Decrypt Firmware

The following script processes an SPI flash dump: it extracts and decrypts the BCT and the bootloader.

Decrypt BCT
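#!/bin/bash
# Extract the BCT and the bootloader from an SPI flash dump, decrypt both
# with AES-128-CBC, and print the stored vs. recomputed AES-CMAC tags so
# the dump's integrity can be checked by hand.
#
# Usage:  script.sh [SPI_DUMP]
#   SPI_DUMP   raw flash image to process (default: mtd0Original_CTS.bin)
# Env:
#   FW_KEY     AES-128 key as 32 hex characters; defaults to the key that
#              the original script carried inline.
#
# Files left in the working directory: BCT_dec.bin, Bootloader_dec.bin and
# BCT_hash.bin.  Intermediate *_enc.bin files are removed on every exit path.
set -euo pipefail

# Flash layout: byte offsets and lengths exactly as in the original dd calls.
readonly BCT_BLOCK_LEN=8192
readonly BCT_LEN=6128
readonly BCT_MAC_LEN=16          # the stored tag occupies the first 16 bytes of the BCT
readonly BL_BLOCK_OFFSET=1048576
readonly BL_BLOCK_LEN=520192
readonly BL_LEN=517472

readonly SPI_DUMP=${1:-mtd0Original_CTS.bin}
readonly KEY=${FW_KEY:-deadbeefdeadc0dedeadd00dfee1dead}
readonly IV=00000000000000000000000000000000   # zero IV, as the original used

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Remove intermediate files. Runs from the EXIT trap so a failure midway
# does not leave encrypted carve-outs behind. Decrypted outputs and
# BCT_hash.bin are deliberately kept.
#######################################
cleanup() {
  rm -f -- BCT_Block_enc.bin BCT_enc.bin BCT_trimmed_enc.bin \
    Bootloader_Block_enc.bin Bootloader_enc.bin
}

#######################################
# Copy a byte range out of a file.
# Arguments: $1 source, $2 destination, $3 bytes to skip, $4 byte count
#            (omit $4 to copy up to end of file)
#######################################
carve() {
  local src=$1 dst=$2 skip=$3 count=${4:-}
  local -a args=(if="$src" of="$dst" bs=1 skip="$skip")
  if [[ -n "$count" ]]; then
    args+=(count="$count")
  fi
  dd "${args[@]}" || die "failed to extract $dst from $src"
}

#######################################
# Decrypt $1 into $2 with AES-128-CBC, no padding, zero IV.
#######################################
decrypt() {
  openssl aes-128-cbc -d -K "$KEY" -iv "$IV" -nopad -nosalt -in "$1" -out "$2" \
    || die "decryption of $1 failed"
}

#######################################
# Print the AES-128 CMAC of $1 as lowercase hex (tag only, no label).
# openssl dgst prints "CMAC(file)= <hex>"; the last field is the tag.
#######################################
cmac_hex() {
  local out
  out=$(openssl dgst -mac cmac -macopt cipher:aes-128-cbc -macopt "hexkey:$KEY" "$1") \
    || die "CMAC computation over $1 failed"
  printf '%s\n' "${out##* }"
}

main() {
  local tool
  for tool in dd openssl xxd; do
    command -v "$tool" >/dev/null || die "required tool not found: $tool"
  done
  [[ -r "$SPI_DUMP" ]] || die "cannot read SPI dump: $SPI_DUMP"
  [[ "$KEY" =~ ^[0-9a-fA-F]{32}$ ]] || die "FW_KEY must be exactly 32 hex characters"
  trap cleanup EXIT

  printf 'Extract BCT/Bootloader from SPI flash\n'
  carve "$SPI_DUMP" BCT_Block_enc.bin 0 "$BCT_BLOCK_LEN"                      # BCT block
  carve "$SPI_DUMP" Bootloader_Block_enc.bin "$BL_BLOCK_OFFSET" "$BL_BLOCK_LEN" # bootloader block
  carve BCT_Block_enc.bin BCT_enc.bin 0 "$BCT_LEN"                             # BCT from block
  carve Bootloader_Block_enc.bin Bootloader_enc.bin 0 "$BL_LEN"                # bootloader from block
  carve BCT_enc.bin BCT_trimmed_enc.bin "$BCT_MAC_LEN"                         # BCT without stored tag
  carve BCT_enc.bin BCT_hash.bin 0 "$BCT_MAC_LEN"                              # stored tag

  printf '\ndecrypting Files\n'
  decrypt BCT_enc.bin BCT_dec.bin
  decrypt Bootloader_enc.bin Bootloader_dec.bin

  # The tag is computed over the still-encrypted, tag-stripped BCT.
  local stored calc
  stored=$(xxd -ps BCT_hash.bin | tr -d '\n')
  calc=$(cmac_hex BCT_trimmed_enc.bin)
  printf '\nExtracted BCT hash\n%s\nCalculated BCT hash\n%s\n' "$stored" "$calc"
  if [[ "${stored,,}" == "${calc,,}" ]]; then
    printf 'BCT CMAC: match\n'
  else
    printf 'BCT CMAC: MISMATCH (wrong key, wrong offsets, or a modified dump)\n' >&2
  fi

  printf '\nExtracted Bootloader hash\n'
  if command -v bct_dump >/dev/null; then
    # grep exits 1 on no match; report that instead of aborting under set -e.
    bct_dump BCT_dec.bin | grep AES || printf '(no AES line in bct_dump output)\n'
  else
    printf '(bct_dump not installed; skipping stored bootloader hash)\n' >&2
  fi
  printf 'Calculated Bootloader hash\n'
  cmac_hex Bootloader_enc.bin

  printf '\nremove temp files\n'   # actual removal happens in the EXIT trap
}

main "$@"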
