[File] [PATCH] Magdir/archive POSIX tar generic for AVM FRITZ!Box images
Jörg Jenderek (GMX)
joerg.jen.der.ek at gmx.net
Wed Jan 31 01:41:22 UTC 2024
Hello,
some days ago i update my router manually. The device is from company
with name AVM. The firmware (called FRITZ!OS) can be downloaded and
installed via web interface. The firmware samples have names like
FRITZ.Box_4040-07.57.image where 4040 is the model name and 07.57 is the
firmware version.
When i run file command version 5.45 on such samples with -e tar option
i get an output like:
FRITZ.Box_4040-07.12.image: POSIX tar archive (GNU), directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 13514356267
FRITZ.Box_4040-07.57.image: POSIX tar archive (GNU), directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14474472440
FRITZ.Box_5530_Fiber-07.58.image: POSIX tar archive (GNU), directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14476336641
FRITZ.Box_6490_Cable-07.57.image: POSIX tar archive (GNU), directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14474577126
FRITZ.Box_6660_Cable-07.57.image: POSIX tar archive (GNU), directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14474612254
FRITZ.Box_6820v3_LTE-07.57.image: POSIX tar archive (GNU), directory
./lte/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14475334204
FRITZ.Box_7272-06.88.image: POSIX tar archive (GNU), directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14476052240
FRITZ.Box_7362_SL-07.14.image: POSIX tar archive (GNU), directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14475035071
FRITZ.Box_7412.137.06.88.image: POSIX tar archive (GNU), directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14474710751
FRITZ.Box_7520_B-07.57.image: POSIX tar archive (GNU), directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14474476653
FRITZ.Box_7583_VDSL-07.57.image: POSIX tar archive (GNU), directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14474466115
FRITZ.Box_7590_AX-07.57.image: POSIX tar archive (GNU), directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14474465455
With option --extension for samples wrong tar/gtar suffix are shown.
With -i option application/x-gtar is shown.
For comparison reason i also run the file format identification utility
DROID (See https://sourceforge.net/projects/droid/). Here the samples
are recognized generic. These are described as "Tape Archive Format"with
mime type application/x-tar by PUID x-fmt/265.
On Linux according to shared MIME-info database such samples are called
"Tar archive". Here application/x-gtar is used as mime type. The
samples are just recognized by looking for 8 byte sequence
ustar\040\040\0 at offset 257. Here 3 suffix (tar gtar gem) are listed.
That information can be seen in source freedesktop.org.xml.in found for
example on gitlab.freedesktop.org.
For comparison reason i run the file format identification utility
TrID ( See https://mark0.net/soft-trid-e.html). This identifies
the samples with highest priority as "AVM FRITZ!Box firmware" with mime
type application/x-gtar by image-avm.trid.xml. The samples are also
described as "TAR - Tape ARchive (GNU)" with application/x-gtar mime
type and 2 suffix (.TAR/GTAR) by ark-tar-gnu.trid.xml. The samples are
also described with lowest priority as "TAR - Tape ARchive (directory)"
with application/x-tar mime type and 1 suffix (.TAR) by
ark-tar-dir.trid.xml (See appended trid-v-image.txt.gz).
This tool list the used file name extension and with -v option the
related URL pointing to some file format information. The tar format is
documented, but is is used by AVM to pack their firmware, but i found no
official page about what is difference to distinguish their images from
other TAR archives. With German language i found pages in context with
alternative firmware freetz. With English language i found a page in
context with IT security. So i use this as reference. That informations
are expressed by comment lines inside Magdir/archive like:
# URL: https://en.wikipedia.org/wiki/Fritz!Box
# URL: https://www.redteam-pentesting.de/de/advisories/rt-sa-2014-010/
# -avm-fritz-box-firmware-signature-bypass
# Ref.: http://mark0.net/download/triddefs_xml.7z
# defs/i/image-avm.trid.xml
So i put displaying part inside sub routine that starts like
0 name tar-avm
>0 string x AVM FRITZ!Box firmware
!:mime application/x-avm-image
!:ext image
AVM instead of standard suffix like GTAR or TAR use another file name
suffix. This company behaves like Microsoft. There is neither
explanation nor file registration. Shame on them. Where is our political
elite? For myself i must get many regulation and such companies can put
their firmware files on my computer without any rules. That in the end
leads to trouble, because there exist other file formats with same name
suffix image. Instead of standard tar mime type i choose an user defined
one. So instead of unpacking tool a flashing tool for AVM firmware can
be called.
The sub routine ends with lines looking like:
>0 use tar-entry
>156 ubyte 0x35
>>512 use tar-entry
So for control reason show first tar entry. Apparently the firmware
entry seems to start with a relative directory entry. Often this is
./var/, but i found one example starting with ./lte/. So i use this fact
as test before calling this subroutine and before general case with
calling tar-file. So inserted lines look like:
>>>>>>>>0 ubequad&0xFFffE5eaE8ffFFff 0x2e2f6460602f0000
>>>>>>>>>0 use tar-avm
If first entry is directory (indicated by type flag value 0x35) this has
no content and in next block starts second entry. So by last line in sub
routine this entry is also shown. Often second name is ./var/content.
