Nomad of Norad
Fantastic Member
- Joined
- Jan 9, 2009
- Messages
- 319
- Thread Author
-
- #101
@ChatGPT
Is there a way to get the script delivered to me here as an attached file, instead of the text of it being imbedded into the forum post? It is possible that control characters are somehow getting imbedded into the text in the forum post, and are getting carried over invisibly when I copy-paste the block of text into Notepad or into Notepad++.
Is there a way to get the script delivered to me here as an attached file, instead of the text of it being imbedded into the forum post? It is possible that control characters are somehow getting imbedded into the text in the forum post, and are getting carried over invisibly when I copy-paste the block of text into Notepad or into Notepad++.
- Joined
- Mar 14, 2023
- Messages
- 97,400
OK — understood. Don’t waste more time trying to save a mangled .ps1 file. Instead run a few short PowerShell lines interactively (paste one line at a time) so you avoid invisible control characters. That will reliably (1) scan combined.bin for common embedded archive headers, (2) let you carve from a found offset, and (3) try extraction with 7‑Zip.
Run these steps in an elevated PowerShell (right‑click PowerShell → Run as administrator). Paste one line, press Enter, then paste the next line, etc.
1) Prepare (make sure combined.bin is in C:\Temp\SamsungExtract\combined.bin)
mkdir C:\Temp\SamsungExtract -Force
$fn = 'C:\Temp\SamsungExtract\combined.bin'
$bytes = [System.IO.File]::ReadAllBytes($fn)
3) Define a small helper function (paste this single line)
function FindOff($pat){ $res=@; $i=0; while($i -lt $bytes.Length){ $idx=[Array]::IndexOf($bytes,$pat[0],$i); if($idx -lt 0){break}; $m=$true; for($j=1;$j -lt $pat.Length;$j++){ if(($idx+$j) -ge $bytes.Length -or $bytes[$idx+$j] -ne $pat[$j]){$m=$false;break}}; if($m){$res+=$idx;$i=$idx+$pat.Length}else{$i=$idx+1}}; $res }
4) Search for common signatures (paste each line and press Enter)
FindOff ([byte) # PK04 — ZIP/CAB
FindOff ([byte) # D0CF11E0 — OLE/MSI
FindOff ([byte) # MZ — PE/EXE
$offset=123456
$in='C:\Temp\SamsungExtract\combined.bin'
$out='C:\Temp\SamsungExtract\carved.bin'
$fs=[IO.File]::OpenRead($in); $fs.Position=$offset
$bw=[IO.File]::Create($out); $fs.CopyTo($bw); $bw.Close; $fs.Close
Write-Output "Wrote $out"
6) Try to list/extract carved.bin with 7‑Zip (run these in CMD or PowerShell)
If 7‑Zip reports “cannot open file as archive” for carved.bin
Which step do you want to run now?
Run these steps in an elevated PowerShell (right‑click PowerShell → Run as administrator). Paste one line, press Enter, then paste the next line, etc.
1) Prepare (make sure combined.bin is in C:\Temp\SamsungExtract\combined.bin)
mkdir C:\Temp\SamsungExtract -Force
copy your combined.bin into C:\Temp\SamsungExtract\ if not already there
2) Load the file into memory$fn = 'C:\Temp\SamsungExtract\combined.bin'
$bytes = [System.IO.File]::ReadAllBytes($fn)
3) Define a small helper function (paste this single line)
function FindOff($pat){ $res=@; $i=0; while($i -lt $bytes.Length){ $idx=[Array]::IndexOf($bytes,$pat[0],$i); if($idx -lt 0){break}; $m=$true; for($j=1;$j -lt $pat.Length;$j++){ if(($idx+$j) -ge $bytes.Length -or $bytes[$idx+$j] -ne $pat[$j]){$m=$false;break}}; if($m){$res+=$idx;$i=$idx+$pat.Length}else{$i=$idx+1}}; $res }
4) Search for common signatures (paste each line and press Enter)
FindOff ([byte) # PK04 — ZIP/CAB
FindOff ([byte) # D0CF11E0 — OLE/MSI
FindOff ([byte) # MZ — PE/EXE
- Each command will print zero or more decimal offsets (e.g. 123456). Copy/paste the offsets you see here into your reply and I’ll tell you exactly which one to carve and try first.
- Prefer PK04 or D0CF11E0 offsets (ZIP/CAB or MSI).
$offset=123456
$in='C:\Temp\SamsungExtract\combined.bin'
$out='C:\Temp\SamsungExtract\carved.bin'
$fs=[IO.File]::OpenRead($in); $fs.Position=$offset
$bw=[IO.File]::Create($out); $fs.CopyTo($bw); $bw.Close; $fs.Close
Write-Output "Wrote $out"
6) Try to list/extract carved.bin with 7‑Zip (run these in CMD or PowerShell)
list:
& 'C:\Program Files\7-Zip\7z.exe' l 'C:\Temp\SamsungExtract\carved.bin'extract to a folder:
& 'C:\Program Files\7-Zip\7z.exe' x 'C:\Temp\SamsungExtract\carved.bin' '-oC:\Temp\SamsungExtract\carved_extracted' -y- If 7‑Zip extracts an MSI or CAB, extract it too (example for MSI):
& 'C:\Program Files\7-Zip\7z.exe' x 'C:\Temp\SamsungExtract\carved_extracted\something.msi' '-oC:\Temp\SamsungExtract\msi_extracted' -y
If 7‑Zip reports “cannot open file as archive” for carved.bin
- Try carving a chunk (50 MB) starting at the offset (example — replace offset):
$offset=123456; $length=50MB; $in='C:\Temp\SamsungExtract\combined.bin'; $out='C:\Temp\SamsungExtract\carved_chunk.bin'; $fs=[IO.File]::OpenRead($in); $fs.Position=$offset; $buf=New-Object byte[] $length; $read=$fs.Read($buf,0,$length); [IO.File]::WriteAllBytes($out,$buf[0..($read-1)]); $fs.Close; "Wrote $out"
then try 7z on carved_chunk.bin as above.
Which step do you want to run now?
- If you want to proceed here: run Step 4 (three FindOff commands) and paste the offsets output here — I’ll pick the best offset and tell you the exact carve + 7‑Zip command to run next.
- If you prefer WSL/binwalk, say “WSL/binwalk” and I’ll give the BIOS + PowerShell steps to enable and run it.
Nomad of Norad
Fantastic Member
- Joined
- Jan 9, 2009
- Messages
- 319
- Thread Author
-
- #103
@ChatGPT
I am getting as far as step 4 on that, when it gives me error:
At line:1 char:14
+ FindOff ([byte) # PK04 - ZIP/CAB
+ ~
Missing ] at end of attribute or type literal.
+ CategoryInfo : ParserError:
+ FullyQualifiedErrorId : EndSquareBracketExpectedAtEndOfAttribute
...and I'm guessing the [ that is appearing in the command isn't supposed to be there, but somehow the forum markup here is inserting it, or is removing a ] at the end of the line. I am not a scripter.
I am getting as far as step 4 on that, when it gives me error:
At line:1 char:14
+ FindOff ([byte) # PK04 - ZIP/CAB
+ ~
Missing ] at end of attribute or type literal.
+ CategoryInfo : ParserError:
+ FullyQualifiedErrorId : EndSquareBracketExpectedAtEndOfAttribute
...and I'm guessing the [ that is appearing in the command isn't supposed to be there, but somehow the forum markup here is inserting it, or is removing a ] at the end of the line. I am not a scripter.
- Joined
- Mar 14, 2023
- Messages
- 97,400
Okay — easiest, most reliable next step is to enable virtualization and use WSL + binwalk to extract the embedded MSI/CAB automatically. That avoids fragile PowerShell scripting and should give you the driver files quickly.
If you’re OK with that, follow these exact steps now. I’ll wait at each step — paste back any output you see and I’ll tell you what to do next.
Step 1 — enable CPU virtualization (SVM) in BIOS (ASUS PRIME B550‑PLUS)
dism.exe /online /enable-feature /featurename:WindowsSubsystemLinux /all /norestart
Restart the PC when prompted.
(If it asks to reboot again, reboot. Then launch Ubuntu from Start and complete the first‑time setup — create a WSL username/password.
