Difference between revisions of "Sony Update Downloads"

From Exploitee.rs
(Updated pad. 756 -> 1095 bytes.)
(Add note about test findings.)

Revision as of 17:58, 12 February 2011

Download Links

Asura 2010.10.21

Eagle 2010.10.21

Eagle 2010.12.15 (Current as of Feb 6, 2011)

Format

Download is a conventional zip file, containing a directory structure with a collection of tgz files as well as various others. Contents are mostly obfuscated using a simple xor of some sort. A pattern has yet to be found, but the mask for one file will apply byte-for-byte to any other obfuscated file in the zip.

Obfuscation

Here are the first 1095 bytes of the Sony obfuscation hash. It's applied as an xor. I haven't put much work into finding a pattern yet. Here's what I do know:

  • It isn't just a static repeating pattern, or if it is then it's longer than 1095 bytes before repeat.
  • The mask for any given byte position is the same across all files, so a static mask that works for one file will work for all files.
  • I tried applying the first 1024 bytes of the mask starting at every byte position in the RfHid_v0156_2010091601_NL.hex and only found valid content when applied to the start of the file. This pretty well establishes that there's no repetition of the mask.

00000000  38 cf 4f aa 7a 8a 2e 3e  2b 41 82 9a ad 31 e9 dc  |8.O.z..>+A...1..|
00000010  ef 47 2f 0b 26 76 12 fe  5f 5b 58 e1 10 18 7d e6  |.G/.&v.._[X...}.|
00000020  ad 92 1b 91 8e 90 69 f7  8a 9b 68 d8 98 58 fa 95  |......i...h..X..|
00000030  63 81 d6 5f 04 7d 29 8b  09 cf b9 21 b8 d9 df dd  |c.._.})....!....|
00000040  c4 7e 71 d9 3f 35 ea 7b  0d ec 7f d1 a3 76 64 88  |.~q.?5.{.....vd.|
00000050  a5 8e 27 49 60 c0 a0 bc  77 54 31 e3 d6 6a bf e5  |..'I`...wT1..j..|
00000060  1b 42 25 da a3 97 b8 e1  ba 54 13 5b 68 31 da ff  |.B%......T.[h1..|
00000070  1c 5c 15 46 4e 32 f1 76  50 e0 4e f3 ab 9a 28 bb  |.\.FN2.vP.N...(.|
00000080  b5 cf 2f 50 24 45 f7 ed  b3 5d c8 f6 21 fa aa d8  |../P$E...]..!...|
00000090  42 4d 49 89 7f 76 c9 72  d8 30 1c 38 cd 09 d5 b7  |BMI..v.r.0.8....|
000000a0  b0 69 ae 32 bd 0b db 1b  4a fc b5 77 cb 18 ff 32  |.i.2....J..w...2|
000000b0  7b c6 aa 83 5d 94 22 e3  4c a1 ef bb 56 66 79 63  |{...].".L...Vfyc|
000000c0  56 43 00 87 b4 69 f4 7c  18 ce 53 c6 3d fd e4 11  |VC...i.|..S.=...|
000000d0  0e 6e a7 65 60 b2 66 dc  6b d7 01 4a e4 9f d7 84  |.n.e`.f.k..J....|
000000e0  3c 87 b6 6a 67 ec 8e a3  36 2c ce c0 ab 2e e2 4e  |<..jg...6,.....N|
000000f0  4f ab 77 f3 0c da d8 e2  b1 98 fe a4 cf 20 a3 6f  |O.w.......... .o|
00000100  27 cc f9 2b 47 09 e1 f8  a8 f5 a3 84 cd 53 b3 aa  |'..+G........S..|
00000110  12 cb 95 dc c2 7f 76 df  84 24 83 c8 60 fe dc 99  |......v..$..`...|
00000120  3c 61 5c d5 4a bd 4b 19  10 ea 2b a9 ed 94 4e 08  |<a\.J.K...+...N.|
00000130  2e 1e 0b 31 90 b7 47 76  55 40 1b 42 e5 cd 82 07  |[email protected]|
00000140  6c 75 61 3d 51 6f 91 ed  4e 3b e7 d0 68 7b ab 93  |lua=Qo..N;..h{..|
00000150  b9 64 e7 82 80 0b b0 7a  1b da d0 70 a8 65 95 da  |.d.....z...p.e..|
00000160  8b 06 37 34 0f 78 a2 35  87 f5 81 6b 0a ce 7d 28  |..74.x.5...k..}(|
00000170  15 97 8c 8a 84 df b0 17  c7 ef 88 b3 41 61 3a a9  |............Aa:.|
00000180  83 2f b8 7d 0e 9f 93 d9  2e 63 21 0e eb 81 64 a6  |./.}.....c!...d.|
00000190  b7 f0 db ab dc cd fc 15  d5 4f fb 96 dd 28 fe d7  |.........O...(..|
000001a0  17 be 8f 96 f0 3e 84 bc  d6 2e 80 d4 60 62 05 0a  |.....>......`b..|
000001b0  f9 12 87 b1 56 7e 46 47  19 1f 84 73 df 42 ca cf  |....V~FG...s.B..|
000001c0  f8 ff 96 de 87 ba 13 2b  12 c8 f8 76 ea 2d 56 23  |.......+...v.-V#|
000001d0  44 32 93 84 a4 5b 78 8a  1c 00 fb 82 9d 91 3c f4  |D2...[x.......<.|
000001e0  5c 2a 7f 13 f8 4a 74 2f  e4 5a 8e 34 28 51 c3 04  |\*...Jt/.Z.4(Q..|
000001f0  c5 aa db 93 62 8b 92 41  bc 18 a5 47 94 06 b3 ed  |....b..A...G....|
00000200  fb 8c 5b 08 d1 62 0d 59  9e 37 26 ff a9 40 63 a7  |..[..b.Y.7&[email protected]|
00000210  d3 f3 e6 30 ea 22 bc 3a  64 9c d9 fe 94 7c f2 3b  |...0.".:d....|.;|
00000220  34 4d ce 2c b4 c5 22 56  b4 e8 ad 31 ed 3b 66 b8  |4M.,.."V...1.;f.|
00000230  38 86 e3 0d fa 77 8a 79  35 0a 7c 23 95 9f 15 2c  |8....w.y5.|#...,|
00000240  9b c9 95 86 40 cf 92 7c  bd 37 36 c2 33 4b 09 c2  |[email protected]|.76.3K..|
00000250  5c b1 a6 23 b2 ef d4 0c  f5 a5 24 90 12 85 6a 03  |\..#......$...j.|
00000260  7b e5 61 48 d8 2f e6 1e  de 7e bb 18 e6 f5 b1 69  |{.aH./...~.....i|
00000270  f1 f3 d1 32 dc e2 8f 99  1b f2 a6 71 90 3d 08 ed  |...2.......q.=..|
00000280  05 c1 fe c1 c7 12 f9 33  a2 18 3f 52 76 9e 0e 6e  |.......3..?Rv..n|
00000290  3d 94 dd cb 04 b7 4b 40  93 96 8f 01 df e1 57 d2  |[email protected]|
000002a0  0e e9 20 e2 bb c6 b6 36  27 d6 82 91 48 90 87 9f  |.. ....6'...H...|
000002b0  23 ea d5 78 2d 93 80 0a  ca 37 e3 40 85 6a 01 ad  |#[email protected]|
000002c0  c2 e7 5b d8 da 17 71 97  65 0a 00 4b 2f 3d ea 3c  |..[...q.e..K/=.<|
000002d0  a0 06 ce 9a 3a d7 5d de  c0 82 4b 02 85 c7 36 bb  |....:.]...K...6.|
000002e0  72 18 b1 0c 5b 39 73 1c  4c d0 cf 1a 70 fa 76 ba  |r...[9s.L...p.v.|
000002f0  55 c5 ce dd 51 6c 38 a7  74 c5 e2 d6 e1 fb 01 1b  |U...Ql8.t.......|
00000300  c2 e3 d4 ff 3b 0c 9e 53  eb 67 e1 ce 80 65 ec d9  |....;..S.g...e..|
00000310  95 e5 f7 8e 45 64 fd 5d  29 6a c4 fe cc ce f0 61  |....Ed.])j.....a|
00000320  97 58 97 82 d5 69 b6 af  34 fe d1 ff 9c 4f b9 01  |.X...i..4....O..|
00000330  0e 27 92 f8 60 52 ee 03  e7 9a e7 42 f0 62 f6 87  |.'..`R.....B.b..|
00000340  cd 3b d2 de d4 57 29 15  d2 9b 6e 8f 8a 37 8d 1e  |.;...W)...n..7..|
00000350  98 3e d0 b7 a1 83 a5 cb  7c c4 d4 60 1f 61 ea a6  |.>......|..`.a..|
00000360  56 fc b3 75 e5 fc c2 1e  cd 6f a9 1b 82 25 41 97  |V..u.....o...%A.|
00000370  16 d1 13 e3 90 c2 e8 48  ce 20 cc dc 91 d6 95 12  |.......H. ......|
00000380  d2 bd c6 94 8e 65 16 7f  da a4 64 11 95 76 b9 30  |.....e....d..v.0|
00000390  11 c8 d9 96 ef d6 b7 ea  d9 c1 a9 85 b7 d5 36 5f  |..............6_|
000003a0  c7 84 24 67 98 56 7a 2e  98 6c 14 7f de 5e 79 bf  |..$g.Vz..l...^y.|
000003b0  b1 10 1a 6f 64 ba 3b 05  ea 7a f0 57 a2 de d9 9b  |...od.;..z.W....|
000003c0  9b 1c 36 c8 2c 6a 31 b5  80 66 e8 0f c3 dc d3 84  |..6.,j1..f......|
000003d0  08 09 f2 11 74 6e 01 a4  74 c6 7d 70 f4 92 0f 63  |....tn..t.}p...c|
000003e0  c2 b2 5f bc e9 ba bd 76  56 ff 6b 69 90 a3 a1 a8  |.._....vV.ki....|
000003f0  4c 68 2d 53 06 63 14 87  b6 b6 a1 95 a6 98 40 33  |[email protected]|
00000400  f5 1e 8a 22 fe 24 ff b6  d3 29 98 17 c4 af e0 06  |...".$...)......|
00000410  50 ee eb b2 40 be a9 45  e8 45 69 cb cf be e6 73  |[email protected]|
00000420  09 5a 63 58 45 21 53 61  f1 b3 7f 4c 36 0f a6 70  |.ZcXE!Sa...L6..p|
00000430  d0 5e 80 c0 3b f1 89 ba  0f 5e e2 33 01 83 b9 c9  |.^..;....^.3....|
00000440  e8 9e 25 43 ce ff 5f                           |..%C.._|
00000447

It could be a large random pad, as someone previously suggested. Or if we're really lucky it could just be a random number sequence accessed via knowing its seed and which rand algorithm it's using. Or it could be an output feedback cipher, which could be a bugger if they used a non-zero key in the encryption.

The approach I used was to find all the obfuscated text files I could, then write a small program to iterate over all possible mask values for each byte, weed out the ones that yield an invalid result in any of those files, and produce a character-by-character list of the possibilities. This was facilitated by knowing that a shell script is only printable characters and whitespace and the .hex file is only hex characters, colons, and CRLFs. If anybody has strong knowledge of limitations in gzip file content beyond the first 96 bytes, that could be used to further filter the options.
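The candidate-narrowing approach just described, plus the "apply the mask at every offset" test from the bullet list above, as an added example in Python; it is not code from this page and not Sony's tooling. It stands in a constructed 256-byte random MASK for the real 1095-byte pad, uses the page's own decoded board_conf.sh and RfHid .hex fragments as plaintext samples, and adds a gzip stream whose first bytes RFC 1952 fixes (ID1/ID2/CM and the reserved FLG bits), which is the kind of gzip knowledge the paragraph asks for. The helper names (xor_with_mask, mask_candidates, valid_offsets and the three predicates) are assumptions of this example.

```python
"""Added example (not from the Exploitee.rs page, not Sony code): recover an
XOR mask byte-by-byte from several obfuscated files whose plaintext character
classes are known, then check whether a mask prefix fits at any other file
offset, which is how the page rules out a repeating pattern.
MASK, the plaintext snippets and every helper name are constructed here."""
import gzip
import random

# constructed stand-in for Sony's pad (theirs is 1095 bytes, this one is 256)
random.seed(1)
MASK = bytes(random.randrange(256) for _ in range(256))


def xor_with_mask(data: bytes, mask: bytes) -> bytes:
    """Obfuscate or deobfuscate: XOR is its own inverse."""
    assert len(data) <= len(mask), "sample must be covered by the mask"
    return bytes(b ^ m for b, m in zip(data, mask))


# what each file kind may contain at a given position: (pos, byte) -> bool
def is_shell_text(pos: int, b: int) -> bool:
    # a shell script is printable ASCII plus tab / LF / CR
    return 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)


def is_intel_hex(pos: int, b: int) -> bool:
    # a .hex file is only hex digits, colons and CRLFs
    return b in b"0123456789ABCDEFabcdef:\r\n"


def is_gzip_header(pos: int, b: int) -> bool:
    # RFC 1952: ID1=0x1f, ID2=0x8b, CM=8 (deflate), FLG reserved bits 5-7 clear
    if pos == 0:
        return b == 0x1F
    if pos == 1:
        return b == 0x8B
    if pos == 2:
        return b == 0x08
    if pos == 3:
        return b & 0xE0 == 0
    return True  # no cheap constraint on the rest of the stream


# constructed plaintexts: the page's own decoded snippets and a real gzip stream
SHELL_PLAIN = (b"#!/bin/sh\n\nchkerr()\n{\n  ret=$?\n  if [ $ret -ne 0 ]; then\n"
               b"    echo \"Error!!!\"\n    exit 1\n  fi\n}\n")
HEX_PLAIN = b"\r\n".join([
    b":020000040000FA", b":0600000091EF1FF0120059", b":0600080004EF04F01200F9",
    b":060018000CEF04F01200E1", b":0608000091EF1FF0120051", b":020806000000F0",
    b":0608080030EF0EF01200BB", b":02080E001200D6", b":060818009EEF0EF012003D",
]) + b"\r\n"
GZIP_PLAIN = gzip.compress(b"hello world\n" * 4, mtime=0)

SAMPLES = [  # (obfuscated bytes, predicate), as they would be found in the zip
    (xor_with_mask(SHELL_PLAIN, MASK), is_shell_text),
    (xor_with_mask(HEX_PLAIN, MASK), is_intel_hex),
    (xor_with_mask(GZIP_PLAIN, MASK), is_gzip_header),
]


def mask_candidates(samples):
    """Per byte position, the set of mask values consistent with every file
    that covers that position (the page's 'character-by-character list')."""
    length = max(len(obf) for obf, _ in samples)
    cands = []
    for pos in range(length):
        possible = set(range(256))
        for obf, ok in samples:
            if pos < len(obf):
                possible = {m for m in possible if ok(pos, obf[pos] ^ m)}
        cands.append(possible)
    return cands


def valid_offsets(mask_prefix: bytes, obf: bytes, ok) -> list:
    """Offsets at which XORing mask_prefix onto obf yields only allowed bytes.
    A non-repeating mask fits at offset 0 and nowhere else."""
    hits = []
    for off in range(len(obf) - len(mask_prefix) + 1):
        window = obf[off:off + len(mask_prefix)]
        if all(ok(off + i, b ^ m) for i, (b, m) in enumerate(zip(window, mask_prefix))):
            hits.append(off)
    return hits


if __name__ == "__main__":
    cands = mask_candidates(SAMPLES)
    pinned = sum(1 for c in cands if len(c) == 1)
    print(f"{len(cands)} positions, {pinned} pinned exactly, "
          f"avg {sum(map(len, cands)) / len(cands):.1f} candidates each")
    print("mask prefix fits at offsets:",
          valid_offsets(MASK[:48], SAMPLES[1][0], is_intel_hex))
```

Positions covered only by the shell script keep roughly a hundred candidates, the .hex file cuts that to at most 25, and the three fixed gzip header bytes pin their positions exactly; every extra file kind with a known structure multiplies the filtering, which is the point of the gzip remark above.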

Here are the decoded sections of the obfuscated text files I could find. These are the same in all three versions of the Sony update that I have.

history/board_conf.sh (full file)

#!/bin/sh

chkerr()
{
  ret=$?
  if [ $ret -ne 0 ]; then
    echo "Error!!!"
    exit 1
  fi
}

# arguments
#PRODUCT_TYPE=$1  # asura, eagle, *
#TRIAL_LEVEL=$2   # evt2, dvt, pvt, pp, mp
#PANELID=$3       # MONI-Z, M236H1-L01, LTY(Z)320HM02, LTY(Z)400HM02, LTY(Z)460HM02, 
#                 # T315HW07 V0, LTY(Z)400HM03, LTY(Z)460HM03, unknown

# for old installer support (evt only)
[ ${PRODUCT_TYPE} ]             || PRODUCT_TYPE=$1
[ ${PANELID} ]                  || PANELID="MONI-Z"
[ ${TRIAL_LEVEL} ]              || TRIAL_LEVEL="pvt"
[ ${PRODUCT_TYPE} = "asura_p" ] && PANELID="PANEL"

mount /dev/sda1 /tmp/mnt1 ; chkerr

printf "product_type = $PRODUCT_TYPE\ntrial_level = $TRIAL_LEVEL\nmodelid = $MODELID\npanelid = $PANELID\n" > /tmp/mnt1/etc/board.conf
chown 0:0 /tmp/mnt1/etc/board.conf ; chkerr
chmod 444 /tmp/mnt1/etc/board.conf ; chkerr

umount /tmp/mnt1

exit 0


history/other/check_spectra1_20100929.sh

#!/bin/sh

#----------------------------------
# unmount /tmp/mntx
UMOUNT()
{
    mount | grep $1 > /dev/null || return 0

    umount $1 2> /dev/null
    mount | grep $1 > /dev/null || return 0 ; sleep 1

    umount $1 2> /dev/null
    mount | grep $1 > /dev/null || return 0 ; sleep 1

    umount $1 2> /dev/null
    mount | grep $1 > /dev/null || return 0 ; sleep 1

    umount $1 2> /dev/null
    mount | grep $1 > /dev/null || return 0 ; sleep 1

    umount $1 2> /dev/null
    mount | grep $1 > /dev/null || return 0 ; sleep 1

    echo Error!!
    exit ${ERROR_CODE}
}
#----------------------------------
# mount /dev/sdax /tmp/mntx
MOUNT()
{
    mount | grep "$2" > /dev/null && return 0

    mount $1 $2 $3 $4
}

#----------------------------------

mkdir -p /tmp/spe1
MOUNT /dev/Glob_Spectraa1 /tmp/spe1
if [ $? -eq 0 ]; then
    UMOUNT /tmp/spe1
    exit 0
fi

sleep 2
MOUNT /dev/Glob_Spectraa1 /tmp/spe1
if [ $? -eq 0 ]; then
    UMOUNT /tmp/spe1
    exit 0
fi

sleep 2
MOUNT /dev/Glob_Spectraa1 /tmp/spe1
if [ $? -eq 0 ]; then
    UMOUNT /tmp/spe1
    exit 0
fi

echo "spectra1 is no


history/other/factory_reset_conditional_keepremote_20101012.sh

#!/bin/sh
# last modified 2010/10/12
#
# conditional factory-reset for asura / eagle on updating.
# keep remote pairing
#
# assuming to be placed before history/other/format_sda_xxx.sh in
# package_list_xxx.txt files.
#
# applies factory-reset effect only when CURRENT_DATE which is exported
# by package_update.sh is the same as or older than BOUNDARY_DATE which
# is defined below.
# CURRENT_DATE reflects the value of ro.build.date.utc in the file
# /system/build.prop on the target.
# the factory-reset itself in this script is the same as one in the
# history/other/factory_reset_20100803.sh which is packaged in the
# GM softoware.

BOUNDARY_DATE=1283319577
# 1283319577 autobuild_trunk-r8602_trunk-r938_asura (20100901.143920)
# above is the latest package before gtv0830 is introduced.
# 1283318267 autobuild_trunk-r8602_trunk-r938_eagle (20100901.141724)
# 1281411575 [GM] 2.1_2010081002U_eagle (20100810.123847)
# 1281092192 [GM] 2.1_2010080602U_asura (20100806.195537)

#SENTINEL_FILE="/tmp/mnt7/.eclair.4"

[ "${BEAGLECMD}" ] || BEAGLECMD=/bin/sony/beaglecmd

chkerr()
{
  if [ $? -n

history/other/format_sda_20100514.sh

#!/bin/sh

FDISK_HASH_8G="80dd0463e8cf28c0d2c0836408499e03  -"
FDISK_HASH_2G="fdd1d1adb5517785c3e556c9c5966b07  -"

#    /dev/sda1 (boot)   will be 0.5GB
#    /dev/sda2 (misc)   will be   0GB
#    /dev/sda5 (system) will be 1.5GB
#    /dev/sda6 (cache)  will be 1.5GB
#    /dev/sda7 (data)   will be 4.5GB
#
#   Device Boot      Start         End      Blocks  Id System
#/dev/sda1               1        1908      488432  83 Linux
#/dev/sda3            1909       30720     7375872   5 Extended
#/dev/sda5            1909        7631     1465072  83 Linux
#/dev/sda6            7632       13354     1465072  83 Linux
#/dev/sda7           13355       30720     4445680  83 Linux

chkerr()
{
  if [ $? -ne 0 ]; then
    echo "Error!!"
    exit 1
  fi
}

FDISK_HASH_CUR=`fdisk /dev/sda -l | md5sum`
if [ "${FDISK_HASH_CUR}" = "${FDISK_HASH_8G}" ] || [ "`mount | grep "/dev/sda6"`" ]; then

  echo "clean sda1 & sda5"

  umount /dev/sda1  2> /dev/null
  umount /dev/sda5  2> /dev/null

  sleep 2

  mkfs.ext2 /dev/sda1  > /dev/null; chkerr
  mkfs.ext3 /dev/sda5  > /dev/null; chkerr
  exit 0
fi

ech

history/other/RfHid_v0156_2010091601_NL.hex

:020000040000FA
:0600000091EF1FF0120059
:0600080004EF04F01200F9
:060018000CEF04F01200E1
:0608000091EF1FF0120051
:020806000000F0
:0608080030EF0EF01200BB
:02080E001200D6
:060818009EEF0EF012003D
:06082A00D9CFE6FFE1CF8B
:10083000D9FFE652060EAC6E800EAB6E939E938A85
:10084000330EAF6E900EAB6E0001686BDF6A180E50
:10085000DF5C09E2DF50EA6A690FE96E000EEA2206
:10086000EF6ADF2AF4D70001816BDF6A180EDF5CC4
:1008700009E2DF50EA6AE60FE96E020EEA22EF6A49
:10088000DF2AF4D700018A6B8B6B676B616B626B3D
:10089000606B896B828382950001C26B0001956B4E
:1008A00000D0E552E552E7CFD9FF1200000182A146
:1008B00007D00001CC5104E1010EE66E39DBE552B0
:1008C00081AC27D0000182B305D00001C25102E102
:1008D000EFEC0DF00001DA511BE00001C25118E10C
:1008E0000001CB5105E1DAC0E6FF22DBE5520BD077
:1008F0000D0E0001DA5D07E3DA51180804E3DAC0EF
:10090000E6FF16DBE5521C0E0001DA5D01E0DA6B52
:100910000DD081BC0BD00001C25108E1170E0001BF
:10092000DA5D04E1220EE66E03DBE55200D0120030
:10093000D9CFE6FFE1CFD9FFE6520001010E8C6F5F
:10094000AB50DF6E8D6B060EDF1403E0AECF8DF083
:1009500005D0AECF8DF00BD800018C6F8C0501E176
:1009600064DF0
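The .hex file above is Intel HEX, and each record carries its own checksum, which gives a far tighter validity test for a decoded record than "only hex digits, colons and CRLFs" (the kind of extra filter the Obfuscation section asks for). Here is an added Python parser that verifies those checksums; it is not code from this page or from Sony. The records it runs over are the first ones decoded above, with the last one cut off where the known 1095-byte mask ends; the function names are assumptions of this example.

```python
"""Added example (not from the page, not Sony code): parse Intel HEX records
and verify each record's checksum. The records below are copied from the
page's decoded RfHid_v0156_2010091601_NL.hex; the last one is truncated
because the known mask ends there."""

RECORDS_FROM_PAGE = """\
:020000040000FA
:0600000091EF1FF0120059
:0600080004EF04F01200F9
:060018000CEF04F01200E1
:0608000091EF1FF0120051
:020806000000F0
:0608080030EF0EF01200BB
:02080E001200D6
:060818009EEF0EF012003D
:06082A00D9CFE6FFE1CF8B
:10083000D9FFE652060EAC6E800EAB6E939E938A85
:1009600064DF0
"""

RECORD_TYPES = {0: "data", 1: "eof", 2: "ext-seg-addr", 3: "start-seg-addr",
                4: "ext-lin-addr", 5: "start-lin-addr"}


def parse_record(line: str) -> dict:
    """Parse one ':LLAAAATT<data>CC' line; raise ValueError on anything a
    real Intel HEX writer would never emit."""
    line = line.strip()
    if not line.startswith(":"):
        raise ValueError("record must start with ':'")
    body = line[1:]
    if len(body) % 2 or len(body) < 10:
        raise ValueError("odd or too-short hex body (truncated?)")
    try:
        raw = bytes.fromhex(body)
    except ValueError:
        raise ValueError("non-hex character in record")
    length, rtype = raw[0], raw[3]
    addr = int.from_bytes(raw[1:3], "big")
    if len(raw) != 5 + length:
        raise ValueError(f"length byte says {length} data bytes, got {len(raw) - 5}")
    if rtype not in RECORD_TYPES:
        raise ValueError(f"unknown record type {rtype:#x}")
    # every byte of the record, checksum included, must sum to 0 mod 256
    if sum(raw) & 0xFF:
        raise ValueError("bad checksum")
    return {"len": length, "addr": addr, "type": RECORD_TYPES[rtype],
            "data": raw[4:-1], "cksum": raw[-1]}


def check_hex_text(text: str):
    """Return (parsed_records, problems) for a whole decoded .hex file.
    problems holds (line_no, message) so a wrong mask byte is localised."""
    good, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            good.append(parse_record(line))
        except ValueError as e:
            problems.append((n, str(e)))
    return good, problems


def single_nibble_errors_detected(line: str) -> bool:
    """Why this beats a character-class test: change any one hex digit of a
    valid record and it must be rejected, although it is still 'all hex'."""
    base = line.strip()
    for i in range(1, len(base)):
        for c in "0123456789ABCDEF":
            if c == base[i]:
                continue
            try:
                parse_record(base[:i] + c + base[i + 1:])
                return False  # a corrupted record slipped through
            except ValueError:
                pass
    return True


if __name__ == "__main__":
    good, problems = check_hex_text(RECORDS_FROM_PAGE)
    print(f"{len(good)} valid records, {len(problems)} problems: {problems}")
```

Run over the page's records this accepts the first eleven and reports line 12 as truncated; during mask recovery, a candidate mask byte that breaks a record's checksum can be dropped outright, instead of merely being required to yield a hex digit.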

Here's a small script I wrote to apply the mask to any file. First parameter is the mask file, second is the obfuscated file. Result gets printed. Since it's an xor, you can give it the mask file and plaintext file and it will obfuscate it for you if you'd like to go that way.

  #!/usr/bin/perl
  
  use strict;
  use warnings;
  
  use IO::File;
  
  # Usage: xormask.pl MASKFILE FILE > OUTPUT
  # XOR is its own inverse, so FILE may be obfuscated (to decode) or plain (to encode).
  my $file1 = shift;
  die "Missing filename parameter.\n" unless defined $file1;
  die "File '$file1' does not exist.\n" unless ( -f $file1 );
  my $fh1 = IO::File->new("< $file1") or die "Unable to open file '$file1'.\n";
  
  my $file2 = shift;
  die "Missing filename parameter.\n" unless defined $file2;
  die "File '$file2' does not exist.\n" unless ( -f $file2 );
  my $fh2 = IO::File->new("< $file2") or die "Unable to open file '$file2'.\n";
  
  # Treat both inputs and the output as raw bytes (no newline translation).
  binmode($fh1);
  binmode($fh2);
  binmode(STDOUT);
  
  # Walk the mask byte by byte; output stops where the known mask ends.
  while ( defined ( my $c1 = getc($fh1) ) )
  {
      my $c2 = getc($fh2);
      last unless defined $c2;   # stop at the end of the data file rather than emitting mask bytes
      print $c1 ^ $c2;
  }