Xiaomi router firmware: unpacking and packing

From Jack's Lab

This page draws on carabob001's write-up on Xiaomi router firmware modification on this page, which saved a good deal of time; thanks to him!


1 Tools

Xiaomi wrote its own tool for packing and unpacking firmware. It is derived from trx (the container is still the trx format), with RSA verification and an unpack option added, and it ships inside the router's system:

root@XiaoQiang:/userdisk/rom/0.2.62$ mkxqimage -h
mkxqimage: invalid option -- h
Usage:
 mkxqimg [-o outfile] [-p private_key] [-f file] [-f file [-f file [-f file ]]]     -----> pack
         [-x file]                                                                  -----> unpack

Both when packing and when unpacking, mkxqimage reads this file: /usr/share/xiaoqiang/public.pem, an RSA public key in PEM format.

If the file is missing, it reports:

root@XiaoQiang:/userdisk/rom/0.2.62$ mv /usr/share/xiaoqiang/public.pem /
root@XiaoQiang:/userdisk/rom/0.2.62$ mkxqimage -x ../brcm4709_hdk_0.2.62.bin
error fopen public key 
Image verify failed, not formal image

When packing, the signature is written at the tail of the file; if verification fails, it reports:

root@XiaoQiang:/userdisk/rom/0.2.62$ mkxqimage -x ../brcm4709_hdk_0.2.62.bin
error PEM_read_RSAPublicKey
Image verify failed, not formal image


For the layout of Xiaomi router firmware, see this page: 小米路由固件格式 (Xiaomi router firmware format)



2 Unpacking

A successful unpack gives:

root@XiaoQiang:/userdisk/rom/0.2.62$ mkxqimage -x ../brcm4709_hdk_0.2.62.bin
-rw-r--r--    1 root     root      37199873 Nov 28 01:21 root.ext4.lzma
-rw-r--r--    1 root     root       2813952 Nov 28 01:21 vmlinuz.trx


The image can also be extracted with binwalk:

$ binwalk -e ../brcm4709_all_0de4_0.5.56.bin

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0         	0x0       	TRX firmware header, little endian, header size: 28 bytes, image size: 44577981 bytes, CRC32: 0x563BB3C0 flags: 0x3, version: 2
32        	0x20      	LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 134217728 bytes
33957053  	0x20624BD 	TRX firmware header, little endian, header size: 28 bytes, image size: 7761920 bytes, CRC32: 0x2FC538ED flags: 0x0, version: 1
33957081  	0x20624D9 	LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4456704 bytes
35814013  	0x2227A7D 	Squashfs filesystem, little endian, version 4.0, compression:lzma (non-standard type definition), size: 5902826 bytes, 1332 inodes, blocksize: 262144 bytes, created: Sat May 31 15:55:18 2014 
41718973  	0x27C94BD 	TRX firmware header, little endian, header size: 28 bytes, image size: 2859008 bytes, CRC32: 0x7EF15BCF flags: 0x0, version: 1
41719001  	0x27C94D9 	LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 5439744 bytes

$ ls
_brcm4709_all_0de4_0.5.56.bin.extracted

$ ls _brcm4709_all_0de4_0.5.56.bin.extracted/
20  20624D9  20624D9.7z  20.7z  2227A7D.squashfs  27C94D9  27C94D9.7z  squashfs-root
comcat@Pek-JJJ-d1:/work/openwrt/xiaomi/rom/0.5.56$ ls _brcm4709_all_0de4_0.5.56.bin.extracted/squashfs-root/
bin  data  dev  etc  lib  mnt  opt  overlay  proc  rom  root  sbin  sys  tmp  usr  var  www


For firmware such as 0.4.85, which carries a full 16 MB flash image, brcm4709_nor.bin:

root@XiaoQiang:/userdisk/rom/0.4.85# mkxqimage -x ../brcm4709_hdr_039ef_0.4.85.bin
root@XiaoQiang:/userdisk/rom/0.4.85# ls
brcm4709_nor.bin  root.ext4.lzma

the flash image needs a further split. How to do it is clear from the router's own /bin/flash.sh (the excerpt below starts at line 292 of that script):

        [ -f brcm${surfix_ver}_nor.bin ] && {
                dd if=brcm4709_nor.bin of=mice_cfe bs=64k count=4 >& /dev/null
                dd if=brcm4709_nor.bin of=vmlinuz.trx bs=64k count=48 skip=4 >& /dev/null
......

mice_cfe is the CFE bootloader image.

vmlinuz.trx is the kernel plus initramfs; for the detailed layout see 小米路由vmlinuz.trx格式解析 (analysis of the Xiaomi router vmlinuz.trx format).
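The two dd lines above fix the NOR layout: the first 4 × 64 KiB blocks are the CFE, and the next 48 × 64 KiB blocks (starting at block 4) are the kernel TRX. The following added example (not code from flash.sh or from Xiaomi) carves a raw NOR dump the same way in Python and then runs the sanity checks worth doing before trusting the carved vmlinuz.trx: that the slice begins with the TRX magic, that the length recorded in the TRX header fits inside the 3 MiB partition, and that everything after that length is erased flash (0xFF). The NOR image it works on is constructed in the code, with a placeholder CFE marker and a dummy kernel payload; the TRX header layout (magic HDR0, length, CRC32, flags, version, three partition offsets, 28 bytes in total, as binwalk reports above) is the standard TRX header and is assumed to apply to Xiaomi's vmlinuz.trx.

```python
import struct

# Partition geometry taken from the two dd lines of /bin/flash.sh quoted above:
#   dd if=brcm4709_nor.bin of=mice_cfe    bs=64k count=4          -> bytes [0, 256 KiB)
#   dd if=brcm4709_nor.bin of=vmlinuz.trx bs=64k count=48 skip=4  -> bytes [256 KiB, 3.25 MiB)
BLOCK = 64 * 1024
CFE_START, CFE_LEN = 0, 4 * BLOCK
KERNEL_START, KERNEL_LEN = 4 * BLOCK, 48 * BLOCK

TRX_MAGIC = b"HDR0"          # assumption: standard TRX magic, as binwalk identifies above
TRX_HDR_FMT = "<4sIIHHIII"   # magic, length, crc32, flags, version, 3 partition offsets
TRX_HDR_LEN = struct.calcsize(TRX_HDR_FMT)  # 28 bytes, matching binwalk's "header size"


def slice_nor_image(nor: bytes) -> dict:
    """Carve the same two pieces flash.sh produces with dd."""
    if len(nor) < KERNEL_START + KERNEL_LEN:
        raise ValueError(f"NOR image too short: {len(nor)} bytes")
    return {
        "mice_cfe": nor[CFE_START:CFE_START + CFE_LEN],
        "vmlinuz.trx": nor[KERNEL_START:KERNEL_START + KERNEL_LEN],
    }


def trx_image_length(blob: bytes) -> int:
    """Length field of the TRX header at the start of blob, or -1 if there is no TRX magic."""
    if len(blob) < TRX_HDR_LEN or blob[:4] != TRX_MAGIC:
        return -1
    return struct.unpack_from(TRX_HDR_FMT, blob)[1]


def check_kernel_partition(kernel: bytes) -> dict:
    """Sanity checks on a carved vmlinuz.trx before it is trusted or reflashed."""
    length = trx_image_length(kernel)
    fits = 0 < length <= len(kernel)
    # Erased NOR reads back as 0xFF; any other byte after the TRX end is unexpected data.
    tail_erased = fits and not kernel[length:].strip(b"\xff")
    return {"trx_length": length, "fits_partition": fits, "tail_erased": tail_erased}


def build_sample_nor(kernel_len: int = 2813952) -> bytes:
    """Constructed 16 MiB NOR dump: placeholder CFE marker, one TRX header with a dummy
    payload at block 4, everything else erased. Not a real Xiaomi image."""
    nor = bytearray(b"\xff" * (16 * 1024 * 1024))
    nor[0:4] = b"CFE1"  # placeholder marker only, not a real bootloader
    payload = bytes(kernel_len - TRX_HDR_LEN)  # dummy kernel bytes
    hdr = struct.pack(TRX_HDR_FMT, TRX_MAGIC, kernel_len, 0, 0, 1, TRX_HDR_LEN, 0, 0)
    nor[KERNEL_START:KERNEL_START + kernel_len] = hdr + payload
    return bytes(nor)


if __name__ == "__main__":
    parts = slice_nor_image(build_sample_nor())
    print({name: len(data) for name, data in parts.items()})
    print(check_kernel_partition(parts["vmlinuz.trx"]))
```

The default sample kernel length of 2813952 bytes is the size of the vmlinuz.trx that mkxqimage -x produced in the 0.2.62 listing above; it is used here only to show a realistic fill of the 3 MiB partition. dd always writes the full 48 blocks, so the carved vmlinuz.trx includes the erased padding, which is why the check compares the header's length field against the partition size rather than against the file size.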



3 Packing

Under a 0.4.58 system:

root@XiaoQiang:/userdisk/rom$ mkxqimage -o t.bin -t 3 -p myprivate.pem -f root.ext4.lzma -f root.squashfs -f vmlinuz.trx

myprivate.pem is an RSA private key we generate ourselves. To unpack the resulting image, the matching public key file mypublic.pem must be placed in /usr/share/xiaoqiang/, replacing the factory public.pem; back up the original before replacing it.
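The Tools section says mkxqimage is a trx-derived container with a signature appended at the tail, and the packing command above bundles several files with repeated -f options. The following added example (not mkxqimage's code, and not from the page) shows the container side of that in Python: it packs a few constructed payloads into a standard 28-byte TRX image, computes the CRC32 the way OpenWrt's trx tool does (seed 0xFFFFFFFF, no final inversion, covering everything from the flags field to the end; assumed here to be what Xiaomi's variant kept), then unpacks the image, rejects it if the CRC no longer matches, and returns any bytes beyond the TRX length field as a "trailer", the position where the page says the signature is written. The signature scheme itself is not modelled, because the page does not document it; the trailer used below is a constructed placeholder string. The -t option of mkxqimage is likewise not modelled.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"
TRX_HDR_FMT = "<4sIIHHIII"   # magic, length, crc32, flags, version, 3 partition offsets
TRX_HDR_LEN = struct.calcsize(TRX_HDR_FMT)  # 28 bytes
TRX_CRC_OFFSET = 12          # CRC covers the header from the flags field onward
TRX_MAX_PARTS = 3

# Constructed stand-ins for the three files passed with -f above; not real firmware data.
SAMPLE_PARTS = [b"root.ext4.lzma\x01\x02\x03", b"root.squashfs\xaa\xbb", b"vmlinuz.trx\x11"]


def trx_crc32(data: bytes) -> int:
    """TRX CRC32: seeded with 0xFFFFFFFF and not inverted at the end, which equals
    zlib's CRC32 XOR 0xFFFFFFFF (assumption: Xiaomi kept this trx convention)."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def pack_trx(parts: list, flags: int = 0, version: int = 1, align: int = 4) -> bytes:
    """Concatenate up to three payloads behind a TRX header, padding each to `align`."""
    if not 1 <= len(parts) <= TRX_MAX_PARTS:
        raise ValueError("a TRX header carries one to three partition offsets")
    offsets = [0, 0, 0]
    body = bytearray()
    for i, data in enumerate(parts):
        offsets[i] = TRX_HDR_LEN + len(body)
        body += data
        body += b"\x00" * ((-len(body)) % align)
    length = TRX_HDR_LEN + len(body)
    header_tail = struct.pack("<HHIII", flags, version, *offsets)
    crc = trx_crc32(header_tail + bytes(body))
    return struct.pack("<4sII", TRX_MAGIC, length, crc) + header_tail + bytes(body)


def unpack_trx(image: bytes) -> dict:
    """Validate magic, length and CRC, then split the image at the partition offsets.
    Bytes past the TRX length (where mkxqimage puts its signature) come back as 'trailer'."""
    if len(image) < TRX_HDR_LEN or image[:4] != TRX_MAGIC:
        raise ValueError("not a TRX image")
    _, length, crc, flags, version, *offsets = struct.unpack_from(TRX_HDR_FMT, image)
    if length < TRX_HDR_LEN or length > len(image):
        raise ValueError("TRX length field does not fit the file")
    if trx_crc32(image[TRX_CRC_OFFSET:length]) != crc:
        raise ValueError("TRX CRC32 mismatch: image corrupted or modified")
    bounds = [o for o in offsets if o] + [length]
    # TRX stores only offsets, so each part keeps its alignment padding, as trx tools do.
    parts = [image[bounds[i]:bounds[i + 1]] for i in range(len(bounds) - 1)]
    return {"flags": flags, "version": version, "parts": parts, "trailer": image[length:]}


if __name__ == "__main__":
    image = pack_trx(SAMPLE_PARTS)
    signed = image + b"placeholder-signature"  # stands in for the tail mkxqimage appends
    result = unpack_trx(signed)
    print(len(image), [len(p) for p in result["parts"]], result["trailer"])
```

The CRC only covers the bytes up to the TRX length field, so a trailer appended after the image does not disturb it; that is consistent with a signature living at the tail, and it is also why the CRC alone proves nothing about authenticity, which is the job of the RSA check. One practical caveat on the key files: the `error PEM_read_RSAPublicKey` message shown earlier comes from OpenSSL's PKCS#1 reader, which expects a `-----BEGIN RSA PUBLIC KEY-----` file, not the `-----BEGIN PUBLIC KEY-----` (SubjectPublicKeyInfo) form that `openssl rsa -pubout` writes; `openssl rsa -in myprivate.pem -RSAPublicKey_out` produces the former.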