Step 3 — install binwalk and p7zip inside WSL
sudo apt install binwalk p7zip-full -y
Step 4 — put combined.bin where WSL can see it
In the WSL shell run these exact commands (paste them):
cd /mnt/c/Temp/SamsungExtract
binwalk -e combined.bin
This will produce a directory named something like _combined.bin.extracted. After binwalk finishes, run:
ls -l _combined.bin.extracted
Paste the full terminal output here (the binwalk extraction log and the ls listing). If binwalk has extracted an .msi or .cab, I’ll tell you the next command to unpack it with 7z and locate the .inf/.sys files we need.
If you prefer not to enable virtualization / WSL, say so and I’ll instead guide you through a pure‑Windows fallback (strings + carving + 7‑Zip) — but binwalk is far more likely to succeed and avoid the tedious manual hunting.
Which do you want to do — enable virtualization & run binwalk (recommended), or go with the pure‑Windows carve approach?
If you’re OK with that, follow these exact steps now. I’ll wait at each step — paste back any output you see and I’ll tell you what to do next.
Step 1 — enable CPU virtualization (SVM) in BIOS (ASUS PRIME B550‑PLUS)
- Reboot the PC.
- Press Del during POST to enter BIOS.
- Press F7 to enter Advanced Mode.
- Go to Advanced → CPU Configuration.
- Set "SVM Mode" = Enabled. (If you see “AMD SVM” / “Secure Virtual Machine” — enable it.
- Save & Exit (F10), allow Windows to boot.
- Open PowerShell as Administrator (right‑click Start → Windows PowerShell (Admin).
- Run these commands (copy/paste lines one at a time):
dism.exe /online /enable-feature /featurename:WindowsSubsystemLinux /all /norestart
Restart the PC when prompted.
- After restart, open an elevated PowerShell and run:
(If it asks to reboot again, reboot. Then launch Ubuntu from Start and complete the first‑time setup — create a WSL username/password.
Step 3 — install binwalk and p7zip inside WSL
- Open the Ubuntu app (WSL) from Start.
- In the WSL shell, run:
sudo apt install binwalk p7zip-full -y
Step 4 — put combined.bin where WSL can see it
- If combined.bin is currently at C:\Temp\SamsungExtract\combined.bin you can access it from WSL as /mnt/c/Temp/SamsungExtract/combined.bin.
In the WSL shell run these exact commands (paste them):
cd /mnt/c/Temp/SamsungExtract
binwalk -e combined.bin
This will produce a directory named something like _combined.bin.extracted. After binwalk finishes, run:
ls -l _combined.bin.extracted
Paste the full terminal output here (the binwalk extraction log and the ls listing). If binwalk has extracted an .msi or .cab, I’ll tell you the next command to unpack it with 7z and locate the .inf/.sys files we need.
If you prefer not to enable virtualization / WSL, say so and I’ll instead guide you through a pure‑Windows fallback (strings + carving + 7‑Zip) — but binwalk is far more likely to succeed and avoid the tedious manual hunting.
Which do you want to do — enable virtualization & run binwalk (recommended), or go with the pure‑Windows carve approach?
Nomad of Norad
Fantastic Member
- Joined
- Jan 9, 2009
- Messages
- 319
- Thread Author
-
- #105
@ChatGPT
I got as far as step 2, where I invoked:
dism.exe /online /enable-feature /featurename:WindowsSubsystemLinux /all /norestart
and got:
Deployment Image Servicing and Management tool
Version: 10.0.19041.3636
Image Version: 10.0.19045.6456
Error: 0x800f080c
Feature name WindowsSubsystemLinux is unknown.
A Windows feature name was not recognized.
Use the /Get-Features option to find the name of the feature in the image and try the command again.
The DISM log file can be found at C:\Windows\Logs\DISM\dism.log
I got as far as step 2, where I invoked:
dism.exe /online /enable-feature /featurename:WindowsSubsystemLinux /all /norestart
and got:
Deployment Image Servicing and Management tool
Version: 10.0.19041.3636
Image Version: 10.0.19045.6456
Error: 0x800f080c
Feature name WindowsSubsystemLinux is unknown.
A Windows feature name was not recognized.
Use the /Get-Features option to find the name of the feature in the image and try the command again.
The DISM log file can be found at C:\Windows\Logs\DISM\dism.log
- Joined
- Mar 14, 2023
- Messages
- 97,400
Thanks — that DISM error just means the WSL feature name the command used didn’t match what your Windows image supports (or virtualization wasn’t enabled in BIOS). Before we keep trying fragile extraction tricks, let’s fix WSL so binwalk can run (this is the simplest, most reliable extraction method).
Two quick questions before anything else:
1) Did you enable virtualization (SVM) in the BIOS and reboot? (You must do this first on AMD boards.
2) Which Windows edition/build are you running? In an elevated PowerShell run: systeminfo | findstr /B /C:"OS Name" /C:"OS Version" and paste the output.
If you have not enabled virtualization in the BIOS — do that now:
Notes:
If the feature names do not appear, paste the systeminfo output you collected earlier — that will tell us whether your Windows build supports WSL by DISM or if you need an OS update.
If you prefer not to enable WSL / virtualization, say so and I’ll continue with the pure‑Windows carve approach (PowerShell carving + 7‑Zip) — but WSL/binwalk is usually far quicker and more likely to find the embedded MSI/CAB and the .inf/.sys you need.
Which do you want to do now:
A) Enable BIOS SVM and run the DISM feature commands above (recommended), or
B) Continue with a pure‑Windows extraction attempt (I’ll provide another step‑by‑step carve attempt that avoids scripts).
Two quick questions before anything else:
1) Did you enable virtualization (SVM) in the BIOS and reboot? (You must do this first on AMD boards.
2) Which Windows edition/build are you running? In an elevated PowerShell run: systeminfo | findstr /B /C:"OS Name" /C:"OS Version" and paste the output.
If you have not enabled virtualization in the BIOS — do that now:
- Reboot → Del for BIOS → F7 for Advanced Mode → Advanced → CPU Configuration → SVM Mode = Enabled → Save & Exit (F10) and boot Windows.
enable the Virtual Machine Platform feature
dism.exe /online /enable-feature /featurename:VirtualMachinePlatform /all /norestartenable the correct WSL feature name on Windows 10/11
dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestartreboot for changes to take effect
Restart-ComputerNotes:
- Use the exact names above: VirtualMachinePlatform and Microsoft-Windows-Subsystem-Linux. The DISM error you saw earlier (“feature name unknown”) happens if the feature string is misspelled or your image is too old — the command above should work on Windows 10 2004+ and on Windows 11.
- If the second DISM line still errors, run this to list available feature names and paste the lines that mention Linux or VirtualMachine:
If the feature names do not appear, paste the systeminfo output you collected earlier — that will tell us whether your Windows build supports WSL by DISM or if you need an OS update.
If you prefer not to enable WSL / virtualization, say so and I’ll continue with the pure‑Windows carve approach (PowerShell carving + 7‑Zip) — but WSL/binwalk is usually far quicker and more likely to find the embedded MSI/CAB and the .inf/.sys you need.
Which do you want to do now:
A) Enable BIOS SVM and run the DISM feature commands above (recommended), or
B) Continue with a pure‑Windows extraction attempt (I’ll provide another step‑by‑step carve attempt that avoids scripts).
Nomad of Norad
Fantastic Member
- Joined
- Jan 9, 2009
- Messages
- 319
- Thread Author
-
- #107
@ChatGPT
I did set SVM Mode = Enabled in bios.
And the systeminfo result is:
OS Name: Microsoft Windows 10 Home
OS Version: 10.0.19045 N/A Build 19045
Hmmmm... it looks like there might have been a typo, your previous message said /featurename:WindowsSubsystemLinux while the newer one above said /featurename:Microsoft-Windows-Subsystem-Linux and THAT one now completed successfully.
I did set SVM Mode = Enabled in bios.
And the systeminfo result is:
OS Name: Microsoft Windows 10 Home
OS Version: 10.0.19045 N/A Build 19045
Hmmmm... it looks like there might have been a typo, your previous message said /featurename:WindowsSubsystemLinux while the newer one above said /featurename:Microsoft-Windows-Subsystem-Linux and THAT one now completed successfully.
- Joined
- Mar 14, 2023
- Messages
- 97,400
Great — thanks for enabling SVM and confirming your Windows version. Since the Microsoft‑Windows‑Subsystem‑Linux feature installed successfully, the fastest, most reliable next step is to install a WSL distro (Ubuntu), install binwalk inside it, and let binwalk extract whatever is embedded inside combined.bin. I’ll give exact, copy/paste commands for everything — do them in order and paste back the binwalk output when it finishes.
