Tool for decrypting the firmware files for Samsung SSDs
Samsung distributes firmware updates for their SSDs for either "Windows" or "Mac". Ironically, both of these are bootable Linux
.isofiles, containing the actual firmware and update program.
The
.isofiles can be unpacked, but ultimately we end up with an obfuscated binary blob, even for the meta information.
For the upstream file downloads, see
https://www.samsung.com/semiconductor/minisite/ssd/download/tools/
Out of curiosity, I decided to create a decryption tool for this obfuscated format, which is found in this repository.
First, we download a firmware iso:
`wget http://downloadcenter.samsung.com/content/FM/201711/20171102105105735/Samsung_SSD_850_PRO_EXM04B6Q_Win.iso`
Next, we unpack the relevant file from the iso, the
initrd:
`7z x Samsung_SSD_850_PRO_EXM04B6Q_Win.iso initrd`
This file is a gzip-compressed cpio archive, so use 7z to strip gzip:
`7z x initrd`
This produces
initrd~, containing the uncompressed contents. From here we extract the directory of interest,
root/fumagician:
`7z -ofw x 'initrd~' root/fumagician`
This creates
fw/root/fumagicianin the current directory:
$ cd fw/root/fumagician $ ls -l total 5408 -rw-rw-r-- 1 user user 2124 1971-03-22 19:52 DSRD.enc -rw-rw-r-- 1 user user 4752867 1971-03-22 19:52 EXM04B6Q.enc -rw-rw-r-- 1 user user 772516 2016-10-14 10:42 fumagician -rw-rw-r-- 1 user user 290 2016-10-14 10:42 fumagician.sh
The files
DSRD.enc(xml list of firmwares) and
EXM04B6Q.enc(firmwares) are the obfuscated files, that we can now decrypt.
The included
decode.pyscript will unpack these
.encfiles, like so:
## show xml on stdout: $ ./samsung-magic.py < fw/root/fumagician/DSRD.encdecrypt firmware to file:
$ ./samsung-magic.py < fw/root/fumagician/EXM04B6Q.enc > EXM04B6Q.bin
Seemingly, the folks at Samsung are huge fans of nesting things, because the decrypted
EXM04B6Q.binfile is actually a zip file, containing encrypted firmware files:
$ unzip -l EXM04B6Q.bin Archive: EXM04B6Q.bin Length Date Time Name --------- ---------- ----- ---- 1048576 2017-02-19 10:41 EXM04B6Q_10170217.enc 1048576 2017-02-19 10:41 EXM04B6Q_20170203.enc 1048576 2017-02-19 10:41 EXM04B6Q_30170203.enc 1048576 2017-02-19 10:41 EXM04B6Q_40170902.enc 1048576 2017-02-19 10:41 EXM04B6Q_50170208.enc 1048576 2017-02-19 10:41 EXM04B6Q_60170208.enc --------- ------- 6291456 6 files
Luckily, the encryption is exactly the same, so
samsung-magic.pycan decrypt these as well:
$ unzip EXM04B6Q.bin $ ./samsung-magic.py < EXM04B6Q_10170217.enc > EXM04B6Q_10170217.bin
Now, at last, we have the raw firmware.
Enjoy!