import subprocess,lzma import struct,os from npk import NovaPackage,NpkPartID,NpkFileContainer def patch_bzimage(data:bytes,key_dict:dict): PE_TEXT_SECTION_OFFSET = 414 HEADER_PAYLOAD_OFFSET = 584 HEADER_PAYLOAD_LENGTH_OFFSET = HEADER_PAYLOAD_OFFSET + 4 text_section_raw_data = struct.unpack_from(' /dev/null | sed -n '11p' stdout,_ = run_shell_command(f"debugfs {dev} -R 'stat {file}' 2> /dev/null | sed -n '11p' ") #(0-11):1592-1603, (IND):1173, (12-15):1604-1607, (16-26):1424-1434 blocks_info = stdout.decode().strip().split(',') blocks = [] ind_block_id = None for block_info in blocks_info: _tmp = block_info.strip().split(':') if _tmp[0].strip() == '(IND)': ind_block_id = int(_tmp[1]) else: id_range = _tmp[0].strip().replace('(','').replace(')','').split('-') block_range = _tmp[1].strip().replace('(','').replace(')','').split('-') blocks += [id for id in range(int(block_range[0]),int(block_range[1])+1)] print(f' blocks : {len(blocks)} ind_block_id : {ind_block_id}') #sudo debugfs /dev/nbd0p1 -R 'cat boot/initrd.rgz' > data data,stderr = run_shell_command(f"debugfs {dev} -R 'cat {file}' 2> /dev/null") new_data = patch_kernel(data,key_dict) print(f'write block {len(blocks)} : [',end="") with open(dev,'wb') as f: for index,block_id in enumerate(blocks): print('#',end="") f.seek(block_id*BLOCK_SIZE) f.write(new_data[index*BLOCK_SIZE:(index+1)*BLOCK_SIZE]) f.flush() print(']') def patch_initrd_xz(initrd_xz:bytes,key_dict:dict,ljust=True): initrd = lzma.decompress(initrd_xz) new_initrd = initrd for old_public_key,new_public_key in key_dict.items(): if old_public_key in new_initrd: print(f'initrd public key patched {old_public_key[:16].hex().upper()}...') new_initrd = new_initrd.replace(old_public_key,new_public_key) new_initrd_xz = lzma.compress(new_initrd,check=lzma.CHECK_CRC32,filters=[{"id": lzma.FILTER_LZMA2, "preset": 9,}] ) if ljust: assert len(new_initrd_xz) <= len(initrd_xz),'new initrd xz size is too big' print(f'new initrd xz size:{len(new_initrd_xz)}') 
# Tail of patch_initrd_xz, whose definition starts on the previous line.
# NOTE(review): nesting is reconstructed from statement order (prints and padding
# under `if ljust:`, `return` at function level) -- confirm against the original file.
        print(f'old initrd xz size:{len(initrd_xz)}')
        print(f'ljust size:{len(initrd_xz)-len(new_initrd_xz)}')
        # Pad with NUL bytes so the recompressed stream is exactly as long as
        # the stream it replaces.
        new_initrd_xz = new_initrd_xz.ljust(len(initrd_xz),b'\0')
    return new_initrd_xz


def find_7zXZ_data(data:bytes):
    """Return the bytes of *data* lying between an XZ header marker and an XZ footer marker.

    The header marker is the 8-byte sequence ``FD 37 7A 58 5A 00 00 01`` and
    the footer marker is the 7-byte sequence ``00 00 00 00 01 59 5A``.
    Prints the selected offset and size. If neither marker occurs in *data*,
    the loops do not run and the returned slice is empty.
    """
    offset1 = 0
    _data = data
    # Each pass adds the position just past the next header marker to offset1
    # and then re-slices the remaining buffer by that accumulated value.
    # NOTE(review): because the slice uses the accumulated offset rather than
    # the position of the match, which occurrence is selected depends on how
    # the markers are spaced -- verify before relying on a specific stream.
    while b'\xFD7zXZ\x00\x00\x01' in _data:
        offset1 = offset1 + _data.index(b'\xFD7zXZ\x00\x00\x01') + 8
        _data = _data[offset1:]
    # Step back over the 8 marker bytes so the slice starts at the header.
    offset1 -= 8
    offset2 = 0
    _data = data
    # Same scan for the footer marker; offset2 ends just past the marker.
    while b'\x00\x00\x00\x00\x01\x59\x5A' in _data:
        offset2 = offset2 + _data.index(b'\x00\x00\x00\x00\x01\x59\x5A') + 7
        _data = _data[offset2:]
    print(f'found 7zXZ data offset:{offset1} size:{offset2-offset1}')
    return data[offset1:offset2]


def patch_elf(data: bytes,key_dict:dict):
    """Return *data* with its embedded XZ stream swapped for the rewritten one.

