| 179 |
theseven |
1 |
#!/usr/bin/env python
|
|
|
2 |
#
|
|
|
3 |
#
|
|
|
4 |
# Copyright 2010 TheSeven
|
|
|
5 |
#
|
|
|
6 |
#
|
|
|
7 |
# This file is part of emBIOS.
|
|
|
8 |
#
|
|
|
9 |
# emBIOS is free software: you can redistribute it and/or
|
|
|
10 |
# modify it under the terms of the GNU General Public License as
|
|
|
11 |
# published by the Free Software Foundation, either version 2 of the
|
|
|
12 |
# License, or (at your option) any later version.
|
|
|
13 |
#
|
|
|
14 |
# emBIOS is distributed in the hope that it will be useful,
|
|
|
15 |
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
16 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
|
|
17 |
# See the GNU General Public License for more details.
|
|
|
18 |
#
|
|
|
19 |
# You should have received a copy of the GNU General Public License
|
|
|
20 |
# along with emBIOS. If not, see <http://www.gnu.org/licenses/>.
|
|
|
21 |
#
|
|
|
22 |
#
|
|
|
23 |
|
|
|
24 |
|
|
|
25 |
import sys
|
| 359 |
theseven |
26 |
import os
|
| 179 |
theseven |
27 |
import struct
|
|
|
28 |
import time
|
| 277 |
theseven |
29 |
import hashlib
|
| 179 |
theseven |
30 |
import libembios
|
|
|
31 |
from libembios import Error
|
|
|
32 |
import libembiosdata
|
|
|
33 |
|
|
|
34 |
|
| 272 |
theseven |
35 |
def s5l8701cryptdfu(data):
|
| 179 |
theseven |
36 |
data = data.ljust((len(data) + 0x3f) & ~0x3f, "\0")
|
|
|
37 |
header = "87011.0\0\0\x08\0\0" + struct.pack("<I", len(data))
|
|
|
38 |
embios = libembios.Embios()
|
|
|
39 |
embios.write(0x08000000, header.ljust(0x800, "\0") + data)
|
| 180 |
theseven |
40 |
embios.lib.dev.timeout = 20000
|
| 179 |
theseven |
41 |
embios.hmac_sha1(0x08000800, len(data), 0x08000010)
|
|
|
42 |
embios.hmac_sha1(0x08000000, 0x40, 0x08000040)
|
|
|
43 |
embios.aesencrypt(0x08000000, len(data) + 0x800, 1)
|
|
|
44 |
return embios.read(0x08000000, len(data) + 0x800)
|
|
|
45 |
|
|
|
46 |
|
| 272 |
theseven |
47 |
def s5l8701decryptdfu(data):
|
| 179 |
theseven |
48 |
embios = libembios.Embios()
|
|
|
49 |
embios.write(0x08000000, data)
|
| 180 |
theseven |
50 |
embios.lib.dev.timeout = 20000
|
| 179 |
theseven |
51 |
embios.aesdecrypt(0x08000000, len(data), 1)
|
|
|
52 |
return embios.read(0x08000800, len(data) - 0x800)
|
|
|
53 |
|
|
|
54 |
|
| 272 |
theseven |
55 |
def s5l8701cryptfirmware(data):
|
| 179 |
theseven |
56 |
data = data.ljust((len(data) + 0x3f) & ~0x3f, "\0")
|
| 186 |
theseven |
57 |
header = "\0\0\0\0\x02\0\0\0\x01\0\0\0\x40\0\0\0\0\0\0\0" + struct.pack("<I", len(data))
|
| 179 |
theseven |
58 |
embios = libembios.Embios()
|
|
|
59 |
embios.write(0x08000000, header.ljust(0x800, "\0") + data)
|
| 180 |
theseven |
60 |
embios.lib.dev.timeout = 20000
|
| 179 |
theseven |
61 |
embios.hmac_sha1(0x08000800, len(data), 0x0800001c)
|
|
|
62 |
embios.hmac_sha1(0x08000000, 0x200, 0x080001d4)
|
|
|
63 |
embios.aesencrypt(0x08000800, len(data), 1)
|
|
|
64 |
return embios.read(0x08000000, len(data) + 0x800)
|
|
|
65 |
|
|
|
66 |
|
| 272 |
theseven |
67 |
def s5l8701decryptfirmware(data):
|
| 179 |
theseven |
68 |
embios = libembios.Embios()
|
|
|
69 |
embios.write(0x08000000, data)
|
| 180 |
theseven |
70 |
embios.lib.dev.timeout = 20000
|
| 179 |
theseven |
71 |
embios.aesdecrypt(0x08000800, len(data) - 0x800, 1)
|
|
|
72 |
return embios.read(0x08000800, len(data) - 0x800)
|
|
|
73 |
|
|
|
74 |
|
| 277 |
theseven |
75 |
def s5l8702cryptnor(data):
|
|
|
76 |
data = data.ljust((len(data) + 0xf) & ~0xf, "\0")
|
| 279 |
theseven |
77 |
header = "87021.0\x01\0\0\0\0" + struct.pack("<I", len(data)) + hashlib.sha1(data).digest()[:0x10]
|
| 277 |
theseven |
78 |
embios = libembios.Embios()
|
|
|
79 |
embios.write(0x08000000, header.ljust(0x800, "\0") + data)
