Talk:Keys: Difference between revisions

From PS5 Developer wiki
Jump to navigation Jump to search
No edit summary
 
(13 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= Portability =
= Script to Decrypt CP Box EMC blob and preserve header =


== hid_auth ==
* (trim 0x80 bytes, entrypoint at 0x100C00)


<pre>
<source lang="python3">
ED E7 41 CC 7F D6 0E 1F 2D B0 89 16 1F C0 EB 66
import struct
7C A4 DA 59 40 CE 19 54 00 90 1D BF 59 25 EE 4F
from binascii import unhexlify as uhx
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
from binascii import hexlify as hx
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
from Crypto.Cipher import AES
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
from Crypto.Hash import SHA, HMAC
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
import os
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
import sys
</pre>
 
CIPHERKEYSEMC = ['F0332357C8CFAE7E7E26E52BE9E3AED4']
CIPHERKEYSEAP = ['262555E3CF062B070B5AA2CDDF3A5D0E']
HASHERKEYEMC  = ['00000000000000000000000000000000']
HASHERKEYEAP  = ['1EE22F6A189E7D99A28B9A96D3C4DBA2']
ZEROS128 =      ['00000000000000000000000000000000']
 
def aes_decrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).decrypt(input)
   
def aes_encrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).encrypt(input)
 
def emc_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def emc_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def eap_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def eap_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
 
def main(argc, argv):
        with open(sys.argv[1], 'rb') as f:
            data = f.read(0x80)
            type = data[7:8]
            if type == uhx('48'):
                print 'EMC'
                hdr = emc_decrypt_header(data)
                body_aes_key  = hdr[0x30:0x40]
                body_hmac_key = hdr[0x40:0x50]
                body_hmac = hdr[0x50:0x64]
                zeroes = hdr[0x64:0x6C]
                print(hx(zeroes))
                header_hmac = hdr[0x6C:0x80]
                body_len = struct.unpack('<L', hdr[0xc:0x10])[0]
                print body_len
                ehdr = hdr[:0x6C]
                ebody = f.read(body_len)
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hhmac = HMAC.new(uhx(HASHERKEYEMC[0]), ehdr, SHA)
                body = aes_decrypt_cbc(body_aes_key, uhx(ZEROS128[0]), ebody)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                print hx(body_hmac)
                print hx(header_hmac)
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+body)
            if type == uhx('68'):
                print 'EAP'
                hdr = eap_decrypt_header(data)
                body_aes_key  = hdr[0x30:0x40]
                body_hmac_key = hdr[0x40:0x50]
                body_hmac = hdr[0x50:0x64]
                zeroes = hdr[0x64:0x6C]
                print(hx(zeroes))
                header_hmac = hdr[0x6C:0x80]
                body_len = struct.unpack('<L', hdr[0xc:0x10])[0]
                print body_len
                ehdr = hdr[:0x6C]
                ebody = f.read(body_len)
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hhmac = HMAC.new(uhx(HASHERKEYEAP[0]), ehdr, SHA)
                body = aes_decrypt_cbc(body_aes_key, uhx(ZEROS128[0]), ebody)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                print hx(body_hmac)
                print hx(header_hmac)
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+body)
           
           
 
if __name__ == '__main__':
    main(len(sys.argv), sys.argv)
</source>
 
= Script to Encrypt CP Box EMC blob (Requires Header from Decrypt Script) =
 
<source lang="python3">
import struct
from binascii import unhexlify as uhx
from binascii import hexlify as hx
from Crypto.Cipher import AES
from Crypto.Hash import SHA, HMAC
 
import os
import sys
 
CIPHERKEYSEMC = ['F0332357C8CFAE7E7E26E52BE9E3AED4']
CIPHERKEYSEAP = ['262555E3CF062B070B5AA2CDDF3A5D0E']
HASHERKEYEMC  = ['00000000000000000000000000000000']
HASHERKEYEAP  = ['1EE22F6A189E7D99A28B9A96D3C4DBA2']
ZEROS128 =      ['00000000000000000000000000000000']
 
def aes_decrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).decrypt(input)
   
def aes_encrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).encrypt(input)
 
def emc_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def emc_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:])
   
def eap_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
   
def eap_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
 
def main(argc, argv):
        with open(sys.argv[1], 'rb') as f:
            data = f.read()
            type = data[7:8]
            if type == uhx('48'):
                print 'EMC'
               
