Xiaomi Router vmlinuz.trx format analysis
This page draws on carabob001's [http://www.iptvfans.cn/wiki/index.php/%E5%B0%8F%E7%B1%B3%E8%B7%AF%E7%94%B1%E5%99%A8%E5%86%85%E6%A0%B8 analysis on this page], which saved a lot of time. Many thanks!

== Overview ==

Take a firmware image of version [0.5.56]. Unpacking it with mkxqimage -x brcm4709_*.bin yields vmlinuz.trx:

<source lang=bash>
$ hexdump -C vmlinuz.trx | head -n 3
00000000  48 44 52 30 00 b0 2b 00  d6 3b 1d 6d 00 00 01 00  |HDR0..+..;.m....|
00000010  1c 00 00 00 00 00 00 00  00 00 00 00 5d 00 00 01  |............]...|
00000020  00 00 01 53 00 00 00 00  00 00 69 bc 00 2e 35 68  |...S......i...5h|
</source>

<pre>
00 - 03: 0x30524448  TRX file format magic number
04 - 07: 0x002bb000  size of the whole TRX file
08 - 11: CRC32
12 - 15:
16 - 19: 0x0000001C  offset of the first partition within the file
</pre>

The first partition is itself LZMA-compressed. The header of an LZMA-compressed file is 13 bytes:

 5D 00 00 01 00 00 01 53 00 00 00 00 00 00

The first 5 bytes indicate the compression level:

<pre>
-1    5d 00 00 01 00
-2    5d 00 00 10 00
-3    5d 00 00 08 00
-4    5d 00 00 10 00
-5    5d 00 00 20 00
-6    5d 00 00 40 00
-7    5d 00 00 80 00
-8    5d 00 00 00 01
-9    5d 00 00 00 02
</pre>

The following 8 bytes are the size of the decompressed content: 0x00530100 (5439744).

To unpack the vmlinuz.trx file:

<source lang=bash>
$ dd if=vmlinuz.trx of=vmlinux.lzma bs=1 skip=28
$ unlzma vmlinux.lzma
</source>

The resulting kernel file vmlinux was built with an initramfs. Searching for "5D 00 00 00" finds:

<source lang=bash>
$ hexdump -C vmlinux | grep -i "5D 00 00 00"
0001e000  5d 00 00 00 02 ff ff ff  ff ff ff ff ff 00 18 0d  |]...............|
00402450  5d 00 00 00 08 d2 49 c0  00 00 00 00 e8 be 15 c0  |].....I.........|
00409890  00 00 00 00 5d 00 00 00  94 67 4a c0 74 96 01 c0  |....]....gJ.t...|
00414c70  01 5d 00 00 00 00 c0 00  48 3f 05 01 01 58 00 00  |.]......H?...X..|
004981e0  3c 25 70 3e 5d 00 00 00  20 28 25 73 29 00 00 00  |<%p>]... (%s)...|
00499900  5b 25 6c 78 2b 25 6c 78  5d 00 00 00 6d 6d 2f 6d  |[%lx+%lx]...mm/m|
0049c140  65 72 66 64 5d 00 00 00  5b 65 76 65 6e 74 66 64  |erfd]...[eventfd|
0049c150  5d 00 00 00 66 73 2f 6c  6f 63 6b 73 2e 63 00 00  |]...fs/locks.c..|
0049d7d0  5b 44 4d 5d 00 00 00 00  5b 45 5a 44 5d 00 00 00  |[DM]....[EZD]...|
00524490  5d 00 00 00 93 10 00 00  e7 70 00 00 ff ff ff ff  |]........p......|
005244a0  ff ff ff ff 00 00 00 00  00 00 00 00 5d 00 00 00  |............]...|
</source>

Use the following commands to split out the LZMA-compressed initramfs:

<source lang=bash>
$ dd if=vmlinux of=initramfs.cpio.lzma bs=1 skip=$((0x1E000))
$ unlzma initramfs.cpio.lzma
# This produces initramfs.cpio; unpack it with the commands below:
$ mkdir x && cd x
$ cpio -idv --no-absolute-filenames < ../initramfs.cpio
</source>

== Application ==

The flash partitions inside the Xiaomi Router R1D:

<source lang=bash>
root@XiaoQiang:/userdisk/mtd# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00010000 "boot"
mtd1: 00300000 00010000 "os"
mtd2: 00300000 00010000 "os1"
mtd3: 00890000 00010000 "squashfs"
mtd4: 00010000 00010000 "crash"
mtd5: 00100000 00010000 "overlay"
mtd6: 00010000 00010000 "board_data"
mtd7: 00010000 00010000 "nvram"
mtd8: 00fe0000 00010000 "firmware"
</source>

mtd0 holds CFE.

mtd1 and mtd2 hold the kernel, i.e. they are where vmlinuz.trx is flashed. The flashing script shipped with the system, /bin/flash.sh:

<source lang=bash>
upker() {
    if [ -f vmlinuz.trx ]; then
        if [ "$part" = "1" ]; then
            if [ -e /dev/mtd1 ]; then
                klogger -n "Burning Linux Kernel 1st Image..."
                mtd write vmlinuz.trx os >& /dev/null
                if [ $? -eq 0 ]; then
                    klogger "Done"
                else
                    klogger "Error"
                    exit 1
                fi
            fi
        else
            if [ -e /dev/mtd2 ]; then
                klogger -n "Burning Linux Kernel 2nd Image..."
                mtd write vmlinuz.trx os1 >& /dev/null
                if [ $? -eq 0 ]; then
                    klogger "Done"
                else
                    klogger "Error"
                    exit 1
                fi
            fi
        fi
    fi
}
</source>

The router is currently flashed with firmware 0.4.58. Extract the kernel directly from mtd1 and mtd2:

<source lang=bash>
root@XiaoQiang:/userdisk/mtd# cat /dev/mtd0 > mtd0.boot
root@XiaoQiang:/userdisk/mtd# cat /dev/mtd1 > mtd1.os
root@XiaoQiang:/userdisk/mtd# cat /dev/mtd2 > mtd2.os1
root@XiaoQiang:/userdisk/mtd# cat /dev/mtd3 > mtd3.squashfs
root@XiaoQiang:/userdisk/mtd# cat /dev/mtd8 > mtd8.fw
root@XiaoQiang:/userdisk/mtd# ls -l
-rw-r--r--    1 root     root        262144 Nov 27 22:07 mtd0.boot
-rw-r--r--    1 root     root       3145728 Nov 27 22:07 mtd1.os
-rw-r--r--    1 root     root       3145728 Nov 27 22:07 mtd2.os1
-rw-r--r--    1 root     root       8978432 Nov 27 22:08 mtd3.squashfs
-rw-r--r--    1 root     root      16646144 Nov 27 22:09 mtd8.fw
root@XiaoQiang:/userdisk/mtd# echo $((0xfe0000))
16646144
root@XiaoQiang:/userdisk/mtd# echo $((0x300000))
3145728
root@XiaoQiang:/userdisk/mtd# dd if=mtd1.os of=vmlinuz.trx1 bs=1 count=$((0x002af000))
2813952+0 records in
2813952+0 records out
2813952 bytes (2.7MB) copied, 23.000804 seconds, 119.5KB/s
root@XiaoQiang:/userdisk/mtd# dd if=mtd2.os1 of=vmlinuz.trx2 bs=1 count=$((0x002b4000))
2834432+0 records in
2834432+0 records out
2834432 bytes (2.7MB) copied, 23.511877 seconds, 117.7KB/s
root@XiaoQiang:/userdisk/mtd# md5sum vmlinuz.trx2
2b0d8f7e05b1f5b170a2fd1ff7af5608  vmlinuz.trx2
root@XiaoQiang:/userdisk/mtd# cd ../rom/0.4.58/
root@XiaoQiang:/userdisk/rom/0.4.58# mkxqimage -x ../brcm4709_all_1635f_0.4.58.bin
root@XiaoQiang:/userdisk/rom/0.4.58# ls -l
-rw-r--r--    1 root     root      34941768 Nov 27 22:43 root.ext4.lzma
-rw-r--r--    1 root     root       7962624 Nov 27 22:43 root.squashfs
-rw-r--r--    1 root     root       2834432 Nov 27 22:43 vmlinuz.trx
root@XiaoQiang:/userdisk/rom/0.4.58# md5sum vmlinuz.trx
2b0d8f7e05b1f5b170a2fd1ff7af5608  vmlinuz.trx
root@XiaoQiang:/userdisk/rom/0.4.58# md5sum /userdisk/mtd/vmlinuz.trx2
2b0d8f7e05b1f5b170a2fd1ff7af5608  /userdisk/mtd/vmlinuz.trx2
</source>

Extract the form that CFE can load directly with tftpboot and then boot (LZMA-compressed format):

<source lang=bash>
root@XiaoQiang:/userdisk/mtd# dd if=mtd1.os of=vmlinuz.1 bs=1 skip=$((0x1c)) count=$((0x002af000-0x1c))
2813924+0 records in
2813924+0 records out
2813924 bytes (2.7MB) copied, 25.377537 seconds, 108.3KB/s
root@XiaoQiang:/userdisk/mtd# dd if=mtd2.os1 of=vmlinuz.2 bs=1 skip=$((0x1c)) count=$((0x002b4000-0x1c))
2834404+0 records in
2834404+0 records out
2834404 bytes (2.7MB) copied, 23.204559 seconds, 119.3KB/s
</source>
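The dd commands above hard-code the partition offset (28) and the image lengths read off the header by hand. The Python sketch below is an added example, not part of the original page: it takes both values from the TRX header, bounds-checks them against the file, and trims flash padding from a raw mtd dump. Assumptions: bytes 12 - 15 are treated as flags and version, the header carries three partition offsets, and the CRC convention follows OpenWrt's trx tool; the sample image is constructed.

```python
import lzma, struct, zlib
TRX_MAGIC = 0x30524448                 # "HDR0" read as a little-endian u32
TRX_HDR = struct.Struct("<IIIHH3I")    # magic, len, crc32, flags, version, offsets[3]
UNKNOWN = 0xFFFFFFFFFFFFFFFF           # LZMA size field when an end marker is used

def trx_crc(body):
    # Assumption (OpenWrt trx tool convention): CRC-32 without the final
    # inversion, computed over everything from byte 12 to the end of the image.
    return ~zlib.crc32(body) & 0xFFFFFFFF

def parse_trx(blob):
    """Validate a TRX image, or a raw mtd dump that starts with one."""
    if len(blob) < TRX_HDR.size:
        raise ValueError("too short for a TRX header")
    magic, length, crc, _flags, _ver, first, *rest = TRX_HDR.unpack_from(blob)
    if magic != TRX_MAGIC:
        raise ValueError("bad magic")
    if not TRX_HDR.size < length <= len(blob):
        raise ValueError("header length lies outside the file")
    if not TRX_HDR.size <= first < length:
        raise ValueError("first partition offset lies outside the image")
    end = min([o for o in rest if first < o <= length] + [length])
    image = blob[:length]              # drops flash padding after the image
    return {"image": image, "part1": image[first:end],
            "crc_ok": trx_crc(image[12:]) == crc}

def parse_lzma_header(part):
    """Split the 13-byte LZMA header: properties, dictionary size, unpacked size."""
    if len(part) < 13:
        raise ValueError("too short for an LZMA header")
    props, dict_size, size = struct.unpack_from("<BIQ", part)
    return props, dict_size, None if size == UNKNOWN else size

def unpack_part(part):
    d = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    out = d.decompress(part)           # stops at end of stream, ignores padding
    if not d.eof:
        raise ValueError("truncated LZMA stream")
    return out

def build_sample(payload=b"constructed kernel bytes " * 64):
    """Constructed image: one LZMA partition, padded to 4 KiB, then erased flash."""
    part = lzma.compress(payload, format=lzma.FORMAT_ALONE,
                         filters=[{"id": lzma.FILTER_LZMA1, "dict_size": 1 << 16}])
    part += b"\x00" * (-(TRX_HDR.size + len(part)) % 4096)
    body = struct.pack("<HH3I", 0, 1, TRX_HDR.size, 0, 0) + part
    hdr = struct.pack("<III", TRX_MAGIC, 12 + len(body), trx_crc(body))
    return hdr + body + b"\xff" * 4096
```

A size of `None` from `parse_lzma_header` corresponds to the all-`ff` size field seen at 0x1e000 in the vmlinux dump, where the stream ends with a marker instead of a stored length.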