固件的逆向解包及破解方法

前言

路由器的固件通常存储在FLASH中,对其固件的分析可以获取其中的各种信息,比如得到root用户的登陆权限,查看系统的日志,系统分区及系统的各类配置文件等。

对此固件的分析意义重大,这里主要说明一下通常对固件分析的技术上的方式和使用技巧。
固件分析所需要的环境:

1、常见路由器的SPI FLASH编程器;

2、最好是用Winows 笔记本来登陆到ubuntu系统的台式机上的方式 ;

3、Windows 下的Putty、winhex、WinSCP软件工具;

4、TTL线、网线、万用表及烙铁,热风枪等工具和线材;

分析步骤:

1、拆开对应的路由器设备的外壳;

2、查看路由器内部的的接口标识;

3、用万用表找到对应的地线GND标号;

4、通常为了调试或升级的方便,都会保留TTL引脚;

查看是否存在有TTL线的引脚或触点;

5、用准备好的TTL线连接路由器的TTL引脚或触点;

6、windows下用putty中的串口项打开对应的TTL线连接的串口;

7、查看是否有路由器启动的日志信息,如果有,请仔细分析;

8、等路由信息启动完毕后,看看是否有终端跳出来,是否有登陆窗口跳出;

9、如果有登陆窗口,但是无法输入,或者无法猜测出对应的用户名密码;

10、用热风枪或烙铁取下路由器上的存储FLASH芯片;

11、在Windows下用编程器提前存储在FLASH芯片的全部固件;

12、用WinSCP工具将提取出的固件上传到ubuntu系统中;

13、在ubuntu系统中安装对应的固件分析工具(firmware-mod-kit、binwalk、lzma、squashfs-tools等);

14、用这些分析工具进行分析,分析出来后,解压对应的数据包,提前对应的关键性数据进行分析;

到此步骤已经全部写出来了。
实例如下:

具体的在ubuntu系统中的操作流程如下:

这里以一款不知道哪家的路由器为例子,此家的路由器分AC和86型的AP采购进来,之前对此厂家的信息一无所知。
1、首先分析设备:

AC:

拆开此款AC,能够看到一个MT7621A的主控芯片及对应的256M的BGA的DDR和华邦的32M FLASH存储。

并看到一个4pin的间隙为2.0的TTL线的位置。

AP:

拆开此款的86型AP设备,应一个主控为MT7620N的主控芯片,16M的Ztel的DDR和华邦的4M FLASH存储。

此款的TTL线在板子的背面,而且屏蔽了kernel的启动信息,所以这里就没有此系统的启动过程。
2、查看启动信息:

下面的是AC设备接上TTL线能够看到对应的启动信息,具体如下:
===================================================================
MT7621 stage1 code Mar 12 2015 14:43:30 (ASIC)
CPU=500000000 HZ BUS=166666666 HZ
==================================================================
Change MPLL source from XTAL to CR…
do MEMPLL setting..
MEMPLL Config : 0x41100000
3PLL mode + External loopback
=== XTAL-40Mhz === DDR-400Mhz ===
PLL3 FB_DL: 0xd, 1/0 = 542/482 35000000
PLL4 FB_DL: 0xe, 1/0 = 586/438 39000000
PLL2 FB_DL: 0x15, 1/0 = 579/445 55000000
do DDR setting..[01F40000]
Apply DDR3 Setting…(use customer AC)
0 8 16 24 32 40 48 56 64 72 80 88 96 104 11 2 120
————————————————————————– ——
0000:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0001:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0002:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0003:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0004:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0005:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0006:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0007:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0008:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0009:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
000A:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
000B:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
000C:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
000D:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
000E:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
000F:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1
0010:| 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
0011:| 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0
0012:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0013:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0014:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0015:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0016:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0017:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0018:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0019:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001A:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001B:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001C:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001D:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001E:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001F:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
DRAMC_DQSCTL1[0e0]=14000000
DRAMC_DQSGCTL[124]=80000000
rank 0 coarse = 16
rank 0 fine = 64
B:| 0 0 0 0 0 0 0 0 0 1 1 1 0 0 0 0
opt_dle value:10
DRAMC_DDR2CTL[07c]=C287222D
DRAMC_PADCTL4[0e4]=000022B3
DRAMC_DQIDLY1[210]=0B0A090A
DRAMC_DQIDLY2[214]=07090909
DRAMC_DQIDLY3[218]=0B080A06
DRAMC_DQIDLY4[21c]=0A070B07
DRAMC_R0DELDLY[018]=00004040
==================================================================
RX DQS perbit delay software calibration
==================================================================
1.0-15 bit dq delay value
==================================================================
bit| 0 1 2 3 4 5 6 7 8 9
————————————–
0 | 10 9 10 11 9 9 9 7 6 10
10 | 8 11 7 11 7 10
————————————–

