freemyipod r523 - Code Review

Repository:	freemyipod
Revision:	< r522‎ \| r523 \| r524 >
Date:	01:34, 6 February 2011
Author:	theseven
Status:	new
Tags:
Comment:	libipodcrypto.py: Adapt to emCORE
Modified paths:	/emcore/trunk/tools/libipodcrypto.py (modified) (history)

Diff [purge]

Index: emcore/trunk/tools/libipodcrypto.py
—	—	@@ -34,20 +34,27 @@
35	35
36	36	def s5l8701cryptdfu(data):
37	37	data = data.ljust((len(data) + 0x3f) & ~0x3f, "\0")
38		~~- header = "87011.0\0\0\x08\0\0" + struct.pack("<I", len(data))~~
	38	+ header = "87011.0\0\0\0x8\0\0" + struct.pack("<I", len(data))
39	39	emcore = libemcore.Emcore()
40		~~- emcore.write(0x08000000, header.ljust(0x800, "\0") + data)~~
41		~~- emcore.hmac_sha1(0x08000800, len(data), 0x08000010)~~
42		~~- emcore.hmac_sha1(0x08000000, 0x40, 0x08000040)~~
43		~~- emcore.aesencrypt(0x08000000, len(data) + 0x800, 1)~~
44		~~- return emcore.read(0x08000000, len(data) + 0x800)~~
	40	+ addr = emcore.memalign(0x10, len(data) + 0x800)
	41	+ emcore.write(addr, header.ljust(0x800, "\0") + data)
	42	+ emcore.hmac_sha1(addr + 0x800, len(data), addr + 0x10)
	43	+ emcore.hmac_sha1(addr, 0x40, addr + 0x40)
	44	+ emcore.aesencrypt(addr, len(data) + 0x800, 1)
	45	+ data = emcore.read(addr, len(data) + 0x800)
	46	+ emcore.free(addr)
	47	+ return data
45	48
46	49
47	50	def s5l8701decryptdfu(data):
	51	+ headersize = struct.unpack("<I", data[8:12])[0]
48	52	emcore = libemcore.Emcore()
49		~~- emcore.write(0x08000000, data)~~
50		~~- emcore.aesdecrypt(0x08000000, len(data), 1)~~
51		~~- return emcore.read(0x08000800, len(data) - 0x800)~~
	53	+ addr = emcore.memalign(0x10, len(data))
	54	+ emcore.write(addr, data)
	55	+ emcore.aesdecrypt(addr, len(data), 1)
	56	+ data = emcore.read(addr + headersize, len(data) - headersize)
	57	+ emcore.free(addr)
	58	+ return data
52	59
53	60
54	61	def s5l8701cryptfirmware(data):
—	—	@@ -54,18 +61,24 @@
55	62	data = data.ljust((len(data) + 0x3f) & ~0x3f, "\0")
56	63	header = "\0\0\0\0\x02\0\0\0\x01\0\0\0\x40\0\0\0\0\0\0\0" + struct.pack("<I", len(data))
57	64	emcore = libemcore.Emcore()
58		~~- emcore.write(0x08000000, header.ljust(0x800, "\0") + data)~~
59		~~- emcore.hmac_sha1(0x08000800, len(data), 0x0800001c)~~
60		~~- emcore.hmac_sha1(0x08000000, 0x200, 0x080001d4)~~
61		~~- emcore.aesencrypt(0x08000800, len(data), 1)~~
62		~~- return emcore.read(0x08000000, len(data) + 0x800)~~
	65	+ addr = emcore.memalign(0x10, len(data) + 0x800)
	66	+ emcore.write(addr, header.ljust(0x800, "\0") + data)
	67	+ emcore.hmac_sha1(addr + 0x800, len(data), addr + 0x1c)
	68	+ emcore.hmac_sha1(addr, 0x200, addr + 0x1d4)
	69	+ emcore.aesencrypt(addr + 0x800, len(data), 1)
	70	+ data = emcore.read(addr, len(data) + 0x800)
	71	+ emcore.free(addr)
	72	+ return data
63	73
64	74
65	75	def s5l8701decryptfirmware(data):
66	76	emcore = libemcore.Emcore()
67		~~- emcore.write(0x08000000, data)~~
68		~~- emcore.aesdecrypt(0x08000800, len(data) - 0x800, 1)~~
