
Untitled

a guest
Mar 30th, 2024
  1. #!/usr/bin/env python
  2.  
  3. from binascii import hexlify as hx
  4.  
  5. import sys, os, struct
  6. import hashlib, hmac
  7.  
  8. from Crypto.Cipher import AES
  9. from Crypto.Util import Counter
  10.  
  def aes_encrypt_ecb(key, data):
      """Encrypt *data* with AES-ECB under *key* and return the ciphertext.

      No padding is applied here, so *data* must already be a multiple of the
      16-byte AES block size. ECB uses no IV and gives no integrity protection;
      this script only uses it to turn fixed seeds into keys, not to protect
      bulk data.
      """
      return AES.new(key, AES.MODE_ECB).encrypt(data)
  14.  
  def aes_decrypt_ecb(key, data):
      """Decrypt *data* with AES-ECB under *key* and return the plaintext.

      The input is processed block by block with no IV; nothing is unpadded
      and nothing is authenticated by this helper.
      """
      return AES.new(key, AES.MODE_ECB).decrypt(data)
  18.  
  def aes_encrypt_cbc(key, iv, data):
      """Encrypt *data* with AES-CBC under *key* using the caller-supplied *iv*.

      No padding is added, so *data* must be block-aligned. CBC alone does not
      authenticate the ciphertext; pair it with a MAC where integrity matters.
      """
      cipher = AES.new(key, AES.MODE_CBC, iv)
      ciphertext = cipher.encrypt(data)
      return ciphertext
  22.  
  def aes_decrypt_cbc(key, iv, data):
      """Decrypt *data* with AES-CBC under *key* using the caller-supplied *iv*.

      Returns the raw plaintext blocks; no padding is stripped and the
      ciphertext is not authenticated here, so callers must verify integrity
      themselves before trusting the result.
      """
      cipher = AES.new(key, AES.MODE_CBC, iv)
      plaintext = cipher.decrypt(data)
      return plaintext
  26.  
  def hmac_sha256(key, data):
      """Return the raw 32-byte HMAC-SHA256 tag of *data* computed under *key*."""
      mac = hmac.new(key, data, hashlib.sha256)
      return mac.digest()
  29.  
  # Fixed seed constants embedded in the script: every run derives the same
  # portability key from them. The only per-dump inputs are the values read
  # from the flash image further down.
  # NOTE: str.decode('hex') exists only on Python 2.
  portability_seed_key = 'E973A44C578757A73492625D2CE2D76B'.decode('hex')
  portability_seed = 'DF0C2552DFC7F4F089B9D52DAA0E572A'.decode('hex')

  # Portability key = AES-ECB(seed key, seed); one 16-byte block.
  portability_key = aes_encrypt_ecb(portability_seed_key, portability_seed)

  # Two 32-byte seeds, each encrypted under the portability key to give a
  # 32-byte blob key. Further down, bytes 0x00-0x0F of a blob key are used as
  # the AES key and bytes 0x10-0x1F as the HMAC key.
  eap_hdd_key_blob_key1_seed = '7A49D928D2243C9C4D6E1EA8F5B4E229317E0DCAD2ABE5C56D2540572FB4B6E3'.decode('hex')
  eap_hdd_key_blob_key2_seed = '921CE9C8184C5DD476F4B5D3981F7E2F468193ED071E19FFFD66B693534689D6'.decode('hex')

  eap_hdd_key_blob_key1, eap_hdd_key_blob_key2 = [
      aes_encrypt_ecb(portability_key, seed)
      for seed in (eap_hdd_key_blob_key1_seed, eap_hdd_key_blob_key2_seed)
  ]
  42.  
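  # Selects which embedded EAP key blob, and which offsets into it, the rest of
  # the script uses.
  use_new_blob = False

  # Read the whole flash image; the context manager closes the handle even if
  # the read raises.
  with open('sflash0', 'rb') as SFLASH0:
      data = SFLASH0.read()

  # Every fixed offset read below lies under 0x1C9260. Slicing a short or
  # truncated dump would silently yield short strings and only fail much later
  # inside the AES calls, so reject it up front with a non-zero exit status.
  if len(data) < 0x1C9260:
      print('error: sflash0 is too small (%#x bytes), expected at least 0x1C9260' % len(data))
      sys.exit(1)

  # ICC NVS: block #4, offset 0x200, size 0x40/0x60, magic 0xE5E5E501 (big endian)
  #eap_hdd_wrapped_key = <PASTE KEY HERE>.decode('hex')

  print('[DEBUG] ' + hx(data[0x1C91FC:0x1C9200]))

  # NOTE: these comparisons against str literals assume Python 2, where
  # file.read() returns str.
  if data[0x1C91FC:0x1C9200] == '\xE5\xE5\xE5\x01':
      print('[DEBUG] ' + hx(data[0x1C9240:0x1C9250]))
  else:
      # A missing marker previously only skipped a debug line. Extraction still
      # proceeds, but the operator is told the fixed offsets may not match.
      print('[WARN] magic E5E5E501 not found at 0x1C91FC, the offsets below may not match this dump')

  # If the 16 bytes following the first 0x40 are all 0xFF, the wrapped key is
  # taken as 0x40 bytes long; otherwise the 0x60-byte form is read.
  if data[0x1C9240:0x1C9250] == '\xFF' * 16:
      eap_hdd_wrapped_key = data[0x1C9200:0x1C9240]
      print('[DEBUG] LEN 40 | ' + hx(eap_hdd_wrapped_key))
  else:
      eap_hdd_wrapped_key = data[0x1C9200:0x1C9260]
      print('[DEBUG] LEN 60 | ' + hx(eap_hdd_wrapped_key))

  # ICC NVS: block #4, offset 0x60, size 0x4
  #smi_version = 0x03700000
  #smi_version = 0x03150000

  print('[DEBUG] ' + hx(data[0x1C9060:0x1C9064]))

  # Unpack as unsigned ('<I'): the value is later compared against 0xFFFFFFFF,
  # which a signed '<i' unpack can never produce (it yields -1 instead).
  smi_version = struct.unpack('<I', data[0x1C9060:0x1C9064])[0]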
  71.  
  72.  
  73.  
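  # verify and decrypt eap key blob
  # Each variant is an embedded constant triple: CBC ciphertext, HMAC-SHA256
  # tag over that ciphertext, and the CBC IV.
  if use_new_blob:
      eap_hdd_key_blob_enc = 'CFFDCB6ECAE612B7A30A9EDBD8F77E261D629DE5E6CA3F22F439211AC033884F4B5D7D16D0A6F65D3173A2586CF819C7C6F437444C1D9499F6EBC4145E0BBAABC1DE7C63ED1F5A1E1946358C7F181B1FAB6DAB31195D8E611A1CB81B9ACF8B38FF21029FAB568C7A1BCC3E2FBEB25B13F1AFD6A3599EEF09EAEBE32684FDDA29'.decode('hex')
      eap_hdd_key_blob_sig = '4798B78DD422601F26A32A1FEC5CAB8B256E50958E0B11A31D77DEE201D4D00E'.decode('hex')
      eap_hdd_key_blob_iv = '462500ECC487F0A8C2F39511E020CC59'.decode('hex')
  else:
      eap_hdd_key_blob_enc = 'E073B691E177D39642DF2E1D583D0E9A5A49EDF72BE9412E2B433E51490CE973234B84F49E949F03727331D5456F4598F2EDE6D0C11483B84CE3283243D0DE9DC379E915301A805DFAEB292B30374C9BF1C59041509BF11D215C35D5C08E3330807C8229C930FAB88672C4CF7DACA881C323D72346CA07921DB806FC242A2ED1'.decode('hex')
      eap_hdd_key_blob_sig = 'ED4F32C095847C6D3143EFFD61E7582F75F24465855C4E94DAF34885D8D03463'.decode('hex')
      eap_hdd_key_blob_iv = '3286EA97F3E92C434E1DC170C9289003'.decode('hex')

  # Try blob key 1, then blob key 2. The tag is checked over the ciphertext
  # before anything is decrypted; bytes 0x10-0x1F of the candidate are the MAC
  # key. Both sides of the comparison are constants in this file, so a plain
  # equality test is enough here; use hmac.compare_digest if this check is
  # ever pointed at a tag that comes from outside the script.
  for selected_key in (eap_hdd_key_blob_key1, eap_hdd_key_blob_key2):
      computed_signature = hmac_sha256(selected_key[0x10:0x20], eap_hdd_key_blob_enc)
      if computed_signature == eap_hdd_key_blob_sig:
          break
  else:
      print('error: invalid signature')
      # Non-zero status so wrappers and shell scripts see the failure.
      sys.exit(1)

  # Bytes 0x00-0x0F of the accepted blob key are the AES-CBC key.
  eap_hdd_key_blob = aes_decrypt_cbc(selected_key[0x00:0x10], eap_hdd_key_blob_iv, eap_hdd_key_blob_enc)
  if not eap_hdd_key_blob.startswith('SCE_EAP_HDD__KEY'):
      print('error: invalid magic')
      sys.exit(1)

  # NOTE(review): the blob that was just verified and decrypted is replaced
  # here by a hard-coded plaintext copy, whatever use_new_blob is set to. The
  # HMAC and magic checks above therefore only validate the embedded
  # ciphertext, not the bytes used from here on. Bytes 0x60-0x6F of this
  # constant appear to be zero, and that is the slice the use_new_blob=True
  # path reads as a key - confirm the override is intended for that path.
  eap_hdd_key_blob = 'SCE_EAP_HDD__KEY' + \
      'BB6CD66DDC671FAC3664F7BF5049BAA8C4687904BC31CF4F2F4E9F89FA458793811745E7C7E80D460FAF2326550BD7E4D2A0A0D9729DE5D2117D70676F1D55748DC17CDF29C86A855F2AE9A1AD3E915F0000000000000000000000000000000000000000000000000000000000000000'.decode('hex')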
  99.  
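  # All CBC calls below use an all-zero IV.
  zero_iv = '\0' * 0x10

  # Stage 1: unwrap the first 0x40 bytes of the flash-stored key with a
  # 16-byte key taken from the blob (slice depends on the blob variant).
  if use_new_blob:
      unwrap_key = eap_hdd_key_blob[0x60:0x70]
  else:
      unwrap_key = eap_hdd_key_blob[0x50:0x60]
  eap_hdd_unwrapped_key = aes_decrypt_cbc(unwrap_key, zero_iv, eap_hdd_wrapped_key[:0x40])
  #print('eap_hdd_unwrapped_key', eap_hdd_unwrapped_key.encode('hex').upper())

  # Stage 2: pick the blob key slice by SMI version. The comparison treats
  # smi_version as an unsigned 32-bit number; 0xFFFFFFFF can only match if the
  # value was unpacked unsigned (a signed -1 still lands on 0x10 via the
  # less-than test).
  eap_hdd_key_offset = 0x10 if (smi_version == 0xFFFFFFFF or smi_version < 0x4000000) else 0x20
  stage2_key = eap_hdd_key_blob[eap_hdd_key_offset:eap_hdd_key_offset + 0x10]
  eap_hdd_unwrapped_key_dec = aes_decrypt_cbc(stage2_key, zero_iv, eap_hdd_unwrapped_key)
  # Plausibility check: bytes 0x10-0x1F of the result are expected to be zero.
  # If not, fall back to decrypting the first 0x10 bytes of the wrapped key
  # directly. This is a heuristic, not an integrity check - a wrong input can
  # still yield keys that simply fail to decrypt the disk.
  if eap_hdd_unwrapped_key_dec[0x10:0x20] != zero_iv:
      eap_hdd_unwrapped_key_dec = aes_decrypt_cbc(stage2_key, zero_iv, eap_hdd_wrapped_key[:0x10])

  # Stage 3: HMAC-SHA256 a 16-byte blob slice under the unwrapped key; the
  # 32-byte tag is split into the two 16-byte XTS keys.
  if use_new_blob:
      partition_seed = eap_hdd_key_blob[0x40:0x50]
  else:
      partition_seed = eap_hdd_key_blob[0x30:0x40]
  eap_partition_key = hmac_sha256(eap_hdd_unwrapped_key_dec[:0x10], partition_seed)

  tweak_key = eap_partition_key[0x00:0x10]
  data_key = eap_partition_key[0x10:0x20]

  # Concatenate instead of passing two arguments: without print_function,
  # Python 2 would print the tuple repr. The output is disk-encryption key
  # material, so treat terminal scrollback and any redirected log as sensitive.
  print('XTS data key: ' + data_key.encode('hex').upper())
  print('XTS tweak key: ' + tweak_key.encode('hex').upper())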