Vault7: CIA Hacking Tools Revealed
Owner: User #524297
Firmware Reverse Engineering
Firmware Images
a1470-timecapsule-20150225.bin [ md5 = 2b0d2c5657daa8b65ac1141c912beaa3 ]
Firmware Image Parsing
User #71383@andromeda:~/tmp$ binwalk -Bev a1470-timecapsule-20150225.bin
Scan Time: 2015-03-24 15:21:11
Target File: /home/User #71383/tmp/a1470-timecapsule-20150225.bin
MD5 Checksum: 2b0d2c5657daa8b65ac1141c912beaa3
Signatures: 328
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
74424 0x122B8 Unix path: /SourceCache/J28/AirPortFW-77300.1/Embedded/External/cfebrcm/iproc/CFE/src/shared/siutils.c
79068 0x134DC Unix path: /SourceCache/J28/AirPortFW-77300.1/Embedded/External/cfebrcm/iproc/CFE/src/shared/aiutils.c
93208 0x16C18 Unix path: /SourceCache/J28/AirPortFW-77300.1/Embedded/External/cfebrcm/iproc/CFE/src/shared/load.c
93340 0x16C9C Unix path: /SourceCache/J28/AirPortFW-77300.1/Embedded/External/cfebrcm/iproc/CFE/src/shared/hndchipc.c
147460 0x24004 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 610436 bytes
1072251 0x105C7B Copyright string: "Copyright 1995-2005 User #71419 "
1072536 0x105D98 CRC32 polynomial table, little endian
1076632 0x106D98 CRC32 polynomial table, big endian
1081700 0x108164 gzip compressed data, maximum compression, has original file name: "netbsd.j28_release.image.bin", from Unix, last modified: 2014-04-14 22:11:40
8214656 0x7D5880 Minix filesystem, V1, little endian, -20629 zones
15752315 0xF05C7B Copyright string: "Copyright 1995-2005 User #71419 "
15752600 0xF05D98 CRC32 polynomial table, little endian
15756696 0xF06D98 CRC32 polynomial table, big endian
15761764 0xF08164 gzip compressed data, maximum compression, has original file name: "netbsd.j28_release.image.bin", from Unix, last modified: 2014-04-14 22:11:40
22894720 0x15D5880 Minix filesystem, V1, little endian, -20629 zones
30584320 0x1D2AE00 OpenSSH RSA1 private key, version "1.1"
30591488 0x1D2CA00 PEM DSA private key
30595072 0x1D2D800 OpenSSH DSA public key
30598144 0x1D2E400 PEM RSA private key
30602240 0x1D2F400 OpenSSH RSA public key
User #71383@andromeda:~/tmp$ ll _a1470-timecapsule-20150225.bin.extracted/
total 64044
drwxrwxr-x 2 User #71383 User #71383 4096 2015-03-24 16:36 ./
drwxr-xr-x 4 User #71383 User #71383 4096 2015-03-24 16:36 ../
-rw-rw-r-- 1 User #71383 User #71383 2970112 2015-03-24 16:36 1D2AE00.key
-rw-rw-r-- 1 User #71383 User #71383 2962944 2015-03-24 16:36 1D2CA00.key
-rw-rw-r-- 1 User #71383 User #71383 2956288 2015-03-24 16:36 1D2E400.key
-rw-rw-r-- 1 User #71383 User #71383 610436 2015-03-24 16:36 24004
-rw-rw-r-- 1 User #71383 User #71383 33406972 2015-03-24 16:36 24004.7z
-rw-rw-r-- 1 User #71383 User #71383 22652736 2015-03-24 16:36 netbsd.j28_release.image.bin
User #71383@andromeda:~/tmp$ file _a1470-timecapsule-20150225.bin.extracted/*
_a1470-timecapsule-20150225.bin.extracted/1D2AE00.key: OpenSSH RSA1 private key, version 1.1
_a1470-timecapsule-20150225.bin.extracted/1D2CA00.key: PEM DSA private key
_a1470-timecapsule-20150225.bin.extracted/1D2E400.key: PEM RSA private key
_a1470-timecapsule-20150225.bin.extracted/24004: data
_a1470-timecapsule-20150225.bin.extracted/24004.7z: data
_a1470-timecapsule-20150225.bin.extracted/netbsd.j28_release.image.bin: data
User #71383@andromeda:~/tmp$ openssl rsa -inform PEM -text -in _a1470-timecapsule-20150225.bin.extracted/1D2E400.key
Private-Key: (2048 bit)
publicExponent: 65537 (0x10001)
writing RSA key
User #71383@andromeda:~/tmp$ openssl dsa -inform PEM -text -in _a1470-timecapsule-20150225.bin.extracted/1D2CA00.key
read DSA key
Private-Key: (1024 bit)
writing DSA key
Previous Attempts
Interesting points of
Offset | Data | Notes |
---|---|---|
0x0000 - 0x003f | unknown, but repetitive data | initial bootstrap code? |
0x03E0 | "ZSIB" | Some kind of section header |
0x0400 | "FLSH" | 16 bytes of data, followed by what looks like null-terminated strings for NVRAM variables. Seems data is repeated at offset 0x80000. |
0x1400 | "AMZL" | AMZL == LZMA in reverse? |
0x8230 | "SHMOO VEPKID" | wtf? |
0xB0008 | "C86439500FNF55QAX" | serial #? repeated later in variable as "mlbserial" |
0xB0050 | "141004141004p" 0x700a 0x07d4 | unknown data |
0x108164 | gzip compressed data | filename included: "netbsd.j28_release.image.bin", file repeated again at offset 0xF08164 |
0xF08164 | gzip compressed data | filename included: "netbsd.j28_release.image.bin" (repeated) |
My attempt at parsing the firmware for the Time Capsule -
Start Offset | End Offset | Length (bytes) | Interesting Bytes | Notes |
---|---|---|---|---|
0x00000000 | 0x000003DF | 992 | 0xff 0x04 0x00 0xea ... 0x78 0x56 0x34 0x12 | strange/unknown header with several repeating values |
0x000003E0 | 0x000003FF | 32 | ZSIB – what is ZSIB | |
0x00000400 | 0x000013FF | 4096 | 0xb9 0xb3 0xac 0xb7 at the end of the section | FLSH – I believe this is NVRAM |
0x00001400 | 0x0001FFFF | 125,952 | AMZL – I believe this is Broadcom/Apple CFE Bootloader | |
0x00020000 | 0x00023FFF | 16,384 | a simple pattern exists for what reason I don't know | |
0x00024000 | 0x0004F87F | 178,304 | binary, compressed, and/or encrypted information | |
0x0004F880 | 0x0007FFFF | 198,528 | all 0xff – uninitialized flash memory | |
0x00080000 | 0x0008026F | 624 | FLSH – an almost complete copy of previous FLSH | |
0x00080270 | 0x0009FFFF | 130,448 | all 0xff – uninitialized flash memory | |
0x000A0000 | 0x000A7FFF | 32,768 | mlbserial=C86439500FNF55QAX.apple-sn=C86NH3UGF9H5 | NULL terminated strings – transceiver settings |
0x000A8000 | 0x000FFFFF | 360,448 | all 0xff – uninitialized flash memory with two exceptions (see above) | |
0x00100000 | gzipped NetBSD for Broadcom BCM5301x |
-- that is what I have so far.
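
The layout tables above can be cross-checked mechanically. The following Python sketch is an added example, not code from the original page: it scans a flash image for the section tags, gzip members, erased 0xff regions and PEM private-key headers noted above. The 4096-byte erased-run threshold, the function names and the scaled-down sample image are assumptions constructed for illustration.

```python
import re
import struct

# Section tags the page's tables report at 0x3E0, 0x400/0x80000 and 0x1400.
TAGS = (b"ZSIB", b"FLSH", b"AMZL")
GZIP_MAGIC = b"\x1f\x8b\x08"            # gzip member, deflate method
PEM_PRIVATE = re.compile(rb"-----BEGIN ([A-Z0-9 ]*)PRIVATE KEY-----")
ERASED = re.compile(rb"\xff{4096,}")    # assumed threshold for "erased flash"

def gzip_name(image, off):
    """Return the original file name stored in a gzip header, or None."""
    if off + 10 > len(image) or not image[off + 3] & 0x08:   # FNAME flag
        return None
    pos = off + 10                       # fixed gzip header is 10 bytes
    if image[off + 3] & 0x04:            # FEXTRA: skip length-prefixed field
        if pos + 2 > len(image):
            return None
        pos += 2 + struct.unpack_from("<H", image, pos)[0]
    end = image.find(b"\x00", pos)
    return image[pos:end].decode("latin-1") if end != -1 else None

def map_image(image):
    """Return (offset, kind, detail) findings sorted by offset."""
    found = []
    for tag in TAGS:                     # short tags can also match by chance
        found += [(m.start(), "tag", tag.decode())
                  for m in re.finditer(re.escape(tag), image)]
    found += [(m.start(), "gzip", gzip_name(image, m.start()))
              for m in re.finditer(re.escape(GZIP_MAGIC), image)]
    found += [(m.start(), "private-key", m.group(1).decode().strip() or "PKCS8")
              for m in PEM_PRIVATE.finditer(image)]
    found += [(m.start(), "erased", m.end() - m.start())
              for m in ERASED.finditer(image)]
    return sorted(found, key=lambda f: f[0])

def build_sample():
    """Constructed 16 KiB image: the page's layout scaled down, no real data."""
    img = bytearray(0x4000)
    for off, tag in ((0x3E0, b"ZSIB"), (0x400, b"FLSH"), (0x1400, b"AMZL")):
        img[off:off + 4] = tag
    img[0x2000:0x3000] = b"\xff" * 0x1000
    gz = b"\x1f\x8b\x08\x08" + bytes(4) + b"\x02\x03netbsd.j28_release.image.bin\x00"
    img[0x3000:0x3000 + len(gz)] = gz
    pem = b"-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n"
    img[0x3800:0x3800 + len(pem)] = pem
    return bytes(img)

if __name__ == "__main__":
    for off, kind, detail in map_image(build_sample()):
        print(f"0x{off:08X}  {kind:<12} {detail}")
```

On a real image the tag and gzip hits are candidates only, since three- and four-byte patterns also occur by chance inside compressed data; a `private-key` hit in vendor firmware is the finding worth escalating, because a key shipped in an image is shared by every device that runs it.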