Many have /var/install and few have ./var/chksum and one sample has
./lte/modfw.nfo. So maybe first test for AVM images is maybe not too
specific. Then a second test branch must be inserted which look like:
# >>>>>>>>>517 string /content\0
# >>>>>>>>>>0 use tar-avm
# >>>>>>>>>517 string /install\0
# >>>>>>>>>>0 use tar-avm
# >>>>>>>>>517 string /chksum\0
# >>>>>>>>>>0 use tar-avm
# >>>>>>>>>517 string /modfw.nfo\0
# >>>>>>>>>>0 use tar-avm
I looked inside TrID definition for AVM characteristic patterns and i
try to translate this into magic lines, but i get no general solution.
The main problem was that characteristic patterns sometimes occur dozen
of MB behind the beginning and that is beyond file command limits.
Many image have ./var/content as second entry. Apparently these text
file start with line like:
Product=Fritz_Box_HW227 (FRITZ!Box 4040)
So show this information inside sub routine tar-avm by lines like:
>>1024 search/512 Product=Fritz_Box_
>>>&0 string x %s
A little bit later comes phrase version followed by equal sign. This is
followed by version string (like 07.57 07.58). So i also show this
information by adaptional lines inside sub routine. These look like:
>>>1044 search Version= \b, version
>>>>&0 string x %s
After applying the above mentioned modifications by patch
file-archive-image.diff then my AVM images are more precisely described.
This now looks like:
FRITZ.Box_4040-07.12.image: AVM FRITZ!Box firmware
, directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 13514356267
, file
./var/install, mode 0100755
, uid 0000000,
gid 0000000, size 00000061064,
seconds 13514356267
FRITZ.Box_4040-07.57.image: AVM FRITZ!Box firmware
HW227 (FRITZ!Box 4040)
, version 07.57
, directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14474472440
, file
./var/content, mode 0100644
, uid 0000000,
gid 0000000, size 00000000530,
seconds 14474472440
FRITZ.Box_5530_Fiber-07.58.image: AVM FRITZ!Box firmware
HW257 (FRITZ!Box 5530 Fiber)
, version 07.58
, directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14476336641
, file
./var/content, mode 0100644
, uid 0000000,
gid 0000000, size 00000000547,
seconds 14476336641
FRITZ.Box_6490_Cable-07.57.image: AVM FRITZ!Box firmware
HW213a (FRITZ!Box 6490 Cable)
, version 07.57
, directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14474577126
, file
./var/content, mode 0100644
, uid 0000000,
gid 0000000, size 00000000532,
seconds 14474577126
FRITZ.Box_6660_Cable-07.57.image: AVM FRITZ!Box firmware
HW252a (FRITZ!Box 6660 Cable)
, version 07.57
, directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14474612254
, file
./var/content, mode 0100644
, uid 0000000,
gid 0000000, size 00000000535,
seconds 14474612254
FRITZ.Box_6820v3_LTE-07.57.image: AVM FRITZ!Box firmware
, directory
./lte/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14475334204
, file
./lte/modfw.nfo, mode 0100444
, uid 0000000,
gid 0000000, size 00000000426,
seconds 14475334204
FRITZ.Box_7272-06.88.image: AVM FRITZ!Box firmware
, directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14476052240
, file
./var/chksum, mode 0100550
, uid 0000000,
gid 0000000, size 00001040660,
seconds 13006104074
FRITZ.Box_7362_SL-07.14.image: AVM FRITZ!Box firmware
, directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14475035071
, file
./var/install, mode 0100755
, uid 0000000,
gid 0000000, size 00000107123,
seconds 14475035071
FRITZ.Box_7412.137.06.88.image: AVM FRITZ!Box firmware
, directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14474710751
, file
./var/chksum, mode 0100550
, uid 0000000,
gid 0000000, size 00001040030,
seconds 12773015052
FRITZ.Box_7520_B-07.57.image: AVM FRITZ!Box firmware
HW276 (FRITZ!Box 7520 B)
, version 07.57
, directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14474476653
, file
./var/content, mode 0100644
, uid 0000000,
gid 0000000, size 00000000543,
seconds 14474476653
FRITZ.Box_7583_VDSL-07.57.image: AVM FRITZ!Box firmware
HW260 (FRITZ!Box 7583 VDSL)
, version 07.57
, directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14474466115
, file
./var/content, mode 0100644
, uid 0000000,
gid 0000000, size 00000000546,
seconds 14474466115
FRITZ.Box_7590_AX-07.57.image: AVM FRITZ!Box firmware
HW259 (FRITZ!Box 7590 AX)
, version 07.57
, directory
./var/, mode 0040755, uid 0000000,
gid 0000000, size 00000000000,
seconds 14474465455
, file
./var/content, mode 0100644
, uid 0000000,
gid 0000000, size 00000000544,
seconds 14474465455
I hope my diff file can be applied in future version of file
utility.
