Merge pull request #793 from ReFirmLabs/enc_fw_sigs
Adds signatures for some known encrypted firmware types
devttys0 authored Dec 3, 2024
2 parents 3e0743b + 1572592 commit 6988c06
Showing 3 changed files with 78 additions and 0 deletions.
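--- a/src/magic.rs
+++ b/src/magic.rs
@@ -1108,6 +1108,17 @@ pub fn patterns() -> Vec<signatures::common::Signature> {
 description: signatures::dkbs::DESCRIPTION.to_string(),
 extractor: None,
 },
+// known encrypted firmware
+signatures::common::Signature {
+name: "encfw".to_string(),
+short: true,
+magic_offset: 0,
+always_display: true,
+magic: signatures::encfw::encfw_magic(),
+parser: signatures::encfw::encfw_parser,
+description: signatures::encfw::DESCRIPTION.to_string(),
+extractor: None,
+},
 ];
 
 binary_signatures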
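Review bot: The comment on the new entry does not explain why `short: true` and `always_display: true` are set, although these flags look like the only thing limiting where a 4-byte magic can match and when the result is shown. If `short` restricts matching to the start of a file, as the name suggests, the comment should say so, for example `// 4-byte magics are too short to scan for everywhere; short: true keeps matching to the start of the file`. In that case the `result.offset != 0` branch in `encfw_parser` would be unreachable from this entry, which is worth confirming. The enclosing `patterns()` body starts and ends outside the hunk.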
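--- a/src/signatures.rs
+++ b/src/signatures.rs
@@ -136,6 +136,7 @@ pub mod dxbc;
 pub mod ecos;
 pub mod efigpt;
 pub mod elf;
+pub mod encfw;
 pub mod encrpted_img;
 pub mod ext;
 pub mod fat;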
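--- a/src/signatures/encfw.rs
+++ b/src/signatures/encfw.rs
@@ -0,0 +1,66 @@
+use crate::signatures::common::{
+SignatureError, SignatureResult, CONFIDENCE_LOW, CONFIDENCE_MEDIUM,
+};
+use std::collections::HashMap;
+
+/// Known encrypted firmware magics and their associated make/model
+fn encfw_known_firmware() -> HashMap<Vec<u8>, String> {
+HashMap::from([
+(
+b"\xdf\x8c\x39\x0d".to_vec(),
+"D-Link DIR-822 rev C".to_string(),
+),
+(b"\x35\x66\x6f\x68".to_vec(), "D-Link DAP-1665".to_string()),
+(
+b"\xf5\x2a\xa0\xb4".to_vec(),
+"D-Link DIR-842 rev C".to_string(),
+),
+(
+b"\xe3\x13\x00\x5b".to_vec(),
+"D-Link DIR-850 rev A".to_string(),
+),
+(
+b"\x0a\x14\xe4\x24".to_vec(),
+"D-Link DIR-850 rev B".to_string(),
+),
+])
+}
+
+/// Human readable description
+pub const DESCRIPTION: &str = "Known encrypted firmware";
+
+/// Known encrypted firmware magic bytes
+pub fn encfw_magic() -> Vec<Vec<u8>> {
+encfw_known_firmware().keys().cloned().collect()
+}
+
+/// Parse the magic signature match
+pub fn encfw_parser(file_data: &[u8], offset: usize) -> Result<SignatureResult, SignatureError> {
+const MAGIC_LEN: usize = 4;
+
+// Successful return value
+let mut result = SignatureResult {
+offset,
+description: DESCRIPTION.to_string(),
+confidence: CONFIDENCE_MEDIUM,
+..Default::default()
+};
+
+if let Some(magic_bytes) = file_data.get(offset..offset + MAGIC_LEN) {
+if encfw_known_firmware().contains_key(magic_bytes) {
+if result.offset != 0 {
+result.confidence = CONFIDENCE_LOW;
+}
+
+result.description = format!(
+"{}, {}",
+result.description,
+encfw_known_firmware()[magic_bytes]
+);
+
+return Ok(result);
+}
+}
+
+Err(SignatureError)
+}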
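Review bot: `encfw_parser` names a specific make and model at `CONFIDENCE_MEDIUM` from the four leading bytes alone; nothing else in the file is checked, so any input that starts with one of these values is reported as known encrypted firmware. If the format offers nothing further to validate, the doc comment should say so, for example `/// Matches on the 4-byte magic only; treat the reported make/model as a hint, not a verified identification`. The table is also rebuilt on every `encfw_known_firmware()` call and the parser calls it twice; `if let Some(model) = encfw_known_firmware().get(magic_bytes) {` would build it once and replace the `contains_key` plus index pair with a single lookup.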
