关于NOKIA EA0326GMP的研究

keke*** · 发表于 2024-3-28 14:37

首先要感谢诺基亚贝尔 EA0326GMP 免拆开启SSH-无线路由器硬件改造以及故障维修-恩山无线论坛 (right.com.cn)的作者@love0001238 为我们提供了EA0326GMP的免拆开ssh的配置文件，这样我就省的拆机可以直接在系统中进行研究了
相信各位也看到过我写的其他机型的研究过程，有的是从无到有，有的是从有到懂，我都希望把整个过程提供给大家，共同学习
先来看看机子的外观，是个比较少见的不对称天线

下来就开始，根据love0001238提供的配置文件直接恢复后打开ssh，那么首先就是要看执行备份和恢复配置的网页是怎么样的
这个机型它采用lighttp，指向了/www/web/WEBCGI/prog.fcgi，这里可以看到实际上是指向了/usr/bin/prog.cgi

那么就先把它拉出来用IDA分析一下

这里大概能看出来它的流程是先用sysupgrade正常的生成一个未加密备份到/var/backup_tmp.tar.gz，然后再通过mkconfig把它加密成/var/backup.tar.gz，最后调用下载和删除这两个文件
那么就追踪到了mkconfig这个指令，再去追踪到/bin/mkconfig，看看它到底是怎么一个加密过程

果然实际加密是在这里进行的，通过openssl和seama进行了加密和封装，那么到底加密的时候用的password是什么呢，这里提到一个meta_data的变量
又接着meta_data查到了get_meta_data这个函数，存在于libcommon.so里

对于汇编我一点也不擅长，十几年前学的到现在已经基本上不会了，但是配合mkconfig的说明，隐约觉得是跟机型和版本有关的一个参数
那么我就来测试一下吧，我通过指定一个keke1023作为meta_data来加密一个我自己sysupgrade备份的普通备份，mkconfig -a enca -m 'keke1023' -i /var/backup_tmp.tar.gz -o /var/backup.tar.gz然后拖出来跟系统自身加密的备份做一对比

结果很明显了，你所指定的meta_data就会直接被写入到文件开头，那么反推出来系统自身的meta_data就是‘EA0326GMP_3FE79221BAAA’，这个值也是有来由的
/etc/ahsapg/mtd_andlink_store.cfg里有这么一段

#[Version]
FirmVersion=EA0326GMP
SWVersion=NSB0326GMP10t01
HWVserion=3FE79221BAAA
AhsapdVersion=1.4.0

正好就是FirmVersion和HWVserion的拼接
我就测试用mkconfig来解密一个系统的备份配置mkconfig -a de-enca -m 'EA0326GMP_3FE79221BAAA' -i /var/EA0326GMP_SSH.tar.gz -o /var/EA0326GMP_SSH_dec.tar.gz

就变回一个正常可以访问的tar.gz了，到这里，关于配置文件的方面就研究清楚了，虽然不是通过汇编直接明白meta_data的来源，但也算是偷懒解决了
下来就继续研究机子的dts，因为要做固件适配，至少得知道led和button的gpio
本来想直接opkg装一个gpiod来查看的，但是系统并没有opkg，我就从gpiod-tools_1.4.4-1_aarch64_cortex-a53.ipk解压出来的6个gpio*可执行文件，上传到/usr/bin并且chmod +x
再从libgpiod_1.4.4-1_aarch64_cortex-a53.ipk解压出libgpiod.so.2.1.4上传至/usr/lib，并且chmod +x然后ln -s /usr/lib/libgpiod.so.2.1.4 /usr/lib/libgpiod.so.2，就可以运行gpio*这几个可执行文件了

