Wednesday, September 20, 2017

Analysis of Samsung Kies / Smart Switch backup files, part II

In the previous article I analyzed Samsung Kies backup files.
Thanks to the researchers who did the research [1] before me, I was able to figure out how the data is arranged inside. Each such file is a container encrypted with symmetric AES-256 in CBC mode.

CBC mode uses an initialization vector (IV) and an encryption key. Both must be known before decryption. Fortunately, they are present in the source code [1] and can also be found in the strings extracted from the SmartSwitch 2.5 setup executable.

After decryption, the file has the following structure:
  1. Header: XML file
  2. Data (optional): packed content

XML file

The XML file is padded at the end with 0x10 (the DLE control code) to a fixed size of 512 bytes.
The XML tag "HeaderData" has the attribute "xmlns" with the value "Kies.Common.Data".
The XML tag "version" has the value "Kies3" (for Samsung Kies) or "Kies4" (for Smart Switch).
The XML tag "zipType" has the value "GZip" (if Kies3) or "ZLib" (if Kies4). The value "GZip" means that the packed file contains a binary stream compressed in the gzip file format. The value "ZLib" means that the packed file is in the ZIP file format.

In the simplest case, the unpacked file consists of only the 512 bytes of the XML file.

Packed content

This section holds the packed content as described above. It is also padded at the end with 0x10 (256-byte block size?).
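
The layout described above can be walked with a short Ruby sketch. This is an added example, not the author's scripts: it starts from already-decrypted bytes, and the helper names, the 64 MiB output cap and the sample header layout are assumptions.

```ruby
require 'zlib'
require 'stringio'

HEADER_SIZE = 512                # fixed header size given in the post
MAX_OUTPUT  = 64 * 1024 * 1024   # assumed cap on decompressed size

# Split decrypted container bytes into header fields and the packed section.
def parse_container(plain)
  plain = plain.b
  raise ArgumentError, 'shorter than the 512-byte header' if plain.bytesize < HEADER_SIZE

  xml = plain.byteslice(0, HEADER_SIZE).sub(/\x10+\z/n, '') # drop DLE padding
  raise ArgumentError, 'HeaderData element not found' unless xml.include?('<HeaderData')

  field = ->(tag) { xml[%r{<#{tag}>\s*([^<]*?)\s*</#{tag}>}n, 1] }
  { version: field.call('version'), zip_type: field.call('zipType'),
    packed: plain.byteslice(HEADER_SIZE, plain.bytesize) }
end

# Unpack according to zipType. The 0x10 padding after the packed data is not
# stripped: a compressed stream may itself end in 0x10, so the gzip reader is
# left to find the end of the stream and ignore what follows.
def unpack_section(info)
  return nil if info[:packed].empty?

  case info[:zip_type]
  when 'GZip'
    out = Zlib::GzipReader.wrap(StringIO.new(info[:packed])) { |gz| gz.read(MAX_OUTPUT + 1) }
    raise 'decompressed data exceeds cap' if out && out.bytesize > MAX_OUTPUT
    out.to_s
  when 'ZLib'
    # Ruby's stdlib has no ZIP reader; check the signature, return raw bytes.
    raise 'ZIP local-file signature missing' unless info[:packed].start_with?("PK\x03\x04".b)
    info[:packed]
  else
    raise ArgumentError, "unexpected zipType #{info[:zip_type].inspect}"
  end
end

# Constructed sample, not taken from a real backup.
def sample_container(version, zip_type, packed)
  xml = %(<HeaderData xmlns="Kies.Common.Data"><version>#{version}</version>) +
        %(<zipType>#{zip_type}</zipType></HeaderData>)
  xml.b.ljust(HEADER_SIZE, "\x10".b) + packed.b + ("\x10".b * 16)
end

demo = parse_container(sample_container('Kies3', 'GZip', Zlib.gzip('constructed payload')))
puts "#{demo[:version]} #{demo[:zip_type]}: #{unpack_section(demo).inspect}"
```

For the "ZLib" case the returned bytes still carry the trailing 0x10 padding and need a ZIP library to list or extract entries.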

Source code

I developed simple Ruby scripts for extracting content from EBK files.

References

[1] Samsung Kies .SSC / .SPB decrypter
