小米路由固件解包打包
来自Jack's Lab
(版本间的差异)
(→解包) |
(→打包) |
||
| (未显示1个用户的12个中间版本) | |||
| 第1行: | 第1行: | ||
| − | == | + | 本页参考了 carabob001 在这个页面对 [http://www.iptvfans.cn/wiki/index.php/%E5%B0%8F%E7%B1%B3%E8%B7%AF%E7%94%B1%E5%99%A8%E5%9B%BA%E4%BB%B6%E4%BF%AE%E6%94%B9 小米路由器固件修改] 节约了不少时间,在此表示感谢! |
| + | |||
| + | |||
| + | == 工具 == | ||
| − | 小米自己改了个打包解包固件的工具,基于 trx | + | 小米自己改了个打包解包固件的工具,基于 trx 改的(本质上还是 trx 格式),加了 RSA 验证和解包功能,路由系统里自带: |
<source lang=bash> | <source lang=bash> | ||
| 第11行: | 第14行: | ||
</source> | </source> | ||
| − | mkxqimage 解包打包时都会去读这个文件: /usr/share/xiaoqiang/public.pem | + | mkxqimage 解包打包时都会去读这个文件: /usr/share/xiaoqiang/public.pem ,是一个RSA公钥文件 |
没有会报: | 没有会报: | ||
| 第22行: | 第25行: | ||
</source> | </source> | ||
| − | + | 打包时会把校验后的码写在文件尾部,检验失败会报: | |
<source lang=bash> | <source lang=bash> | ||
| 第29行: | 第32行: | ||
Image verify failed, not formal image | Image verify failed, not formal image | ||
</source> | </source> | ||
| + | |||
| + | |||
| + | 有关小米路由固件的格式,可以参考这个页面: [[小米路由固件格式]] | ||
| + | |||
| + | <br><br> | ||
| + | |||
| + | == 解包 == | ||
解包成功则: | 解包成功则: | ||
| 第34行: | 第44行: | ||
<source lang=bash> | <source lang=bash> | ||
root@XiaoQiang:/userdisk/rom/0.2.62$ mkxqimage -x ../brcm4709_hdk_0.2.62.bin | root@XiaoQiang:/userdisk/rom/0.2.62$ mkxqimage -x ../brcm4709_hdk_0.2.62.bin | ||
| − | root | + | -rw-r--r-- 1 root root 37199873 Nov 28 01:21 root.ext4.lzma |
| − | root.ext4.lzma | + | -rw-r--r-- 1 root root 2813952 Nov 28 01:21 vmlinuz.trx |
</source> | </source> | ||
| + | |||
| + | |||
| + | 另外使用 binwalk 工具也可解开: | ||
| + | |||
| + | <source lang=bash> | ||
| + | $ binwalk -e ../brcm4709_all_0de4_0.5.56.bin | ||
| + | |||
| + | DECIMAL HEX DESCRIPTION | ||
| + | ------------------------------------------------------------------------------------------------------------------- | ||
| + | 0 0x0 TRX firmware header, little endian, header size: 28 bytes, image size: 44577981 bytes, CRC32: 0x563BB3C0 flags: 0x3, version: 2 | ||
| + | 32 0x20 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 134217728 bytes | ||
| + | 33957053 0x20624BD TRX firmware header, little endian, header size: 28 bytes, image size: 7761920 bytes, CRC32: 0x2FC538ED flags: 0x0, version: 1 | ||
| + | 33957081 0x20624D9 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4456704 bytes | ||
