Site updated: 2019-03-16 15:29:02

This commit is contained in:
Cool-Y 2019-03-16 15:29:06 +08:00
parent 766528e785
commit 8a57d81e97
6 changed files with 68 additions and 14 deletions

View File

@ -79,14 +79,17 @@
<meta name="description" content="小米固件工具mkxqimage小米自己改了个打包解包固件的工具基于 trx 改的(本质上还是 trx 格式),加了 RSA 验证和解包功能路由系统里自带1234Usage:mkxqimg [-o outfile] [-p private_key] [-f file] [-f file [-f file [-f file ]]] [-x file] [-I] 固件解">
<meta property="og:type" content="article"> <meta property="og:type" content="article">
<meta property="og:title" content="My First Post"> <meta property="og:title" content="小米固件工具mkxqimage">
<meta property="og:url" content="https://cool-y.github.io/2019/03/16/My-First-Post/index.html"> <meta property="og:url" content="https://cool-y.github.io/2019/03/16/My-First-Post/index.html">
<meta property="og:site_name" content="混元霹雳手"> <meta property="og:site_name" content="混元霹雳手">
<meta property="og:description" content="小米固件工具mkxqimage小米自己改了个打包解包固件的工具基于 trx 改的(本质上还是 trx 格式),加了 RSA 验证和解包功能路由系统里自带1234Usage:mkxqimg [-o outfile] [-p private_key] [-f file] [-f file [-f file [-f file ]]] [-x file] [-I] 固件解">
<meta property="og:locale" content="zh-Hans"> <meta property="og:locale" content="zh-Hans">
<meta property="og:updated_time" content="2019-03-16T06:57:56.054Z"> <meta property="og:updated_time" content="2019-03-16T07:28:51.888Z">
<meta name="twitter:card" content="summary"> <meta name="twitter:card" content="summary">
<meta name="twitter:title" content="My First Post"> <meta name="twitter:title" content="小米固件工具mkxqimage">
<meta name="twitter:description" content="小米固件工具mkxqimage小米自己改了个打包解包固件的工具基于 trx 改的(本质上还是 trx 格式),加了 RSA 验证和解包功能路由系统里自带1234Usage:mkxqimg [-o outfile] [-p private_key] [-f file] [-f file [-f file [-f file ]]] [-x file] [-I] 固件解">
@ -122,7 +125,7 @@
<title>My First Post | 混元霹雳手</title> <title>小米固件工具mkxqimage | 混元霹雳手</title>
@ -246,7 +249,7 @@
<h1 class="post-title" itemprop="name headline">My First Post</h1> <h1 class="post-title" itemprop="name headline">小米固件工具mkxqimage</h1>
<div class="post-meta"> <div class="post-meta">
@ -296,7 +299,20 @@
<h1 id="小米固件工具mkxqimage"><a href="#小米固件工具mkxqimage" class="headerlink" title="小米固件工具mkxqimage"></a>小米固件工具mkxqimage</h1><p>小米自己改了个打包解包固件的工具,基于 trx 改的(本质上还是 trx 格式),加了 RSA 验证和解包功能,路由系统里自带:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Usage:</span><br><span class="line">mkxqimg [-o outfile] [-p private_key] [-f file] [-f file [-f file [-f file ]]]</span><br><span class="line"> [-x file]</span><br><span class="line"> [-I]</span><br></pre></td></tr></table></figure></p>
<h2 id="固件解包"><a href="#固件解包" class="headerlink" title="固件解包"></a>固件解包</h2><p>固件工具mkxqimage完成对固件的解包在解包前先检查Checksum是否正确然后利用RSA公钥/usr/share/xiaoqiang/public.pem检查RSA签名这两个步骤通过后根据[0x0C]的固件类型,以及[0x10]、[0x14]、[0x18]和[0x1C]的4个偏移量拆分固件。</p>
<h2 id="固件打包"><a href="#固件打包" class="headerlink" title="固件打包"></a>固件打包</h2><p>小米官方在打包固件时用RSA私钥计算出固件的RSA签名小米路由器下载固件后用RSA公钥来验证RSA签名有效地防止固件被篡改。</p>
<h2 id="固件格式"><a href="#固件格式" class="headerlink" title="固件格式"></a><a href="http://www.iptvfans.cn/wiki/index.php/%E5%B0%8F%E7%B1%B3%E8%B7%AF%E7%94%B1%E5%99%A8%E5%9B%BA%E4%BB%B6%E5%88%86%E6%9E%90" target="_blank" rel="noopener">固件格式</a></h2><p>路由固件的格式,基本是基于 openwrt 的 trx 这个简单的二进制文件格式<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">48 44 52 30 63 D4 11 03 FE 3D 1A FD 05 00 02 00</span><br><span class="line">20 00 00 00 20 00 FE 00 00 00 00 00 00 00 00 00</span><br><span class="line">FF 04 00 EA 14 F0 9F E5 14 F0 9F E5 14 F0 9F E5</span><br></pre></td></tr></table></figure></p>