==================================================================
2.dqs window
x=pass dqs delay value (min~max)center
y=0-7bit DQ of every group
input delay:DQS0 =64 DQS1 = 64
==================================================================
bit DQS0 bit DQS1
0 (1~127)64 8 (1~127)64
1 (1~127)64 9 (2~127)64
2 (1~127)64 10 (1~127)64
3 (1~127)64 11 (1~127)64
4 (2~127)64 12 (1~127)64
5 (1~127)64 13 (1~127)64
6 (1~127)64 14 (1~127)64
7 (1~127)64 15 (1~127)64
==================================================================
3.dq delay value last
==================================================================
bit| 0 1 2 3 4 5 6 7 8 9
————————————–
0 | 10 9 10 11 9 9 9 7 6 10
10 | 8 11 7 11 7 10
==================================================================
==================================================================
TX perbyte calibration
==================================================================
DQS loop = 15, cmp_err_1 = ffff0000
dqs_perbyte_dly.last_dqsdly_pass[0]=15, finish count=1
dqs_perbyte_dly.last_dqsdly_pass[1]=15, finish count=2
DQ loop=15, cmp_err_1 = ffff0000
dqs_perbyte_dly.last_dqdly_pass[0]=15, finish count=1
dqs_perbyte_dly.last_dqdly_pass[1]=15, finish count=2
byte:0, (DQS,DQ)=(8,8)
byte:1, (DQS,DQ)=(8,8)
DRAMC_DQODLY1[200]=88888888
DRAMC_DQODLY2[204]=88888888
20,data:88
[EMI] DRAMC calibration passed

===================================================================
MT7621 stage1 code done
CPU=500000000 HZ BUS=166666666 HZ
===================================================================

U-Boot 1.1.3 (Jun 27 2016 – 10:37:27)

Board: Ralink APSoC DRAM: 256 MB
relocate_code Pointer at: 8ffb8000

Config XHCI 40M PLL
flash manufacture id: ef, device id 40 18
find flash: W25Q128BV
*** Warning – bad CRC, using default environment

============================================
Ralink UBoot Version: 4.3.0.0
——————————————–
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection
DRAM_TYPE: DDR3
DRAM bus: 16 bit
Xtal Mode=3 OCP Ratio=1/3
Flash component: SPI Flash
Date:Jun 27 2016 Time:10:37:27
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768

##### The CPU freq = 880 MHZ ####
estimate memory size =256 Mbytes
#Reset_MT7530
set LAN/WAN WLLLL

Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.
default: 3 0

3: System Boot system code via Flash.
## Booting image at bc050000 …
Image Name: Linux Kernel Image
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 6157391 Bytes = 5.9 MB
Load Address: 80001000
Entry Point: 803559d0
Verifying Checksum … OK
Uncompressing Kernel Image … OK
No initrd
## Transferring control to Linux (at address 803559d0) …
## Giving linux memsize in MB, 256

Starting kernel …

LINUX started…

THIS IS ASIC
Linux version 3.10.14 (root@Erick) (gcc version 4.6.3 (Buildroot 2012.11.1) ) #450 SMP Wed Jul 6 17:56:27 CST 2016

