Note: You are viewing an old version of this page. View the current version.

Differences between version 4 and previous revision of KnowledgeBase/ExpressGate.

Other diffs: Previous Major Revision, Previous Author

Newer page: version 4 Last edited on Saturday, 6 November 2010 3:19:16 by CyberLeo Revert
Older page: version 3 Last edited on Saturday, 6 November 2010 3:09:03 by CyberLeo Revert
@@ -1,8 +1,16 @@
 !! DFI image file format: 
  
-* 32 -byte header  
-* 16-byte padding  
+* 48 -byte header  
+* * 16-char string: _DeviceVM Inc._\0  
+** 8-char datestamp  
+** 8 bytes unknown  
+** 16 bytes unknown  
+<verbatim>  
+00000000 5f 44 65 76 69 63 65 56 4d 20 49 6e 63 2e 5f 00 |_DeviceVM Inc._.|  
+00000010 32 30 30 39 30 37 33 30 01 04 0a 08 72 5c 6a 6f |20090730....r\jo|  
+  
+</verbatim>  
 * MBR-partitioned disk image 
 * FAT16 filesystem 
  
  

version 4

DFI image file format:

  • 48-byte header

    • 16-char string: _DeviceVM Inc._\0
    • 8-char datestamp
    • 8 bytes unknown
    • 16 bytes unknown


  • MBR-partitioned disk image
    • 

  • FAT16 filesystem
    • 



CE.CEX format:


Weird. Looks like a debian archive, but it's not. More specifically, it appears to be a debian archive header that's been overwritten with other values in certain places:


64-byte header with overwrite at 0x10-0x13 and 0x30-0x37, with the actual data payload starting at 0x40 instead of 0x44


0x10-0x13 contains the hex value '27 5b c9 47', or '[EG in ascii


The useful bits are at offset 0x30-0x37, two little-endian encoded int32 sizes (including headers), representing the sizes of the two chunks in the file:


First chunk is a 64-byte header (since it includes the file header) and a tar.gz


Second chunk is an empty debian archive.