0

The Binwalk output of modified firmware

for some reason whenever I try to extract a firmware with the identified parts using python, I get so many additional xz compressed data.

Here's my code in the python script, where it is (name, offset, and size)

    FirmwarePart("uimage_kernel", 0x0, 0x40),
    FirmwarePart("lzma",0x40,0x18A143),
    FirmwarePart("squashfs", 0x18A143,0)

Binwalk output of original firmware

Here's the Binwalk output of the original firmware binary.

I have a feeling I'm not calculating the size of the last component "squashfs" correctly. Sorry if this is unclear, I'm new to all this.

The header added firmware binary file

Bryan
  • 67
  • 7
  • Is it from this video: https://www.youtube.com/watch?v=hV8W4o-Mu2o ? From what device do you want to extract the firmware ? Try to use 7945414 instead of 0 (zero) in your last call: FirmwarePart("squashfs", 0x18A143, 7945414) – areop-enap Jan 26 '21 at 23:27
  • Yes! This is for work, so hopefully I can figure it out soon lol. Ill try it now – Bryan Jan 26 '21 at 23:35
  • When I re-package the firmware (omitting the image-header) like the video, I still get additional compression xz data. Any idea how to calculate the size of the last firmware_part? All help is appropriated – Bryan Jan 26 '21 at 23:44
  • You are missing the image header somehow. Your LZMA data are starting at address 0, which is wrong. I assume LZMA should start at 0x40 (64)... – areop-enap Jan 26 '21 at 23:57
  • I added a pic of the firmware (image header and all). The LZMA data starts at the 0x40 offset. It's still showing tons of additional xz compressed data. – Bryan Jan 27 '21 at 00:02
  • The image size within your header seems to be wrong, it should be 1614083, the size of the LZMA minus 64, not the size of the squashfs nor the whole size of your structure. – areop-enap Jan 27 '21 at 00:11
  • IT WORKS! Thank you!!!! The ```FirmwarePart("uimage_kernel", 0x0, 0x40), FirmwarePart("lzma",0x40,0x18A103), FirmwarePart("squashfs", 0x18A143,0x793CC6)``` worked for me. Do you please mind explaining how you came up with 0x793CC6 for the squashfs size? THANK YOU AGAIN ❤️❤️❤️ – Bryan Jan 27 '21 at 00:34
  • The first line of your original firmware output where it shows '...image size: 1614083...' should give you the size of your LZMA. You should enter that size and not the size of the whole squashfs. Your output had the wrong value as LZMA image size. – areop-enap Jan 27 '21 at 01:04

0 Answers0