led是456789，button是0和1，再去备份的ubi分区找到d00dfeed来剪切出dtb文件，转回dts看看

也是从主控直接引出wan口，剩下lan口通过p6到mt7531
好了，大功告成，可以去编译FIP和固件啦，希望对大家有所启发~

ba*** · 发表于 2024-3-28 15:03

沙发，为大佬点赞

zju*** · 发表于 2024-3-28 18:21

牛逼的逆向解密过程

afe*** · 发表于 2024-3-28 18:32

4604*** · 发表于 2024-3-28 19:57

下面这段提取出来的的是dtb信息吗？我看跟其他型号的格式差别很大

{
compatible = "mediatek,mt7981", "mediatek,mt7981-rfb";
interrupt-parent = <0x00000001>;
#address-cells = <0x00000001>;
#size-cells = <0x00000001>;
model = "mt7981-rfb";
cpus {
#address-cells = <0x00000001>;
#size-cells = <0x00000000>;
cpu@0 {
device_type = "cpu";
compatible = "arm,cortex-a53";
reg = <0x00000000>;
};
cpu@1 {
device_type = "cpu";
compatible = "arm,cortex-a53";
reg = <0x00000001>;
};
};
gpt_dummy20m {
compatible = "fixed-clock";
clock-frequency = <0x00c65d40>;
#clock-cells = <0x00000000>;
u-boot,dm-pre-reloc;
phandle = <0x00000002>;
};
timer {
compatible = "arm,armv8-timer";
interrupt-parent = <0x00000001>;
clock-frequency = <0x00c65d40>;
interrupts = <0x00000001 0x0000000d 0x00000008 0x00000001 0x0000000e 0x00000008 0x00000001 0x0000000b 0x00000008 0x00000001 0x0000000a 0x00000008>;
arm,cpu-registers-not-fw-configured;
};
timer@10008000 {
compatible = "mediatek,mt7986-timer";
reg = <0x10008000 0x00001000>;
interrupts = <0x00000000 0x00000082 0x00000004>;
clocks = <0x00000002>;
clock-names = "gpt-clk";
u-boot,dm-pre-reloc;
};
watchdog@1001c000 {
compatible = "mediatek,mt7986-wdt";
reg = <0x1001c000 0x00001000>;
interrupts = <0x00000000 0x0000006e 0x00000004>;
#reset-cells = <0x00000001>;
status = "disabled";
};
interrupt-controller@c000000 {
compatible = "arm,gic-v3";
#interrupt-cells = <0x00000003>;
interrupt-parent = <0x00000001>;
interrupt-controller;
reg = <0x0c000000 0x00040000 0x0c080000 0x00200000>;
interrupts = <0x00000001 0x00000009 0x00000004>;
phandle = <0x00000001>;
};
apmixedsys@1001e000 {
compatible = "mediatek,mt7981-fixed-plls";
reg = <0x1001e000 0x00001000>;
#clock-cells = <0x00000001>;
u-boot,dm-pre-reloc;
phandle = <0x00000003>;
};
topckgen@1001b000 {
compatible = "mediatek,mt7981-topckgen";
reg = <0x1001b000 0x00001000>;
clock-parent = <0x00000003>;
#clock-cells = <0x00000001>;
u-boot,dm-pre-reloc;
phandle = <0x00000005>;
};
infracfg_ao@10001000 {
compatible = "mediatek,mt7981-infracfg_ao";
reg = <0x10001000 0x00000080>;
clock-parent = <0x00000004>;
#clock-cells = <0x00000001>;
u-boot,dm-pre-reloc;
phandle = <0x00000006>;
};
infracfg@10001000 {
compatible = "mediatek,mt7981-infracfg";
reg = <0x10001000 0x00000030>;
clock-parent = <0x00000005>;
#clock-cells = <0x00000001>;
u-boot,dm-pre-reloc;
phandle = <0x00000004>;
};
pinctrl@11d00000 {
compatible = "mediatek,mt7981-pinctrl";
reg = <0x11d00000 0x00001000 0x11c00000 0x00001000 0x11c10000 0x00001000 0x11d20000 0x00001000 0x11e00000 0x00001000 0x11e20000 0x00001000 0x11f00000 0x00001000 0x11f10000 0x00001000 0x1000b000 0x00001000>;
reg-names = "gpio_base", "iocfg_rt_base", "iocfg_rm_base", "iocfg_rb_base", "iocfg_lb_base", "iocfg_bl_base", "iocfg_tm_base", "iocfg_tl_base", "eint";
gpio-controller {
gpio-controller;
#gpio-cells = <0x00000002>;
phandle = <0x0000000b>;
};
spi0-pins-func-1 {
phandle = <0x0000000c>;
mux {
function = "flash";
groups = "spi0", "spi0_wp_hold";
};
conf-pu {
pins = "SPI0_CS", "SPI0_HOLD", "SPI0_WP";
drive-strength = <0x00000008>;
bias-pull-up = <0x00000067>;
};
conf-pd {
pins = "SPI0_CLK", "SPI0_MOSI", "SPI0_MISO";
drive-strength = <0x00000008>;
bias-pull-down = <0x00000067>;
};
};
spi1-pins-func-1 {
mux {
function = "spi";
groups = "spi1_1";
};
};
spi1-pins-func-3 {
phandle = <0x00000008>;
mux {
function = "uart";
groups = "uart1_2";
};
};
one-pwm-pins {
mux {
function = "pwm";
groups = "pwm0_1";
};
};
two-pwm-pins {
phandle = <0x00000007>;
mux {
function = "pwm";
groups = "pwm0_1", "pwm1_0";
};
};
three-pwm-pins {
mux {
function = "pwm";
groups = "pwm0_1", "pwm1_0", "pwm2";
};
};
};
pwm@10048000 {
compatible = "mediatek,mt7981-pwm";
reg = <0x10048000 0x00001000>;
#clock-cells = <0x00000001>;
#pwm-cells = <0x00000002>;
interrupts = <0x00000000 0x00000089 0x00000004>;
clocks = <0x00000004 0x00000005 0x00000006 0x0000002d 0x00000006 0x00000003 0x00000006 0x00000004 0x00000006 0x00000004>;
assigned-clocks = <0x00000005 0x00000051>;
assigned-clock-parents = <0x00000005 0x00000000>;
clock-names = "top", "main", "pwm1", "pwm2", "pwm3";
status = "okay";
pinctrl-names = "default";
pinctrl-0 = <0x00000007>;
