horus_frk

Extracting the internal RF module (iXJT) firmware from Horus X10 / X12S transmitter firmware images (*_frtx.bin)

Commands:
=========

Find prolog:
------------

The firmware starts with a fixed 16-byte signature, which binwalk can search for as a raw signature with -R (several images, or a glob such as X10*.bin, can be given at once; binwalk then prints one result block per file):

$ binwalk -R "\x79\x09\xAA\x9A\xBE\x70\x25\xB3\x7C\xF9\x87\x5F\xAA\x7C\xC3\xD1" X12S_mode1_NEU_1603_frtx.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1793748       0x1B5ED4        \x79\x09\xAA\x9A\xBE\x70\x25\xB3\x7C\xF9\x87\x5F\xAA\x7C\xC3\xD1

-> this is your start offset (0x1B5ED4 in hexadecimal, 1793748 in decimal). The prolog itself is part of the firmware, so the file cut out at the end will begin with these 16 bytes.

Find end-of-firmware:
---------------------

$ binwalk -R "\x00\x00\x00\x00" -l 80000 -o 0x1B5ED4 X12S_mode1_NEU_1603_frtx.bin | head -n 5

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1867476       0x1C7ED4        \x00\x00\x00\x00
1867486       0x1C7EDE        \x00\x00\x00\x00

-> the first hit is your end offset: the first run of four zero bytes after the start (-o starts the search at the start offset, -l 80000 bounds how far it looks, and head keeps only the first hits). If you subtract the start offset from it, you get the length. This assumes that the firmware body itself contains no run of four zero bytes, which is why the size read from the epilog below is cross-checked against this difference.

Check what is before the prolog:
--------------------------------

Here we want to see what is contained in the 16 bytes before the firmware,
so we display 16 bytes, beginning at (start offset - 0x10). 

So here: 0x1B5ED4 - 0x10 = 0x1B5EC4

$ binwalk -W -l 16 -o 0x1B5EC4 X12S_mode1_NEU_1603_frtx.bin

OFFSET      X12S_mode1_NEU_1603_frtx.bin
--------------------------------------------------------------------------------
0x001B5EC4  00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00 |...........<....|

Nothing in these 16 bytes looks like a length field (compare the older images in the table at the end, where the last four of these bytes are the size field). In this firmware the length must therefore be encoded after the firmware, so let's have a look there.

Check epilog:
-------------

Here we want to look at the 16 bytes after the firmware, which is why we use the end offset (0x1C7ED4).

$ binwalk -W -l 16 -o 0x1C7ED4 X12S_mode1_NEU_1603_frtx.bin

OFFSET      X12S_mode1_NEU_1603_frtx.bin
--------------------------------------------------------------------------------
0x001C7ED4  00 00 00 00 01 20 01 00 4A 31 00 00 00 00 00 00 |........J1......|

-> firmware size: 0x012000 (72 KiB). The size field is the four bytes 01 20 01 00 right after the 00 00 00 00 end marker. In every image in the table at the end it has the form 01 XX 01 00 for a size of 0x01XX00, i.e. the first two bytes read big-endian, in units of 0x100 bytes. The 4A 31 (ASCII "J1") that follows is not needed for the size.

Now we should check that numbers match:
end offset - start offset = 0x1C7ED4 - 0x1B5ED4 = 0x12000
-> Looks good!

Cut firmware out:
-----------------

Here we use the start offset (0x1B5ED4) and the length (72k). bs=1 is slow on large images but is needed so that skip and count are counted in bytes, not in blocks:

$ dd bs=1 skip=$((0x1B5ED4)) if=X12S_mode1_NEU_1603_frtx.bin of=X12S_NEU_1603_iXJT.frk count=72k
73728+0 records in
73728+0 records out
73728 bytes transferred in 0.598368 secs (123215 bytes/sec)

Please note that using "count=$((0x12000))" would work just the same. Check the result: the output file must be exactly 73728 bytes long and its first 16 bytes must be the prolog signature (79 09 AA 9A BE 70 25 B3 7C F9 87 5F AA 7C C3 D1).
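The whole procedure above (find the prolog, find the end marker, read and cross-check the size field, cut the blob out) as one script. This is an added example for this README, not code from the horus_frk repository or from the firmware vendor. It goes beyond the worked example in that it also handles the images in the table below where the size field sits in the 16 bytes before the prolog. The function names, the build_sample() test image and the reading of the size field as "first two bytes big-endian, in units of 0x100" are assumptions of this example; the byte values it uses are the ones shown on this page.

```python
#!/usr/bin/env python3
"""Carve the internal RF (iXJT) firmware out of a Horus *_frtx.bin image.

Added example for this README, not code from the horus_frk repository.
It automates the binwalk/dd steps above and also handles the images in
the table where the size field precedes the prolog.
"""
import struct
import sys

# The 16-byte prolog searched for with `binwalk -R` above.
PROLOG = bytes.fromhex("7909AA9ABE7025B37CF9875FAA7CC3D1")
END_MARKER = b"\x00\x00\x00\x00"


def decode_size(field: bytes) -> int:
    """Decode the 4-byte size field (01 XX 01 00 -> 0x01XX00).

    Every image in the table decodes this way (01 20 01 00 -> 0x012000,
    01 18 01 00 -> 0x011800, 01 28 01 00 -> 0x012800). The reading used
    here, first two bytes big-endian in units of 0x100 with a fixed 01 00
    tail, is an assumption that fits all of them; it is not documented.
    """
    if len(field) != 4 or field[2:] != b"\x01\x00":
        raise ValueError(f"not a size field: {field.hex()}")
    return struct.unpack(">H", field[:2])[0] * 0x100


def locate(image: bytes) -> tuple[int, int, str]:
    """Return (start, size, layout) for the firmware embedded in `image`.

    layout is "epilog" when the size field follows the firmware
    (00 00 00 00 01 XX 01 00, as in the 1603 image above) and "prolog"
    when it is the last 4 bytes before the prolog (1102..1505 images).
    """
    start = image.find(PROLOG)
    if start < 0:
        raise ValueError("prolog not found")
    if image.find(PROLOG, start + 1) >= 0:
        raise ValueError("prolog occurs more than once; refine the search")

    # Epilog layout: look for 00 00 00 00 after the start, as the second
    # binwalk command does, but accept a hit only if the size field behind
    # it equals (end - start). That is the cross-check done by hand above,
    # and it also skips any run of zeros inside the firmware body.
    end = image.find(END_MARKER, start + len(PROLOG))
    while end >= 0:
        try:
            if decode_size(image[end + 4:end + 8]) == end - start:
                return start, end - start, "epilog"
        except ValueError:
            pass
        end = image.find(END_MARKER, end + 1)

    # Prolog layout: there is no trailing marker to cross-check against,
    # so only verify that the size field decodes and fits inside the image.
    size = decode_size(image[max(start - 4, 0):start])
    if start + size > len(image):
        raise ValueError("size field points past the end of the image")
    return start, size, "prolog"


def carve(image: bytes) -> bytes:
    """The firmware blob, prolog included, exactly as `dd` cuts it above."""
    start, size, _ = locate(image)
    return image[start:start + size]


def build_sample(layout: str, size: int = 0x12000) -> bytes:
    """Constructed test image (not a real vendor file) in either layout."""
    body = PROLOG + bytes((i * 7) & 0xFF for i in range(size - len(PROLOG)))
    field = struct.pack(">H", size // 0x100) + b"\x01\x00"
    filler = b"\xAA" * 100                   # stands in for the radio firmware
    if layout == "epilog":                   # surroundings as in the 1603 dumps
        before = b"\x00" * 10 + b"\x10\x3C\x2E\x00\x00\x00"
        return filler + before + body + END_MARKER + field + b"J1" + b"\x00" * 6
    before = b"\x00" * 6 + b"\x10\x3C\x00\x80\x2A\x44" + field   # 1102..1505 rows
    return filler + before + body + b"\x00" * 16


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read()
    start, size, layout = locate(data)
    print(f"prolog at 0x{start:X}, size 0x{size:X} ({size // 1024} KiB), "
          f"size field in {layout}")
    with open(sys.argv[2], "wb") as out:
        out.write(carve(data))
```

Run it as python3 carve_frk.py X12S_mode1_NEU_1603_frtx.bin X12S_NEU_1603_iXJT.frk; on that image it should report the prolog at 0x1B5ED4 and a size of 0x12000 taken from the epilog, and the output file is the same 73728 bytes dd produces above. If the prolog appears more than once in an image the script refuses to guess; narrow the search down by hand with binwalk as shown above.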

Overview of the analysed images:
================================

All images carry the same 16-byte prolog and a 4-byte size field of the form 01 XX 01 00 (size 0x01XX00), but in two layouts. In the 1102, 1204, 1404 and 1505 images the size field is the last four of the 16 bytes before the prolog. In the 1225, 1304 Beta and 1603 images those 16 bytes end in 10 3C 2E 00 00 00, as in the dump above, and the size field follows the firmware after the 00 00 00 00 end marker, as in the epilog dump above. The size column is decoded from that field in both cases.

Offset       Filename                           Before prolog (16 bytes)                          Epilog / Size
===========================================================================================================================================
0x110C5C     X10S_EU_1102_frtx.bin              00 00 00 00 00 00 10 3C 00 80 2A 44 01 20 01 00   size: 0x012000
0x110C0C     X10S_NEU_1102_frtx.bin             00 00 00 00 00 00 10 3C 00 80 2A 44 01 20 01 00   size: 0x012000

0x1220D0     X10_mode1_EU_1204_frtx.bin         00 00 00 00 00 00 10 3C 00 80 2A 44 01 20 01 00   size: 0x012000
0x1220D8     X10_mode2_EU_1204_frtx.bin         00 00 00 00 00 00 10 3C 00 80 2A 44 01 20 01 00   size: 0x012000

0x121DF0     X10_mode1_NEU_1204_frtx.bin        00 00 00 00 00 00 10 3C 00 80 2A 44 01 20 01 00   size: 0x012000
0x121DF8     X10_mode2_NEU_1204_frtx.bin        00 00 00 00 00 00 10 3C 00 80 2A 44 01 20 01 00   size: 0x012000

0x12C04C     X12S_NEU_1404_frtx.bin             00 00 00 00 00 00 10 3C 00 80 2A 44 01 18 01 00   size: 0x011800
0x12C0C4     X12S_EU_1404_frtx.bin              00 00 00 00 00 00 10 3C 00 80 2A 44 01 18 01 00   size: 0x011800

0x136D14     X12S_mode2_NEU_1505_frtx.bin       00 00 00 00 00 00 10 3C 00 80 2A 44 01 20 01 00   size: 0x012000
0x136D0C     X12S_mode1_NEU_1505_frtx.bin       00 00 00 00 00 00 10 3C 00 80 2A 44 01 20 01 00   size: 0x012000

0x13704C     X12S_mode2_EU_1505_frtx.bin        00 00 00 00 00 00 10 3C 00 80 2A 44 01 28 01 00   size: 0x012800
0x137044     X12S_mode1_EU_1505_frtx.bin        00 00 00 00 00 00 10 3C 00 80 2A 44 01 28 01 00   size: 0x012800

0x19FE1C     X10_EU_1304_Beta0228_frtx.bin      00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00   00 00 00 00 01 20 01 00    size: 0x012000
0x19FAF4     X10_FLEX_1304_Beta0228_frtx.bin    00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00   00 00 00 00 01 20 01 00    size: 0x012000
0x19FA34     X10_NEU_1304_Beta0228_frtx.bin     00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00   00 00 00 00 01 20 01 00    size: 0x012000

0x1A259C     X12S_NEU_1225_frtx.bin             00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00   00 00 00 00 01 18 01 00    size: 0x011800
0x1A25F4     X12S_EU_1225_frtx.bin              00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00   00 00 00 00 01 18 01 00    size: 0x011800

0x1B5ED4     X12S_mode1_NEU_1603_frtx.bin       00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00   00 00 00 00 01 20 01 00    size: 0x012000
0x1B5ED4     X12S_mode2_NEU_1603_frtx.bin       00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00   00 00 00 00 01 20 01 00    size: 0x012000

0x1B5F8C     X12S_mode1_FLEX_1603_frtx.bin      00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00   00 00 00 00 01 20 01 00    size: 0x012000
0x1B5F8C     X12S_mode2_FLEX_1603_frtx.bin      00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00   00 00 00 00 01 20 01 00    size: 0x012000

0x1B62B4     X12S_mode1_EU_1603_frtx.bin        00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00   00 00 00 00 01 28 01 00    size: 0x012800
0x1B62B4     X12S_mode2_EU_1603_frtx.bin        00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00   00 00 00 00 01 28 01 00    size: 0x012800