In recent years, IoT devices have permeated every aspect of daily life and brought people great convenience. But because they carry the data and private information people generate every day, their security is drawing more and more attention. In the previous article we discussed controlling Xiaomi devices with scripts, which was a security analysis approached mainly from the traffic level; this article starts from the firmware and analyses its weaknesses.
Getting started
"To do a good job, one must first sharpen one's tools." Before starting properly, let's talk about building the firmware analysis environment, which mainly means installing binwalk. Because firmware is compressed and packaged in many different ways, installing with just apt install binwalk leaves many file system formats that cannot be unpacked; the various extraction plugins must be installed alongside it before the file system inside the firmware can be extracted correctly. For a full installation, refer to binwalk's official installation documentation. Doing this by hand every time is tedious, so I wrote an installation script that completes the installation automatically.
Also, since many dependency packages need to be installed and the apt sources that ship with Ubuntu are painfully slow to download from, they can be swapped for the Aliyun mirror, mainly following this article. But following the post step by step each time wastes a lot of time, so I also wrote a script that switches the sources automatically, shown below.
#!/bin/bash
# [*] change Ubuntu system sources to the Aliyun mirror
# Uncomment the ":<<BLOCK" / "BLOCK" pair to skip this section (a heredoc used as a block comment)
#:<<BLOCK
sudo mv /etc/apt/sources.list /etc/apt/sources.list.bak.1
# -s prints only the value (e.g. "bionic") instead of "Codename:<tab>bionic"
codename=$(lsb_release -sc)
echo "codename is $codename"
# "sudo echo ... >> file" does not work: the redirection is performed by the
# unprivileged shell, so write through "sudo tee -a" instead
for suite in "$codename" "$codename-security" "$codename-updates" "$codename-backports" "$codename-proposed"; do
    echo "deb http://mirrors.aliyun.com/ubuntu/ $suite main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list >/dev/null
    echo "deb-src http://mirrors.aliyun.com/ubuntu/ $suite main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list >/dev/null
done
sudo apt-get update
#BLOCK
# [*] change pip sources to the Aliyun mirror
# These files live in the user's home directory, so no sudo: creating them as
# root would leave pip.conf unwritable by the user and the appends would fail
mkdir -p ~/.pip
if [ -f ~/.pip/pip.conf ]; then
    mv ~/.pip/pip.conf ~/.pip/pip.conf.bak
fi
cat > ~/.pip/pip.conf <<EOF
[global]
index-url = https://mirrors.aliyun.com/pypi/simple
EOF
The script has two parts: first it swaps the Ubuntu system sources for the Aliyun mirror, generating an apt sources file tailored to the Ubuntu release's codename; then it swaps the pip index for the Aliyun mirror as well. After switching, installation was dozens of times faster.
Next comes the full installation of binwalk. I have already downloaded binwalk's install files and its related plugins from GitHub (they are bundled in the tool described later in this article), as shown below.
Figure: binwalk's install files and its related plugins
The install script is install_binwalk.sh, shown below; it follows the official installation procedure (the official ./deps.sh auto-install script exists, but it is very slow and not really usable). At present this script only works with Python 2.7.
#!/bin/bash
# Stop at the first failure so a failed "cd" does not run setup.py in the wrong directory
set -e
# dependencies
sudo apt -y install python-lzma python-crypto
sudo apt -y install libqt4-opengl python-opengl python-qt4 python-qt4-gl python-numpy python-scipy python-pip
sudo pip install pyqtgraph
sudo pip install capstone
# Install standard extraction utilities (required)
sudo apt -y install mtd-utils gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract cramfsswap squashfs-tools sleuthkit default-jdk lzop srecord
# Install binwalk from the source checkout (the apt package is not used)
#sudo apt-get install binwalk
cd binwalk
sudo python setup.py install
cd ..
# Install sasquatch to extract non-standard SquashFS images (required)
sudo apt -y install zlib1g-dev liblzma-dev liblzo2-dev
cd sasquatch && sudo ./build.sh
cd ..
# Install jefferson to extract JFFS2 file systems (optional)
sudo pip install cstruct
cd jefferson && sudo python setup.py install
cd ..
# Install ubi_reader to extract UBIFS file systems (optional)
sudo apt -y install liblzo2-dev python-lzo
cd ubi_reader && sudo python setup.py install
cd ..
# Install yaffshiv to extract YAFFS file systems (optional)
cd yaffshiv && sudo python setup.py install
cd ..
# Install unstuff (closed source) to extract StuffIt archive files
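As an added example (not code from the original post), here is a small POSIX shell script that checks the extractors the install script above sets up are really on PATH before running binwalk, since a missing plugin does not abort binwalk but simply leaves that file system type unextracted. The command names binwalk, sasquatch, jefferson, ubireader_extract_images and yaffshiv are assumptions about what each package installs.

```shell
#!/bin/sh
# Added example, not code from the original post: verify the extractors are
# present before extracting a firmware image. A plugin that is absent does
# not abort binwalk; that file system type is simply left unextracted.
# The command names below are assumptions about what each package installs.
REQUIRED_TOOLS="binwalk sasquatch"
OPTIONAL_TOOLS="jefferson ubireader_extract_images yaffshiv"

# Print the names in $1 that are not found on PATH, one per line.
missing_tools() {
    for tool in $1; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
}

# Run a recursive binwalk extraction of $1, but only when the required
# extractors are present; warn about optional ones that are missing.
extract_firmware() {
    fw="$1"
    if [ ! -f "$fw" ]; then
        echo "no such file: $fw" >&2
        return 2
    fi
    req_missing=$(missing_tools "$REQUIRED_TOOLS")
    if [ -n "$req_missing" ]; then
        echo "required extractors missing, refusing to run:" $req_missing >&2
        return 1
    fi
    for tool in $(missing_tools "$OPTIONAL_TOOLS"); do
        echo "warning: $tool not installed; its file system type will not be extracted" >&2
    done
    # -e extracts known signatures, -M recurses into whatever was extracted
    binwalk -Me "$fw"
}
```

Usage: source the file and call extract_firmware firmware.bin; the warnings on stderr tell you which optional file system types the environment cannot unpack yet.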