liyansong2018 / firmware-analysis-plus

Simulate firmware with one click using firmadyne
MIT License

Errors start right after "Setting up the network connection, please standby..."; could an expert please take a look at where the problem is? #24

Closed huahai111 closed 2 years ago

huahai111 commented 2 years ago

./fat.py -q ./2.5.0/ ./testcases/wnap320_V3.7.11.4_firmware.tar

    ______   _                ___                 
    |  ___| (_)              / _ \                
    | |_     _   _ __ ___   / /_\ \  _ __    ___  
    |  _|   | | | '_ ` _ \  |  _  | | '_ \  / __| ++
    | |     | | | | | | | | | | | | | | | | \__ \ 
    \_|     |_| |_| |_| |_| \_| |_/ |_| |_| |___/

            Welcome to the Firmware Analysis Plus - v2.1

By lys - https://github.com/liyansong2018/firmware-analysis-plus | @liyansong

[+] Firmware: wnap320_V3.7.11.4_firmware.tar
[+] Extracting the firmware...
[+] Image ID: 3
[+] Identifying architecture...
[+] Architecture: mipseb
[+] Building QEMU disk image...
[+] Setting up the network connection, please standby...
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/pexpect/spawnbase.py", line 150, in read_nonblocking
    s = os.read(self.child_fd, size)
OSError: [Errno 5] Input/output error

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/pexpect/expect.py", line 99, in expect_loop
    incoming = spawn.read_nonblocking(spawn.maxread, timeout)
  File "/usr/lib/python3/dist-packages/pexpect/pty_spawn.py", line 465, in read_nonblocking
    return super(spawn, self).read_nonblocking(size)
  File "/usr/lib/python3/dist-packages/pexpect/spawnbase.py", line 155, in read_nonblocking
    raise EOF('End Of File (EOF). Exception style platform.')
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./fat.py", line 184, in <module>
    main()
  File "./fat.py", line 179, in main
    infer_network(arch, image_id, qemu_dir)
  File "./fat.py", line 124, in infer_network
    child.expect_exact("Interfaces:", timeout=None)
  File "/usr/lib/python3/dist-packages/pexpect/spawnbase.py", line 390, in expect_exact
    return exp.expect_loop(timeout)
  File "/usr/lib/python3/dist-packages/pexpect/expect.py", line 105, in expect_loop
    return self.eof(e)
  File "/usr/lib/python3/dist-packages/pexpect/expect.py", line 50, in eof
    raise EOF(msg)
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.
<pexpect.pty_spawn.spawn object at 0x7f04f6df1438>
command: /home/huahai/firmware-analysis-plus/firmadyne/scripts/inferNetwork.sh
args: ['/home/huahai/firmware-analysis-plus/firmadyne/scripts/inferNetwork.sh', '3', 'mipseb']
buffer (last 100 chars): b''
before (last 100 chars): b"icodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 8914: ordinal not in range(128)\r\n"
after: <class 'pexpect.exceptions.EOF'>
match: None
match_index: None
exitstatus: None
flag_eof: True
pid: 3961
child_fd: 5
closed: False
timeout: 30
delimiter: <class 'pexpect.exceptions.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
searcher: searcher_string:
    0: "b'Interfaces:'"

liyansong2018 commented 2 years ago

It looks like it is related to the network interface. Run reset.py and then try again. Also, the new version of this tool does not support Ubuntu.
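An added example, not code from firmware-analysis-plus or from either participant. The traceback above ends with `before (last 100 chars): ... UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 ...` and `flag_eof: True` with `match: None`: the child started by inferNetwork.sh died before it ever printed `Interfaces:`, so fat.py's `child.expect_exact("Interfaces:", timeout=None)` reports only a bare pexpect EOF and the real cause sits in `before`. The wrapper below runs a helper script, decodes its output with `errors="replace"` so non-ASCII bytes cannot cause a second decode failure, and raises an error carrying the child's last lines when the marker never appears. The marker `Interfaces:` and the `[('brtrunk', '192.168.0.100')]` list shape are taken from this thread; `subprocess` is used in place of pexpect, and the two children are constructed `python -c` stand-ins for inferNetwork.sh so the example runs offline.

```python
"""Run a helper script, wait for a marker line, and surface the child's own
error when the marker never appears (added example; stand-in children)."""
import ast
import subprocess
import sys

MARKER = "Interfaces:"   # the line fat.py waits for (seen in the traceback above)


class HelperFailed(RuntimeError):
    """Raised when the helper exits without printing the marker."""


def run_helper(argv, marker=MARKER, tail_lines=5):
    """Run argv, return the text after `marker` on the first line containing it.

    stderr is merged into stdout so a child's Python traceback is captured.
    """
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    # errors="replace": a stray non-ASCII byte in the child's log (the 0xc2 in
    # the thread) must not turn into a UnicodeDecodeError in the parent.
    text = proc.stdout.decode("utf-8", errors="replace")
    for line in text.splitlines():
        if marker in line:
            return line.split(marker, 1)[1].strip()
    tail = "\n".join(text.splitlines()[-tail_lines:])
    raise HelperFailed(
        f"{argv[0]} exited with status {proc.returncode} without printing "
        f"{marker!r}; last output lines:\n{tail}")


def parse_interfaces(payload):
    """Turn "[('brtrunk', '192.168.0.100')]" into a list of (name, ip) tuples."""
    return [(str(name), str(ip)) for name, ip in ast.literal_eval(payload)]


def infer_network(argv):
    """Equivalent of fat.py's infer_network step, with the failure surfaced."""
    return parse_interfaces(run_helper(argv))


def python_child(code):
    """Constructed stand-in for inferNetwork.sh: run a snippet as the child."""
    return [sys.executable, "-c", code]


# Healthy child: prints the marker line the way the thread shows it.
GOOD_CHILD = python_child(
    "print('Querying database for network interfaces...')\n"
    "print(\"Interfaces: [('brtrunk', '192.168.0.100')]\")")

# Failing child, modelled on the thread: emits a non-ASCII byte, then dies
# with a UnicodeDecodeError before any marker is printed.
BAD_CHILD = python_child(
    "import sys\n"
    "sys.stdout.buffer.write(b'log line with \\xc2\\xa0 non-ascii byte\\n')\n"
    "sys.stdout.flush()\n"
    "raise UnicodeDecodeError('ascii', b'\\xc2', 0, 1, 'ordinal not in range(128)')")

if __name__ == "__main__":
    print(infer_network(GOOD_CHILD))
    try:
        infer_network(BAD_CHILD)
    except HelperFailed as exc:
        print(exc)
```

With the failing child the exception text contains the child's own `UnicodeDecodeError` line, which is what the `before` buffer in the traceback above was trying to tell the user; with pexpect the same effect is obtained by catching `pexpect.EOF` and printing `child.before` instead of letting the EOF propagate.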

huahai111 commented 2 years ago

./fat1.py -q ./2.5.0/ ./testcases/wnap320_V3.7.11.4_firmware.tar

    ______   _                ___                 
    |  ___| (_)              / _ \                
    | |_     _   _ __ ___   / /_\ \  _ __    ___  
    |  _|   | | | '_ ` _ \  |  _  | | '_ \  / __| ++
    | |     | | | | | | | | | | | | | | | | \__ \ 
    \_|     |_| |_| |_| |_| \_| |_/ |_| |_| |___/

            Welcome to the Firmware Analysis Plus - v2.1

By lys - https://github.com/liyansong2018/firmware-analysis-plus | @liyansong

[+] Firmware: wnap320_V3.7.11.4_firmware.tar
[+] Extracting the firmware...
[+] Image ID: 4
[+] Identifying architecture...
[+] Architecture: mipseb
[+] Building QEMU disk image...
[+] Setting up the network connection, please standby...
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/pexpect/spawnbase.py", line 150, in read_nonblocking
    s = os.read(self.child_fd, size)
OSError: [Errno 5] Input/output error

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/pexpect/expect.py", line 99, in expect_loop
    incoming = spawn.read_nonblocking(spawn.maxread, timeout)
  File "/usr/lib/python3/dist-packages/pexpect/pty_spawn.py", line 465, in read_nonblocking
    return super(spawn, self).read_nonblocking(size)
  File "/usr/lib/python3/dist-packages/pexpect/spawnbase.py", line 155, in read_nonblocking
    raise EOF('End Of File (EOF). Exception style platform.')
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./fat1.py", line 182, in <module>
    main()
  File "./fat1.py", line 177, in main
    infer_network(arch, image_id, qemu_dir)
  File "./fat1.py", line 122, in infer_network
    child.expect_exact("Interfaces:", timeout=None)
  File "/usr/lib/python3/dist-packages/pexpect/spawnbase.py", line 390, in expect_exact
    return exp.expect_loop(timeout)
  File "/usr/lib/python3/dist-packages/pexpect/expect.py", line 105, in expect_loop
    return self.eof(e)
  File "/usr/lib/python3/dist-packages/pexpect/expect.py", line 50, in eof
    raise EOF(msg)
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.
<pexpect.pty_spawn.spawn object at 0x7fb3060694e0>
command: /home/huahai/firmware-analysis-plus/firmadyne/scripts/inferNetwork.sh
args: ['/home/huahai/firmware-analysis-plus/firmadyne/scripts/inferNetwork.sh', '4', 'mipseb']
buffer (last 100 chars): b''
before (last 100 chars): b"icodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 8914: ordinal not in range(128)\r\n"
after: <class 'pexpect.exceptions.EOF'>
match: None
match_index: None
exitstatus: None
flag_eof: True
pid: 2869
child_fd: 5
closed: False
timeout: 30
delimiter: <class 'pexpect.exceptions.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
searcher: searcher_string:
    0: "b'Interfaces:'"

Hello, I looked through the other issues; this run used the v0.1 script after swapping it in. I am on Ubuntu 16.04, and after running reset the problem above still occurs. I also tried setting it up on Kali, but strangely the extraction step already reports an error there. I tried reinstalling binwalk, but several dependencies keep failing; when I switch the package source, it says the new source is insecure and disables it automatically. I looked for ways to re-enable a disabled source on Kali, but that did not work either. It feels like I am stuck in a loop...

liyansong2018 commented 2 years ago

Don't worry. Precisely because many people reported that the binwalk installation fails, firmware-analysis-plus later added a mode that does not need binwalk.

huahai111 commented 2 years ago

OK, thank you very much. I did a fresh install of kali-2020.04 and got it configured.

./fat.py -q ./2.5.0/ ./testcases/wnap320_V3.7.11.4_firmware.tar

            ______   _                ___                 
            |  ___| (_)              / _ \                
            | |_     _   _ __ ___   / /_\ \  _ __    ___  
            |  _|   | | | '_ ` _ \  |  _  | | '_ \  / __| ++
            | |     | | | | | | | | | | | | | | | | \__ \ 
            \_|     |_| |_| |_| |_| \_| |_/ |_| |_| |___/

            Welcome to the Firmware Analysis Plus - v2.1

By lys - https://github.com/liyansong2018/firmware-analysis-plus | @liyansong

[+] Firmware: wnap320_V3.7.11.4_firmware.tar
[+] Extracting the firmware...
[+] Image ID: 3
[+] Identifying architecture...
[+] Architecture: mipseb
[+] Building QEMU disk image...
[+] Setting up the network connection, please standby...
[+] Network interfaces: [('brtrunk', '192.168.0.100')]
[+] Using qemu-system-mips from /home/kali/桌面/firmware-analysis-plus/qemu-builds/2.5.0
[+] All set! Press ENTER to run the firmware...
[+] When running, press Ctrl + A X to terminate qemu

I would also like to ask: after the shell below appears, other output starts scrolling. Is that normal?

Welcome to SDK.

Have a lot of fun...

netgear123456 login: a[ 148.452000] do_page_fault() #2: sending SIGSEGV to hostapd_tr for invalid read access from
[ 148.452000] 00000004 (epc == 2b7f7810, ra == 00417768)
[ 148.452000] Cpu 0
[ 148.452000] $ 0 : 00000000 1000a400 00000004 00000000
[ 148.452000] $ 4 : 00000004 0041b178 00000000 00000001
[ 148.452000] $ 8 : 2b820004 006d70b8 00000031 fffffff0

So I have no time to type anything before it is skipped. I tested that opening 192.168.0.100 in a browser does let me log in.

The actual run looks like this; these messages repeat over and over:

[ 430.008000] do_page_fault() #2: sending SIGSEGV to hostapd_tr for invalid read access from
[ 430.008000] 00000004 (epc == 2b02a810, ra == 00417768)
[ 430.008000] Cpu 0
[ 430.008000] $ 0 : 00000000 1000a400 00000004 00000000
[ 430.008000] $ 4 : 00000004 0041b178 00000000 00000001
[ 430.008000] $ 8 : 2b053004 00b130b8 00000031 fffffff0
[ 430.008000] $12 : 8fbe7eb0 00000234 06ca3695 2b007578
[ 430.008000] $16 : 7f9550c0 7f954f50 7ff6c7e4 ffffffff
[ 430.008000] $20 : 7f955014 00401a08 00000001 00401bc0
[ 430.008000] $24 : 00000000 2b02a810
[ 430.008000] $28 : 00437080 7f9549a0 7f9549a0 00417768
[ 430.008000] Hi : 00000005
[ 430.008000] Lo : 19999999
[ 430.008000] epc : 2b02a810 0x2b02a810
[ 430.008000] Not tainted
[ 430.008000] ra : 00417768 0x417768
[ 430.008000] Status: 0000a413 USER EXL IE
[ 430.008000] Cause : 10800008
[ 430.008000] BadVA : 00000004
[ 430.008000] PrId : 00019300 (MIPS 24Kc)
[ 430.008000] Modules linked in:
[ 430.008000] Process hostapd_tr (pid: 14914, threadinfo=8fbe6000, task=8f0d2550, tls=00000000)
[ 430.008000] Stack : 704c6973 743a6b6e 6f776e41 70546162 00437080 6c616e30 00000000 79737465
[ 430.008000] 6d3a6163 63657373 7f9549d0 0040295c 0041b178 0041b428 776c616e 41636365
[ 430.008000] 00437080 2f61702e 636f6e66 2e776966 69302e74 656d7000 3020740a 73797374
[ 430.012000] 656d3a64 756d7041 70436f6e 6669674c 6f675365 7474696e 67732074 0a737973
[ 430.012000] 74656d3a 64756d70 4170436f 6e666967 4c6f6753 65747469 6e67733a 64756d70
[ 430.012000] ...
[ 430.012000] Call Trace:
[ 430.012000]
[ 430.012000]
[ 430.012000] Code: 00000000 00000000 00000000
[ 430.012000] 90a20000 24840001 14600003 24a50001 03e00008
[ 430.012000] hostapd_tr/14914: potentially unexpected fatal signal 11.
[ 430.012000]
[ 430.012000] Cpu 0
[ 430.012000] $ 0 : 00000000 1000a400 00000004 00000000
[ 430.012000] $ 4 : 00000004 0041b178 00000000 00000001
[ 430.012000] $ 8 : 2b053004 00b130b8 00000031 fffffff0
[ 430.016000] $12 : 8fbe7eb0 00000234 06ca3695 2b007578
[ 430.016000] $16 : 7f9550c0 7f954f50 7ff6c7e4 ffffffff
[ 430.016000] $20 : 7f955014 00401a08 00000001 00401bc0
[ 430.016000] $24 : 00000000 2b02a810
[ 430.016000] $28 : 00437080 7f9549a0 7f9549a0 00417768
[ 430.016000] Hi : 00000005
[ 430.016000] Lo : 19999999
[ 430.016000] epc : 2b02a810 0x2b02a810
[ 430.016000] Not tainted
[ 430.016000] ra : 00417768 0x417768
[ 430.016000] Status: 0000a413 USER EXL IE
[ 430.016000] Cause : 10800008
[ 430.016000] BadVA : 00000004
[ 430.016000] PrId : 00019300 (MIPS 24Kc)
[ 430.020000] hostapd_tr/14909: potentially unexpected fatal signal 11.
[ 430.020000]
[ 430.020000] Cpu 0
[ 430.020000] $ 0 : 00000000 1000a400 00000004 00000000
[ 430.020000] $ 4 : 00000004 0041b178 00000000 00000001
[ 430.020000] $ 8 : 2b7f9004 004f80b8 00000031 fffffff0
[ 430.020000] $12 : 8fb63eb0 00000234 06ca3695 2b7ad578
[ 430.020000] $16 : 7f803df0 7f803c80 7ff6c7e4 ffffffff
[ 430.020000] $20 : 7f803d44 00401a08 00000001 00401bc0
[ 430.024000] $24 : 00000002 2b7d0810
[ 430.024000] $28 : 00437080 7f8036d0 7f8036d0 00417768
[ 430.024000] Hi : 00000005
[ 430.024000] Lo : 19999999
[ 430.024000] epc : 2b7d0810 0x2b7d0810
[ 430.024000] Not tainted
[ 430.024000] ra : 00417768 0x417768
[ 430.024000] Status: 0000a413 USER EXL IE
[ 430.024000] Cause : 10800008
[ 430.024000] BadVA : 00000004
[ 430.024000] PrId : 00019300 (MIPS 24Kc)

Is something wrong somewhere? Could you please take a look?
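An added example, not from the original thread or from firmware-analysis-plus: a small triage parser for the MIPS `do_page_fault()` messages that the emulated WNAP320 firmware keeps printing on its serial console, both in the post above and in the later one that repeats the same `sending SIGSEGV to hostapd_tr` lines. It pairs each `sending SIGSEGV to <proc> for invalid <read|write> access from` header with the following `<badva> (epc == ..., ra == ...)` line, collects the `potentially unexpected fatal signal` lines, and groups faults by process, access type, faulting address and return address. Grouping on `ra` rather than `epc` is deliberate: in the dumps above `ra` is always `00417768` and `BadVA` always `00000004`, while `epc` changes between runs (`2b7f7810`, `2b02a810`, `2b7d0810`), which is what one sees when a fixed call site in the main binary (loaded at 0x400000) calls into a shared library whose load address differs per process. The sample log is constructed from lines shown in this thread, abbreviated, with the timestamps and addresses as printed there.

```python
"""Triage parser for MIPS do_page_fault() console messages (added example)."""
import re
from collections import defaultdict

# Constructed sample: header/address pairs and fatal-signal lines lifted from
# the console output in this thread, abbreviated.
SAMPLE_LOG = """\
[ 148.452000] do_page_fault() #2: sending SIGSEGV to hostapd_tr for invalid read access from
[ 148.452000] 00000004 (epc == 2b7f7810, ra == 00417768)
[ 148.452000] Cpu 0
[ 430.008000] do_page_fault() #2: sending SIGSEGV to hostapd_tr for invalid read access from
[ 430.008000] 00000004 (epc == 2b02a810, ra == 00417768)
[ 430.008000] Cpu 0
[ 430.008000] BadVA : 00000004
[ 430.012000] hostapd_tr/14914: potentially unexpected fatal signal 11.
[ 430.020000] hostapd_tr/14909: potentially unexpected fatal signal 11.
[ 430.024000] epc : 2b7d0810 0x2b7d0810
"""

TS = r"\[\s*(?P<ts>\d+\.\d+)\]\s*"
FAULT_RE = re.compile(
    TS + r"do_page_fault\(\) #\d+: sending (?P<sig>SIG\w+) to (?P<proc>\S+) "
    r"for invalid (?P<access>read|write) access from\s*$")
ADDR_RE = re.compile(
    TS + r"(?P<badva>[0-9a-f]{8}) \(epc == (?P<epc>[0-9a-f]{8}), "
    r"ra == (?P<ra>[0-9a-f]{8})\)")
FATAL_RE = re.compile(
    TS + r"(?P<proc>[^/\s]+)/(?P<pid>\d+): potentially unexpected fatal "
    r"signal (?P<signum>\d+)\.")


def parse_faults(text):
    """Return one dict per fault: ts, sig, proc, access, badva, epc, ra."""
    faults, pending = [], None
    for line in text.splitlines():
        m = FAULT_RE.match(line)
        if m:
            pending = m.groupdict()      # header line; address follows
            continue
        m = ADDR_RE.match(line)
        if m and pending is not None:
            pending.update(badva=int(m["badva"], 16), epc=int(m["epc"], 16),
                           ra=int(m["ra"], 16))
            faults.append(pending)
            pending = None
    return faults


def parse_fatal_signals(text):
    """Return (proc, pid, signal) for each 'potentially unexpected fatal signal' line."""
    return [(m["proc"], int(m["pid"]), int(m["signum"]))
            for m in map(FATAL_RE.match, text.splitlines()) if m]


def summarize(faults):
    """Group by (proc, access, badva, ra); keep a count and the set of epcs."""
    groups = defaultdict(lambda: {"count": 0, "epcs": set()})
    for f in faults:
        g = groups[(f["proc"], f["access"], f["badva"], f["ra"])]
        g["count"] += 1
        g["epcs"].add(f["epc"])
    return dict(groups)


def describe(key, info):
    proc, access, badva, ra = key
    if badva < 0x1000:
        where = "near-NULL %s at offset 0x%x" % (access, badva)
    else:
        where = "invalid %s of 0x%08x" % (access, badva)
    if len(info["epcs"]) > 1:
        site = ("epc varies over %d values while ra is fixed at 0x%08x: the fault "
                "is in code mapped at a changing base (likely a shared library) "
                "called from that fixed site in %s" % (len(info["epcs"]), ra, proc))
    else:
        site = "epc 0x%08x, ra 0x%08x" % (next(iter(info["epcs"])), ra)
    return "%s: %d x %s; %s" % (proc, info["count"], where, site)


def triage_report(text):
    lines = [describe(k, v) for k, v in summarize(parse_faults(text)).items()]
    killed = parse_fatal_signals(text)
    if killed:
        lines.append("processes killed: " + ", ".join(
            "%s/%d (signal %d)" % k for k in killed))
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(SAMPLE_LOG))
```

Feed it the full console capture (for example the serial log saved from the fap window) and a single repeating group with a stable `ra` and `BadVA` is the signature of one deterministic crash being restarted, which is the situation in this thread, whereas many distinct keys would point at broader instability.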

huahai111 commented 2 years ago

I uninstalled the binwalk that ships with kali2020.04 and reinstalled it, but ./desp reported errors partway through. Could an incomplete binwalk installation be what makes the shell keep scrolling output?

huahai111 commented 2 years ago

I installed the binwalk package manually, and it still shows:

[ 430.008000] do_page_fault() #2: sending SIGSEGV to hostapd_tr for invalid read access from
[ 430.008000] 00000004 (epc == 2b02a810, ra == 00417768)
[ 430.008000] Cpu 0
[ 430.008000] $ 0 : 00000000 1000a400 00000004 00000000
[ 430.008000] $ 4 : 00000004 0041b178 00000000 00000001
[ 430.008000] $ 8 : 2b053004 00b130b8 00000031 fffffff0
......

These keep appearing after I press Enter, roughly once every 3-4 seconds, so I cannot type anything into the shell.

huahai111 commented 2 years ago

I extracted the firmware with binwalk by hand, repacked the filesystem root directory, and used the no-binwalk mode; after pressing Enter the shell output described above still appears.

./fat.py -q ./2.5.0/ -b 0 ./testcases/test.tar.gz

            ______   _                ___                 
            |  ___| (_)              / _ \                
            | |_     _   _ __ ___   / /_\ \  _ __    ___  
            |  _|   | | | '_ ` _ \  |  _  | | '_ \  / __| ++
            | |     | | | | | | | | | | | | | | | | \__ \ 
            \_|     |_| |_| |_| |_| \_| |_/ |_| |_| |___/

            Welcome to the Firmware Analysis Plus - v2.1

By lys - https://github.com/liyansong2018/firmware-analysis-plus | @liyansong

[+] Firmware: test.tar.gz
[+] Extracting the firmware...
[+] Cleaning previous images and created files by firmadyne
[+] All done. Go ahead and run fat.py to continue firmware analysis
[+] Image ID: 1
[+] Identifying architecture...
[+] Architecture: mipseb
[+] Building QEMU disk image...
[+] Setting up the network connection, please standby...
[+] Network interfaces: [('brtrunk', '192.168.0.100')]
[+] Using qemu-system-mips from /home/kali/桌面/firmware-analysis-plus/qemu-builds/2.5.0
[+] All set! Press ENTER to run the firmware...
[+] When running, press Ctrl + A X to terminate qemu

liyansong2018 commented 2 years ago

This is normal. Different firmware images produce different errors, because every image is different and the emulator cannot solve problems related to hardware drivers. It does not affect the main functionality, though.

As for the shell you mention, i.e. the serial console being swamped by error logs: you can put a busybox into the firmware and add `busybox telnetd` to the startup items, so that you can log in remotely.
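An added example, not code from firmware-analysis-plus or from the maintainer, of the suggestion above: stage a busybox binary into an extracted root filesystem and start `busybox telnetd` at boot, so a shell is reachable over the network even when the serial console is drowned in kernel messages. Assumptions that the reply does not state: the root filesystem is already extracted to a directory, the init script to patch is `etc/init.d/rcS` (change `INIT_SCRIPT` for firmware that boots differently), and the busybox you copy in is statically linked for the target (mipseb here). `telnetd -l /bin/sh` gives a shell with no login at all, which is fine inside an isolated emulation and must never be left in real firmware. The demo rootfs built by `make_demo_rootfs` is a constructed stand-in, and its "busybox" is a placeholder file, not a real binary.

```python
"""Stage busybox into an extracted rootfs and start telnetd at boot (added example)."""
import os
import shutil
import stat

INIT_SCRIPT = "etc/init.d/rcS"          # assumed init script; adjust per firmware
DEST = "bin/busybox"
TELNETD_LINE = "/bin/busybox telnetd -l /bin/sh &\n"   # no login prompt: emulation only


def add_telnetd(rootfs, busybox_src, init_script=INIT_SCRIPT):
    """Copy busybox_src to <rootfs>/bin/busybox, mark it executable, and append
    the telnetd line to the init script exactly once. Returns the script path."""
    dest = os.path.join(rootfs, DEST)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.copyfile(busybox_src, dest)
    os.chmod(dest, os.stat(dest).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)

    script = os.path.join(rootfs, init_script)
    if not os.path.exists(script):
        raise FileNotFoundError(
            f"{init_script} not found under {rootfs}; point init_script at the "
            "script this firmware really runs at boot")
    # errors="replace": vendor rc scripts are not always clean UTF-8, and we
    # only read the file to decide whether the line is already present.
    with open(script, "r+", encoding="utf-8", errors="replace") as fh:
        content = fh.read()
        if TELNETD_LINE.strip() not in content:          # idempotent
            if content and not content.endswith("\n"):
                fh.write("\n")
            fh.write(TELNETD_LINE)                        # position is at EOF after read()
    return script


def has_telnetd(rootfs, init_script=INIT_SCRIPT):
    """True when the init script already starts busybox telnetd."""
    with open(os.path.join(rootfs, init_script), encoding="utf-8", errors="replace") as fh:
        return TELNETD_LINE.strip() in fh.read()


def make_demo_rootfs(base):
    """Constructed stand-in for an extracted firmware rootfs: a minimal tree
    with an rcS and a placeholder 'busybox' file (not a real binary)."""
    rootfs = os.path.join(base, "rootfs")
    os.makedirs(os.path.join(rootfs, "etc", "init.d"))
    with open(os.path.join(rootfs, INIT_SCRIPT), "w", encoding="utf-8") as fh:
        fh.write("#!/bin/sh\nmount -t proc proc /proc\n")
    busybox = os.path.join(base, "busybox-mipseb")
    with open(busybox, "wb") as fh:
        fh.write(b"\x7fELF placeholder, not a real binary")
    return rootfs, busybox


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        rootfs, busybox = make_demo_rootfs(tmp)
        add_telnetd(rootfs, busybox)
        with open(os.path.join(rootfs, INIT_SCRIPT), encoding="utf-8") as fh:
            print(fh.read())
```

After patching, repack the directory into the tarball that fat.py's no-binwalk mode accepts and, once the emulated device is up, connect with `telnet 192.168.0.100` using the interface address fap prints; the serial window can then be left to the kernel noise.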

liyansong2018 commented 2 years ago

The fap window is the emulated router's serial port, and not every firmware's serial port provides a shell; for some firmware, after emulation you can only see the printed logs and cannot type. In that case you need the method I mentioned above.

The TL_WR802N_debug.tar.gz firmware shipped with firmware-analysis-plus 2.1 is a good case study. You can use that firmware to learn.

huahai111 commented 2 years ago

OK, thanks for the reply. Also, I would like to fuzz inputs and debug these firmware images to get feedback such as error messages and crashes. How do I get into debugging with fap? Does fap have documentation for related features?

liyansong2018 commented 2 years ago

gdb remote debugging. I have added a gdbserver for mips and a busybox for mips to the firmware mentioned above, precisely to make debugging convenient. I will see whether I have time in the next couple of days; if so, I will add a wiki page.

huahai111 commented 2 years ago

OK, thank you.

liyansong2018 commented 2 years ago

For debugging, please refer to "固件远程登陆及二进制调试" (Remote firmware login and binary debugging).