路由固件的逆向解包及破解方法

发布者:leekwenty
发布于:2019-02-18 13:09
版权声明:本文为LeeKwen的原创文章,请联系微信@leekwenty后转载。 https://blog.csdn.net/leekwen/article/details/53635462

前言

路由器的固件通常存储在FLASH中,对其固件的分析可以获取其中的各种信息,比如得到root用户的登陆权限,查看系统的日志,系统分区及系统的各类配置文件等。

对此固件的分析意义重大,这里主要说明一下通常对固件分析的技术上的方式和使用技巧。

固件分析所需要的环境:

1、常见路由器的SPI FLASH编程器;

2、最好是用Winows 笔记本来登陆到ubuntu系统的台式机上的方式 ;

3、Windows 下的Putty、winhex、WinSCP软件工具;

4、TTL线、网线、万用表及烙铁,热风枪等工具和线材;


分析步骤:

1、拆开对应的路由器设备的外壳;

2、查看路由器内部的的接口标识;

3、用万用表找到对应的地线GND标号;

4、通常为了调试或升级的方便,都会保留TTL引脚;

查看是否存在有TTL线的引脚或触点;

5、用准备好的TTL线连接路由器的TTL引脚或触点;

6、windows下用putty中的串口项打开对应的TTL线连接的串口;

7、查看是否有路由器启动的日志信息,如果有,请仔细分析;

8、等路由信息启动完毕后,看看是否有终端跳出来,是否有登陆窗口跳出;

9、如果有登陆窗口,但是无法输入,或者无法猜测出对应的用户名密码;

10、用热风枪或烙铁取下路由器上的存储FLASH芯片;

11、在Windows下用编程器提前存储在FLASH芯片的全部固件;

12、用WinSCP工具将提取出的固件上传到ubuntu系统中;

13、在ubuntu系统中安装对应的固件分析工具(firmware-mod-kit、binwalk、lzma、squashfs-tools等);

14、用这些分析工具进行分析,分析出来后,解压对应的数据包,提前对应的关键性数据进行分析;

到此步骤已经全部写出来了。

实例如下:

具体的在ubuntu系统中的操作流程如下:

这里以一款不知道哪家的路由器为例子,此家的路由器分AC和86型的AP采购进来,之前对此厂家的信息一无所知。

1、首先分析设备:

AC:

拆开此款AC,能够看到一个MT7621A的主控芯片及对应的256M的BGA的DDR和华邦的32M FLASH存储。

并看到一个4pin的间隙为2.0的TTL线的位置。

AP:

拆开此款的86型AP设备,应一个主控为MT7620N的主控芯片,16M的Ztel的DDR和华邦的4M FLASH存储。

此款的TTL线在板子的背面,而且屏蔽了kernel的启动信息,所以这里就没有此系统的启动过程。

2、查看启动信息:

下面的是AC设备接上TTL线能够看到对应的启动信息,具体如下:

===================================================================
                MT7621   stage1 code Mar 12 2015 14:43:30 (ASIC)
                CPU=500000000 HZ BUS=166666666 HZ
==================================================================
Change MPLL source from XTAL to CR...
do MEMPLL setting..
MEMPLL Config : 0x41100000
3PLL mode + External loopback
=== XTAL-40Mhz === DDR-400Mhz ===
PLL3 FB_DL: 0xd, 1/0 = 542/482 35000000
PLL4 FB_DL: 0xe, 1/0 = 586/438 39000000
PLL2 FB_DL: 0x15, 1/0 = 579/445 55000000
do DDR setting..[01F40000]
Apply DDR3 Setting...(use customer AC)
          0    8   16   24   32   40   48   56   64   72   80   88   96  104  11                                                                                        2  120
      --------------------------------------------------------------------------                                                                                        ------
0000:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
0001:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
0002:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
0003:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
0004:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
0005:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
0006:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
0007:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
0008:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
0009:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
000A:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
000B:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
000C:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
000D:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
000E:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
000F:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            1    1
0010:|    1    1    1    1    1    1    1    1    1    1    1    1    1    1                                                                                            1    1
0011:|    1    1    1    1    1    1    1    1    1    1    1    1    1    0                                                                                            0    0
0012:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
0013:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
0014:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
0015:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
0016:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
0017:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
0018:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
0019:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
001A:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
001B:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
001C:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
001D:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
001E:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
001F:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0                                                                                            0    0
DRAMC_DQSCTL1[0e0]=14000000
DRAMC_DQSGCTL[124]=80000000
rank 0 coarse = 16
rank 0 fine = 64
B:|    0    0    0    0    0    0    0    0    0    1    1    1    0    0    0                                                                                            0
opt_dle value:10
DRAMC_DDR2CTL[07c]=C287222D
DRAMC_PADCTL4[0e4]=000022B3
DRAMC_DQIDLY1[210]=0B0A090A
DRAMC_DQIDLY2[214]=07090909
DRAMC_DQIDLY3[218]=0B080A06
DRAMC_DQIDLY4[21c]=0A070B07
DRAMC_R0DELDLY[018]=00004040
==================================================================
                RX      DQS perbit delay software calibration
==================================================================
1.0-15 bit dq delay value
==================================================================
bit|     0  1  2  3  4  5  6  7  8  9
--------------------------------------
0 |    10 9 10 11 9 9 9 7 6 10
10 |    8 11 7 11 7 10
--------------------------------------

