Firmware extraction
The first step in the analysis process is to retrieve data from the uploaded firmware, in other words, firmware extraction. For this purpose the platform uses unblob, an open-source firmware extraction suite created by ONEKEY developers.
Unblob parses unknown binary blobs for over 100 different archive, compression, and file-system formats, and identifies both known and unknown chunks.
Known and unknown chunks?
Known chunks are segments of data within a file that belong to a known format, with clear start and end offsets. The start offset is located using a search rule; the end offset is computed from the format's specification.
Unknown chunks represent unidentified data before, after, or between known chunks. Examples of unknown chunks are custom headers, signatures, encrypted content, or firmware formats that are not yet supported by unblob.
The extraction process works as follows:
- Unblob scans the firmware for supported formats using format signatures.
- When a format is identified, the data between the start and end offsets of that valid chunk is carved to disk.
- The valid chunks are decompressed or extracted, depending on their format.
- The same is done with the unidentified data between the known chunks (the unknown chunks).
- The process is repeated recursively, with decompressed or extracted files being fed back to unblob.
Note
Unknown chunks composed of known content (for example padding) are automatically identified and reported.
For the full unblob documentation check: unblob.org
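As an added illustration (not the platform's or unblob's own code), the Python sketch below reproduces the steps above for a single format, gzip: the signature locates each chunk's start, the end offset is derived by inflating the stream, the gaps between known chunks become unknown chunks that are reported as padding or classified by entropy, and extracted content is fed back through the same scan recursively. The sample image is constructed inline; the bogus signature in its trailer exercises the false-match path.

```python
import gzip
import math
import zlib
from collections import Counter
GZIP_MAGIC = b"\x1f\x8b"  # search rule: the signature that locates a chunk's start
def gzip_end_offset(blob: bytes, start: int) -> int:
    """End offset from the format itself: inflate from `start`, zlib reports the leftover."""
    d = zlib.decompressobj(wbits=31)  # 31 = expect a gzip wrapper
    d.decompress(blob[start:])
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return len(blob) - len(d.unused_data)
def classify_unknown(data: bytes) -> str:
    """Padding (one repeated byte value) vs. low/high Shannon entropy (bits per byte)."""
    if data.count(data[0]) == len(data):
        return "padding"
    n = len(data)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return "high-entropy" if entropy > 7.0 else "low-entropy"

def find_chunks(blob: bytes) -> list[tuple[str, int, int]]:
    """Return (kind, start, end) for known gzip chunks and the unknown gaps between them."""
    chunks, last_end, search_from = [], 0, 0
    while (start := blob.find(GZIP_MAGIC, search_from)) != -1:
        try:
            end = gzip_end_offset(blob, start)
        except (zlib.error, ValueError):
            search_from = start + 1  # signature hit that is not a real member: keep scanning
            continue
        if start > last_end:
            chunks.append(("unknown", last_end, start))
        chunks.append(("gzip", start, end))
        last_end = search_from = end
    if last_end < len(blob):
        chunks.append(("unknown", last_end, len(blob)))
    return chunks

def analyze(blob: bytes, depth: int = 0) -> list[tuple[int, str, int, int]]:
    """Recursive pass: every carved gzip chunk is extracted and fed back through find_chunks."""
    out = []
    for kind, start, end in find_chunks(blob):
        label = kind if kind == "gzip" else "unknown/" + classify_unknown(blob[start:end])
        out.append((depth, label, start, end))
        if kind == "gzip":
            out += analyze(gzip.decompress(blob[start:end]), depth + 1)
    return out

def build_sample_blob() -> bytes:  # constructed image: header, gzip, 0xff padding, gzip-in-gzip, bogus magic, trailer
    inner = b"INNER-HDR" + gzip.compress(b"rootfs " * 32, mtime=0)
    return (b"HDR1" + b"\x00" * 12 + gzip.compress(b"kernel " * 16, mtime=0) + b"\xff" * 64
            + gzip.compress(inner, mtime=0) + b"\x1f\x8bNOT-GZIP" + bytes(range(256)))
```

Running `analyze(build_sample_blob())` yields a depth-annotated chunk tree: the nested rootfs payload appears at depth 2, the 64-byte gap is reported as padding, and the trailer with the fake signature ends up as a single high-entropy unknown chunk.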
On the ONEKEY platform, select the Extraction page in the Firmware analysis view of a firmware to display a list of all identified blobs.
See Firmware structure visualization for a graphical representation of the firmware content.
Once the firmware is extracted, the platform moves on to Enumeration.
Supported formats and filesystems
| Archive | Bare metal | Bootloader | Compression | Executable | Filesystem | Vendor |
|---|---|---|---|---|---|---|
| Apple DMG | FreeRTOS OTA | Android Bootloader (ABL) | BZIP2 | Binary Flat (BFLT) | Android AVB | Alcatel firmware |
| AR | Device Tree Blob (DTB) | Xilinx First Stage Bootloader (FSBL) | COMPRESS | ELF | Android DTBO | Autel ECC |
| ARC | | Qualcomm (MIBIB) | GZIP | Intel Hex | Android OTA | BNEG |
| ARJ | | | LZMA | Linux Kernel | Android Sparse | Bosch firmware |
| CAB | | | LZO | Motorola SREC | Android bootimg | Cisco ASDM |
| CPIO | | | LZIP | UF2 | Android superimg | Cisco CBS |
| Docker image | | | LZH | | Android vendorimg | Cisco SGZ |
| RAR | | | LZ4 | | BTRFS | D-Link Encrypted |
| StuffIt | | | ZLIB | | CRAMFS | D-Link SHRS |
| TAR | | | ZSTD | | Dahua Filesystem | Engenius |
| uImage | | | XZ | | dm-verity | Festo firmware |
| ZIP | | | | | eCos ROMFS | HP BDL |
| 7-ZIP | | | | | ExtFS | HP IPKG |
| | | | | | FAT | Hirschmann firmware |
| | | | | | Festo FEZLV | InstarHD |
| | | | | | HRFS | MTS firmware |
| | | | | | ISO9660 | Netgear CHK |
| | | | | | JFFS2 | Netgear TRX |
| | | | | | LittleFS | NewH firmware |
| | | | | | Master Boot Record (MBR) | PCK firmware |
| | | | | | MemFS | QNAP NAS |
| | | | | | Microchip MPFS | Rockwell firmware |
| | | | | | NTFS | Telit firmware |
| | | | | | QNX IFSv4 | Webrom firmware |
| | | | | | Qualcomm FBPK | Xiaomi HDR |
| | | | | | Qualcomm FBPT | |
| | | | | | ROMFS | |
| | | | | | Rockchip RKAF | |
| | | | | | Rockchip RKFW | |
| | | | | | SquashFS (v1, v2, v3, v4) | |
| | | | | | UBI | |
| | | | | | UBIFS | |
| | | | | | VMware VMDK | |
| | | | | | YAFFS | |
| | | | | | Yealink ROM | |
| | | | | | Yealink SQUASHFS | |
| | | | | | Yealink UBI | |
| | | | | | Yealink YAFFS | |
Tip
The platform also supports custom vendor formats. If you encounter a problem while uploading a custom format firmware, Request an Expert review.
Firmware structure visualization
This view helps you navigate through the nested layers that compose a firmware. Click on a file or a chunk in a lower level to reveal the underlying layer of the firmware structure.
Click on a chunk (green or blue rectangle in the visualization) to see its content:
- If there are further levels below the chunk, the visualization zooms in on them.
- If there are no further layers, the File details popup will open.
To go back to a previous folder click the folder's name at the top.
If you click on an unknown chunk, the Entropy chart will open.[^1]
Colors and their meaning:
- Red: unknown chunk.
- Blue: valid chunk.
- Green: file that contains chunks.
- Grey: file grouped by a category that does not contain chunks.
Note
Unknown chunks that we could not identify (or "unknown unknowns") are not shown in the visualization.
To find Firmware structure visualization:
- Select a firmware to enter Firmware analysis view.
- Go to the Extraction page.
- Select the Firmware structure tab.
[^1]: Entropy indicates the randomness of the data in a block. Higher entropy signifies that the data is either encrypted or compressed.