skochinsky · August 5, 2021 11:36
diff --git a/ftab_split.py b/ftab_split.py
 #!/usr/bin/env python3
 # initial script by b1n4r1b01 but he deleted his repo
 # https://gist.github.com/woachk/6092f9ae950455dcdf8428c3ce2d639e
 # added python3 support

 import sys
 import struct 
 import os


 def extract_ticket(fw_bin):
    """
    Extract APticket wich is DER encoded.
    """
    fw_bin.seek(16)
    data = fw_bin.read(4)
    ticket_offset = struct.unpack('<i',data)[0]

    print("ticket offset : {}".format(ticket_offset))

    fw_bin.seek(20)
    data = fw_bin.read(4)
    sz = struct.unpack('<i',data)[0]

    print("ticket size : {}".format(sz))

    if sz != 0:
        fw_bin.seek(ticket_offset)
        ticket = fw_bin.read(sz)
        open("ticket", 'wb').write(ticket)


 def get_image_info(ftab, base_offset):
    # seek at the occurence which is the name of the image
    # first image should be rkos
    ftab.seek(base_offset)
    tag = ftab.read(4).decode()

    # get address of image
    ftab.seek(base_offset + 4)
    offset = struct.unpack('<i', ftab.read(4))[0]

    # get size of image
    ftab.seek(base_offset + 8)
    sz = struct.unpack('<i', ftab.read(4))[0]

    return tag, offset, sz


 def split_firmware(ftab):
    default_offset = 48
    tag, offset, sz = get_image_info(ftab, 48)
    offset_tag = offset

    while default_offset < offset_tag:
        print("tag : {}    offset : {}    size : {}".format(tag, hex(offset), hex(sz)))

        ftab.seek(offset)
        img_data = ftab.read(sz)
        open(tag, 'wb').write(img_data)

        default_offset += 16
        tag, offset, sz = get_image_info(ftab, default_offset)
        
        if default_offset == offset_tag:
            return 0
    return 1


 def main():
    if len(sys.argv) != 2:
        print("Usage rkos_extract.py [ftab.bin]")
        return 1

    firmware = sys.argv[1]

    ftab = open(firmware, 'rb')
    ftab.seek(0x20)

    magic = ftab.read(8) 
    print(magic.decode())

    if magic.decode() != "rkosftab":
        print("bad magic")
        return 1

    extract_ticket(ftab)
    split_firmware(ftab)

    ftab.close()

    return 0


 if __name__ == '__main__':
 	sys.exit(main())
	#!/usr/bin/env python3
	# initial script by b1n4r1b01 but he deleted his repo
	# https://gist.github.com/woachk/6092f9ae950455dcdf8428c3ce2d639e
	# added python3 support

	import sys
	import struct
	import os


	def extract_ticket(fw_bin):
	"""
	Extract APticket wich is DER encoded.
	"""
	fw_bin.seek(16)
	data = fw_bin.read(4)
	ticket_offset = struct.unpack('<i',data)[0]

	print("ticket offset : {}".format(ticket_offset))

	fw_bin.seek(20)
	data = fw_bin.read(4)
	sz = struct.unpack('<i',data)[0]

	print("ticket size : {}".format(sz))

	if sz != 0:
	fw_bin.seek(ticket_offset)
	ticket = fw_bin.read(sz)
	open("ticket", 'wb').write(ticket)


	def get_image_info(ftab, base_offset):
	# seek at the occurence which is the name of the image
	# first image should be rkos
	ftab.seek(base_offset)
	tag = ftab.read(4).decode()

	# get address of image
	ftab.seek(base_offset + 4)
	offset = struct.unpack('<i', ftab.read(4))[0]

	# get size of image
	ftab.seek(base_offset + 8)
	sz = struct.unpack('<i', ftab.read(4))[0]

	return tag, offset, sz


	def split_firmware(ftab):
	default_offset = 48
	tag, offset, sz = get_image_info(ftab, 48)
	offset_tag = offset

	while default_offset < offset_tag:
	print("tag : {} offset : {} size : {}".format(tag, hex(offset), hex(sz)))

	ftab.seek(offset)
	img_data = ftab.read(sz)
	open(tag, 'wb').write(img_data)

	default_offset += 16
	tag, offset, sz = get_image_info(ftab, default_offset)

	if default_offset == offset_tag:
	return 0
	return 1


	def main():
	if len(sys.argv) != 2:
	print("Usage rkos_extract.py [ftab.bin]")
	return 1

	firmware = sys.argv[1]

	ftab = open(firmware, 'rb')
	ftab.seek(0x20)

	magic = ftab.read(8)
	print(magic.decode())

	if magic.decode() != "rkosftab":
	print("bad magic")
	return 1

	extract_ticket(ftab)
	split_firmware(ftab)

	ftab.close()

	return 0


	if __name__ == '__main__':
	sys.exit(main())