==================================================================
2.dqs window
x=pass dqs delay value (min~max)center
y=0-7bit DQ of every group
input delay:DQS0 =64 DQS1 = 64
==================================================================
bit     DQS0     bit      DQS1
0  (1~127)64  8  (1~127)64
1  (1~127)64  9  (2~127)64
2  (1~127)64  10  (1~127)64
3  (1~127)64  11  (1~127)64
4  (2~127)64  12  (1~127)64
5  (1~127)64  13  (1~127)64
6  (1~127)64  14  (1~127)64
7  (1~127)64  15  (1~127)64
==================================================================
3.dq delay value last
==================================================================
bit|    0  1  2  3  4  5  6  7  8   9
--------------------------------------
0 |    10 9 10 11 9 9 9 7 6 10
10 |    8 11 7 11 7 10
==================================================================
==================================================================
     TX  perbyte calibration
==================================================================
DQS loop = 15, cmp_err_1 = ffff0000
dqs_perbyte_dly.last_dqsdly_pass[0]=15,  finish count=1
dqs_perbyte_dly.last_dqsdly_pass[1]=15,  finish count=2
DQ loop=15, cmp_err_1 = ffff0000
dqs_perbyte_dly.last_dqdly_pass[0]=15,  finish count=1
dqs_perbyte_dly.last_dqdly_pass[1]=15,  finish count=2
byte:0, (DQS,DQ)=(8,8)
byte:1, (DQS,DQ)=(8,8)
DRAMC_DQODLY1[200]=88888888
DRAMC_DQODLY2[204]=88888888
20,data:88
[EMI] DRAMC calibration passed

===================================================================
                MT7621   stage1 code done
                CPU=500000000 HZ BUS=166666666 HZ
===================================================================


U-Boot 1.1.3 (Jun 27 2016 - 10:37:27)

Board: Ralink APSoC DRAM:  256 MB
relocate_code Pointer at: 8ffb8000

Config XHCI 40M PLL
flash manufacture id: ef, device id 40 18
find flash: W25Q128BV
*** Warning - bad CRC, using default environment

============================================
Ralink UBoot Version: 4.3.0.0
--------------------------------------------
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection
DRAM_TYPE: DDR3
DRAM bus: 16 bit
Xtal Mode=3 OCP Ratio=1/3
Flash component: SPI Flash
Date:Jun 27 2016  Time:10:37:27
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 880 MHZ ####
 estimate memory size =256 Mbytes
#Reset_MT7530
set LAN/WAN WLLLL

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.
default: 3                                                                                                                                                            0

3: System Boot system code via Flash.
## Booting image at bc050000 ...
   Image Name:   Linux Kernel Image
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    6157391 Bytes =  5.9 MB
   Load Address: 80001000
   Entry Point:  803559d0
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 803559d0) ...
## Giving linux memsize in MB, 256

Starting kernel ...


LINUX started...

 THIS IS ASIC
Linux version 3.10.14 (root@Erick) (gcc version 4.6.3 (Buildroot 2012.11.1) ) #450 SMP Wed Jul 6 17:56:27 CST 2016