<p>第14字节ASCII字符串“HDR0”作为固件的标识<br>第58字节4字节整型数0x0311D464表示固件的大小51500132字节<br>第9~12字节固件的检查和<br>第1314字节0x0005表示固件中包含哪些部分<br>第1516字节0x0002表示固件格式版本号<br>第1720字节0x00000020表示固件第一部分在整个固件中的偏移量0.4.85固件的第一部分是brcm4709_nor.bin也就是Flash中除0xfe0000-0xff0000的board_data外的全镜像<br>第2124字节0x00FE0020表示固件第二部分在整个固件中的偏移量0.4.85固件的第二部分是root.ext4.lzma也就是硬盘中128M固件的压缩包<br>第33字节开始是固件的正式内容开始。</p>
<h2 id="小米开启ssh工具包"><a href="#小米开启ssh工具包" class="headerlink" title="小米开启ssh工具包"></a>小米开启ssh工具包</h2><p>使用mkxqimage解包<br>(现在会提示秘钥不存在)<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">error fopen public key</span><br><span class="line">Image verify failed, not formal image</span><br></pre></td></tr></table></figure></p>
<p>如果能解包应该可以得到脚本文件upsetting.sh</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">#!/bin/sh</span><br><span class="line">nvram set ssh_en=1</span><br><span class="line">nvram set flag_init_root_pwd=1</span><br><span class="line">nvram commit</span><br></pre></td></tr></table></figure>
<p>执行脚本文件upsetting.sh后将ssh_en设置为1同时设置了flag_init_root_pwd项。当正式启动时/usr/sbin/boot_check脚本检测到flag_init_root_pwd=1时自动修改root用户密码具体脚本为<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">flg_init_pwd=`nvram get flag_init_root_pwd`</span><br><span class="line">if [ &quot;$flg_init_pwd&quot; = &quot;1&quot; ]; then</span><br><span class="line"> init_pwd=`mkxqimage -I`</span><br><span class="line"> (echo $init_pwd; sleep 1; echo $init_pwd) | passwd root</span><br><span class="line"> nvram unset flag_init_root_pwd</span><br><span class="line"> nvram commit</span><br><span class="line">fi</span><br></pre></td></tr></table></figure></p>
<p>初始密码是mkxqimage -I的结果实际是根据路由器的序列号计算得到。路由器的序列号印在底盖上12位数字561000088888</p>
<p>初始密码计算算法为:</p>
<p><code>substr(md5(SN+&quot;A2E371B0-B34B-48A5-8C40-A7133F3B5D88&quot;), 0, 8)</code></p>
<p><strong><em>A2E371B0-B34B-48A5-8C40-A7133F3B5D88</em></strong> 为分析mkxqimage得到的salt</p>
</div> </div>
@ -380,8 +396,17 @@
<ul class="sidebar-nav motion-element">
<li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
文章目录
</li>
<li class="sidebar-nav-overview" data-target="site-overview-wrap">
站点概览
</li>
</ul>
<section class="site-overview-wrap sidebar-panel sidebar-panel-active"> <section class="site-overview-wrap sidebar-panel">
<div class="site-overview"> <div class="site-overview">
<div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person"> <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
@ -424,6 +449,22 @@
</section> </section>
<!--noindex-->
<section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
<div class="post-toc">
<div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#小米固件工具mkxqimage"><span class="nav-number">1.</span> <span class="nav-text">小米固件工具mkxqimage</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#固件解包"><span class="nav-number">1.1.</span> <span class="nav-text">固件解包</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#固件打包"><span class="nav-number">1.2.</span> <span class="nav-text">固件打包</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#固件格式"><span class="nav-number">1.3.</span> <span class="nav-text">固件格式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#小米开启ssh工具包"><span class="nav-number">1.4.</span> <span class="nav-text">小米开启ssh工具包</span></a></li></ol></li></ol></div>
</div>
</section>
<!--/noindex-->

