T-VALDEUC Firmware AES key :)

[Denny]

"A435HX:********-****-****-****-************-********-****-****-****-************"

someone should make c code to decrypt whole .sec files as i am occupied by reverse issues.
key is corect just checked hearder ot T-VALDEUC 3008 exe.img.sec


enjoy
denny

[juusso]

I tried samygo.py and here is a result:

Code: Select all

C:\tmp\C>C:\Python26\python.exe
Python 2.7.1 (r271:86832, Nov 27 2010, 18:30:46) [MSC v.1500 32 bit (Intel)] on
win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import SamyGO.py
SamyGO Firmware Patcher v0.24 (c) 2010 Erdem U. Altinyurt

                   -=BIG FAT WARNING!=-
            You can brick your TV with this tool!
Authors accept no responsibility about ANY DAMAGE on your devices!
         project home: http://SamyGO.sourceforge.net

For use this script, you have to extract your firmware to a directory first!
usage: python  <path to extracted directory from firmware>
example: python  ./T-CHL7DEUC/
>>> import SamyGO
>>> SamyGO.AESdec("exe.img.sec","A435HX:********-****-****-****-************-********-****-****-****-************"")
secret key :  "A435HX:********-****-****-****-************-********-****-****-****-************"
Decrypting AES...
'exe.img.enc'

>>> SamyGO.xor( 'exe.img.enc' , 'T-VALDEUC')
XOR Key :  T-VALDEUC
Crypto package found, using fast XOR engine.

('exe.img', '4139d0c850e16316cda53d14ea174124', 'T-VALDEUC')
>>>

But finally i got exe.img which is not readable in hex - here i can`t find nor text strings neither any readable code (i didn`t check it with IDA).

Important - after i encrypted back exe.img.enc ->exe.img.sec, the file size differs.

[Denny]

juuso , key match 1000% , in exe.img hearder i get ! in first 16 bytes or hearder "< libFAT" ascii, as i did not play with decrypt algo, i did not check whole . but must be the key

and it is not located in plain

it is here in function CSWUpgradeSecureCore::GetKey(uchar *,uint) :

text:01DE2134 LDR R1, =unk_338D2FB
.text:01DE2138 MOV R2, #0x50
.text:01DE213C BL _ZN5PCMem4CopyEPvPKvm ; PCMem::Copy(void *,void const*,ulong)
.text:01DE2140 MOV R4, #2
.text:01DE2144 MOV R0, R7
.text:01DE2148 STR R4, [SP,#0x80+var_80]
.text:01DE214C STR R4, [SP,#0x80+var_7C]
.text:01DE2150 MOV R1, R6
.text:01DE2154 MOV R2, #0x50
.text:01DE2158 MOV R3, #3
.text:01DE215C BL _ZN11CDrmManager7DecryptEPhijjj ; CDrmManager::Decrypt(uchar *,int,uint,uint,uint)

vice versa in "C" code :

Code: Select all

01de212c   memset(R6, R4, 0x51);
01de213c   _ZN5PCMem4CopyEPvPKvm(R6, unk_338D2FB, 0x50, R3);
01de2140   R4 = 2;
01de2148   var_80 = R4;
01de214c   var_7C = R4;
01de2160   Cond = _ZN11CDrmManager7DecryptEPhijjj(R7, R6, 0x50, 3);

so decrypt sec files should be no big problem.

Denny

[juusso]

SamyGO.AESdec("exe.img.sec","A435HX:********-****-****-****-************-********-****-****-****-************"")

secret key : A435HX:d3e90afc-0f09-4054-9bac-350cc8dfc901-7cee72ea-15ae-45ce-b0f5-611c4f8d4a71

yes, i noticed this and i guess, Erdem must re-write patcher to get it working with C series firmware...

[gooseye]

AESdec( filename,key )
This function decrypts AES encrypted exe.img.sec file and writes xor encrypted firmware. If you not give key, it defaults to use key bellow. Returns decrypted/encrypted filename.
>>> SamyGO.AESdec( '/SamyGO/Silo/T-CHUCIPDEUC/image/exe.img.sec' )
secret key : A435HX:d3e90afc-0f09-4054-9bac-350cc8dfc901-7cee72ea-15ae-45ce-b0f5-611c4f8d4a71
Decrypting AES... done
'/SamyGO/Silo/T-CHUCIPDEUC/image/exe.img.enc'

... looks like you can pass different key as parameter.

[timoo]

works with decrypter.py and 3007.1 great work denny

[Denny]

ok,
just C code to build it in a tool,
to encrypt file back is not need, coz i plan to make tool like BD C-6900 flash , with folow sequenze running in the TV :

1 . Copy T-VALDEUC image (crypted to USB)
2. Start flash tool , flash tool will decrypt the firmware, flash it as it is in stl0 device , mount it as rw (as exe.bin is FAT!), do modify it, recalculate signature , write it in bml0 cmac device, reboot , new sw is done.


so , for alredy rooted device, no need to do usb upgrade by menue and firmware can be easy patched replaced and so on....



Denny

[juusso]

... looks like you can pass different key as parameter.

Strange, it must use new key.
That`s what i did:
changed samygo.py file line 882-884 to:

Code: Select all

	if len( secret )==0:
		secret = "A435HX:********-****-****-****-************-********-****-****-****-************"
	print 'secret key : ', secret

to use new T-VALDEUC key by default.

It seems, it works!!! T-VALDEUC-2002:

Code: Select all

C:\tmp>c:/python26/python.exe
Python 2.7.1 (r271:86832, Nov 27 2010, 18:30:46) [MSC v.1500 32 bit (Intel)] on
win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import SamyGO
SamyGO Firmware Patcher v0.24 (c) 2010 Erdem U. Altinyurt

                   -=BIG FAT WARNING!=-
            You can brick your TV with this tool!
Authors accept no responsibility about ANY DAMAGE on your devices!
         project home: http://SamyGO.sourceforge.net

For use this script, you have to extract your firmware to a directory first!
usage: python  <path to extracted directory from firmware>
example: python  ./T-CHL7DEUC/

>>> SamyGO.AESdec("exe.img.sec")
secret key :  A435HX:********-****-****-****-************-********-****-****-****-************
Decrypting AES...
'exe.img.enc'
>>> SamyGO.xor( 'exe.img.enc' , 'T-VALDEUC')
XOR Key :  T-VALDEUC
Crypto package found, using fast XOR engine.

('exe.img', 'c09e4c8b8be16dce2acedab3d79451ab', 'T-VALDEUC')
>>>

Now i got exe.img file, which seems to be good, because i can read strings in winhex editor cool !


After encrypting i got identical exe.img.sec to original:

Code: Select all

>>> SamyGO.xor( 'exe.img' , 'T-VALDEUC')
XOR Key :  T-VALDEUC
Crypto package found, using fast XOR engine.

('exe.img.enc', '2c544754169074608bbf879d23a97e83', 'T-VALDEUC')
>>> SamyGO.AESenc("exe.img.enc")
secret key :  A435HX:********-****-****-****-************-********-****-****-****-************

Encrypting with AES...
done
'exe.img.sec'
>>>

After this i checked same key with T-MSX5DEUC and T-TDT5DEUC and it won`t work - Denny, could you, please, check these firmwares?

[erdem_ua]

Congratulations.
I will add that key to SamyGO.py permanently and use this if firmware is T-VALDEUC.


Edit:
Unfortunately it's look like that's not a good idea since those firmwares has no info files in it. So XOR keys are absent...
Anyway I could detect XOR key from directory name but it might create more problem that solves...