The CPU feqenuce set to 880 MHz
GCMP present
CPU0 revision is: 0001992f (MIPS 1004Kc)
Software DMA cache coherency
Determined physical RAM map:
memory: 10000000 @ 00000000 (usable)
Initrd not found or empty – disabling initrd
Zone ranges:
Normal [mem 0x00000000-0x0fffffff]
HighMem empty
Movable zone start for each node
Early memory node ranges
node 0: [mem 0x00000000-0x0fffffff]
Detected 3 available secondary CPU(s)
Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
PERCPU: Embedded 7 pages/cpu @81203000 s6720 r8192 d13760 u32768
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 65024
Kernel command line: console=ttyS1,57600n8 root=/dev/ram0 console=ttyS1,57600 root=/dev/ram0 rootfstype=squashfs,jffs2
PID hash table entries: 1024 (order: 0, 4096 bytes)
Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
Writing ErrCtl register=0001e103
Readback ErrCtl register=0001e103
Memory: 249948k/262144k available (3443k kernel code, 12196k reserved, 1654k data, 4432k init, 0k highmem)
Hierarchical RCU implementation.
NR_IRQS:128
console [ttyS1] enabled
Calibrating delay loop… 580.60 BogoMIPS (lpj=1161216)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
Performance counters: mips/1004K PMU enabled, 2 32-bit counters available to each CPU, irq -1 (share with timer interrupt)
launch: starting cpu1
launch: cpu1 gone!
CPU1 revision is: 0001992f (MIPS 1004Kc)
Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
Synchronize counters for CPU 1: done.
launch: starting cpu2
launch: cpu2 gone!
CPU2 revision is: 0001992f (MIPS 1004Kc)
Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
Synchronize counters for CPU 2: done.
launch: starting cpu3
launch: cpu3 gone!
CPU3 revision is: 0001992f (MIPS 1004Kc)
Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
Synchronize counters for CPU 3: done.
Brought up 4 CPUs
devtmpfs: initialized
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
SCSI subsystem initialized
Switching to clocksource MIPS
NET: Registered protocol family 2
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP: reno registered
UDP hash table entries: 256 (order: 1, 8192 bytes)
UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
NET: Registered protocol family 1
4 CPUs re-calibrate udelay(lpj = 1167360)
squashfs: version 4.0 (2009/01/31) Phillip Lougher
NTFS driver 2.1.30 [Flags: R/W DEBUG].
jffs2: version 2.2. (NAND) (SUMMARY) (ZLIB) (RTIME) (c) 2001-2006 Red Hat, Inc.
fuse init (API version 7.22)
io scheduler noop registered (default)
Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x1e000d00 (irq = 27) is a 16550A
serial8250: ttyS1 at MMIO 0x1e000c00 (irq = 26) is a 16550A
Ralink gpio driver initialized
brd: module loaded
loop: module loaded
flash manufacture id: ef, device id 40 18
W25Q128BV(ef 40180000) (16384 Kbytes)
mtd .name = raspi, .size = 0x01000000 (16M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
Creating 6 MTD partitions on “raspi”:
0x000000000000-0x000000030000 : “Bootloader”
0x000000030000-0x000000040000 : “Config”
0x000000040000-0x000000050000 : “Factory”
0x000000050000-0x000000800000 : “Kernel”
0x000000800000-0x000001000000 : “DataBase”
0x000000000000-0x000001000000 : “ALL”
PPP generic driver version 2.4.2
PPP BSD Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
PPTP driver version 0.8.5
rdm_major = 253
netif_napi_add() called with weight 128 on device eth2
GMAC1_MAC_ADRH — : 0x000078d3
GMAC1_MAC_ADRL — : 0x8dddbebc
Ralink APSoC Ethernet Driver Initilization. v3.1 1024 rx/tx descriptors allocated, mtu = 1500!
NAPI enable, Tx Ring = 1024, Rx Ring = 1024
GMAC1_MAC_ADRH — : 0x000078d3
GMAC1_MAC_ADRL — : 0x8dddbebc
PROC INIT OK!
Ralink APSoC Hardware Watchdog Timer
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (3905 buckets, 15620 max)
ipt_domain 0.0.4 : Platinum, http://platinum.cublog.cn/
xt_time: kernel timezone is -0000
gre: GRE over IPv4 demultiplexor driver
ip_tables: (C) 2000-2006 Netfilter Core Team
Type=Linux
TCP: cubic registered
NET: Registered protocol family 17
l2tp_core: L2TP core driver, V2.0
l2tp_ppp: PPPoL2TP kernel driver, V2.0
8021q: 802.1Q VLAN Support v1.8
Warning: unable to open an initial console.
Freeing unused kernel memory: 4432K (804fc000 – 80950000)
Algorithmics/MIPS FPU Emulator v1.5
jffs2: notice: (120) jffs2_build_xattr_subsystem: xref (0 dead, 0 orphan) found.
78:FFFFFFD3:FFFFFF8D:FFFFFFDD:FFFFFFBE:FFFFFFBC
Raeth v3.1 (NAPI)

phy_tx_ring = 0x0c678000, tx_ring = 0xac678000

phy_rx_ring0 = 0x0c67c000, rx_ring0 = 0xac67c000
MT7530 Reset Completed!!
change HW-TRAP to 0x15c8f
set LAN/WAN LLLLW
GMAC1_MAC_ADRH — : 0x000078d3
GMAC1_MAC_ADRL — : 0x8dddbebc
GDMA2_MAC_ADRH — : 0x000078d3
GDMA2_MAC_ADRL — : 0x8dddbebd
eth3: ===> VirtualIF_open
CDMA_CSG_CFG = 81000000
GDMA1_FWD_CFG = 20710000
GDMA2_FWD_CFG = 20710000
device eth2 entered promiscuous mode
eth3: ===> VirtualIF_open
device eth3 entered promiscuous mode
br0: port 2(eth3) entered forwarding state
br0: port 2(eth3) entered forwarding state
br0: port 1(eth2) entered forwarding state
br0: port 1(eth2) entered forwarding state
MTK MSDC device init.
msdc0 -> ================ <- msdc_set_mclk() : L<686> PID<insmod><0x198>
msdc0 -> !!! Set<400KHz> Source<50000KHz> -> sclk<390KHz> <- msdc_set_mclk() : L<687> PID<insmod><0x198>
msdc0 -> ================ <- msdc_set_mclk() : L<688> PID<insmod><0x198>
msdc0 -> ops_get_cd return<1> <- msdc_ops_get_cd() : L<2317> PID<kworker/u8:0><0x6>
mtk-sd: MediaTek MT6575 MSDC Driver
mmc0: mmc_rescan_try_freq: trying to init card at 400000 Hz
msdc0 -> XXX MSDC_INT_SDIOIRQ <- msdc_irq() : L<2393>
msdc0 -> XXX CMD<52> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<52> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<8> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<1> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> set mclk to 0!!! <- msdc_set_mclk() : L<634> PID<kworker/u8:0><0x6>
mmc0: mmc_rescan_try_freq: trying to init card at 300000 Hz
msdc0 -> set mclk to 0!!! <- msdc_set_mclk() : L<634> PID<kworker/u8:0><0x6>
msdc0 -> ================ <- msdc_set_mclk() : L<686> PID<kworker/u8:0><0x6>
msdc0 -> !!! Set<300KHz> Source<50000KHz> -> sclk<297KHz> <- msdc_set_mclk() : L<687> PID<kworker/u8:0><0x6>
msdc0 -> ================ <- msdc_set_mclk() : L<688> PID<kworker/u8:0><0x6>
msdc0 -> XXX CMD<52> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<52> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<8> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<1> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> set mclk to 0!!! <- msdc_set_mclk() : L<634> PID<kworker/u8:0><0x6>
mmc0: mmc_rescan_try_freq: trying to init card at 260000 Hz
msdc0 -> set mclk to 0!!! <- msdc_set_mclk() : L<634> PID<kworker/u8:0><0x6>
msdc0 -> ================ <- msdc_set_mclk() : L<686> PID<kworker/u8:0><0x6>
msdc0 -> !!! Set<260KHz> Source<50000KHz> -> sclk<255KHz> <- msdc_set_mclk() : L<687> PID<kworker/u8:0><0x6>
msdc0 -> ================ <- msdc_set_mclk() : L<688> PID<kworker/u8:0><0x6>
msdc0 -> XXX CMD<52> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<52> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<8> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<1> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> set mclk to 0!!! <- msdc_set_mclk() : L<634> PID<kworker/u8:0><0x6>
Started WatchDog Timer.