};
serial@11002000 {
compatible = "mediatek,hsuart";
reg = <0x11002000 0x00000400>;
interrupts = <0x00000000 0x0000007b 0x00000004>;
clocks = <0x00000006 0x00000012>;
assigned-clocks = <0x00000005 0x00000050 0x00000006 0x00000025>;
assigned-clock-parents = <0x00000005 0x00000000 0x00000004 0x00000001>;
mediatek,force-highspeed;
status = "okay";
u-boot,dm-pre-reloc;
};
serial@11003000 {
compatible = "mediatek,hsuart";
reg = <0x11003000 0x00000400>;
interrupts = <0x00000000 0x0000007c 0x00000004>;
clocks = <0x00000006 0x00000013>;
assigned-clocks = <0x00000005 0x00000050 0x00000006 0x00000026>;
assigned-clock-parents = <0x00000005 0x00000000 0x00000004 0x00000001>;
mediatek,force-highspeed;
status = "disabled";
pinctrl-names = "default";
pinctrl-0 = <0x00000008>;
};
serial@11004000 {
compatible = "mediatek,hsuart";
reg = <0x11004000 0x00000400>;
interrupts = <0x00000000 0x0000007c 0x00000004>;
clocks = <0x00000006 0x00000014>;
assigned-clocks = <0x00000005 0x00000050 0x00000006 0x00000027>;
assigned-clock-parents = <0x00000005 0x00000000 0x00000004 0x00000001>;
mediatek,force-highspeed;
status = "disabled";
};
snand@11005000 {
compatible = "mediatek,mt7986-snand";
reg = <0x11005000 0x00001000 0x11006000 0x00001000>;
reg-names = "nfi", "ecc";
clocks = <0x00000006 0x00000018 0x00000006 0x00000017 0x00000006 0x00000019>;
clock-names = "pad_clk", "nfi_clk", "nfi_hclk";
assigned-clocks = <0x00000005 0x0000004d 0x00000005 0x0000004c>;
assigned-clock-parents = <0x00000005 0x00000006 0x00000005 0x00000006>;
status = "disabled";
};
syscon@15000000 {
compatible = "mediatek,mt7981-ethsys", "syscon";
reg = <0x15000000 0x00001000>;
clock-parent = <0x00000005>;
#clock-cells = <0x00000001>;
#reset-cells = <0x00000001>;
phandle = <0x00000009>;
};
ethernet@15100000 {
compatible = "mediatek,mt7981-eth", "syscon";
reg = <0x15100000 0x00020000>;
resets = <0x00000009 0x00000006>;
reset-names = "fe";
mediatek,ethsys = <0x00000009>;
mediatek,sgmiisys = <0x0000000a>;
#address-cells = <0x00000001>;
#size-cells = <0x00000000>;
status = "okay";
mediatek,gmac-id = <0x00000000>;
phy-mode = "sgmii";
mediatek,switch = "mt7531";
reset-gpios = <0x0000000b 0x00000027 0x00000000>;
fixed-link {
speed = <0x000003e8>;
full-duplex;
};
};
syscon@10060000 {
compatible = "mediatek,mt7986-sgmiisys", "syscon";
reg = <0x10060000 0x00001000>;
pn_swap;
#clock-cells = <0x00000001>;
phandle = <0x0000000a>;
};
syscon@10070000 {
compatible = "mediatek,mt7986-sgmiisys", "syscon";
reg = <0x10070000 0x00001000>;
#clock-cells = <0x00000001>;
};
spi@1100a000 {
compatible = "mediatek,ipm-spi";
reg = <0x1100a000 0x00000100>;
clocks = <0x00000006 0x0000001a 0x00000005 0x0000004e>;
assigned-clocks = <0x00000005 0x0000004e 0x00000004 0x00000028>;
assigned-clock-parents = <0x00000005 0x00000002 0x00000005 0x00000002>;
clock-names = "sel-clk", "spi-clk";
interrupts = <0x00000000 0x0000008c 0x00000004>;
status = "okay";
#address-cells = <0x00000001>;
#size-cells = <0x00000000>;
pinctrl-names = "default";
pinctrl-0 = <0x0000000c>;
must_tx;
enhance_timing;
dma_ext;
ipm_design;
support_quad;
tick_dly = <0x00000002>;
sample_sel = <0x00000000>;
spi_nand@0 {
compatible = "spi-nand";
reg = <0x00000000>;
spi-max-frequency = <0x03197500>;
};
};
spi@1100b000 {
compatible = "mediatek,ipm-spi";
reg = <0x1100b000 0x00000100>;
interrupts = <0x00000000 0x0000008d 0x00000004>;
status = "disabled";
};
spi@11009000 {
compatible = "mediatek,ipm-spi";
reg = <0x11009000 0x00000100>;
clocks = <0x00000006 0x0000001a 0x00000005 0x0000004e>;
assigned-clocks = <0x00000005 0x0000004e 0x00000004 0x00000028>;
assigned-clock-parents = <0x00000005 0x00000002 0x00000005 0x00000002>;
clock-names = "sel-clk", "spi-clk";
interrupts = <0x00000000 0x0000008e 0x00000004>;
status = "disabled";
};
mmc@11230000 {
compatible = "mediatek,mt7981-mmc";
reg = <0x11230000 0x00001000 0x11c20000 0x00001000>;
interrupts = <0x00000000 0x0000008f 0x00000004>;
clocks = <0x00000005 0x00000034 0x00000005 0x00000033 0x00000006 0x0000001f>;
assigned-clocks = <0x00000005 0x00000055 0x00000005 0x00000054>;
assigned-clock-parents = <0x00000005 0x0000001c 0x00000005 0x00000002>;
clock-names = "source", "hclk", "source_cg";
status = "disabled";
};
chosen {
stdout-path = "/serial@11002000";
tick-timer = "/timer@10008000";
};
memory@40000000 {
device_type = "memory";
reg = <0x40000000 0x10000000>;
};
};