 The CPU feqenuce set to 880 MHz
GCMP present
CPU0 revision is: 0001992f (MIPS 1004Kc)
Software DMA cache coherency
Determined physical RAM map:
 memory: 10000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone ranges:
  Normal   [mem 0x00000000-0x0fffffff]
  HighMem  empty
Movable zone start for each node
Early memory node ranges
  node   0: [mem 0x00000000-0x0fffffff]
Detected 3 available secondary CPU(s)
Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
PERCPU: Embedded 7 pages/cpu @81203000 s6720 r8192 d13760 u32768
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 65024
Kernel command line: console=ttyS1,57600n8 root=/dev/ram0 console=ttyS1,57600 root=/dev/ram0 rootfstype=squashfs,jffs2
PID hash table entries: 1024 (order: 0, 4096 bytes)
Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
Writing ErrCtl register=0001e103
Readback ErrCtl register=0001e103
Memory: 249948k/262144k available (3443k kernel code, 12196k reserved, 1654k data, 4432k init, 0k highmem)
Hierarchical RCU implementation.
NR_IRQS:128
console [ttyS1] enabled
Calibrating delay loop... 580.60 BogoMIPS (lpj=1161216)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
Performance counters: mips/1004K PMU enabled, 2 32-bit counters available to each CPU, irq -1 (share with timer interrupt)
launch: starting cpu1
launch: cpu1 gone!
CPU1 revision is: 0001992f (MIPS 1004Kc)
Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
Synchronize counters for CPU 1: done.
launch: starting cpu2
launch: cpu2 gone!
CPU2 revision is: 0001992f (MIPS 1004Kc)
Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
Synchronize counters for CPU 2: done.
launch: starting cpu3
launch: cpu3 gone!
CPU3 revision is: 0001992f (MIPS 1004Kc)
Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
Synchronize counters for CPU 3: done.
Brought up 4 CPUs
devtmpfs: initialized
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
SCSI subsystem initialized
Switching to clocksource MIPS
NET: Registered protocol family 2
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP: reno registered
UDP hash table entries: 256 (order: 1, 8192 bytes)
UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
NET: Registered protocol family 1
4 CPUs re-calibrate udelay(lpj = 1167360)
squashfs: version 4.0 (2009/01/31) Phillip Lougher
NTFS driver 2.1.30 [Flags: R/W DEBUG].
jffs2: version 2.2. (NAND) (SUMMARY)  (ZLIB) (RTIME) (c) 2001-2006 Red Hat, Inc.
fuse init (API version 7.22)
io scheduler noop registered (default)
Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x1e000d00 (irq = 27) is a 16550A
serial8250: ttyS1 at MMIO 0x1e000c00 (irq = 26) is a 16550A
Ralink gpio driver initialized
brd: module loaded
loop: module loaded
flash manufacture id: ef, device id 40 18
W25Q128BV(ef 40180000) (16384 Kbytes)
mtd .name = raspi, .size = 0x01000000 (16M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
Creating 6 MTD partitions on "raspi":
0x000000000000-0x000000030000 : "Bootloader"
0x000000030000-0x000000040000 : "Config"
0x000000040000-0x000000050000 : "Factory"
0x000000050000-0x000000800000 : "Kernel"
0x000000800000-0x000001000000 : "DataBase"
0x000000000000-0x000001000000 : "ALL"
PPP generic driver version 2.4.2
PPP BSD Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
PPTP driver version 0.8.5
rdm_major = 253
netif_napi_add() called with weight 128 on device eth2
GMAC1_MAC_ADRH -- : 0x000078d3
GMAC1_MAC_ADRL -- : 0x8dddbebc
Ralink APSoC Ethernet Driver Initilization. v3.1  1024 rx/tx descriptors allocated, mtu = 1500!
NAPI enable, Tx Ring = 1024, Rx Ring = 1024
GMAC1_MAC_ADRH -- : 0x000078d3
GMAC1_MAC_ADRL -- : 0x8dddbebc
PROC INIT OK!
Ralink APSoC Hardware Watchdog Timer
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (3905 buckets, 15620 max)
ipt_domain 0.0.4 : Platinum, http://platinum.cublog.cn/
xt_time: kernel timezone is -0000
gre: GRE over IPv4 demultiplexor driver
ip_tables: (C) 2000-2006 Netfilter Core Team
Type=Linux
TCP: cubic registered
NET: Registered protocol family 17
l2tp_core: L2TP core driver, V2.0
l2tp_ppp: PPPoL2TP kernel driver, V2.0
8021q: 802.1Q VLAN Support v1.8
Warning: unable to open an initial console.
Freeing unused kernel memory: 4432K (804fc000 - 80950000)
Algorithmics/MIPS FPU Emulator v1.5
jffs2: notice: (120) jffs2_build_xattr_subsystem:  xref (0 dead, 0 orphan) found.
78:FFFFFFD3:FFFFFF8D:FFFFFFDD:FFFFFFBE:FFFFFFBC
Raeth v3.1 (NAPI)

