https://github.com/raphaelcoeffic/horus_frk
Extracting Horus internal RF firmware
- Host: GitHub
- URL: https://github.com/raphaelcoeffic/horus_frk
- Owner: raphaelcoeffic
- Created: 2019-07-26T14:23:56.000Z (almost 7 years ago)
- Default Branch: master
- Last Pushed: 2019-08-05T08:03:03.000Z (almost 7 years ago)
- Last Synced: 2025-08-20T09:35:11.539Z (10 months ago)
- Size: 3.91 KB
- Stars: 1
- Watchers: 0
- Forks: 4
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# horus_frk
Extracting Horus internal RF firmware
```
Commands:
=========
Find prolog:
------------
$ binwalk -R "\x79\x09\xAA\x9A\xBE\x70\x25\xB3\x7C\xF9\x87\x5F\xAA\x7C\xC3\xD1" X10*.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1793748 0x1B5ED4 \x79\x09\xAA\x9A\xBE\x70\x25\xB3\x7C\xF9\x87\x5F\xAA\x7C\xC3\xD1
-> this is your offset (0x1B5ED4 in hexadecimal or 1793748 in decimal)
Find end-of-firmware:
---------------------
$ binwalk -R "\x00\x00\x00\x00" -l 80000 -o 0x1B5ED4 X12S_mode1_NEU_1603_frtx.bin | head -n 5
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1867476 0x1C7ED4 \x00\x00\x00\x00
1867486 0x1C7EDE \x00\x00\x00\x00
-> this gives you the end offset. If you subtract the previous offset from that one, you get the length.
Check what is before the prolog:
--------------------------------
Here we want to see what is contained in the 16 bytes before the firmware,
so we display 16 bytes, beginning at (start offset - 0x10).
So here: 0x1B5ED4 - 0x10 = 0x1B5EC4
$ binwalk -W -l 16 -o 0x1B5EC4 X12S_mode1_NEU_1603_frtx.bin
OFFSET X12S_mode1_NEU_1603_frtx.bin
--------------------------------------------------------------------------------
0x001B5EC4 00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00 |...........<....|
In this firmware, the length seems to be encoded after the firmware, so let's have a look at it.
Check epilog:
-------------
Here we want to look at the 16 bytes after the firmware, which is why we use the end offset (0x1C7ED4).
$ binwalk -W -l 16 -o 0x1C7ED4 X12S_mode1_NEU_1603_frtx.bin
OFFSET X12S_mode1_NEU_1603_frtx.bin
--------------------------------------------------------------------------------
0x001C7ED4 00 00 00 00 01 20 01 00 4A 31 00 00 00 00 00 00 |........J1......|
-> firmware size: 0x012000 (72KB)
Now we should check that the numbers match:
end offset - start offset = 0x1C7ED4 - 0x1B5ED4 = 0x12000
-> Looks good!
Cut firmware out:
-----------------
Here we use the start offset (0x1B5ED4) and the length (72k):
$ dd bs=1 skip=$((0x1B5ED4)) if=X12S_mode1_NEU_1603_frtx.bin of=X12S_NEU_1603_iXJT.frk count=72k
73728+0 records in
73728+0 records out
73728 bytes transferred in 0.598368 secs (123215 bytes/sec)
Please note that using "count=$((0x12000))" would work just the same.
Offset Filename Before prolog Epilog / Size
===========================================================================================================================================
0x110C5C X10S_EU_1102_frtx.bin 00 00 00 00 00 00 10 3C 00 80 2A 44 01 20 01 00 size: 0x012000
0x110C0C X10S_NEU_1102_frtx.bin 00 00 00 00 00 00 10 3C 00 80 2A 44 01 20 01 00 size: 0x012000
0x1220D0 X10_mode1_EU_1204_frtx.bin 00 00 00 00 00 00 10 3C 00 80 2A 44 01 20 01 00 size: 0x012000
0x1220D8 X10_mode2_EU_1204_frtx.bin 00 00 00 00 00 00 10 3C 00 80 2A 44 01 20 01 00 size: 0x012000
0x121DF0 X10_mode1_NEU_1204_frtx.bin 00 00 00 00 00 00 10 3C 00 80 2A 44 01 20 01 00 size: 0x012000
0x121DF8 X10_mode2_NEU_1204_frtx.bin 00 00 00 00 00 00 10 3C 00 80 2A 44 01 20 01 00 size: 0x012000
0x12C04C X12S_NEU_1404_frtx.bin 00 00 00 00 00 00 10 3C 00 80 2A 44 01 18 01 00 size: 0x011800
0x12C0C4 X12S_EU_1404_frtx.bin 00 00 00 00 00 00 10 3C 00 80 2A 44 01 18 01 00 size: 0x011800
0x136D14 X12S_mode2_NEU_1505_frtx.bin 00 00 00 00 00 00 10 3C 00 80 2A 44 01 20 01 00 size: 0x012000
0x136D0C X12S_mode1_NEU_1505_frtx.bin 00 00 00 00 00 00 10 3C 00 80 2A 44 01 20 01 00 size: 0x012000
0x13704C X12S_mode2_EU_1505_frtx.bin 00 00 00 00 00 00 10 3C 00 80 2A 44 01 28 01 00 size: 0x012800
0x137044 X12S_mode1_EU_1505_frtx.bin 00 00 00 00 00 00 10 3C 00 80 2A 44 01 28 01 00 size: 0x012800
0x19FE1C X10_EU_1304_Beta0228_frtx.bin 00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00 00 00 00 00 01 20 01 00 size: 0x012000
0x19FAF4 X10_FLEX_1304_Beta0228_frtx.bin 00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00 00 00 00 00 01 20 01 00 size: 0x012000
0x19FA34 X10_NEU_1304_Beta0228_frtx.bin 00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00 00 00 00 00 01 20 01 00 size: 0x012000
0x1A259C X12S_NEU_1225_frtx.bin 00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00 00 00 00 00 01 18 01 00 size: 0x011800
0x1A25F4 X12S_EU_1225_frtx.bin 00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00 00 00 00 00 01 18 01 00 size: 0x011800
0x1B5ED4 X12S_mode1_NEU_1603_frtx.bin 00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00 00 00 00 00 01 20 01 00 size: 0x012000
0x1B5ED4 X12S_mode2_NEU_1603_frtx.bin 00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00 00 00 00 00 01 20 01 00 size: 0x012000
0x1B5F8C X12S_mode1_FLEX_1603_frtx.bin 00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00 00 00 00 00 01 20 01 00 size: 0x012000
0x1B5F8C X12S_mode2_FLEX_1603_frtx.bin 00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00 00 00 00 00 01 20 01 00 size: 0x012000
0x1B62B4 X12S_mode1_EU_1603_frtx.bin 00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00 00 00 00 00 01 28 01 00 size: 0x012800
0x1B62B4 X12S_mode2_EU_1603_frtx.bin 00 00 00 00 00 00 00 00 00 00 10 3C 2E 00 00 00 00 00 00 00 01 28 01 00 size: 0x012800
```
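The README's procedure (find the prolog signature, find the first four-zero-byte run after it, read the size recorded in the epilog, cross-check it against the scanned length, then cut the blob out) reproduced as one Python script. This is an added example, not code from the horus_frk repository. The prolog signature, the 16 bytes before the prolog and the 16 epilog bytes are copied from the page; the sample image the script builds is constructed, not a real frtx.bin. One thing the page does not spell out is how `01 20 01 00` yields 0x012000; the decoding used here (a 16-bit value 0x0120 counted in 256-byte units, which also reproduces the 0x011800 and 0x012800 rows of the table) is an assumption. The cross-check matters because the four-zero-byte end marker is only a heuristic: a zero run inside the firmware body would produce an early hit, and the size field is what catches it.

```python
"""Carve the internal RF firmware out of a Horus frtx.bin image.

Added example, not part of the horus_frk repository. It mirrors the
README's binwalk/dd steps and adds the length cross-check.
Assumption (not stated on the page): the 16-bit value at epilog+4 is the
firmware size in 256-byte units (0x0120 -> 0x012000, 0x0118 -> 0x011800).
"""
import struct
import sys

# 16-byte prolog signature the README searches for with `binwalk -R` (from the page).
PROLOG = bytes.fromhex("7909AA9ABE7025B37CF9875FAA7CC3D1")
# The README's end-of-firmware marker: first run of four zero bytes after the prolog.
END_MARKER = b"\x00\x00\x00\x00"
# Search window used on the page (`binwalk -l 80000`).
SEARCH_LEN = 80000


def find_prolog(blob: bytes) -> int:
    """Offset of the prolog signature, or -1 (equivalent of `binwalk -R <signature>`)."""
    return blob.find(PROLOG)


def find_end(blob: bytes, start: int, window: int = SEARCH_LEN) -> int:
    """Offset of the first four zero bytes within `window` bytes after `start`, or -1.
    This is the README's heuristic: it assumes the firmware body itself contains no
    four-byte zero run, so the caller must cross-check the result."""
    return blob.find(END_MARKER, start, start + window)


def epilog_size(blob: bytes, end: int) -> int:
    """Firmware size recorded in the epilog.
    Assumption: big-endian u16 at end+4, in 256-byte units ('01 20 01 00' -> 0x012000)."""
    (units,) = struct.unpack_from(">H", blob, end + 4)
    return units * 0x100


def carve(blob: bytes) -> dict:
    """Locate the embedded firmware, verify that end - start equals the epilog size,
    and return the carved bytes plus the offsets. Raises ValueError on a mismatch,
    which is what a false end-marker hit looks like."""
    start = find_prolog(blob)
    if start < 0:
        raise ValueError("prolog signature not found")
    end = find_end(blob, start)
    if end < 0:
        raise ValueError("no end marker within the search window")
    declared = epilog_size(blob, end)
    scanned = end - start
    if declared != scanned:
        raise ValueError(f"length mismatch: scanned 0x{scanned:X}, epilog says 0x{declared:X}")
    return {
        "start": start,
        "end": end,
        "size": scanned,
        "before_prolog": blob[max(start - 16, 0):start],  # what `binwalk -W -o start-0x10` shows
        "epilog": blob[end:end + 16],                      # what `binwalk -W -o end` shows
        "firmware": blob[start:end],                       # what `dd skip=start count=size` writes
    }


def build_sample_image(prefix_len: int = 0x100) -> bytes:
    """Constructed test image, not a real frtx.bin: 0xFF padding, the 16 pre-prolog
    bytes and the 16 epilog bytes from the page, and a zero-free filler body sized so
    that prolog + body = 0x12000 bytes."""
    before = bytes.fromhex("00000000000000000000103C2E000000")
    epilog = bytes.fromhex("00000000012001004A31000000000000")
    body_len = 0x12000 - len(PROLOG)
    filler = (bytes(range(1, 256)) * (body_len // 255 + 1))[:body_len]
    return b"\xFF" * prefix_len + before + PROLOG + filler + epilog + b"\xFF" * 64


if __name__ == "__main__":
    # Usage: carve_frk.py <input frtx.bin> <output .frk>
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        result = carve(f.read())
    with open(dst, "wb") as f:
        f.write(result["firmware"])
    print(f"start 0x{result['start']:X} end 0x{result['end']:X} size 0x{result['size']:X}")
```

Run on the constructed image, `carve()` reports start 0x110, end 0x12110 and size 0x12000, matching the page's "end offset - start offset = 0x12000" check; patching a four-byte zero run into the body makes the end search stop early and the size cross-check raise instead of silently producing a truncated file.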