When generating the MD5 using -z index,name the tool would add the entry but
forgot to increase the file size, hence truncating the file.
Change-Id: Ibd3c594722ab46350cda60d158666fe34a96e922
When compressing, it is possible to tell the tool to add an entry to the MD5
file (index 1), it is still necessary to give an empty file for that index.
To do so, pass the option "-z idx,name" insteas of "-z idx". This will create
an entry of the form "size md5 name". For instance "-z 6,system.img".
When decompressing, if one passes "-z idx,name" instead of "-z idx", the tool
will decompress and check against the value in the MD5 file.
Change-Id: Ifb945f6121644ae9105265d2d83ce6067301c5b2
To decompress some output file(s), simply pass -z <idx> where idx is the index
of the file to decompress, starting from 0. For example
upgtool -e NW_WM_FW.UPG -o tmp/ -m nw-wm1a -z 6 -z 7
to decompress files 6 and 7. To compress file, use the same options:
upgtool -c NW_WM_FW.UPG -m nw-wm1a -z 2 script.sh md5sum.txt system.img
Change-Id: I1ef0b3e02c98e58154f1a959fb1ad70ad2ce6500
In order to avoid the crypto++ mess, the code uses the Windows Cryptography API,
which is standard. There is also some makefile magic to cross-compile:
make PREFIX=i686-w64-mingw32- EXE_EXT=.exe
I selected the option so that it should statically link supports libraries used
by gcc (slsj and libwinpthread).
Change-Id: Iaf07da23afe81ed217fb3921ce13367c5441514d
The new code supports reading and writing UPG files. I kept the old keysig
search code but it only supports the old format (the new format has too long
keys anyway). Since we now have to support two types of encryption(DES and AES),
I reorganized the crypto routines and clean-up some code.
Change-Id: Ie9be220ec2431ec6d0bd11699fa0493b62e1cec2
Split WM1A/WM1Z because they don't have the same KAS. On newer devices, the KAS
is actually 64 bytes, not 60. The strange thing is that "get_dnk_nvp kas" returns
60 bytes whereas "get_dnk_prop kas" returns 64, not sure why.
Change-Id: I944d3d838209ba58388439af0cdf5d7c74f1f7fc
DES ignores the parity bit of each byte (making the 64-bit key really 56-bit),
but the current code skipped the parity bit of each half-byte, thus missing
some keys.
Change-Id: Ia523ebb944e458905b7de1742df151df22166150
Strangely it has the SAME encryption key as the E450. Either they didn't bother
changing it or more likely they have exactly the same internals and a slightly
different case.
Change-Id: I39ab88845b3e40db34160c2e61dde421f391df44
* added KAS for nwz-x1000 (extracted from an NWZ-X1060 via "get_dnk_nvp kas")
* hint that -o is needed when extracting
Change-Id: Ic91c448aa058a22c8ddcae54726f628f7cf60f6b
We don't know the encryption method, the KAS is completely different but it
might be useful to record it anyway for future purposes. MID extracted from
device, Japanese NW-A35.
Change-Id: I4c4bb5b063da99003b5c316061d8c490b77428a4
We already use Crypto++ for DES anyway, and using OpenSSL is not great because
of its incompatible licence.
Change-Id: I78771b84c1708795a0c0c30afa5bdfe4885dea4e
Unify series names: e46x -> e460 to be consistent with Sony' name. Add keys
for various players that were cracked using upgtools. The real KAS would need
to be extracted from a target but at least we can open/create firmware upgrades.
Change-Id: Id23a10e10170d7f6330c6699bf205c4df5ddebfe
The new search has two new features:
- it takes advantage of the fact that DES keys are only 56-bit long (and not 64)
- it is now multithreaded
As a proof of concept, I ran it on the A10 series firmware upgrade and was able
to find the key in a few seconds using 4 threads. The search is still limited
to ascii hex passwords (seems to work on all devices I have tried thus far).
Change-Id: Ied080286d2bbdc493a6ceaecaaadba802b429666
There was a lot of copy and paste, and the code was just crap. This commit tries
to clarify the code and also document the encryption procedure. Hopefully I didn't
break anything.
Change-Id: I257793010e7cf94f2b090b30bb8608359d3886e3