phy_tx_ring = 0x0c678000, tx_ring = 0xac678000

phy_rx_ring0 = 0x0c67c000, rx_ring0 = 0xac67c000
MT7530 Reset Completed!!
change HW-TRAP to 0x15c8f
set LAN/WAN LLLLW
GMAC1_MAC_ADRH -- : 0x000078d3
GMAC1_MAC_ADRL -- : 0x8dddbebc
GDMA2_MAC_ADRH -- : 0x000078d3
GDMA2_MAC_ADRL -- : 0x8dddbebd
eth3: ===> VirtualIF_open
CDMA_CSG_CFG = 81000000
GDMA1_FWD_CFG = 20710000
GDMA2_FWD_CFG = 20710000
device eth2 entered promiscuous mode
eth3: ===> VirtualIF_open
device eth3 entered promiscuous mode
br0: port 2(eth3) entered forwarding state
br0: port 2(eth3) entered forwarding state
br0: port 1(eth2) entered forwarding state
br0: port 1(eth2) entered forwarding state
MTK MSDC device init.
msdc0 -> ================ <- msdc_set_mclk() : L<686> PID<insmod><0x198>
msdc0 -> !!! Set<400KHz> Source<50000KHz> -> sclk<390KHz> <- msdc_set_mclk() : L<687> PID<insmod><0x198>
msdc0 -> ================ <- msdc_set_mclk() : L<688> PID<insmod><0x198>
msdc0 -> ops_get_cd return<1> <- msdc_ops_get_cd() : L<2317> PID<kworker/u8:0><0x6>
mtk-sd: MediaTek MT6575 MSDC Driver
mmc0: mmc_rescan_try_freq: trying to init card at 400000 Hz
msdc0 -> XXX MSDC_INT_SDIOIRQ <- msdc_irq() : L<2393>
msdc0 -> XXX CMD<52> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<52> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<8> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<1> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> set mclk to 0!!! <- msdc_set_mclk() : L<634> PID<kworker/u8:0><0x6>
mmc0: mmc_rescan_try_freq: trying to init card at 300000 Hz
msdc0 -> set mclk to 0!!! <- msdc_set_mclk() : L<634> PID<kworker/u8:0><0x6>
msdc0 -> ================ <- msdc_set_mclk() : L<686> PID<kworker/u8:0><0x6>
msdc0 -> !!! Set<300KHz> Source<50000KHz> -> sclk<297KHz> <- msdc_set_mclk() : L<687> PID<kworker/u8:0><0x6>
msdc0 -> ================ <- msdc_set_mclk() : L<688> PID<kworker/u8:0><0x6>
msdc0 -> XXX CMD<52> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<52> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<8> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<1> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> set mclk to 0!!! <- msdc_set_mclk() : L<634> PID<kworker/u8:0><0x6>
mmc0: mmc_rescan_try_freq: trying to init card at 260000 Hz
msdc0 -> set mclk to 0!!! <- msdc_set_mclk() : L<634> PID<kworker/u8:0><0x6>
msdc0 -> ================ <- msdc_set_mclk() : L<686> PID<kworker/u8:0><0x6>
msdc0 -> !!! Set<260KHz> Source<50000KHz> -> sclk<255KHz> <- msdc_set_mclk() : L<687> PID<kworker/u8:0><0x6>
msdc0 -> ================ <- msdc_set_mclk() : L<688> PID<kworker/u8:0><0x6>
msdc0 -> XXX CMD<52> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<52> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<8> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> XXX CMD<1> MSDC_INT_CMDTMO <- msdc_irq() : L<2461>
msdc0 -> set mclk to 0!!! <- msdc_set_mclk() : L<634> PID<kworker/u8:0><0x6>
Started WatchDog Timer.

br0: port 2(eth3) entered forwarding state
br0: port 1(eth2) entered forwarding state

AC1000 login:


后面有破解出来的密码,用用户名,密码就可以直接登录进入系统了。。

用户名:admin
密码:a1sev5y7c39k


PW300 login: admin
Password: a1sev5y7c39k

3、获取关键性数据:

最后能看到提示符:

AC1000 login:

看到提示符很是欣喜!

