- from Crypto.Cipher import AES
- from Crypto.Util import Counter
- import struct
- import hashlib
- from binascii import hexlify, unhexlify
- """
- typedef struct boot_dat_hdr
- {
- unsigned char ident[0x10];
- unsigned char sha2_s2[0x20];
- unsigned int s2_dst;
- unsigned int s2_size;
- unsigned int s2_enc;
- unsigned char pad[0x10];
- unsigned int s3_size;
- unsigned char pad2[0x90];
- unsigned char sha2_hdr[0x20];
- } boot_dat_hdr_t;
- """
def aes_ctr_dec(buf, key, iv):
    """Apply the AES-CTR keystream derived from ``key``/``iv`` to ``buf``.

    CTR mode XORs the input with a keystream, so one operation serves for
    both encryption and decryption; the cipher's ``encrypt`` is used here
    for either direction.  ``iv`` is the full 16-byte initial counter
    block, read as a big-endian integer.  CTR on its own gives no
    integrity protection.
    """
    # Hex round-trip turns the raw counter-block bytes into the big-endian
    # integer that Counter.new expects as its initial value.
    initial_block = int(hexlify(iv), 16)
    counter = Counter.new(128, initial_value=initial_block)
    cipher = AES.new(key, AES.MODE_CTR, counter=counter)
    return cipher.encrypt(buf)
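# Assemble boot_recompiled.dat from the extracted parts:
#
#   boot_dat_hdr_t header (0x100 bytes)          @ 0x0
#   stage2  (AES-128-CTR)                        @ 0x100
#   data    (AES-128-CTR)                        @ data_off
#   fb      (AES-128-CTR)                        @ fb_off
#   arm64   (AES-128-CTR)                        @ arm64_off
#   unencrypted tail, copied from original boot.dat @ tail_off
#
# The header carries SHA-256 digests of stage2 and of the header itself, and
# stage2 is patched to carry the SHA-256 of data.  These are plain, unkeyed
# hashes: they detect corruption but do not authenticate the image.
#
# All struct fields are packed explicitly little-endian ('<I'): the original
# wrote s2_dst as the literal bytes 00 00 02 40 (= 0x40020000 LE), and a
# native 'I' would not reproduce that on a big-endian host.

# --- read every input up front so a layout error leaves no half-written output
with open('data_80000000.bin', 'rb') as fh:
    data = fh.read()
with open('stage2_40020000.bin', 'rb') as fh:
    stage2 = bytearray(fh.read())
with open('fb_F0000000.bin', 'rb') as fh:
    fb = fh.read()
with open('arm64_80FFFE00.bin', 'rb') as fh:
    arm64 = fh.read()

# --- stage2: patch 0x5DA0 -> 32 bytes (sha2-256 of data.bin)
s2_hash_off = 0x5DA0
if len(stage2) < s2_hash_off + 0x20:
    # A bytearray slice assignment beyond the end silently appends instead
    # of overwriting the field, so refuse rather than produce a bad image.
    raise ValueError(
        'stage2 is {:#x} bytes, too short for the hash field at {:#x}'.format(
            len(stage2), s2_hash_off))
stage2[s2_hash_off:s2_hash_off + 0x20] = hashlib.sha256(data).digest()
stage2 = bytes(stage2)

# --- header (field order/sizes as in boot_dat_hdr_t)
s2_dst = 0x40020000   # todo: hardcoded :\  (original literal bytes 00 00 02 40)
s3_size = 0x00ED2B50  # todo: hardcoded :\  (original literal bytes 50 2B ED 00)
header = b''.join([
    b'\x54\x58\x20\x42\x4F\x4F\x54\x00\x00\x00\x00\x00\x56\x31\x2E\x30',  # ident ("TX BOOT", 5 NULs, "V1.0")
    hashlib.sha256(stage2).digest(),  # sha2_s2: digest of the *patched* stage2
    struct.pack('<I', s2_dst),        # s2_dst
    struct.pack('<I', len(stage2)),   # s2_size
    struct.pack('<I', 1),             # s2_enc
    b'\x00' * 0x10,                   # pad
    struct.pack('<I', s3_size),       # s3_size
    b'\x00' * 0x90,                   # pad2
])
# sha2_hdr: digest over every preceding header field
header += hashlib.sha256(header).digest()

# --- per-section keys / initial counter blocks
s2_key = unhexlify("47E6BFB05965ABCD00E2EE4DDF540261")
s2_ctr = unhexlify("8E4C7889CBAE4A3D64797DDA84BDB086")

data_key = unhexlify("030D865B7E458B10AD5706F6E227F4EB")
data_ctr = unhexlify("AFFC93692EBD2E3D252339F01E03416B")
data_off = 0x5F40
data_size = 0x175B70
data_base = 0x80000000  # presumably the load address (cf. file name) -- informational only

fb_key = unhexlify("E2AC05206A701C9AA514D2B2B7C9F395")
fb_ctr = unhexlify("46FAB59AF0E469EF116614DEC366D15F")
fb_off = 0x17BAB0
fb_size = 0x3C0000
fb_base = 0xF0000000

arm64_key = unhexlify("35D8FFC4AA1BAB9514825EB0658FB493")
arm64_ctr = unhexlify("C38EA26FF3CCE98FD8D5ED431D9D5B94")
arm64_off = 0x53BAB0
arm64_size = 0x36370
arm64_base = 0x80FFFE00

# start of the unencrypted part in the original boot.dat
tail_off = 0x571E20

# --- layout check: the hardcoded offsets chain (off + size == next off, and
# the last one reaches tail_off), so verify the payloads we actually hold
# produce that layout; otherwise every later section and the tail shift.
sections = [
    # (name, payload, expected offset, expected size, key, counter block)
    ('data', data, data_off, data_size, data_key, data_ctr),
    ('fb', fb, fb_off, fb_size, fb_key, fb_ctr),
    ('arm64', arm64, arm64_off, arm64_size, arm64_key, arm64_ctr),
]
cursor = len(header) + len(stage2)
for name, payload, off, size, _key, _ctr in sections:
    if cursor != off:
        raise ValueError('{} would start at {:#x}, expected {:#x}'.format(
            name, cursor, off))
    if len(payload) != size:
        raise ValueError('{} is {:#x} bytes, expected {:#x}'.format(
            name, len(payload), size))
    cursor += size
if cursor != tail_off:
    raise ValueError('encrypted sections end at {:#x}, expected {:#x}'.format(
        cursor, tail_off))

with open('boot.dat', 'rb') as fh:
    fh.seek(tail_off, 0)
    tail = fh.read()

# --- write the image; the context manager closes the file even on error
with open('boot_recompiled.dat', 'wb') as boot:
    boot.write(header)
    boot.write(aes_ctr_dec(stage2, s2_key, s2_ctr))
    for _name, payload, _off, _size, key, ctr in sections:
        boot.write(aes_ctr_dec(payload, key, ctr))
    boot.write(tail)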