TVT固件加解密分析教学文档<\/h3>

1. 固件结构分析<\/h4>

工具<\/strong>：binwalk<\/code> 关键信息<\/strong>：<\/p>

uImage<\/strong>：Uboot引导的Legacy格式内核镜像，未压缩，加载地址0x80008000<\/code>，入口点0x80008000<\/code>。头部CRC：0xFDB88F62<\/code>，数据CRC：0x2E36A415<\/code>。<\/li> 内核版本：Linux-4.9.37<\/code>，ARM架构。<\/li> <\/ul> <\/li> 文件系统<\/strong>：SquashFS 4.0，XZ压缩，块大小1MB<\/code>，创建时间2023-02-08<\/code>。分区布局： 0x0-0xE0000<\/code>：Uboot（896KB）<\/li> 0xE0000-0x300000<\/code>：Kernel（2176KB）<\/li> 0x300000-0x1A00000<\/code>：SquashFS（23MB）<\/li> 其他分区：config<\/code>（4MB）、log<\/code>（2MB）。<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ul> 内核启动参数<\/strong>：<\/p> mem=<\/span>179M console=<\/span>ttyAMA0,115200 root=<\/span>\/dev\/mtdblock2 rootfstype=<\/span>squashfs mtdparts=<\/span>hi_sfc:896K(<\/span>boot)<\/span>,2176K(<\/span>nva010000)<\/span>,23M(<\/span>app)<\/span>,4M(<\/span>config)<\/span>,2M(<\/span>log)<\/span> <\/span><\/span><\/code><\/pre> 2. XZ压缩格式与TVT定制修改<\/h4> 标准XZ结构<\/strong>：<\/p> Stream Header<\/strong>：Magic FD 37 7A 58 5A 00<\/code> + CRC校验。<\/li> Block<\/strong>：压缩数据块，含LZMA算法参数。<\/li> Stream Footer<\/strong>：Magic 59 5A<\/code> + CRC校验。<\/li> <\/ul> TVT定制修改<\/strong>：<\/p> 替换Magic<\/strong>：标准XZ头被替换为TVT头 E2 74 56 74 00 50 4B 47 B3 E3 00<\/code>。<\/li> 尾部修改<\/strong>：标准Footer替换为 05 C5 00 74 56 74 5E 00<\/code>。<\/li> 校验逻辑<\/strong>：CRC校验仍使用标准XZ算法，但数据范围调整。<\/li> <\/ul> 解密步骤<\/strong>：<\/p> 修复XZ头<\/strong>： def<\/span> repair_xz<\/span>(input_file): <\/span><\/span> with<\/span> open(input_file, 'rb'<\/span>) as<\/span> f: <\/span><\/span> data =<\/span> f.<\/span>read() <\/span><\/span> tvt_header =<\/span> b<\/span>'<\/span>\xE2\x74\x56\x74\x00\x50\x4B\x47\xB3\xE3\x00<\/span>'<\/span> <\/span><\/span> xz_header =<\/span> b<\/span>'<\/span>\xFD\x37\x7A\x58\x5A\x00<\/span>'<\/span> <\/span><\/span> repaired =<\/span> xz_header +<\/span> data[len(tvt_header):] <\/span><\/span> return<\/span> repaired <\/span><\/span><\/code><\/pre><\/li> 修复XZ尾<\/strong>：替换尾部为 YZ<\/code>。<\/li> <\/ol> 3. 内核解压与逆向<\/h4> 工具<\/strong>：vmlinux-to-elf<\/code> 步骤<\/strong>：<\/p> 提取vmlinux<\/strong>：使用Qiling模拟执行decompress_kernel<\/code>函数，解密内存中的XZ数据。<\/li> 保存解压后的内核到文件（如vmlinux_qiling<\/code>）。<\/li> <\/ul> <\/li> 转换为ELF<\/strong>： python3 vmlinux_to_elf.py vmlinux_qiling vmlinux.elf <\/span><\/span><\/code><\/pre><\/li> IDA分析<\/strong>：加载vmlinux.elf<\/code>，基地址设为0x80008000<\/code>。<\/li> <\/ol> 关键函数<\/strong>：<\/p> dec_main<\/code>：XZ解压主逻辑，处理Stream Header\/Block\/Footer。<\/li> xz_crc32<\/code>：CRC校验表初始化（多项式0xEDB88320<\/code>）。<\/li> <\/ul> 4. 文件系统解包与打包<\/h4> 解包工具<\/strong>：unsquashfs<\/code>（需打补丁支持TVT头）补丁逻辑<\/strong>：<\/p> 修改xz_wrapper.c<\/code>，在压缩时插入TVT头尾： memcpy(new_buff, "<\/span>\xE2\x74\x56\x74\x00<\/span>"<\/span>, 5<\/span>); \/\/ TVT头 <\/span><\/span><\/span><\/span>memcpy(new_buff +<\/span> new_size -<\/span> 8<\/span>, "<\/span>\x05\xC5\x00\x74\x56\x74\x5E<\/span>"<\/span>, 8<\/span>); \/\/ TVT尾 <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ul> 打包步骤<\/strong>：<\/p> 使用修改后的mksquashfs<\/code>： mksquashfs rootfs squashfs_new.xz -comp xz <\/span><\/span><\/code><\/pre><\/li> 合并固件： dd if<\/span>=<\/span>squashfs_new.xz of=<\/span>firmware.bin bs=<\/span>1<\/span> seek=<\/span>3145728<\/span> conv=<\/span>notrunc <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5. 植入后门（理论方案）<\/h4> 限制<\/strong>：<\/p> 固件校验：文件大小\/CRC校验严格，直接修改易触发失败。<\/li> 工具缺失：固件中删除nc<\/code>、wget<\/code>等传输工具。<\/li> <\/ul> 可行方案<\/strong>：<\/p> 替换二进制<\/strong>：编译静态链接的BusyBox，替换\/bin\/ping<\/code>。<\/li> 通过Web接口触发命令执行。<\/li> <\/ul> <\/li> NFS注入<\/strong>：修改服务二进制（如\/usr\/bin\/httpd<\/code>），插入汇编代码加载外部脚本。<\/li> <\/ul> <\/li> <\/ol> 6. 关键工具与代码<\/h4> binwalk<\/strong>：固件结构分析。<\/li> Qiling<\/strong>：模拟执行解密逻辑。<\/li> vmlinux-to-elf<\/strong>：内核转换工具。<\/li> xz-embedded<\/strong>：XZ算法源码（下载链接<\/a>）。<\/li> <\/ul> 参考链接<\/strong>：<\/p> TVT固件解密工具<\/a><\/li> SquashFS逆向<\/a><\/li> <\/ul> 总结<\/strong>：TVT固件通过修改XZ头尾实现加密，需定制工具解包\/打包。内核和文件系统均需修复Magic字段，逆向时注意CRC校验和内存布局。<\/p>