tenable / esp32_image_parser

A toolkit for helping you reverse engineer ESP32 firmware.
MIT License
165 stars 42 forks

Show partitions says reading partitions and then exits #2

Open mpsOxygen opened 3 years ago

mpsOxygen commented 3 years ago

Hello,

I am trying to dump an esp32 binary image from a Xiaomi IR remote; unfortunately, it isn't working.

Any ideas why this is happening?

(venv) [user@fedora esp32_image_parser-master]$ ./esp32_image_parser.py show_partitions chuangmi.remote_2.0.6_0006.v2.bin
reading partition table...
(venv) [user@fedora esp32_image_parser-master]$

mpsOxygen commented 3 years ago

From what I can tell my magic isn't matching what is in the script:

>>> f.seek(0x8000)
32768
>>> magic = f.read(2)
>>> magic
b'av'

The image is a valid esp32 bin:

(venv) [user@fedora irtest]$ esptool --chip esp32 image_info chuangmi.remote_2.0.6_0006.v2.bin 
esptool.py v2.8
Image version: 1
Entry point: 40080fe8
7 segments

Segment 1: len 0x2b950 load 0x3f400020 file_offs 0x00000018 [DROM]
Segment 2: len 0x0341c load 0x3ffc0000 file_offs 0x0002b970 [BYTE_ACCESSIBLE, DRAM, DMA]
Segment 3: len 0x00470 load 0x3ffc341c file_offs 0x0002ed94 [BYTE_ACCESSIBLE, DRAM, DMA]
Segment 4: len 0x00400 load 0x40080000 file_offs 0x0002f20c [IRAM]
Segment 5: len 0x009f4 load 0x40080400 file_offs 0x0002f614 [IRAM]
Segment 6: len 0xebef0 load 0x400d0018 file_offs 0x00030010 [IROM]
Segment 7: len 0x16d84 load 0x40080df4 file_offs 0x0011bf08 [IRAM]
Checksum: ee (valid)
Validation Hash: 271e2ef23bf38595b866d1cfa239380f611bb6c39b879f8c123bad8dd60ff480 (valid)

leon0399 commented 1 year ago

For me, even #3 does not help:

esptool.py v4.5.1
Image version: 1
Entry point: 4008172c
6 segments

Segment 1: len 0xd0648 load 0x3f400020 file_offs 0x00000018 [DROM]
Segment 2: len 0x021ec load 0x3ffb0000 file_offs 0x000d0668 [BYTE_ACCESSIBLE,DRAM]
Segment 3: len 0x00404 load 0x40080000 file_offs 0x000d285c [IRAM]
Segment 4: len 0x0a408 load 0x40080404 file_offs 0x000d2c68 [IRAM]
Segment 5: len 0x02f98 load 0x00000000 file_offs 0x000dd078 [PADDING]
Segment 6: len 0x1afa0 load 0x400d0020 file_offs 0x000e0018 [IROM]
Checksum: 23 (valid)
Validation Hash: 8dacb1ef2bb331943cf3101d696ab8a51c42bd1bf76681c99b3db07298930dbf (valid)

esptool.py v4.5.1
Image version: 1
Entry point: 40082c98
6 segments

Segment 1: len 0x23dc0 load 0x3f400020 file_offs 0x00000018 [DROM]
Segment 2: len 0x05cd8 load 0x3ffbdb60 file_offs 0x00023de0 [BYTE_ACCESSIBLE,DRAM]
Segment 3: len 0x06550 load 0x40080000 file_offs 0x00029ac0 [IRAM]
Segment 4: len 0xcc32c load 0x400d0020 file_offs 0x00030018 [IROM]
Segment 5: len 0x131d0 load 0x40086550 file_offs 0x000fc34c [IRAM]
Segment 6: len 0x00010 load 0x50000200 file_offs 0x0010f524 [RTC_DATA]
Checksum: b5 (valid)
Validation Hash: 282c5a28814801d963a85c5e11a09483ff839d6084c60fe95bfe19d026c02b29 (valid)

delfer commented 11 months ago

Maybe you have the RISC-V based ESP32: https://github.com/tenable/esp32_image_parser/pull/12

yaghmr commented 8 months ago

Which image are you using? If you don't have the device at hand, you can reconstruct the image in the flash with dd using the application's binary, bootloader/bootloader.bin, and partition_table/partition-table.bin.
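Added example (not part of the thread and not esp32_image_parser's own code): a quick check that tells a standalone application image, which is what `esptool image_info` accepts from offset 0, apart from a full flash dump that carries a partition table. It assumes the ESP-IDF defaults (partition table at 0x8000, bootloader at 0x1000, 32-byte entries starting with bytes AA 50); the function names are hypothetical and both sample images are constructed.

```python
import struct

APP_MAGIC = 0xE9               # first byte of an ESP32 bootloader or app image
PT_ENTRY_MAGIC = b"\xaa\x50"   # first two bytes of every partition table entry
PT_OFFSET = 0x8000             # assumed: default partition table offset in flash
PT_MAX_LEN = 0xC00             # maximum size of the partition table
BOOTLOADER_OFFSET = 0x1000     # assumed: ESP32 second-stage bootloader offset
# magic, type, subtype, offset, size, label, flags (little-endian, 32 bytes)
ENTRY = struct.Struct("<2sBBII16sI")

def parse_partition_table(data, offset=PT_OFFSET):
    """Return (label, type, subtype, offset, size) tuples; [] if no table."""
    entries = []
    for pos in range(offset, offset + PT_MAX_LEN, ENTRY.size):
        chunk = data[pos:pos + ENTRY.size]
        # Stop at end of file, the MD5 record, 0xFF padding, or foreign data.
        if len(chunk) < ENTRY.size or chunk[:2] != PT_ENTRY_MAGIC:
            break
        _magic, ptype, subtype, start, size, label, _flags = ENTRY.unpack(chunk)
        name = label.rstrip(b"\x00").decode("ascii", "replace")
        entries.append((name, ptype, subtype, start, size))
    return entries

def classify(data):
    """Return ('flash_dump' | 'app_image' | 'unknown', partition entries)."""
    entries = parse_partition_table(data)
    if entries:
        return "flash_dump", entries
    if data[:1] == bytes([APP_MAGIC]):
        return "app_image", []   # 0x8000 is segment data here, not a table
    return "unknown", []

def sample_app_image():
    # Constructed: image magic at offset 0 and b"av" at 0x8000, as in the thread.
    img = bytearray(0x9000)
    img[0] = APP_MAGIC
    img[PT_OFFSET:PT_OFFSET + 2] = b"av"
    return bytes(img)

def sample_flash_dump():
    # Constructed: erased flash, bootloader magic, and a two-entry table.
    img = bytearray(b"\xff" * 0x10000)
    img[BOOTLOADER_OFFSET] = APP_MAGIC
    table = (ENTRY.pack(PT_ENTRY_MAGIC, 1, 2, 0x9000, 0x6000, b"nvs", 0)
             + ENTRY.pack(PT_ENTRY_MAGIC, 0, 0, 0x10000, 0x100000, b"factory", 0))
    img[PT_OFFSET:PT_OFFSET + len(table)] = table
    return bytes(img)

if __name__ == "__main__":
    print(classify(sample_app_image())[0], classify(sample_flash_dump()))
```

A result of `app_image` means the file holds a single application and there is no partition table in it to show; partition listing needs a full flash image.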