                body_len = struct.unpack('<L', data[0xc:0x10])[0]
                body = data[0x80:0x80+body_len]
                body_aes_key  = data[0x30:0x40]
                ebody = aes_encrypt_cbc(body_aes_key, uhx(ZEROS128[0]), body)
                body_hmac_key = data[0x40:0x50]
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hdr = (data[0:0x50] + uhx(bhmac.hexdigest()) + data[0x64:0x6C])
                hhmac = HMAC.new(uhx(HASHERKEYEMC[0]), hdr, SHA)
                hdr = (hdr + uhx(hhmac.hexdigest()))
                hdr = emc_encrypt_header(hdr)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+ebody)
            if type == uhx('68'):
                print 'EAP'
                body_len = struct.unpack('<L', data[0xc:0x10])[0]
                body = data[0x80:0x80+body_len]
                body_aes_key  = data[0x30:0x40]
                ebody = aes_encrypt_cbc(body_aes_key, uhx(ZEROS128[0]), body)
                body_hmac_key = data[0x40:0x50]
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hdr = (data[0:0x50] + uhx(bhmac.hexdigest()) + data[0x64:0x6C])
                hhmac = HMAC.new(uhx(HASHERKEYEAP[0]), hdr, SHA)
                hdr = (hdr + uhx(hhmac.hexdigest()))
                hdr = eap_encrypt_header(hdr)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+ebody)
           
           
 
if __name__ == '__main__':
    main(len(sys.argv), sys.argv)
</source>
 
= Script to Decrypt or Encrypt EAP Kernel =
 
<source lang="python3">
#!/usr/bin/env python
 
import sys, os, struct
import hashlib, hmac
 
from binascii import unhexlify as uhx
 
from Crypto.Cipher import AES
from itertools import cycle
 
try:
# Python 2
from itertools import izip
except:
    pass
 
def as_uint32(x):
    return x & 0xFFFFFFFF
 
def align_up(x, alignment):
    return (x + (alignment - 1)) & ~(alignment - 1)
 
def align_down(x, alignment):
return x & ~(alignment - 1)
 
def sha1(data):
    return hashlib.sha1(data).digest()
 
def hmac_sha1(key, data):
return hmac.new(key=key, msg=data, digestmod=hashlib.sha1).digest()
 
def xor_string(key, data):
# Python 2
try:
return ''.join(chr(ord(x) ^ ord(y)) for (x, y) in izip(data, cycle(key)))
# Python 3
except:
return bytes(x ^ y for x, y in zip(data, cycle(key)))
 
def aes_encrypt_ecb(key, input):
    aes = AES.new(key, AES.MODE_ECB)
    output = aes.encrypt(input)
    return output
 
def aes_decrypt_ecb(key, input):
    aes = AES.new(key, AES.MODE_ECB)
    output = aes.decrypt(input)
    return output
 
def aes_encrypt_cbc_cts(key, iv, data):
result = b''
size = len(data)
if size == 0:
return result
crypto = AES.new(key, AES.MODE_CBC, iv)
size_aligned = align_down(size, crypto.block_size)
result = crypto.encrypt(data[:size_aligned])
size_left = size - size_aligned
if size_left > 0:
assert size_left < crypto.block_size
crypto = AES.new(key, AES.MODE_ECB)
if size_aligned > AES.block_size:
tmp = crypto.encrypt(result[size_aligned - AES.block_size:size_aligned])
else:
tmp = crypto.encrypt(iv)
result += xor_string(data[size_aligned:], tmp[:size_left])
#assert aes_decrypt_cbc_cts(key, iv, result) == data
return result
 
def aes_decrypt_cbc_cts(key, iv, data):
result = b''
size = len(data)
if size == 0:
return result
crypto = AES.new(key, AES.MODE_CBC, iv)
size_aligned = align_down(size, crypto.block_size)
result = crypto.decrypt(data[:size_aligned])
size_left = size - size_aligned
if size_left > 0:
assert size_left < crypto.block_size
crypto = AES.new(key, AES.MODE_ECB)
if size_aligned > AES.block_size:
tmp = crypto.encrypt(data[size_aligned - AES.block_size:size_aligned])
else:
tmp = crypto.encrypt(iv)
result += xor_string(data[size_aligned:], tmp[:size_left])
#assert aes_encrypt_cbc_cts(key, iv, result) == data
return result
 
if len(sys.argv) < 4:
    script_file_name = os.path.split(sys.argv[0])[1]
    print('usage: {0} <input file> <output file> <enc/dec> [personality]'.format(script_file_name))
    sys.exit()
 
input_file_path = sys.argv[1]
if not os.path.isfile(input_file_path):
    print('error: invalid input file specified')
    sys.exit()
 
output_file_path = sys.argv[2]
if os.path.exists(output_file_path) and not os.path.isfile(output_file_path):
    print('error: invalid output file specified')
    sys.exit()
 
mode = sys.argv[3].lower()
if mode != 'enc' and mode != 'dec':
    print('error: invalid mode')
    sys.exit()
 