Step A — install Ubuntu WSL (one command in elevated PowerShell)
In the Ubuntu shell run these commands (copy/paste each line, press Enter):
sudo apt update
sudo apt install -y binwalk p7zip-full
Step C — run binwalk to extract embedded files
Assuming combined.bin is located at C:\Temp\SamsungExtract\combined.bin, run these in the Ubuntu shell:
cd /mnt/c/Temp/SamsungExtract
binwalk -e combined.bin
binwalk will create a directory named something like _combined.bin.extracted in that same folder. After binwalk finishes, run:
ls -la _combined.bin.extracted
Paste the whole binwalk stdout here (the terminal output), and paste the ls / find output. That lets me tell you exactly which file to extract next.
Step D — if binwalk extracted an MSI or a CAB
If you see an .msi or .cab inside the _combined.bin.extracted folder, extract it (still in WSL):
Then inspect:
ls -la _extracted_msi
find _extracted_msi -type f | grep -iE '.inf$|.sys$|.cat$'
If you find .inf/.sys files, copy that extracted driver folder to a USB or to C:\Temp\SamsungDriver and tell me the path/USB letter. I will then give the exact DISM + registry + bcdboot commands to inject them into the offline Windows image (Hiren’s PE) and rebuild UEFI boot.
If binwalk DID NOT find any MSI/CAB but found other files, paste the binwalk output and the files listing and I’ll assess.
Quick fallback: if you prefer not to use WSL
Tell me and I’ll provide one last pure‑Windows carve + 7‑Zip sequence (but WSL/binwalk is more reliable for these SFX fragments).
I’ll wait for your binwalk output and file listing.
Step A — install Ubuntu WSL (one command in elevated PowerShell)
- Open PowerShell as Administrator and run:
wsl --install -d Ubuntu - If that completes, launch Ubuntu from Start (or run wsl) and finish the first‑time setup (create your UNIX username/password). If the command says the distro needs to be installed from the Store, open the Microsoft Store, search “Ubuntu” and install the latest Ubuntu LTS, then launch it.
In the Ubuntu shell run these commands (copy/paste each line, press Enter):
sudo apt update
sudo apt install -y binwalk p7zip-full
Step C — run binwalk to extract embedded files
Assuming combined.bin is located at C:\Temp\SamsungExtract\combined.bin, run these in the Ubuntu shell:
cd /mnt/c/Temp/SamsungExtract
binwalk -e combined.bin
binwalk will create a directory named something like _combined.bin.extracted in that same folder. After binwalk finishes, run:
ls -la _combined.bin.extracted
and also show any nested extracted directories
find _combined.bin.extracted -maxdepth 2 -type f -printf "%p\n"Paste the whole binwalk stdout here (the terminal output), and paste the ls / find output. That lets me tell you exactly which file to extract next.
Step D — if binwalk extracted an MSI or a CAB
If you see an .msi or .cab inside the _combined.bin.extracted folder, extract it (still in WSL):
example if installer.msi appears
7z x _combined.bin.extracted/installer.msi -o_extracted_msiThen inspect:
ls -la _extracted_msi
find _extracted_msi -type f | grep -iE '.inf$|.sys$|.cat$'
If you find .inf/.sys files, copy that extracted driver folder to a USB or to C:\Temp\SamsungDriver and tell me the path/USB letter. I will then give the exact DISM + registry + bcdboot commands to inject them into the offline Windows image (Hiren’s PE) and rebuild UEFI boot.
If binwalk DID NOT find any MSI/CAB but found other files, paste the binwalk output and the files listing and I’ll assess.
Quick fallback: if you prefer not to use WSL
Tell me and I’ll provide one last pure‑Windows carve + 7‑Zip sequence (but WSL/binwalk is more reliable for these SFX fragments).
I’ll wait for your binwalk output and file listing.
Nomad of Norad
Fantastic Member
- Joined
- Jan 9, 2009
- Messages
- 319
- Thread Author
-
- #109
@ChatGPT
Okay, at step A, I finished 1, and it launched into a window saying Welcome to Windows Subsystem for Linux (is that WSL?), on the other hand, I launched Ubuntu from Start (and there appear to be two Ubuntu icons there) and that seems to be stuck at:
wsl: Waiting for OOBE command to complete for distribution "Ubuntu"...
Okay, at step A, I finished 1, and it launched into a window saying Welcome to Windows Subsystem for Linux (is that WSL?), on the other hand, I launched Ubuntu from Start (and there appear to be two Ubuntu icons there) and that seems to be stuck at:
wsl: Waiting for OOBE command to complete for distribution "Ubuntu"...
- Joined
- Mar 14, 2023
- Messages
- 97,400
Thanks — that message means the Ubuntu distro’s first‑run setup (OOBE) didn’t finish. Usually it’s fixable without nuking anything. Pick a path below — I’ll stay with you.
Quick recommended troubleshooting (safe — won’t delete your distro)
1) Open PowerShell as Administrator and run these three commands (copy/paste each and press Enter):
wsl --status
wsl -l -v
wsl --update
2) Then cleanly stop WSL and retry launching Ubuntu:
wsl --shutdown
wsl -d Ubuntu
If Ubuntu still shows “Waiting for OOBE…”, try:
wsl --terminate Ubuntu
wsl -d Ubuntu
After each step, tell me the exact output (especially from wsl -l -v and wsl --status). That will show whether the distro is Installed/Running and what version it uses.
If the terminate/restart doesn’t help
3) Reinstall the distro (this WILL remove that Ubuntu instance and any data inside it — only do this if you don’t need anything saved from the new distro):
wsl --unregister Ubuntu
wsl --install -d ubuntu
Then launch Ubuntu from Start and complete the install prompts.
If you prefer not to unregister
4) Use the Store to Repair/Reset the Ubuntu app:
Tell me and I’ll continue with the pure‑Windows carving approach (PowerShell carving + 7‑Zip) — no virtualization required. That path can succeed too; it’s just a bit more manual and noisier.
Which do you want to try now?
Quick recommended troubleshooting (safe — won’t delete your distro)
1) Open PowerShell as Administrator and run these three commands (copy/paste each and press Enter):
wsl --status
wsl -l -v
wsl --update
2) Then cleanly stop WSL and retry launching Ubuntu:
wsl --shutdown
wsl -d Ubuntu
If Ubuntu still shows “Waiting for OOBE…”, try:
wsl --terminate Ubuntu
wsl -d Ubuntu
After each step, tell me the exact output (especially from wsl -l -v and wsl --status). That will show whether the distro is Installed/Running and what version it uses.
If the terminate/restart doesn’t help
3) Reinstall the distro (this WILL remove that Ubuntu instance and any data inside it — only do this if you don’t need anything saved from the new distro):
wsl --unregister Ubuntu
wsl --install -d ubuntu
Then launch Ubuntu from Start and complete the install prompts.
If you prefer not to unregister
4) Use the Store to Repair/Reset the Ubuntu app:
- Start → Settings → Apps → Search Ubuntu → Advanced options → Repair (or Reset). Repair tries to fix without wiping. If Repair fails, Reset will remove the distro.
Tell me and I’ll continue with the pure‑Windows carving approach (PowerShell carving + 7‑Zip) — no virtualization required. That path can succeed too; it’s just a bit more manual and noisier.
Which do you want to try now?
- I’ll wait for the outputs of wsl --status and wsl -l -v if you want me to diagnose; or
- say “Unregister & reinstall” if you prefer I walk you through reinstalling Ubuntu (you’ll lose any files in that WSL instance).
Nomad of Norad
Fantastic Member
- Joined
- Jan 9, 2009
- Messages
- 319
- Thread Author
-
- #111
@ChatGPT
On the other hand, I just noticed in the elevated powershell:
Downloading: Ubuntu
Installing: Ubuntu
Distribution successfully installed. It can be launched via 'wsl.exe -d Ubuntu'
Launching Ubuntu...
Provisioning the new WSL instance Ubuntu
This might take a while...
Create a default Unix user account: cosair
....so, I guess it's still setting stuff up?
On the other hand, I just noticed in the elevated powershell:
Downloading: Ubuntu
Installing: Ubuntu
Distribution successfully installed. It can be launched via 'wsl.exe -d Ubuntu'
Launching Ubuntu...
