Personal View site logo

User Tools

Site Tools


sony-hack:lzpt

Complete source for LZPT unpacker - unlzpt.zip

It is ready to compile in http://www.smorgasbordet.com/pellesc/ , so anyone can join quickly.


LZPT files

NOTE: Latest “fwtool” project can also decrypt “LZPT” images: fwencryption

LZPT files (aka TPZL - endian reversed) are images found in the 'second wave' firmware files.

This appears to be a custom image format created by Sony. The files are LZ77-compressed images.

There are two LZPT files in the second wave firmware:

0700_part_image/dev/nflasha3
0700_part_image/dev/nflasha8

As “nflasha3/nflasha8” are names of flash partitions on the device, it appears that these are raw images that are written to those flash partitions.

“nflasha3” is an LZPT-compressed DOS (vfat) filesystem.

“nflasha8” is an LZPT-compressed EXT2 filesystem.

I will write a more complete description of the internals of the LZPT files later. For now, the files were generated by breaking-up the original DOS/EXT2 file images into 64K-byte blocks, then compressing each block separately. A 'table of contents' is at the beginning of the LZPT file, which is indexed by the block number. Using this, you can find the starting offset/length of the lz77-compressed block. Seek to that offset in the file/partition, read length bytes, then lz77-decompress it to get the original block.

Below is a hexdump of the start of an “nflasha3” (LZPT) file, as an example:

00000000  54 50 5a 4c 10 00 00 00  18 00 00 00 78 06 00 00  |TPZL........x...|
00000010  00 00 00 00 00 00 00 00  90 06 00 00 b8 61 00 00  |.............a..|
00000020  48 68 00 00 68 cc 00 00  b0 34 01 00 60 c2 00 00  |Hh..h....4..`...|
00000030  10 f7 01 00 a8 cd 00 00  b8 c4 02 00 70 c2 00 00  |............p...|
00000040  28 87 03 00 38 c1 00 00  60 48 04 00 c8 c0 00 00  |(...8...`H......|
00000050  28 09 05 00 f8 cb 00 00  20 d5 05 00 34 ce 00 00  |(....... ...4...|
00000060  54 a3 06 00 1c da 00 00  70 7d 07 00 d4 ee 00 00  |T.......p}......|
00000070  44 6c 08 00 24 bf 00 00  68 2b 09 00 14 cf 00 00  |Dl..$...h+......|

Offset 0x0000 is a 4-byte magic ID "LZPT" stored in reverse-endian order)
Offset 0x0008 is a 4-byte offset to the start of the table of contents (stored in little-endian order)
Offset 0x000C is a 4-byte size of the table of contents (stored in little-endian order)

From the above, you can see that the TOC starts at offset 0x00000018, and is 0x00000678 bytes long.

There are each entry in the TOC table is 8-bytes (two 32-bit values, stored little-endian): a 4-byte offset to the start of the compressed block, and a 4-byte length of the compressed block.

Using the above example (TOC table starting at 0x00000018), block 0's compressed data starts at offset 0x00000690) and ix 0x000061b8 bytes long.

Newer devices use a new version of the LZTP format. The fifth byte is the version number, if it is a 32bit LE int or a perhaps unsigned byte only is not known. Version 0x10 is the first version using 64k block length, 0x11 is the second version used to day by EA50 and FS700 with a block length of 128k.

fwtool v06b11 and newer allows for extraction of LZTP ver 0x11, unlztp or earlier versions of fwtool will crash.

sony-hack/lzpt.txt · Last modified: 2015/08/10 13:06 by vitaliy_kiselev