# total = 128 bits, symbol = 6 bits
# uid max length = 8 symbols = 48 bits
 
uid_alphabet = ' abcdefghijklmnopqrstuvwxyz' # 5 bits per symbol, 3 bits per byte
uid_max_length = 8
 
def personalize(seed, personality):
    if len(seed) != 16:
        return False
 
    personality = personality.strip()
    if len(personality) == 0:
        print('error: empty personality')
        return False
    if len(personality) > uid_max_length:
        print('error: too large personality')
        return False
 
    personality = personality.lower().ljust(uid_max_length, ' ')
    seed = list(seed)
    pos = 0
    for c in personality:
        idx = uid_alphabet.find(c)
        if idx < 0:
            print('error: invalid character at personality: {0}'.format(c))
            return False
 
        c = ord(seed[pos + 0]) & ~0b00010011
        c |= (idx & 0b10000)
        c |= (idx & 0b10)
        c |= (idx & 0b1)
        seed[pos + 0] = chr(c)
 
        c = ord(seed[pos + 1]) & ~0b00001100
        c |= (idx & 0b1000)
        c |= (idx & 0b100)
        seed[pos + 1] = chr(c)
 
        pos += 2
 
    return ''.join(seed)
 
def unpersonalize(seed):
    if len(seed) != 16:
        return False
 
    personality = ''
    seed = list(seed)
    pos = 0
    for i in range(uid_max_length):
        c1, c2, idx = ord(seed[i * 2 + 0]), ord(seed[i * 2 + 1]), 0
 
        idx |= (c1 & 0b10000)
        idx |= (c1 & 0b10)
        idx |= (c1 & 0b1)
 
        idx |= (c2 & 0b1000)
        idx |= (c2 & 0b100)
 
        personality += uid_alphabet[idx]
 
    return personality
 
seed = os.urandom(16)
if len(sys.argv) > 4:
    seed = personalize(seed, sys.argv[4])
    if seed == False:
        sys.exit()
 
MAGIC = 0x12EBC95C
EXPECTED_VERSION = 0x10000
PARTITION_SIZE = 16 * 1024 * 1024
BLOB_MAGIC = 0x4B726E00
SECTOR_SIZE = 0x200
HEADER_FMT = '<II16s20s'
BLOB_INFO_FMT = '<III456x'
 
# CP key
ENC_KEY = uhx('CBCC1E53F42C1CB44D965E233CD792A8')
MAC_KEY = uhx('683D6E2E496687CB5B831DA12BCB001B')
 
if mode == 'dec':
    with open(input_file_path, 'rb') as f:
        # read and decrypt blob info
        magic, version, iv, blob_info_hash = struct.unpack(HEADER_FMT, f.read(struct.calcsize(HEADER_FMT)))
        if magic != MAGIC:
            print('error: invalid header magic: {0:08X}'.format(magic))
            sys.exit()
        if version != EXPECTED_VERSION:
            print('error: invalid version: 0x{0:08X}'.format(version))
            sys.exit()
        #print('iv: {0}'.format(iv.encode('hex').upper()))
        #personality = unpersonalize(iv)
        #print('personality: {0}'.format(personality))
        data = f.read(SECTOR_SIZE - struct.calcsize(HEADER_FMT))
        if data == '' or len(data) != (SECTOR_SIZE - struct.calcsize(HEADER_FMT)):
            print('error: insufficient blob info data')
            print(len(data))
            print(SECTOR_SIZE - struct.calcsize(HEADER_FMT))
            sys.exit()
        data = aes_decrypt_cbc_cts(ENC_KEY, iv, data)
        #print(data.encode('hex'))
        blob_info_calc_hash = hmac_sha1(MAC_KEY, data)
        if blob_info_calc_hash != blob_info_hash:
            print('warning: invalid blob info hash')
 
        # parse blob info
        magic, size, offset = struct.unpack(BLOB_INFO_FMT, data[:struct.calcsize(BLOB_INFO_FMT)])
        if magic != BLOB_MAGIC:
            print('error: invalid blob info magic: 0x{0:08X}'.format(magic))
            #sys.exit()


== ipmi ==
        # read blob data
        f.seek(offset)
        data = f.read(size)
        if data == '' or len(data) != size:
            print(len(data))
            print(size)
            print('error: insufficient blob data')
            sys.exit()


<pre>
    # decrypt blob
53 49 45 49 50 4D 49 00 00 00 00 00 00 00 00 00
    magic, version, iv, blob_hash = struct.unpack(HEADER_FMT, data[:struct.calcsize(HEADER_FMT)])
1A 88 B2 A3 64 E6 A2 8E 78 08 4E 3F 7F 40 FD 01
    if magic != MAGIC:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        print('error: invalid header magic: 0x{0:08X}'.format(magic))
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        sys.exit()
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    if version != EXPECTED_VERSION:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        print('error: invalid version: 0x{0:08X}'.format(version))
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        sys.exit()
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    data = aes_decrypt_cbc_cts(ENC_KEY, iv, data[struct.calcsize(HEADER_FMT):])
</pre>
    blob_calc_hash = hmac_sha1(MAC_KEY, data)
    if blob_calc_hash != blob_hash:
        print('warning: invalid blob hash')


== kdf_ncdt_psk ==
    # write blob
    with open(output_file_path, 'wb') as f:
        f.write(data)
elif mode == 'enc':
    # generate random iv
    iv = seed