但是TTL的输入好像被软件或硬件上给做了屏蔽,此时通过键盘进行输入,失落。。。。

不过从上面的启动信息上,可以看出对应的硬件配置了,flash的分区表也有了。

配置的关键性数据:


mtd分区表的结构:

flash manufacture id: ef, device id 40 18
W25Q128BV(ef 40180000) (16384 Kbytes)
mtd .name = raspi, .size = 0x01000000 (16M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
Creating 6 MTD partitions on "raspi":
0x000000000000-0x000000030000 : "Bootloader"
0x000000030000-0x000000040000 : "Config"
0x000000040000-0x000000050000 : "Factory"
0x000000050000-0x000000800000 : "Kernel"
0x000000800000-0x000001000000 : "DataBase"
0x000000000000-0x000001000000 : "ALL"

对硬件有了基本上的了解,但是无法进行输入,所以也就无法进入下去了,只有拆卸Flash了。

4、无法输入或不知密码后的,拆卸FLASH后的分析步骤:

热风枪吹下来后,将其放置在编程器上读取32Mflash的数据,并将其通过WinSCP上传到ubuntu系统中进行查看;

root@dell-180:/home/leekwen/ac1000# binwalk 7621A-ac1000.bin -v

Scan Time:     2016-12-09 16:32:31
Target File:   /home/leekwen/ac1000/7621A-ac1000.bin
MD5 Checksum:  a4b523383795fa8af2680b29b67604f1
Signatures:    374

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
71368         0x116C8         U-Boot version string, "U-Boot 1.1.3 (Jun 27 2016 - 10:37:27)"
327680        0x50000         uImage header, header size: 64 bytes, header CRC: 0xCEF2FB2F, created: 2016-07-06 09:56:37, image size: 6157391 bytes, Data Address: 0x80001000, Entry Point: 0x803559D0, data CRC: 0x4AB990B5, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
327744        0x50040         LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9701952 bytes
3675222       0x381456        MPEG transport stream data
8388608       0x800000        JFFS2 filesystem, little endian
用binwalk工具查看固件的头文件,看到上面的结果。

此时可以通过windows的winhex提取对应位置上的分区信息,中重要的是rootfs数据。

此时看到的是0x800000位置后的数据为JFFS2的分区数据。

提取后,进行解包即可。但是此时如果结果的数据是CPIO压缩的,建议还是解压到本地目录,否则会覆盖到你的X86的文件系统中,导致你的X86的ubuntu系统崩溃。


此篇文章的主要说明trips:

这里需要说明以下几点:

1、首先用binwalk进行头的分析,然后提取对应的头数据,并在系统中挂载对应的分区;

2、CPIO数据格式的文件,解压时需要注意不要直接解压到X86系统目录,否则会导致X86 ubuntu系统的崩溃;

3、如果是固件只开启的Telnetd服务,系统中也没有curl,nc,wget命令的话,那么传输数据的时候,就只能通过tftp命令了;

4、固件系统的挂载,需要指定对应的格式,mtd分区的挂载需要注意下,与传统的ntfs,fat,ext,LVM等分区的挂载不同;

实例:

mtd分区的挂载:

root@leekwen:/home/leekwen/ac1000/ac_bin# modprobe mtdram total_size=32768 erase_size=64
root@leekwen:/home/leekwen/ac1000/ac_bin# modprobe mtdblock
root@leekwen:/home/leekwen/ac1000/ac_bin# dd if=conf of=/dev/mtdblock0
root@leekwen:/home/leekwen/ac1000/ac_bin# mount -t jffs2 /dev/mtdblock0 /mnt

5、如果固件中的busybox版本比较低,而且命令不全的话,可以去下载对应cpu架构支持的busybox 静态文件,通过tftp上传上去,赋予执行权限后即可使用了。

此MT7621A所用的busybox为busybox-mipsel版本,非busybox-mipse版本的。


经研究发现,7620N 模块中的telnetd服务开启;
端口:23
用户名:admin
密码:a1sev5y7c39k


PW300 login: admin
Password:  a1sev5y7c39k


所以就可以直接用admin及密码登陆了。


开启Win7端的TFTPD服务后,使用tftp命令上传及下载如下实例:

86型AP的架构如下:

# cat /proc/cpuinfo
system type             : Ralink SoC
processor               : 0
cpu model               : MIPS 24Kc V5.0
BogoMIPS                : 386.04
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0ff8, 0x0ff8, 0x0bdb, 0x0ff8]
ASEs implemented        : mips16 dsp
shadow register sets    : 1
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available
下载busybox-mipsel,并放置在tftpd服务器的根目录下,然后在嵌入式系统中运行下面的命令:
# tftp -g -r busybox-mipsel 192.168.1.127
busybox-mipsel       100% |*******************************|  1539k  0:00:00 ETA
# ./busybox-mipsel
BusyBox v1.21.1 (2013-07-08 11:09:23 CDT) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2012.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]...]
   or: busybox --list[-full]
   or: busybox --install [-s] [DIR]
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as.

