">nvram set flag_init_root_pwd=1</span><br><span class="line">nvram commit</span><br></pre></td></tr></table></figure>
|
||||||
|
<p>执行脚本文件upsetting.sh后,将ssh_en设置为1,同时设置了flag_init_root_pwd项。当正式启动时,/usr/sbin/boot_check脚本检测到flag_init_root_pwd=1时,自动修改root用户密码,具体脚本为:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">flg_init_pwd=`nvram get flag_init_root_pwd`</span><br><span class="line">if [ "$flg_init_pwd" = "1" ]; then</span><br><span class="line"> init_pwd=`mkxqimage -I`</span><br><span class="line"> (echo $init_pwd; sleep 1; echo $init_pwd) | passwd root</span><br><span class="line"> nvram unset flag_init_root_pwd</span><br><span class="line"> nvram commit</span><br><span class="line">fi</span><br></pre></td></tr></table></figure></p>
|
||||||
|
<p>初始密码是mkxqimage -I的结果,实际是根据路由器的序列号计算得到。路由器的序列号印在底盖上,12位数字,如:561000088888</p>
|
||||||
|
<p>初始密码计算算法为:</p>
|
||||||
|
<p><code>substr(md5(SN+"A2E371B0-B34B-48A5-8C40-A7133F3B5D88"), 0, 8)</code></p>
|
||||||
|
<p><strong><em>A2E371B0-B34B-48A5-8C40-A7133F3B5D88</em></strong> 为分析mkxqimage得到的salt</p>
|
||||||
|
|
||||||
|
|
||||||
</div>
|
</div>
|
||||||
@ -380,8 +396,17 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<ul class="sidebar-nav motion-element">
|
||||||
|
<li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
|
||||||
|
文章目录
|
||||||
|
</li>
|
||||||
|
<li class="sidebar-nav-overview" data-target="site-overview-wrap">
|
||||||
|
站点概览
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
<section class="site-overview-wrap sidebar-panel sidebar-panel-active">
|
|
||||||
|
<section class="site-overview-wrap sidebar-panel">
|
||||||
<div class="site-overview">
|
<div class="site-overview">
|
||||||
<div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
|
<div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
|
||||||
|
|
||||||
@ -424,6 +449,22 @@
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
|
||||||
|
<!--noindex-->
|
||||||
|
<section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
|
||||||
|
<div class="post-toc">
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#小米固件工具mkxqimage"><span class="nav-number">1.</span> <span class="nav-text">小米固件工具mkxqimage</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#固件解包"><span class="nav-number">1.1.</span> <span class="nav-text">固件解包</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#固件打包"><span class="nav-number">1.2.</span> <span class="nav-text">固件打包</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#固件格式"><span class="nav-number">1.3.</span> <span class="nav-text">固件格式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#小米开启ssh工具包"><span class="nav-number">1.4.</span> <span class="nav-text">小米开启ssh工具包</span></a></li></ol></li></ol></div>
|
||||||
|
|
||||||
|
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
<!--/noindex-->
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -338,8 +338,8 @@
|
|||||||
|
|
||||||
<div class="post-nav-prev post-nav-item">
|
<div class="post-nav-prev post-nav-item">
|
||||||
|
|
||||||
<a href="/2019/03/16/My-First-Post/" rel="prev" title="My First Post">
|
<a href="/2019/03/16/My-First-Post/" rel="prev" title="小米固件工具mkxqimage">
|
||||||
My First Post <i class="fa fa-chevron-right"></i>
|
小米固件工具mkxqimage <i class="fa fa-chevron-right"></i>
|
||||||
</a>
|
</a>
|
||||||
|
|
||||||
</div>
|
</div>
|
||||||
|
|||||||
@ -253,7 +253,7 @@
|
|||||||
|
|
||||||
<a class="post-title-link" href="/2019/03/16/My-First-Post/" itemprop="url">
|
<a class="post-title-link" href="/2019/03/16/My-First-Post/" itemprop="url">
|
||||||
|
|
||||||
<span itemprop="name">My First Post</span>
|
<span itemprop="name">小米固件工具mkxqimage</span>
|
||||||
|
|
||||||
</a>
|
</a>
|
||||||
|
|
||||||
|
|||||||
@ -253,7 +253,7 @@
|
|||||||
|
|
||||||
<a class="post-title-link" href="/2019/03/16/My-First-Post/" itemprop="url">
|
<a class="post-title-link" href="/2019/03/16/My-First-Post/" itemprop="url">
|
||||||
|
|
||||||
<span itemprop="name">My First Post</span>
|
<span itemprop="name">小米固件工具mkxqimage</span>
|
||||||
|
|
||||||
</a>
|
</a>
|
||||||
|
|
||||||
|
|||||||
@ -253,7 +253,7 @@
|
|||||||
|
|
||||||
<a class="post-title-link" href="/2019/03/16/My-First-Post/" itemprop="url">
|
<a class="post-title-link" href="/2019/03/16/My-First-Post/" itemprop="url">
