https://github.com/chrivers/samsung-firmware-magic
Tool for decrypting the firmware files for Samsung SSDs
decryptor deobfuscation firmware firmware-extraction samsung
- Host: GitHub
- URL: https://github.com/chrivers/samsung-firmware-magic
- Owner: chrivers
- Created: 2020-04-08T23:31:03.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2021-04-11T13:08:57.000Z (about 5 years ago)
- Last Synced: 2025-03-16T07:41:30.953Z (over 1 year ago)
- Topics: decryptor, deobfuscation, firmware, firmware-extraction, samsung
- Language: Python
- Size: 3.91 KB
- Stars: 217
- Watchers: 10
- Forks: 23
- Open Issues: 7
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-connected-things-sec - Samsung Firmware Magic
- awesome-embedded-and-iot-security - Samsung Firmware Magic - Decrypt Samsung SSD firmware updates. (Software Tools / Misc Tools)
- awesome-drone-hacking - Samsung Firmware Magic - Decrypt Samsung SSD firmware updates. (💽 Autopilot Firmware / Firmware Extraction)
README
Samsung Firmware Magic
======================
Samsung distributes firmware updates for their SSDs for either "Windows" or
"Mac". Ironically, both of these are bootable Linux `.iso` files, containing the
actual firmware and update program.
The `.iso` files can be unpacked, but ultimately we end up with an obfuscated
binary blob, even for the meta information.
For the upstream file downloads, see
https://www.samsung.com/semiconductor/minisite/ssd/download/tools/
Out of curiosity, I decided to create a decryption tool for this obfuscated
format, which is found in this repository.
Unpacking iso image to firmware blob
------------------------------------
First, we download a firmware iso:
`wget http://downloadcenter.samsung.com/content/FM/201711/20171102105105735/Samsung_SSD_850_PRO_EXM04B6Q_Win.iso`
Next, we unpack the relevant file from the iso, the `initrd`:
`7z x Samsung_SSD_850_PRO_EXM04B6Q_Win.iso initrd`
This file is a gzip-compressed cpio archive, so use 7z to strip gzip:
`7z x initrd`
This produces `initrd~`, containing the uncompressed contents. From here we
extract the directory of interest, `root/fumagician`:
`7z -ofw x 'initrd~' root/fumagician`
This creates `fw/root/fumagician` in the current directory:
```
$ cd fw/root/fumagician
$ ls -l
total 5408
-rw-rw-r-- 1 user user 2124 1971-03-22 19:52 DSRD.enc
-rw-rw-r-- 1 user user 4752867 1971-03-22 19:52 EXM04B6Q.enc
-rw-rw-r-- 1 user user 772516 2016-10-14 10:42 fumagician
-rw-rw-r-- 1 user user 290 2016-10-14 10:42 fumagician.sh
```
The files `DSRD.enc` (XML list of firmwares) and `EXM04B6Q.enc` (firmwares)
are the obfuscated files that we can now decrypt.
Decrypting firmware blob
------------------------
The included `samsung-magic.py` script will unpack these `.enc` files, like so:
```shell
## show xml on stdout:
$ ./samsung-magic.py < fw/root/fumagician/DSRD.enc
## decrypt firmware to file:
$ ./samsung-magic.py < fw/root/fumagician/EXM04B6Q.enc > EXM04B6Q.bin
```
Seemingly, the folks at Samsung are huge fans of nesting things, because the
decrypted `EXM04B6Q.bin` file is actually a zip file, containing encrypted
firmware files:
```shell
$ unzip -l EXM04B6Q.bin
Archive:  EXM04B6Q.bin
  Length      Date    Time    Name
---------  ---------- -----   ----
  1048576  2017-02-19 10:41   EXM04B6Q_10170217.enc
  1048576  2017-02-19 10:41   EXM04B6Q_20170203.enc
  1048576  2017-02-19 10:41   EXM04B6Q_30170203.enc
  1048576  2017-02-19 10:41   EXM04B6Q_40170902.enc
  1048576  2017-02-19 10:41   EXM04B6Q_50170208.enc
  1048576  2017-02-19 10:41   EXM04B6Q_60170208.enc
---------                     -------
  6291456                     6 files
```
Luckily, the encryption is exactly the same, so `samsung-magic.py` can decrypt
these as well:
```
$ unzip EXM04B6Q.bin
$ ./samsung-magic.py < EXM04B6Q_10170217.enc > EXM04B6Q_10170217.bin
```
Now, at last, we have the raw firmware.
Enjoy!
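The walkthrough above passes through four container formats (ISO, gzip, cpio, zip) around the obfuscated `.enc` payloads. The following is an added example, not part of the original README or of `samsung-magic.py`: it identifies each layer by its standard magic number before an unpacker is chosen, and reports anything unrecognised as `unknown`. The function names and the sample bytes are constructed for illustration.

```python
import gzip
import io
import zipfile

# (offset, magic, name): standard signatures of the containers named above.
SIGNATURES = [
    (0x8001, b"CD001", "iso9660"),   # ISO 9660 primary volume descriptor
    (0, b"\x1f\x8b", "gzip"),
    (0, b"070701", "cpio-newc"),     # ASCII "new" cpio header, as used by initrd
    (0, b"PK\x03\x04", "zip"),       # zip local file header
]

def identify(data: bytes) -> str:
    """Name the container format of `data`, or 'unknown' (e.g. still obfuscated)."""
    for offset, magic, name in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return "unknown"

def peel(data: bytes, max_depth: int = 8) -> list:
    """Unwrap nested gzip layers (bounded depth) and return the formats seen."""
    chain = []
    for _ in range(max_depth):
        kind = identify(data)
        chain.append(kind)
        if kind != "gzip":
            break
        data = gzip.decompress(data)
    return chain

def zip_members(data: bytes) -> dict:
    """Map member name -> (format, size) for a zip archive held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: (identify(zf.read(i)), i.file_size)
                for i in zf.infolist()}

def sample_zip() -> bytes:
    # Constructed sample: a zip with one opaque member, shaped like EXM04B6Q.bin.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("EXM04B6Q_10170217.enc", bytes(range(7, 71)))
    return buf.getvalue()

if __name__ == "__main__":
    initrd = gzip.compress(b"070701" + b"0" * 104)  # constructed cpio header
    print(peel(initrd))
    print(zip_members(sample_zip()))
```

A member reported as `unknown` after decryption is the cue to run it through the decryptor again, as the README does for the inner `.enc` files.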