9/27/2023

Unpack xz file

I'm trying to unpack (extract) and analyse the firmware of an IP Camera (Xiaomi mjsxj02cm).

I have this tf_recovery.img that's supposedly a U-Boot image, but I can't unpack it either using dumpimage or other techniques because mkimage -l doesn't provide me with enough information.

dumpimage does nothing:

```
$ dumpimage -o out tf_recovery.img
```

mkimage -l doesn't show any useful information:

```
$ mkimage -l tf_recovery.img
GP Header: Size 27051956 LoadAddr 5799cfc3
```

file gives some information, nothing I can use:

```
$ file tf_recovery.img
```

- Multiple versions of u-boot, including the latest (v2019.04-rc1) built from source.
- Tried every image type explicitly, by using -T parameter of dumpimage.
- Simply extracting the image like if it was a compressed archive.
- Searched for, to the best of my abilities, any alternative methods online.

I'd really appreciate if anyone can provide additional ideas on how to unpack this.

What ultimately enabled me to understand the firmware structure was Binwalk. Then, it was a matter of using dd to split the parts and putting them back together.

For example, here's the output from Binwalk:

```
$ binwalk tf_recovery.img
2162688 0x210000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 6502290 bytes, 2019 inodes, blocksize: 131072 bytes, created: 07:02:05
9830400 0x960000 JFFS2 filesystem, little endian
```

- There is something from address 0 to 64 (something that binwalk doesn't show, this ended up being u-boot's header).
- There's a XZ archive from 64 to 2162688.
- There's also a SquashFS filesystem from 2162688 to 9830400.
- And finally a JFFS2 filesystem from 9830400 to the end of the file.

To unpack everything:

```
dd if=tf_recovery.img of=header.bin bs=1 count=64 skip=0
dd if=tf_recovery.img of=xzdata.xz bs=1 count=2162624 skip=64
dd if=tf_recovery.img of=squashfs.bin bs=1 count=7667712 skip=2162688
dd if=tf_recovery.img of=jffs2.bin bs=1 skip=9830400
```

Putting it back together is a matter of doing the reverse:

```
dd if=header.bin of=somefile.img bs=1 count=64
dd if=xzdata.xz of=somefile.img bs=1 count=2162624 seek=64
dd if=squashfs.bin of=somefile.img bs=1 count=7667712 seek=2162688
dd if=jffs2.bin of=somefile.img bs=1 count=6488144 seek=9830400
```

Important note: All these parts were padded to size with x'FF'; this is something important to take into account when putting everything back together: How to pad a file with "FF" using dd?

Curiosity led me to google for the firmware. It appears Uboot Image header and data that follows is documented fairly well.

I just cooked a python script to rip the compressed blob out of the firmware. And testing the blob with 7zip yields no errors.

```
fileext =
Headercrc32, = struct.unpack("!i", uimghdr )
Timestamp, = struct.unpack("!i", uimghdr )
Datasize, = struct.unpack("!i", uimghdr )
LoadAddress, = struct.unpack("!i", uimghdr )
EntryPtAddr, = struct.unpack("!i", uimghdr )
Datacrc32, = struct.unpack("!i", uimghdr )
```
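As an added example (not part of the original posts), the 64-byte U-Boot header that the dd commands carve out can be parsed and CRC-checked rather than copied as an opaque blob. It assumes the standard legacy uImage layout (big-endian fields, magic 0x27051956, zlib CRC32); the sample image and the names `parse_uimage` and `build_sample` are constructed for illustration.

```python
import lzma
import struct
import zlib

UIMAGE_MAGIC = 0x27051956            # ih_magic of a legacy U-Boot image
HEADER = struct.Struct(">7I4B32s")   # 64 bytes, every field big-endian
FIELDS = ("magic", "hcrc", "time", "size", "load", "ep", "dcrc",
          "os", "arch", "type", "comp", "name")

def parse_uimage(blob):
    """Check both CRCs and return (header dict, payload without padding)."""
    if len(blob) < HEADER.size:
        raise ValueError("shorter than a uImage header")
    hdr = dict(zip(FIELDS, HEADER.unpack_from(blob)))
    if hdr["magic"] != UIMAGE_MAGIC:
        raise ValueError("bad magic 0x%08x" % hdr["magic"])
    # ih_hcrc is computed over the header with the ih_hcrc field zeroed.
    zeroed = blob[:4] + b"\x00" * 4 + blob[8:HEADER.size]
    if zlib.crc32(zeroed) != hdr["hcrc"]:
        raise ValueError("header CRC mismatch")
    # ih_size is the real payload length; trailing 0xFF padding is excluded.
    payload = blob[HEADER.size:HEADER.size + hdr["size"]]
    if len(payload) != hdr["size"]:
        raise ValueError("image truncated")
    if zlib.crc32(payload) != hdr["dcrc"]:
        raise ValueError("data CRC mismatch")
    hdr["name"] = hdr["name"].rstrip(b"\x00").decode("ascii", "replace")
    return hdr, payload

def build_sample(pad_to=4096):
    """Constructed image: header + xz payload + 0xFF padding (not real firmware)."""
    kernel = b"constructed kernel bytes " * 64
    payload = lzma.compress(kernel, format=lzma.FORMAT_XZ)
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80000000, 0x80000000,
              zlib.crc32(payload), 0, 0, 0, 0, b"sample-kernel"]
    fields[1] = zlib.crc32(HEADER.pack(*fields))   # hcrc over zeroed field
    image = HEADER.pack(*fields) + payload
    return image + b"\xff" * (pad_to - len(image)), kernel

if __name__ == "__main__":
    image, kernel = build_sample()
    hdr, payload = parse_uimage(image)
    print(hdr)
    print("payload bytes:", len(payload), "of", len(image) - HEADER.size)
    print("xz payload decompresses:", lzma.decompress(payload) == kernel)
```

When a payload is modified and the image rebuilt, both CRC fields and the size field have to be recomputed the same way `build_sample` does, otherwise the header check fails.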