Open Surface RT

Encrypt Firmware

#!/bin/bash
echo "Build FlashImage from BCT/Bootloader"

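# Change these 3 variables
BCT="<yourBCT>"                 # path to the BCT file
Bootloader="<yourBootloader>"   # path to the bootloader file
key="<yourKey>"                 # AES-128 key as 32 hex digits (passed to openssl -K)



cp "$BCT" tmp_bct.bin
cp "$Bootloader" tmp_bootloader.bin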
###############################################################################
########### BOOTLOADER ########################################################
###############################################################################

# pad bootloader with zero bytes to a multiple of 16 bytes (AES block size; openssl runs with -nopad)
bootloaderLength=$(stat --printf="%s" tmp_bootloader.bin)
while [ $((bootloaderLength%16)) -ne 0 ]; do
	echo -n -e \\x00 >> tmp_bootloader.bin
	bootloaderLength=$(stat --printf="%s" tmp_bootloader.bin)
done

# encrypt bootloader (AES-128-CBC, all-zero IV, no padding)
echo "test"
openssl aes-128-cbc -e -K "$key" -iv 00000000000000000000000000000000 -nopad -nosalt -in tmp_bootloader.bin -out tmp_bootloader_enc.bin
echo "test"

# calc bootloader hash (AES-CMAC) of the encrypted bootloader
bootloaderHash=$(openssl dgst -mac cmac -macopt cipher:aes-128-cbc -macopt hexkey:"$key" tmp_bootloader_enc.bin | cut -d' ' -f2)
# get length of encrypted bootloader
bootloaderLength=$(stat --printf="%s" tmp_bootloader_enc.bin)
# set bootloader load address
bootloaderLoadAddress=0x80108000
# set bootloader entry point
bootloaderEntryPoint=0x80108000 

# Swap endianness of Length, LoadAddress, EntryPoint (the BCT stores them little-endian)
v=$(printf "%08x" $bootloaderLength)
bootloaderLength=${v:6:2}${v:4:2}${v:2:2}${v:0:2}
v=$(printf "%08x" $bootloaderLoadAddress)
bootloaderLoadAddress=${v:6:2}${v:4:2}${v:2:2}${v:0:2}
v=$(printf "%08x" $bootloaderEntryPoint)
bootloaderEntryPoint=${v:6:2}${v:4:2}${v:2:2}${v:0:2}

# add bootloader data to BCT
echo $bootloaderLoadAddress 	| xxd -r -p | dd conv=notrunc of=tmp_bct.bin seek=3940 bs=1
echo $bootloaderEntryPoint	| xxd -r -p | dd conv=notrunc of=tmp_bct.bin seek=3944 bs=1
echo $bootloaderHash		| xxd -r -p | dd conv=notrunc of=tmp_bct.bin seek=3952 bs=1
echo $bootloaderLength 	| xxd -r -p | dd conv=notrunc of=tmp_bct.bin seek=3936 bs=1

#create bootloader block
dd if=/dev/zero of=tmp_bootloader_block.bin bs=1 count=520192
#put bootloader in block
dd conv=notrunc if=tmp_bootloader_enc.bin of=tmp_bootloader_block.bin bs=1


###############################################################################
########### BCT ###############################################################
###############################################################################
# remove HASH (first 16 bytes) from BCT
dd if=tmp_bct.bin of=tmp_bct_trimmed.bin bs=1 skip=16

# encrypt BCT (AES-128-CBC, all-zero IV, no padding)
openssl aes-128-cbc -e -K "$key" -iv 00000000000000000000000000000000 -nopad -nosalt -in tmp_bct_trimmed.bin -out tmp_bct_trimmed_enc.bin

# hash (AES-CMAC) encrypted BCT
BCT_hash=$(openssl dgst -mac cmac -macopt cipher:aes-128-cbc -macopt hexkey:"$key" tmp_bct_trimmed_enc.bin | cut -d' ' -f2)

#create BCT_block image
dd if=/dev/zero of=tmp_bct_block.bin bs=1 count=8192  
#put hash in Image
echo $BCT_hash 		| xxd -r -p | dd conv=notrunc of=tmp_bct_block.bin seek=0 bs=1
#put BCT in Image
dd conv=notrunc if=tmp_bct_trimmed_enc.bin of=tmp_bct_block.bin seek=16 bs=1



###############################################################################
########### Flash Image #######################################################
###############################################################################
# create SPI flash image filled with ones (0xFF) or zeros
# 0xFF-filled image: use this to prove that a dumped image is the same as the generated one
dd if=/dev/zero bs=512 count=8192 |   tr '\000' '\377' > flashImage.bin
# zero-filled image: use this line instead for flashing
#dd if=/dev/zero of=flashImage.bin bs=512 count=8192

#put BCT_Block in image
dd conv=notrunc if=tmp_bct_block.bin of=flashImage.bin seek=0 bs=1

#put Bootloader_block in image
dd conv=notrunc if=tmp_bootloader_block.bin of=flashImage.bin seek=1048576 bs=1



###############################################################################
########### Remove Tmp files ##################################################
###############################################################################
rm tmp_*.bin
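
The flash image step above builds a 0xFF-filled variant so that a dumped image can be compared with the generated one. The following is an added example, not part of the original page, that does this comparison per region using the offsets and sizes from the script, and also decodes the little-endian fields the script patches into the BCT before encryption; the region names and function names are made up for this example.

```python
import struct
import sys

IMAGE_SIZE = 512 * 8192   # dd bs=512 count=8192 in the script
BCT_BLOCK = 8192          # size of tmp_bct_block.bin
BL_OFFSET = 1048576       # seek= used for the bootloader block
BL_BLOCK = 520192         # size of tmp_bootloader_block.bin

# (name, start, end) in the order the script lays the image out
REGIONS = [
    ("bct_cmac", 0, 16),
    ("bct_encrypted", 16, BCT_BLOCK),
    ("filler_1", BCT_BLOCK, BL_OFFSET),
    ("bootloader_block", BL_OFFSET, BL_OFFSET + BL_BLOCK),
    ("filler_2", BL_OFFSET + BL_BLOCK, IMAGE_SIZE),
]

def compare_images(generated: bytes, dumped: bytes):
    """Return [(region, first_differing_offset)] for every region that differs."""
    if len(generated) != IMAGE_SIZE or len(dumped) != IMAGE_SIZE:
        raise ValueError("both images must be exactly %d bytes" % IMAGE_SIZE)
    diffs = []
    for name, start, end in REGIONS:
        a, b = generated[start:end], dumped[start:end]
        if a != b:
            first = next(i for i in range(len(a)) if a[i] != b[i])
            diffs.append((name, start + first))
    return diffs

def read_bootloader_fields(bct_plain: bytes):
    """Decode the fields the script writes into tmp_bct.bin before encrypting it."""
    # 3936: length, 3940: load address, 3944: entry point, 3952: 16-byte CMAC
    length, load, entry = struct.unpack_from("<III", bct_plain, 3936)
    return {"length": length, "load_address": load, "entry_point": entry,
            "cmac": bct_plain[3952:3968].hex()}

if __name__ == "__main__":  # usage: compare.py flashImage.bin dump.bin
    gen, dump = (open(p, "rb").read() for p in sys.argv[1:3])
    for name, offset in compare_images(gen, dump):
        print(f"{name}: first difference at 0x{offset:06x}")
```

A difference confined to `bct_cmac` or `bct_encrypted` points at the BCT or the key, while one in `bootloader_block` points at the bootloader input or its padding.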

Last updated 3 years ago