
any tool to analyze an Akai iLike F-243 binary dump ?!

passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
Topic starter
 

The chipset is a Spreadtrum SPD6631E, the NOR binary image was extracted successfully.

- UFED PA 7.29 isn't parsing the binary dump, their support was already contacted

- Oxygen Forensic Detective isn't parsing the binary dump

- Belkasoft Evidence Center isn't parsing it

Any suggestions are welcome!

 
Posted : 20/02/2020 6:27 am
benfindlay
(@benfindlay)
Posts: 142
Estimable Member
 

Are you able to determine what filesystem is present on the device? Just a hunch, but it may be one that the standard tools do not support, such as YAFFS/JFFS2/SQUASHFS.

Have you run binwalk across it? If not, perhaps doing so and posting the output of that tool here may help others figure out what's going on.

Thanks,

Ben

 
Posted : 20/02/2020 9:15 am
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
Topic starter
 

Most probably there is an FTL, I will post later on the binwalk results as well.

 
Posted : 20/02/2020 11:05 am
(@tobiasj)
Posts: 22
Eminent Member
 

I am guessing this was a SPD6531 rather than a SPD6631? I've never heard of 6631 but 6531 is a very common Spreadtrum chip which XRY has good support for so if you have access to XRY importing the binary with the Spreadtrum USB Generic profile is certainly worth a shot!

 
Posted : 21/02/2020 7:24 am
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
Topic starter
 

It is SPD6631E, as I wrote it. Maybe it is a fake name, but still, this is what the chipset reading reports.

 
Posted : 21/02/2020 3:14 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
Topic starter
 

binwalk finds 9 LZMA parts, but not able to open them, could it be that the content is encrypted ?!

 
Posted : 24/02/2020 7:54 am
benfindlay
(@benfindlay)
Posts: 142
Estimable Member
 

Possibly, but not necessarily. If you run binwalk with the "-eM" options, it will attempt to unpackage content based on other dependencies you have installed that are compatible (and - caveat - that it knows about). Assuming you're using a Linux system and have tools like tar/untar installed then this may succeed.

If all you get is lzma blocks, then you can always attempt to unpackage them yourself with the untar command, or perhaps by using "lzma -d" at the command line.

If unpackaging fails altogether, use dd to manually extract the lzma blocks based on the offset and count values provided by binwalk.

Hope this helps!

Ben

 
Posted : 24/02/2020 3:23 pm
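Added example, not part of the thread or any poster's code: a Python sketch of the manual check discussed above, which takes candidate offsets such as those binwalk reports, sanity-checks the 13-byte LZMA "alone" header, and trial-decodes each candidate so that a real stream can be told apart from bytes that merely resemble a header. The sample image, payload and offsets are constructed for the example, and the function names are hypothetical.

```python
import lzma
import struct

def parse_lzma_header(buf: bytes):
    """Parse the 13-byte LZMA 'alone' header; None if the fields are implausible."""
    if len(buf) < 13:
        return None
    props, dict_size, size = struct.unpack_from("<BIQ", buf)
    if props >= 9 * 5 * 5:          # props = (pb*5 + lp)*9 + lc
        return None
    lc, rest = props % 9, props // 9
    return {"lc": lc, "lp": rest % 5, "pb": rest // 5, "dict_size": dict_size,
            "size": None if size == 0xFFFFFFFFFFFFFFFF else size}

def check_candidate(image: bytes, offset: int, max_out: int = 16 << 20):
    """Trial-decode the stream at offset; 'valid' only if the decoder reaches its end."""
    result = {"offset": offset, "header": parse_lzma_header(image[offset:offset + 13]),
              "valid": False, "consumed": 0, "data": b""}
    if result["header"] is None:
        return result
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    try:
        # max_out caps the output so a hostile or bogus stream cannot exhaust memory
        data = dec.decompress(image[offset:], max_length=max_out)
    except lzma.LZMAError:
        return result
    if dec.eof:
        result.update(valid=True, data=data,
                      consumed=len(image) - offset - len(dec.unused_data))
    return result

# Constructed sample image (not from the thread): erased-flash padding, one real
# LZMA stream, then header-like bytes with no decodable stream behind them.
PAYLOAD = b"constructed firmware resource " * 64
REAL = lzma.compress(PAYLOAD, format=lzma.FORMAT_ALONE)
FAKE = struct.pack("<BIQ", 0x5D, 1 << 16, 4096) + b"\x00\x11\x22"
IMAGE = b"\xff" * 0x40 + REAL + b"\xff" * 0x40 + FAKE
OFFSETS = [0x40, 0x40 + len(REAL) + 0x40]   # stand-in for offsets binwalk reports

if __name__ == "__main__":
    for off in OFFSETS:
        r = check_candidate(IMAGE, off)
        print(hex(off), "valid" if r["valid"] else "no stream", r["consumed"])
```

For a candidate that decodes, `consumed` is the compressed length of the stream, which is the count to use when carving it out with dd.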