from Crypto.Cipher import AESfrom Crypto.Util import Counterimport structimp

1. from Crypto.Cipher import AES
2. from Crypto.Util import Counter
3. import struct
4.  
5. import hashlib
6. from binascii import hexlify, unhexlify
7.  
8. """
9. typedef struct boot_dat_hdr
10. {
11. unsigned char ident[0x10];
12. unsigned char sha2_s2[0x20];
13. unsigned int s2_dst;
14. unsigned int s2_size;
15. unsigned int s2_enc;
16. unsigned char pad[0x10];
17. unsigned int s3_size;
18. unsigned char pad2[0x90];
19. unsigned char sha2_hdr[0x20];
20. } boot_dat_hdr_t;
21. """
22.  
23. def aes_ctr_dec(buf, key, iv):
24. ctr = Counter.new(128, initial_value=int(hexlify(iv), 16))
25. return AES.new(key, AES.MODE_CTR, counter=ctr).encrypt(buf)
26.  
27. boot = open('boot_recompiled.dat', 'wb')
28.  
29. with open('data_80000000.bin', 'rb') as fh:
30. data = fh.read()
31.  
32. with open('stage2_40020000.bin', 'rb') as fh:
33. # patch 0x5DA0 -> 32 bytes (sha2-256 of data.bin)
34. stage2 = bytearray(fh.read())
35. sha256 = hashlib.new('sha256')
36. sha256.update(data)
37.  
38. stage2[0x5DA0 : 0x5DA0 + 0x20] = sha256.digest()
39. stage2 = bytes(stage2)
40.  
41. header = b''
42.  
43. # ident
44. header += b'\x54\x58\x20\x42\x4F\x4F\x54\x00\x00\x00\x00\x00\x56\x31\x2E\x30'
45.  
46. # sha2-256 of stage2_40020000.bin
47. sha256 = hashlib.new('sha256')
48. sha256.update(stage2)
49.  
50. header += sha256.digest()
51.  
52. # todo: s2_dst, hardcoded :\
53. header += b'\x00\x00\x02\x40'
54.  
55. # s2_size
56. header += struct.pack('I', len(stage2))
57.  
58. # s2_enc
59. header += struct.pack('I', 1)
60.  
61. # add 0x10 padding
62. header += b'\x00' * 0x10
63.  
64. # s3_size, hardcoded :\
65. header += b'\x50\x2B\xED\x00'
66.  
67. # 0x90 padding
68. header += b'\x00' * 0x90
69.  
70. # write sha2_hdr
71. sha256 = hashlib.new('sha256')
72. sha256.update(header)
73. header += sha256.digest()
74.  
75. # write header
76. boot.write(header)
77.  
78. # write stage2 encrypted
79. s2_key = unhexlify("47E6BFB05965ABCD00E2EE4DDF540261")
80. s2_ctr = unhexlify("8E4C7889CBAE4A3D64797DDA84BDB086")
81.  
82. boot.write(aes_ctr_dec(stage2, s2_key, s2_ctr))
83.  
84. # write data
85. data_key = unhexlify("030D865B7E458B10AD5706F6E227F4EB")
86. data_ctr = unhexlify("AFFC93692EBD2E3D252339F01E03416B")
87. data_off = 0x5F40
88. data_size = 0x175B70
89. data_base = 0x80000000
90.  
91. with open('data_80000000.bin', 'rb') as fh:
92. boot.write(aes_ctr_dec(fh.read(), data_key, data_ctr))
93.  
94. # write fb
95. fb_key = unhexlify("E2AC05206A701C9AA514D2B2B7C9F395")
96. fb_ctr = unhexlify("46FAB59AF0E469EF116614DEC366D15F")
97. fb_off = 0x17BAB0
98. fb_size = 0x3C0000
99. fb_base = 0xF0000000
100.  
101. with open('fb_F0000000.bin', 'rb') as fh:
102. boot.write(aes_ctr_dec(fh.read(), fb_key, fb_ctr))
103.  
104. # write arm64
105. arm64_key = unhexlify("35D8FFC4AA1BAB9514825EB0658FB493")
106. arm64_ctr = unhexlify("C38EA26FF3CCE98FD8D5ED431D9D5B94")
107. arm64_off = 0x53BAB0
108. arm64_size = 0x36370
109. arm64_base = 0x80FFFE00
110.  
111.  
112. with open('arm64_80FFFE00.bin', 'rb') as fh:
113. boot.write(aes_ctr_dec(fh.read(), arm64_key, arm64_ctr))
114.  
115. # write the unecripted part from original boot.dat 0x571e20
116. with open('boot.dat', 'rb') as fh:
117. fh.seek(0x571E20, 0)
118. boot.write(fh.read())
119.  
120. boot.close()