双层巴士小站


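Downloading the AirPlay Diagnostic Mode Profile

Posted on 2024-03-11 | Category: tutorial

When capturing wireless packets with ATS, encrypted packets cannot be decrypted, and ATS prompts you to install the AirPlay Diagnostic Mode Profile. The profile can be downloaded from the Download Profiles item in the ATS Utilities menu, or directly from the link below. Download link: https://selfcert.apple.com/ATS_Utility/latest_mobileconfig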


Parsing Apple identification information with Python

Posted on 2023-10-19 | Category: tutorial
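from construct import Bytes, GreedyRange, Int16ub, Struct, this

def MessagesSentByAccessory(data):
    # The payload is a list of big-endian 16-bit message IDs; print each in hex.
    d = GreedyRange(Int16ub)
    pkt = d.parse(data)
    for i in pkt:
        print('%04x' % i)
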
idmap = {
    0x0000: {
        'name': 'Name',
        'handler': None
    },
    0x0001: {
        'name': 'ModelIdentifier',
        'handler': None
    },
    0x0002: {
        'name': 'Manufacturer',
        'handler': None
    },
    0x0003: {
        'name': 'SerialNumber',
        'handler': None
    },
    0x0004: {
        'name': 'FirmwareVersion',
        'handler': None
    },
    0x0005: {
        'name': 'HardwareVersion',
        'handler': None
    },
    0x0006: {
        'name': 'MessagesSentByAccessory',
        'handler': MessagesSentByAccessory
    },
    0x0007: {
        'name': 'MessagesReceivedFromDevice',
        'handler': None
    },
    0x0008: {
        'name': 'PowerProvidingCapability',
        'handler': None
    },
    0x0009: {
        'name': 'MaximumCurrentDrawnFromDevice',
        'handler': None
    },
    0x000a: {
        'name': 'SupportedExternalAccessoryProtocol',
        'handler': None
    },
    0x000b: {
        'name': 'AppMatchTeamID',
        'handler': None
    },
    0x000c: {
        'name': 'CurrentLanguage',
        'handler': None
    },
    0x000d: {
        'name': 'SupportedLanguage',
        'handler': None
    },
    0x000e: {
        'name': 'UARTTransportComponent',
        'handler': None
    },
    0x000f: {
        'name': 'USBDeviceTransportComponent',
        'handler': None
    },
    0x0010: {
        'name': 'USBHostTransportComponent',
        'handler': None
    },
    0x0011: {
        'name': 'BluetoothTransportComponent',
        'handler': None
    },
    0x0012: {
        'name': 'iAP2HIDComponent',
        'handler': None
    },
    0x0016: {
        'name': 'LocationInformationComponent',
        'handler': None
    },
    0x0017: {
        'name': 'USBHostHIDComponent',
        'handler': None
    },
    0x001d: {
        'name': 'BluetoothHIDComponent',
        'handler': None
    },
    0x0022: {
        'name': 'ProductPlanUID',
        'handler': None
    },
    0x0014: {
        'name': 'VehicleInformationComponent',
        'handler': None
    },
}

data = bytes([
0x40, 0x40, 0x01, 0xA5, 0x1D, 0x01, 0x00, 0x0F, 0x00, 0x00, 0x56, 0x6F, 0x6C, 0x6B, 0x73, 0x77, 0x61, 0x67, 0x65, 0x6E, 0x00, 0x00, 0x0F, 0x00, 0x01, 0x31, 0x37, 0x47, 0x30, 0x33, 0x35, 0x32, 0x38, 0x30, 0x20, 0x00, 0x00, 0x18, 0x00, 0x02, 0x44, 0x65, 0x73, 0x61, 0x79, 0x20, 0x53, 0x56, 0x20, 0x41, 0x75, 0x74, 0x6F, 0x6D, 0x6F, 0x74, 0x69, 0x76, 0x65, 0x00, 0x00, 0x13, 0x00, 0x03, 0x56, 0x57, 0x5A, 0x36, 0x5A, 0x32, 0x53, 0x30, 0x30, 0x32, 0x38, 0x34, 0x38, 0x30, 0x00, 0x00, 0x09, 0x00, 0x04, 0x30, 0x33, 0x39, 0x31, 0x00, 0x00, 0x0B, 0x00, 0x05, 0x33, 0x36, 0x2E, 0x30, 0x2E, 0x30, 0x00, 0x00, 0x16, 0x00, 0x06, 0xAE, 0x00, 0xAE, 0x02, 0xAE, 0x03, 0xFF, 0xFB, 0x41, 0x54, 0x41, 0x56, 0x41, 0x57, 0x41, 0x59, 0xEA, 0x02, 0x00, 0x12, 0x00, 0x07, 0xAE, 0x01, 0xFF, 0xFA, 0xFF, 0xFC, 0x41, 0x55, 0x41, 0x58, 0xEA, 0x00, 0xEA, 0x01, 0x00, 0x05, 0x00, 0x08, 0x02, 0x00, 0x06, 0x00, 0x09, 0x00, 0x00, 0x00, 0x36, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x00, 0x0D, 0x00, 0x28, 0x00, 0x01, 0x63, 0x6F, 0x6D, 0x2E, 0x76, 0x77, 0x61, 0x67, 0x2E, 0x69, 0x6E, 0x66, 0x6F, 0x74, 0x61, 0x69, 0x6E, 0x6D, 0x65, 0x6E, 0x74, 0x2E, 0x63, 0x61, 0x72, 0x70, 0x6C, 0x61, 0x79, 0x2E, 0x65, 0x78, 0x6C, 0x61, 0x70, 0x00, 0x00, 0x05, 0x00, 0x02, 0x01, 0x00, 0x1F, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x00, 0x0E, 0x00, 0x11, 0x00, 0x01, 0x63, 0x6F, 0x6D, 0x2E, 0x61, 0x70, 0x70, 0x6C, 0x65, 0x2E, 0x70, 0x31, 0x00, 0x00, 0x05, 0x00, 0x02, 0x01, 0x00, 0x1F, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x00, 0x0F, 0x00, 0x11, 0x00, 0x01, 0x63, 0x6F, 0x6D, 0x2E, 0x61, 0x70, 0x70, 0x6C, 0x65, 0x2E, 0x70, 0x32, 0x00, 0x00, 0x05, 0x00, 0x02, 0x01, 0x00, 0x07, 0x00, 0x0C, 0x65, 0x6E, 0x00, 0x00, 0x07, 0x00, 0x0D, 0x65, 0x6E, 0x00, 0x00, 0x0A, 0x00, 0x0D, 0x7A, 0x68, 0x5F, 0x43, 0x4E, 0x00, 0x00, 0x2E, 0x00, 0x10, 0x00, 0x06, 0x00, 0x00, 0x00, 0x1C, 0x00, 0x1B, 0x00, 0x01, 0x54, 0x72, 0x61, 0x6E, 0x73, 0x70, 0x6F, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x70, 0x6F, 0x6E, 0x65, 0x6E, 0x74, 0x4E, 0x61, 0x6D, 0x65, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x05, 
0x00, 0x03, 0x01, 0x00, 0x32, 0x00, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00, 0x2A, 0x00, 0x14, 0x00, 0x01, 0x56, 0x45, 0x48, 0x49, 0x43, 0x4C, 0x45, 0x49, 0x4E, 0x46, 0x4F, 0x43, 0x4F, 0x4D, 0x50, 0x00, 0x00, 0x05, 0x00, 0x02, 0x00, 0x00, 0x0F, 0x00, 0x06, 0x56, 0x6F, 0x6C, 0x6B, 0x73, 0x77, 0x61, 0x67, 0x65, 0x6E, 0x00, 0x00, 0x23, 0x00, 0x16, 0x00, 0x06, 0x00, 0x00, 0x00, 0x29, 0x00, 0x15, 0x00, 0x01, 0x4C, 0x4F, 0x43, 0x41, 0x54, 0x49, 0x4F, 0x4E, 0x49, 0x4E, 0x46, 0x4F, 0x43, 0x4F, 0x4D, 0x50, 0x00, 0x00, 0x04, 0x00, 0x14])

#data = bytes.fromhex('404000E31D01000E000051756269692050726F00000C00014D4B5051532D5700001000024D616B74617220496E632E00001500034230373033323130323036413030433500000A0004312E302E3300000A0005312E302E3100000A0006AE00AE02AE0300060007AE010005000802000600090000002C000A000500000000180001636F6D2E6D616B7461722E717562696970726F000005000201000600030000000F000B4E4C354837544B475645000007000C656E000007000D656E0000260010000600000000001800014C696768746E696E6720436F6E6E6563746F72000004000268')
#data = bytes.fromhex('404000E21D02000E0000636F6F6C6275696C6400000E0001636F6F6C6275696C6400000E0002636F6F6C6275696C6400000E0003636F6F6C6275696C640000120004636F6F6C6275696C642D312E300000080005312E3000000A0006AE00AE02AE0300060007AE0100050008020006000900000007000C656E000007000D656E00002C000A000500000000180001636F6D2E6D616B7461722E717562696970726F000005000201000600030000000F000B4E4C354837544B4756450000260010000600000000001800014C696768746E696E6720436F6E6E6563746F720000040002BE')

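# Outer message header: 2-byte magic, total length (header included), message ID.
message_format = Struct(
    "magic" / Bytes(2),
    "length" / Int16ub,
    "id" / Int16ub,
    "data" / Bytes(this.length - 6)
)

# Each parameter: total length (including this 4-byte header), parameter ID, payload.
param_format = Struct(
    "length" / Int16ub,
    "id" / Int16ub,
    "data" / Bytes(this.length - 4)
)

msg = message_format.parse(data)
params = msg.data

# Walk the parameters back to back until the message body is consumed.
while params:
    param = param_format.parse(params)
    params = params[param.length:]
    if param.id in idmap:
        print('======%s======' % idmap[param.id]['name'])
        print(param.data)
        handler = idmap[param.id]['handler']
        if handler is not None:
            handler(param.data)
    else:
        print('=====> %d' % param.id)
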

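Converting Beagle 480 capture data to a pcap file

Posted on 2023-08-27 | Category: tutorial

USB NCM data captured with the Beagle 480 is hard to analyze directly. Here the packets captured by the Beagle 480 are first exported to a CSV file (make sure the data column is checked). The script below strips the NTH16 header and the NDP header from each NCM packet, extracts all NDP entries of that NCM packet, merges them together, and forms one Ethernet frame. Finally, all Ethernet frames are written to a pcap file, which can then be opened in Wireshark.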

import re
from csv import reader

import scapy.all as scapy
from construct import Bytes, Int16ul, Struct

def ncm_extract_payload(data):
    payload = bytearray()
    nth_format = Struct(
        "magic" / Bytes(4),
        "header_length" / Int16ul,
        "seq" / Int16ul,
        "block_length" / Int16ul,
        "fp_index" / Int16ul,
    )
    
    ndp_format = Struct(
        "magic" / Bytes(4),
        "length" / Int16ul,
        "next_ndp_index" / Int16ul
    )
    
    entry_format = Struct(
        "index" / Int16ul,
        "length" / Int16ul
    )
    
    nth16 = nth_format.parse(data)
    # fp_index is the offset of the first NDP16 within the block.
    offset = nth16.fp_index
    if len(data) == 116:
        print('====> %d' % offset)

    # Follow the NDP16 chain; a next_ndp_index of 0 ends it.
    while True:
        ndp16 = ndp_format.parse(data[offset:])
        # Entries are 4 bytes each and follow the 8-byte NDP16 header.
        num_entries = (ndp16.length - 8) // 4
        offset += 8
        for i in range(num_entries):
            entry = entry_format.parse(data[offset:])
            offset += 4
            # A zero index or length marks the terminating entry.
            if entry.length > 0 and entry.index > 0:
                payload += data[entry.index: entry.index + entry.length]

        offset = ndp16.next_ndp_index
        if offset == 0:
            break

    print('%d %d %d' % (len(data), len(payload), num_entries))
    return payload


def parse_ts(text):
    # Timestamp column, read as minutes:seconds.milliseconds.microseconds
    m = re.match(r'(\d+):(\d+)\.(\d+)\.(\d+)', text)
    if m is None:
        return 0

    minutes, seconds, millis, micros = m.groups()
    return round(float(minutes) * 60 + float(seconds) +
                 float(millis) / 1000.0 + float(micros) / 1000000.0, 6)

packets = []

# out.csv is the Beagle 480 CSV export with the data column included.
with open('out.csv', 'r', newline='') as fp:
    for row in reader(fp):
        # Skip blank rows and the '#' comment rows of the export.
        if not row or not row[0] or row[0][0] == '#':
            continue
        # Skip records flagged with an error.
        if row[6] != '':
            continue
        # Keep only device address 02, endpoint 02.
        if row[7] != '02' or row[8] != '02':
            continue

        ts = parse_ts(row[3])
        data = bytes.fromhex(row[10].strip())
        if len(data) == 0:
            continue
        payload = ncm_extract_payload(data)
        frame = scapy.Ether(bytes(payload))
        frame.time = ts  # carry the capture timestamp into the pcap record
        packets.append(frame)

scapy.wrpcap("output.pcap", packets)
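
The NTB16 walk described above, as an added example that is not part of the original post: a standard-library-only parser that checks every offset against the block bounds, rejects looping NDP16 chains, and goes one step further by returning each datagram entry as its own frame (in the CDC NCM layout each entry points to one Ethernet frame). The function names and the sample block are constructed for illustration.

```python
import struct

NTH16_SIG = b"NCMH"                # NTH16 signature
NDP16_SIGS = (b"NCM0", b"NCM1")    # NDP16 without / with CRC

def ntb16_datagrams(ntb):
    """Return the datagrams of one NTB16 block; ValueError if malformed."""
    if len(ntb) < 12:
        raise ValueError("block shorter than NTH16")
    sig, hdr_len, _seq, block_len, ndp_index = struct.unpack_from("<4sHHHH", ntb, 0)
    if sig != NTH16_SIG or hdr_len != 12 or block_len > len(ntb):
        raise ValueError("bad NTH16 header")
    end = block_len or len(ntb)    # wBlockLength 0: block ends with the transfer
    frames, seen, offset = [], set(), ndp_index
    while offset:
        if offset in seen:
            raise ValueError("NDP16 chain loops")
        seen.add(offset)
        if offset + 8 > end:
            raise ValueError("NDP16 header out of bounds")
        sig, ndp_len, next_ndp = struct.unpack_from("<4sHH", ntb, offset)
        if sig not in NDP16_SIGS or ndp_len < 8 or offset + ndp_len > end:
            raise ValueError("bad NDP16 header")
        for pos in range(offset + 8, offset + ndp_len - 3, 4):
            index, length = struct.unpack_from("<HH", ntb, pos)
            if index == 0 or length == 0:
                break              # terminating entry
            if index + length > end:
                raise ValueError("datagram out of bounds")
            frames.append(bytes(ntb[index:index + length]))
        offset = next_ndp
    return frames

def build_sample():
    """Constructed NTB16: NTH16 + one NDP16 + two dummy 14-byte Ethernet headers."""
    f1 = bytes.fromhex("ffffffffffff0200000000010800")
    f2 = bytes.fromhex("0200000000010200000000020806")
    nth = struct.pack("<4sHHHH", b"NCMH", 12, 0, 60, 12)
    ndp = struct.pack("<4sHH", b"NCM0", 20, 0)
    ndp += struct.pack("<6H", 32, 14, 46, 14, 0, 0)   # two entries + terminator
    return nth + ndp + f1 + f2

if __name__ == "__main__":
    for frame in ntb16_datagrams(build_sample()):
        print(len(frame), frame.hex())
```
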

Resolving stack backtraces with addr2line

Posted on 2023-08-26 | Category: tutorial

On Android:

prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.8/bin/arm-linux-androideabi-addr2line -C -f -e out/target/product/<xxxx>/obj/EXECUTABLES/<yyyy>_intermediates/LINKED/<yyyy> <function address>

On buildroot (the unstripped binary must be kept at build time):

buildroot/prebuilts/uclibc-6.5.0/bin/arm-buildroot-linux-uclibcgnueabihf-addr2line -C -f -e output/build/<yyyy>/<yyyy>.nostrip <function address>

Formatting a partition

Posted on 2023-08-24 | Category: tutorial
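mkfs_jffs2() {
        # Erase-block size (hex, third column of /proc/mtd) of the rootfs_data partition
        local erase_block=$(/bin/cat /proc/mtd | /bin/grep "$(basename /dev/by-name/rootfs_data)" | /usr/bin/awk '{print $3}')
        # Build an empty JFFS2 image from a directory that contains only tmp/
        /bin/mkdir -p /tmp/jffs2.dir/tmp
        mkfs.jffs2 -p -e 0x${erase_block} -d /tmp/jffs2.dir \
                -o /tmp/jffs2.img >/dev/null || return 1
        # Write the image over the partition, then clean up
        /bin/dd if=/tmp/jffs2.img of=/dev/by-name/rootfs_data || return 1
        /bin/rm -rf /tmp/jffs2.img /tmp/jffs2.dir
}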

mkfs_jffs2

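APK repack-and-sign script

Posted on 2023-08-18 | Category: tutorial

Unpack the APK into the test folder; after replacing the .so files inside the APK, use this script to quickly repack and sign it.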

rm -f test.apk
(cd test && zip -0 -D -r ../test.apk . *)
java -jar signapk.jar testkey.x509.pem testkey.pk8 test.apk out.apk

Next Theme Tutorial

Posted on 2017-07-20 | Category: tutorial
NexT is a high quality elegant Jekyll theme ported from Hexo Next. It is crafted from scratch, with love.