Blog address of this article: http://blog.csdn.net/qq1084283172/article/details/70140865
01. Original text of the brief description of setting up a router firmware analysis and dynamic debugging environment
The blog post "Emulating and Debugging Workspace" is fairly old, but it describes in detail the basic steps, and some important details, of setting up an environment for router firmware analysis and dynamic debugging. To avoid errors introduced by translation, the author's original text is copied here verbatim for study; the ideas in the author's post are organized into steps afterwards.
Hello,
I think the best approach is to describe how I set up my tool chain and environment. Hopefully that will be helpful for you.
To start with, I do my work in an Ubuntu VM. Specifically 12.04. I don't think the exact release matters, but I know 12.04 works with my tools.
I keep a set of cross compilers in my path for various architectures. In my opinion, building with a cross compiler is faster and easier than building with gcc inside QEMU. I recommend building a set of cross-compiling toolchains using Buildroot. Buildroot uses a Linux Kernel-style menuconfig build system. I don't have anything written up on building cross compilers, but I could probably send you my buildroot configuration if you need it, and if I can find it.
You can download the firmware for the router from Netgear's support website.
Here's a link to the firmware:
http://support.netgear.com/product/wndr3700v4
In order to unpack the firmware, I recommend my colleague, Craig Heffner's tool, Binwalk:
https://code.google.com/p/binwalk/
Binwalk will analyze a binary file and describe the subcomponents it finds within, such as filesystems, compressed kernel, etc. Additionally, it can unpack the subcomponents it finds, assuming it knows how.
Install binwalk in your Ubuntu environment using the "debian_quick_install.sh" installation script, which will apt-get install a number of dependencies.
Rather than describe binwalk's usage, I'll refer you to the wiki:
https://code.google.com/p/binwalk/wiki/Usage?tm=6
Also, in your Ubuntu environment you'll need a Debian MIPS QEMU system that you can use to emulate the firmware's binaries.
I found lots of information about running Debian in QEMU, but most of it was incomplete, and a lot of it was inconsistent, so I've written a blog post describing how I set up my QEMU systems:
http://shadow-file.blogspot.com/2013/05/running-debian-mips-linux-in-qemu.html
This is just personal, but I like to export my workspace to the QEMU machines via NFS. In fact, I export my workspace from my Mac via NFS, and my Ubuntu VMs and Debian QEMU VMs all mount the same directory. That way I'm not having to copy firmware, scripts and debuggers around.
Once logged into your QEMU VM, you can chroot into the router's firmware and run some of its binaries:
firmware_rootfs # chroot . /bin/sh
#
The simple ones, such as busybox, will run with no problem. The web server, UPnP server, etc. are more complicated because they make a lot of assumptions about the router's specific hardware being present.
One of the problems you run into has to do with queries to NVRAM for runtime configuration. Obviously, your Debian MIPS Linux has no NVRAM, so these queries will fail. For that, I have a project called "nvram-faker":
https://github.com/zcutlip/nvram-faker
You build the library for your target and preload it using the LD_PRELOAD environment variable. It intercepts calls to nvram_get and provides answers based on the contents of an nvram.ini file that you provide. It prints all the nvram queries to stdout, and colorizes the ones that it couldn't find in the .ini file. Obviously it takes some guesswork to provide sane configuration parameters.
Sometimes you can skip running the web server and just run the cgi binaries from a shell script. Most cgi binaries take their input from the web server as a combination of standard input and environment variables. They send their response to the web server over standard output.
I hope this helps. Let me know if I can help any other way.
Zach
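The last point of the message above, driving a CGI binary directly instead of through the firmware's web server, as an added example written for this page (it is not code from the original post, from Zach Cutlip, or from the router firmware). It does in C what a shell one-liner such as REQUEST_METHOD=POST QUERY_STRING=... CONTENT_LENGTH=... ./setup.cgi < body would do: it forks the CGI with the request metadata in environment variables, feeds the request body on stdin, and captures the response from stdout. The set of environment variables is the common CGI minimum and is an assumption; the variable names a particular router's CGIs actually read have to be confirmed by looking at the binary (strings or a disassembler). The demo uses /bin/sh as a stand-in CGI that echoes what it received, so it runs without any firmware present.

```c
/* Added example: a minimal harness that runs a CGI binary the way a web
 * server would, with no server involved. Not from the original post.
 * Assumptions: the CGI environment variables below, and /bin/sh as the
 * stand-in CGI used by demo_cgi_output(). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run argv[0] (argv NULL-terminated) as a CGI with the given request. Returns
 * the CGI's stdout as a malloc'd string (caller frees) or NULL on failure.
 * The body is written before stdout is drained, which is fine for bodies
 * smaller than the pipe buffer (64 KiB on Linux); anything larger needs a
 * poll() loop that interleaves writing and reading. */
char *run_cgi(char *const argv[], const char *method, const char *query, const char *body)
{
    int in[2], out[2];
    if (pipe(in) < 0 || pipe(out) < 0) return NULL;
    pid_t pid = fork();
    if (pid < 0) return NULL;
    if (pid == 0) {                               /* child: become the CGI */
        char clen[32];
        snprintf(clen, sizeof clen, "%zu", body ? strlen(body) : (size_t)0);
        dup2(in[0], STDIN_FILENO);                /* request body arrives here */
        dup2(out[1], STDOUT_FILENO);              /* response leaves here */
        close(in[0]); close(in[1]); close(out[0]); close(out[1]);
        /* The request metadata a web server would export; an assumed minimum. */
        setenv("GATEWAY_INTERFACE", "CGI/1.1", 1);
        setenv("REQUEST_METHOD", method, 1);
        setenv("QUERY_STRING", query ? query : "", 1);
        setenv("CONTENT_LENGTH", clen, 1);
        setenv("CONTENT_TYPE", "application/x-www-form-urlencoded", 1);
        setenv("REMOTE_ADDR", "192.168.1.100", 1); /* a LAN client, as the server would see it */
        execv(argv[0], argv);
        _exit(127);                               /* exec failed */
    }
    close(in[0]); close(out[1]);
    if (body && *body) {
        ssize_t w = write(in[1], body, strlen(body));
        (void)w;
    }
    close(in[1]);                                 /* EOF on the CGI's stdin */
    size_t cap = 4096, len = 0;
    char *buf = malloc(cap);
    ssize_t r;
    while ((r = read(out[0], buf + len, cap - len - 1)) > 0) {
        len += (size_t)r;
        if (cap - len < 1024) { cap *= 2; buf = realloc(buf, cap); }
    }
    buf[len] = '\0';
    close(out[0]);
    int status;
    waitpid(pid, &status, 0);
    return buf;
}

/* Demo with /bin/sh standing in for a CGI: it prints the metadata it was given,
 * then copies its stdin (the body) to stdout. Inside the firmware chroot the
 * argv would instead be something like {"./www/cgi-bin/setup.cgi", NULL}. */
char *demo_cgi_output(void)
{
    char *const argv[] = {
        "/bin/sh", "-c",
        "printf '%s|%s|%s|' \"$REQUEST_METHOD\" \"$QUERY_STRING\" \"$CONTENT_LENGTH\"; cat",
        NULL };
    /* constructed request: a POST with a query string and a form body */
    return run_cgi(argv, "POST", "page=status", "user=admin&pw=x");
}

int main(void)
{
    char *out = demo_cgi_output();   /* "POST|page=status|15|user=admin&pw=x" */
    if (!out) return 1;
    printf("CGI response: %s\n", out);
    free(out);
    return 0;
}
```

When the target is a real CGI from the firmware, run the harness (or the equivalent shell one-liner) inside the chroot so the binary finds its own libc and libnvram, and combine it with the nvram-faker preload from the message above; the captured stdout is then the same HTTP response body the web server would have forwarded.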
02. Organized steps for setting up the router firmware analysis and dynamic debugging environment
1. Create an Ubuntu 12.04 virtual machine.
2. Use Buildroot to build a cross-compilation toolchain for MIPS programs; Buildroot configures the toolchain build with a Linux-kernel-style menuconfig.
3. Download the firmware the router runs from the vendor's official website. For the Netgear device used as the example (the WNDR3700v4), the download page is:
http://support.netgear.com/product/wndr3700v4
4. Unpack the router firmware with binwalk. Binwalk analyzes the firmware image, reports the components it finds (filesystems, compressed kernel, etc.) and extracts the ones it knows how to handle. Introduction and download address for binwalk:
https://code.google.com/p/binwalk/
To install binwalk on Ubuntu, just run the "debian_quick_install.sh" script included in the binwalk package; the dependencies and components binwalk needs are downloaded and installed automatically. For a more detailed introduction to binwalk and its usage see:
https://code.google.com/p/binwalk/wiki/Usage?tm=6
5. To run the firmware's MIPS programs from the Ubuntu environment you also need a Debian MIPS QEMU virtual machine (full system emulation, so the firmware's binaries run on a real MIPS kernel and libc). Steps for setting up the MIPS QEMU virtual machine are at:
http://shadow-file.blogspot.com/2013/05/running-debian-mips-linux-in-qemu.html
6. To let the QEMU guest reach the extracted firmware filesystem on the Ubuntu host without copying it in, export the workspace from the host over NFS and mount it from the guest. The original author describes this as a personal preference rather than a requirement; it simply saves copying firmware, scripts and debuggers back and forth.
7. Log in to the QEMU virtual machine, chroot into the root directory of the router firmware's filesystem and run some of its MIPS programs. Simple programs in the firmware, such as busybox, run without problems, but the firmware's web server, UPnP server and similar are more complicated: they assume the router's specific hardware is present and need it to run successfully. For example, at runtime they query the router's NVRAM (non-volatile memory) for their configuration; the Debian MIPS QEMU virtual machine has no NVRAM, so those queries fail and the programs do not run correctly.
8. The "nvram-faker" project solves the problem described in step 7 (download address below). Building "nvram-faker" produces a shared library; when running a MIPS program in QEMU, preload that library through the LD_PRELOAD environment variable. The library intercepts calls to nvram_get and answers them with the configuration parameters listed in an nvram.ini file that you write. It also prints every NVRAM query the program makes while running and marks in colour the keys it could not find in nvram.ini. Writing nvram.ini takes some educated guessing to come up with sane values.
https://github.com/zcutlip/nvram-faker
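The mechanism described in step 8 (and in the original message's paragraph on nvram-faker), shown as an added example written for this page. This is not nvram-faker's source code; it is a small shim in the same spirit, so that the interposition trick is visible end to end: a shared library that is preloaded into the firmware binary, exports nvram_get with the signature the firmware expects, answers from a key=value file, and logs every query, in red when the key is missing. Assumptions: the key=value ini format, the NVRAM_INI environment variable used to find the file, the cross-compiler name in the build comment, and the sample keys in main() (which are constructed, not taken from any firmware). The log goes to stderr rather than stdout, a deliberate difference from nvram-faker, so the output of a CGI under test is not mixed with the log.

```c
/* Added example in the spirit of nvram-faker; this is NOT nvram-faker's own
 * source. Build it as a shared object with the Buildroot cross compiler and
 * preload it into the firmware binary inside the chroot, e.g.:
 *   mips-linux-gcc -shared -fPIC -o libnvram_shim.so nvram_shim.c
 *   NVRAM_INI=/nvram.ini LD_PRELOAD=/libnvram_shim.so /usr/sbin/httpd
 * Assumptions: the ini format (key=value lines), the NVRAM_INI variable,
 * the compiler name above, and the sample keys in main(). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 512
struct nv_entry { char *key; char *val; };
static struct nv_entry nv_table[MAX_ENTRIES];
static int nv_count;

/* Parse "key=value" lines. Blank lines and '#' comments are ignored; a later
 * duplicate key overrides an earlier one. Returns the total number of entries. */
int nvram_ini_load_string(const char *text)
{
    char *copy = strdup(text), *save = NULL;
    for (char *line = strtok_r(copy, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
        while (*line == ' ' || *line == '\t') line++;
        if (*line == '\0' || *line == '#') continue;
        char *eq = strchr(line, '=');
        if (!eq) continue;                        /* malformed line: skip it */
        *eq = '\0';
        int i;
        for (i = 0; i < nv_count; i++)
            if (strcmp(nv_table[i].key, line) == 0) break;
        if (i == nv_count) {
            if (nv_count == MAX_ENTRIES) break;   /* table full: stop loading */
            nv_table[nv_count++].key = strdup(line);
        } else {
            free(nv_table[i].val);                /* override earlier value */
        }
        nv_table[i].val = strdup(eq + 1);
    }
    free(copy);
    return nv_count;
}

/* Slurp an ini file and load it. Returns -1 if the file cannot be opened. */
int nvram_ini_load_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t cap = 4096, len = 0, n;
    char *buf = malloc(cap);
    while ((n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (cap - len < 2) { cap *= 2; buf = realloc(buf, cap); }
    }
    fclose(f);
    buf[len] = '\0';
    int rc = nvram_ini_load_string(buf);
    free(buf);
    return rc;
}

/* The interposed symbol: char *nvram_get(const char *), the call nvram-faker
 * intercepts. Because this .so is loaded first, the dynamic linker resolves the
 * firmware's nvram_get here instead of in its libnvram. A hit returns the
 * configured value; a miss logs in red and returns NULL, which is what the
 * real library returns for an unset key. */
char *nvram_get(const char *key)
{
    for (int i = 0; i < nv_count; i++)
        if (strcmp(nv_table[i].key, key) == 0) {
            fprintf(stderr, "[nvram_get] %s=\"%s\"\n", key, nv_table[i].val);
            return nv_table[i].val;
        }
    fprintf(stderr, "\033[1;31m[nvram_get] %s  (MISSING from ini)\033[0m\n", key);
    return NULL;
}

/* Runs when the .so is preloaded: load NVRAM_INI, or ./nvram.ini if unset. */
__attribute__((constructor)) static void nvram_shim_init(void)
{
    const char *path = getenv("NVRAM_INI");
    if (!path) path = "nvram.ini";
    if (nvram_ini_load_file(path) < 0)
        fprintf(stderr, "[nvram_shim] cannot open %s; every query will miss\n", path);
}

/* Stand-alone demo with a constructed ini; the keys are illustrative only. */
int main(void)
{
    nvram_ini_load_string("# constructed sample\n"
                          "lan_ipaddr=192.168.1.1\n"
                          "http_passwd=password\n"
                          "lan_ipaddr=10.0.0.1\n");    /* overrides the first */
    const char *v = nvram_get("lan_ipaddr");             /* "10.0.0.1" */
    printf("lan_ipaddr -> %s\n", v ? v : "(null)");
    v = nvram_get("wan_proto");                          /* logged in red, NULL */
    printf("wan_proto -> %s\n", v ? v : "(null)");
    return 0;
}
```

Before relying on the shim, confirm with readelf or objdump on the target binary that nvram_get is resolved through the dynamic linker (an undefined symbol in the binary) rather than linked in statically; LD_PRELOAD only interposes dynamically resolved symbols. The red lines in the log are the guessing step the original author mentions: each one is a key to add to nvram.ini with a plausible value until the daemon gets past its startup checks.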