<pre>
    with open(input_file_path, 'rb') as f:
53 43 45 5F 4B 44 46 5F 4E 43 44 54 5F 50 53 4B
        # read and encrypt blob data
59 E6 32 88 B0 4E 7F 68 F8 B8 DB 83 86 1E 07 50
        data = f.read()
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        blob_hash = hmac_sha1(MAC_KEY, data)
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        data = aes_encrypt_cbc_cts(ENC_KEY, iv, data)
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        data = struct.pack(HEADER_FMT, MAGIC, EXPECTED_VERSION, iv, blob_hash) + data
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
</pre>


== livedump ==
        # generate and encrypt blob info
        size = len(data)
        tmp_data = struct.pack(BLOB_INFO_FMT, BLOB_MAGIC, size, SECTOR_SIZE)
        blob_info_hash = hmac_sha1(MAC_KEY, tmp_data)
        tmp_data = aes_encrypt_cbc_cts(ENC_KEY, iv, tmp_data)
        tmp_data = struct.pack(HEADER_FMT, MAGIC, EXPECTED_VERSION, iv, blob_info_hash) + tmp_data


<pre>
    # write everything
96 1E 5E 85 B5 3E 77 64 43 E5 F4 45 85 E8 90 0A
    total_size = len(tmp_data) + len(data)
52 5E 06 2A 4C 79 64 69 0F 75 2F 28 71 9C 6B A1
    with open(output_file_path, 'wb') as f:
A8 C2 A0 0D 84 31 E7 17 DD EF 6D 80 F6 5C AE 32
        f.write(tmp_data)
42 1F CB E5 E7 A4 F9 1F 79 2B 25 C7 A1 0C 9E 5A
        f.write(data)
7B 07 82 9F F3 7C 3F B4 66 2F CB F8 E4 0A 63 F2
        padding_size = align_up(total_size, SECTOR_SIZE) - total_size
99 EE B8 6F 06 D5 58 CD 6E 8E 6A F7 5E 48 3A 24
        if padding_size > 0:
CC 73 EA E7 73 2F 44 2F 8B E5 28 FB 19 60 62 50
            f.write(b'\0' * padding_size)
F4 A9 9C A5 9E FC 63 2C 2D CC 67 73 2B 8B 5A DE
        f.seek(PARTITION_SIZE)
</pre>
        f.truncate()
</source>


== logger ==
= Script to Decrypt env.img =


<pre>
<source lang="python3">
15 A0 CB 65 D6 A4 05 27 E6 1C CD DA 2A EF 53 3B
import sys
13 FC 7C 35 24 14 B3 54 3D C7 83 24 6E FC C9 64
import struct
9D F8 40 9A C2 02 09 82 3C 08 61 2B E6 2A 51 79
CF 87 62 61 C0 85 46 C2 A5 DA A1 9B D0 E7 FF 79
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
</pre>


== pfs_sd_auth ==
def unscramble(data):
    data_size = len(data)
    num_dwords = data_size // 4
    magic = 0x012BB055 # TODO: constant from header @ 0xC
    new_data = bytearray()
    for i in range(num_dwords):
        value = struct.unpack_from('<I', data, i * 4)[0]
        value, magic = value ^ magic, value
        new_data += struct.pack('<I', value)
    return new_data
   
with open(sys.argv[1],"rb") as file:
    file.seek(0x40)
    data=file.read(0xFF80)
    new_data = unscramble(data)
    with open(sys.argv[2],"wb") as file2:
        file2.write(new_data)
</source>


<pre>
= Fake Keys =
2B CF 69 8E 79 CF DD FA C2 4D 4C 25 BF 35 1E 62
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
</pre>


== playready2 ==
This section should explain in what the following keys are fake.


<pre>
<pre>
B6 34 65 57 9E 73 D4 C0 A1 A9 0F F0 51 34 57 50
PK0=C1E20574525331AE3E9ABFDFE3E64EB3AA1FD0CD30E3C286CEB84C0C280574E6
7A 4A FB 4A 3B 94 B2 19 3A B7 9A 79 C5 66 02 BF
PK1=B8F64A4C3DC41A01C039BD1EBCDA3F9E25461024C8817CA8A0281126521884D0
76 51 C1 B9 90 23 37 FF 9A 32 31 6A E6 22 55 47
PK2=5B031A912D8C2C8BACD4A919274827EBF4F855041C6B911DEABD26FCC38B2D86
6F 73 5B 03 C4 6C 89 0B C4 22 A1 68 4D B2 8A 7F
PK3=53C9558316D34E6036A372BDA0238B4AB2D1B3E22074065BDD22DBC8584AD4C7
1B AE 90 5E C6 CA 53 38 E7 79 E5 B7 63 DB 84 FB
PK4=FBF4549BB1278E2336071887439BF819ACBB4292F7DA46729A76217419243C4B
15 E8 06 B2 9D C7 58 5B BB AF 11 91 6E 66 6E F0
PK5=89132F5E01643367499C866DB7B1E7C0C8040EF7DE13516BC7776D97FAB9DB7B
F6 74 CC 4B B7 36 B9 EF 93 AD A9 CB D4 FA 5D 65
PK6=7FF33CBD9689177E5D8FD6BD2AA6BE0553893F63E525447DC5745BB9650CE69A
C4 F5 5A 98 65 13 4A AB 7D 87 F5 88 5C E2 B3 93
PK7=E4767D540A9E9531BDD3FB2302806A953E6920B15B8AE41C4D471B91422510A8
PK9=A5F56F9B07BD524BE2BFFD2C9AA3D80D070A5A5010BEF863F6C64BFA282B76F9
PK10=0DC5A3E6CF63DD71744F1854A6CBF64C13CE4358AE3C2EBE959C8C3B3F6B79B2
 
