Flash.bin build tool for LG KS 20

This is a command line tool to extract content from a flash.bin file and rebuild a new one using other file parts. Click on the link below to download the tool.

Latest version : LGFlashMuncher Version 0.2

Usage :

LGFlashMuncher.exe [options] path [output]
  EXTRACT Options ---(at least one option required)-----------------------------
        -r      : extract Raw data
        -h      : extract header
        -m      : extract MBR
        -p      : extract partitions
        -t      : trim extracted partitions
        -l      : output layout informations to file 'flash.xml'
        -o      : output OS.nb compatible file
        output  : path to output directory (must exists)

  CREATE Options  ---(all options required)-------------------------------------
        -c file : create new flash.bin outputed to 'file'
                  (MBR and fat partition are taken from original flash.bin)
        -e file : use 'file' for header
        -0 file : use 'file' for partition 0 (boot)
        -1 file : use 'file' for partition 1 (rawfs)
        -2 file : use 'file' for partition 2 (imgfs)

  COMMON Option  ---------------------------------------------------------------
        path       : path to flash.bin file

Next, how to extract data from a flash.bin to a directory named output :

LGFlashMuncher.exe -htmlp FLASH.bin output

How to rebuild a new flash.bin :

LGFlashMuncher.exe -c newflash.bin -e header.bin -0 part_0_BOOT.bin -1 part_1_RAWFS.bin -2 part_2_IMGFS.bin FLASH.bin

WCF : WS-Security Hell

dotnetLastly, I had to build a client to consume a web service. This task seems a bit trivial at first, but the service required an authentication mechanism based on WS-Security. Nothing really complex, the only requirement was to send a username and a password in plain text.

As usual when I build this kind of application, I used Visual Studio wizard to create the proxy to the web service, and after some tweaking in the app.config file, my application was ready to consume this web service !

Unfortunately, there is a security behavior in WCF that prevent from using plain text message based authentication over unsecure transport : i.e. you cannot send a clear password if you are using HTTP as the transport layer instead of HTTPS. That would have been nice of Microsoft to give us a way to override this mechanism easily, but they didn”t (and they didn”t bother to add an explicit error message in the thrown exception…)

So, if you want to send a plain-text username and password using WCF, the only way I found was to stuff the corresponding soap header when sending the request.

Here is my code, use it at your own risks…

public class SecurityBehavior : MessageHeader, IClientMessageInspector, IEndpointBehavior
{
     private string m_sUserName;
     private string m_sPassword;
     public override string Name        
     {            
        get { return "wsse:Security"; }
     }
 
     public override string Namespace        
     {            
        get { return ""; }
     }          
 
     public string UserName        
     {            
        get { return m_sUserName; }
        set { m_sUserName = value; }        
     }          
 
     public string Password        
     {            
        get { return m_sPassword; }            
        set { m_sPassword = value; }        
     }          
 
     public void AfterReceiveReply(ref System.ServiceModel.Channels.Message reply, object correlationState)        
     {                      
 
     }          
 
     public object BeforeSendRequest(ref System.ServiceModel.Channels.Message request, System.ServiceModel.IClientChannel channel)        
     {              
        request.Headers.Add(this);
        return null;
     }          
 
     public void AddBindingParameters(ServiceEndpoint endpoint, System.ServiceModel.Channels.BindingParameterCollection bindingParameters)        
     {                      
 
     }          
 
     public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)        
     {            
        clientRuntime.MessageInspectors.Add((IClientMessageInspector)this);
     }          
 
     public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher)        
     {          
 
     }          
 
     public void Validate(ServiceEndpoint endpoint)        
     {          
 
     }          
 
     protected override void OnWriteHeaderContents(XmlDictionaryWriter writer, MessageVersion messageVersion)        
     {            
        writer.WriteAttributeString("xmlns", "wsse", null, "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
        writer.WriteStartElement("wsse:UsernameToken");
        writer.WriteElementString("wsse:Username", m_sUserName);
        writer.WriteStartElement("wsse:Password");
        writer.WriteAttributeString("Type", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText");
        writer.WriteValue(m_sPassword);                          
        writer.WriteEndElement(); //wsse:Password            
        writer.WriteEndElement(); //wsse:UsernameToken        
     }              
}

DZExtract LG DZ file format and extract tool lg ks20

Everything is in the title, just click on the link below to download the file.

Latest version : DZ Extract Version 0.2

Some details about the various format found in the DZ file.

DZ File format
Offset length (byte) Description
0x0 0x8 Magic code “MSTXMETX”
0x8 0x2 Unknown, same value in all files (value 0x01)
0xA 0x2 Separator ? (value 0x0)
0xC 0x2 Unknown, same value in all files (value 0x0B)
0xE 0x2 Separator ? (value 0x0)
0x10 0x6 Unknow, value differs from file to file
0x16 0x2 Unknown, same value in all files (value0x01C8)
0x18 0x8 String, phone model ? (value “KS20”)
0x20 0x50 String, file title ?
0x70 0x1C Two null terminated string concatened (“[chipmodel]\\0[osname]\\0”)
0x8C 0x80 String, DZ filename
0x10C 0x20 Separator (filled with 0xFF)
0x12C 0x10 Header MD5 hash
0x13C Variable Concatened subfiles (see Subfile format)
0x78 Offset Table, unknown useage
Optionnal data, present in some DZ file (unknown)

 

Subfile format
Offset length (byte) Description
0x0 0x4 Magic code “SSTX”
0x4 0x2 Unknown, same value for all subheaders (value 0x01)
0x6 0x2 Separator ? (value 0x0)
0x8 0x2 File Type ?
0xA 0x6 Separator ? (filled with 0x0)
0x10 0x4 Data length
0x14 0x80 Filename, null terminated string
0x94 0x10 Separator (filled with 0xFF)
0xA4 0x10 Uncompressed data MD5 hash
0xB4 0x10 Subheader MD5 Hash
0xC4 Data length Gzip compressed data

 

File type
Type Filename Description
0x3 amss.mbn AMSS modem
0x8 partition.mbn Partition table
0xA qcsblhd_cfgdata.mbn QCSBL header
0xB qcsbl.mbn QCSBL
0xC oemsblhd.mbn OEM boot header
0xD oemsbl.mbn OEM boot
0xE amsshd.mbn AMSS modem header
0x13 appsboothd.mbn APPS boot loader header
0x14 appsboot.mbn APPS boot loader
0x15 FLASH.bin Windows CE flash.bin
0x16 apps.mbn APPS