| 179 |
theseven |
1 |
#!/usr/bin/env python
|
|
|
2 |
#
|
|
|
3 |
#
|
|
|
4 |
# Copyright 2010 TheSeven
|
|
|
5 |
#
|
|
|
6 |
#
|
| 427 |
farthen |
7 |
# This file is part of emCORE.
|
| 179 |
theseven |
8 |
#
|
| 427 |
farthen |
9 |
# emCORE is free software: you can redistribute it and/or
|
| 179 |
theseven |
10 |
# modify it under the terms of the GNU General Public License as
|
|
|
11 |
# published by the Free Software Foundation, either version 2 of the
|
|
|
12 |
# License, or (at your option) any later version.
|
|
|
13 |
#
|
| 427 |
farthen |
14 |
# emCORE is distributed in the hope that it will be useful,
|
| 179 |
theseven |
15 |
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
16 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
|
|
17 |
# See the GNU General Public License for more details.
|
|
|
18 |
#
|
|
|
19 |
# You should have received a copy of the GNU General Public License
|
| 427 |
farthen |
20 |
# along with emCORE. If not, see <http://www.gnu.org/licenses/>.
|
| 179 |
theseven |
21 |
#
|
|
|
22 |
#
|
|
|
23 |
|
|
|
24 |
|
|
|
25 |
import sys
|
| 359 |
theseven |
26 |
import os
|
| 179 |
theseven |
27 |
import struct
|
|
|
28 |
import time
|
| 277 |
theseven |
29 |
import hashlib
|
| 427 |
farthen |
30 |
import libemcore
|
|
|
31 |
from libemcore import Error
|
|
|
32 |
import libemcoredata
|
| 179 |
theseven |
33 |
|
|
|
34 |
|
| 272 |
theseven |
35 |
def s5l8701cryptdfu(data):
|
| 179 |
theseven |
36 |
data = data.ljust((len(data) + 0x3f) & ~0x3f, "\0")
|
| 550 |
theseven |
37 |
header = "87011.0\0\0\x08\0\0" + struct.pack("<I", len(data))
|
| 427 |
farthen |
38 |
emcore = libemcore.Emcore()
|
| 523 |
theseven |
39 |
addr = emcore.memalign(0x10, len(data) + 0x800)
|
|
|
40 |
emcore.write(addr, header.ljust(0x800, "\0") + data)
|
|
|
41 |
emcore.hmac_sha1(addr + 0x800, len(data), addr + 0x10)
|
|
|
42 |
emcore.hmac_sha1(addr, 0x40, addr + 0x40)
|
|
|
43 |
emcore.aesencrypt(addr, len(data) + 0x800, 1)
|
|
|
44 |
data = emcore.read(addr, len(data) + 0x800)
|
|
|
45 |
emcore.free(addr)
|
|
|
46 |
return data
|
| 179 |
theseven |
47 |
|
|
|
48 |
|
| 272 |
theseven |
49 |
def s5l8701decryptdfu(data):
|
| 523 |
theseven |
50 |
headersize = struct.unpack("<I", data[8:12])[0]
|
| 427 |
farthen |
51 |
emcore = libemcore.Emcore()
|
| 523 |
theseven |
52 |
addr = emcore.memalign(0x10, len(data))
|
|
|
53 |
emcore.write(addr, data)
|
|
|
54 |
emcore.aesdecrypt(addr, len(data), 1)
|
|
|
55 |
data = emcore.read(addr + headersize, len(data) - headersize)
|
|
|
56 |
emcore.free(addr)
|
|
|
57 |
return data
|
| 179 |
theseven |
58 |
|
|
|
59 |
|
| 272 |
theseven |
60 |
def s5l8701cryptfirmware(data):
|
| 179 |
theseven |