PKA0=3F3B86299E4598147DD1A9A8D314081FE8EE67DDFBAE20
PKA1=2D85350A3BC10ED683101EBBCAC799A5D1B87F6C32A833
PKA2=45DE1F88B189E2D453FEAEA559F02157A21F3DB92C7826
PKA3=B7C26B663BDDE355D1B516B7CE9F0D41A82A61FDC7A6B6
PKA4=6CB6896E6D2C61B33817C2927B032EC7FBE01D0B8BC75E
</pre>
</pre>

Latest revision as of 06:13, 1 January 2025

Script to Decrypt CP Box EMC blob and preserve header[edit source]

  • (trim 0x80 bytes, entrypoint at 0x100C00)
import struct
from binascii import unhexlify as uhx
from binascii import hexlify as hx
from Crypto.Cipher import AES
from Crypto.Hash import SHA, HMAC

import os
import sys

CIPHERKEYSEMC = ['F0332357C8CFAE7E7E26E52BE9E3AED4']
CIPHERKEYSEAP = ['262555E3CF062B070B5AA2CDDF3A5D0E']
HASHERKEYEMC  = ['00000000000000000000000000000000']
HASHERKEYEAP  = ['1EE22F6A189E7D99A28B9A96D3C4DBA2']
ZEROS128 =      ['00000000000000000000000000000000']

def aes_decrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).decrypt(input)
    
def aes_encrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).encrypt(input)

def emc_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
    
def emc_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
    
def eap_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
    
def eap_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])

def main(argc, argv):
        with open(sys.argv[1], 'rb') as f:
            data = f.read(0x80)
            type = data[7:8]
            if type == uhx('48'):
                print 'EMC'
                hdr = emc_decrypt_header(data)
                body_aes_key  = hdr[0x30:0x40]
                body_hmac_key = hdr[0x40:0x50]
                body_hmac = hdr[0x50:0x64]
                zeroes = hdr[0x64:0x6C]
                print(hx(zeroes))
                header_hmac = hdr[0x6C:0x80]
                body_len = struct.unpack('<L', hdr[0xc:0x10])[0]
                print body_len
                ehdr = hdr[:0x6C]
                ebody = f.read(body_len)
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hhmac = HMAC.new(uhx(HASHERKEYEMC[0]), ehdr, SHA)
                body = aes_decrypt_cbc(body_aes_key, uhx(ZEROS128[0]), ebody)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                print hx(body_hmac)
                print hx(header_hmac)
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+body)
            if type == uhx('68'):
                print 'EAP'
                hdr = eap_decrypt_header(data)
                body_aes_key  = hdr[0x30:0x40]
                body_hmac_key = hdr[0x40:0x50]
                body_hmac = hdr[0x50:0x64]
                zeroes = hdr[0x64:0x6C]
                print(hx(zeroes))
                header_hmac = hdr[0x6C:0x80]
                body_len = struct.unpack('<L', hdr[0xc:0x10])[0]
                print body_len
                ehdr = hdr[:0x6C]
                ebody = f.read(body_len)
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hhmac = HMAC.new(uhx(HASHERKEYEAP[0]), ehdr, SHA)
                body = aes_decrypt_cbc(body_aes_key, uhx(ZEROS128[0]), ebody)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                print hx(body_hmac)
                print hx(header_hmac)
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+body)
            
            

if __name__ == '__main__':
    main(len(sys.argv), sys.argv)