原来的嵌入式系统中没有的命令,可以通过如下的命令进行创建:

# cp busybox-mipsel /bin/
# ln -s /bin/busybox-mipsel /bin/netstat
# netstat -aln
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0    139 192.168.1.181:23        192.168.1.127:27602     ESTABLISHED
netstat: /proc/net/tcp6: No such file or directory
udp        0      0 0.0.0.0:9090            0.0.0.0:*
udp        0      0 0.0.0.0:63638           0.0.0.0:*
udp        0      0 0.0.0.0:162             0.0.0.0:*
udp        0      0 0.0.0.0:69              0.0.0.0:*
netstat: /proc/net/udp6: No such file or directory
netstat: /proc/net/raw6: No such file or directory
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path

将嵌入式系统中的mtd固件分区打包后,上传到windows中的命令如下:

导出固件:
# fdisk -l

Disk /dev/mtdblock0: 0 MB, 196608 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/mtdblock0 doesn't contain a valid partition table

Disk /dev/mtdblock1: 0 MB, 65536 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/mtdblock1 doesn't contain a valid partition table

Disk /dev/mtdblock2: 0 MB, 65536 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/mtdblock2 doesn't contain a valid partition table

Disk /dev/mtdblock3: 8 MB, 8060928 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/mtdblock3 doesn't contain a valid partition table

Disk /dev/mtdblock4: 8 MB, 8388608 bytes
255 heads, 63 sectors/track, 1 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/mtdblock4 doesn't contain a valid partition table

Disk /dev/mtdblock5: 16 MB, 16777216 bytes
255 heads, 63 sectors/track, 2 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/mtdblock5 doesn't contain a valid partition table


# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00030000 00010000 "Bootloader"
mtd1: 00010000 00010000 "Config"
mtd2: 00010000 00010000 "Factory"
mtd3: 007b0000 00010000 "Kernel"
mtd4: 00800000 00010000 "DataBase"
mtd5: 01000000 00010000 "ALL"


# dd if=/dev/mtdblock3 of=block3
-sh: dd: not found

# ln -s /bin/busybox-mipsel /bin/dd

# dd if=/dev/mtdblock3 of=block3
15744+0 records in
15744+0 records out
8060928 bytes (7.7MB) copied, 3.758830 seconds, 2.0MB/s


# dd if=/dev/mtdblock4 of=block4
16384+0 records in
16384+0 records out
8388608 bytes (8.0MB) copied, 3.925839 seconds, 2.0MB/s


# dd if=/dev/mtdblock5 of=block5
32768+0 records in
32768+0 records out
16777216 bytes (16.0MB) copied, 7.893829 seconds, 2.0MB/s


# busybox-mipsel ls -lh
total 32448
-rw-r--r--    1 admin    admin       7.7M Jan  1 00:23 block3
-rw-r--r--    1 admin    admin       8.0M Jan  1 00:24 block4
-rw-r--r--    1 admin    admin      16.0M Jan  1 00:24 block5


ubuntu分析提取的mtd块数据:

leekwen@leekwen:~/ac1000/mtd$ ls -lh
total 32448
-rw-r--r--    1 leekwen  leekwen     7.7M Dec 13 01:33 block3
-rw-r--r--    1 leekwen  leekwen     8.0M Dec 13 01:34 block4
-rw-r--r--    1 leekwen  leekwen    16.0M Dec 13 01:35 block5
leekwen@leekwen:~/ac1000/mtd$ binwalk block3 -v

Scan Time:     2016-12-13 09:41:53
Target File:   /home/leekwen/ac1000/mtd/block3
MD5 Checksum:  2930b8f9eacd024c8137de1f36ada2a0
Signatures:    374

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC:0xCEF2FB2F, created: 2016-07-06 09:56:37, 
							image size: 6157391 bytes, Data Address: 0x80001000, Entry Point: 0x803559D0, data CRC: 0x4AB990B5,
							OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
64            0x40            LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9701952 bytes
3347542       0x331456        MPEG transport stream data

leekwen@leekwen:~/ac1000/mtd$ binwalk block4 -v

Scan Time:     2016-12-13 09:42:12
Target File:   /home/leekwen/ac1000/mtd/block4
MD5 Checksum:  b9250ddca6f75eb200820e8eb12ef0fe
Signatures:    374

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JFFS2 filesystem, little endian

leekwen@leekwen:~/ac1000/mtd$ binwalk block5 -v

Scan Time:     2016-12-13 09:42:20
Target File:   /home/leekwen/ac1000/mtd/block5
MD5 Checksum:  0279c45881de84827d4eddb780b6cc24
Signatures:    374