61 |
data = data.ljust((len(data) + 0x3f) & ~0x3f, "\0")
|
| 186 |
theseven |
62 |
header = "\0\0\0\0\x02\0\0\0\x01\0\0\0\x40\0\0\0\0\0\0\0" + struct.pack("<I", len(data))
|
| 427 |
farthen |
63 |
emcore = libemcore.Emcore()
|
| 523 |
theseven |
64 |
addr = emcore.memalign(0x10, len(data) + 0x800)
|
|
|
65 |
emcore.write(addr, header.ljust(0x800, "\0") + data)
|
|
|
66 |
emcore.hmac_sha1(addr + 0x800, len(data), addr + 0x1c)
|
|
|
67 |
emcore.hmac_sha1(addr, 0x200, addr + 0x1d4)
|
|
|
68 |
emcore.aesencrypt(addr + 0x800, len(data), 1)
|
|
|
69 |
data = emcore.read(addr, len(data) + 0x800)
|
|
|
70 |
emcore.free(addr)
|
|
|
71 |
return data
|
| 179 |
theseven |
72 |
|
|
|
73 |
|
| 272 |
theseven |
74 |
def s5l8701decryptfirmware(data):
|
| 427 |
farthen |
75 |
emcore = libemcore.Emcore()
|
| 523 |
theseven |
76 |
addr = emcore.memalign(0x10, len(data))
|
|
|
77 |
emcore.write(addr, data)
|
|
|
78 |
emcore.aesdecrypt(addr + 0x800, len(data) - 0x800, 1)
|
|
|
79 |
data = emcore.read(addr + 0x800, len(data) - 0x800)
|
|
|
80 |
emcore.free(addr)
|
|
|
81 |
return data
|
| 179 |
theseven |
82 |
|
|
|
83 |
|
| 277 |
theseven |
84 |
def s5l8702cryptnor(data):
|
|
|
85 |
data = data.ljust((len(data) + 0xf) & ~0xf, "\0")
|
| 279 |
theseven |
86 |
header = "87021.0\x01\0\0\0\0" + struct.pack("<I", len(data)) + hashlib.sha1(data).digest()[:0x10]
|
| 427 |
farthen |
87 |
emcore = libemcore.Emcore()
|
| 523 |
theseven |
88 |
addr = emcore.memalign(0x10, len(data))
|
|
|
89 |
emcore.write(addr, header.ljust(0x800, "\0") + data)
|
|
|
90 |
emcore.aesencrypt(addr + 0x800, len(data), 2)
|
|
|
91 |
emcore.aesencrypt(addr + 0x10, 0x10, 2)
|
|
|
92 |
emcore.write(addr + 0x40, hashlib.sha1(emcore.read(addr, 0x40)).digest()[:0x10])
|
|
|
93 |
emcore.aesencrypt(addr + 0x40, 0x10, 2)
|
|
|
94 |
data = emcore.read(addr, len(data) + 0x800)
|
|
|
95 |
emcore.free(addr)
|
|
|
96 |
return data
|
| 277 |
theseven |
97 |
|
|
|
98 |
|
|
|
99 |
def s5l8702decryptnor(data):
|
| 427 |
farthen |
100 |
emcore = libemcore.Emcore()
|
| 523 |
theseven |
101 |
addr = emcore.memalign(0x10, len(data))
|
|
|
102 |
emcore.write(addr, data[0x800:])
|
|
|
103 |
emcore.aesdecrypt(addr, len(data) - 0x800, 1)
|
|
|
104 |
data = emcore.read(addr, len(data) - 0x800)
|
|
|
105 |
emcore.free(addr)
|
|
|
106 |
return data
|
| 277 |
theseven |
107 |
|
|
|
108 |
|
| 359 |
theseven |
109 |
def s5l8702genpwnage(data):
|
|
|
110 |
cert = open(os.path.dirname(__file__) + "/libipodcrypto/s5l8702pwnage.cer", "rb").read()
|
|
|
111 |
data = data.ljust(max(0x840, (len(data) + 0xf) & ~0xf), "\0")
|
|
|
112 |
header = ("87021.0\x03\0\0\0\0" + struct.pack("<IIII", len(data) - 0x830, len(data) - 0x4f6, len(data) - 0x7b0, 0x2ba)).ljust(0x40, "\0")