|
|
|
80 |
embios.lib.dev.timeout = 20000
|
| 279 |
theseven |
81 |
embios.aesencrypt(0x08000800, len(data), 2)
|
|
|
82 |
embios.aesencrypt(0x08000010, 0x10, 2)
|
| 277 |
theseven |
83 |
embios.write(0x08000040, hashlib.sha1(embios.read(0x08000000, 0x40)).digest()[:0x10])
|
| 279 |
theseven |
84 |
embios.aesencrypt(0x08000040, 0x10, 2)
|
| 277 |
theseven |
85 |
return embios.read(0x08000000, len(data) + 0x800)
|
|
|
86 |
|
|
|
87 |
|
|
|
88 |
def s5l8702decryptnor(data):
|
|
|
89 |
embios = libembios.Embios()
|
|
|
90 |
embios.write(0x08000000, data[0x800:])
|
|
|
91 |
embios.lib.dev.timeout = 20000
|
|
|
92 |
embios.aesdecrypt(0x08000000, len(data) - 0x800, 1)
|
|
|
93 |
return embios.read(0x08000000, len(data) - 0x800)
|
|
|
94 |
|
|
|
95 |
|
| 359 |
theseven |
96 |
def s5l8702genpwnage(data):
|
|
|
97 |
cert = open(os.path.dirname(__file__) + "/libipodcrypto/s5l8702pwnage.cer", "rb").read()
|
|
|
98 |
data = data.ljust(max(0x840, (len(data) + 0xf) & ~0xf), "\0")
|
|
|
99 |
header = ("87021.0\x03\0\0\0\0" + struct.pack("<IIII", len(data) - 0x830, len(data) - 0x4f6, len(data) - 0x7b0, 0x2ba)).ljust(0x40, "\0")
|
|
|
100 |
embios = libembios.Embios()
|
|
|
101 |
embios.write(0x08000000, header + hashlib.sha1(header).digest()[:0x10])
|
|
|
102 |
embios.lib.dev.timeout = 5000
|
|
|
103 |
embios.aesencrypt(0x08000040, 0x10, 1)
|
|
|
104 |
return embios.read(0x08000000, 0x50) + data + cert.ljust((len(cert) + 0xf) & ~0xf, "\0")
|
|
|
105 |
|
|
|
106 |
|
| 272 |
theseven |
107 |
def s5l8701cryptdfufile(infile, outfile):
|
| 179 |
theseven |
108 |
infile = open(infile, "rb")
|
|
|
109 |
outfile = open(outfile, "wb")
|
| 272 |
theseven |
110 |
outfile.write(s5l8701cryptdfu(infile.read()))
|
| 179 |
theseven |
111 |
infile.close()
|
|
|
112 |
outfile.close()
|
|
|
113 |
|
|
|
114 |
|
| 272 |
theseven |
115 |
def s5l8701decryptdfufile(infile, outfile):
|
| 179 |
theseven |
116 |
infile = open(infile, "rb")
|
|
|
117 |
outfile = open(outfile, "wb")
|
| 272 |
theseven |
118 |
outfile.write(s5l8701decryptdfu(infile.read()))
|
| 179 |
theseven |
119 |
infile.close()
|
|
|
120 |
outfile.close()
|
|
|
121 |
|
|
|
122 |
|
| 272 |
theseven |
123 |
def s5l8701cryptfirmwarefile(infile, outfile):
|
| 179 |
theseven |
124 |
infile = open(infile, "rb")
|
|
|
125 |
outfile = open(outfile, "wb")
|
| 272 |
theseven |
126 |
outfile.write(s5l8701cryptfirmware(infile.read()))
|
| 179 |
theseven |
127 |
infile.close()
|
|
|
128 |
outfile.close()
|
|
|
129 |
|
|
|
130 |
|
| 272 |
theseven |
131 |
def s5l8701decryptfirmwarefile(infile, outfile):
|
| 179 |
theseven |
132 |
infile = open(infile, "rb")
|
|
|
133 |
outfile = open(outfile, "wb")
|
| 272 |
theseven |
134 |
outfile.write(s5l8701decryptfirmware(infile.read()))
|
| 179 |
theseven |
135 |
infile.close()
|
|
|
136 |
outfile.close()
|
| 277 |
theseven |
137 |
|
|
|
138 |
|
|
|
139 |
def s5l8702cryptnorfile(infile, outfile):
|
|
|
140 |
infile = open(infile, "rb")
|
|
|
141 |
outfile = open(outfile, "wb")
|
|
|
142 |
outfile.write(s5l8702cryptnor(infile.read()))
|
|
|
143 |
infile.close()
|
|
|
144 |
outfile.close()
|
|
|
145 |
|
|
|
146 |
|
|
|
147 |
def s5l8702decryptnorfile(infile, outfile):
|
|
|
148 |
infile = open(infile, "rb")
|
|
|
149 |
outfile = open(outfile, "wb")
|
|
|
150 |
outfile.write(s5l8702decryptnor(infile.read()))
|
|
|
151 |
infile.close()
|
|
|
152 |
outfile.close()
|
| 359 |
theseven |
153 |
|
|
|
154 |
|
|
|
155 |
def s5l8702genpwnagefile(infile, outfile):
|
|
|
156 |
infile = open(infile, "rb")
|
|
|
157 |
outfile = open(outfile, "wb")
|
|
|
158 |
outfile.write(s5l8702genpwnage(infile.read()))
|
|
|
159 |
infile.close()
|
|
|
160 |
outfile.close()
|