View File

@ -338,8 +338,8 @@
<div class="post-nav-prev post-nav-item"> <div class="post-nav-prev post-nav-item">
<a href="/2019/03/16/My-First-Post/" rel="prev" title="My First Post"> <a href="/2019/03/16/My-First-Post/" rel="prev" title="小米固件工具mkxqimage">
My First Post <i class="fa fa-chevron-right"></i> 小米固件工具mkxqimage <i class="fa fa-chevron-right"></i>
</a> </a>
</div> </div>

View File

@ -253,7 +253,7 @@
<a class="post-title-link" href="/2019/03/16/My-First-Post/" itemprop="url"> <a class="post-title-link" href="/2019/03/16/My-First-Post/" itemprop="url">
<span itemprop="name">My First Post</span> <span itemprop="name">小米固件工具mkxqimage</span>
</a> </a>

View File

@ -253,7 +253,7 @@
<a class="post-title-link" href="/2019/03/16/My-First-Post/" itemprop="url"> <a class="post-title-link" href="/2019/03/16/My-First-Post/" itemprop="url">
<span itemprop="name">My First Post</span> <span itemprop="name">小米固件工具mkxqimage</span>
</a> </a>

View File

@ -253,7 +253,7 @@
<a class="post-title-link" href="/2019/03/16/My-First-Post/" itemprop="url"> <a class="post-title-link" href="/2019/03/16/My-First-Post/" itemprop="url">
<span itemprop="name">My First Post</span> <span itemprop="name">小米固件工具mkxqimage</span>
</a> </a>

