While older backups included variety of files with different extensions like SPB, SPBA, SME, SMEA etc, which were created by Samsung Kies, more recent backups were created by Smart Switch and had extension EBK.
First attempt was to detect file type with tool "file" in Linux distribution. This tool reads first bytes from file and tries to detect type according to "magic" numbers.
file didn't succeed to detect format and returned just type "data" (unknown format).
Second attempt was tool TrID. Surprisingly, despite library of numerous known formats, this tool returned just "Unknown!".
When I compared hex dump of arbitrary backup files with extension EBK, I've found all they had same magic number 6b39a474 at offset 0. This is a good sign for us.
I've picked most small file which has extension EBK and size 544 bytes and looked onto his hex dump. When I found 4 consecutive sequences of hex 10101010 at offset 256 bytes and same sequence at offset 528 (last 16 bytes). These sequences may represent end of block or even used for padding for blocks with fixed size.
Other file above 544 bytes also contained these sequences at end of file.
Content of file looks quite "random", at least either compressed or encrypted.
Among set of observed files were files with same size and all sizes are multiples of 2. Yet same size doesn't means same content! We had 2 files with same size but different content.
Another observation showed that first 256 bytes of all EBK files was same (by md5sum):
for f in `find backup -type f -name '*.ebk'`; do head -c 256 $f | md5sum; done
Another observation showed that first 256 bytes of SPBA files are same as of EBK files.
Yet another observation showed that 10101010 sequences are repetitive across files:
Комментариев нет:
Отправить комментарий