Decrypt Firmware

The following script processes a SPI dump. It extracts and decrypts the BCT & Bootloader

Decrypt BCT
#!/bin/bash
echo "Extract BCT/Bootloader from mtd0"
dd if=mtd0Original_CTS.bin of=BCT_Block_enc.bin bs=1 count=8192 #extract the BCT block
dd if=mtd0Original_CTS.bin of=Bootloader_Block_enc.bin bs=1 count=520192 skip=1048576 #extract the Bootloader block
dd if=BCT_Block_enc.bin of=BCT_enc.bin bs=1 count=6128 #extract BCT from block
dd if=Bootloader_Block_enc.bin of=Bootloader_enc.bin bs=1 count=517472 #extract Bootloader from block
dd if=BCT_enc.bin of=BCT_trimmed_enc.bin bs=1 skip=16 #extract BCT without hash
dd if=BCT_enc.bin of=BCT_hash.bin bs=1 count=16 #extract BCT hash
echo ""
echo "decrypting Files"
openssl aes-128-cbc -d -K deadbeefdeadc0dedeadd00dfee1dead -iv 00000000000000000000000000000000 -nopad -nosalt -in BCT_enc.bin -out BCT_dec.bin #decrypt BCT
openssl aes-128-cbc -d -K deadbeefdeadc0dedeadd00dfee1dead -iv 00000000000000000000000000000000 -nopad -nosalt -in Bootloader_enc.bin -out Bootloader_dec.bin #decrypt Bootloader
echo ""
echo "Extracted BCT hash"
xxd -ps BCT_hash.bin
echo "Calculated BCT hash"
openssl dgst -mac cmac -macopt cipher:aes-128-cbc -macopt hexkey:deadbeefdeadc0dedeadd00dfee1dead BCT_trimmed_enc.bin #hash of enc-BCT #calc BCT hash
echo ""
echo "Extracted Bootloader hash"
bct_dump BCT_dec.bin | grep AES
echo "Calculated Bootloader hash"
openssl dgst -mac cmac -macopt cipher:aes-128-cbc -macopt hexkey:deadbeefdeadc0dedeadd00dfee1dead Bootloader_enc.bin #hash of enc-Bootloader #calc Bootloader hash
echo ""
echo "remove temp files"
rm BCT_Block_enc.bin
rm BCT_enc.bin
rm BCT_trimmed_enc.bin
rm Bootloader_Block_enc.bin
rm Bootloader_enc.bin