def process_image(self, config, imagenum, images, cur_image): # ASpeed seems to place global footer right after the last image # The size contains also part of the footer, so we extract it # But if the image is re-packed, that part is lost # so we need to check and add it, if needed if imagenum == images[-1]: if cur_image[-10:-2] != 'ATENs_FW': footer = FirmwareFooter() footer.rev1 = int(config.get('global', 'major_version'), 0) footer.rev2 = int(config.get('global', 'minor_version'), 0) footer.footerver = int(config.get('global', 'footer_version'), 0) footer.rootfs_nfo = "00000000" footer.webfs_nfo = "00000000" return cur_image + footer.getRawString()[:10] return cur_image
def process_image(self, config, imagenum, images, cur_image): # ASpeed seems to place global footer right after the last image # The size contains also part of the footer, so we extract it # But if the image is re-packed, that part is lost # so we need to check and add it, if needed if imagenum == images[-1]: if cur_image[-10:-2] != 'ATENs_FW': footer = FirmwareFooter() footer.rev1 = int(config.get('global','major_version'),0) footer.rev2 = int(config.get('global','minor_version'),0) footer.footerver = int(config.get('global','footer_version'),0) footer.rootfs_nfo = "00000000" footer.webfs_nfo = "00000000" return cur_image + footer.getRawString()[:10] return cur_image
def parse(self, ipmifw, extract, config): bootloader = ipmifw[:64040] bootloader_md5 = hashlib.md5(bootloader).hexdigest() if extract: print("Dumping bootloader to data/bootloader.bin") with open('data/bootloader.bin', 'wb') as f: f.write(bootloader) imagecrc = [] # Start by parsing all the different images within the firmware # This method comes directly from the SDK. Read through the file in 64 byte chunks, and look for the signature at a certain point in the string # Seems kinda scary, as there might be other parts of the file that include this. for i in range(0, len(ipmifw), 64): footer = ipmifw[i:i + 64] fi = FirmwareImage() # 12 bytes of padding. I think this can really be anything, though it's usually \xFF fi.loadFromString(footer[12:]) if not fi.isValid(): continue print("\n" + str(fi)) imagestart = fi.base_address if imagestart > 0x40000000: # I'm unsure where this 0x40000000 byte offset is coming from. Perhaps I'm not parsing the footer correctly? imagestart -= 0x40000000 imageend = imagestart + fi.length curcrc = zlib.crc32(ipmifw[imagestart:imageend]) & 0xffffffff imagecrc.append(curcrc) if extract: print("Dumping 0x%s to 0x%s to data/%s.bin" % (imagestart, imageend, fi.name)) with open('data/%s.bin' % fi.name, 'wb') as f: f.write(ipmifw[imagestart:imageend]) computed_image_checksum = FirmwareImage.computeChecksum( ipmifw[imagestart:imageend]) if computed_image_checksum != fi.image_checksum: print( "Warning: Image checksum mismatch, footer: 0x%x computed: 0x%x" % (fi.image_checksum, computed_image_checksum)) else: print("Image checksum matches") config.set('images', str(fi.imagenum), 'present') configkey = 'image_%i' % fi.imagenum config.add_section(configkey) config.set(configkey, 'length', hex(fi.length)) config.set(configkey, 'base_addr', hex(fi.base_address)) config.set(configkey, 'load_addr', hex(fi.load_address)) config.set(configkey, 'exec_addr', hex(fi.exec_address)) config.set(configkey, 'name', fi.name) config.set(configkey, 'type', hex(fi.type)) # Next, find and validate the global footer for imageFooter in re.findall(b"ATENs_FW(.{8})", ipmifw, re.DOTALL): footer = FirmwareFooter() footer.loadFromString(imageFooter) computed_checksum = footer.computeFooterChecksum(imagecrc) print("\n" + str(footer)) if footer.checksum == computed_checksum: print("Firmware checksum matches") else: print( "Firwamre checksum mismatch, footer: 0x%x computed: 0x%x" % (footer.checksum, computed_checksum)) config.set('global', 'major_version', str(footer.rev1)) config.set('global', 'minor_version', str(footer.rev2)) config.set('global', 'footer_version', str(footer.footerver))