Script to Encrypt CP Box EMC blob (Requires Header from Decrypt Script)[edit source]

import struct
from binascii import unhexlify as uhx
from binascii import hexlify as hx
from Crypto.Cipher import AES
from Crypto.Hash import SHA, HMAC

import os
import sys

CIPHERKEYSEMC = ['F0332357C8CFAE7E7E26E52BE9E3AED4']
CIPHERKEYSEAP = ['262555E3CF062B070B5AA2CDDF3A5D0E']
HASHERKEYEMC  = ['00000000000000000000000000000000']
HASHERKEYEAP  = ['1EE22F6A189E7D99A28B9A96D3C4DBA2']
ZEROS128 =      ['00000000000000000000000000000000']

def aes_decrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).decrypt(input)
    
def aes_encrypt_cbc(key, iv, input):
    return AES.new(key, AES.MODE_CBC, iv).encrypt(input)

def emc_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
    
def emc_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEMC[0]), uhx(ZEROS128[0]), hdr[0x30:])
    
def eap_decrypt_header(hdr):
    return hdr[:0x30] + aes_decrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])
    
def eap_encrypt_header(hdr):
    return hdr[:0x30] + aes_encrypt_cbc(uhx(CIPHERKEYSEAP[0]), uhx(ZEROS128[0]), hdr[0x30:0x80])

def main(argc, argv):
        with open(sys.argv[1], 'rb') as f:
            data = f.read()
            type = data[7:8]
            if type == uhx('48'):
                print 'EMC'
                
                body_len = struct.unpack('<L', data[0xc:0x10])[0]
                body = data[0x80:0x80+body_len]
                body_aes_key  = data[0x30:0x40]
                ebody = aes_encrypt_cbc(body_aes_key, uhx(ZEROS128[0]), body)
                body_hmac_key = data[0x40:0x50]
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hdr = (data[0:0x50] + uhx(bhmac.hexdigest()) + data[0x64:0x6C])
                hhmac = HMAC.new(uhx(HASHERKEYEMC[0]), hdr, SHA)
                hdr = (hdr + uhx(hhmac.hexdigest()))
                hdr = emc_encrypt_header(hdr)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+ebody)
            if type == uhx('68'):
                print 'EAP'
                body_len = struct.unpack('<L', data[0xc:0x10])[0]
                body = data[0x80:0x80+body_len]
                body_aes_key  = data[0x30:0x40]
                ebody = aes_encrypt_cbc(body_aes_key, uhx(ZEROS128[0]), body)
                body_hmac_key = data[0x40:0x50]
                bhmac = HMAC.new(body_hmac_key, ebody, SHA)
                hdr = (data[0:0x50] + uhx(bhmac.hexdigest()) + data[0x64:0x6C])
                hhmac = HMAC.new(uhx(HASHERKEYEAP[0]), hdr, SHA)
                hdr = (hdr + uhx(hhmac.hexdigest()))
                hdr = eap_encrypt_header(hdr)
                print bhmac.hexdigest()
                print hhmac.hexdigest()
                with open(sys.argv[1] + '.bin', 'wb') as g:
                    g.write(hdr+ebody)
            
            

if __name__ == '__main__':
    main(len(sys.argv), sys.argv)

Script to Decrypt or Encrypt EAP Kernel[edit source]

#!/usr/bin/env python

import sys, os, struct
import hashlib, hmac

from binascii import unhexlify as uhx

from Crypto.Cipher import AES
from itertools import cycle

try:
	# Python 2
	from itertools import izip
except:
    pass

def as_uint32(x):
    return x & 0xFFFFFFFF

def align_up(x, alignment):
    return (x + (alignment - 1)) & ~(alignment - 1)

def align_down(x, alignment):
	return x & ~(alignment - 1)

def sha1(data):
    return hashlib.sha1(data).digest()

def hmac_sha1(key, data):
	return hmac.new(key=key, msg=data, digestmod=hashlib.sha1).digest()

def xor_string(key, data):
	# Python 2
	try:
		return ''.join(chr(ord(x) ^ ord(y)) for (x, y) in izip(data, cycle(key)))
	# Python 3
	except:
		return bytes(x ^ y for x, y in zip(data, cycle(key)))

def aes_encrypt_ecb(key, input):
    aes = AES.new(key, AES.MODE_ECB)
    output = aes.encrypt(input)
    return output

def aes_decrypt_ecb(key, input):
    aes = AES.new(key, AES.MODE_ECB)
    output = aes.decrypt(input)
    return output

def aes_encrypt_cbc_cts(key, iv, data):
	result = b''
	size = len(data)
	if size == 0:
		return result
	crypto = AES.new(key, AES.MODE_CBC, iv)
	size_aligned = align_down(size, crypto.block_size)
	result = crypto.encrypt(data[:size_aligned])
	size_left = size - size_aligned
	if size_left > 0:
		assert size_left < crypto.block_size
		crypto = AES.new(key, AES.MODE_ECB)
		if size_aligned > AES.block_size:
			tmp = crypto.encrypt(result[size_aligned - AES.block_size:size_aligned])
		else:
			tmp = crypto.encrypt(iv)
		result += xor_string(data[size_aligned:], tmp[:size_left])
	#assert aes_decrypt_cbc_cts(key, iv, result) == data
	return result