| + | 35814013 0x2227A7D Squashfs filesystem, little endian, version 4.0, compression:lzma (non-standard type definition), size: 5902826 bytes, | ||
| + | 1332 inodes, blocksize: 262144 bytes, created: Sat May 31 15:55:18 2014 | ||
| + | 41718973 0x27C94BD TRX firmware header, little endian, header size: 28 bytes, image size: 2859008 bytes, CRC32: 0x7EF15BCF flags: 0x0, version: 1 | ||
| + | 41719001 0x27C94D9 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 5439744 bytes | ||
| + | |||
| + | $ ls | ||
| + | _brcm4709_all_0de4_0.5.56.bin.extracted | ||
| + | |||
| + | $ ls _brcm4709_all_0de4_0.5.56.bin.extracted/ | ||
| + | 20 20624D9 20624D9.7z 20.7z 2227A7D.squashfs 27C94D9 27C94D9.7z squashfs-root | ||
| + | comcat@Pek-JJJ-d1:/work/openwrt/xiaomi/rom/0.5.56$ ls _brcm4709_all_0de4_0.5.56.bin.extracted/squashfs-root/ | ||
| + | bin data dev etc lib mnt opt overlay proc rom root sbin sys tmp usr var www | ||
| + | </source> | ||
| + | |||
| + | |||
| + | 对于像 [http://bigota.miwifi.com/xiaoqiang/rom/brcm4709_hdr_039ef_0.4.85.bin 0.4.85] 这种带整个16MB flash 镜像文件 brcm4709_nor.bin 的固件: | ||
| + | |||
| + | <source lang=bash> | ||
| + | root@XiaoQiang:/userdisk/rom/0.4.85# mkxqimage -x ../brcm4709_hdr_039ef_0.4.85.bin | ||
| + | root@XiaoQiang:/userdisk/rom/0.4.85# ls | ||
| + | brcm4709_nor.bin root.ext4.lzma | ||
| + | </source> | ||
| + | |||
| + | 还需额外的 flash 解包,这个看看路由系统的 /bin/flash.sh 的做法即知: | ||
| + | |||
| + | <source lang=bash> | ||
| + | 292 [ -f brcm${surfix_ver}_nor.bin ] && { | ||
| + | 293 dd if=brcm4709_nor.bin of=mice_cfe bs=64k count=4 >& /dev/null | ||
| + | 294 dd if=brcm4709_nor.bin of=vmlinuz.trx bs=64k count=48 skip=4 >& /dev/null | ||
| + | ...... | ||
| + | </source> | ||
| + | |||
| + | mice_cfe 为 CFE 镜像 | ||
| + | |||
| + | vmlinuz.trx 为内核 + initramfs,详细格式参考 [[小米路由vmlinuz.trx格式解析]] | ||
<br><br> | <br><br> | ||
| + | |||
| + | == 打包 == | ||
| + | |||
| + | 0.4.58 版本的系统下: | ||
| + | |||
| + | <source lang=bash> | ||
| + | root@XiaoQiang:/userdisk/rom$ mkxqimage -o t.bin -t 3 -p myprivate.pem -f root.ext4.lzma -f root.squashfs -f vmlinuz.trx | ||
| + | |||
| + | </source> | ||
| + | |||
| + | myprivate.pem 为我们自己生成的 RSA 私钥,要解包需要把对应的公钥文件 mypublic.pem 置于 /usr/share/xiaoqiang/ 目录下,替换原厂公钥文件 public.pem,替换前做好备份 | ||
<br><br> | <br><br> | ||
<br><br> | <br><br> | ||
2014年6月5日 (四) 11:04的最后版本
本页参考了 carabob001 在这个页面对 小米路由器固件修改 节约了不少时间,在此表示感谢!
