New firmware image format for QSW-M2116P-2T2S devices

[AlexAltea]

I've entered the QSW rabbit hole while trying to debug abnormally high CPU usage and temps on my QSW-M2116P-2T2S.

First thing I've noticed is that the two latest available firmware images have different formats; none of them plain TAR files, so they cannot be extracted/passed to decfile.sh. Both were released on the same day, as part of the same update chain. These are:

QSW-M2116P-1.1.0.22052.img

Identical format to all previous QSW-M2116P-2T2S firmware images. The header looks like:

00000000: ded5 d4ed 4d4c 7b98 0200 0000 5c00 0000  ....ML{.....\...
00000010: 54ef 2500 6a61 6775 6172 3263 0000 0000  T.%.jaguar2c....
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 6a61 6775 6172 3200 0000 0000  ....jaguar2.....
00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000050: 0000 0000 0700 0000 0100 0000 0100 0000  ................
00000060: 2000 0000 1000 0000 1b0d 8662 39a1 fb75   ..........b9..u
00000070: f4d1 8d78 0b22 ada1 0000 0000 0000 0000  ...x."..........
00000080: 64a9 2200 54a9 2200 fd37 7a58 5a00 0001  d.".T."..7zXZ...
00000090: 6922 de36 0200 2101 0800 0000 d80f 2313  i".6..!.......#.
000000a0: e287 63ef fe5d 004f 6050 0f80 dd97 f03d  ..c..].O`P.....=
000000b0: 2cf2 e113 5a68 f368 3616 6875 22d1 d9ff  ,...Zh.h6.hu"...

And there's what looks like a .tar.xz signature at 0x88. Obviously not a .tar file like QSW firmware images for other devices.

I haven't managed to extract it yet...

QSW-M2116P-2.0.0.22052.img

Format changes. Now the header is \x24\x51\x5e\xbe\x08\x0a\x46\x05 followed by:

MIME-Version: 1.0
Content-Disposition: attachment; filename="smime.p7m"
Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIIG2QYJKoZIhvcNAQcCoIIGyjCCBsYCAQExDTALBglghkgBZQMEAgEwVAYJKoZI
hvcNAQcBoEcERVNIQTEoUVNXLU0yMTE2UC0yLjAuMC5pbWcpPSBhNDc5NzY3MmIy
[...]
La12wv/Eak8EB0WJMn1gzK9UJRLrMH/o8G3XuG1mfbKezDrLn9j2GFiuYq8burL+
cTy04pT2+xrJdPNZ6j3Fsu5HbOmS9jwQAytGRMU=

-----BEGIN CERTIFICATE-----
MIIDtzCCAp+gAwIBAgIFANEthgUwDQYJKoZIhvcNAQELBQAwgYAxCzAJBgNVBAYT
AlRXMQ8wDQYDVQQIDAZUYWl3YW4xDzANBgNVBAcMBlRhaXBlaTENMAsGA1UECgwE
[...]
hFiyL2wYXaj7JspixGIMgiEH7rDdQzzTOckfILal4B/IVAL7VDb7XNbHj3d9nkIj
WeexPUNm5tjK2MKnFelheLM4ho2hORLgAhgbnKop9VmQEonOMj54bWZuEA==
-----END CERTIFICATE-----

Followed by the data.

---

What's surprising is that on 2023-05-17 you release this repository and announce it on Reddit, and then, QNAP issues a double update 2 weeks later (the actual build is dated 2023-05-22, only 5 days later) where they change the firmware image format. May be a coincidence, but it's rather suspicious.

I have seen a similar double-update pattern on other QSW switches as well, but the firmware image format remains the same:

• https://www.qnap.com/en/download?model=qsw-m2108-2c&category=firmware
• https://www.qnap.com/en/download?model=qsw-m2108-2s&category=firmware