Provisioning the new WSL instance Ubuntu
This might take a while...
Create a default Unix user account: cosair
....so, I guess it's still setting stuff up?
- Joined
- Mar 14, 2023
- Messages
- 97,400
Yes — that output means Ubuntu provisioning (OOBE) is still running and creating your WSL user account. That can take a minute or two on some machines. It’s normal — let it finish. When it finishes you’ll drop into the Ubuntu shell prompt.
When you have the Ubuntu prompt, run the exact commands below (copy/paste each line in order). I’ll explain what each does and then I’ll wait for the outputs you paste back.
1) Install binwalk and 7zip inside WSL
sudo apt update
sudo apt install -y binwalk p7zip-full
2) Change to the folder containing your combined.bin (adjust if your combined.bin is elsewhere)
cd /mnt/c/Temp/SamsungExtract
ls -la combined.bin
(Confirm the file exists and show its size.
3) Run binwalk to auto‑extract embedded files
binwalk -e combined.bin
4) Show the extracted results
ls -la _combined.bin.extracted
Paste the full terminal output from steps 3 and 4 here. If binwalk extracted an .msi/.cab it will be visible; I’ll then give the exact 7z commands to extract that and find .inf/.sys files.
If provisioning seems stuck for more than a few minutes
Run these in an elevated Windows PowerShell and paste output here:
wsl --status
wsl -l -v
If Ubuntu is stuck and not finishing, run:
wsl --shutdown
and then relaunch Ubuntu (Start → Ubuntu) or run:
wsl -d Ubuntu
If those still don’t get you to a shell, tell me and I’ll give the steps to unregister & reinstall (that will remove the WSL instance, which is OK here because you just created it).
Tell me when you have the Ubuntu prompt and/or paste the binwalk output and directory listing and I’ll take the next step.
When you have the Ubuntu prompt, run the exact commands below (copy/paste each line in order). I’ll explain what each does and then I’ll wait for the outputs you paste back.
1) Install binwalk and 7zip inside WSL
sudo apt update
sudo apt install -y binwalk p7zip-full
2) Change to the folder containing your combined.bin (adjust if your combined.bin is elsewhere)
cd /mnt/c/Temp/SamsungExtract
ls -la combined.bin
(Confirm the file exists and show its size.
3) Run binwalk to auto‑extract embedded files
binwalk -e combined.bin
4) Show the extracted results
ls -la _combined.bin.extracted
and list any nested files
find _combined.bin.extracted -maxdepth 3 -type f -printf "%p\n"Paste the full terminal output from steps 3 and 4 here. If binwalk extracted an .msi/.cab it will be visible; I’ll then give the exact 7z commands to extract that and find .inf/.sys files.
If provisioning seems stuck for more than a few minutes
Run these in an elevated Windows PowerShell and paste output here:
wsl --status
wsl -l -v
If Ubuntu is stuck and not finishing, run:
wsl --shutdown
and then relaunch Ubuntu (Start → Ubuntu) or run:
wsl -d Ubuntu
If those still don’t get you to a shell, tell me and I’ll give the steps to unregister & reinstall (that will remove the WSL instance, which is OK here because you just created it).
Tell me when you have the Ubuntu prompt and/or paste the binwalk output and directory listing and I’ll take the next step.
Nomad of Norad
Fantastic Member
- Joined
- Jan 9, 2009
- Messages
- 319
- Thread Author
-
- #113
@ChatGPT
Okay, got as far as 4) and got:
cosair@DESKTOP-1IUHAB1:/mnt/c/Temp/SamsungExtract$ binwalk -e combined.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
3 0x3 XML document, version: "1.0"
16949 0x4235 Microsoft executable, portable (PE)
254864 0x3E390 mcrypt 2.5 encrypted data, algorithm: "sProcessorFeaturePresent", keysize: 1069 bytes, mode: "Q",
262293 0x40095 PNG image, 256 x 256, 8-bit/color RGBA, non-interlaced
Signature Exception: [Errno 1] Operation not permitted: '/mnt/c/Temp/SamsungExtract/_combined.bin.extracted'
----------------------------------------------------------------------------------------------------
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/binwalk/core/module.py", line 595, in main
retval = self.run()
^^^^^^^^^^
File "/usr/lib/python3/dist-packages/binwalk/modules/signature.py", line 192, in run
self.scan_file(fp)
File "/usr/lib/python3/dist-packages/binwalk/modules/signature.py", line 171, in scan_file
self.result(r=r)
File "/usr/lib/python3/dist-packages/binwalk/core/module.py", line 489, in result
getattr(self, dependency.attribute).callback(r)
File "/usr/lib/python3/dist-packages/binwalk/modules/extractor.py", line 256, in callback
(extraction_directory, dd_file, scan_extracted_files, extraction_utility) = self.extract(r.offset,
^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/binwalk/modules/extractor.py", line 628, in extract
output_directory = self.build_output_directory(file_name)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/binwalk/modules/extractor.py", line 580, in build_output_directory
os.chown(output_directory, self.runas_uid, self.runas_gid)
PermissionError: [Errno 1] Operation not permitted: '/mnt/c/Temp/SamsungExtract/_combined.bin.extracted'
----------------------------------------------------------------------------------------------------
Okay, got as far as 4) and got:
cosair@DESKTOP-1IUHAB1:/mnt/c/Temp/SamsungExtract$ binwalk -e combined.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
3 0x3 XML document, version: "1.0"
16949 0x4235 Microsoft executable, portable (PE)
254864 0x3E390 mcrypt 2.5 encrypted data, algorithm: "sProcessorFeaturePresent", keysize: 1069 bytes, mode: "Q",
262293 0x40095 PNG image, 256 x 256, 8-bit/color RGBA, non-interlaced
Signature Exception: [Errno 1] Operation not permitted: '/mnt/c/Temp/SamsungExtract/_combined.bin.extracted'
----------------------------------------------------------------------------------------------------
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/binwalk/core/module.py", line 595, in main
retval = self.run()
^^^^^^^^^^
File "/usr/lib/python3/dist-packages/binwalk/modules/signature.py", line 192, in run
self.scan_file(fp)
File "/usr/lib/python3/dist-packages/binwalk/modules/signature.py", line 171, in scan_file
self.result(r=r)
File "/usr/lib/python3/dist-packages/binwalk/core/module.py", line 489, in result
getattr(self, dependency.attribute).callback(r)
File "/usr/lib/python3/dist-packages/binwalk/modules/extractor.py", line 256, in callback
(extraction_directory, dd_file, scan_extracted_files, extraction_utility) = self.extract(r.offset,
^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/binwalk/modules/extractor.py", line 628, in extract
output_directory = self.build_output_directory(file_name)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/binwalk/modules/extractor.py", line 580, in build_output_directory
os.chown(output_directory, self.runas_uid, self.runas_gid)
PermissionError: [Errno 1] Operation not permitted: '/mnt/c/Temp/SamsungExtract/_combined.bin.extracted'
----------------------------------------------------------------------------------------------------
- Joined
- Mar 14, 2023
- Messages
- 97,400
Good — binwalk found signatures but failed to extract because it couldn’t chown the extraction directory on the mounted NTFS path. Easiest fix: run binwalk on a file copied into WSL’s native filesystem (no NTFS ownership issues). Do this now — copy the combined.bin into your WSL home, run binwalk there, and show me what it extracted.
Copy + extract steps (paste each command into the Ubuntu WSL shell, in order)
1) copy combined.bin into your WSL home
cp /mnt/c/Temp/SamsungExtract/combined.bin ~/
2) change to your home and run binwalk extract there
cd ~
binwalk -e combined.bin
3) show the extraction results (list extracted folder)
ls -la _combined.bin.extracted
Paste the full output you get from commands 2 and 3 here.
What I’ll look for in your output
Copy + extract steps (paste each command into the Ubuntu WSL shell, in order)
1) copy combined.bin into your WSL home
cp /mnt/c/Temp/SamsungExtract/combined.bin ~/
2) change to your home and run binwalk extract there
cd ~
binwalk -e combined.bin
3) show the extraction results (list extracted folder)
ls -la _combined.bin.extracted
and list nested files (helpful)
find _combined.bin.extracted -maxdepth 3 -type f -printf "%p\n"Paste the full output you get from commands 2 and 3 here.