    The stream is located with find_7zXZ_data and rewritten by
    patch_initrd_xz using *key_dict*; ``bytes.replace`` substitutes every
    occurrence of the original stream.
    """
    # NOTE(review): key_dict appears to map public keys stored inside the image
    # to replacements. A check that trusts keys read from the same writable
    # image cannot notice this substitution; integrity has to be anchored
    # outside the image (vendor-published digest, verified boot).
    initrd_xz = find_7zXZ_data(data)
    new_initrd_xz = patch_initrd_xz(initrd_xz,key_dict)
    return data.replace(initrd_xz,new_initrd_xz)


def patch_pe(data: bytes,key_dict:dict):
    """Return *data* with the XZ stream nested inside its outer XZ stream rewritten.

    The outer stream found by find_7zXZ_data is decompressed, the first inner
    XZ stream in the result is rewritten by patch_initrd_xz, and the result is
    recompressed and NUL-padded to the length of the original outer stream.

    Raises:
        AssertionError: if the recompressed outer stream is longer than the
            original one.
        ValueError: from ``bytes.index`` if the decompressed data holds no
            header or footer marker.
    """
    vmlinux_xz = find_7zXZ_data(data)
    vmlinux = lzma.decompress(vmlinux_xz)
    # The inner stream runs from the first header marker to the end of the
    # first footer marker that follows it (7 = footer marker length).
    initrd_xz_offset = vmlinux.index(b'\xFD7zXZ\x00\x00\x01')
    initrd_xz_size = vmlinux[initrd_xz_offset:].index(b'\x00\x00\x00\x00\x01\x59\x5A') + 7
    initrd_xz = vmlinux[initrd_xz_offset:initrd_xz_offset+initrd_xz_size]
    new_initrd_xz = patch_initrd_xz(initrd_xz,key_dict)
    new_vmlinux = vmlinux.replace(initrd_xz,new_initrd_xz)
    new_vmlinux_xz = lzma.compress(new_vmlinux,check=lzma.CHECK_CRC32,filters=[{"id": lzma.FILTER_LZMA2, "preset": 9,}] )
    # NOTE: `assert` is skipped under `python -O`; without it a longer stream
    # would pass through ljust unchanged and alter the length of the output.
    assert len(new_vmlinux_xz) <= len(vmlinux_xz),'new vmlinux xz size is too big'
    print(f'new vmlinux xz size:{len(new_vmlinux_xz)}')
    print(f'old vmlinux xz size:{len(vmlinux_xz)}')
    print(f'ljust size:{len(vmlinux_xz)-len(new_vmlinux_xz)}')
    # Keep the container the same size by padding the shorter stream with NULs.
    new_vmlinux_xz = new_vmlinux_xz.ljust(len(vmlinux_xz),b'\0')
    new_data = data.replace(vmlinux_xz,new_vmlinux_xz)
    return new_data