def parse(self, ipmifw, extract, config): bootloader = ipmifw[:64040] bootloader_md5 = hashlib.md5(bootloader).hexdigest() if extract: print "Dumping bootloader to data/bootloader.bin" with open('data/bootloader.bin','w') as f: f.write(bootloader) imagecrc = [] # Start by parsing all the different images within the firmware # This method comes directly from the SDK. Read through the file in 64 byte chunks, and look for the signature at a certain point in the string # Seems kinda scary, as there might be other parts of the file that include this. for i in range(0,len(ipmifw),64): footer = ipmifw[i:i+64] fi = FirmwareImage() # 12 bytes of padding. I think this can really be anything, though it's usually \xFF fi.loadFromString(footer[12:]) if not fi.isValid(): continue print "\n"+str(fi) imagestart = fi.base_address if imagestart > 0x40000000: # I'm unsure where this 0x40000000 byte offset is coming from. Perhaps I'm not parsing the footer correctly? imagestart -= 0x40000000 imageend = imagestart + fi.length curcrc = zlib.crc32(ipmifw[imagestart:imageend]) & 0xffffffff imagecrc.append(curcrc) if extract: print "Dumping 0x%s to 0x%s to data/%s.bin" % (imagestart, imageend, fi.name) with open('data/%s.bin' % fi.name.replace("\x00",""),'w') as f: f.write(ipmifw[imagestart:imageend]) computed_image_checksum = FirmwareImage.computeChecksum(ipmifw[imagestart:imageend]) if computed_image_checksum != fi.image_checksum: print "Warning: Image checksum mismatch, footer: 0x%x computed: 0x%x" % (fi.image_checksum,computed_image_checksum) else: print "Image checksum matches" config.set('images', str(fi.imagenum), 'present') configkey = 'image_%i' % fi.imagenum config.add_section(configkey) config.set(configkey, 'length', hex(fi.length)) config.set(configkey, 'base_addr', hex(fi.base_address)) config.set(configkey, 'load_addr', hex(fi.load_address)) config.set(configkey, 'exec_addr', hex(fi.exec_address)) config.set(configkey, 'name', fi.name) config.set(configkey, 'type', hex(fi.type)) # Next, find and validate the global footer for imageFooter in re.findall("ATENs_FW(.{8})",ipmifw,re.DOTALL): footer = FirmwareFooter() footer.loadFromString(imageFooter) computed_checksum = footer.computeFooterChecksum(imagecrc) print "\n"+str(footer) if footer.checksum == computed_checksum: print "Firmware checksum matches" else: print "Firwamre checksum mismatch, footer: 0x%x computed: 0x%x" % (footer.checksum, computed_checksum) config.set('global', 'major_version', footer.rev1) config.set('global', 'minor_version', footer.rev2) config.set('global', 'footer_version', footer.footerver)
curblockend = curblock * 65536 last_image_end = new_image.tell() # If we don't have space to write the footer at the end of the current block, move to the next block if curblockend - 61 < last_image_end: curblock += 1 footerpos = (curblock * 65536) - 61 new_image.seek(footerpos) # And write the footer to the output file new_image.write(fi.getRawString()) footer = FirmwareFooter() footer.rev1 = int(config.get('global', 'major_version'), 0) footer.rev2 = int(config.get('global', 'minor_version'), 0) footer.footerver = int(config.get('global', 'footer_version'), 0) footer.checksum = footer.computeFooterChecksum(imagecrc) # Hmm... no documentation on where this should be, but in the firmware I have it's been palced right before the last image footer # Unsure if that's where it goes, or if it doesn't matter # 16 includes 8 padding \xFF's between the global footer and the last image footer global_start = footerpos - 16 if global_start < curblockend: print "ERROR: Would have written global footer over last image" print "Aborting" sys.exit(1) # Write the global footer
last_image_end = new_image.tell() # If we don't have space to write the footer at the end of the current block, move to the next block if curblockend - 61 < last_image_end: curblock += 1 footerpos = (curblock * 65536) - 61 new_image.seek(footerpos) # And write the footer to the output file new_image.write(fi.getRawString()) footer = FirmwareFooter() footer.rev1 = int(config.get('global','major_version'),0) footer.rev2 = int(config.get('global','minor_version'),0) footer.footerver = int(config.get('global','footer_version'),0) footer.checksum = footer.computeFooterChecksum(imagecrc) # Hmm... no documentation on where this should be, but in the firmware I have it's been palced right before the last image footer # Unsure if that's where it goes, or if it doesn't matter # 16 includes 8 padding \xFF's between the global footer and the last image footer global_start = footerpos-16 if global_start < curblockend: print "ERROR: Would have written global footer over last image" print "Aborting" sys.exit(1) # Write the global footer