DECIMAL  HEXADECIMAL   DESCRIPTION
--------------------------------------------------------------------------------
71368     0x116C8    U-Boot version string, "U-Boot 1.1.3 (Jun 27 2016 - 10:37:27)"
327680    0x50000    uImage header, header size: 64 bytes, header CRC: 0xCEF2FB2F, created: 2016-07-06 09:56:37, 
                         image size: 6157391 bytes, Data Address: 0x80001000, Entry Point: 0x803559D0, data CRC: 0x4AB990B5, 
				         OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
327744    0x50040    LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9701952 bytes
3675222   0x381456   MPEG transport stream data
8388608   0x800000   JFFS2 filesystem, little endian


嵌入式系统中执行上传命令,将打包的mtd分区包上传到windows的tftpd服务器中:
# tftp -p -r mtd.tar.gz 192.168.1.127
mtd.tar.gz           100% |*****************************************|  3910k  0:00:00 ETA
#

6、入门级的就写到这里了,其它的就看自己的linux命令用的如何了。。。


7、其AC与下面的AP通讯用的是SNMP:

日志如下:

通过snmpd进程进行通信
通信日志:
NET-SNMP version 5.6.2 restarted
Received SNMP packet(s) from UDP: [192.168.200.1]:62604->[192.168.200.96]:161
  GET message
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.18.1
Received SNMP packet(s) from UDP: [192.168.200.1]:32450->[192.168.200.96]:161
  GET message
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.18.1
Received SNMP packet(s) from UDP: [192.168.200.1]:15380->[192.168.200.96]:161
  GET message
    -- iso.3.6.1.4.1.33980.100.1.3.1.0
Received SNMP packet(s) from UDP: [192.168.200.1]:15195->[192.168.200.96]:161
  GET message
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.59.1
Received SNMP packet(s) from UDP: [192.168.200.1]:45220->[192.168.200.96]:161
  GET message
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.60.1
Received SNMP packet(s) from UDP: [192.168.200.1]:15945->[192.168.200.96]:161
  GET message
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.61.1
Received SNMP packet(s) from UDP: [192.168.200.1]:2043->[192.168.200.96]:161
  GET message
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.40.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.15.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.16.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.17.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.29.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.30.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.18.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.13.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.20.1
    -- iso.3.6.1.4.1.33980.100.1.3.1.0
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.19.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.10.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.12.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.55.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.56.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.57.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.4.1
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.5.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.26.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.28.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.29.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.22.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.13.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.23.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.24.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.36.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.15.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.40.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.41.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.21.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.10.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.11.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.31.1
Received SNMP packet(s) from UDP: [192.168.200.1]:63905->[192.168.200.96]:161
  GET message
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.3.1
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.3.2
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.3.3
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.3.4
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.4.1
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.4.2
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.4.3
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.4.4
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.2.1
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.2.2
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.2.3
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.2.4
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.10.1
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.10.2
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.10.3
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.10.4
    -- iso.3.6.1.4.1.33980.100.1.3.2.1.3.1
    -- iso.3.6.1.4.1.33980.100.1.3.2.1.3.2
    -- iso.3.6.1.4.1.33980.100.1.3.2.1.3.3
    -- iso.3.6.1.4.1.33980.100.1.3.2.1.3.4
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.7.1
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.7.2
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.7.3
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.7.4
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.8.1
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.8.2
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.8.3
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.8.4
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.9.1
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.9.2
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.9.3
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.9.4
    -- iso.3.6.1.4.1.33980.100.1.4.1.1.3.1
    -- iso.3.6.1.4.1.33980.100.1.4.1.1.3.2
    -- iso.3.6.1.4.1.33980.100.1.4.1.1.3.3
    -- iso.3.6.1.4.1.33980.100.1.4.1.1.3.4
    -- iso.3.6.1.4.1.33980.100.1.4.1.1.2.1
    -- iso.3.6.1.4.1.33980.100.1.4.1.1.2.2
    -- iso.3.6.1.4.1.33980.100.1.4.1.1.2.3
    -- iso.3.6.1.4.1.33980.100.1.4.1.1.2.4
    -- iso.3.6.1.4.1.33980.100.1.4.2.1.3.1
    -- iso.3.6.1.4.1.33980.100.1.4.2.1.3.2
    -- iso.3.6.1.4.1.33980.100.1.4.2.1.3.3
    -- iso.3.6.1.4.1.33980.100.1.4.2.1.3.4
    -- iso.3.6.1.4.1.33980.100.1.4.2.1.2.1
    -- iso.3.6.1.4.1.33980.100.1.4.2.1.2.2
    -- iso.3.6.1.4.1.33980.100.1.4.2.1.2.3
    -- iso.3.6.1.4.1.33980.100.1.4.2.1.2.4
Received SNMP packet(s) from UDP: [192.168.200.1]:16330->[192.168.200.96]:161
  GET message
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.18.1
Received SNMP packet(s) from UDP: [192.168.200.1]:33809->[192.168.200.96]:161
  SET message
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.61.1

