Closed soxrok2212 closed 1 month ago
Hi, you just need to write an entry in any of the magic files with a custom MIME type (see the existing magic rules or a guide on how to do that or ask ChatGPT) and assign this MIME type to your custom unpacker:
MIME_PATTERNS = ['<your/custom/mime>']
fact_helper_file is used inside the extractor for determining the file's (MIME) type, so you need to make sure that the version with your MIME type is installed when building the Docker image of the extractor.
Maybe I should add that you can always test if your custom MIME type works by installing fact_helper_file from your local directory (pip install .) and checking the type of your firmware file:
from fact_helper_file import get_file_type_from_path
get_file_type_from_path("path/to/your/fw")
Please note that you always need to reinstall fact_helper_file after changing the magic files, because they get compiled during installation.
Right, for other devices I've made a few custom entries, but those did not have signatures in the firmwares. I just wasn't sure if the magic had to be at the start of the binary for it to be detected, or if it just had to exist somewhere in the binary.
> I just wasn't sure if the magic had to be at the start of the binary for it to be detected, or if it just had to exist somewhere in the binary.
The offset can be anywhere in the file. In general in a magic rule you first have the offset, then comes the type, followed by the value and finally a description. You can even have relative offsets. You can find a detailed explanation in the man page: https://linux.die.net/man/5/magic
If your file looks like 3082060D<1549 bytes of data>12345678<rest of the firmware> and 060D is the length of the DER signature, you can use that as relative offset. Maybe something like this would work:
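# DER lengths are big-endian, so the indirect offset reads a big-endian short (.S);
# +4 skips the header bytes 30 82 LL LL that precede the signature body
0 string \x30\x82
>(0x02.S+4) string \x12\x34\x56\x78 Firmware with prepended DER signature
!:mime firmware/prepended-der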
If it doesn't, there is also a search feature where you can search for a value. This should search for the string \x12\x34\x56\x78 in the first 2048 bytes:
0 string \x30\x82
>0 search/0x800 \x12\x34\x56\x78
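The offset arithmetic behind the relative-offset rule above, as an added Python example that is not part of the original thread or of FACT: it reads the DER length header (also covering the short-form and other long-form encodings, which a rule anchored on `\x30\x82` does not) and checks that the magic sits directly after the signature. The function names and the sample bytes are constructed for illustration; `12345678` is the placeholder magic from the question.

```python
from typing import Optional

MAGIC = bytes.fromhex("12345678")  # placeholder magic bytes from the thread


def der_total_length(data: bytes) -> int:
    """Return header + content length of the DER SEQUENCE at offset 0."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("no DER SEQUENCE tag (0x30) at offset 0")
    first = data[1]
    if first < 0x80:                 # short form: the byte itself is the length
        return 2 + first
    n = first & 0x7F                 # long form: n big-endian length bytes follow
    if n == 0 or n > 4:
        raise ValueError("indefinite or implausibly large DER length")
    if len(data) < 2 + n:
        raise ValueError("truncated DER length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def find_payload_offset(data: bytes, magic: bytes = MAGIC) -> Optional[int]:
    """Offset of the firmware payload, or None if the magic does not
    directly follow a DER signature at the start of the file."""
    try:
        offset = der_total_length(data)
    except ValueError:
        return None
    if data[offset:offset + len(magic)] == magic:
        return offset
    return None


# Constructed sample: 30 82 06 0D + 1549 filler bytes + magic + payload
SAMPLE = bytes.fromhex("3082060D") + b"\xAA" * 0x060D + MAGIC + b"rest of the firmware"

if __name__ == "__main__":
    print(find_payload_offset(SAMPLE))
```

The returned offset is the value the indirect offset in the magic rule has to evaluate to, which makes it a quick cross-check when a rule does not match a given release.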
Understood, thank you kindly!
Hi,
I have a firmware that has an n-byte DER signature prepended to the firmware before the unsigned version's magic bytes. I'm wondering what would be the best route for this problem since the magic bytes exist, but they're just not at the start of the binary and I want to make sure my custom extractor is used over the generic one.
An example firmware (bytes) might look like:
Where 12345678 are the magic bytes. The DER signature length can be different for any given release. Cheers!