PAGalaxyLab / vxhunter

ToolSet for VxWorks Based Embedded Device Analyses
BSD 2-Clause "Simplified" License

Error occurred when analysing a TP-Link firmware #8

Closed cq674350529 closed 5 years ago

cq674350529 commented 5 years ago

Recently I used vxhunter to auto-analyse a binary file extracted from a TP-Link firmware. During the auto-rebase procedure, an error occurred.

Failed while executing plugin_t.run():
Traceback (most recent call last):
  File "D:/Program Files/IDA 7.0/plugins/vxhunter_ida.py", line 962, in run
    self.handler_auto_fix_idb()
  File "D:/Program Files/IDA 7.0/plugins/vxhunter_ida.py", line 820, in handler_auto_fix_idb
    self.fix_vxworks_idb(load_address, vx_version, symbol_table_start, symbol_table_end)
  File "D:/Program Files/IDA 7.0/plugins/vxhunter_ida.py", line 848, in fix_vxworks_idb
    symbol_table_end += load_address
TypeError: unsupported operand type(s) for +=: 'NoneType' and 'long'

It seems to be due to the lack of a symbol table.

Any advice would be appreciated! Thanks in advance.

PS: the related firmware is attached: firmware.zip

dark-lbp commented 5 years ago

Please try commit 4e2c83b0fab2bad2f460df5a163d5808c49777a3; it supports loading a VxWorks symbol file from firmware.

Step 1: Use binwalk to extract the firmware, then find the VxWorks image and the symbol file.

➜  tp-link binwalk -e TL-WDR7660_V1.0_2.0.16_Build_190325_Rel.71480n.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
512           0x200           uImage header, header size: 64 bytes, header CRC: 0xDEFB3DA, created: 2018-09-05 07:32:57, image size: 48928 bytes, Data Address: 0x41C00000, Entry Point: 0x41C00000, data CRC: 0x2A36A3AD, OS: Firmware, CPU: ARM, image type: Standalone Program, compression type: lzma, image name: "U-Boot 2014.04-rc1-gdbb6e75-dirt]"
576           0x240           LZMA compressed data, properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: -1 bytes
66560         0x10400         LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 3580296 bytes

Go to the extracted folder: file 10400 is the VxWorks image, and file 140B96 is the VxWorks symbol file.

Step 2: Load the VxWorks image at address 0x00, then load the symbol file. VxHunter will rebase the image to the correct loading address and load the symbols from the VxWorks symbol file.

(image) Choose the extracted VxWorks symbol file 140B96. (image) Wait for VxHunter to finish analysing, and have fun ^ ^ (image)
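A worked illustration of the rebase step in Step 2 and of the missing-symbol-table failure in the traceback above, added here as an example that is not part of vxhunter or this thread; the 16-byte entry layout, the 0x05 type flag and the sample image are constructed assumptions, not vxhunter's real format:

```python
import struct

# Assumed simplified VxWorks 5.x-style symbol entry, 16 bytes little-endian:
# next(4) name_ptr(4) value(4) type(1) pad(1) group(2). Layout and sample
# image are constructed for this example, not taken from vxhunter.
ENTRY = struct.Struct("<IIIBBH")

def string_starts(image):
    """File offsets of NUL-terminated printable strings (candidate symbol names)."""
    starts, start = [], 0
    for i, b in enumerate(image):
        if b == 0:
            if i > start and all(0x20 <= c < 0x7f for c in image[start:i]):
                starts.append(start)
            start = i + 1
    return starts

def recover_load_address(image, table_off, count):
    """Pick the base for which every entry's name pointer lands on a string
    start: base = name_ptr - file_offset_of_name (lowest candidate wins)."""
    entries = [ENTRY.unpack_from(image, table_off + i * ENTRY.size)
               for i in range(count)]
    starts = string_starts(image)
    for s in starts:
        base = entries[0][1] - s
        if base >= 0 and all((e[1] - base) in starts for e in entries):
            return base
    return None

def rebase_symbol_table(load_address, table_start, table_end):
    """The step that raised TypeError in the issue: return None when no
    symbol table was located instead of adding load_address to None."""
    if table_start is None or table_end is None:
        return None
    return table_start + load_address, table_end + load_address

def build_sample_image(base=0x40205000, str_off=0x100, table_off=0x200):
    """Constructed image: a string table at str_off, symbol entries at table_off."""
    names = [b"_vxWorksVersion", b"sysInit", b"printf"]
    image = bytearray(table_off + len(names) * ENTRY.size + 0x10)
    name_ptr, pos = base + str_off, str_off
    for i, n in enumerate(names):
        image[pos:pos + len(n)] = n            # NUL terminator is already zero
        pos += len(n) + 1
        # type 0x05: assumed SYM_GLOBAL | SYM_TEXT for a code symbol
        ENTRY.pack_into(image, table_off + i * ENTRY.size,
                        0, name_ptr, base + 0x1000 * (i + 1), 0x05, 0, 0)
        name_ptr += len(n) + 1
    return bytes(image), table_off, len(names)
```

Running recover_load_address on the constructed image yields 0x40205000, the base the image was built with; rebase_symbol_table then shifts the table's file offsets by that base and declines cleanly when the locator returned None.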

cq674350529 commented 5 years ago

@dark-lbp Thanks! It works for me.

zhjygit commented 1 year ago

Can you give me the vxhunter file for IDA? I have fixed some errors of the python script, but got no results after a long run. For example, is it necessary to add base values like "known_address = [0x40205000, 0x80002000, 0x10000, 0x1000, 0xf2003fe4, 0x100000, 0x107fe0]"? However, I cannot find the 0x40205000 base address manually.

dark-lbp commented 1 year ago

> Can you give me the vxhunter file for IDA? I have fixed some errors of the python script, but got no results after a long run. For example, is it necessary to add base values like "known_address = [0x40205000, 0x80002000, 0x10000, 0x1000, 0xf2003fe4, 0x100000, 0x107fe0]"? However, I cannot find the 0x40205000 base address manually.

You mean the firmware @cq674350529 used?