|
||||||
|
|
||||||
<span itemprop="name">My First Post</span>
|
<span itemprop="name">小米固件工具mkxqimage</span>
|
||||||
|
|
||||||
</a>
|
</a>
|
||||||
|
|
||||||
|
|||||||
15
index.html
15
index.html
@ -248,7 +248,7 @@
|
|||||||
|
|
||||||
<h1 class="post-title" itemprop="name headline">
|
<h1 class="post-title" itemprop="name headline">
|
||||||
|
|
||||||
<a class="post-title-link" href="/2019/03/16/My-First-Post/" itemprop="url">My First Post</a></h1>
|
<a class="post-title-link" href="/2019/03/16/My-First-Post/" itemprop="url">小米固件工具mkxqimage</a></h1>
|
||||||
|
|
||||||
|
|
||||||
<div class="post-meta">
|
<div class="post-meta">
|
||||||
@ -300,6 +300,19 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<h1 id="小米固件工具mkxqimage"><a href="#小米固件工具mkxqimage" class="headerlink" title="小米固件工具mkxqimage"></a>小米固件工具mkxqimage</h1><p>小米自己改了个打包解包固件的工具,基于 trx 改的(本质上还是 trx 格式),加了 RSA 验证和解包功能,路由系统里自带:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Usage:</span><br><span class="line">mkxqimg [-o outfile] [-p private_key] [-f file] [-f file [-f file [-f file ]]]</span><br><span class="line"> [-x file]</span><br><span class="line"> [-I]</span><br></pre></td></tr></table></figure></p>
|
||||||
|
<h2 id="固件解包"><a href="#固件解包" class="headerlink" title="固件解包"></a>固件解包</h2><p>固件工具mkxqimage完成对固件的解包,在解包前先检查Checksum是否正确,然后利用RSA公钥/usr/share/xiaoqiang/public.pem检查RSA签名,这两个步骤通过后,根据[0x0C]的固件类型,以及[0x10]、[0x14]、[0x18]和[0x1C]的4个偏移量拆分固件。</p>
|
||||||
|
<h2 id="固件打包"><a href="#固件打包" class="headerlink" title="固件打包"></a>固件打包</h2><p>小米官方在打包固件时用RSA私钥计算出固件的RSA签名,小米路由器下载固件后用RSA公钥来验证RSA签名,有效地防止固件被篡改。</p>
|
||||||
|
<h2 id="固件格式"><a href="#固件格式" class="headerlink" title="固件格式"></a><a href="http://www.iptvfans.cn/wiki/index.php/%E5%B0%8F%E7%B1%B3%E8%B7%AF%E7%94%B1%E5%99%A8%E5%9B%BA%E4%BB%B6%E5%88%86%E6%9E%90" target="_blank" rel="noopener">固件格式</a></h2><p>路由固件的格式,基本是基于 openwrt 的 trx 这个简单的二进制文件格式<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">48 44 52 30 63 D4 11 03 FE 3D 1A FD 05 00 02 00</span><br><span class="line">20 00 00 00 20 00 FE 00 00 00 00 00 00 00 00 00</span><br><span class="line">FF 04 00 EA 14 F0 9F E5 14 F0 9F E5 14 F0 9F E5</span><br></pre></td></tr></table></figure></p>
|
||||||
|
<p>第1~4字节:ASCII字符串“HDR0”,作为固件的标识;<br>第5~8字节:4字节整型数0x0311D464,表示固件的大小:51500132字节;<br>第9~12字节:固件的检查和;<br>第13~14字节:0x0005,表示固件中包含哪些部分;<br>第15~16字节:0x0002,表示固件格式版本号;<br>第17~20字节:0x00000020,表示固件第一部分在整个固件中的偏移量,0.4.85固件的第一部分是brcm4709_nor.bin,也就是Flash中除0xfe0000-0xff0000的board_data外的全镜像;<br>第21~24字节:0x00FE0020,表示固件第二部分在整个固件中的偏移量,0.4.85固件的第二部分是root.ext4.lzma,也就是硬盘中128M固件的压缩包;<br>第33字节开始是固件的正式内容开始。</p>
|
||||||
|
<h2 id="小米开启ssh工具包"><a href="#小米开启ssh工具包" class="headerlink" title="小米开启ssh工具包"></a>小米开启ssh工具包</h2><p>使用mkxqimage解包<br>(现在会提示秘钥不存在)<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">error fopen public key</span><br><span class="line">Image verify failed, not formal image</span><br></pre></td></tr></table></figure></p>
|
||||||
|
<p>如果能解包应该可以得到脚本文件upsetting.sh</p>
|
||||||
|
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">#!/bin/sh</span><br><span class="line">nvram set ssh_en=1</span><br><span class="line">nvram set flag_init_root_pwd=1</span><br><span class="line">nvram commit</span><br></pre></td></tr></table></figure>
|
||||||
|
<p>执行脚本文件upsetting.sh后,将ssh_en设置为1,同时设置了flag_init_root_pwd项。当正式启动时,/usr/sbin/boot_check脚本检测到flag_init_root_pwd=1时,自动修改root用户密码,具体脚本为:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">flg_init_pwd=`nvram get flag_init_root_pwd`</span><br><span class="line">if [ "$flg_init_pwd" = "1" ]; then</span><br><span class="line"> init_pwd=`mkxqimage -I`</span><br><span class="line"> (echo $init_pwd; sleep 1; echo $init_pwd) | passwd root</span><br><span class="line"> nvram unset flag_init_root_pwd</span><br><span class="line"> nvram commit</span><br><span class="line">fi</span><br></pre></td></tr></table></figure></p>
|
||||||
|
<p>初始密码是mkxqimage -I的结果,实际是根据路由器的序列号计算得到。路由器的序列号印在底盖上,12位数字,如:561000088888</p>
|
||||||
|
<p>初始密码计算算法为:</p>
|
||||||
|
<p><code>substr(md5(SN+"A2E371B0-B34B-48A5-8C40-A7133F3B5D88"), 0, 8)</code></p>
|
||||||
|
<p><strong><em>A2E371B0-B34B-48A5-8C40-A7133F3B5D88</em></strong> 为分析mkxqimage得到的salt</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user