fkie-cad / fact_helper_file

File type helper functions and magic library
GNU General Public License v3.0

MIME type for firmware with a prepended signature #34

Closed soxrok2212 closed 1 month ago

soxrok2212 commented 1 month ago

Hi,

I have a firmware that has an n-byte DER signature prepended to the firmware before the unsigned version's magic bytes. I'm wondering what would be the best route for this problem since the magic bytes exist, but they're just not at the start of the binary and I want to make sure my custom extractor is used over the generic one.

An example firmware (bytes) might look like:

3082060D<1549 bytes of data>12345678<rest of the firmware>

Where 12345678 are the magic bytes. The DER signature length can be different for any given release. Cheers!

jstucke commented 1 month ago

Hi, you just need to write an entry in any of the magic files with a custom MIME type (see the existing magic rules or a guide on how to do that or ask ChatGPT) and assign this MIME type to your custom unpacker:

MIME_PATTERNS = ['<your/custom/mime>']

fact_helper_file is used inside the extractor for determining the file's (MIME) type, so you need to make sure that the version with your MIME type is installed when building the Docker image of the extractor.

jstucke commented 1 month ago

Maybe I should add that you can always test if your custom MIME type works by installing fact_helper_file from your local directory (pip install .) and checking the type of your firmware file:

from fact_helper_file import get_file_type_from_path
get_file_type_from_path("path/to/your/fw")

Please note that you always need to reinstall fact_helper_file after changing the magic files, because they get compiled during installation.

soxrok2212 commented 1 month ago

Right, for other devices I've made a few custom entries, but those did not have signatures in the firmwares. I just wasn't sure if the magic had to be at the start of the binary for it to be detected, or if it just had to exist somewhere in the binary.

jstucke commented 1 month ago

> I just wasn't sure if the magic had to be at the start of the binary for it to be detected, or if it just had to exist somewhere in the binary.

The offset can be anywhere in the file. In general in a magic rule you first have the offset, then comes the type, followed by the value and finally a description. You can even have relative offsets. You can find a detailed explanation in the man page: https://linux.die.net/man/5/magic

If your file looks like 3082060D<1549 bytes of data>12345678<rest of the firmware> and 060D is the length of the DER signature, you can use that as relative offset. Maybe something like this would work:

0                string    \x30\x82
# DER lengths are big-endian, so read the short with .S (not .s); the content starts
# after 4 header bytes (tag 0x30, 0x82, two length bytes), hence +4 rather than +2
>(0x02.S+4)    string    \x12\x34\x56\x78     Firmware with prepended DER signature
!:mime  firmware/prepended-der

If it doesn't, there is also a search feature where you can search for a value. This should search for the string \x12\x34\x56\x78 in the first 2048 bytes:

0            string    \x30\x82
>0           search/0x800    \x12\x34\x56\x78     Firmware with prepended DER signature
!:mime  firmware/prepended-der
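To make the indirection concrete, here is an added Python example (not code from fact_helper_file or from anyone in the thread) that computes the same offset a magic line like `>(0x02.S+4)` resolves, generalises it to every DER length encoding (short form and the 0x81/0x82 long forms, which a fixed `0x30 0x82` rule does not cover), and falls back to a bounded search like `>0 search/0x800`. The magic bytes 12 34 56 78 and the MIME type firmware/prepended-der are taken from the thread; the sample images are constructed inside the script and are not real firmware.

```python
"""Resolve the magic offset inside a firmware image with a prepended DER signature.

Added example, not code from fact_helper_file or from the issue thread. It mirrors
what a libmagic indirect offset such as `>(0x02.S+4)` computes, extends it to every
DER length form, and falls back to a bounded search like `>0 search/0x800 ...`.
MAGIC and MIME are taken from the thread; the sample images are constructed here.
"""
import struct
from typing import Optional, Tuple

MAGIC = b"\x12\x34\x56\x78"        # magic bytes of the unsigned image (from the issue)
MIME = "firmware/prepended-der"    # custom MIME type proposed in the thread
DER_SEQUENCE = 0x30                # a DER signature blob starts with a SEQUENCE tag


def der_tlv_size(buf: bytes) -> int:
    """Return total size (tag + length bytes + content) of the DER TLV at buf[0].

    Handles the short form (one length byte < 0x80) and the long form
    (0x81..0x84 followed by that many big-endian length bytes).
    """
    if len(buf) < 2:
        raise ValueError("buffer too short for a DER header")
    first = buf[1]
    if first < 0x80:                          # short form
        return 2 + first
    if first == 0x80:                         # indefinite length is BER only
        raise ValueError("indefinite length is not valid DER")
    n = first & 0x7F                          # long form: number of length bytes
    if n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def magic_offset_by_indirection(buf: bytes) -> Optional[int]:
    """Exactly what the magic line `>(0x02.S+4)` resolves, for the 0x30 0x82 case.

    .S reads a big-endian 16-bit value at offset 2 (DER lengths are big-endian,
    so `.s`, the little-endian form, would point to the wrong place); +4 skips
    the tag, the 0x82 marker and the two length bytes.
    """
    if buf[:2] != b"\x30\x82" or len(buf) < 4:
        return None
    return struct.unpack_from(">H", buf, 2)[0] + 4


def classify(buf: bytes, search_limit: int = 0x800) -> Tuple[Optional[str], Optional[int]]:
    """Return (mime, offset_of_magic) or (None, None).

    First path: parse the DER length and expect MAGIC right after the blob.
    Second path: like `search/0x800`, try the first `search_limit` positions.
    """
    if buf[:1] == bytes([DER_SEQUENCE]):
        try:
            off = der_tlv_size(buf)
            if buf[off:off + len(MAGIC)] == MAGIC:
                return MIME, off
        except ValueError:
            pass
    # search/N tries N start positions (0 .. N-1); a match at N-1 ends at N-1+len(MAGIC)
    pos = buf.find(MAGIC, 0, search_limit - 1 + len(MAGIC))
    if pos != -1:
        return MIME, pos
    return None, None


def build_image(sig_len: int, payload: bytes = b"rest of the firmware") -> bytes:
    """Constructed sample image: DER SEQUENCE header, sig_len filler bytes, MAGIC, payload."""
    if sig_len < 0x80:
        header = bytes([DER_SEQUENCE, sig_len])
    elif sig_len < 0x100:
        header = bytes([DER_SEQUENCE, 0x81, sig_len])
    else:
        header = bytes([DER_SEQUENCE, 0x82]) + struct.pack(">H", sig_len)
    return header + b"\xAA" * sig_len + MAGIC + payload


if __name__ == "__main__":
    for n in (1549, 0xC8, 0x45):              # 1549 is the layout quoted in the issue
        img = build_image(n)
        print(f"sig_len={n:5d}  header={img[:4].hex()}  "
              f"indirection={magic_offset_by_indirection(img)}  classify={classify(img)}")
```

For the 1549-byte layout from the issue both paths agree on offset 1553 (4 header bytes plus 0x060D); for a short-form length the fixed `0x30 0x82` rule does not fire and only the general parser or the search fallback finds the magic. To check the real magic rule independently of fact_helper_file, put the snippet in its own magic file and run `file -m <that file> --mime-type <fw>` before reinstalling the package.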

soxrok2212 commented 1 month ago

Understood, thank you kindly!