def patch_netinstall(key_dict: dict,input_file,output_file=None):
    # Only the opening statements of this function are on this line; the rest
    # of its body follows on the next line.
    # The whole file is read into memory; the file object is not closed explicitly.
    netinstall = open(input_file,'rb').read()
    # b'MZ' is the magic at the start of a DOS/PE executable.
    if netinstall[:2] == b'MZ':
        # check_install_package comes from the project-local `package` module.
        # NOTE(review): presumably it installs pefile when missing; an unpinned
        # on-demand install takes whatever version the index serves -- confirm.
        from package import check_install_package
        check_install_package(['pefile'])
        import pefile
        # Table keyed by integer id; the entries continue on the next line.
        ROUTEROS_BOOT = {
129:{'arch':'power','name':'Powerboot'}, 130:{'arch':'e500','name':'e500_boot'}, 131:{'arch':'mips','name':'Mips_boot'}, 135:{'arch':'400','name':'440__boot'}, 136:{'arch':'tile','name':'tile_boot'}, 137:{'arch':'arm','name':'ARM__boot'}, 138:{'arch':'mmips','name':'MMipsBoot'}, 139:{'arch':'arm64','name':'ARM64__boot'}, 143:{'arch':'x86_64','name':'x86_64boot'} } with pefile.PE(input_file) as pe: for resource in pe.DIRECTORY_ENTRY_RESOURCE.entries: if resource.id == pefile.RESOURCE_TYPE["RT_RCDATA"]: for sub_resource in resource.directory.entries: if sub_resource.id in ROUTEROS_BOOT: bootloader = ROUTEROS_BOOT[sub_resource.id] print(f'found {bootloader["arch"]}({sub_resource.id}) bootloader') rva = sub_resource.directory.entries[0].data.struct.OffsetToData size = sub_resource.directory.entries[0].data.struct.Size data = pe.get_data(rva,size) _size = struct.unpack(' 0: for package in npk._packages: patch_npk_package(package,key_dict) else: patch_npk_package(npk,key_dict) npk.sign(kcdsa_private_key,eddsa_private_key) npk.save(output_file or input_file) if __name__ == '__main__': import argparse,os parser = argparse.ArgumentParser(description='MikroTik patcher') subparsers = parser.add_subparsers(dest="command") npk_parser = subparsers.add_parser('npk',help='patch and sign npk file') npk_parser.add_argument('input',type=str, help='Input file') npk_parser.add_argument('-O','--output',type=str,help='Output file') kernel_parser = subparsers.add_parser('kernel',help='patch kernel file') kernel_parser.add_argument('input',type=str, help='Input file') kernel_parser.add_argument('-O','--output',type=str,help='Output file') block_parser = subparsers.add_parser('block',help='patch block file') block_parser.add_argument('dev',type=str, help='block device') block_parser.add_argument('file',type=str, help='file path') netinstall_parser = subparsers.add_parser('netinstall',help='patch netinstall file') netinstall_parser.add_argument('input',type=str, help='Input file') 
# Continuation of the `if __name__ == '__main__':` block opened on the previous line.
    netinstall_parser.add_argument('-O','--output',type=str,help='Output file')
    args = parser.parse_args()
    # Map each original public key to its replacement. All values are hex
    # strings taken from the environment: a missing variable raises KeyError
    # and a non-hex value raises ValueError.
    key_dict = {
        bytes.fromhex(os.environ['MIKRO_LICENSE_PUBLIC_KEY']):bytes.fromhex(os.environ['CUSTOM_LICENSE_PUBLIC_KEY']),
        bytes.fromhex(os.environ['MIKRO_NPK_SIGN_PUBLIC_KEY']):bytes.fromhex(os.environ['CUSTOM_NPK_SIGN_PUBLIC_KEY'])
    }
    # The private keys are passed only to the 'npk' subcommand below, but they
    # are read before dispatch, so every invocation (including one with no
    # subcommand) needs all six variables set.
    kcdsa_private_key = bytes.fromhex(os.environ['CUSTOM_LICENSE_PRIVATE_KEY'])
    eddsa_private_key = bytes.fromhex(os.environ['CUSTOM_NPK_SIGN_PRIVATE_KEY'])
    if args.command =='npk':
        print(f'patching {args.input} ...')
        patch_npk_file(key_dict,kcdsa_private_key,eddsa_private_key,args.input,args.output)
    elif args.command == 'kernel':
        print(f'patching {args.input} ...')
        data = patch_kernel(open(args.input,'rb').read(),key_dict)
        # Without -O/--output the input file is overwritten in place; neither
        # file object is closed explicitly.
        open(args.output or args.input,'wb').write(data)
    elif args.command == 'block':
        print(f'patching {args.file} in {args.dev} ...')
        # Takes a block device path and a file path inside it; there is no
        # output option for this subcommand.
        patch_block(args.dev,args.file,key_dict)
    elif args.command == 'netinstall':
        print(f'patching {args.input} ...')
        patch_netinstall(key_dict,args.input,args.output)
    else:
        # No recognised subcommand was given.
        parser.print_help()