def aes_decrypt_cbc_cts(key, iv, data):
	result = b''
	size = len(data)
	if size == 0:
		return result
	crypto = AES.new(key, AES.MODE_CBC, iv)
	size_aligned = align_down(size, crypto.block_size)
	result = crypto.decrypt(data[:size_aligned])
	size_left = size - size_aligned
	if size_left > 0:
		assert size_left < crypto.block_size
		crypto = AES.new(key, AES.MODE_ECB)
		if size_aligned > AES.block_size:
			tmp = crypto.encrypt(data[size_aligned - AES.block_size:size_aligned])
		else:
			tmp = crypto.encrypt(iv)
		result += xor_string(data[size_aligned:], tmp[:size_left])
	#assert aes_encrypt_cbc_cts(key, iv, result) == data
	return result

if len(sys.argv) < 4:
    script_file_name = os.path.split(sys.argv[0])[1]
    print('usage: {0} <input file> <output file> <enc/dec> [personality]'.format(script_file_name))
    sys.exit()

input_file_path = sys.argv[1]
if not os.path.isfile(input_file_path):
    print('error: invalid input file specified')
    sys.exit()

output_file_path = sys.argv[2]
if os.path.exists(output_file_path) and not os.path.isfile(output_file_path):
    print('error: invalid output file specified')
    sys.exit()

mode = sys.argv[3].lower()
if mode != 'enc' and mode != 'dec':
    print('error: invalid mode')
    sys.exit()

# total = 128 bits, symbol = 6 bits
# uid max length = 8 symbols = 48 bits

uid_alphabet = ' abcdefghijklmnopqrstuvwxyz' # 5 bits per symbol, 3 bits per byte
uid_max_length = 8

def personalize(seed, personality):
    if len(seed) != 16:
        return False

    personality = personality.strip()
    if len(personality) == 0:
        print('error: empty personality')
        return False
    if len(personality) > uid_max_length:
        print('error: too large personality')
        return False

    personality = personality.lower().ljust(uid_max_length, ' ')
    seed = list(seed)
    pos = 0
    for c in personality:
        idx = uid_alphabet.find(c)
        if idx < 0:
            print('error: invalid character at personality: {0}'.format(c))
            return False

        c = ord(seed[pos + 0]) & ~0b00010011
        c |= (idx & 0b10000)
        c |= (idx & 0b10)
        c |= (idx & 0b1)
        seed[pos + 0] = chr(c)

        c = ord(seed[pos + 1]) & ~0b00001100
        c |= (idx & 0b1000)
        c |= (idx & 0b100)
        seed[pos + 1] = chr(c)

        pos += 2

    return ''.join(seed)

def unpersonalize(seed):
    if len(seed) != 16:
        return False

    personality = ''
    seed = list(seed)
    pos = 0
    for i in range(uid_max_length):
        c1, c2, idx = ord(seed[i * 2 + 0]), ord(seed[i * 2 + 1]), 0

        idx |= (c1 & 0b10000)
        idx |= (c1 & 0b10)
        idx |= (c1 & 0b1)

        idx |= (c2 & 0b1000)
        idx |= (c2 & 0b100)

        personality += uid_alphabet[idx]

    return personality

seed = os.urandom(16)
if len(sys.argv) > 4:
    seed = personalize(seed, sys.argv[4])
    if seed == False:
        sys.exit()

MAGIC = 0x12EBC95C
EXPECTED_VERSION = 0x10000
PARTITION_SIZE = 16 * 1024 * 1024
BLOB_MAGIC = 0x4B726E00
SECTOR_SIZE = 0x200
HEADER_FMT = '<II16s20s'
BLOB_INFO_FMT = '<III456x'

# CP key
ENC_KEY = uhx('CBCC1E53F42C1CB44D965E233CD792A8')
MAC_KEY = uhx('683D6E2E496687CB5B831DA12BCB001B')

if mode == 'dec':
    with open(input_file_path, 'rb') as f:
        # read and decrypt blob info
        magic, version, iv, blob_info_hash = struct.unpack(HEADER_FMT, f.read(struct.calcsize(HEADER_FMT)))
        if magic != MAGIC:
            print('error: invalid header magic: {0:08X}'.format(magic))
            sys.exit()
        if version != EXPECTED_VERSION:
            print('error: invalid version: 0x{0:08X}'.format(version))
            sys.exit()
        #print('iv: {0}'.format(iv.encode('hex').upper()))
        #personality = unpersonalize(iv)
        #print('personality: {0}'.format(personality))
        data = f.read(SECTOR_SIZE - struct.calcsize(HEADER_FMT))
        if data == '' or len(data) != (SECTOR_SIZE - struct.calcsize(HEADER_FMT)):
            print('error: insufficient blob info data')
            print(len(data))
            print(SECTOR_SIZE - struct.calcsize(HEADER_FMT))
            sys.exit()
        data = aes_decrypt_cbc_cts(ENC_KEY, iv, data)
        #print(data.encode('hex'))
        blob_info_calc_hash = hmac_sha1(MAC_KEY, data)
        if blob_info_calc_hash != blob_info_hash:
            print('warning: invalid blob info hash')