br0: port 2(eth3) entered forwarding state
br0: port 1(eth2) entered forwarding state

AC1000 login:

 

后面有破解出来的密码,用用户名,密码就可以直接登录进入系统了。。

用户名:admin
密码:a1sev5y7c39k

PW300 login: admin
Password: a1sev5y7c39k
3、获取关键性数据:
最后能看到提示符:

AC1000 login:

看到提示符很是欣喜!

但是TTL的输入好像被软件或硬件上给做了屏蔽,此时通过键盘进行输入,失落。。。。

不过从上面的启动信息上,可以看出对应的硬件配置了,flash的分区表也有了。

配置的关键性数据:

 

mtd分区表的结构:

flash manufacture id: ef, device id 40 18
W25Q128BV(ef 40180000) (16384 Kbytes)
mtd .name = raspi, .size = 0x01000000 (16M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
Creating 6 MTD partitions on “raspi”:
0x000000000000-0x000000030000 : “Bootloader”
0x000000030000-0x000000040000 : “Config”
0x000000040000-0x000000050000 : “Factory”
0x000000050000-0x000000800000 : “Kernel”
0x000000800000-0x000001000000 : “DataBase”
0x000000000000-0x000001000000 : “ALL”

 

对硬件有了基本上的了解,但是无法进行输入,所以也就无法进入下去了,只有拆卸Flash了。

4、无法输入或不知密码后的,拆卸FLASH后的分析步骤:

热风枪吹下来后,将其放置在编程器上读取32Mflash的数据,并将其通过WinSCP上传到ubuntu系统中进行查看;

root@dell-180:/home/leekwen/ac1000# binwalk 7621A-ac1000.bin -v

Scan Time: 2016-12-09 16:32:31
Target File: /home/leekwen/ac1000/7621A-ac1000.bin
MD5 Checksum: a4b523383795fa8af2680b29b67604f1
Signatures: 374

DECIMAL HEXADECIMAL DESCRIPTION
——————————————————————————–
71368 0x116C8 U-Boot version string, “U-Boot 1.1.3 (Jun 27 2016 – 10:37:27)”
327680 0x50000 uImage header, header size: 64 bytes, header CRC: 0xCEF2FB2F, created: 2016-07-06 09:56:37, image size: 6157391 bytes, Data Address: 0x80001000, Entry Point: 0x803559D0, data CRC: 0x4AB990B5, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: “Linux Kernel Image”
327744 0x50040 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9701952 bytes
3675222 0x381456 MPEG transport stream data
8388608 0x800000 JFFS2 filesystem, little endian

 

用binwalk工具查看固件的头文件,看到上面的结果。

此时可以通过windows的winhex提取对应位置上的分区信息,中重要的是rootfs数据。

此时看到的是0x800000位置后的数据为JFFS2的分区数据。

提取后,进行解包即可。但是此时如果结果的数据是CPIO压缩的,建议还是解压到本地目录,否则会覆盖到你的X86的文件系统中,导致你的X86的ubuntu系统崩溃。

此篇文章的主要说明trips:

这里需要说明以下几点:

1、首先用binwalk进行头的分析,然后提取对应的头数据,并在系统中挂载对应的分区;

2、CPIO数据格式的文件,解压时需要注意不要直接解压到X86系统目录,否则会导致X86 ubuntu系统的崩溃;

3、如果是固件只开启的Telnetd服务,系统中也没有curl,nc,wget命令的话,那么传输数据的时候,就只能通过tftp命令了;

4、固件系统的挂载,需要指定对应的格式,mtd分区的挂载需要注意下,与传统的ntfs,fat,ext,LVM等分区的挂载不同;