What I’ll look for in your output
- Any extracted MSI, CAB, ZIP, or folders that include .inf/.sys files.
- If binwalk created a folder like _combined.bin.extracted/<offset>/ and inside there is an MSI or a folder named something like payload or resources, I’ll tell you the exact 7z command to extract the MSI or the files.
- If binwalk only found a PE at offset 16949 (as your earlier output showed) we can try to extract resources from that PE (it might be a self‑extracting exe containing the installer). I’ll guide you how to use 7z or strings on that PE next.
- If you see an MSI or driver files, I’ll give the DISM injection commands to run in Hiren’s PE (exact to your drive letters) so we can inject and rebuild the BCD.
- If binwalk extracted only a PE and not an MSI, we’ll try extracting resources from that PE (7‑Zip often opens PE resource containers or we can use winedump/7z inside WSL).
Nomad of Norad
Fantastic Member
- Joined
- Jan 9, 2009
- Messages
- 319
- Thread Author
-
- #115
@ChatGPT
cosair@DESKTOP-1IUHAB1:~$ binwalk -e combined.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
3 0x3 XML document, version: "1.0"
16949 0x4235 Microsoft executable, portable (PE)
254864 0x3E390 mcrypt 2.5 encrypted data, algorithm: "sProcessorFeaturePresent", keysize: 1069 bytes, mode: "Q",
262293 0x40095 PNG image, 256 x 256, 8-bit/color RGBA, non-interlaced
262373 0x400E5 Zlib compressed data, best compression
372365 0x5AE8D XML document, version: "1.0"
382005 0x5D435 Microsoft executable, portable (PE)
394013 0x6031D XML document, version: "1.0"
394805 0x60635 Microsoft executable, portable (PE)
503336 0x7AE28 mcrypt 2.5 encrypted data, algorithm: "sProcessorFeaturePresent", keysize: 615 bytes, mode: "G",
508501 0x7C255 XML document, version: "1.0"
513589 0x7D635 PNG image, 154 x 314, 8-bit/color RGBA, non-interlaced
513674 0x7D68A Zlib compressed data, best compression
516346 0x7E0FA Zlib compressed data, best compression
586829 0x8F44D PNG image, 64 x 64, 8-bit/color RGBA, non-interlaced
586920 0x8F4A8 Zlib compressed data, compressed
590992 0x90490 XML document, version: "1.0"
597538 0x91E22 Microsoft executable, portable (PE)
1544746 0x17922A Object signature in DER format (PKCS header length: 4, sequence length: 16018
1544867 0x1792A3 Certificate in DER format (x509 v3), header length: 4, sequence length: 1219
1546090 0x17976A Certificate in DER format (x509 v3), header length: 4, sequence length: 1260
1547354 0x179C5A Certificate in DER format (x509 v3), header length: 4, sequence length: 1468
1548826 0x17A21A Certificate in DER format (x509 v3), header length: 4, sequence length: 1543
1551560 0x17ACC8 Object signature in DER format (PKCS header length: 4, sequence length: 9204
1551701 0x17AD55 Certificate in DER format (x509 v3), header length: 4, sequence length: 1552
1553257 0x17B369 Certificate in DER format (x509 v3), header length: 4, sequence length: 1914
1555850 0x17BD8A Object signature in DER format (PKCS header length: 4, sequence length: 4914
1556218 0x17BEFA Certificate in DER format (x509 v3), header length: 4, sequence length: 1649
1557871 0x17C56F Certificate in DER format (x509 v3), header length: 4, sequence length: 1242
1560770 0x17D0C2 Microsoft executable, portable (PE)
1584331 0x182CCB mcrypt 2.5 encrypted data, algorithm: "sProcessorFeaturePresent", keysize: 1069 bytes, mode: "Q",
1631362 0x18E482 XML document, version: "1.0"
1633474 0x18ECC2 Microsoft executable, portable (PE)
2560013 0x27100D mcrypt 2.5 encrypted data, algorithm: "sProcessorFeaturePresent", keysize: 704 bytes, mode: "G",
2588362 0x277ECA Object signature in DER format (PKCS header length: 4, sequence length: 16018
2588483 0x277F43 Certificate in DER format (x509 v3), header length: 4, sequence length: 1219
2589706 0x27840A Certificate in DER format (x509 v3), header length: 4, sequence length: 1260
2590970 0x2788FA Certificate in DER format (x509 v3), header length: 4, sequence length: 1468
2592442 0x278EBA Certificate in DER format (x509 v3), header length: 4, sequence length: 1543
2595176 0x279968 Object signature in DER format (PKCS header length: 4, sequence length: 9204
2595317 0x2799F5 Certificate in DER format (x509 v3), header length: 4, sequence length: 1552
2596873 0x27A009 Certificate in DER format (x509 v3), header length: 4, sequence length: 1914
2599466 0x27AA2A Object signature in DER format (PKCS header length: 4, sequence length: 4914
2599834 0x27AB9A Certificate in DER format (x509 v3), header length: 4, sequence length: 1649
2601487 0x27B20F Certificate in DER format (x509 v3), header length: 4, sequence length: 1242
2619406 0x27F80E Copyright string: "copyright notices and any other proprietary rights notices appearing on the Software."
2770805 0x2A4775 LANCOM firmware loader, model: " SAMSUNG GARANTIERT NICHT, DASS DIE SOFTWA\hich\af31506\dbch\af31505\loch\f31506 R\hich\af31506\dbch\af31505\loch\f31506 \hich\f", loader version: "REN.",
2900811 0x2C434B Copyright string: "copyright e qualunque altra notifica d"
3216961 0x311641 Copyright string: "Copyright (c) 2020, SAMSUNG ELECTRONICS CO., LTD. "
3217243 0x31175B Copyright string: "copyright notice, this list of conditions and the following disclaimer. "
3217376 0x3117E0 Copyright string: "copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with"
3218285 0x311B6D XML document, version: "1.0"
3232351 0x31525F PNG image, 64 x 64, 8-bit/color RGB, non-interlaced
3248251 0x31907B Copyright string: "copyright notices and any other proprietary rights notices appearing on the Software."
3272829 0x31F07D Microsoft executable, portable (PE)
3350077 0x331E3D XML document, version: "1.0"
3358394 0x333EBA XML document, version: "1.0"
3364940 0x33584C XML document, version: "1.0"
3372022 0x3373F6 XML document, version: "1.0"
3379267 0x339043 XML document, version: "1.0"
3386283 0x33ABAB XML document, version: "1.0"
3393460 0x33C7B4 XML document, version: "1.0"
3400447 0x33E2FF XML document, version: "1.0"
3408545 0x3402A1 XML document, version: "1.0"
3417552 0x3425D0 XML document, version: "1.0"
3423687 0x343DC7 XML document, version: "1.0"
cosair@DESKTOP-1IUHAB1:~$ ls -la _combined.bin.extracted
total 12092
drwxr-xr-x 2 cosair cosair 4096 Oct 26 00:52 .
drwxr-x--- 5 cosair cosair 4096 Oct 26 00:52 ..
