I just want to document here alternative method of firmware decryption and extraction without using Python-based SamyGO Patcher or Decryptor. While I wasn't able to match proper version of Python and crypto libs, I've tried to do this process manually from bash employing basic Linux commands and utilities. Here goes the instruction.
My device: Samsung HT-E4200 (w/ loader problem) https://forum.samygo.tv/viewtopic.php?t=14202
Tested Firmware: B-FIRHT7WWC (versions: 1013.0, 1015.1, 1024.0)
Host: Dell Latitude 7370
Host OS: Ubuntu 20.04
OpenSSL: 1.1.1f
Prerequisites:
- Tools: OpenSSL, crc32, file xor utility
- Samsung genuine firmware ZIP
- Secret keys embedded in this version of SamyGO patcher:
- Assumed you work from the folder containing unzipped encrypted files (*.sec)
(0) Preparation: firmware code is xor hash (see info.txt file, secret passphrase is taken from SamyGO: https://github.com/george-hopkins/samygo-patcher.git
(1) File name assignment and length calculation in 16-byte blocks
(2) Truncate RSA signature at the tail
(3) AES-128 decrypt with OpenSSL (basic Key Derivation Function)
(4) De-XORing (using this utility https://github.com/mightbesimon/XOR-file-encryption)
(5) Validate decryption process by checking CRC32
(6) Unsquash image and store in sub-folder
Here is the command line snippet (repeat steps from (1) till (6) for all encrypted files:
Code: Select all
# (0) Preparation: firmware code is xor hash (see infor.txt file, secret passphrase is taken from SamyGO
xor_hash=B-FIRHT7WWC
echo -n "d6442d-7b46b2f4-0f11-4623-af63-8bb0a0d54c80-a22fbe2c-1bb5-49cc-b194-25c0f2b870f4" | sha1sum | head -c 40 > secret_sha1.txt
# (1) File name assignment and length in 16-byte blocks
filename=exe.img.sec // change it in next repeat for other files to decrypt: Image.sec, rootfs.img.sec
length=$(( (`du -b $filename | cut -f1`-260)/16 ))
# (2) Truncate RSA signature at the tail
dd if=$filename of=${filename%sec}enc bs=16 count=$length
# (3) AES-128 decrypt with OpenSSL (basic Key Derivation Function)
openssl aes-128-cbc -d -p -salt -md md5 -kfile secret_sha1.txt -in ${filename%sec}enc -out ${filename%sec}xor
# (4) De-XORing (https://github.com/mightbesimon/XOR-file-encryption)
# xor-files utility from github didn't work correctly introducing one byte shift with every dexor
./xor ${filename%sec}xor $xor_hash; mv new-${filename%sec}xor ${filename%.sec}
# (5) Validate decryption process by checking CRC32
crc32 ${filename%.sec}; cat validinfo.txt
# (6) Unsquash image and store in sub-folder
unsquashfs -d ${filename%.img.sec} ${filename%.sec}
Code: Select all
# (7) Copy loader bin images (optional)
mkdir ./fw_img/
cp ./exe/*.bin ./fw_img/
cp ./exe/LDVER_* ./fw_img/