urging address from address cache: UDP: [192.168.200.1]:33809->[192.168.200.96]:161Received SNMP packet(s) from UDP: [192.168.200.1]:62614->[192.168.200.96]:161
  GET message
    -- iso.3.6.1.4.1.33980.100.1.3.1.0
Purging address from address cache: UDP: [192.168.200.1]:24740->[192.168.200.96]:161Received SNMP packet(s) from UDP: [192.168.200.1]:45882->[192.168.200.96]:161
  GET message
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.59.1
Purging address from address cache: UDP: [192.168.200.1]:22828->[192.168.200.96]:161Received SNMP packet(s) from UDP: [192.168.200.1]:7701->[192.168.200.96]:161
  GET message
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.60.1
Purging address from address cache: UDP: [192.168.200.1]:40545->[192.168.200.96]:161Received SNMP packet(s) from UDP: [192.168.200.1]:60496->[192.168.200.96]:161
  GET message
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.61.1
Purging address from address cache: UDP: [192.168.200.1]:16535->[192.168.200.96]:161Received SNMP packet(s) from UDP: [192.168.200.1]:26281->[192.168.200.96]:161
  GET message
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.40.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.15.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.16.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.17.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.29.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.30.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.18.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.13.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.20.1
    -- iso.3.6.1.4.1.33980.100.1.3.1.0
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.19.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.10.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.12.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.55.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.56.1
    -- iso.3.6.1.4.1.33980.100.1.1.1.1.57.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.4.1
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.5.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.26.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.28.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.29.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.22.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.13.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.23.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.24.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.36.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.15.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.40.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.41.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.21.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.10.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.11.1
    -- iso.3.6.1.4.1.33980.100.1.2.3.1.31.1
Purging address from address cache: UDP: [192.168.200.1]:64805->[192.168.200.96]:161Received SNMP packet(s) from UDP: [192.168.200.1]:47345->[192.168.200.96]:161
  GET message
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.3.1
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.3.2
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.3.3
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.3.4
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.4.1
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.4.2
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.4.3
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.4.4
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.2.1
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.2.2
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.2.3
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.2.4
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.10.1
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.10.2
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.10.3
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.10.4
    -- iso.3.6.1.4.1.33980.100.1.3.2.1.3.1
    -- iso.3.6.1.4.1.33980.100.1.3.2.1.3.2
    -- iso.3.6.1.4.1.33980.100.1.3.2.1.3.3
    -- iso.3.6.1.4.1.33980.100.1.3.2.1.3.4
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.7.1
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.7.2
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.7.3
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.7.4
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.8.1
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.8.2
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.8.3
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.8.4
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.9.1
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.9.2
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.9.3
    -- iso.3.6.1.4.1.33980.100.1.3.3.1.9.4
    -- iso.3.6.1.4.1.33980.100.1.4.1.1.3.1
    -- iso.3.6.1.4.1.33980.100.1.4.1.1.3.2
    -- iso.3.6.1.4.1.33980.100.1.4.1.1.3.3
    -- iso.3.6.1.4.1.33980.100.1.4.1.1.3.4
    -- iso.3.6.1.4.1.33980.100.1.4.1.1.2.1
    -- iso.3.6.1.4.1.33980.100.1.4.1.1.2.2
    -- iso.3.6.1.4.1.33980.100.1.4.1.1.2.3
    -- iso.3.6.1.4.1.33980.100.1.4.1.1.2.4
    -- iso.3.6.1.4.1.33980.100.1.4.2.1.3.1
    -- iso.3.6.1.4.1.33980.100.1.4.2.1.3.2
    -- iso.3.6.1.4.1.33980.100.1.4.2.1.3.3
    -- iso.3.6.1.4.1.33980.100.1.4.2.1.3.4
    -- iso.3.6.1.4.1.33980.100.1.4.2.1.2.1
    -- iso.3.6.1.4.1.33980.100.1.4.2.1.2.2
    -- iso.3.6.1.4.1.33980.100.1.4.2.1.2.3
    -- iso.3.6.1.4.1.33980.100.1.4.2.1.2.4

上面为自己的一些实际操作过程,以此备份,防止自己遗忘了。。~

原文链接:https://blog.csdn.net/leekwen/article/details/53635462
声明:该文观点仅代表作者本人,转载请注明来自看雪