-rw-r--r-- 1 cosair cosair 262400 Oct 26 00:52 400E5
-rw-r--r-- 1 cosair cosair 3178091 Oct 26 00:52 400E5.zlib
-rw-r--r-- 1 cosair cosair 3144 Oct 26 00:52 7D68A
-rw-r--r-- 1 cosair cosair 2926790 Oct 26 00:52 7D68A.zlib
-rw-r--r-- 1 cosair cosair 193738 Oct 26 00:52 7E0FA
-rw-r--r-- 1 cosair cosair 2924118 Oct 26 00:52 7E0FA.zlib
-rw-r--r-- 1 cosair cosair 16448 Oct 26 00:52 8F4A8
-rw-r--r-- 1 cosair cosair 2853544 Oct 26 00:52 8F4A8.zlib
cosair@DESKTOP-1IUHAB1:~$ find _combined.bin.extracted -maxdepth 3 -type f -printf "%p\n"
_combined.bin.extracted/400E5.zlib
_combined.bin.extracted/7E0FA
_combined.bin.extracted/8F4A8
_combined.bin.extracted/7D68A
_combined.bin.extracted/7E0FA.zlib
_combined.bin.extracted/8F4A8.zlib
_combined.bin.extracted/7D68A.zlib
_combined.bin.extracted/400E5
cosair@DESKTOP-1IUHAB1:~$
cosair@DESKTOP-1IUHAB1:~$ binwalk -e combined.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
3 0x3 XML document, version: "1.0"
16949 0x4235 Microsoft executable, portable (PE)
254864 0x3E390 mcrypt 2.5 encrypted data, algorithm: "sProcessorFeaturePresent", keysize: 1069 bytes, mode: "Q",
262293 0x40095 PNG image, 256 x 256, 8-bit/color RGBA, non-interlaced
262373 0x400E5 Zlib compressed data, best compression
372365 0x5AE8D XML document, version: "1.0"
382005 0x5D435 Microsoft executable, portable (PE)
394013 0x6031D XML document, version: "1.0"
394805 0x60635 Microsoft executable, portable (PE)
503336 0x7AE28 mcrypt 2.5 encrypted data, algorithm: "sProcessorFeaturePresent", keysize: 615 bytes, mode: "G",
508501 0x7C255 XML document, version: "1.0"
513589 0x7D635 PNG image, 154 x 314, 8-bit/color RGBA, non-interlaced
513674 0x7D68A Zlib compressed data, best compression
516346 0x7E0FA Zlib compressed data, best compression
586829 0x8F44D PNG image, 64 x 64, 8-bit/color RGBA, non-interlaced
586920 0x8F4A8 Zlib compressed data, compressed
590992 0x90490 XML document, version: "1.0"
597538 0x91E22 Microsoft executable, portable (PE)
1544746 0x17922A Object signature in DER format (PKCS header length: 4, sequence length: 16018
1544867 0x1792A3 Certificate in DER format (x509 v3), header length: 4, sequence length: 1219
1546090 0x17976A Certificate in DER format (x509 v3), header length: 4, sequence length: 1260
1547354 0x179C5A Certificate in DER format (x509 v3), header length: 4, sequence length: 1468
1548826 0x17A21A Certificate in DER format (x509 v3), header length: 4, sequence length: 1543
1551560 0x17ACC8 Object signature in DER format (PKCS header length: 4, sequence length: 9204
1551701 0x17AD55 Certificate in DER format (x509 v3), header length: 4, sequence length: 1552
1553257 0x17B369 Certificate in DER format (x509 v3), header length: 4, sequence length: 1914
1555850 0x17BD8A Object signature in DER format (PKCS header length: 4, sequence length: 4914
1556218 0x17BEFA Certificate in DER format (x509 v3), header length: 4, sequence length: 1649
1557871 0x17C56F Certificate in DER format (x509 v3), header length: 4, sequence length: 1242
1560770 0x17D0C2 Microsoft executable, portable (PE)
1584331 0x182CCB mcrypt 2.5 encrypted data, algorithm: "sProcessorFeaturePresent", keysize: 1069 bytes, mode: "Q",
1631362 0x18E482 XML document, version: "1.0"
1633474 0x18ECC2 Microsoft executable, portable (PE)
2560013 0x27100D mcrypt 2.5 encrypted data, algorithm: "sProcessorFeaturePresent", keysize: 704 bytes, mode: "G",
2588362 0x277ECA Object signature in DER format (PKCS header length: 4, sequence length: 16018
2588483 0x277F43 Certificate in DER format (x509 v3), header length: 4, sequence length: 1219
2589706 0x27840A Certificate in DER format (x509 v3), header length: 4, sequence length: 1260
2590970 0x2788FA Certificate in DER format (x509 v3), header length: 4, sequence length: 1468
2592442 0x278EBA Certificate in DER format (x509 v3), header length: 4, sequence length: 1543
2595176 0x279968 Object signature in DER format (PKCS header length: 4, sequence length: 9204
2595317 0x2799F5 Certificate in DER format (x509 v3), header length: 4, sequence length: 1552
2596873 0x27A009 Certificate in DER format (x509 v3), header length: 4, sequence length: 1914
2599466 0x27AA2A Object signature in DER format (PKCS header length: 4, sequence length: 4914
2599834 0x27AB9A Certificate in DER format (x509 v3), header length: 4, sequence length: 1649
2601487 0x27B20F Certificate in DER format (x509 v3), header length: 4, sequence length: 1242
2619406 0x27F80E Copyright string: "copyright notices and any other proprietary rights notices appearing on the Software."
2770805 0x2A4775 LANCOM firmware loader, model: " SAMSUNG GARANTIERT NICHT, DASS DIE SOFTWA\hich\af31506\dbch\af31505\loch\f31506 R\hich\af31506\dbch\af31505\loch\f31506 \hich\f", loader version: "REN.",
2900811 0x2C434B Copyright string: "copyright e qualunque altra notifica d"
3216961 0x311641 Copyright string: "Copyright (c) 2020, SAMSUNG ELECTRONICS CO., LTD. "
3217243 0x31175B Copyright string: "copyright notice, this list of conditions and the following disclaimer. "
3217376 0x3117E0 Copyright string: "copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with"
3218285 0x311B6D XML document, version: "1.0"
3232351 0x31525F PNG image, 64 x 64, 8-bit/color RGB, non-interlaced
3248251 0x31907B Copyright string: "copyright notices and any other proprietary rights notices appearing on the Software."
3272829 0x31F07D Microsoft executable, portable (PE)
3350077 0x331E3D XML document, version: "1.0"
3358394 0x333EBA XML document, version: "1.0"
3364940 0x33584C XML document, version: "1.0"
3372022 0x3373F6 XML document, version: "1.0"
3379267 0x339043 XML document, version: "1.0"
3386283 0x33ABAB XML document, version: "1.0"
3393460 0x33C7B4 XML document, version: "1.0"
3400447 0x33E2FF XML document, version: "1.0"
3408545 0x3402A1 XML document, version: "1.0"
3417552 0x3425D0 XML document, version: "1.0"
3423687 0x343DC7 XML document, version: "1.0"
cosair@DESKTOP-1IUHAB1:~$ ls -la _combined.bin.extracted
total 12092
drwxr-xr-x 2 cosair cosair 4096 Oct 26 00:52 .
drwxr-x--- 5 cosair cosair 4096 Oct 26 00:52 ..
-rw-r--r-- 1 cosair cosair 262400 Oct 26 00:52 400E5
-rw-r--r-- 1 cosair cosair 3178091 Oct 26 00:52 400E5.zlib
-rw-r--r-- 1 cosair cosair 3144 Oct 26 00:52 7D68A
-rw-r--r-- 1 cosair cosair 2926790 Oct 26 00:52 7D68A.zlib
-rw-r--r-- 1 cosair cosair 193738 Oct 26 00:52 7E0FA
-rw-r--r-- 1 cosair cosair 2924118 Oct 26 00:52 7E0FA.zlib
-rw-r--r-- 1 cosair cosair 16448 Oct 26 00:52 8F4A8
-rw-r--r-- 1 cosair cosair 2853544 Oct 26 00:52 8F4A8.zlib
cosair@DESKTOP-1IUHAB1:~$ find _combined.bin.extracted -maxdepth 3 -type f -printf "%p\n"
_combined.bin.extracted/400E5.zlib
_combined.bin.extracted/7E0FA
_combined.bin.extracted/8F4A8
_combined.bin.extracted/7D68A
_combined.bin.extracted/7E0FA.zlib
_combined.bin.extracted/8F4A8.zlib
_combined.bin.extracted/7D68A.zlib
_combined.bin.extracted/400E5
cosair@DESKTOP-1IUHAB1:~$
- Joined
- Mar 14, 2023
- Messages
- 97,400
Good progress — binwalk found several pieces and wrote them into _combined.bin.extracted. The next step is to inspect those extracted files and try to decompress the .zlib blobs; then look for MZ (PE/exe) or PK (ZIP/MSI/CAB) signatures inside the decompressed data. I’ll give a short sequence of commands to run in the Ubuntu WSL shell that will:
cd ~/ && cd _combined.bin.extracted
echo "=== listing extracted files ==="
ls -la
echo
echo "=== file / hexdump / sample strings for each file ==="
for f in *; do
echo
echo "----- $f -----"
file "$f"
echo "-- hexdump (first 64 bytes) --"
hexdump -C "$f" | sed -n '1,4p'
echo "-- strings (first matches) --"
strings -n 8 "$f" | sed -n '1,20p'
done
echo
echo "=== attempting to decompress any .zlib -> .raw (will skip on failure) ==="
for f in *.zlib 2>/dev/null; do
echo "processing: $f"
python3 - <<PY
import zlib,sys,os
f = r"$f"
try:
data = open(f,'rb').read
out = zlib.decompress(data)
outname = f + ".raw"
open(outname,'wb').write(out)
print("decompressed:", outname, "size:", len(out)
except Exception as e:
print("failed to decompress", f, ":", e)
PY
done
echo
echo "=== listing any newly created .raw files ==="
ls -la .raw 2>/dev/null || true
echo
echo "=== file / hexdump / strings on any .raw files ==="
for r in .raw 2>/dev/null; do
echo
echo "----- $r -----"
file "$r"
hexdump -C "$r" | sed -n '1,6p'
strings -n 8 "$r" | sed -n '1,40p'
done
When that completes, paste back the relevant parts of the output here (or attach). What I’ll look for:
Run the block above and paste the output (or at least the file/hex header lines and any “decompressed:” notices).
