ReFirmLabs / binwalk

Firmware Analysis Tool
MIT License

Add modified CramFS to filesystem magic #363

Open E3V3A opened 6 years ago

E3V3A commented 6 years ago

Some time ago, there were a bunch of Pirelli routers whose firmware was using a modified CramFS (also containing LZMA structures).

The file magic for these was: 45 3D CD 28. With LZMA:

I suggest calling this after the modifiers: Jungo's OpenRG version of CramFS or alternatively Jungo modified CramFS.

How can I add this to the magic file?


PS. The original:

http://va.ler.io/dl/lzma-uncramfs.tar.gz
lzma-uncramfs v0.7rg by Andrew Stitcher, lzma for openrg by V. Di Giampietro (v@ler.io)
45 3D CD 28, and is preceding (by 12 bytes) the string "Compressed ROMFS"

E3V3A commented 5 years ago

uuhm, this is not a support ticket, it's an enhancement.

devttys0 commented 5 years ago

Since the LZMA version of CramFS has the same signature, I think there are two approaches to this.

First, the easy way: just add the lzma-uncramfs utility as a cramfs extractor. If it fails, binwalk will move on to the next cramfs extractor. This requires minimal effort, and the files will be extracted correctly, but there won't be anything in binwalk's output to indicate that the CramFS image has Jungo's LZMA modifications.

Second, the "correct" way: write a plugin. I don't think this can be done with a simple signature as the location of the compressed blocks is not necessarily predictable (at least AFAIK). A plugin that does some basic parsing of the CramFS image and looks at a compressed block and sees that it starts with 0x5D could then modify the displayed description string to indicate that it's a Jungo LZMA CramFS image.
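The parsing step described in the comment above, as an added standalone example (not part of the thread and not binwalk's plugin code): it walks the CramFS directory tree to a regular file, skips that file's block-pointer array, and inspects the first byte of the compressed block. It assumes the Jungo variant keeps the stock little-endian CramFS layout with 4096-byte blocks; the function names and description strings are hypothetical.

```python
import struct

MAGIC = bytes.fromhex("453DCD28")    # file magic from the issue: 45 3D CD 28
SIGNATURE = b"Compressed ROMFS"      # at offset 16, 12 bytes after the magic
BLOCK_SIZE = 4096                    # assumption: stock cramfs block size
S_IFMT, S_IFDIR, S_IFREG = 0o170000, 0o040000, 0o100000


def read_inode(img, off):
    """Decode a 12-byte inode: (mode, size, name bytes, data offset)."""
    w0, w1, w2 = struct.unpack_from("<III", img, off)
    return w0 & 0xFFFF, w1 & 0xFFFFFF, (w2 & 0x3F) * 4, (w2 >> 6) * 4


def first_block_byte(img):
    """Return the first byte of one compressed data block, or None."""
    if len(img) < 76 or img[:4] != MAGIC or img[16:32] != SIGNATURE:
        raise ValueError("not a little-endian cramfs image")
    pending, seen = [64], set()      # root inode sits at offset 64
    while pending:
        ino = pending.pop()
        if ino in seen or ino + 12 > len(img):
            continue                 # loop or truncated image: skip
        seen.add(ino)
        mode, size, _, data = read_inode(img, ino)
        if size == 0 or data == 0:
            continue                 # empty file, empty dir, device node
        if mode & S_IFMT == S_IFREG:
            # File data starts with one u32 end-pointer per block;
            # the first compressed block follows that array.
            start = data + 4 * -(-size // BLOCK_SIZE)
            if start < len(img):
                return img[start]
        elif mode & S_IFMT == S_IFDIR:
            pos, end = data, min(data + size, len(img))
            while pos + 12 <= end:   # entries: inode + padded name
                pending.append(pos)
                pos += 12 + read_inode(img, pos)[2]
    return None


def classify(img):
    """Label the image by the first byte of a compressed block."""
    first = first_block_byte(img)
    if first == 0x5D:                # LZMA properties byte noted in the thread
        return "CramFS filesystem, Jungo LZMA modified"
    if first == 0x78:                # usual first byte of a zlib stream
        return "CramFS filesystem, zlib"
    return "CramFS filesystem, compression not identified"
```

A single leading byte is a heuristic, so a result from `classify` is best confirmed by actually running the matching extractor on the image.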

Engineer-26 commented 4 months ago

It seems the issue is that after Ubuntu 18.04 cramfs was deprecated for squashfs. To manually install cramfs extractor support: