Extracting official firmware image of Casio G’zOne LTE (C811)

Most stock rom of Casio G’zOne 4G LTE (C811) is extracted from stock devices after uploading corresponding firmware. Verizon also supports firmware restoration tool from PC. There were some efforts to extract real stock firmware from that image but that never happened. I analyzed the Verizon firmware restoration tool and how to extract (not flash) firmware images uploaded on NEC Casio server.

There are some INI files bundled with Verizon tool (TL-Bootstrap). It specifies base address where all required tools are uploaded. When executed, the program checks all required tools’ version from http://baseaddress/ToolVersion.txt, downloads newer version when available. Real upgrade processes are hidden in the tool downloaded by bootstrap. Latest version of firmware is checked via /files.txt which contains version, size and some other information. Downloading firmware itself is straightforward by using filename from the text file, but only latest version is available from official server. All previous versions were deleted.

The firmware consists of single ZIP file, which then contains single MBN file for flashing. Despite same extension as Qualcomm tools, it uses proprietary format to encode and encrypt the image. Metadata is located at the last 2KB of MBN file. It starts with header, something like version and number of partitions. Each partition record basic information of partition and “flags”. EXT4 partition images are stored in standard sparce format which could be restored using simg2img. Other images stored with trailing zero bytes stripped, with separate original size information. All binary data except header is XOR encrypted, which differs among partition and even among firmware version.

I deduced XOR keys by comparing “extracted” file system images with encrypted images, which share same header bytes. XOR key of EXT4 sparce partition is also easily deducible since they use standard Android magic numbers. Attached source code calculates XOR key and extracts file system image. Probably works on Linux and OS X.

eut_extract.c code is here: https://gist.github.com/peremen/71330cbb4a6556358b938e0e353255a6

Using the attached source code, you can obtain “pure” stock ROM which is not altered by flashing and dumping.