        # parse blob info
        magic, size, offset = struct.unpack(BLOB_INFO_FMT, data[:struct.calcsize(BLOB_INFO_FMT)])
        if magic != BLOB_MAGIC:
            print('error: invalid blob info magic: 0x{0:08X}'.format(magic))
            #sys.exit()

        # read blob data
        f.seek(offset)
        data = f.read(size)
        if data == '' or len(data) != size:
            print(len(data))
            print(size)
            print('error: insufficient blob data')
            sys.exit()

    # decrypt blob
    magic, version, iv, blob_hash = struct.unpack(HEADER_FMT, data[:struct.calcsize(HEADER_FMT)])
    if magic != MAGIC:
        print('error: invalid header magic: 0x{0:08X}'.format(magic))
        sys.exit()
    if version != EXPECTED_VERSION:
        print('error: invalid version: 0x{0:08X}'.format(version))
        sys.exit()
    data = aes_decrypt_cbc_cts(ENC_KEY, iv, data[struct.calcsize(HEADER_FMT):])
    blob_calc_hash = hmac_sha1(MAC_KEY, data)
    if blob_calc_hash != blob_hash:
        print('warning: invalid blob hash')

    # write blob
    with open(output_file_path, 'wb') as f:
        f.write(data)
elif mode == 'enc':
    # generate random iv
    iv = seed

    with open(input_file_path, 'rb') as f:
        # read and encrypt blob data
        data = f.read()
        blob_hash = hmac_sha1(MAC_KEY, data)
        data = aes_encrypt_cbc_cts(ENC_KEY, iv, data)
        data = struct.pack(HEADER_FMT, MAGIC, EXPECTED_VERSION, iv, blob_hash) + data

        # generate and encrypt blob info
        size = len(data)
        tmp_data = struct.pack(BLOB_INFO_FMT, BLOB_MAGIC, size, SECTOR_SIZE)
        blob_info_hash = hmac_sha1(MAC_KEY, tmp_data)
        tmp_data = aes_encrypt_cbc_cts(ENC_KEY, iv, tmp_data)
        tmp_data = struct.pack(HEADER_FMT, MAGIC, EXPECTED_VERSION, iv, blob_info_hash) + tmp_data

    # write everything
    total_size = len(tmp_data) + len(data)
    with open(output_file_path, 'wb') as f:
        f.write(tmp_data)
        f.write(data)
        padding_size = align_up(total_size, SECTOR_SIZE) - total_size
        if padding_size > 0:
            f.write(b'\0' * padding_size)
        f.seek(PARTITION_SIZE)
        f.truncate()

Script to Decrypt env.img[edit source]

import sys
import struct

def unscramble(data):
    data_size = len(data)
    num_dwords = data_size // 4
    magic = 0x012BB055 # TODO: constant from header @ 0xC
    new_data = bytearray()
    for i in range(num_dwords):
        value = struct.unpack_from('<I', data, i * 4)[0]
        value, magic = value ^ magic, value
        new_data += struct.pack('<I', value)
    return new_data
    
with open(sys.argv[1],"rb") as file:
    file.seek(0x40)
    data=file.read(0xFF80)
    new_data = unscramble(data)
    with open(sys.argv[2],"wb") as file2:
        file2.write(new_data)

Fake Keys[edit source]

This section should explain in what the following keys are fake.

PK0=C1E20574525331AE3E9ABFDFE3E64EB3AA1FD0CD30E3C286CEB84C0C280574E6
PK1=B8F64A4C3DC41A01C039BD1EBCDA3F9E25461024C8817CA8A0281126521884D0
PK2=5B031A912D8C2C8BACD4A919274827EBF4F855041C6B911DEABD26FCC38B2D86
PK3=53C9558316D34E6036A372BDA0238B4AB2D1B3E22074065BDD22DBC8584AD4C7
PK4=FBF4549BB1278E2336071887439BF819ACBB4292F7DA46729A76217419243C4B
PK5=89132F5E01643367499C866DB7B1E7C0C8040EF7DE13516BC7776D97FAB9DB7B
PK6=7FF33CBD9689177E5D8FD6BD2AA6BE0553893F63E525447DC5745BB9650CE69A
PK7=E4767D540A9E9531BDD3FB2302806A953E6920B15B8AE41C4D471B91422510A8
PK9=A5F56F9B07BD524BE2BFFD2C9AA3D80D070A5A5010BEF863F6C64BFA282B76F9
PK10=0DC5A3E6CF63DD71744F1854A6CBF64C13CE4358AE3C2EBE959C8C3B3F6B79B2

PKA0=3F3B86299E4598147DD1A9A8D314081FE8EE67DDFBAE20
PKA1=2D85350A3BC10ED683101EBBCAC799A5D1B87F6C32A833
PKA2=45DE1F88B189E2D453FEAEA559F02157A21F3DB92C7826
PKA3=B7C26B663BDDE355D1B516B7CE9F0D41A82A61FDC7A6B6
PKA4=6CB6896E6D2C61B33817C2927B032EC7FBE01D0B8BC75E