mailto:wangkai0351@gmail.com
【未經同意禁止轉載】
釘釘智能指紋考勤機M1s,支持指紋、WIFI、藍牙、GPS四種考勤方式,並且可實時查看考勤數據,自動生成考勤報表,告別人工核算,數據雲端存儲不易丟失。
1. 固件脆弱性分析
1.1 固件文件提取
1.1.1 固件文件提取方法
a. 直接讀取spi flash芯片中的數據
b. 串口訪問設備(使用boot命令upload)
c. 固件在線升級
1.2 固件文件升級
a.
1 binwalk 2018_5_20.bin 2 3 DECIMAL HEXADECIMAL DESCRIPTION 4 -------------------------------------------------------------------------------- 5 135388 0x210DC Unix path: /usr/local/lib 6 136444 0x214FC Unix path: /dev/uart/0 7 136784 0x21650 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./heap_alloc_caps.c 8 137592 0x21978 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./ipc.c 9 138316 0x21C4C Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./intr_alloc.c 10 151420 0x24F7C Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/newlib/./locks.c 11 153984 0x25980 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/nvs_flash/src/nvs_pagemanager.cpp 12 154936 0x25D38 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/tcpip_adapter/./tcpip_adapter_lwip.c 13 158188 0x269EC Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/main/./bravo.c 14 158608 0x26B90 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/main/../embedded/dingtalk/base/dt_log.c 15 160212 0x271D4 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/driver/./rtc_module.c 16 162508 0x27ACC Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./crosscore_int.c 17 163212 0x27D8C Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./phy_init.c 18 164840 0x283E8 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/fingerprint/./fingerprint.c 19 168032 0x29060 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/fingerprint/./fingerprint_helper.c 20 170560 0x29A40 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/fingerprint/./userIdpool.c 21 172452 0x2A1A4 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/hardware/./alc5660.c 22 173328 0x2A510 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/hardware/./fd650b.c 23 173548 0x2A5EC Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/hardware/./gpio_helper..c 24 173720 0x2A698 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/hardware/./pcf8563.c 25 174092 0x2A80C Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/logcache/./dt_log_fireeye.c 26 174372 0x2A924 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/logcache/./dt_log_flash.c 27 177628 0x2B5DC Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/root/./dt_device.c 28 178748 0x2BA3C Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/root/./dt_fingerprint.c 29 180436 0x2C0D4 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/root/./dt_root.c 30 184596 0x2D114 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/root/./dt_coredump_upload.c 31 185312 0x2D3E0 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/wifi/./wifi.c 32 192984 0x2F1D8 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/main/../embedded/dingtalk/lwp/dt_lwp_response.c 33 199756 0x30C4C Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/main/../embedded/dingtalk/lwp/dt_lwp_mid.c 34 429436 0x68D7C Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/app_update/./esp_ota_ops.c 35 430192 0x69070 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/ble/./dt_ble.c 36 432240 0x69870 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/ble/./dt_npc.c 37 433612 0x69DCC Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/device/controller.c 38 434636 0x6A1CC Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/hci/hci_layer.c 39 435060 0x6A374 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/hci/hci_packet_factory.c 40 435564 0x6A56C Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/hci/packet_fragmenter.c 41 436272 0x6A830 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/osi/fixed_queue.c 42 436516 0x6A924 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/osi/future.c 43 468964 0x727E4 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/stack/btu/btu_task.c 44 491312 0x77F30 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/stack/l2cap/l2c_api.c 45 502756 0x7ABE4 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/stack/l2cap/l2c_fcr.c 46 534680 0x82898 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/bta/dm/bta_dm_pm.c 47 540096 0x83DC0 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/bta/sys/bta_sys_main.c 48 540940 0x8410C Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/btcore/bdaddr.c 49 541200 0x84210 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/gki/gki_buffer.c 50 555132 0x8787C Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/stack/btm/btm_ble_bgconn.c 51 590680 0x90358 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/device/interop.c 52 592260 0x90984 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/driver/./i2c.c 53 593324 0x90DAC Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/driver/./i2s.c 54 596092 0x9187C Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/driver/./uart.c 55 598004 0x91FF4 SHA256 hash constants, little endian 56 600212 0x92894 PEM RSA private key 57 600276 0x928D4 PEM EC private key 58 603708 0x9363C PEM certificate 59 644556 0x9D5CC PEM RSA private key 60 646264 0x9DC78 PEM certificate 61 647476 0x9E134 PEM RSA private key 62 649184 0x9E7E0 PEM certificate 63 650400 0x9ECA0 PEM RSA private key 64 652184 0x9F398 PEM certificate 65 653492 0x9F8B4 PEM certificate 66 662104 0xA1A58 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/freertos/./heap_regions.c 67 662296 0xA1B18 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/freertos/./queue.c 68 663168 0xA1E80 Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/freertos/./timers.c 69 663532 0xA1FEC Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/freertos/./ringbuf.c 70 6426992 0x621170 Unix path: /dev/uart/0
直接拖入IDA Pro V6.8
strings工具得到該固件編譯過程中include 的一些c語言代碼文件的路徑和文件名如下
ESP32 有 3 個 UART 接口,即 UART0、UART1 和 UART2。
查閱《ESP32 技術規格書》版本2.1可知
U0RXD 40 號引腳
U0TXD 41 號引腳
U1RXD 28 號引腳
U1TXD 29 號引腳
U2RXD 25 號引腳
U2TXD 27 號引腳
到PCB上看看,這三對引腳有沒有露出來,如果有任意一對引腳引到了PCB的焊盤上,那么很可能就是這個PCB的串口調試端口。