Messages - notsolowki

Hacking and Security / Uboot extracting firmware
« on: December 01, 2015, 02:52:28 pm »
Hi, I want to use U-Boot to extract firmware from my IP camera. I cannot get into a shell after the kernel boots, so I'm stuck with the "sf probe" and "tftp" commands. I can load the image into memory with the sf probe command. The problem is I don't understand memory addresses that well. I want to load the fs into memory and then upload it to my computer with tftp. Can someone help me figure out the command I would use with sf probe so I pick the right spots when loading the ROM into memory? Something like "sf probe 0;sf read 0x82000000 0x40000 0x370000"; I don't understand where to get the "0x40000" and "0x370000" from. So I'm going to paste a layout of the fs:



hisilicon # print
bootcmd=sf probe 0;sf read 84000000 770000 10000;logoload 84000000;decjpg;sf read 82000000 30000 400000;squashfsload 82000000;bootm 0x82000000
bootdelay=1
baudrate=115200
bootfile="uImage"
restore=1
da=mw.b 0x82000000 ff 1000000;tftp 0x82000000 u-boot.bin.img;sf probe 0;flwrite
du=mw.b 0x82000000 ff 1000000;tftp 0x82000000 user-x.cramfs.img;sf probe 0;flwrite
dr=mw.b 0x82000000 ff 1000000;tftp 0x82000000 romfs-x.cramfs.img;sf probe 0;flwrite
dw=mw.b 0x82000000 ff 1000000;tftp 0x82000000 web-x.cramfs.img;sf probe 0;flwrite
dl=mw.b 0x82000000 ff 1000000;tftp 0x82000000 logo-x.cramfs.img;sf probe 0;flwrite
dc=mw.b 0x82000000 ff 1000000;tftp 0x82000000 custom-x.cramfs.img;sf probe 0;flwrite
up=mw.b 0x82000000 ff 1000000;tftp 0x82000000 update.img;sf probe 0;flwrite
tk=mw.b 0x82000000 ff 1000000;tftp 0x82000000 zImage.img; bootm 0x82000000
dd=mw.b 0x82000000 ff 1000000;tftp 0x82000000 mtd-x.jffs2.img;sf probe 0;flwrite
ipaddr=192.168.1.10
serverip=192.168.1.1
netmask=255.255.255.0
gatewayip=192.168.0.1
ethaddr=00:0b:3f:00:00:01
bootargs=mem=96M console=ttyAMA0,115200 root=1f01 rootfstype=squashfs mtdparts=hi_sfc:192K(boot),1984K(romfs),3776K(usr),1664K(custom),64K(logo),512K(mtd)
appSystemLanguage=English
appVideoStandard=NTSC
stdin=serial
stdout=serial
stderr=serial
verify=n
ver=U-Boot 2010.06-svn198 (Dec 08 2014 - 13:02:43)


--------------------------------------------------------------------------------------------
U-Boot 2010.06-svn198 (Dec 08 2014 - 13:02:43)

Check spi flash controller v350... Found
Spi(cs1) ID: 0xC2 0x20 0x17 0xC2 0x20 0x17
Spi(cs1): Block:64KB Chip:8MB Name:"MX25L6406E"
envcrc 0xb0411110
ENV_SIZE = 0xfffc
In: serial
Out: serial
Err: serial
USB: scanning bus for devices... 1 USB Device(s) found
0 Storage Device(s) found
Press CTRL-C to abort autoboot in 0 seconds8192 KiB hi_sfc at 0:0 is now current device

CFG_BOOT_ADDR:0x0
0ff:0x84000000
### /UbootLogo UbootLogoload complete: 19650 bytes loaded to 0x8e800000
jpeg decoding ...
<<addr=0x8e800000, size=0xb85f9, vobuf=0x8e800000>>
<<imgwidth=800, imgheight=600, linebytes=1600>>
decode success!!!!
decode jpeg success.
decode jpeg!

srcAddr 0x82000000, dstAddr 0x82000000
find_squashfs_file: name bin, start_block 0, offset 1284, type 1
find_squashfs_file: name boot, start_block 0, offset 1376, type 1
read inode: name boot, sb 0, of 1376, type 1
find_squashfs_file: name zImage.img, start_block 0, offset 1316, type 2
read inode: name zImage.img, sb 0, of 1316, type 2
### FS load complete: 1613452 bytes loaded to 0x82000000
## Booting kernel from Legacy Image at 82000000 ...
Image Name: linux
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 1613388 Bytes = 1.5 MiB
Load Address: 80008000
Entry Point: 80008000
Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.


What would the commands be for my situation? sf probe 0; sf read 0x? 0x? 0x?

Thank you.
Also, when I use sasquatch I get:

user@user-Aurora:/sasquatch$ sasquatch /home/user/Desktop/romfs.squashfs
SquashFS version [2017.10187] / inode count [-26176739] suggests a SquashFS image of a different endianess
Non-standard SquashFS Magic: �ٝ�
Reading a different endian SQUASHFS filesystem on /home/user/Desktop/romfs.squashfs.

Filesystem on /home/user/Desktop/romfs.squashfs is (57607:52007), which is a later filesystem version than I support!

Can someone please shed some light on this? Thanks again.
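
Added example, not part of the original post: the flash offset and length arguments for "sf read" can be derived from the mtdparts string in bootargs, because each partition starts where the previous one ends. This Python sketch assumes the partitions are laid out back to back from offset 0 and reuses the 0x82000000 RAM address from the stock bootcmd; the function names are hypothetical.

```python
import re

# Values copied from the U-Boot output in the post.
MTDPARTS = "hi_sfc:192K(boot),1984K(romfs),3776K(usr),1664K(custom),64K(logo),512K(mtd)"
CHIP_SIZE = 8 * 1024 * 1024      # "Chip:8MB" in the boot log
LOAD_ADDR = 0x82000000           # RAM address used by the stock bootcmd

UNITS = {"": 1, "K": 1024, "M": 1024 * 1024}

def parse_mtdparts(spec):
    """Return (device, [(name, offset, size), ...]) for a simple mtdparts value.

    Handles only the form on this page: sizes with an optional K/M suffix and
    partitions laid out back to back from offset 0 (no '@offset' or '-').
    """
    device, _, body = spec.partition(":")
    parts, offset = [], 0
    for item in body.split(","):
        m = re.fullmatch(r"(\d+)([KkMm]?)\((\w+)\)", item.strip())
        if not m:
            raise ValueError(f"unsupported partition spec: {item!r}")
        size = int(m.group(1)) * UNITS[m.group(2).upper()]
        parts.append((m.group(3), offset, size))
        offset += size           # next partition starts where this one ends
    return device, parts

def sf_read_commands(parts, load_addr=LOAD_ADDR, chip_size=CHIP_SIZE):
    """Build one 'sf read <ram addr> <flash offset> <length>' line per partition."""
    cmds = {}
    for name, offset, size in parts:
        if offset + size > chip_size:
            raise ValueError(f"{name} runs past the end of the flash chip")
        cmds[name] = f"sf probe 0;sf read 0x{load_addr:08x} 0x{offset:x} 0x{size:x}"
    return cmds

if __name__ == "__main__":
    _, partitions = parse_mtdparts(MTDPARTS)
    for name, cmd in sf_read_commands(partitions).items():
        print(f"{name:8s} {cmd}")
```

The computed logo values (offset 0x770000, length 0x10000) and the romfs start (0x30000) agree with the offsets the stock bootcmd in the post already reads from, and the six partitions add up to the full 8 MB chip.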
