Closed RenateUSB closed 2 months ago
Thanks. Yes, I noticed such firehose. In general, they are processed like regular firehose, but at the same time, most likely, fh_loader will not be able to work with them without additional work. See https://github.com/hoplik/Firehose-Finder/blob/master/Guide.cs strings 110-129 You write that the corpses made changes after signing. I do not think so. Most likely, they managed to change only the header of the file (ELF => ELE). This will be enough to make it impossible to run through fh_loader, but it will not change the certificate chain. All other identifier data from certificates is read correctly. I hope that the reverse change (7F454C45=>7F454C46) will be enough for the correct operation of the hose. I did not make such changes myself, because there is nothing to check the result on. If it doesn't work such a way, please let me know, I'll remove these hoses from the database.
I think the problem is that somebody patched them also.
I did not make such changes myself, because there is nothing to check the result on.
Oh? Google "QcomView". 😄
Oh? Google "QcomView". 😄
I wanted to take a look, but the computer is swearing at the virus. ;(
What can I say? I get 0 of 93 bad by https://www.virustotal.com/
I'm not for myself, I'm for others. That's how I looked, it's very interesting. Can we discuss it in the chat (https://t.me/+Suwc1u6h8PYzM2Qy)?
Telegram, no.
Xiaomi did/does this stupid thing. They change the signature in ELF files to "ELE". They do this after signing. If you change the "ELE" back to "ELF" then the first hash (on the ELF header) is now correct. But the third hash is still off because they did something stupid somewhere else too.
Is there any EDL client which still can do these modifications before sending the loader out? Could these files be fixed so that they are correct without further handling so as to be compatible with generic EDL clients?
Does "rb" mean reversed bytes or bits?