• 1 Post
  • 38 Comments
Joined 1 year ago
cake
Cake day: August 9th, 2023

help-circle

  • The inner zip files are just stored, uncompressed:

    Archive: update.zip
    Index Encryption Compression CRC32    Uncompressed  Packed size Name
    ----- ---------- ----------- -------- ------------ ------------ ----------------
        0 ZipCrypto  Store       d1bca061     65761967     65761979 system_lib.zip
        1 ZipCrypto  Deflate     64a3f383         2183          741 config.json
        2 ZipCrypto  Store       3731280f     89300292     89300304 app.zip
        3 ZipCrypto  Store       a2bd64f5    135518964    135518976 app_lib.zip
        4 ZipCrypto  Store       700eb186      5996410      5996422 system.zip
    

    So 12 bytes from the original content.


  • The entries in update.zip are encrypted using the weak ZipCrypto scheme, which is known to be seriously flawed. If you feel motivated, and can guess at least 12 bytes of plaintext for an entry, it is possible to recover the internal state of the generator, which is enough to decipher the data entirely, as well as other entries which were encrypted with the same password. The bkcrack project implements this attack.

    Since some of the entries are zip files themselves, it is within the realm of possibility to guess 12 bytes of plaintext. Parts of the zip local file header are pretty static, and you can use some of the values from the local file header of update.zip itself. Still, this would require a bit of luck / inspired guesswork.