实例:
mtd分区的挂载:

root@leekwen:/home/leekwen/ac1000/ac_bin# modprobe mtdram total_size=32768 erase_size=64
root@leekwen:/home/leekwen/ac1000/ac_bin# modprobe mtdblock
root@leekwen:/home/leekwen/ac1000/ac_bin# dd if=conf of=/dev/mtdblock0
root@leekwen:/home/leekwen/ac1000/ac_bin# mount -t jffs2 /dev/mtdblock0 /mnt

 

5、如果固件中的busybox版本比较低,而且命令不全的话,可以去下载对应cpu架构支持的busybox 静态文件,通过tftp上传上去,赋予执行权限后即可使用了。

此MT7621A所用的busybox为busybox-mipsel版本,非busybox-mipse版本的。

经研究发现,7620N 模块中的telnetd服务开启;
端口:23
用户名:admin
密码:a1sev5y7c39k

PW300 login: admin
Password: a1sev5y7c39k

所以就可以直接用admin及密码登陆了。

开启Win7端的TFTPD服务后,使用tftp命令上传及下载如下实例:

86型AP的架构如下:

# cat /proc/cpuinfo
system type : Ralink SoC
processor : 0
cpu model : MIPS 24Kc V5.0
BogoMIPS : 386.04
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0ff8, 0x0ff8, 0x0bdb, 0x0ff8]
ASEs implemented : mips16 dsp
shadow register sets : 1
core : 0
VCED exceptions : not available
VCEI exceptions : not available

下载busybox-mipsel,并放置在tftpd服务器的根目录下,然后在嵌入式系统中运行下面的命令:

# tftp -g -r busybox-mipsel 192.168.1.127
busybox-mipsel 100% |*******************************| 1539k 0:00:00 ETA
# ./busybox-mipsel
BusyBox v1.21.1 (2013-07-08 11:09:23 CDT) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2012.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]…]
or: busybox –list[-full]
or: busybox –install [-s] [DIR]
or: function [arguments]…

BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.

原来的嵌入式系统中没有的命令,可以通过如下的命令进行创建:

# cp busybox-mipsel /bin/
# ln -s /bin/busybox-mipsel /bin/netstat
# netstat -aln
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 139 192.168.1.181:23 192.168.1.127:27602 ESTABLISHED
netstat: /proc/net/tcp6: No such file or directory
udp 0 0 0.0.0.0:9090 0.0.0.0:*
udp 0 0 0.0.0.0:63638 0.0.0.0:*
udp 0 0 0.0.0.0:162 0.0.0.0:*
udp 0 0 0.0.0.0:69 0.0.0.0:*
netstat: /proc/net/udp6: No such file or directory
netstat: /proc/net/raw6: No such file or directory
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path

将嵌入式系统中的mtd固件分区打包后,上传到windows中的命令如下:

导出固件:
# fdisk -l

Disk /dev/mtdblock0: 0 MB, 196608 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/mtdblock0 doesn’t contain a valid partition table
Disk /dev/mtdblock1: 0 MB, 65536 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk /dev/mtdblock1 doesn’t contain a valid partition table

Disk /dev/mtdblock2: 0 MB, 65536 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/mtdblock2 doesn’t contain a valid partition table
Disk /dev/mtdblock3: 8 MB, 8060928 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk /dev/mtdblock3 doesn’t contain a valid partition table

Disk /dev/mtdblock4: 8 MB, 8388608 bytes
255 heads, 63 sectors/track, 1 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/mtdblock4 doesn’t contain a valid partition table
Disk /dev/mtdblock5: 16 MB, 16777216 bytes
255 heads, 63 sectors/track, 2 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk /dev/mtdblock5 doesn’t contain a valid partition table

# cat /proc/mtd
dev: size erasesize name
mtd0: 00030000 00010000 “Bootloader”
mtd1: 00010000 00010000 “Config”
mtd2: 00010000 00010000 “Factory”
mtd3: 007b0000 00010000 “Kernel”
mtd4: 00800000 00010000 “DataBase”
mtd5: 01000000 00010000 “ALL”

# dd if=/dev/mtdblock3 of=block3
-sh: dd: not found

# ln -s /bin/busybox-mipsel /bin/dd

# dd if=/dev/mtdblock3 of=block3
15744+0 records in
15744+0 records out
8060928 bytes (7.7MB) copied, 3.758830 seconds, 2.0MB/s

# dd if=/dev/mtdblock4 of=block4
16384+0 records in
16384+0 records out
8388608 bytes (8.0MB) copied, 3.925839 seconds, 2.0MB/s

# dd if=/dev/mtdblock5 of=block5
32768+0 records in
32768+0 records out
16777216 bytes (16.0MB) copied, 7.893829 seconds, 2.0MB/s