|
| 427 |
farthen |
113 |
emcore = libemcore.Emcore()
|
| 523 |
theseven |
114 |
addr = emcore.memalign(0x10, len(data))
|
|
|
115 |
emcore.write(addr, header + hashlib.sha1(header).digest()[:0x10])
|
|
|
116 |
emcore.aesencrypt(addr + 0x40, 0x10, 1)
|
|
|
117 |
data = emcore.read(addr, 0x50) + data + cert.ljust((len(cert) + 0xf) & ~0xf, "\0")
|
|
|
118 |
emcore.free(addr)
|
|
|
119 |
return data
|
| 359 |
theseven |
120 |
|
|
|
121 |
|
| 272 |
theseven |
122 |
def s5l8701cryptdfufile(infile, outfile):
|
| 179 |
theseven |
123 |
infile = open(infile, "rb")
|
|
|
124 |
outfile = open(outfile, "wb")
|
| 272 |
theseven |
125 |
outfile.write(s5l8701cryptdfu(infile.read()))
|
| 179 |
theseven |
126 |
infile.close()
|
|
|
127 |
outfile.close()
|
|
|
128 |
|
|
|
129 |
|
| 272 |
theseven |
130 |
def s5l8701decryptdfufile(infile, outfile):
|
| 179 |
theseven |
131 |
infile = open(infile, "rb")
|
|
|
132 |
outfile = open(outfile, "wb")
|
| 272 |
theseven |
133 |
outfile.write(s5l8701decryptdfu(infile.read()))
|
| 179 |
theseven |
134 |
infile.close()
|
|
|
135 |
outfile.close()
|
|
|
136 |
|
|
|
137 |
|
| 272 |
theseven |
138 |
def s5l8701cryptfirmwarefile(infile, outfile):
|
| 179 |
theseven |
139 |
infile = open(infile, "rb")
|
|
|
140 |
outfile = open(outfile, "wb")
|
| 272 |
theseven |
141 |
outfile.write(s5l8701cryptfirmware(infile.read()))
|
| 179 |
theseven |
142 |
infile.close()
|
|
|
143 |
outfile.close()
|
|
|
144 |
|
|
|
145 |
|
| 272 |
theseven |
146 |
def s5l8701decryptfirmwarefile(infile, outfile):
|
| 179 |
theseven |
147 |
infile = open(infile, "rb")
|
|
|
148 |
outfile = open(outfile, "wb")
|
| 272 |
theseven |
149 |
outfile.write(s5l8701decryptfirmware(infile.read()))
|
| 179 |
theseven |
150 |
infile.close()
|
|
|
151 |
outfile.close()
|
| 277 |
theseven |
152 |
|
|
|
153 |
|
|
|
154 |
def s5l8702cryptnorfile(infile, outfile):
|
|
|
155 |
infile = open(infile, "rb")
|
|
|
156 |
outfile = open(outfile, "wb")
|
|
|
157 |
outfile.write(s5l8702cryptnor(infile.read()))
|
|
|
158 |
infile.close()
|
|
|
159 |
outfile.close()
|
|
|
160 |
|
|
|
161 |
|
|
|
162 |
def s5l8702decryptnorfile(infile, outfile):
|
|
|
163 |
infile = open(infile, "rb")
|
|
|
164 |
outfile = open(outfile, "wb")
|
|
|
165 |
outfile.write(s5l8702decryptnor(infile.read()))
|
|
|
166 |
infile.close()
|
|
|
167 |
outfile.close()
|
| 359 |
theseven |
168 |
|
|
|
169 |
|
|
|
170 |
def s5l8702genpwnagefile(infile, outfile):
|
|
|
171 |
infile = open(infile, "rb")
|
|
|
172 |
outfile = open(outfile, "wb")
|
|
|
173 |
outfile.write(s5l8702genpwnage(infile.read()))
|
|
|
174 |
infile.close()
|
|
|
175 |
outfile.close()
|