
any tool to analyze an Akai iLike F-243 binary dump ?!  

passcodeunlock
(@passcodeunlock)
Senior Member

The chipset is a Spreadtrum SPD6631E, the NOR binary image was extracted successfully.

- UFED PA 7.29 isn't parsing the binary dump, their support was already contacted

- Oxygen Forensic Detective isn't parsing the binary dump

- Belkasoft Evidence Center isn't parsing it

Any suggestions are welcome!

Posted : 20/02/2020 6:27 am
benfindlay
(@benfindlay)
Active Member

Are you able to determine what filesystem is present on the device? Just a hunch, but it may be one that the standard tools do not support, such as YAFFS/JFFS2/SQUASHFS.

Have you run binwalk across it? If not, perhaps doing so and posting the output of that tool here may help others figure out what's going on.

Thanks,

Ben

Posted : 20/02/2020 9:15 am
passcodeunlock
(@passcodeunlock)
Senior Member

Most probably there is an FTL, I will post later on the binwalk results as well.

Posted : 20/02/2020 11:05 am
TobiasJ
(@tobiasj)
New Member

I am guessing this was a SPD6531 rather than a SPD6631? I've never heard of 6631, but 6531 is a very common Spreadtrum chip which XRY has good support for, so if you have access to XRY, importing the binary with the Spreadtrum USB Generic profile is certainly worth a shot!

Posted : 21/02/2020 7:24 am
passcodeunlock
(@passcodeunlock)
Senior Member

It is SPD6631E, as I wrote it. Maybe it is a fake name, but still, this is what the chipset reading reports.

Posted : 21/02/2020 3:14 pm
passcodeunlock
(@passcodeunlock)
Senior Member

binwalk finds 9 LZMA parts, but not able to open them. Could it be that the content is encrypted?!

Posted : 24/02/2020 7:54 am
benfindlay
(@benfindlay)
Active Member

Possibly, but not necessarily. If you run binwalk with the "-eM" options, it will attempt to unpackage content based on other dependencies you have installed that are compatible (and - caveat - that it knows about). Assuming you're using a Linux system and have tools like tar/untar installed, then this may succeed.

If all you get is lzma blocks, then you can always attempt to unpackage them yourself with the untar command, or perhaps by using "lzma -d" at the command line.

If unpackaging fails altogether, use dd to manually extract the lzma blocks based on the offset and count values provided by binwalk.

Hope this helps!

Ben

Posted : 24/02/2020 3:23 pm
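
The manual fallback described in the last reply (carve each binwalk hit by its offset and try to decompress it), as an added example that is not part of the original thread. It tests whether a legacy `.lzma` stream really decodes at a reported offset and, if so, how many input bytes it occupies, since a signature hit alone does not show that a decodable stream starts there. The image, payload and offsets are constructed, and `probe_lzma` and `build_sample` are hypothetical names.

```python
import lzma

def probe_lzma(image: bytes, offset: int, cap: int = 64 << 20) -> dict:
    """Try to decode a legacy .lzma (LZMA_alone) stream that starts at offset.

    On success returns the decoded payload and the number of input bytes the
    stream occupies (usable as the dd count). cap bounds the decoded size.
    """
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    data, out = image[offset:], bytearray()
    try:
        while not dec.eof and len(out) < cap:
            chunk = dec.decompress(data, max_length=cap - len(out))
            data = b""                      # leftover input is buffered by dec
            if not chunk and dec.needs_input:
                break                       # input exhausted: truncated stream
            out += chunk
    except lzma.LZMAError as exc:
        return {"offset": offset, "ok": False, "error": str(exc)}
    if not dec.eof:
        return {"offset": offset, "ok": False, "error": "no end of stream reached"}
    used = len(image) - offset - len(dec.unused_data)
    return {"offset": offset, "ok": True, "count": used, "payload": bytes(out)}

def build_sample():
    """Constructed image: 0xFF filler, one real stream, one bare LZMA-like header."""
    payload = b"constructed sample payload " * 40
    stream = lzma.compress(payload, format=lzma.FORMAT_ALONE)
    # Bytes that look like an LZMA header (props 0x5D, 8 MiB dictionary, size field)
    # but are followed only by 0xFF filler instead of compressed data.
    fake = bytes.fromhex("5d00008000") + (1 << 16).to_bytes(8, "little")
    image = b"\xff" * 0x100 + stream + b"\xff" * 0x80
    fake_off = len(image)
    image += fake + b"\xff" * 0x100
    return image, payload, len(stream), [0x100, fake_off]

if __name__ == "__main__":
    image, _, _, offsets = build_sample()   # offsets stand in for binwalk's hit list
    for off in offsets:
        r = probe_lzma(image, off)
        if r["ok"]:
            print(f"0x{off:x}: decodes, dd bs=1 skip={off} count={r['count']}")
        else:
            print(f"0x{off:x}: not decodable ({r['error']})")
```

For a real dump, read the file into `image` and pass the decimal offsets binwalk reported for its LZMA hits.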