LiMo firmware structure

From Samsung H1 Wiki

Distribution

Device firmware can be upgraded via the updater included with New PC Studio. Alternatively, some updates may be made available OTA.

Format

The updater checks for availability of an update by sending the phone's PDA, baseband and CSC version to the Samsung FUS server. If an update is available the client constructs the firmware archive URL from parameters returned by the server and proceeds by downloading the (encrypted) firmware archive via HTTP.

Cryptography

Files downloaded from the FUS server are encrypted using DES. Although one can intercept the decrypted zip files during the update process, they may also be decrypted using either the COM+ FUScrypt DLL which ships with New PC Studio or a custom implementation of the decryption procedure outlined below.

Key derivation

The DES key is derived by taking the first 7 bytes from the MD5 hash of a server-supplied passphrase. Although this passphrase is unique for each firmware release, Samsung consistently appears to use the wide-char (base 10) representation of a relatively short integer, thus severely limiting the key space. Combined with knowledge of the first bytes of the plaintext (the zip header), the key can be easily brute-forced.
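To make the key-space limitation concrete, the following added example (not code from this wiki or from Samsung) derives the key as described above and counts how many distinct DES keys are reachable when the passphrase is a short decimal integer. It assumes "wide-char" means UTF-16LE with no terminator; the function names are hypothetical.

```python
import hashlib
import math

DES_KEY_BITS = 56  # nominal DES key strength


def derive_des_key(passphrase: str) -> bytes:
    """Return the first 7 bytes of MD5(passphrase), as the page describes.

    Assumption: the "wide-char" passphrase is UTF-16LE without a terminator.
    """
    return hashlib.md5(passphrase.encode("utf-16-le")).digest()[:7]


def audit_keyspace(max_digits: int) -> dict:
    """Derive the key for every base-10 integer of up to max_digits digits
    and compare the reachable key set with the full DES key space."""
    candidates = 10 ** max_digits
    keys = {derive_des_key(str(n)) for n in range(candidates)}
    effective_bits = math.log2(len(keys))
    return {
        "candidates": candidates,
        "distinct_keys": len(keys),
        "effective_bits": effective_bits,
        "bits_lost": DES_KEY_BITS - effective_bits,
    }


if __name__ == "__main__":
    # Constructed parameters: passphrases of up to 4 and 5 decimal digits.
    for digits in (4, 5):
        r = audit_keyspace(digits)
        print(f"<= {digits} digits: {r['distinct_keys']} keys, "
              f"{r['effective_bits']:.1f} effective bits "
              f"({r['bits_lost']:.1f} bits below DES's nominal 56)")
```

The effective strength is set by the passphrase, not by the cipher: hashing with MD5 adds no entropy that the integer did not already have.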

Decryption

Using the key and a zero IV, the zip file may be decrypted using DES in CBC mode.

Structure

The firmware zip archive may contain the following items:

SS_DL.dll: DLL which implements the Odin protocol, used by the updater to upload the firmware
*.bin file: Contains the modem firmware
PDA tar: Contains files to be flashed to NAND

PDA tar structure

The tar archive has been found to contain any of the following files:

boot.bin: The first-stage bootloader, Pbl
Sbl.bin: The second-stage bootloader, Sbl
zImage: Compressed Linux kernel
initrd.cramfs: cramfs compressed initrd
factoryfs.cramfs: cramfs compressed filesystem
country.csc: Carrier-specific data
datafs.rfs: Likely used as read/write NAND partition, using the RFS filesystem
param.lfs: Used to store environment variables, j4fs filesystem
movinand.bin: Partition image for the eMMC moviNAND flash memory, used for user data