[编辑] 1 工具
小米自己改了个打包解包固件的工具,基于 trx 改的(本质上还是 trx 格式),加了 RSA 验证和解包功能,路由系统里自带:
root@XiaoQiang:/userdisk/rom/0.2.62$ mkxqimage -h
mkxqimage: invalid option -- h
Usage:
mkxqimg [-o outfile] [-p private_key] [-f file] [-f file [-f file [-f file ]]] -----> 打包
[-x file] -----> 解包
mkxqimage 解包打包时都会去读这个文件: /usr/share/xiaoqiang/public.pem ,是一个RSA公钥文件
没有会报:
root@XiaoQiang:/userdisk/rom/0.2.62$ mv /usr/share/xiaoqiang/public.pem / root@XiaoQiang:/userdisk/rom/0.2.62$ mkxqimage -x ../brcm4709_hdk_0.2.62.bin error fopen public key Image verify failed, not formal image
打包时会把校验后的码写在文件尾部,检验失败会报:
root@XiaoQiang:/userdisk/rom/0.2.62$ mkxqimage -x ../brcm4709_hdk_0.2.62.bin error PEM_read_RSAPublicKey Image verify failed, not formal image
有关小米路由固件的格式,可以参考这个页面: 小米路由固件格式
[编辑] 2 解包
解包成功则:
root@XiaoQiang:/userdisk/rom/0.2.62$ mkxqimage -x ../brcm4709_hdk_0.2.62.bin -rw-r--r-- 1 root root 37199873 Nov 28 01:21 root.ext4.lzma -rw-r--r-- 1 root root 2813952 Nov 28 01:21 vmlinuz.trx
另外使用 binwalk 工具也可解开:
$ binwalk -e ../brcm4709_all_0de4_0.5.56.bin
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0 0x0 TRX firmware header, little endian, header size: 28 bytes, image size: 44577981 bytes, CRC32: 0x563BB3C0 flags: 0x3, version: 2
32 0x20 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 134217728 bytes
33957053 0x20624BD TRX firmware header, little endian, header size: 28 bytes, image size: 7761920 bytes, CRC32: 0x2FC538ED flags: 0x0, version: 1
33957081 0x20624D9 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4456704 bytes
35814013 0x2227A7D Squashfs filesystem, little endian, version 4.0, compression:lzma (non-standard type definition), size: 5902826 bytes,
1332 inodes, blocksize: 262144 bytes, created: Sat May 31 15:55:18 2014
41718973 0x27C94BD TRX firmware header, little endian, header size: 28 bytes, image size: 2859008 bytes, CRC32: 0x7EF15BCF flags: 0x0, version: 1
41719001 0x27C94D9 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 5439744 bytes
$ ls
_brcm4709_all_0de4_0.5.56.bin.extracted
$ ls _brcm4709_all_0de4_0.5.56.bin.extracted/
20 20624D9 20624D9.7z 20.7z 2227A7D.squashfs 27C94D9 27C94D9.7z squashfs-root
comcat@Pek-JJJ-d1:/work/openwrt/xiaomi/rom/0.5.56$ ls _brcm4709_all_0de4_0.5.56.bin.extracted/squashfs-root/
bin data dev etc lib mnt opt overlay proc rom root sbin sys tmp usr var www
对于像 0.4.85 这种带整个16MB flash 镜像文件 brcm4709_nor.bin 的固件:
root@XiaoQiang:/userdisk/rom/0.4.85# mkxqimage -x ../brcm4709_hdr_039ef_0.4.85.bin root@XiaoQiang:/userdisk/rom/0.4.85# ls brcm4709_nor.bin root.ext4.lzma
还需额外的 flash 解包,这个看看路由系统的 /bin/flash.sh 的做法即知:
292 [ -f brcm${surfix_ver}_nor.bin ] && {
293 dd if=brcm4709_nor.bin of=mice_cfe bs=64k count=4 >& /dev/null
294 dd if=brcm4709_nor.bin of=vmlinuz.trx bs=64k count=48 skip=4 >& /dev/null
......
mice_cfe 为 CFE 镜像
vmlinuz.trx 为内核 + initramfs,详细格式参考 小米路由vmlinuz.trx格式解析
[编辑] 3 打包
0.4.58 版本的系统下:
root@XiaoQiang:/userdisk/rom$ mkxqimage -o t.bin -t 3 -p myprivate.pem -f root.ext4.lzma -f root.squashfs -f vmlinuz.trx
myprivate.pem 为我们自己生成的 RSA 私钥,要解包需要把对应的公钥文件 mypublic.pem 置于 /usr/share/xiaoqiang/ 目录下,替换原厂公钥文件 public.pem,替换前做好备份
