Adds signatures for some known encrypted firmware types #793

Merged
merged 1 commit into from
Dec 3, 2024
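--- a/src/magic.rs
+++ b/src/magic.rs
@@ -1108,6 +1108,17 @@ pub fn patterns() -> Vec<signatures::common::Signature> {
 description: signatures::dkbs::DESCRIPTION.to_string(),
 extractor: None,
 },
+// known encrypted firmware
+signatures::common::Signature {
+name: "encfw".to_string(),
+short: true,
+magic_offset: 0,
+always_display: true,
+magic: signatures::encfw::encfw_magic(),
+parser: signatures::encfw::encfw_parser,
+description: signatures::encfw::DESCRIPTION.to_string(),
+extractor: None,
+},
 ];
 
 binary_signatures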
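Review bot: The new `encfw` entry pairs a four-byte magic with `always_display: true`, and whether `short: true` confines matching to the start of the file is not visible in this hunk. If short signatures can also match at other offsets, any chance occurrence of one of these four-byte values inside a large image would be reported, only at lower confidence; if they cannot, the `result.offset != 0` branch in `encfw_parser` never runs. I would extend the comment to record the intent, e.g. `// Known encrypted firmware: identified by a 4-byte magic only, no extractor`. `patterns()` begins and ends outside the hunk.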
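--- a/src/signatures.rs
+++ b/src/signatures.rs
@@ -136,6 +136,7 @@ pub mod dxbc;
 pub mod ecos;
 pub mod efigpt;
 pub mod elf;
+pub mod encfw;
 pub mod encrpted_img;
 pub mod ext;
 pub mod fat;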
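--- a/src/signatures/encfw.rs
+++ b/src/signatures/encfw.rs
@@ -0,0 +1,66 @@
+use crate::signatures::common::{
+SignatureError, SignatureResult, CONFIDENCE_LOW, CONFIDENCE_MEDIUM,
+};
+use std::collections::HashMap;
+
+/// Known encrypted firmware magics and their associated make/model
+fn encfw_known_firmware() -> HashMap<Vec<u8>, String> {
+HashMap::from([
+(
+b"\xdf\x8c\x39\x0d".to_vec(),
+"D-Link DIR-822 rev C".to_string(),
+),
+(b"\x35\x66\x6f\x68".to_vec(), "D-Link DAP-1665".to_string()),
+(
+b"\xf5\x2a\xa0\xb4".to_vec(),
+"D-Link DIR-842 rev C".to_string(),
+),
+(
+b"\xe3\x13\x00\x5b".to_vec(),
+"D-Link DIR-850 rev A".to_string(),
+),
+(
+b"\x0a\x14\xe4\x24".to_vec(),
+"D-Link DIR-850 rev B".to_string(),
+),
+])
+}
+
+/// Human readable description
+pub const DESCRIPTION: &str = "Known encrypted firmware";
+
+/// Known encrypted firmware magic bytes
+pub fn encfw_magic() -> Vec<Vec<u8>> {
+encfw_known_firmware().keys().cloned().collect()
+}
+
+/// Parse the magic signature match
+pub fn encfw_parser(file_data: &[u8], offset: usize) -> Result<SignatureResult, SignatureError> {
+const MAGIC_LEN: usize = 4;
+
+// Successful return value
+let mut result = SignatureResult {
+offset,
+description: DESCRIPTION.to_string(),
+confidence: CONFIDENCE_MEDIUM,
+..Default::default()
+};
+
+if let Some(magic_bytes) = file_data.get(offset..offset + MAGIC_LEN) {
+if encfw_known_firmware().contains_key(magic_bytes) {
+if result.offset != 0 {
+result.confidence = CONFIDENCE_LOW;
+}
+
+result.description = format!(
+"{}, {}",
+result.description,
+encfw_known_firmware()[magic_bytes]
+);
+
+return Ok(result);
+}
+}
+
+Err(SignatureError)
+}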
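Review bot: `encfw_parser` reports a specific make/model at `CONFIDENCE_MEDIUM` on the strength of four bytes alone, with nothing checking that the data after the magic looks encrypted. One of the keys, `\x35\x66\x6f\x68`, is the printable ASCII string "5foh", so an unrelated file that begins with those characters would be labelled as D-Link DAP-1665 firmware. The doc comment on the parser should state that the match is magic-only and uncorroborated, so analysts treat the label as a hint rather than an identification. Separately, the table is rebuilt twice per match and then indexed with `[magic_bytes]`; a single lookup, `if let Some(model) = encfw_known_firmware().get(magic_bytes)`, avoids the second allocation and the panicking index. The unchecked `offset + MAGIC_LEN` could also be written as `offset.checked_add(MAGIC_LEN).and_then(|end| file_data.get(offset..end))`.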