- show file type / a hex header and a few strings for each extracted file, and
- attempt to decompress every .zlib into a new .raw file (using Python/zlib), then show file/header info for any resulting files.
cd ~/ && cd _combined.bin.extracted
echo "=== listing extracted files ==="
ls -la
echo
echo "=== file / hexdump / sample strings for each file ==="
for f in *; do
echo
echo "----- $f -----"
file "$f"
echo "-- hexdump (first 64 bytes) --"
hexdump -C "$f" | sed -n '1,4p'
echo "-- strings (first matches) --"
strings -n 8 "$f" | sed -n '1,20p'
done
echo
echo "=== attempting to decompress any .zlib -> .raw (will skip on failure) ==="
for f in *.zlib 2>/dev/null; do
echo "processing: $f"
python3 - <<PY
import zlib,sys,os
f = r"$f"
try:
data = open(f,'rb').read
out = zlib.decompress(data)
outname = f + ".raw"
open(outname,'wb').write(out)
print("decompressed:", outname, "size:", len(out)
except Exception as e:
print("failed to decompress", f, ":", e)
PY
done
echo
echo "=== listing any newly created .raw files ==="
ls -la .raw 2>/dev/null || true
echo
echo "=== file / hexdump / strings on any .raw files ==="
for r in .raw 2>/dev/null; do
echo
echo "----- $r -----"
file "$r"
hexdump -C "$r" | sed -n '1,6p'
strings -n 8 "$r" | sed -n '1,40p'
done
When that completes, paste back the relevant parts of the output here (or attach). What I’ll look for:
- Any file (original or .raw) whose hexdump begins with “MZ” (Windows PE) or “PK” (ZIP/MSI/CAB) — that means it likely contains the installer or an MSI we can extract.
- Any .inf/.sys filename appearing in strings output or file output.
Run the block above and paste the output (or at least the file/hex header lines and any “decompressed:” notices).
Nomad of Norad
Fantastic Member
- Joined
- Jan 9, 2009
- Messages
- 319
- Joined
- Mar 14, 2023
- Messages
- 97,400
You're right — the Ubuntu shell started from the Windows Start menu often uses a terminal that doesn't accept Ctrl+V. Use one of these easy workarounds to get the multi‑line script into WSL without retyping.
Pick one method below (I recommend Method 1).
Method 1 — Put the script into a file on Windows and run it from WSL (recommended)
mkdir -p _combined.bin.extracted_work
cp /mnt/c/Temp/SamsungExtract/combined.bin . || { echo "combined.bin not found"; exit 1; }
echo "=== listing combined.bin ==="
ls -lh combined.bin
echo
echo "=== binwalk extract ==="
binwalk -e combined.bin || { echo "binwalk failed"; exit 0; }
echo
echo "=== listing extracted files ==="
ls -la _combined.bin.extracted || ls -la _combined.bin.extracted
echo
echo "=== inspect files (hexdump + strings) ==="
for f in _combined.bin.extracted/ 2>/dev/null; do
echo
echo "---- $f ----"
file "$f"
hexdump -C "$f" | sed -n '1,4p'
strings -n 8 "$f" | sed -n '1,20p'
done
echo
echo "=== try decompressing any .zlib files to .raw ==="
for z in _combined.bin.extracted/.zlib 2>/dev/null; do
echo "processing $z"
python3 - <<PY
import zlib,sys,os
p = "$z"
try:
data = open(p,"rb").read
out = zlib.decompress(data)
outname = p + ".raw"
open(outname,"wb").write(out)
print("decompressed:", outname, "size:", len(out)
except Exception as e:
print("failed to decompress", p, ":", e)
PY
done
echo
echo "=== list any .raw files ==="
ls -la _combined.bin.extracted/.raw 2>/dev/null || true
/mnt/c/Temp/binwalk_extract.sh
The script will copy combined.bin into your WSL home, run binwalk there, list/examine extracted files and attempt to decompress .zlib blobs. Paste the script output here when it finishes.
Method 2 — Paste into the Ubuntu window using terminal paste keys
Method 3 — Create the script from Windows cmd quickly (one command)
Run this in an elevated Windows CMD (it writes the script file for you):
type > C:\Temp\binwalk_extract.sh <<'EOF'
mkdir -p _combined.bin.extracted_work
cp /mnt/c/Temp/SamsungExtract/combined.bin . || { echo "combined.bin not found"; exit 1; }
echo "=== listing combined.bin ==="
ls -lh combined.bin
echo
echo "=== binwalk extract ==="
binwalk -e combined.bin || { echo "binwalk failed"; exit 0; }
echo
echo "=== listing extracted files ==="
ls -la _combined.bin.extracted || ls -la _combined.bin.extracted
echo
echo "=== inspect files (hexdump + strings) ==="
for f in _combined.bin.extracted/ 2>/dev/null; do
echo
echo "---- $f ----"
file "$f"
hexdump -C "$f" | sed -n '1,4p'
strings -n 8 "$f" | sed -n '1,20p'
done
echo
echo "=== try decompressing any .zlib files to .raw ==="
for z in _combined.bin.extracted/.zlib 2>/dev/null; do
echo "processing $z"
python3 - <<PY
import zlib,sys,os
p = "$z"
try:
data = open(p,"rb").read
out = zlib.decompress(data)
outname = p + ".raw"
open(outname,"wb").write(out)
print("decompressed:", outname, "size:", len(out)
except Exception as e:
print("failed to decompress", p, ":", e)
PY
done
echo
echo "=== list any .raw files ==="
ls -la _combined.bin.extracted/.raw 2>/dev/null || true
EOF
Then run it from WSL as in Method 1.
After it finishes, paste the important parts of the output (particularly any lines showing:
Pick one method below (I recommend Method 1).
Method 1 — Put the script into a file on Windows and run it from WSL (recommended)
- Open Notepad (or Notepad++) in Windows.
- Paste this exact script into Notepad (no changes):
!/bin/bash
cd /home/$(whoami)mkdir -p _combined.bin.extracted_work
cp /mnt/c/Temp/SamsungExtract/combined.bin . || { echo "combined.bin not found"; exit 1; }
echo "=== listing combined.bin ==="
ls -lh combined.bin
echo
echo "=== binwalk extract ==="
binwalk -e combined.bin || { echo "binwalk failed"; exit 0; }
echo
echo "=== listing extracted files ==="
ls -la _combined.bin.extracted || ls -la _combined.bin.extracted
echo
echo "=== inspect files (hexdump + strings) ==="
for f in _combined.bin.extracted/ 2>/dev/null; do
echo
echo "---- $f ----"
file "$f"
hexdump -C "$f" | sed -n '1,4p'
strings -n 8 "$f" | sed -n '1,20p'
done
echo
echo "=== try decompressing any .zlib files to .raw ==="
for z in _combined.bin.extracted/.zlib 2>/dev/null; do
echo "processing $z"
python3 - <<PY
import zlib,sys,os
p = "$z"
try:
data = open(p,"rb").read
out = zlib.decompress(data)
outname = p + ".raw"
open(outname,"wb").write(out)
print("decompressed:", outname, "size:", len(out)
except Exception as e:
print("failed to decompress", p, ":", e)
PY
done
echo
echo "=== list any .raw files ==="
ls -la _combined.bin.extracted/.raw 2>/dev/null || true
- Save the file as C:\Temp\binwalk_extract.sh (create C:\Temp if it doesn't exist).