With best wishes,
Jörg Jenderek
--
Jörg Jenderek
-------------- next part --------------
--
File mailing list
File at astron.com
https://mailman.astron.com/mailman/listinfo/file
-------------- next part --------------
--- file-master/magic/Magdir/archive.old 2024-01-30 22:31:26.818517800 +0100
+++ file-master/magic/Magdir/archive 2024-01-31 02:29:10.340810800 +0100
@@ -39,9 +39,24 @@
# check for 1st member name with ovf suffix
>>>>>>>>0 regex \^.{1,96}[.](ovf)
>>>>>>>>>0 use tar-ova
-# if 1st member name without digits and without used image suffix, without *.ovf and TpmEmuTpms/ then it is a pure TAR archive
+# look for relative directory ./var/ or ./lte/ as 1st member name that indicates AVM firmware with other file name suffix
+>>>>>>>>0 ubequad&0xFFffE5eaE8ffFFff 0x2e2f6460602f0000
+>>>>>>>>>0 use tar-avm
+# maybe look for AVM specific 2nd name entry
+# >>>>>>>>>517 string /content\0 content~
+# >>>>>>>>>>0 use tar-avm
+# >>>>>>>>>517 string /install\0 install~
+# >>>>>>>>>>0 use tar-avm
+# >>>>>>>>>517 string /chksum\0 chksum~
+# >>>>>>>>>>0 use tar-avm
+# >>>>>>>>>517 string /modfw.nfo\0 modfw~
+# >>>>>>>>>>0 use tar-avm
+# if 1st member name without digits and without used image suffix, without *.ovf,
+# ./var/ , ./lte/ and TpmEmuTpms/ then it is a pure TAR archive
>>>>>>>>0 default x
>>>>>>>>>0 use tar-file
+# Note: called "TAR - Tape ARchive" by TrID, "Tape Archive Format" by DROID via PUID x-fmt/265
+# and "Tar archive" by shared MIME-info database from freedesktop.org
# minimal check and then display tar archive information which can also be
# embedded inside others like Android Backup, Clam AntiVirus database
0 name tar-file
@@ -151,7 +166,7 @@
>>265 string >\0 \b, user %-.32s
# group name null terminated
>>297 string >\0 \b, group %-.32s
-# device major minor if not zero
+# device major minor if not zero (binary or ASCII)
>>329 ubequad&0xCFCFCFCFcFcFcFdf !0
>>>329 string x \b, devmaj %-.7s
>>337 ubequad&0xCFCFCFCFcFcFcFdf !0
@@ -215,6 +230,33 @@
# assuming name[100] like: DOS-0.9.ovf FreeDOS_1.ovf Win98SE_DE.ovf
#>0 string >\0 \b, with %-.60s
>0 use tar-entry
+# Summary: AVM firmware (FRITZ!OS) for the FRITZ!Box (router)
+# From: Joerg Jenderek
+# URL: https://en.wikipedia.org/wiki/Fritz!Box
+# https://www.redteam-pentesting.de/de/advisories/rt-sa-2014-010/-avm-fritz-box-firmware-signature-bypass
+# Reference: http://mark0.net/download/triddefs_xml.7z/defs/i/image-avm.trid.xml
+# Note: verified by 7-Zip `7z l -ttar FRITZ.Box_4040-07.57.image`
+0 name tar-avm
+>0 string x AVM FRITZ!Box firmware
+#!:mime application/x-gtar
+!:mime application/x-avm-image
+!:ext image
+# tar member ./var/content starts with line like "Product=Fritz_Box_HW227 (FRITZ!Box 4040)"
+>>1024 search/512 Product=Fritz_Box_
+>>>&0 string x %s
+# version string like: 07.57 07.58
+>>>1044 search Version= \b, version
+>>>>&0 string x %s
+# product phrase too far behind (dozen MB) in many samples like: FRITZ.Box_4040-07.12.image FRITZ.Box_6820v3_LTE-07.57.image
+# so try to look for other characteristic foo
+# >>1024 default x OTHER_PATTERN!
+# >>>1023 search AVM_PATTERN PATTERNfound
+# first name[100] like: ./var/ ./lte/
+>0 use tar-entry
+# if 1st entry is directory then show 2nd entry
+>156 ubyte 0x35
+# 2nd tar member name like: ./var/content (often ) ./var/install ./var/chksum ./lte/modfw.nfo
+>>512 use tar-entry
# Incremental snapshot gnu-tar format from:
# https://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-archive-image.diff.sig
Type: application/octet-stream
Size: 1758 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20240131/c8a3636a/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trid-v-image.txt.gz
Type: application/x-gzip
Size: 1015 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20240131/c8a3636a/attachment.bin>
More information about the File
mailing list