BD - C6900 Firmware Decrypt

Samsung's BluRay player related hacks.

Denny
Official SamyGO Developer
Posts: 350
Joined: Thu Sep 30, 2010 12:18 pm
Location: Croatia

BD - C6900 Firmware Decrypt

Post by Denny »

By the way, decryption of the RUF firmware files for the Blu-ray player is done as of today.


The key (mkey) used for decryption is:


unsigned char mkey[] = {0xEA,0xEA,0x51,0x2D,0xA9,0x1F,0x87,0xE1,0xC4,0x15,0x4C,0x3E,0xDB,0x7A,0xAD,0xB8}; 
The encrypted body (the first squashfs image) starts at offset 0x800, and it contains multiple files, so the splitting still needs to be done.


Whoever needs it, enjoy :)

Denny


And the complete routine is:


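/*
 * Fixed 124-byte prefix of the RUF image header.  Every member is a byte
 * array, so there is no padding and the offsets below are exact.  Only
 * `size` is interpreted by this tool; the other names come from the
 * reverse-engineering notes and are not verified here.
 *   type    offset   0,  6 bytes
 *   endian  offset   6,  4 bytes
 *   valuex  offset  10,  2 bytes
 *   string  offset  12, 32 bytes
 *   model1  offset  44,  8 bytes
 *   model2  offset  52, 32 bytes
 *   model3  offset  84, 31 bytes
 *   model4  offset 115,  5 bytes
 *   size    offset 120,  4 bytes: big-endian length of the encrypted body
 *           that starts at 0x800.
 *
 * `size` is declared unsigned (as in the OpenSSL port further down this
 * thread): with plain `char` a byte >= 0x80 is sign-extended when the
 * value is assembled with shifts, and left-shifting a negative char is
 * undefined behaviour.
 */
typedef struct {
	char				type[6];
	char				endian[4];
	char				valuex[2];
	char				string[32];
	char				model1[8];
	char				model2[32];
	char				model3[31];
	char				model4[5];
	unsigned char		size[4];

} sam_flash_struct_t;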

sam_flash_struct_t *flash_file;

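/* Fixed layout of a RUF image as used by this routine. */
enum {
	RUF_HEADER_LEN = 0x800,	/* plaintext header, copied through unchanged */
	RUF_BLOCK_LEN  = 16		/* AES block size */
};

/*
 * Read a big-endian 32-bit value from 4 bytes.  Takes void* so it works on
 * the header's field whether it is declared char[4] or unsigned char[4];
 * each byte is widened to unsigned before shifting (the original shifted
 * an int-promoted char, which sign-extends bytes >= 0x80 and is undefined
 * behaviour when the top bit lands in the sign bit).
 */
static unsigned int ruf_be32(const void *p)
{
	const unsigned char *u = p;

	return ((unsigned int)u[0] << 24) | ((unsigned int)u[1] << 16) |
	       ((unsigned int)u[2] << 8) | (unsigned int)u[3];
}

/*
 * Read the whole file at `path` into a malloc'd buffer.
 * On success stores the buffer in *buf and its length in *len and
 * returns 0; the caller owns *buf.  On any failure prints a diagnostic,
 * leaves *buf NULL and returns -1.  (The original checked none of
 * fopen/ftell/malloc/fread.)
 */
static int ruf_read_file(const char *path, unsigned char **buf, size_t *len)
{
	FILE *fp;
	long size;
	unsigned char *data;

	*buf = NULL;
	*len = 0;
	fp = fopen(path, "rb");
	if (fp == NULL) {
		perror(path);
		return -1;
	}
	if (fseek(fp, 0, SEEK_END) != 0 || (size = ftell(fp)) < 0) {
		perror(path);
		fclose(fp);
		return -1;
	}
	rewind(fp);
	/* +1 keeps a zero-length file away from malloc(0). */
	data = malloc((size_t)size + 1);
	if (data == NULL) {
		fprintf(stderr, "%s: out of memory (%ld bytes)\n", path, size);
		fclose(fp);
		return -1;
	}
	if (fread(data, 1, (size_t)size, fp) != (size_t)size) {
		fprintf(stderr, "%s: short read\n", path);
		free(data);
		fclose(fp);
		return -1;
	}
	fclose(fp);
	*buf = data;
	*len = (size_t)size;
	return 0;
}

/*
 * Decrypt one image of `len` bytes from `in` into the distinct buffer `out`.
 * Layout: a 0x800-byte plaintext header whose big-endian `size` field is
 * the length of the AES-128-CBC encrypted body that follows (IV all zero,
 * as in the original); anything after the body is copied verbatim.  Only
 * whole 16-byte blocks are decrypted; a ragged tail is copied as-is.
 * Returns 0 on success, -1 if the file is shorter than the header or the
 * header claims a body longer than the file (the original trusted that
 * field and read and wrote past its buffers).
 * Nothing here authenticates the image: a modified file decrypts just as
 * happily as a genuine one.
 */
static int ruf_decrypt(const unsigned char *in, unsigned char *out, size_t len, unsigned char *key)
{
	const sam_flash_struct_t *hdr = (const sam_flash_struct_t *)in;
	unsigned char iv[RUF_BLOCK_LEN] = {0};
	size_t body_len, whole, pos, n;

	if (len < RUF_HEADER_LEN)
		return -1;
	body_len = ruf_be32(hdr->size);
	if (body_len > len - RUF_HEADER_LEN)
		return -1;

	memcpy(out, in, RUF_HEADER_LEN);

	whole = body_len - body_len % RUF_BLOCK_LEN;
	for (pos = RUF_HEADER_LEN; pos < RUF_HEADER_LEN + whole; pos += RUF_BLOCK_LEN) {
		aes_decrypt_128(in + pos, out + pos, key);
		/* CBC: P_i = D(C_i) XOR C_(i-1), with C_(-1) = IV = 0. */
		for (n = 0; n < RUF_BLOCK_LEN; n++)
			out[pos + n] ^= iv[n];
		memcpy(iv, in + pos, RUF_BLOCK_LEN);
	}
	/* Everything after the last whole encrypted block passes through unchanged. */
	memcpy(out + pos, in + pos, len - pos);
	return 0;
}

/*
 * Decrypt the image `in_name` into a file named like it minus its last
 * four characters (the extension).  Returns 0 on success, -1 after
 * printing a diagnostic on any failure.
 */
static int ruf_process_file(const char *in_name, unsigned char *key)
{
	char out_name[1024];
	size_t name_len = strlen(in_name);
	size_t filesize = 0;
	unsigned char *inbuf = NULL, *outbuf = NULL;
	FILE *outputfp = NULL;
	int rc = -1;

	/*
	 * The original copied name_len-4 bytes unchecked: a name of four or
	 * fewer characters wrapped to a huge length, and anything longer than
	 * the buffer overran it.
	 */
	if (name_len <= 4 || name_len - 4 >= sizeof out_name) {
		fprintf(stderr, "%s: file name must be 5 to %zu characters long\n", in_name, sizeof out_name + 3);
		return -1;
	}
	memcpy(out_name, in_name, name_len - 4);
	out_name[name_len - 4] = '\0';

	if (ruf_read_file(in_name, &inbuf, &filesize) != 0)
		return -1;
	outbuf = calloc(filesize + 1, 1);
	if (outbuf == NULL) {
		fprintf(stderr, "%s: out of memory\n", in_name);
		goto out;
	}
	if (ruf_decrypt(inbuf, outbuf, filesize, key) != 0) {
		fprintf(stderr, "%s: shorter than the 0x%x-byte header or size field exceeds the file\n", in_name, RUF_HEADER_LEN);
		goto out;
	}
	outputfp = fopen(out_name, "wb");
	if (outputfp == NULL) {
		perror(out_name);
		goto out;
	}
	if (fwrite(outbuf, 1, filesize, outputfp) != filesize) {
		fprintf(stderr, "%s: short write\n", out_name);
		goto out;
	}
	rc = 0;
out:
	if (outputfp != NULL && fclose(outputfp) != 0) {
		perror(out_name);
		rc = -1;
	}
	free(outbuf);
	free(inbuf);
	return rc;
}

/*
 * Decrypt every RUF image named on the command line.
 * Exit status is 0 if every file succeeded and 1 otherwise (the original
 * always returned 0 and simply crashed on malformed input or I/O errors).
 */
int main(int argc, char *argv[])
{
	/* AES-128 key for the BD-C6900 RUF images (per the thread, taken from exeDSP). */
	unsigned char mkey[] = {0xEA,0xEA,0x51,0x2D,0xA9,0x1F,0x87,0xE1,0xC4,0x15,0x4C,0x3E,0xDB,0x7A,0xAD,0xB8};
	int status = 0;
	int b;

	if (argc < 2) {
		fprintf(stderr, "usage: %s <image.RUF>...\n", argv[0]);
		return 1;
	}
	for (b = 1; b < argc; b++) {
		if (ruf_process_file(argv[b], mkey) != 0)
			status = 1;
	}
	return status;
}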
Denny - 데니 - 丹尼 (card2000)
UE55C8000 UE55D8000 UE32D6510 BD-C9600 3xDM8000
Reversing HW Demux Drivers and API from Samsung´s TV
Denny
Official SamyGO Developer
Posts: 350
Joined: Thu Sep 30, 2010 12:18 pm
Location: Croatia

Re: BD - C6900 Firmware Decrypt

Post by Denny »

Now including splitting of the individual files:


/*
 * One entry of the sub-file table that begins at header offset 0x120.
 * Entries are 0x40 bytes apart, so this 16-byte struct covers only the
 * interpreted start of each slot.  Values are big-endian.
 *   v1  sub-file id; 0 marks an unused slot and the splitter skips it
 *   v2  sub-file length in bytes
 *   v3, v4  not interpreted by this tool (v3 has been suspected to be a
 *           per-part checksum; unconfirmed)
 */
typedef struct {
	unsigned char	v1[4];
	unsigned char	v2[4];
	unsigned char	v3[4];
	unsigned char	v4[4];
} sam_flash_struct_t1;


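/*
 * Fixed 124-byte prefix of the RUF image header.  Every member is a byte
 * array, so there is no padding and the offsets below are exact.  Only
 * `size` is interpreted by this tool; the other names come from the
 * reverse-engineering notes and are not verified here.  The sub-file
 * count (offset 0xc1) and table (offset 0x120) lie beyond this struct.
 *   type    offset   0,  6 bytes
 *   endian  offset   6,  4 bytes
 *   valuex  offset  10,  2 bytes
 *   string  offset  12, 32 bytes
 *   model1  offset  44,  8 bytes
 *   model2  offset  52, 32 bytes
 *   model3  offset  84, 31 bytes
 *   model4  offset 115,  5 bytes
 *   size    offset 120,  4 bytes: big-endian length of the encrypted body
 *           that starts at 0x800.
 *
 * `size` is declared unsigned (as in the OpenSSL port further down this
 * thread): with plain `char` a byte >= 0x80 is sign-extended when the
 * value is assembled with shifts, and left-shifting a negative char is
 * undefined behaviour.
 */
typedef struct {
	char				type[6];
	char				endian[4];
	char				valuex[2];
	char				string[32];
	char				model1[8];
	char				model2[32];
	char				model3[31];
	char				model4[5];
	unsigned char		size[4];

} sam_flash_struct_t;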

/* View onto the header of the image currently being processed; assigned in
 * main and read nowhere else. */
sam_flash_struct_t *flash_file;

/* View onto the current sub-file table entry (misspelling kept from the
 * original); also only assigned and read inside main. */
sam_flash_struct_t1 *flash_subbiles;

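/*
 * Read a big-endian 32-bit value from the 4 bytes at `val`.
 * Each byte is widened to unsigned int before shifting: the original
 * shifted the int-promoted byte, so a leading byte >= 0x80 was shifted
 * into the sign bit, which is undefined behaviour in C.  `val` is now
 * const; existing callers passing unsigned char* are unaffected.
 */
unsigned int swap_endian(const unsigned char *val)
{
	return ((unsigned int)val[0] << 24) | ((unsigned int)val[1] << 16) |
	       ((unsigned int)val[2] << 8) | (unsigned int)val[3];
}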


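/* Fixed layout of a RUF image as used by this routine. */
enum {
	RUF_HEADER_LEN     = 0x800,	/* plaintext header; encrypted body and sub-file data start here */
	RUF_BLOCK_LEN      = 16,	/* AES block size */
	RUF_SUBFILE_COUNT  = 0xc1,	/* offset of the one-byte count of sub-files */
	RUF_SUBFILE_TABLE  = 0x120,	/* offset of the first sub-file table entry */
	RUF_SUBFILE_STRIDE = 0x40	/* distance between table entries */
};

/*
 * Read the whole file at `path` into a malloc'd buffer.
 * On success stores the buffer in *buf and its length in *len and
 * returns 0; the caller owns *buf.  On any failure prints a diagnostic,
 * leaves *buf NULL and returns -1.  (The original checked none of
 * fopen/ftell/malloc/fread.)
 */
static int ruf_read_file(const char *path, unsigned char **buf, size_t *len)
{
	FILE *fp;
	long size;
	unsigned char *data;

	*buf = NULL;
	*len = 0;
	fp = fopen(path, "rb");
	if (fp == NULL) {
		perror(path);
		return -1;
	}
	if (fseek(fp, 0, SEEK_END) != 0 || (size = ftell(fp)) < 0) {
		perror(path);
		fclose(fp);
		return -1;
	}
	rewind(fp);
	/* +1 keeps a zero-length file away from malloc(0). */
	data = malloc((size_t)size + 1);
	if (data == NULL) {
		fprintf(stderr, "%s: out of memory (%ld bytes)\n", path, size);
		fclose(fp);
		return -1;
	}
	if (fread(data, 1, (size_t)size, fp) != (size_t)size) {
		fprintf(stderr, "%s: short read\n", path);
		free(data);
		fclose(fp);
		return -1;
	}
	fclose(fp);
	*buf = data;
	*len = (size_t)size;
	return 0;
}

/*
 * Decrypt one image of `len` bytes from `in` into the distinct buffer `out`.
 * Layout: a 0x800-byte plaintext header whose big-endian `size` field is
 * the length of the AES-128-CBC encrypted body that follows (IV all zero,
 * as in the original); anything after the body is copied verbatim.  Only
 * whole 16-byte blocks are decrypted; a ragged tail is copied as-is.
 * Returns 0 on success, -1 if the file is shorter than the header or the
 * header claims a body longer than the file (the original trusted that
 * field and read and wrote past its buffers).
 * Nothing here authenticates the image: a modified file decrypts just as
 * happily as a genuine one.
 */
static int ruf_decrypt(const unsigned char *in, unsigned char *out, size_t len, unsigned char *key)
{
	const sam_flash_struct_t *hdr = (const sam_flash_struct_t *)in;
	unsigned char size_be[4];
	unsigned char iv[RUF_BLOCK_LEN] = {0};
	size_t body_len, whole, pos, n;

	if (len < RUF_HEADER_LEN)
		return -1;
	/* Copy the field out so swap_endian sees plain unsigned bytes whatever
	 * type the struct declares for it. */
	memcpy(size_be, hdr->size, sizeof size_be);
	body_len = swap_endian(size_be);
	if (body_len > len - RUF_HEADER_LEN)
		return -1;

	memcpy(out, in, RUF_HEADER_LEN);

	whole = body_len - body_len % RUF_BLOCK_LEN;
	for (pos = RUF_HEADER_LEN; pos < RUF_HEADER_LEN + whole; pos += RUF_BLOCK_LEN) {
		aes_decrypt_128(in + pos, out + pos, key);
		/* CBC: P_i = D(C_i) XOR C_(i-1), with C_(-1) = IV = 0. */
		for (n = 0; n < RUF_BLOCK_LEN; n++)
			out[pos + n] ^= iv[n];
		memcpy(iv, in + pos, RUF_BLOCK_LEN);
	}
	/* Everything after the last whole encrypted block passes through unchanged. */
	memcpy(out + pos, in + pos, len - pos);
	return 0;
}

/*
 * Write each sub-file listed in the header of the decrypted image `img`
 * (`len` bytes) to "<base>_<id>".  Table entries start at
 * RUF_SUBFILE_TABLE and are RUF_SUBFILE_STRIDE apart; each carries a
 * big-endian id (v1) and length (v2), id 0 marks an unused slot, and the
 * byte at RUF_SUBFILE_COUNT says how many non-zero entries to expect.
 * Sub-file data is packed back to back from RUF_HEADER_LEN.
 * Returns 0 if every listed part was written, -1 otherwise.  Unlike the
 * original this stops when the table or the data runs out instead of
 * walking past the buffer, bounds the output name, and checks every
 * file operation.
 */
static int ruf_split(unsigned char *img, size_t len, const char *base)
{
	unsigned int count, done = 0;
	size_t tbl = RUF_SUBFILE_TABLE;
	size_t data = RUF_HEADER_LEN;
	int rc = 0;

	if (len < RUF_HEADER_LEN)
		return -1;
	count = img[RUF_SUBFILE_COUNT];

	while (done < count) {
		sam_flash_struct_t1 *ent;
		unsigned int id, size;
		char name[1024 + 16];
		int n;
		FILE *fp;

		/* The table lives inside the header; the original kept walking past it
		 * when the count promised more non-zero entries than the table held. */
		if (tbl + sizeof *ent > RUF_HEADER_LEN) {
			fprintf(stderr, "%s: header announces %u parts but the table holds %u\n", base, count, done);
			return -1;
		}
		ent = (sam_flash_struct_t1 *)(img + tbl);
		tbl += RUF_SUBFILE_STRIDE;

		id = swap_endian(ent->v1);
		size = swap_endian(ent->v2);
		/* v3/v4 are not interpreted (v3 has been suspected to be a per-part checksum; unconfirmed). */
		if (id == 0)
			continue;	/* unused slot, skipped as in the original */
		if (size > len - data) {
			fprintf(stderr, "%s: part %u claims %u bytes but only %zu remain\n", base, id, size, len - data);
			return -1;
		}
		n = snprintf(name, sizeof name, "%s_%u", base, id);
		if (n < 0 || (size_t)n >= sizeof name) {
			fprintf(stderr, "%s: output name too long\n", base);
			return -1;
		}
		fp = fopen(name, "wb");
		if (fp == NULL) {
			perror(name);
			rc = -1;
		} else {
			if (fwrite(img + data, 1, size, fp) != size) {
				fprintf(stderr, "%s: short write\n", name);
				rc = -1;
			}
			if (fclose(fp) != 0) {
				perror(name);
				rc = -1;
			}
		}
		data += size;
		done++;
	}
	return rc;
}

/*
 * Decrypt the image `in_name` into a file named like it minus its last
 * four characters (the extension), then split that decrypted image into
 * "<name>_<id>" parts.  Returns 0 on success, -1 after printing a
 * diagnostic on any failure.
 */
static int ruf_process_file(const char *in_name, unsigned char *key)
{
	char out_name[1024];
	size_t name_len = strlen(in_name);
	size_t filesize = 0;
	unsigned char *inbuf = NULL, *outbuf = NULL;
	FILE *outputfp = NULL;
	int rc = -1;

	/*
	 * The original copied name_len-4 bytes unchecked: a name of four or
	 * fewer characters wrapped to a huge length, and anything longer than
	 * the buffer overran it.
	 */
	if (name_len <= 4 || name_len - 4 >= sizeof out_name) {
		fprintf(stderr, "%s: file name must be 5 to %zu characters long\n", in_name, sizeof out_name + 3);
		return -1;
	}
	memcpy(out_name, in_name, name_len - 4);
	out_name[name_len - 4] = '\0';

	if (ruf_read_file(in_name, &inbuf, &filesize) != 0)
		return -1;
	outbuf = calloc(filesize + 1, 1);
	if (outbuf == NULL) {
		fprintf(stderr, "%s: out of memory\n", in_name);
		goto out;
	}
	if (ruf_decrypt(inbuf, outbuf, filesize, key) != 0) {
		fprintf(stderr, "%s: shorter than the 0x%x-byte header or size field exceeds the file\n", in_name, RUF_HEADER_LEN);
		goto out;
	}
	outputfp = fopen(out_name, "wb");
	if (outputfp == NULL) {
		perror(out_name);
		goto out;
	}
	if (fwrite(outbuf, 1, filesize, outputfp) != filesize) {
		fprintf(stderr, "%s: short write\n", out_name);
		goto out;
	}
	rc = ruf_split(outbuf, filesize, out_name);
out:
	if (outputfp != NULL && fclose(outputfp) != 0) {
		perror(out_name);
		rc = -1;
	}
	free(outbuf);
	free(inbuf);
	return rc;
}

/*
 * Decrypt and split every RUF image named on the command line.
 * Exit status is 0 if every file succeeded and 1 otherwise (the original
 * always returned 0 and simply crashed on malformed input or I/O errors).
 */
int main(int argc, char *argv[])
{
	/* AES-128 key for the BD-C6900 RUF images (per the thread, taken from exeDSP). */
	unsigned char mkey[] = {0xEA,0xEA,0x51,0x2D,0xA9,0x1F,0x87,0xE1,0xC4,0x15,0x4C,0x3E,0xDB,0x7A,0xAD,0xB8};
	int status = 0;
	int b;

	if (argc < 2) {
		fprintf(stderr, "usage: %s <image.RUF>...\n", argv[0]);
		return 1;
	}
	for (b = 1; b < argc; b++) {
		if (ruf_process_file(argv[b], mkey) != 0)
			status = 1;
	}
	return status;
}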
Denny - 데니 - 丹尼 (card2000)
UE55C8000 UE55D8000 UE32D6510 BD-C9600 3xDM8000
Reversing HW Demux Drivers and API from Samsung´s TV
mirsev
Posts: 48
Joined: Tue Apr 05, 2011 7:58 pm

Re: BD - C6900 Firmware Decrypt

Post by mirsev »

Unbelievable! Where did you find the encryption key?
Denny
Official SamyGO Developer
Posts: 350
Joined: Thu Sep 30, 2010 12:18 pm
Location: Croatia

Re: BD - C6900 Firmware Decrypt

Post by Denny »

I just checked the structure of the split parts:


1.  -> exe.img
2.  -> bml0/5 & bml0/7
3.  -> appdata.img
4.  -> rootfs ??
5.  -> ?????
6.  -> bml0/1
7.  -> bml0/20
9.  -> cmac.bin
10. -> key.bin
I checked this key against the firmware of other BD player models, but it does not match them, so if someone needs another model decrypted, just upload its exeDSP somewhere and PM me a link.

mirsev, it was in exeDSP :)


Denny
Denny - 데니 - 丹尼 (card2000)
UE55C8000 UE55D8000 UE32D6510 BD-C9600 3xDM8000
Reversing HW Demux Drivers and API from Samsung´s TV
mirsev
Posts: 48
Joined: Tue Apr 05, 2011 7:58 pm

Re: BD - C6900 Firmware Decrypt

Post by mirsev »

File #5 may be the firmware for the Blu-ray disc drive itself.

What do you think about flash_subfiles->v3 and the 40 bytes at the end of the file? They look like per-file checksums and a digital signature... Note that the decrypt routine does not check either of them.
habee
Posts: 18
Joined: Sat Dec 04, 2010 10:57 pm

Re: BD - C6900 Firmware Decrypt

Post by habee »

Could you check the app_player executable from a Samsung Blu-ray BD-C5500?

http://www.multiupload.com/T1NF58ZOMY

Thanks

habee
Denny
Official SamyGO Developer
Posts: 350
Joined: Thu Sep 30, 2010 12:18 pm
Location: Croatia

Re: BD - C6900 Firmware Decrypt

Post by Denny »

It took me longer to download the firmware from the server than to find the key :D

The decrypt routine should be the same as posted above; just replace the key.


Take a look here: http://forum.samygo.tv/viewtopic.php?f=18&t=1814


Denny
Denny - 데니 - 丹尼 (card2000)
UE55C8000 UE55D8000 UE32D6510 BD-C9600 3xDM8000
Reversing HW Demux Drivers and API from Samsung´s TV
marcelru
Official SamyGO Developer
Posts: 171
Joined: Thu Oct 01, 2009 7:27 am

Re: BD - C6900 Firmware Decrypt

Post by marcelru »

Hi card2000,

Good job!

I just tried to compile your code on fedora 14, x86_64, but I can't seem to find the routine aes_decrypt_128.
Just a quick question: which library/header supplies this routine? I can't find it in a Fedora repo, and Google isn't very helpful either.

grtz,

marcelr
Denny
Official SamyGO Developer
Posts: 350
Joined: Thu Sep 30, 2010 12:18 pm
Location: Croatia

Re: BD - C6900 Firmware Decrypt

Post by Denny »

marcelru


 aes_decrypt_128(inbuf + i, outbuf + i, mkey);
is our own API call; you can include aes.c from the flash_c6900 source tree and replace it with the call below (note the different argument order: key first, then output, then input):


AES_128(mkey, outbuf + i, inbuf + i);

Denny
Denny - 데니 - 丹尼 (card2000)
UE55C8000 UE55D8000 UE32D6510 BD-C9600 3xDM8000
Reversing HW Demux Drivers and API from Samsung´s TV
mirsev
Posts: 48
Joined: Tue Apr 05, 2011 7:58 pm

Re: BD - C6900 Firmware Decrypt

Post by mirsev »

I used the OpenSSL library for the AES-128 decryption. Here is source code that should compile cleanly (it needs the OpenSSL and zlib headers). I also tried to calculate the CRC32 checksum of the firmware parts, but that code is commented out for now.

decrypt_fw.c


#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <inttypes.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/aes.h>
#include <zlib.h>


/*
 * One entry of the sub-file table that begins at header offset 0x120.
 * Entries are 0x40 bytes apart, so this 16-byte struct covers only the
 * interpreted start of each slot.  Values are big-endian.
 *   v1  sub-file id; 0 marks an unused slot and the splitter skips it
 *   v2  sub-file length in bytes
 *   v3, v4  not interpreted by this tool (v3 has been suspected to be a
 *           per-part CRC32; the attempt to verify that is commented out
 *           in main and unconfirmed)
 */
typedef struct {
	unsigned char                   v1[4];
	unsigned char                   v2[4];
	unsigned char                   v3[4];
	unsigned char                   v4[4];
} sam_flash_struct_t1;


/*
 * Fixed 124-byte prefix of the RUF image header.  Every member is a byte
 * array, so there is no padding and the offsets below are exact.  Only
 * `size` is interpreted by this tool; the other names come from the
 * reverse-engineering notes and are not verified here.  The sub-file
 * count (offset 0xc1) and table (offset 0x120) lie beyond this struct.
 *   type    offset   0,  6 bytes
 *   endian  offset   6,  4 bytes
 *   valuex  offset  10,  2 bytes
 *   string  offset  12, 32 bytes
 *   model1  offset  44,  8 bytes
 *   model2  offset  52, 32 bytes
 *   model3  offset  84, 31 bytes
 *   model4  offset 115,  5 bytes
 *   size    offset 120,  4 bytes: big-endian length of the encrypted body
 *           that starts at 0x800.  Unsigned on purpose: with plain char a
 *           byte >= 0x80 would be sign-extended by swap_endian.
 */
typedef struct {
	char                            type[6];
	char                            endian[4];
	char                            valuex[2];
	char                            string[32];
	char                            model1[8];
	char                            model2[32];
	char                            model3[31];
	char                            model4[5];
	unsigned char                   size[4];

} sam_flash_struct_t;

/* View onto the header of the image currently being processed; assigned in
 * main and read nowhere else. */
sam_flash_struct_t             *flash_file;

/* View onto the current sub-file table entry; also only used inside main. */
sam_flash_struct_t1            *flash_subfiles;

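/*
 * Read a big-endian 32-bit value from the 4 bytes at `val`.
 * Each byte is widened to unsigned int before shifting: the original
 * shifted the int-promoted byte, so a leading byte >= 0x80 was shifted
 * into the sign bit, which is undefined behaviour in C.  `val` is now
 * const; existing callers passing unsigned char* are unaffected.
 */
unsigned int swap_endian(const unsigned char *val)
{
	return ((unsigned int)val[0] << 24) | ((unsigned int)val[1] << 16) |
	       ((unsigned int)val[2] << 8) | (unsigned int)val[3];
}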


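/*
 * Decrypt one 16-byte block with AES-128 (raw block primitive; the CBC
 * chaining is done by the caller).
 * Returns 0 on success and -1 if the key schedule could not be set up, in
 * which case `out` is left untouched.  The original ignored the result of
 * AES_set_decrypt_key and would have decrypted with an uninitialised
 * schedule.  Re-expanding the key on every call is wasteful but keeps the
 * caller's interface unchanged; callers may ignore the return value.
 * The expanded schedule stays on the stack after return (not wiped).
 */
int aes_decrypt_128(const unsigned char *in, unsigned char *out, const unsigned char *key)
{
	AES_KEY                         akey;

	if (AES_set_decrypt_key(key, 128, &akey) != 0)
		return -1;
	AES_decrypt(in, out, &akey);
	return 0;
}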

/* Print the 16 bytes at `bytes` to stdout as 32 lowercase hex digits,
 * with no separators and no trailing newline. */
void print128(unsigned char *bytes)
{
	const unsigned char            *end = bytes + 16;

	while (bytes < end)
		printf("%02x", *bytes++);
}

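/* Fixed layout of a RUF image as used by this routine. */
enum {
	RUF_HEADER_LEN     = 0x800,	/* plaintext header; encrypted body and sub-file data start here */
	RUF_BLOCK_LEN      = 16,	/* AES block size */
	RUF_SUBFILE_COUNT  = 0xc1,	/* offset of the one-byte count of sub-files */
	RUF_SUBFILE_TABLE  = 0x120,	/* offset of the first sub-file table entry */
	RUF_SUBFILE_STRIDE = 0x40	/* distance between table entries */
};

/*
 * Read the whole file at `path` into a malloc'd buffer.
 * On success stores the buffer in *buf and its length in *len and
 * returns 0; the caller owns *buf.  On any failure prints a diagnostic,
 * leaves *buf NULL and returns -1.  (The original checked none of
 * fopen/ftell/malloc/fread.)
 */
static int ruf_read_file(const char *path, unsigned char **buf, size_t *len)
{
	FILE                           *fp;
	long                            size;
	unsigned char                  *data;

	*buf = NULL;
	*len = 0;
	fp = fopen(path, "rb");
	if (fp == NULL) {
		perror(path);
		return -1;
	}
	if (fseek(fp, 0, SEEK_END) != 0 || (size = ftell(fp)) < 0) {
		perror(path);
		fclose(fp);
		return -1;
	}
	fseek(fp, 0, SEEK_SET);
	/* +1 keeps a zero-length file away from malloc(0). */
	data = malloc((size_t)size + 1);
	if (data == NULL) {
		fprintf(stderr, "%s: out of memory (%ld bytes)\n", path, size);
		fclose(fp);
		return -1;
	}
	if (fread(data, 1, (size_t)size, fp) != (size_t)size) {
		fprintf(stderr, "%s: short read\n", path);
		free(data);
		fclose(fp);
		return -1;
	}
	fclose(fp);
	*buf = data;
	*len = (size_t)size;
	return 0;
}

/*
 * Decrypt one image of `len` bytes from `in` into the distinct buffer `out`.
 * Layout: a 0x800-byte plaintext header whose big-endian `size` field is
 * the length of the AES-128-CBC encrypted body that follows (IV all zero,
 * as in the original); anything after the body is copied verbatim.  Only
 * whole 16-byte blocks are decrypted; a ragged tail is copied as-is.
 * Returns 0 on success, -1 if the file is shorter than the header or the
 * header claims a body longer than the file (the original trusted that
 * field and read and wrote past its buffers).
 * Nothing here authenticates the image: a modified file decrypts just as
 * happily as a genuine one.
 */
static int ruf_decrypt(const unsigned char *in, unsigned char *out, size_t len, unsigned char *key)
{
	const sam_flash_struct_t       *hdr = (const sam_flash_struct_t *)in;
	unsigned char                   size_be[4];
	unsigned char                   iv[RUF_BLOCK_LEN] = { 0 };
	size_t                          body_len, whole, pos, n;

	if (len < RUF_HEADER_LEN)
		return -1;
	/* Copy the field out so swap_endian sees plain unsigned bytes whatever
	 * type the struct declares for it. */
	memcpy(size_be, hdr->size, sizeof size_be);
	body_len = swap_endian(size_be);
	if (body_len > len - RUF_HEADER_LEN)
		return -1;

	memcpy(out, in, RUF_HEADER_LEN);

	whole = body_len - body_len % RUF_BLOCK_LEN;
	for (pos = RUF_HEADER_LEN; pos < RUF_HEADER_LEN + whole; pos += RUF_BLOCK_LEN) {
		aes_decrypt_128(in + pos, out + pos, key);
		/* CBC: P_i = D(C_i) XOR C_(i-1), with C_(-1) = IV = 0. */
		for (n = 0; n < RUF_BLOCK_LEN; n++)
			out[pos + n] ^= iv[n];
		memcpy(iv, in + pos, RUF_BLOCK_LEN);
	}
	/* Everything after the last whole encrypted block passes through unchanged. */
	memcpy(out + pos, in + pos, len - pos);
	return 0;
}

/*
 * Write each sub-file listed in the header of the decrypted image `img`
 * (`len` bytes) to "<base>_<id>" with the id zero-padded to two digits.
 * Table entries start at RUF_SUBFILE_TABLE and are RUF_SUBFILE_STRIDE
 * apart; each carries a big-endian id (v1) and length (v2), id 0 marks
 * an unused slot, and the byte at RUF_SUBFILE_COUNT says how many
 * non-zero entries to expect.  Sub-file data is packed back to back from
 * RUF_HEADER_LEN.  v3/v4 are not interpreted (an earlier revision tried
 * treating v3 as a CRC32 of the part; that was never confirmed).
 * Returns 0 if every listed part was written, -1 otherwise.  Unlike the
 * original this stops when the table or the data runs out instead of
 * walking past the buffer, bounds the output name, and checks every
 * file operation.
 */
static int ruf_split(unsigned char *img, size_t len, const char *base)
{
	unsigned int                    count, done = 0;
	size_t                          tbl = RUF_SUBFILE_TABLE;
	size_t                          data = RUF_HEADER_LEN;
	int                             rc = 0;

	if (len < RUF_HEADER_LEN)
		return -1;
	count = img[RUF_SUBFILE_COUNT];

	while (done < count) {
		sam_flash_struct_t1            *ent;
		unsigned int                    id, size;
		char                            name[1024 + 16];
		int                             n;
		FILE                           *fp;

		/* The table lives inside the header; the original kept walking past it
		 * when the count promised more non-zero entries than the table held. */
		if (tbl + sizeof *ent > RUF_HEADER_LEN) {
			fprintf(stderr, "%s: header announces %u parts but the table holds %u\n", base, count, done);
			return -1;
		}
		ent = (sam_flash_struct_t1 *)(img + tbl);
		tbl += RUF_SUBFILE_STRIDE;

		id = swap_endian(ent->v1);
		size = swap_endian(ent->v2);
		if (id == 0)
			continue;	/* unused slot, skipped as in the original */
		if (size > len - data) {
			fprintf(stderr, "%s: part %u claims %u bytes but only %zu remain\n", base, id, size, len - data);
			return -1;
		}
		n = snprintf(name, sizeof name, "%s_%02u", base, id);
		if (n < 0 || (size_t)n >= sizeof name) {
			fprintf(stderr, "%s: output name too long\n", base);
			return -1;
		}
		fp = fopen(name, "wb");
		if (fp == NULL) {
			perror(name);
			rc = -1;
		} else {
			if (fwrite(img + data, 1, size, fp) != size) {
				fprintf(stderr, "%s: short write\n", name);
				rc = -1;
			}
			if (fclose(fp) != 0) {
				perror(name);
				rc = -1;
			}
		}
		data += size;
		done++;
	}
	return rc;
}

/*
 * Decrypt the image `in_name` in memory and split it into
 * "<name>_<id>" parts, where <name> is the input name minus its last four
 * characters (the extension).  The whole decrypted image itself is not
 * written out (as in the original, where that write is commented out).
 * Returns 0 on success, -1 after printing a diagnostic on any failure.
 */
static int ruf_process_file(const char *in_name, unsigned char *key)
{
	char                            out_name[1024];
	size_t                          name_len = strlen(in_name);
	size_t                          filesize = 0;
	unsigned char                  *inbuf = NULL, *outbuf = NULL;
	int                             rc = -1;

	/*
	 * The original copied name_len-4 bytes unchecked: a name of four or
	 * fewer characters wrapped to a huge length, and anything longer than
	 * the buffer overran it.
	 */
	if (name_len <= 4 || name_len - 4 >= sizeof out_name) {
		fprintf(stderr, "%s: file name must be 5 to %zu characters long\n", in_name, sizeof out_name + 3);
		return -1;
	}
	memcpy(out_name, in_name, name_len - 4);
	out_name[name_len - 4] = '\0';

	if (ruf_read_file(in_name, &inbuf, &filesize) != 0)
		return -1;
	outbuf = calloc(filesize + 1, 1);
	if (outbuf == NULL) {
		fprintf(stderr, "%s: out of memory\n", in_name);
		goto out;
	}
	if (ruf_decrypt(inbuf, outbuf, filesize, key) != 0) {
		fprintf(stderr, "%s: shorter than the 0x%x-byte header or size field exceeds the file\n", in_name, RUF_HEADER_LEN);
		goto out;
	}
	rc = ruf_split(outbuf, filesize, out_name);
out:
	free(outbuf);
	free(inbuf);
	return rc;
}

/*
 * Decrypt and split every RUF image named on the command line.
 * Exit status is 0 if every file succeeded and 1 otherwise (the original
 * always returned 0 and simply crashed on malformed input or I/O errors).
 */
int main(int argc, char *argv[])
{
	/* AES-128 key for the BD-C6900 RUF images (per the thread, taken from exeDSP). */
	unsigned char                   mkey[] =
	    { 0xEA, 0xEA, 0x51, 0x2D, 0xA9, 0x1F, 0x87, 0xE1, 0xC4, 0x15, 0x4C, 0x3E, 0xDB, 0x7A, 0xAD, 0xB8 };
	int                             status = 0;
	int                             b;

	if (argc < 2) {
		fprintf(stderr, "usage: %s <image.RUF>...\n", argv[0]);
		return 1;
	}
	for (b = 1; b < argc; b++) {
		if (ruf_process_file(argv[b], mkey) != 0)
			status = 1;
	}
	return status;
}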

