Vault7: CIA Hacking Tools Revealed
Owner: User #524297
Firmware Reverse Engineering
Firmware Images
a1470-timecapsule-20150225.bin [ md5 = 2b0d2c5657daa8b65ac1141c912beaa3 ]
Firmware Image Parsing
The binwalk tool ( http://binwalk.org ) is usually helpful when parsing a known binary file; however, we found that it does not do well against the Apple Airport firmware. Binwalk did identify a few locations worth examining further by hand.
flashrom -V -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=8M,pullups=on -c MX25L25635F -r ./tmp/a1521_timecapsule.bin
User #71383@andromeda:~/tmp$ binwalk -Bv a1470-timecapsule-20150225.bin
Scan Time: 2015-03-24 15:21:11
Target File: /home/User #71383/tmp/a1470-timecapsule-20150225.bin
MD5 Checksum: 2b0d2c5657daa8b65ac1141c912beaa3
Signatures: 328
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
74424 0x122B8 Unix path: /SourceCache/J28/AirPortFW-77300.1/Embedded/External/cfebrcm/iproc/CFE/src/shared/siutils.c
79068 0x134DC Unix path: /SourceCache/J28/AirPortFW-77300.1/Embedded/External/cfebrcm/iproc/CFE/src/shared/aiutils.c
93208 0x16C18 Unix path: /SourceCache/J28/AirPortFW-77300.1/Embedded/External/cfebrcm/iproc/CFE/src/shared/load.c
93340 0x16C9C Unix path: /SourceCache/J28/AirPortFW-77300.1/Embedded/External/cfebrcm/iproc/CFE/src/shared/hndchipc.c
147460 0x24004 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 610436 bytes
1072251 0x105C7B Copyright string: "Copyright 1995-2005 User #71419 "
1072536 0x105D98 CRC32 polynomial table, little endian
1076632 0x106D98 CRC32 polynomial table, big endian
1081700 0x108164 gzip compressed data, maximum compression, has original file name: "netbsd.j28_release.image.bin", from Unix, last modified: 2014-04-14 22:11:40
8214656 0x7D5880 Minix filesystem, V1, little endian, -20629 zones
15752315 0xF05C7B Copyright string: "Copyright 1995-2005 User #71419 "
15752600 0xF05D98 CRC32 polynomial table, little endian
15756696 0xF06D98 CRC32 polynomial table, big endian
15761764 0xF08164 gzip compressed data, maximum compression, has original file name: "netbsd.j28_release.image.bin", from Unix, last modified: 2014-04-14 22:11:40
22894720 0x15D5880 Minix filesystem, V1, little endian, -20629 zones
30584320 0x1D2AE00 OpenSSH RSA1 private key, version "1.1"
30591488 0x1D2CA00 PEM DSA private key
30595072 0x1D2D800 OpenSSH DSA public key
30598144 0x1D2E400 PEM RSA private key
30602240 0x1D2F400 OpenSSH RSA public key
The "Unix path:" entries found by binwalk are simply strings within the Broadcom/Apple CFE bootloader. Analysis of the CFE bootloader is still needed.
The purpose of the "LZMA compressed data" found by binwalk is still unknown; analysis is still needed.
We examined the Airport firmware at offset 0x1D2AE00 ( OpenSSH RSA1 private key, version "1.1" ) and determined that the five keys found by binwalk are stored sequentially in the firmware. The offset at which the last key ( OpenSSH RSA public key ) ends was a guess.
User #71383@andromeda:~/tmp$ dd if=a1470-timecapsule-20150225.bin of=./openssh_rsa1_private_key ibs=1 skip=30584320 count=7168
7168+0 records in
14+0 records out
7168 bytes (7.2 kB) copied, 0.00173387 s, 4.1 MB/s
User #71383@andromeda:~/tmp$ ssh-keygen -e -f openssh_rsa1_private_key
version 1 keys are not supported
User #71383@andromeda:~/tmp$ dd if=a1470-timecapsule-20150225.bin of=./pem_dsa_private_key ibs=1 skip=30591488 count=3584
3584+0 records in
7+0 records out
3584 bytes (3.6 kB) copied, 0.000970766 s, 3.7 MB/s
User #71383@andromeda:~/tmp$ openssl dsa -inform PEM -text -in pem_dsa_private_key
read DSA key
Private-Key: (1024 bit)
writing DSA key
User #71383@andromeda:~/tmp$ dd if=a1470-timecapsule-20150225.bin of=./openssh_dsa_public_key ibs=1 skip=30595072 count=3072
3072+0 records in
6+0 records out
3072 bytes (3.1 kB) copied, 0.000795556 s, 3.9 MB/s
User #71383@andromeda:~/tmp$ ssh-keygen -e -f openssh_dsa_public_key
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit DSA, converted by User #71383@andromeda from OpenSSH"
---- END SSH2 PUBLIC KEY ----
User #71383@andromeda:~/tmp$ dd if=a1470-timecapsule-20150225.bin of=./pem_rsa_private_key ibs=1 skip=30598144 count=4096
4096+0 records in
8+0 records out
4096 bytes (4.1 kB) copied, 0.00101769 s, 4.0 MB/s
User #71383@andromeda:~/tmp$ openssl rsa -inform PEM -text -in pem_rsa_private_key
Private-Key: (2048 bit)
publicExponent: 65537 (0x10001)
writing RSA key
User #71383@andromeda:~/tmp$ dd if=a1470-timecapsule-20150225.bin of=./openssh_rsa_public_key ibs=1 skip=30602240 count=3071
3071+0 records in
5+1 records out
3071 bytes (3.1 kB) copied, 0.000776856 s, 4.0 MB/s
User #71383@andromeda:~/tmp$ ssh-keygen -e -f openssh_rsa_public_key
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by User #71383@andromeda from OpenSSH"
---- END SSH2 PUBLIC KEY ----
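Rather than guessing where the last key ends, the boundaries of PEM and OpenSSH key material can be located from their own markers, and the bytes between consecutive keys can be checked for anything that is not flash padding. The Python below is an added example, not part of the original analysis; it runs over a constructed in-memory blob with placeholder key bodies and assumes nothing about the real firmware layout.

```python
import re

# PEM block: BEGIN marker through the matching END marker (same label),
# including the trailing newline. DOTALL lets the body span lines.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----\r?\n?", re.DOTALL)
# OpenSSH public key line: "ssh-rsa <base64> [comment]\n".
OPENSSH_PUB_RE = re.compile(rb"(ssh-(?:rsa|dss)) [A-Za-z0-9+/=]+[^\n]*\n")


def carve_keys(blob):
    """Return [(kind, start, end)] for every key-like span in blob, sorted by
    offset. end is exclusive, so blob[start:end] is the complete artifact."""
    found = [(m.group(1).decode(), m.start(), m.end())
             for m in PEM_RE.finditer(blob)]
    found += [(m.group(1).decode() + " public key", m.start(), m.end())
              for m in OPENSSH_PUB_RE.finditer(blob)]
    return sorted(found, key=lambda t: t[1])


def check_gaps(blob, spans):
    """For each pair of consecutive spans report (kind_a, kind_b, gap_len,
    clean). clean is True when the gap holds only flash padding (0x00/0xff);
    False means a boundary was misjudged or something else sits between."""
    report = []
    for (kind_a, _, end_a), (kind_b, start_b, _) in zip(spans, spans[1:]):
        gap = blob[end_a:start_b]
        report.append((kind_a, kind_b, len(gap), gap.strip(b"\x00\xff") == b""))
    return report


def build_sample_blob():
    """Constructed firmware-like blob (not real firmware, not real keys):
    0xff padding, a PEM DSA block, zero padding, an OpenSSH DSA public key
    line, zero padding, a PEM RSA block, 0xff padding. Key bodies are
    placeholder base64 characters."""
    pem_dsa = (b"-----BEGIN DSA PRIVATE KEY-----\n" + b"QUFB" * 16 + b"\n"
               + b"-----END DSA PRIVATE KEY-----\n")
    ssh_pub = b"ssh-dss AAAAB3NzaC1kc3MAAACB" + b"QUFB" * 8 + b" root@host\n"
    pem_rsa = (b"-----BEGIN RSA PRIVATE KEY-----\n" + b"QUFB" * 24 + b"\n"
               + b"-----END RSA PRIVATE KEY-----\n")
    return (b"\xff" * 64 + pem_dsa + b"\x00" * 100 + ssh_pub
            + b"\x00" * 37 + pem_rsa + b"\xff" * 200)


if __name__ == "__main__":
    blob = build_sample_blob()
    spans = carve_keys(blob)
    for kind, start, end in spans:
        print(f"{kind:<24} 0x{start:06x}-0x{end:06x} ({end - start} bytes)")
    for a, b, n, clean in check_gaps(blob, spans):
        print(f"gap {a} -> {b}: {n} bytes, {'padding' if clean else 'NOT padding'}")
```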
Now we want to look by hand at the "netbsd.j28_release.image.bin" offsets ( 0x108164 and 0xf08164 ). We confirmed with the NetBSD source code ( src/sys/arch/evbarm/stand/gzboot/gzboot.c ) that there is a gzboot header (gzip header) at these offsets. Further review of the NetBSD source code ( src/sys/arch/evbarm/stand/gzboot/srtbegin.S ) indicated that the bytes starting at offsets 0x100000 and 0xf00000 are the beginning of the NetBSD gzboot loader. To confirm our suspicions we copied the first 48 bytes at 0x100000 into the Online Disassembler ( http://www.onlinedisassembler.com ); the disassembly closely matched the assembly code in srtbegin.S. Further disassembly of the gzboot loader via Ghidra is needed. This review by hand further confirmed that the compressed NetBSD kernel begins at offsets 0x108164 and 0xf08164.
User #71383@andromeda:~/tmp$ dd if=a1470-timecapsule-20150225.bin of=./gzboot-0x100000 ibs=1 skip=1048576 count=33124
33124+0 records in
64+1 records out
33124 bytes (33 kB) copied, 0.011309 s, 2.9 MB/s
User #71383@andromeda:~/tmp$ dd if=a1470-timecapsule-20150225.bin of=./gzboot-0xf00000 ibs=1 skip=15728640 count=33124
33124+0 records in
64+1 records out
33124 bytes (33 kB) copied, 0.0119577 s, 2.8 MB/s
Additional disassembly of the gzboot code should reveal the size of the compressed NetBSD kernel. For now we want to look by hand at the "Minix filesystem" offsets ( 0x7d5880 and 0x15d5880 ) found by binwalk. After skipping to offset 0x7d5880, we examined the bytes before the offset and found that the first "netbsd.j28_release.image.bin" image ends at 0x7d547b, followed by zeros until 0x7d5880. Therefore, we believe the first compressed NetBSD kernel occupies 0x108164 - 0x7d5880 ( 7,132,956 bytes ). We followed the same steps with the second "netbsd.j28_release.image.bin" image: it ends at 0x15d547b, followed by zeros until 0x15d5880. Therefore, we believe the second compressed NetBSD kernel occupies 0xf08164 - 0x15d5880 ( 7,132,956 bytes ).
When we tried to gunzip the extracted compressed NetBSD kernels using the information above, we received the following message: "gzip: compressed_netbsd_kernel-0x108164.gz: unexpected end of file". Therefore, we need to re-examine the compressed kernels' ending offsets until gunzip can properly uncompress the kernel. The first question we have is: why did binwalk identify a "Minix filesystem" at offsets 0x7d5880 and 0x15d5880? When looking at the bytes in a hex editor, we find all zeros before and after these offsets.
User #71383@andromeda:~/tmp$ dd if=a1470-timecapsule-20150225.bin of=./compressed_netbsd_kernel-0x108164 ibs=1 skip=1081700 count=7132956
7132956+0 records in
13931+1 records out
7132956 bytes (7.1 MB) copied, 2.46885 s, 2.9 MB/s
User #71383@andromeda:~/tmp$ dd if=a1470-timecapsule-20150225.bin of=./compressed_netbsd_kernel-0xf08164 ibs=1 skip=15761764 count=7132956
7132956+0 records in
13931+1 records out
7132956 bytes (7.1 MB) copied, 1.90497 s, 3.7 MB/s
User #71383@andromeda:~/tmp$ file compressed_netbsd_kernel-0x*
compressed_netbsd_kernel-0x108164: gzip compressed data, was "netbsd.j28_release.image.bin", from Unix, last modified: Mon Apr 14 18:11:40 2014, max compression
compressed_netbsd_kernel-0xf08164: gzip compressed data, was "netbsd.j28_release.image.bin", from Unix, last modified: Mon Apr 14 18:11:40 2014, max compression
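The true end of a gzip member can be recovered from the stream itself rather than from the next binwalk hit: zlib reports how many trailing bytes it did not consume, and a stream that never reaches its trailer is the condition gunzip reports as "unexpected end of file". The Python below is an added example, not from the original analysis; it builds a constructed in-memory image containing one gzip member carrying the page's kernel file name (mtime and payload are made up), zero padding and unrelated trailing bytes, and also exercises the truncated case.

```python
import gzip
import io
import zlib


def gzip_member_span(blob, start):
    """Inflate the gzip member beginning at blob[start] and return
    (end_offset_exclusive, uncompressed_size). Returns None if the stream
    is truncated, i.e. zlib never reached the gzip trailer (the condition
    gunzip reports as "unexpected end of file")."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out_len = 0
    pos = start
    while pos < len(blob) and not d.eof:
        piece = blob[pos:pos + 65536]
        out_len += len(d.decompress(piece))
        pos += len(piece)
    if not d.eof:
        return None
    # Whatever followed the trailer inside the last piece is in unused_data,
    # so the member ends exactly that many bytes before pos.
    return pos - len(d.unused_data), out_len


def build_sample_image(payload, start, pad):
    """Constructed image (not the real firmware): `start` bytes of 0xff, one
    gzip member carrying the kernel file name seen in the Airport image,
    `pad` zero bytes, then unrelated trailing bytes. Returns
    (image, member_length)."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename="netbsd.j28_release.image.bin", mode="wb",
                       fileobj=buf, mtime=1397513500) as gz:  # mtime made up
        gz.write(payload)
    member = buf.getvalue()
    image = b"\xff" * start + member + b"\x00" * pad + b"trailing-bytes"
    return image, len(member)


if __name__ == "__main__":
    image, mlen = build_sample_image(b"fake kernel text " * 4096, 0x1000, 0x400)
    print("member:", gzip_member_span(image, 0x1000))  # exact end offset and size
    print("truncated:", gzip_member_span(image[:0x1000 + mlen - 8], 0x1000))  # None
```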
Previous Attempts
Interesting points of
Offset | Data | Notes |
---|---|---|
0x0000 - 0x003f | unknown, but repetitive data | initial bootstrap code? |
0x03E0 | "ZSIB" | Some kind of section header |
0x0400 | "FLSH" | 16 bytes of data, followed by what looks like null-terminated strings for NVRAM variables. Seems data is repeated at offset 0x80000. |
0x1400 | "AMZL" | AMZL == LZMA in reverse? |
0x8230 | "SHMOO VEPKID" | wtf? |
0xB0008 | "C86439500FNF55QAX" | serial #? repeated later in variable as "mlbserial" |
0xB0050 | "141004141004p" 0x700a 0x07d4 | unknown data |
0x108164 | gzip compressed data | filename included: "netbsd.j28_release.image.bin", file repeated again at offset 0xF08164 |
0xF08164 | gzip compressed data | filename included: "netbsd.j28_release.image.bin" (repeated) |
My attempt at parsing the firmware for the Time Capsule -
Start Offset | End Offset | Length (bytes) | Interesting Bytes | Notes |
---|---|---|---|---|
0x00000000 | 0x000003DF | 992 | 0xff 0x04 0x00 0xea ... 0x78 0x56 0x34 0x12 | strange/unknown header with several repeating values |
0x000003E0 | 0x000003FF | 32 | ZSIB – what is ZSIB | |
0x00000400 | 0x000013FF | 4096 | 0xb9 0xb3 0xac 0xb7 at the end of the section | FLSH – I believe this is NVRAM |
0x00001400 | 0x0001FFFF | 125,952 | AMZL – I believe this is the Broadcom/Apple CFE bootloader | |
0x00020000 | 0x00023FFF | 16,384 | a simple pattern exists for what reason I don't know | |
0x00024000 | 0x0004F87F | 178,304 | binary, compressed, and/or encrypted information | |
0x0004F880 | 0x0007FFFF | 198,528 | all 0xff – uninitialized flash memory | |
0x00080000 | 0x0008026F | 624 | FLSH – an almost complete copy of previous FLSH | |
0x00080270 | 0x0009FFFF | 130,448 | all 0xff – uninitialized flash memory | |
0x000A0000 | 0x000A7FFF | 32,768 | mlbserial=C86439500FNF55QAX.apple-sn=C86NH3UGF9H5 | NULL terminated strings – transceiver settings |
0x000A8000 | 0x000FFFFF | 360,448 | all 0xff – uninitialized flash memory with two exceptions (see above) | |
0x00100000 | | | | gzipped NetBSD for Broadcom BCM5301x |
-- that is what I have so far