Xiaomi Router vmlinuz.trx Format Analysis

From Jack's Lab

This page draws on carabob001's analysis on this page, which saved a good deal of time; many thanks!


1 Overview

Take a [0.5.56] firmware image; unpacking it with mkxqimage -x brcm4709_*.bin yields vmlinuz.trx:

$ hexdump -C vmlinuz.trx | head -n 3
00000000  48 44 52 30 00 b0 2b 00  d6 3b 1d 6d 00 00 01 00  |HDR0..+..;.m....|
00000010  1c 00 00 00 00 00 00 00  00 00 00 00 5d 00 00 01  |............]...|
00000020  00 00 01 53 00 00 00 00  00 00 69 bc 00 2e 35 68  |...S......i...5h|

00 - 03: 0x30524448, TRX file magic number ("HDR0")
04 - 07: 0x002bb000, size of the whole TRX file
08 - 11: CRC32
12 - 15:
16 - 19: 0x0000001C, offset of the first partition within the file


The first partition is itself LZMA-compressed; the header of an LZMA file is 13 bytes:

 5D 00 00 01 00 00 01 53 00 00 00 00 00


The first 5 bytes reflect the compression level (each lzma -N preset writes a fixed 5-byte prefix):

   -1   5d 00 00 01 00
   -2   5d 00 00 10 00
   -3   5d 00 00 08 00
   -4   5d 00 00 10 00
   -5   5d 00 00 20 00
   -6   5d 00 00 40 00
   -7   5d 00 00 80 00
   -8   5d 00 00 00 01
   -9   5d 00 00 00 02


The remaining 8 bytes are the size of the decompressed content: 0x00530100 (5439744)


To unpack vmlinuz.trx:

$ dd if=vmlinuz.trx of=vmlinux.lzma bs=1 skip=28
$ unlzma vmlinux.lzma
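To make the two headers above concrete, here is an added Python parser (my example, not code from the page or from Jack's Lab) that reads the 28-byte TRX header, checks its CRC32, then decodes the 13-byte LZMA header of the first partition and decompresses it, which is what the dd/unlzma pair above does by hand. It assumes the TRX CRC32 convention used by OpenWrt's trx tool (CRC-32 over everything from offset 12 up to the length field, stored without the final inversion); that convention is not stated on the page, and all function and field names are my own.

```python
import lzma
import struct
import zlib

TRX_MAGIC = 0x30524448                   # the bytes "HDR0" read as a little-endian uint32
TRX_HEADER_LEN = 28                      # magic, len, crc32, flag_version, 3 partition offsets
LZMA_SIZE_UNKNOWN = 0xFFFFFFFFFFFFFFFF   # 8 x 0xFF: size not stored, stream carries an end marker


def trx_crc32(image, length):
    # TRX covers bytes 12..length-1 (flag_version onwards) and stores the raw CRC-32
    # register without the final inversion that zlib applies, hence the XOR.
    # (Assumption: convention of OpenWrt's trx tool, not stated on the page.)
    return zlib.crc32(image[12:length]) ^ 0xFFFFFFFF


def parse_trx_header(image):
    """Decode the 28-byte TRX header; crc_ok is None when only a prefix of the file is given."""
    if len(image) < TRX_HEADER_LEN:
        raise ValueError("input shorter than a TRX header")
    magic, length, crc, flag_version, *offsets = struct.unpack_from("<7I", image, 0)
    if magic != TRX_MAGIC:
        raise ValueError("bad TRX magic 0x%08x" % magic)
    if length < TRX_HEADER_LEN:
        raise ValueError("TRX length field %d is smaller than the header" % length)
    return {
        "len": length,
        "crc32": crc,
        "crc_ok": (crc == trx_crc32(image, length)) if length <= len(image) else None,
        "flags": flag_version & 0xFFFF,         # 0x00010000 on the page: flags 0, version 1
        "version": flag_version >> 16,
        "offsets": [o for o in offsets if o],   # unused partition slots are zero
    }


def parse_lzma_header(blob, off=0):
    """Decode the 13-byte .lzma header: properties byte, dict size (LE32), uncompressed size (LE64)."""
    props, dict_size, usize = struct.unpack_from("<BIQ", blob, off)
    if props >= 9 * 5 * 5:
        raise ValueError("invalid LZMA properties byte 0x%02x" % props)
    return {
        "lc": props % 9, "lp": (props // 9) % 5, "pb": props // 45,   # 0x5D -> lc=3, lp=0, pb=2
        "dict_size": dict_size,
        "uncompressed_size": None if usize == LZMA_SIZE_UNKNOWN else usize,
    }


def extract_kernel(image):
    """Return (lzma header fields, decompressed kernel) for the first TRX partition,
    the equivalent of `dd skip=28` followed by `unlzma`."""
    hdr = parse_trx_header(image)
    if not hdr["crc_ok"]:
        raise ValueError("TRX CRC32 mismatch or truncated image")
    if not hdr["offsets"]:
        raise ValueError("TRX header lists no partitions")
    start, end = hdr["offsets"][0], hdr["len"]
    info = parse_lzma_header(image, start)
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    kernel = dec.decompress(image[start:end])   # any flash padding after the stream ends up in dec.unused_data
    if not dec.eof:
        raise ValueError("LZMA stream ended before its end marker")
    return info, kernel


def compress_kernel(data):
    """Produce a .lzma (FORMAT_ALONE) stream with the 13-byte header discussed above."""
    return lzma.compress(data, format=lzma.FORMAT_ALONE)


def build_trx(partition, flags=0, version=1):
    """Wrap a single partition in a TRX container; used here to produce test input."""
    body = struct.pack("<IIII", flags | (version << 16), TRX_HEADER_LEN, 0, 0) + partition
    length = TRX_HEADER_LEN + len(partition)
    crc = zlib.crc32(body) ^ 0xFFFFFFFF
    return struct.pack("<III", TRX_MAGIC, length, crc) + body
```

Running parse_trx_header on the 48 bytes of the hexdump above gives len 0x2bb000, version 1 and a single partition at 0x1c, and parse_lzma_header at offset 28 returns dict_size 0x10000 and uncompressed_size 5439744, the values worked out by hand in the text. Note that a stream produced by liblzma (as in compress_kernel) stores the uncompressed size as unknown, the 8 x 0xFF pattern that also appears in the initramfs header later on this page.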


The decompressed kernel file vmlinux was built with an initramfs; searching for "5D 00 00 00" finds:

$ hexdump -C vmlinux | grep -i "5D 00 00 00"
0001e000  5d 00 00 00 02 ff ff ff  ff ff ff ff ff 00 18 0d  |]...............|
00402450  5d 00 00 00 08 d2 49 c0  00 00 00 00 e8 be 15 c0  |].....I.........|
00409890  00 00 00 00 5d 00 00 00  94 67 4a c0 74 96 01 c0  |....]....gJ.t...|
00414c70  01 5d 00 00 00 00 c0 00  48 3f 05 01 01 58 00 00  |.]......H?...X..|
004981e0  3c 25 70 3e 5d 00 00 00  20 28 25 73 29 00 00 00  |<%p>]... (%s)...|
00499900  5b 25 6c 78 2b 25 6c 78  5d 00 00 00 6d 6d 2f 6d  |[%lx+%lx]...mm/m|
0049c140  65 72 66 64 5d 00 00 00  5b 65 76 65 6e 74 66 64  |erfd]...[eventfd|
0049c150  5d 00 00 00 66 73 2f 6c  6f 63 6b 73 2e 63 00 00  |]...fs/locks.c..|
0049d7d0  5b 44 4d 5d 00 00 00 00  5b 45 5a 44 5d 00 00 00  |[DM]....[EZD]...|
00524490  5d 00 00 00 93 10 00 00  e7 70 00 00 ff ff ff ff  |]........p......|
005244a0  ff ff ff ff 00 00 00 00  00 00 00 00 5d 00 00 00  |............]...|


Split out the LZMA-compressed initramfs with the following commands:

$ dd if=vmlinux of=initramfs.cpio.lzma bs=1 skip=$((0x1E000))
$ unlzma initramfs.cpio.lzma

# this yields initramfs.cpio; unpack it with:
$ mkdir x && cd x
$ cpio -idv --no-absolute-filenames < ../initramfs.cpio
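The grep above lists eleven lines, but only the hit at 0x1e000 is used; most of the others are visibly kernel strings such as "[%lx+%lx]" or "fs/locks.c" followed by NUL padding. The following added Python scanner (my example, not code from the page) automates that triage: it looks for the default properties byte 0x5D, applies structural checks to the dictionary-size and uncompressed-size fields, confirms survivors by trial decompression, and reports whether the output starts with the newc cpio magic "070701" that an initramfs archive begins with. The thresholds, function names and the constructed sample blob are my own assumptions.

```python
import lzma
import struct

LZMA_SIZE_UNKNOWN = 0xFFFFFFFFFFFFFFFF
MIN_DICT = 1 << 12      # smallest dictionary liblzma accepts (4 KiB)
MAX_DICT = 1 << 27      # 128 MiB; presets top out at 64 MiB, anything larger is noise
CPIO_NEWC_MAGIC = b"070701"


def plausible_lzma_header(blob, off):
    """Structural sanity checks on the 13 bytes at `off` (a heuristic, not the spec)."""
    if off + 13 > len(blob):
        return False
    props, dict_size, usize = struct.unpack_from("<BIQ", blob, off)
    if props >= 225:                               # lc <= 8, lp <= 4, pb <= 4
        return False
    if not MIN_DICT <= dict_size <= MAX_DICT:      # rejects e.g. "]\0\0\0mm/m" -> 0x6d000000
        return False
    n = dict_size.bit_length() - 1                 # encoders write 2^n or 2^n + 2^(n-1)
    if dict_size not in (1 << n, (1 << n) + (1 << (n - 1))):
        return False
    if usize != LZMA_SIZE_UNKNOWN and usize > (1 << 32):   # an initramfs is not > 4 GiB
        return False
    return True


def find_lzma_streams(blob, props=0x5D, probe=1 << 16):
    """Return candidate streams that pass the header checks and actually decompress.
    Scans for the properties byte followed by two zero bytes: every standard preset
    uses a dictionary size that is a multiple of 64 KiB, so its low bytes are zero."""
    needle = bytes([props, 0, 0])
    hits = []
    off = blob.find(needle)
    while off != -1:
        if plausible_lzma_header(blob, off):
            dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
            try:
                out = dec.decompress(blob[off:], max_length=probe)
            except lzma.LZMAError:
                out = b""       # the range decoder choked: random bytes, not a stream
            if out:
                hits.append({
                    "offset": off,
                    "probe_bytes": len(out),
                    "complete": dec.eof,                      # end marker / size reached within the probe
                    "cpio": out.startswith(CPIO_NEWC_MAGIC),  # looks like an initramfs archive
                })
        off = blob.find(needle, off + 1)
    return hits


def make_sample_blob(payload):
    """Constructed stand-in for vmlinux: zeros, a kernel-string false positive,
    an embedded .lzma stream, erase padding and another string false positive."""
    stream = lzma.compress(payload, format=lzma.FORMAT_ALONE)
    return (b"\x00" * 4096
            + b"[%lx+%lx]\x00\x00\x00mm/m" + b"\x00" * 100
            + stream + b"\xff" * 64
            + b"<%p>]\x00\x00\x00 (%s)\x00\x00\x00")
```

On the sample blob the two string false positives are dropped by the dictionary-size check (their "size" bytes decode to 0x6d000000 and 0x20000000) and only the real stream is reported, with complete set and cpio set when the payload begins with the newc magic. The page's real initramfs header, 5D 00 00 00 02 followed by eight 0xFF bytes, passes the checks as a 32 MiB dictionary with unknown size.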



2 Application

Flash partitions inside the Xiaomi router R1D:

root@XiaoQiang:/userdisk/mtd# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00010000 "boot"
mtd1: 00300000 00010000 "os"
mtd2: 00300000 00010000 "os1"
mtd3: 00890000 00010000 "squashfs"
mtd4: 00010000 00010000 "crash"
mtd5: 00100000 00010000 "overlay"
mtd6: 00010000 00010000 "board_data"
mtd7: 00010000 00010000 "nvram"
mtd8: 00fe0000 00010000 "firmware"

mtd0 holds CFE.

mtd1 and mtd2 hold the kernel, that is, where vmlinuz.trx is written; from the flashing script shipped with the system, /bin/flash.sh:

upker() {
        if [ -f vmlinuz.trx ]; then
                if [ "$part" = "1" ]; then
                        if [ -e /dev/mtd1 ]; then
                                klogger -n "Burning Linux Kernel 1st Image..."
                                mtd write vmlinuz.trx os >& /dev/null
                                if [ $? -eq 0 ]; then
                                        klogger "Done"
                                else
                                        klogger "Error"
                                        exit 1
                                fi
                        fi
                else
                        if [ -e /dev/mtd2 ]; then
                                klogger -n "Burning Linux Kernel 2nd Image..."
                                mtd write vmlinuz.trx os1 >& /dev/null
                                if [ $? -eq 0 ]; then
                                        klogger "Done"
                                else
                                        klogger "Error"
                                        exit 1
                                fi
                        fi
                fi
        fi
}


The router currently runs the 0.4.58 firmware; extract the kernel straight from mtd1 and mtd2:

root@XiaoQiang:/userdisk/mtd# cat /dev/mtd0 > mtd0.boot
root@XiaoQiang:/userdisk/mtd# cat /dev/mtd1 > mtd1.os
root@XiaoQiang:/userdisk/mtd# cat /dev/mtd2 > mtd2.os1
root@XiaoQiang:/userdisk/mtd# cat /dev/mtd3 > mtd3.squashfs
root@XiaoQiang:/userdisk/mtd# cat /dev/mtd8 > mtd8.fw

root@XiaoQiang:/userdisk/mtd# ls -l
-rw-r--r--    1 root     root        262144 Nov 27 22:07 mtd0.boot
-rw-r--r--    1 root     root       3145728 Nov 27 22:07 mtd1.os
-rw-r--r--    1 root     root       3145728 Nov 27 22:07 mtd2.os1
-rw-r--r--    1 root     root       8978432 Nov 27 22:08 mtd3.squashfs
-rw-r--r--    1 root     root      16646144 Nov 27 22:09 mtd8.fw

root@XiaoQiang:/userdisk/mtd# echo $((0xfe0000))
16646144
root@XiaoQiang:/userdisk/mtd# echo $((0x300000))
3145728

root@XiaoQiang:/userdisk/mtd# dd if=mtd1.os of=vmlinuz.trx1 bs=1 count=$((0x002af000))
2813952+0 records in
2813952+0 records out
2813952 bytes (2.7MB) copied, 23.000804 seconds, 119.5KB/s
root@XiaoQiang:/userdisk/mtd# dd if=mtd2.os1 of=vmlinuz.trx2 bs=1 count=$((0x002b4000))
2834432+0 records in
2834432+0 records out
2834432 bytes (2.7MB) copied, 23.511877 seconds, 117.7KB/s

root@XiaoQiang:/userdisk/mtd# md5sum vmlinuz.trx2
2b0d8f7e05b1f5b170a2fd1ff7af5608  vmlinuz.trx2

root@XiaoQiang:/userdisk/mtd# cd ../rom/0.4.58/
root@XiaoQiang:/userdisk/rom/0.4.58# mkxqimage -x ../brcm4709_all_1635f_0.4.58.bin
root@XiaoQiang:/userdisk/rom/0.4.58# ls -l
-rw-r--r--    1 root     root      34941768 Nov 27 22:43 root.ext4.lzma
-rw-r--r--    1 root     root       7962624 Nov 27 22:43 root.squashfs
-rw-r--r--    1 root     root       2834432 Nov 27 22:43 vmlinuz.trx
root@XiaoQiang:/userdisk/rom/0.4.58# md5sum vmlinuz.trx
2b0d8f7e05b1f5b170a2fd1ff7af5608  vmlinuz.trx

root@XiaoQiang:/userdisk/rom/0.4.58# md5sum /userdisk/mtd/vmlinuz.trx2
2b0d8f7e05b1f5b170a2fd1ff7af5608  /userdisk/mtd/vmlinuz.trx2


Extracting the form that CFE can load via tftpboot and boot directly (the LZMA-compressed kernel, without the TRX header):

root@XiaoQiang:/userdisk/mtd# dd if=mtd1.os of=vmlinuz.1 bs=1 skip=$((0x1c)) count=$((0x002af000-0x1c))
2813924+0 records in
2813924+0 records out
2813924 bytes (2.7MB) copied, 25.377537 seconds, 108.3KB/s
root@XiaoQiang:/userdisk/mtd# dd if=mtd2.os1 of=vmlinuz.2 bs=1 skip=$((0x1c)) count=$((0x002b4000-0x1c))
2834404+0 records in
2834404+0 records out
2834404 bytes (2.7MB) copied, 23.204559 seconds, 119.3KB/s
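As an added check that is not part of the page: the dd counts used above (0x2af000 and 0x2b4000) are the length fields of the two TRX headers, and the md5sum comparison shows that what sits on mtd2 is byte-for-byte the release vmlinuz.trx. The Python below (my example; the function names and the constructed sample dump are my own) does the same on a saved mtd dump: it reads the TRX length, carves the image, compares it with the release file, and strips the 28-byte header to obtain the LZMA kernel that CFE loads via tftpboot. Comparing a flash dump against the release image this way is a cheap way to confirm that a kernel partition has not been modified; only the bytes inside the TRX length are compared, and whatever lies beyond them is not covered by the TRX CRC and may hold stale data, so it is only counted.

```python
import hashlib
import struct

TRX_MAGIC = b"HDR0"
TRX_HEADER_LEN = 28


def carve_trx(dump):
    """Return the TRX image at the start of an mtd dump: bytes [0, length field)."""
    if dump[:4] != TRX_MAGIC:
        raise ValueError("partition does not start with a TRX header")
    length = struct.unpack_from("<I", dump, 4)[0]
    if length < TRX_HEADER_LEN or length > len(dump):
        raise ValueError("TRX length %d does not fit the %d-byte partition" % (length, len(dump)))
    return dump[:length]


def tftp_payload(trx):
    """The first partition without the TRX header, i.e. dd skip=0x1c count=len-0x1c."""
    first = struct.unpack_from("<I", trx, 16)[0]   # offset field of partition 1
    if first < TRX_HEADER_LEN or first >= len(trx):
        raise ValueError("bad first-partition offset %d" % first)
    return trx[first:]


def compare_kernel_partition(dump, release_trx):
    """Carve the flashed image and compare it with the release vmlinuz.trx."""
    flashed = carve_trx(dump)
    tail = dump[len(flashed):]
    return {
        "flash_len": len(flashed),
        "md5": hashlib.md5(flashed).hexdigest(),       # same digest md5sum prints on the router
        "matches_release": flashed == release_trx,
        "tail_len": len(tail),
        "tail_non_ff": len(tail) - tail.count(0xFF),   # bytes past the image that are not erased flash
    }


def make_sample_dump(kernel_lzma, partition_size=0x300000):
    """Constructed mtd1-style dump: a TRX wrapping `kernel_lzma`, then erased (0xFF) flash.
    The CRC field is left zero because carve_trx only reads magic and length."""
    length = TRX_HEADER_LEN + len(kernel_lzma)
    header = (TRX_MAGIC + struct.pack("<I", length) + b"\x00" * 4
              + struct.pack("<I", 0x00010000)                      # flags 0, version 1, as on the page
              + struct.pack("<III", TRX_HEADER_LEN, 0, 0))         # one partition right after the header
    trx = header + kernel_lzma
    return trx, trx + b"\xff" * (partition_size - len(trx))
```

A single flipped byte anywhere inside the TRX length makes matches_release false, which is the property the md5sum comparison on the page relies on; the partition size 0x300000 mirrors the 3145728-byte mtd1/mtd2 dumps listed above.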