69		~~- return emcore.read(0x08000800, len(data) - 0x800)~~
	77	+ addr = emcore.memalign(0x10, len(data))
	78	+ emcore.write(addr, data)
	79	+ emcore.aesdecrypt(addr + 0x800, len(data) - 0x800, 1)
	80	+ data = emcore.read(addr + 0x800, len(data) - 0x800)
	81	+ emcore.free(addr)
	82	+ return data
70	83
71	84
72	85	def s5l8702cryptnor(data):
—	—	@@ -72,19 +85,25 @@
73	86	data = data.ljust((len(data) + 0xf) & ~0xf, "\0")
74	87	header = "87021.0\x01\0\0\0\0" + struct.pack("<I", len(data)) + hashlib.sha1(data).digest()[:0x10]
75	88	emcore = libemcore.Emcore()
76		~~- emcore.write(0x08000000, header.ljust(0x800, "\0") + data)~~
77		~~- emcore.aesencrypt(0x08000800, len(data), 2)~~
78		~~- emcore.aesencrypt(0x08000010, 0x10, 2)~~
79		~~- emcore.write(0x08000040, hashlib.sha1(emcore.read(0x08000000, 0x40)).digest()[:0x10])~~
80		~~- emcore.aesencrypt(0x08000040, 0x10, 2)~~
81		~~- return emcore.read(0x08000000, len(data) + 0x800)~~
	89	+ addr = emcore.memalign(0x10, len(data))
	90	+ emcore.write(addr, header.ljust(0x800, "\0") + data)
	91	+ emcore.aesencrypt(addr + 0x800, len(data), 2)
	92	+ emcore.aesencrypt(addr + 0x10, 0x10, 2)
	93	+ emcore.write(addr + 0x40, hashlib.sha1(emcore.read(addr, 0x40)).digest()[:0x10])
	94	+ emcore.aesencrypt(addr + 0x40, 0x10, 2)
	95	+ data = emcore.read(addr, len(data) + 0x800)
	96	+ emcore.free(addr)
	97	+ return data
82	98
83	99
84	100	def s5l8702decryptnor(data):
85	101	emcore = libemcore.Emcore()
86		~~- emcore.write(0x08000000, data[0x800:])~~
87		~~- emcore.aesdecrypt(0x08000000, len(data) - 0x800, 1)~~
88		~~- return emcore.read(0x08000000, len(data) - 0x800)~~
	102	+ addr = emcore.memalign(0x10, len(data))
	103	+ emcore.write(addr, data[0x800:])
	104	+ emcore.aesdecrypt(addr, len(data) - 0x800, 1)
	105	+ data = emcore.read(addr, len(data) - 0x800)
	106	+ emcore.free(addr)
	107	+ return data
89	108
90	109
91	110	def s5l8702genpwnage(data):
—	—	@@ -92,9 +111,12 @@
93	112	data = data.ljust(max(0x840, (len(data) + 0xf) & ~0xf), "\0")
94	113	header = ("87021.0\x03\0\0\0\0" + struct.pack("<IIII", len(data) - 0x830, len(data) - 0x4f6, len(data) - 0x7b0, 0x2ba)).ljust(0x40, "\0")
95	114	emcore = libemcore.Emcore()
96		~~- emcore.write(0x08000000, header + hashlib.sha1(header).digest()[:0x10])~~
97		~~- emcore.aesencrypt(0x08000040, 0x10, 1)~~
98		~~- return emcore.read(0x08000000, 0x50) + data + cert.ljust((len(cert) + 0xf) & ~0xf, "\0")~~
	115	+ addr = emcore.memalign(0x10, len(data))
	116	+ emcore.write(addr, header + hashlib.sha1(header).digest()[:0x10])
	117	+ emcore.aesencrypt(addr + 0x40, 0x10, 1)
	118	+ data = emcore.read(addr, 0x50) + data + cert.ljust((len(cert) + 0xf) & ~0xf, "\0")
	119	+ emcore.free(addr)
	120	+ return data
99	121
100	122
101	123	def s5l8701cryptdfufile(infile, outfile):

freemyipod r523 - Code Review

Diff [purge]

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Info

Reverse engineering Results

Exploiting

Other Guides

Tools