# busybox-mipsel ls -lh
total 32448
-rw-r–r– 1 admin admin 7.7M Jan 1 00:23 block3
-rw-r–r– 1 admin admin 8.0M Jan 1 00:24 block4
-rw-r–r– 1 admin admin 16.0M Jan 1 00:24 block5

ubuntu分析提取的mtd块数据:

leekwen@leekwen:~/ac1000/mtd$ ls -lh
total 32448
-rw-r–r– 1 leekwen leekwen 7.7M Dec 13 01:33 block3
-rw-r–r– 1 leekwen leekwen 8.0M Dec 13 01:34 block4
-rw-r–r– 1 leekwen leekwen 16.0M Dec 13 01:35 block5
leekwen@leekwen:~/ac1000/mtd$ binwalk block3 -v

Scan Time: 2016-12-13 09:41:53
Target File: /home/leekwen/ac1000/mtd/block3
MD5 Checksum: 2930b8f9eacd024c8137de1f36ada2a0
Signatures: 374

DECIMAL HEXADECIMAL DESCRIPTION
——————————————————————————–
0 0x0 uImage header, header size: 64 bytes, header CRC:0xCEF2FB2F, created: 2016-07-06 09:56:37,
image size: 6157391 bytes, Data Address: 0x80001000, Entry Point: 0x803559D0, data CRC: 0x4AB990B5,
OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: “Linux Kernel Image”
64 0x40 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9701952 bytes
3347542 0x331456 MPEG transport stream data

leekwen@leekwen:~/ac1000/mtd$ binwalk block4 -v

Scan Time: 2016-12-13 09:42:12
Target File: /home/leekwen/ac1000/mtd/block4
MD5 Checksum: b9250ddca6f75eb200820e8eb12ef0fe
Signatures: 374

DECIMAL HEXADECIMAL DESCRIPTION
——————————————————————————–
0 0x0 JFFS2 filesystem, little endian

leekwen@leekwen:~/ac1000/mtd$ binwalk block5 -v

Scan Time: 2016-12-13 09:42:20
Target File: /home/leekwen/ac1000/mtd/block5
MD5 Checksum: 0279c45881de84827d4eddb780b6cc24
Signatures: 374

DECIMAL HEXADECIMAL DESCRIPTION
——————————————————————————–
71368 0x116C8 U-Boot version string, “U-Boot 1.1.3 (Jun 27 2016 – 10:37:27)”
327680 0x50000 uImage header, header size: 64 bytes, header CRC: 0xCEF2FB2F, created: 2016-07-06 09:56:37,
image size: 6157391 bytes, Data Address: 0x80001000, Entry Point: 0x803559D0, data CRC: 0x4AB990B5,
OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: “Linux Kernel Image”
327744 0x50040 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9701952 bytes
3675222 0x381456 MPEG transport stream data
8388608 0x800000 JFFS2 filesystem, little endian

嵌入式系统中执行上传命令,将打包的mtd分区包上传到windows的tftpd服务器中:
# tftp -p -r mtd.tar.gz 192.168.1.127
mtd.tar.gz 100% |*****************************************| 3910k 0:00:00 ETA
#

6、入门级的就写到这里了,其它的就看自己的linux命令用的如何了。。。

7、其AC与下面的AP通讯用的是SNMP:

日志如下:

通过snmpd进程进行通信
通信日志:
NET-SNMP version 5.6.2 restarted
Received SNMP packet(s) from UDP: [192.168.200.1]:62604->[192.168.200.96]:161
GET message
— iso.3.6.1.4.1.33980.100.1.1.1.1.18.1
Received SNMP packet(s) from UDP: [192.168.200.1]:32450->[192.168.200.96]:161
GET message
— iso.3.6.1.4.1.33980.100.1.1.1.1.18.1
Received SNMP packet(s) from UDP: [192.168.200.1]:15380->[192.168.200.96]:161
GET message
— iso.3.6.1.4.1.33980.100.1.3.1.0
Received SNMP packet(s) from UDP: [192.168.200.1]:15195->[192.168.200.96]:161
GET message
— iso.3.6.1.4.1.33980.100.1.1.1.1.59.1
Received SNMP packet(s) from UDP: [192.168.200.1]:45220->[192.168.200.96]:161
GET message
— iso.3.6.1.4.1.33980.100.1.1.1.1.60.1
Received SNMP packet(s) from UDP: [192.168.200.1]:15945->[192.168.200.96]:161
GET message
— iso.3.6.1.4.1.33980.100.1.1.1.1.61.1
Received SNMP packet(s) from UDP: [192.168.200.1]:2043->[192.168.200.96]:161
GET message
— iso.3.6.1.4.1.33980.100.1.1.1.1.40.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.15.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.16.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.17.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.29.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.30.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.18.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.13.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.20.1
— iso.3.6.1.4.1.33980.100.1.3.1.0
— iso.3.6.1.4.1.33980.100.1.1.1.1.19.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.10.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.12.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.55.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.56.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.57.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.4.1
— iso.3.6.1.4.1.33980.100.1.3.3.1.5.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.26.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.28.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.29.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.22.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.13.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.23.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.24.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.36.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.15.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.40.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.41.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.21.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.10.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.11.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.31.1
Received SNMP packet(s) from UDP: [192.168.200.1]:63905->[192.168.200.96]:161
GET message
— iso.3.6.1.4.1.33980.100.1.3.3.1.3.1
— iso.3.6.1.4.1.33980.100.1.3.3.1.3.2
— iso.3.6.1.4.1.33980.100.1.3.3.1.3.3
— iso.3.6.1.4.1.33980.100.1.3.3.1.3.4
— iso.3.6.1.4.1.33980.100.1.3.3.1.4.1
— iso.3.6.1.4.1.33980.100.1.3.3.1.4.2
— iso.3.6.1.4.1.33980.100.1.3.3.1.4.3
— iso.3.6.1.4.1.33980.100.1.3.3.1.4.4
— iso.3.6.1.4.1.33980.100.1.3.3.1.2.1
— iso.3.6.1.4.1.33980.100.1.3.3.1.2.2
— iso.3.6.1.4.1.33980.100.1.3.3.1.2.3
— iso.3.6.1.4.1.33980.100.1.3.3.1.2.4
— iso.3.6.1.4.1.33980.100.1.3.3.1.10.1
— iso.3.6.1.4.1.33980.100.1.3.3.1.10.2
— iso.3.6.1.4.1.33980.100.1.3.3.1.10.3
— iso.3.6.1.4.1.33980.100.1.3.3.1.10.4
— iso.3.6.1.4.1.33980.100.1.3.2.1.3.1
— iso.3.6.1.4.1.33980.100.1.3.2.1.3.2
— iso.3.6.1.4.1.33980.100.1.3.2.1.3.3
— iso.3.6.1.4.1.33980.100.1.3.2.1.3.4
— iso.3.6.1.4.1.33980.100.1.3.3.1.7.1
— iso.3.6.1.4.1.33980.100.1.3.3.1.7.2
— iso.3.6.1.4.1.33980.100.1.3.3.1.7.3
— iso.3.6.1.4.1.33980.100.1.3.3.1.7.4
— iso.3.6.1.4.1.33980.100.1.3.3.1.8.1
— iso.3.6.1.4.1.33980.100.1.3.3.1.8.2
— iso.3.6.1.4.1.33980.100.1.3.3.1.8.3
— iso.3.6.1.4.1.33980.100.1.3.3.1.8.4
— iso.3.6.1.4.1.33980.100.1.3.3.1.9.1
— iso.3.6.1.4.1.33980.100.1.3.3.1.9.2
— iso.3.6.1.4.1.33980.100.1.3.3.1.9.3
— iso.3.6.1.4.1.33980.100.1.3.3.1.9.4
— iso.3.6.1.4.1.33980.100.1.4.1.1.3.1
— iso.3.6.1.4.1.33980.100.1.4.1.1.3.2
— iso.3.6.1.4.1.33980.100.1.4.1.1.3.3
— iso.3.6.1.4.1.33980.100.1.4.1.1.3.4
— iso.3.6.1.4.1.33980.100.1.4.1.1.2.1
— iso.3.6.1.4.1.33980.100.1.4.1.1.2.2
— iso.3.6.1.4.1.33980.100.1.4.1.1.2.3
— iso.3.6.1.4.1.33980.100.1.4.1.1.2.4
— iso.3.6.1.4.1.33980.100.1.4.2.1.3.1
— iso.3.6.1.4.1.33980.100.1.4.2.1.3.2
— iso.3.6.1.4.1.33980.100.1.4.2.1.3.3
— iso.3.6.1.4.1.33980.100.1.4.2.1.3.4
— iso.3.6.1.4.1.33980.100.1.4.2.1.2.1
— iso.3.6.1.4.1.33980.100.1.4.2.1.2.2
— iso.3.6.1.4.1.33980.100.1.4.2.1.2.3
— iso.3.6.1.4.1.33980.100.1.4.2.1.2.4
Received SNMP packet(s) from UDP: [192.168.200.1]:16330->[192.168.200.96]:161
GET message
— iso.3.6.1.4.1.33980.100.1.1.1.1.18.1
Received SNMP packet(s) from UDP: [192.168.200.1]:33809->[192.168.200.96]:161
SET message
— iso.3.6.1.4.1.33980.100.1.1.1.1.61.1

