How to Extract Unencrypted Firmware Segments from Chinese OTA

Details

Type: Documentation
Downloads: 23
Contributor: Lakafior

About this resource

This is documentation of my attempts at getting into the system files. My first try was on the English 3.0.2 OTA, which I assume is encrypted and hard to work with.
This time I was trying to do it on the Chinese version from this hub, which seems unencrypted and easier to "unpack" and cut into partition segments. I've managed to do that, but because of the lack of variables and documentation in those partitions, I think it would now need to be manually disassembled.
I leave all of my findings here in the hope that someone more competent will find them useful for their own purposes.

Installation Instructions

➜ Downloads esptool.py image_info full_flash.bin
esptool.py v4.10.0
File size: 16777216 (bytes)
Detected image type: ESP32-C3
Image version: 1
Entry point: 403cc710
3 segments

Segment 1: len 0x0038c load 0x3fcd5810 file_offs 0x00000018 [DRAM,BYTE_ACCESSIBLE]
Segment 2: len 0x006a0 load 0x403cc710 file_offs 0x000003ac [IRAM]
Segment 3: len 0x025f4 load 0x403ce710 file_offs 0x00000a54 [IRAM]
Checksum: 51 (valid)
Validation Hash: 9bc05e897975f634f44fbdf8c976a7dcff713817af4f0a7fcc92a7a5ecfa3645 (valid)
➜ Downloads dd if=full_flash.bin of=app0_partition.bin bs=1 skip=65536
16711680+0 records in
16711680+0 records out
16711680 bytes transferred in 20.995467 secs (795966 bytes/sec)
➜ Downloads esptool.py image_info app0_partition.bin
esptool.py v4.10.0
File size: 16711680 (bytes)
Detected image type: ESP32-C3
Image version: 1
Entry point: 40381a64
6 segments

Segment 1: len 0x4713d0 load 0x3c180020 file_offs 0x00000018 [DROM]
Segment 2: len 0x04084 load 0x3fc91c00 file_offs 0x004713f0 [DRAM,BYTE_ACCESSIBLE]
Segment 3: len 0x0ab94 load 0x40380000 file_offs 0x0047547c [IRAM]
Segment 4: len 0x1781c8 load 0x42000020 file_offs 0x00480018 [IROM]
Segment 5: len 0x06f64 load 0x4038ab94 file_offs 0x005f81e8 [IRAM]
Segment 6: len 0x00034 load 0x50000000 file_offs 0x005ff154 [RTC_IRAM,RTC_DRAM]
Checksum: 04 (valid)
Validation Hash: 33430eb577d16e51353f56fd192dbe125b0bdb3c9bddd80410325b66a6fad5e5 (valid)
➜ Downloads dd if=app0_partition.bin of=DROM_segment.bin bs=1 skip=24 count=4658128
4658128+0 records in
4658128+0 records out
4658128 bytes transferred in 5.716548 secs (814850 bytes/sec)
➜ Downloads dd if=app0_partition.bin of=DRAM_segment.bin bs=1 skip=4658160 count=16516
16516+0 records in
16516+0 records out
16516 bytes transferred in 0.033076 secs (499335 bytes/sec)
➜ Downloads dd if=app0_partition.bin of=IRAM1_segment.bin bs=1 skip=4674684 count=43924
43924+0 records in
43924+0 records out
43924 bytes transferred in 0.080036 secs (548803 bytes/sec)
➜ Downloads dd if=app0_partition.bin of=IROM_segment.bin bs=1 skip=4718616 count=1540552
1540552+0 records in
1540552+0 records out
1540552 bytes transferred in 1.950438 secs (789849 bytes/sec)
➜ Downloads dd if=app0_partition.bin of=IRAM2_segment.bin bs=1 skip=6259176 count=28516
28516+0 records in
28516+0 records out
28516 bytes transferred in 0.057075 secs (499623 bytes/sec)
➜ Downloads dd if=app0_partition.bin of=RTC_segment.bin bs=1 skip=6287700 count=52
52+0 records in
52+0 records out
52 bytes transferred in 0.000457 secs (113786 bytes/sec)
➜ Downloads