View File

@ -248,7 +248,7 @@
<h1 class="post-title" itemprop="name headline"> <h1 class="post-title" itemprop="name headline">
<a class="post-title-link" href="/2019/03/16/My-First-Post/" itemprop="url">My First Post</a></h1> <a class="post-title-link" href="/2019/03/16/My-First-Post/" itemprop="url">小米固件工具mkxqimage</a></h1>
<div class="post-meta"> <div class="post-meta">
@ -300,7 +300,20 @@
<h1 id="小米固件工具mkxqimage"><a href="#小米固件工具mkxqimage" class="headerlink" title="小米固件工具mkxqimage"></a>小米固件工具mkxqimage</h1><p>小米自己改了个打包解包固件的工具,基于 trx 改的(本质上还是 trx 格式),加了 RSA 验证和解包功能,路由系统里自带:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Usage:</span><br><span class="line">mkxqimg [-o outfile] [-p private_key] [-f file] [-f file [-f file [-f file ]]]</span><br><span class="line"> [-x file]</span><br><span class="line"> [-I]</span><br></pre></td></tr></table></figure></p>
<h2 id="固件解包"><a href="#固件解包" class="headerlink" title="固件解包"></a>固件解包</h2><p>固件工具mkxqimage完成对固件的解包在解包前先检查Checksum是否正确然后利用RSA公钥/usr/share/xiaoqiang/public.pem检查RSA签名这两个步骤通过后根据[0x0C]的固件类型,以及[0x10]、[0x14]、[0x18]和[0x1C]的4个偏移量拆分固件。</p>
<h2 id="固件打包"><a href="#固件打包" class="headerlink" title="固件打包"></a>固件打包</h2><p>小米官方在打包固件时用RSA私钥计算出固件的RSA签名小米路由器下载固件后用RSA公钥来验证RSA签名有效地防止固件被篡改。</p>
<h2 id="固件格式"><a href="#固件格式" class="headerlink" title="固件格式"></a><a href="http://www.iptvfans.cn/wiki/index.php/%E5%B0%8F%E7%B1%B3%E8%B7%AF%E7%94%B1%E5%99%A8%E5%9B%BA%E4%BB%B6%E5%88%86%E6%9E%90" target="_blank" rel="noopener">固件格式</a></h2><p>路由固件的格式,基本是基于 openwrt 的 trx 这个简单的二进制文件格式<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">48 44 52 30 63 D4 11 03 FE 3D 1A FD 05 00 02 00</span><br><span class="line">20 00 00 00 20 00 FE 00 00 00 00 00 00 00 00 00</span><br><span class="line">FF 04 00 EA 14 F0 9F E5 14 F0 9F E5 14 F0 9F E5</span><br></pre></td></tr></table></figure></p>
<p>第14字节ASCII字符串“HDR0”作为固件的标识<br>第58字节4字节整型数0x0311D464表示固件的大小51500132字节<br>第9~12字节固件的检查和<br>第1314字节0x0005表示固件中包含哪些部分<br>第1516字节0x0002表示固件格式版本号<br>第1720字节0x00000020表示固件第一部分在整个固件中的偏移量0.4.85固件的第一部分是brcm4709_nor.bin也就是Flash中除0xfe0000-0xff0000的board_data外的全镜像<br>第2124字节0x00FE0020表示固件第二部分在整个固件中的偏移量0.4.85固件的第二部分是root.ext4.lzma也就是硬盘中128M固件的压缩包<br>第33字节开始是固件的正式内容开始。</p>
<h2 id="小米开启ssh工具包"><a href="#小米开启ssh工具包" class="headerlink" title="小米开启ssh工具包"></a>小米开启ssh工具包</h2><p>使用mkxqimage解包<br>(现在会提示秘钥不存在)<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">error fopen public key</span><br><span class="line">Image verify failed, not formal image</span><br></pre></td></tr></table></figure></p>
<p>如果能解包应该可以得到脚本文件upsetting.sh</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">#!/bin/sh</span><br><span class="line">nvram set ssh_en=1</span><br><span class="line">nvram set flag_init_root_pwd=1</span><br><span class="line">nvram commit</span><br></pre></td></tr></table></figure>
<p>执行脚本文件upsetting.sh后将ssh_en设置为1同时设置了flag_init_root_pwd项。当正式启动时/usr/sbin/boot_check脚本检测到flag_init_root_pwd=1时自动修改root用户密码具体脚本为<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">flg_init_pwd=`nvram get flag_init_root_pwd`</span><br><span class="line">if [ &quot;$flg_init_pwd&quot; = &quot;1&quot; ]; then</span><br><span class="line"> init_pwd=`mkxqimage -I`</span><br><span class="line"> (echo $init_pwd; sleep 1; echo $init_pwd) | passwd root</span><br><span class="line"> nvram unset flag_init_root_pwd</span><br><span class="line"> nvram commit</span><br><span class="line">fi</span><br></pre></td></tr></table></figure></p>
<p>初始密码是mkxqimage -I的结果实际是根据路由器的序列号计算得到。路由器的序列号印在底盖上12位数字561000088888</p>
<p>初始密码计算算法为:</p>
<p><code>substr(md5(SN+&quot;A2E371B0-B34B-48A5-8C40-A7133F3B5D88&quot;), 0, 8)</code></p>
<p><strong><em>A2E371B0-B34B-48A5-8C40-A7133F3B5D88</em></strong> 为分析mkxqimage得到的salt</p>