urging address from address cache: UDP: [192.168.200.1]:33809->[192.168.200.96]:161Received SNMP packet(s) from UDP: [192.168.200.1]:62614->[192.168.200.96]:161
GET message
— iso.3.6.1.4.1.33980.100.1.3.1.0
Purging address from address cache: UDP: [192.168.200.1]:24740->[192.168.200.96]:161Received SNMP packet(s) from UDP: [192.168.200.1]:45882->[192.168.200.96]:161
GET message
— iso.3.6.1.4.1.33980.100.1.1.1.1.59.1
Purging address from address cache: UDP: [192.168.200.1]:22828->[192.168.200.96]:161Received SNMP packet(s) from UDP: [192.168.200.1]:7701->[192.168.200.96]:161
GET message
— iso.3.6.1.4.1.33980.100.1.1.1.1.60.1
Purging address from address cache: UDP: [192.168.200.1]:40545->[192.168.200.96]:161Received SNMP packet(s) from UDP: [192.168.200.1]:60496->[192.168.200.96]:161
GET message
— iso.3.6.1.4.1.33980.100.1.1.1.1.61.1
Purging address from address cache: UDP: [192.168.200.1]:16535->[192.168.200.96]:161Received SNMP packet(s) from UDP: [192.168.200.1]:26281->[192.168.200.96]:161
GET message
— iso.3.6.1.4.1.33980.100.1.1.1.1.40.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.15.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.16.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.17.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.29.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.30.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.18.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.13.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.20.1
— iso.3.6.1.4.1.33980.100.1.3.1.0
— iso.3.6.1.4.1.33980.100.1.1.1.1.19.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.10.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.12.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.55.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.56.1
— iso.3.6.1.4.1.33980.100.1.1.1.1.57.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.4.1
— iso.3.6.1.4.1.33980.100.1.3.3.1.5.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.26.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.28.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.29.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.22.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.13.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.23.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.24.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.36.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.15.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.40.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.41.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.21.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.10.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.11.1
— iso.3.6.1.4.1.33980.100.1.2.3.1.31.1
Purging address from address cache: UDP: [192.168.200.1]:64805->[192.168.200.96]:161Received SNMP packet(s) from UDP: [192.168.200.1]:47345->[192.168.200.96]:161
GET message
— iso.3.6.1.4.1.33980.100.1.3.3.1.3.1
— iso.3.6.1.4.1.33980.100.1.3.3.1.3.2
— iso.3.6.1.4.1.33980.100.1.3.3.1.3.3
— iso.3.6.1.4.1.33980.100.1.3.3.1.3.4
— iso.3.6.1.4.1.33980.100.1.3.3.1.4.1
— iso.3.6.1.4.1.33980.100.1.3.3.1.4.2
— iso.3.6.1.4.1.33980.100.1.3.3.1.4.3
— iso.3.6.1.4.1.33980.100.1.3.3.1.4.4
— iso.3.6.1.4.1.33980.100.1.3.3.1.2.1
— iso.3.6.1.4.1.33980.100.1.3.3.1.2.2
— iso.3.6.1.4.1.33980.100.1.3.3.1.2.3
— iso.3.6.1.4.1.33980.100.1.3.3.1.2.4
— iso.3.6.1.4.1.33980.100.1.3.3.1.10.1
— iso.3.6.1.4.1.33980.100.1.3.3.1.10.2
— iso.3.6.1.4.1.33980.100.1.3.3.1.10.3
— iso.3.6.1.4.1.33980.100.1.3.3.1.10.4
— iso.3.6.1.4.1.33980.100.1.3.2.1.3.1
— iso.3.6.1.4.1.33980.100.1.3.2.1.3.2
— iso.3.6.1.4.1.33980.100.1.3.2.1.3.3
— iso.3.6.1.4.1.33980.100.1.3.2.1.3.4
— iso.3.6.1.4.1.33980.100.1.3.3.1.7.1
— iso.3.6.1.4.1.33980.100.1.3.3.1.7.2
— iso.3.6.1.4.1.33980.100.1.3.3.1.7.3
— iso.3.6.1.4.1.33980.100.1.3.3.1.7.4
— iso.3.6.1.4.1.33980.100.1.3.3.1.8.1
— iso.3.6.1.4.1.33980.100.1.3.3.1.8.2
— iso.3.6.1.4.1.33980.100.1.3.3.1.8.3
— iso.3.6.1.4.1.33980.100.1.3.3.1.8.4
— iso.3.6.1.4.1.33980.100.1.3.3.1.9.1
— iso.3.6.1.4.1.33980.100.1.3.3.1.9.2
— iso.3.6.1.4.1.33980.100.1.3.3.1.9.3
— iso.3.6.1.4.1.33980.100.1.3.3.1.9.4
— iso.3.6.1.4.1.33980.100.1.4.1.1.3.1
— iso.3.6.1.4.1.33980.100.1.4.1.1.3.2
— iso.3.6.1.4.1.33980.100.1.4.1.1.3.3
— iso.3.6.1.4.1.33980.100.1.4.1.1.3.4
— iso.3.6.1.4.1.33980.100.1.4.1.1.2.1
— iso.3.6.1.4.1.33980.100.1.4.1.1.2.2
— iso.3.6.1.4.1.33980.100.1.4.1.1.2.3
— iso.3.6.1.4.1.33980.100.1.4.1.1.2.4
— iso.3.6.1.4.1.33980.100.1.4.2.1.3.1
— iso.3.6.1.4.1.33980.100.1.4.2.1.3.2
— iso.3.6.1.4.1.33980.100.1.4.2.1.3.3
— iso.3.6.1.4.1.33980.100.1.4.2.1.3.4
— iso.3.6.1.4.1.33980.100.1.4.2.1.2.1
— iso.3.6.1.4.1.33980.100.1.4.2.1.2.2
— iso.3.6.1.4.1.33980.100.1.4.2.1.2.3
— iso.3.6.1.4.1.33980.100.1.4.2.1.2.4

上面为自己的一些实际操作过程,以此备份,防止自己遗忘了。。~

Leave a Reply