Created
December 12, 2018 20:37
-
-
Save dogtopus/b2aa1e90bdc66aeeb36c0b88f7ce8a88 to your computer and use it in GitHub Desktop.
CSR OTAU binary parser
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # CSR OTAU binary parser | |
| # https://developer.qualcomm.com/qfile/34081/csr102x_otau_overview.pdf | |
| # For use with test and demonstration only. This is obviously not official and | |
| # is not affiliated with Qualcomm. | |
| import io | |
| import os | |
| import sys | |
| MAGIC_HEADER = b'APPUHDR2' | |
| MAGIC_PART = b'PARTDATA' | |
| MAGIC_FOOTER = b'APPUPFTR' | |
| def read_otau(otau_path, out_path=None): | |
| with open(otau_path, 'rb') as otau: | |
| magic = otau.read(8) | |
| if magic != MAGIC_HEADER: | |
| raise RuntimeError('Not an OTAU file.') | |
| print_otau_header(otau) | |
| seq = 0 | |
| while True: | |
| magic = otau.read(8) | |
| if len(magic) == 0: | |
| print('EOF') | |
| break | |
| if magic == MAGIC_PART: | |
| print() | |
| ptype, pnum, psize = parse_partition_header(otau) | |
| if out_path is not None: | |
| out_file_path = os.path.join(out_path, f'{os.path.basename(otau_path)}.s{seq}.n{pnum}.t{ptype}') | |
| print(f'Dumping partition {pnum} to', out_file_path) | |
| with open(out_file_path, 'wb') as part: | |
| part.write(otau.read(psize)) | |
| else: | |
| otau.seek(psize, io.SEEK_CUR) | |
| seq += 1 | |
| elif magic == MAGIC_FOOTER: | |
| footer_size = int.from_bytes(otau.read(4), 'big') | |
| if out_path is not None: | |
| print(f'Dumping footer') | |
| with open(f'{os.path.basename(otau_path)}.footer', 'wb') as footer: | |
| footer.write(otau.read(footer_size)) | |
| else: | |
| otau.seek(footer_size, io.SEEK_CUR) | |
| else: | |
| raise RuntimeError(f'Unexpected magic {repr(magic)}') | |
| def print_otau_header(otau): | |
| hsize = int.from_bytes(otau.read(4), 'big') | |
| begin_pos = otau.tell() | |
| model = otau.read(8) | |
| ver = int.from_bytes(otau.read(4), 'big') | |
| n_compatatible_upgrades = int.from_bytes(otau.read(2), 'big') | |
| compatatible_upgrades = tuple(int.from_bytes(otau.read(4), 'big') for _ in range(n_compatatible_upgrades)) | |
| ps_config_ver = int.from_bytes(otau.read(2), 'big') | |
| n_prev_ps_config_vers = int.from_bytes(otau.read(2), 'big') | |
| prev_ps_config_vers = tuple(int.from_bytes(otau.read(2), 'big') for _ in range(n_prev_ps_config_vers)) | |
| end_pos = otau.tell() | |
| assert end_pos - begin_pos == hsize, f'Header size mismatch (got {end_pos - begin_pos}, expecting {hsize})' | |
| print('Model:', model) | |
| print('Upgrade version:', f'{ver >> 16}.{ver & 0xffff}') | |
| print('Compatible upgrades:') | |
| for cu in compatatible_upgrades: | |
| print(f' - {cu >> 16}.{cu & 0xffff}') | |
| print('PS (Persistent Storage?) config ver:', ps_config_ver) | |
| print('Prev PS config vers:') | |
| for ppsv in prev_ps_config_vers: | |
| print(f' - {ppsv}') | |
| def parse_partition_header(otau): | |
| # exclude ptype and pnum fields | |
| psize = int.from_bytes(otau.read(4), 'big') - 4 | |
| ptype = int.from_bytes(otau.read(2), 'big') | |
| pnum = int.from_bytes(otau.read(2), 'big') | |
| print('Partition #:', pnum) | |
| print('Partition type:', ptype) | |
| print('Payload size:', psize) | |
| return ptype, pnum, psize | |
| if __name__ == '__main__': | |
| if len(sys.argv) < 2: | |
| print(f'Usage: {sys.argv[0]} <otau> [outdir]') | |
| sys.exit(1) | |
| read_otau(sys.argv[1], (sys.argv[2] if len(sys.argv) >= 3 else None)) |
Ah yes, the cursed 16-bit "byte" or hextets. They are pretty common if you look at the right corner of the Internet but never gets support by major reverse engineering toolkit.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
AFAICT in this case (and well, all the other "big cans" until the WH-1000XM3) they used a CSR8675.
But I tri... Oh, what the fu they tell you it's RISC straight out of the product brief!And guess what? Let's just say that I could easily find the entire csr8670 ADK (which should be pretty much just an older version of the same chip) and they used this compiler. No shit ghidra was sometimes struggling to even find strings with something this weird.
https://reverseengineering.stackexchange.com/questions/22435/csr-dfu-file-format
And CSR-dfu2 is itself another file system with multiple files inside.
So.. the second one is probably (I took a guess) a "kalimba application package", and I presume it should mostly just be concerned with audio. I couldn't find an unpacker for kalpac2, nor a disassembler for kalasm2 (even compilers seem to be a miracle) so that's definitively a dead end.
As for the first one that looks 100% like a normal executable file (if even in its own format).
But alas I'm too much of a noob to work with IDA or radare.
https://github.com/ramikg/csr-dfu-parser#disassembly