Solved: The files are encrypted, see stackoverflow

Hope it is ok to ask technical questions in this channel!

I found a folder of files on one of my back drives which was copied from a very old Sony Ericson cell phone or a SAMSUNG Galaxy S2.

The folder is called DCIM and in a sub folder called Camera there are files with a .jpg extension.

This files are not standard JPG files. They start with the following header:

0000000 0000 0000 3900 c0d8 ac5f d196 2d63 2421
0000010 0003 0200 0000 0010 0200 2d8c 0904 0103
0000020 0000 0000 0000 0000 e960 2861 7025 ba0e
0000030 2424 dcfa 3e3b ee64 0800 c87b a43a a90d
0000040 7287 b815 7ca4 9680 ed65 6216 5f08 4f43
0000050 534e 4c4f 0045 0000 9000 b3e9 1333 92b9
0000060 0002 0000 0000 0000 0000 0000 0000 0000
0000070 0000 0000 0000 0000 0000 0000 0000 0000

And the last bytes look like this:

039fea0 60ff 01fa 6b1e 8ef5 7c6f e69f fd9e 1589
039fef0 2199 dbd9 13fe 337d 2e9f d862 e252 080d

(obtained via hexdump -n 1024 filename.jpg).

The file command just returns ‘data’.

The jpgrecovery command simply does not process this files.

The strings command finds an embedded string “_CONSOLE” !

If I open the file in a file viewer (shotwell, GIMP, Firefox, Google Chrome), I get the error that the file starts with 0 0, which is correct, as seen in the above hexdump.

Using identify from the imagemagick package results in:

20140207_142030.jpg JPG 0x0 16-bit sRGB 3.625MiB 0.000u 0:00.002
identify-im6.q16: Not a JPEG file: starts with 0x00 0x00 `20140207_142030.jpg' @ error/jpeg.c/JPEGErrorHandler/338.

All this commands were executed on Debian 12.

I have hundreds of files with this JPG extension and for each file the header is starting with 0 0 in this folder, so I assume the problem is not corruption of one file.

My questions:

  1. What kind of file format is this?
  2. How can I convert the files to JPGs?

Edit: Added the output of some suggested data/commands to questions Edit: Mark as solved, thanks to @hades@[email protected] .

Thanks a lot to everyone helping to figure this out/pointing me in the right direction! <3

  • @[email protected]
    link
    fedilink
    76 months ago

    I would try magick identify from imagemagick. If that doesn’t work, I would try strings just to see if it has any metadata at all. Cameras usually store their model name somewhere.

  • Max-P
    link
    fedilink
    26 months ago

    What kind of filename do they have? How big are they?

    My guess would be that they’re Android thumbnail files or some sort of hidden metadata file. Possibly some raw jpeg because all the parameters are expected to be fixed size so they didn’t bother with the header. Or it’s a custom header.

    But even then, that’s a lot of zeros for an image format.

    Does it seem to have a JPEG header later in the file? It could be a header followed by a normal JPEG file too.

  • @[email protected]
    link
    fedilink
    26 months ago

    If you still have the card those came off of you can put it back in a galaxy (or any android device?) and export them. Pretty sure the phone uses some kind of error correction scheme to deal with failing sd cards.

  • @Langehund
    link
    26 months ago

    So looks like according the stack overflow link from @[email protected] above, your files are individually encrypted. Based on the solution comment, there should be a .MetaEcfsFile with the Samsung file encryption metadata in the SD card root directory if this is true. If so, you would likely need to plug the SD card into a Samsung phone (unclear if it needs to be original phone, same model, or just Samsung in general) and use the “Biometrics and security” menu to hopefully decrypt the SD card. If you still have a newer Samsung galaxy, I’d try with that one first before attempting to locate an older model. And if that doesn’t work, it might require the original phone. Backup SD before doing any of this.

    • @Langehund
      link
      36 months ago

      Looking a bit further, it seems your only luck would be with your original device since the encryption probably relies on some hardware specific keys. Samsung’s guide says even factory resetting the original phone prior to decrypting would be enough to make the SD card unreadable.