复制代码

keke*** · 发表于 2024-3-28 20:11

460418589 发表于 2024-3-28 19:57
下面这段提取出来的的是dtb信息吗？我看跟其他型号的格式差别很大

是的，但它不是具体机型的，它相当于是一个公版，是这一类机型共有的基础内容

good*** · 发表于 2024-4-1 21:01

支持楼主这种研究态度，希望加把力，把我的那台mr3000d-ciq新版也早日研究出来。

wolf*** · 发表于 2024-4-8 09:47

牛逼的不要不要的，技术贴

jog*** · 发表于 2024-4-8 16:01

这真太6了，向您学习

fann*** · 发表于 2024-4-10 22:17

太牛了。SSH文件上传后点恢复吗

luol*** · 发表于 2024-4-10 23:48

差生在看了一遍默默流泪远去

keke*** · 发表于 2024-4-11 07:55

luoluo788 发表于 2024-4-10 23:48
差生在看了一遍默默流泪远去

还有另外两篇不同机型的也可以看看~会有启发的

lwwang*** · 发表于 2024-4-11 10:26

6666啊。这个论坛就是牛人多。

Tianc*** · 发表于 2024-4-11 10:55

太牛了，

，技术大佬

l432*** · 发表于 2024-4-16 11:40

可以可以，帖子很有用

账号		自动登录	找回密码
密码			立即注册

关于NOKIA EA0326GMP的研究

本帖子中包含更多资源

点评