- In an elevated Ubuntu WSL shell run:
make it executable and run it from WSL
chmod +x /mnt/c/Temp/binwalk_extract.sh/mnt/c/Temp/binwalk_extract.sh
The script will copy combined.bin into your WSL home, run binwalk there, list/examine extracted files and attempt to decompress .zlib blobs. Paste the script output here when it finishes.
Method 2 — Paste into the Ubuntu window using terminal paste keys
- If you use Windows Terminal: press Ctrl+Shift+V to paste.
- If you use the legacy console: right‑click inside the window to paste.
- Shift+Insert sometimes works too.
Method 3 — Create the script from Windows cmd quickly (one command)
Run this in an elevated Windows CMD (it writes the script file for you):
type > C:\Temp\binwalk_extract.sh <<'EOF'
!/bin/bash
cd /home/$(whoami)mkdir -p _combined.bin.extracted_work
cp /mnt/c/Temp/SamsungExtract/combined.bin . || { echo "combined.bin not found"; exit 1; }
echo "=== listing combined.bin ==="
ls -lh combined.bin
echo
echo "=== binwalk extract ==="
binwalk -e combined.bin || { echo "binwalk failed"; exit 0; }
echo
echo "=== listing extracted files ==="
ls -la _combined.bin.extracted || ls -la _combined.bin.extracted
echo
echo "=== inspect files (hexdump + strings) ==="
for f in _combined.bin.extracted/ 2>/dev/null; do
echo
echo "---- $f ----"
file "$f"
hexdump -C "$f" | sed -n '1,4p'
strings -n 8 "$f" | sed -n '1,20p'
done
echo
echo "=== try decompressing any .zlib files to .raw ==="
for z in _combined.bin.extracted/.zlib 2>/dev/null; do
echo "processing $z"
python3 - <<PY
import zlib,sys,os
p = "$z"
try:
data = open(p,"rb").read
out = zlib.decompress(data)
outname = p + ".raw"
open(outname,"wb").write(out)
print("decompressed:", outname, "size:", len(out)
except Exception as e:
print("failed to decompress", p, ":", e)
PY
done
echo
echo "=== list any .raw files ==="
ls -la _combined.bin.extracted/.raw 2>/dev/null || true
EOF
Then run it from WSL as in Method 1.
After it finishes, paste the important parts of the output (particularly any lines showing:
- decompressed: <file>.raw
- file headers that start with "MZ" or "PK"
- any .inf or .sys names shown by strings)
Nomad of Norad
Fantastic Member
- Joined
- Jan 9, 2009
- Messages
- 319
- Joined
- Mar 14, 2023
- Messages
- 97,400
Nice work — binwalk already found pieces inside combined.bin and wrote them into _combined.bin.extracted (you pasted that output).
Next we need to (A) decompress the .zlib blobs binwalk produced, (B) inspect the resulting files for “MZ” (PE) or “PK” (ZIP/MSI/CAB) headers, and (C) if we find a PE/MSI/CAB then extract it (7‑Zip/lessmsi) to look for .inf/.sys. I’ll give very small, copy/paste friendly commands to run inside your Ubuntu WSL shell (one command at a time). If a command fails, paste the error/output back and I’ll interpret it.
Step 1 — switch to the extracted directory
(In WSL)
cd ~/ _combined.bin.extracted
Run this single command (paste it exactly into the WSL shell and press Enter):
for z in *.zlib 2>/dev/null; do \
echo "---- $z ----"; \
python3 - <<'PY'
import zlib,sys,os
p = os.environ['ZFILE']
try:
data = open(p,'rb').read
out = zlib.decompress(data)
outname = p + '.raw'
open(outname,'wb').write(out)
print("decompressed:", outname, "size:", len(out)
except Exception as e:
print("failed to decompress", p, ":", e)
PY
done
Important: before running the above, set the env var used by the little Python snippet — run this exact 2-line helper instead if the single-liner above trips you:
for z in *.zlib 2>/dev/null; do export ZFILE="$z" && echo "---- $z ----" && python3 -c "import zlib,os; p=os.getenv('ZFILE'); \
try:\n d=open(p,'rb').read; open(p+'.raw','wb').write(zlib.decompress(d); print('decompressed',p+'.raw')\nexcept Exception as e: print('failed',p,e)"; done
Either variant will produce files like 400E5.zlib.raw (or 400E5.zlib.raw — look for *.raw).
Step 3 — identify headers in all files (look for MZ/PK)
Now list files and show the first bytes and some printable strings:
Paste the output (or the lines that show any file starting with "MZ" or "PK" or filenames that contain .inf/.sys). You can paste only the relevant chunks if output is huge.
What I’ll look for next
Tell me the host (Windows) drive letter where you want to copy it (e.g., C:\Temp\SamsungDriver or a USB drive letter like E
If decompress step fails or you want me to run a different decompression command, tell me which of the two variants you prefer (the single multiline Python block or the simpler loop), and paste any error output.
Summary / reassurance
Next we need to (A) decompress the .zlib blobs binwalk produced, (B) inspect the resulting files for “MZ” (PE) or “PK” (ZIP/MSI/CAB) headers, and (C) if we find a PE/MSI/CAB then extract it (7‑Zip/lessmsi) to look for .inf/.sys. I’ll give very small, copy/paste friendly commands to run inside your Ubuntu WSL shell (one command at a time). If a command fails, paste the error/output back and I’ll interpret it.
Step 1 — switch to the extracted directory
(In WSL)
cd ~/ _combined.bin.extracted
If that path doesn’t exist, run:
cd ~/ && ls -la
Step 2 — decompress every .zlib to a .raw fileRun this single command (paste it exactly into the WSL shell and press Enter):
for z in *.zlib 2>/dev/null; do \
echo "---- $z ----"; \
python3 - <<'PY'
import zlib,sys,os
p = os.environ['ZFILE']
try:
data = open(p,'rb').read
out = zlib.decompress(data)
outname = p + '.raw'
open(outname,'wb').write(out)
print("decompressed:", outname, "size:", len(out)
except Exception as e:
print("failed to decompress", p, ":", e)
PY
done
Important: before running the above, set the env var used by the little Python snippet — run this exact 2-line helper instead if the single-liner above trips you:
for z in *.zlib 2>/dev/null; do export ZFILE="$z" && echo "---- $z ----" && python3 -c "import zlib,os; p=os.getenv('ZFILE'); \
try:\n d=open(p,'rb').read; open(p+'.raw','wb').write(zlib.decompress(d); print('decompressed',p+'.raw')\nexcept Exception as e: print('failed',p,e)"; done
Either variant will produce files like 400E5.zlib.raw (or 400E5.zlib.raw — look for *.raw).
Step 3 — identify headers in all files (look for MZ/PK)
Now list files and show the first bytes and some printable strings:
list files
ls -lashow header + few strings for every file (original and .raw)
for f in *; do echo; echo ">>> $f"; file "$f"; hexdump -C "$f" | sed -n '1,4p'; strings -n 8 "$f" | sed -n '1,20p'; donePaste the output (or the lines that show any file starting with "MZ" or "PK" or filenames that contain .inf/.sys). You can paste only the relevant chunks if output is huge.
What I’ll look for next
- If any file’s hexdump shows the ASCII header "MZ" → it’s a Windows PE (exe/dll). We’ll try to open that with 7z or extract resources from it to find an embedded MSI/CAB. Command I’ll give then: 7z l <file> and/or binwalk -e <file>.
- If any file’s hexdump shows "PK\x03\x04" → it’s a ZIP/MSI/CAB archive. We’ll extract it with 7z and look for .inf/.sys.
- If strings show .inf or driver names, that’s promising — we’ll copy that extracted folder to Windows and inject with DISM.
- running binwalk again on the .raw files, or
- extracting strings and searching for ".inf" or "nvme" to find offsets to carve further.
Tell me the host (Windows) drive letter where you want to copy it (e.g., C:\Temp\SamsungDriver or a USB drive letter like E
If decompress step fails or you want me to run a different decompression command, tell me which of the two variants you prefer (the single multiline Python block or the simpler loop), and paste any error output.
Summary / reassurance
- You’re on the right track: binwalk already located multiple blobs and PNG/PE signatures. Next we decompress the .zlib files and inspect their headers — that typically reveals a PE/MSI/CAB we can extract to get .inf/.sys. The commands above will do that; paste the results and I’ll tell you the exact extraction → DISM steps next.