How to Extract Unencrypted Firmware Segments from Chinese OTA
This is documentation of my attempts at getting into the system files. My first try was on the English 3.0.2 OTA, which I assume is encrypted and hard to work with. This time I tried it on the Chinese version from this hub, which seems unencrypted and easier to "unpack" and cut into partition segments. I've managed to do that, but because of the lack of variables and documentation in those partitions, I think it would now need to be manually disassembled. I leave all of my findings in the hope that someone more competent will find this useful for their own purposes.
Details
Type: Documentation
Downloads: 3
Contributor: Lakafior
Installation Instructions
➜ Downloads esptool.py image_info full_flash.bin
esptool.py v4.10.0
File size: 16777216 (bytes)

Detected image type: ESP32-C3
Image version: 1
Entry point: 403cc710
3 segments

Segment 1: len 0x0038c load 0x3fcd5810 file_offs 0x00000018 [DRAM,BYTE_ACCESSIBLE]
Segment 2: len 0x006a0 load 0x403cc710 file_offs 0x000003ac [IRAM]
Segment 3: len 0x025f4 load 0x403ce710 file_offs 0x00000a54 [IRAM]
Checksum: 51 (valid)
Validation Hash: 9bc05e897975f634f44fbdf8c976a7dcff713817af4f0a7fcc92a7a5ecfa3645 (valid)

➜ Downloads dd if=full_flash.bin of=app0_partition.bin bs=1 skip=65536
16711680+0 records in
16711680+0 records out
16711680 bytes transferred in 20.995467 secs (795966 bytes/sec)

➜ Downloads esptool.py image_info app0_partition.bin
esptool.py v4.10.0
File size: 16711680 (bytes)

Detected image type: ESP32-C3
Image version: 1
Entry point: 40381a64
6 segments

Segment 1: len 0x4713d0 load 0x3c180020 file_offs 0x00000018 [DROM]
Segment 2: len 0x04084 load 0x3fc91c00 file_offs 0x004713f0 [DRAM,BYTE_ACCESSIBLE]
Segment 3: len 0x0ab94 load 0x40380000 file_offs 0x0047547c [IRAM]
Segment 4: len 0x1781c8 load 0x42000020 file_offs 0x00480018 [IROM]
Segment 5: len 0x06f64 load 0x4038ab94 file_offs 0x005f81e8 [IRAM]
Segment 6: len 0x00034 load 0x50000000 file_offs 0x005ff154 [RTC_IRAM,RTC_DRAM]
Checksum: 04 (valid)
Validation Hash: 33430eb577d16e51353f56fd192dbe125b0bdb3c9bddd80410325b66a6fad5e5 (valid)

➜ Downloads dd if=app0_partition.bin of=DROM_segment.bin bs=1 skip=24 count=4658128
4658128+0 records in
4658128+0 records out
4658128 bytes transferred in 5.716548 secs (814850 bytes/sec)

➜ Downloads dd if=app0_partition.bin of=DRAM_segment.bin bs=1 skip=4658160 count=16516
16516+0 records in
16516+0 records out
16516 bytes transferred in 0.033076 secs (499335 bytes/sec)

➜ Downloads dd if=app0_partition.bin of=IRAM1_segment.bin bs=1 skip=4674684 count=43924
43924+0 records in
43924+0 records out
43924 bytes transferred in 0.080036 secs (548803 bytes/sec)

➜ Downloads dd if=app0_partition.bin of=IROM_segment.bin bs=1 skip=4718616 count=1540552
1540552+0 records in
1540552+0 records out
1540552 bytes transferred in 1.950438 secs (789849 bytes/sec)

➜ Downloads dd if=app0_partition.bin of=IRAM2_segment.bin bs=1 skip=6259176 count=28516
28516+0 records in
28516+0 records out
28516 bytes transferred in 0.057075 secs (499623 bytes/sec)

➜ Downloads dd if=app0_partition.bin of=RTC_segment.bin bs=1 skip=6287700 count=52
52+0 records in
52+0 records out
52 bytes transferred in 0.000457 secs (113786 bytes/sec)
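The dd offsets in the session above are each segment's file_offs (the 8-byte segment header skipped) and its len, read off by hand from image_info. The script below is an added example, not the poster's code and not part of esptool: it parses the ESP image header directly, derives those skip/count pairs itself, and re-checks the XOR checksum and appended SHA-256 so you know a carved segment is intact. It assumes the image layout that image_info reports for ESP32-C3 (8-byte header, 16-byte extended header, then load_addr/length-prefixed segments, a 0xEF-seeded XOR checksum padded to the end of a 16-byte block, optional SHA-256 over everything up to and including that byte) and a subset of the ESP32-C3 memory map for naming segments; parse_image, dd_commands, build_image and the SAMPLE image are all mine, with SAMPLE being constructed test data rather than real firmware. Run on app0_partition.bin it should print the same six Segment lines as above.

```python
#!/usr/bin/env python3
"""Parse an ESP32-family image and carve its segments (added example, not the post's code)."""
import hashlib
import struct
from dataclasses import dataclass

ESP_IMAGE_MAGIC = 0xE9
CHECKSUM_SEED = 0xEF
HDR_LEN = 8 + 16  # header + extended header: segment 1's 8-byte header starts at 0x18

# Assumption: subset of the ESP32-C3 memory map esptool uses; first match names the file.
ESP32C3_MEMORY_MAP = [
    (0x3C000000, 0x3C800000, "DROM"),
    (0x3FC80000, 0x3FCE0000, "DRAM"),
    (0x3FC88000, 0x3FD00000, "BYTE_ACCESSIBLE"),
    (0x4037C000, 0x403E0000, "IRAM"),
    (0x42000000, 0x42800000, "IROM"),
    (0x50000000, 0x50002000, "RTC_IRAM"),
    (0x50000000, 0x50002000, "RTC_DRAM"),
]


@dataclass
class Segment:
    index: int        # 1-based, as image_info numbers them
    load_addr: int
    file_offs: int    # offset of the segment data = the dd skip= value
    data: bytes

    @property
    def regions(self) -> list:
        return [n for lo, hi, n in ESP32C3_MEMORY_MAP if lo <= self.load_addr < hi]


@dataclass
class Image:
    entry_point: int
    chip_id: int
    segments: list
    checksum_ok: bool
    hash_ok: bool     # None when the image carries no appended hash


def xor_fold(data: bytes, state: int = CHECKSUM_SEED) -> int:
    for b in data:
        state ^= b
    return state


def parse_image(blob: bytes) -> Image:
    magic, nseg, _mode, _size, entry = struct.unpack_from("<BBBBI", blob, 0)
    if magic != ESP_IMAGE_MAGIC:
        # A flash-encrypted partition fails here: there is no plaintext header to find.
        raise ValueError(f"bad magic 0x{magic:02x}: not a plaintext ESP image")
    chip_id, _rev, _rev_lo, _rev_hi, hash_appended = struct.unpack_from("<xxxxHBHHxxxxB", blob, 8)
    pos, checksum, segments = HDR_LEN, CHECKSUM_SEED, []
    for i in range(1, nseg + 1):
        load_addr, length = struct.unpack_from("<II", blob, pos)
        data = blob[pos + 8:pos + 8 + length]
        if len(data) != length:
            raise ValueError(f"segment {i} runs past end of file")
        checksum = xor_fold(data, checksum)
        segments.append(Segment(i, load_addr, pos + 8, data))
        pos += 8 + length
    cs_pos = pos + (15 - pos % 16)          # checksum byte closes a 16-byte block
    checksum_ok = blob[cs_pos] == checksum
    hash_ok = None
    if hash_appended == 1:
        end = cs_pos + 1
        hash_ok = hashlib.sha256(blob[:end]).digest() == blob[end:end + 32]
    return Image(entry, chip_id, segments, checksum_ok, hash_ok)


def dd_commands(img: Image, src: str) -> list:
    """The dd lines equivalent to the manual ones above, derived from the headers."""
    cmds = []
    for s in img.segments:
        region = s.regions[0] if s.regions else "UNKNOWN"
        cmds.append(f"dd if={src} of=seg{s.index}_{region}.bin bs=1 skip={s.file_offs} count={len(s.data)}")
    return cmds


def build_image(entry: int, chip_id: int, segments: list, hash_appended: bool = True) -> bytes:
    """Serialize (load_addr, data) pairs into an image; used only to construct sample input."""
    out = bytearray(struct.pack("<BBBBI", ESP_IMAGE_MAGIC, len(segments), 0, 0, entry))
    out += struct.pack("<xxxxHBHHxxxxB", chip_id, 0, 0, 0, int(hash_appended))
    checksum = CHECKSUM_SEED
    for load_addr, data in segments:
        out += struct.pack("<II", load_addr, len(data)) + data
        checksum = xor_fold(data, checksum)
    out += bytes(15 - len(out) % 16) + bytes([checksum])
    if hash_appended:
        out += hashlib.sha256(out).digest()
    return bytes(out)


# Constructed sample: a two-segment ESP32-C3 (chip_id 5) image, not real firmware.
SAMPLE = build_image(0x40381A64, 5, [(0x3C180020, bytes(range(16)) * 3), (0x3FC91C00, b"\x5a\xa5\x0f")])

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    img = parse_image(open(path, "rb").read()) if path else parse_image(SAMPLE)
    print(f"entry 0x{img.entry_point:08x} chip_id {img.chip_id} checksum_ok={img.checksum_ok} hash_ok={img.hash_ok}")
    for s in img.segments:
        print(f"Segment {s.index}: len 0x{len(s.data):05x} load 0x{s.load_addr:08x} file_offs 0x{s.file_offs:08x} {s.regions}")
    for c in dd_commands(img, path or "app0_partition.bin"):
        print(c)
```

Two caveats worth keeping in mind when reusing the procedure: the 0xE9 magic plus a valid checksum and hash are the quick test that a partition really is plaintext (an encrypted one fails at the magic check), and the skip=65536 in the first dd relies on the app partition sitting at 0x10000, which is only the ESP-IDF default; the partition table at 0x8000 (readable with ESP-IDF's gen_esp32part.py) is what actually says where app0 starts.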