Last byte \x02 is for letting the firmware update service know that it's a resource and not the firmware file.

The search results differ from the output of the signature scan.

The next step was to initialize the firmware/resource Update On Characteristic 1531 with write command of 4-byte

Either that or binwalk augments its signature scan with additional information or heuristics that I am not aware of to reduce false positives. In addition, not all of the compressed blocks may be detected. When I used wxHexEditor to search for byte 0x78DA, more than 3000 matches were found. With that being said, binwalk detects roughly 1900 zlib compressed data blocks, with some false positives detected throughout the file.

JPEG presence of readable ASCII strings seems to confirm that the data is compressed and was successfully decompressed. When the compressed data at offset 4C is decompressed, the result is a binary blob with some image signatures and string data:

    $ binwalk 4C
    89        0x59        JPEG image data, JFIF standard 1.02
    119       0x77        TIFF image data, big-endian, offset of first image directory: 8
    413       0x19D       JPEG image data, JFIF standard 1.02
    6169      0x1819      Copyright string: "Copyright Flag"
    6800      0x1A90      JPEG image data, JFIF standard 1.02

    $ binwalk -B vdrv.dat
    76        0x4C        Zlib compressed data, best compression
    410855    0x644E7     Zlib compressed data, best compression
    411415    0x64717     Zlib compressed data, best compression
    411833    0x648B9     Zlib compressed data, best compression
    739843    0xB4A03     Zlib compressed data, best compression
    740261    0xB4BA5     Zlib compressed data, best compression
    943653    0xE6625     Zlib compressed data, best compression
    944071    0xE67C7     Zlib compressed data, best compression
    1342964   0x147DF4    Zlib compressed data, best compression
    1343382   0x147F96    Zlib compressed data, best compression
    1715439   0x1A2CEF    Zlib compressed data, best compression
    1715857   0x1A2E91    Zlib compressed data, best compression

Binwalk treats the following bytes as zlib signatures:

    #0 beshort 0x7801 Zlib header, no compression
    0 beshort 0x789c Zlib compressed data, default compression
    0 beshort 0x78da Zlib compressed data, best compression
    0 beshort 0x785e Zlib compressed data, compressed

The binary seems to be composed of blocks of zlib compressed data.

Any help in figuring this out would be much appreciated! That is all I have been able to figure out up to now. Now there are obviously some repeated patterns here, so I'm thinking that it might be some XOR-ish cipher, though I haven't been able to figure out a key or even a structure.

Also, I know that these (partial) strings should be in there somewhere in some way or another (got those from the executable): data

I dumped the data from the 64 and 120 long blocks separately, without those twelve "header" bytes.