Sony Update Downloads

From Exploitee.rs
Revision as of 22:45, 11 February 2011 by Catrane (talk | contribs) (Pad extended. 134 -> 756. Files extended as well.)

Download Links

Asura 2010.10.21

Eagle 2010.10.21

Eagle 2010.12.15 (Current as of Feb 6, 2011)

Format

The download is a conventional zip file containing a directory structure with a collection of tgz files as well as various others. Most of the contents are obfuscated with a simple XOR mask. A pattern in the mask has yet to be found, but the mask for one file applies byte-for-byte to any other obfuscated file in the zip.

Obfuscation

Here are the first 756 bytes of the Sony obfuscation hash. It's applied as an xor. I haven't put much work into finding a pattern yet. Here's what I do know:

  • It isn't just a static repeating pattern, or if it is then it's longer than 756 bytes before repeat.
  • The mask for any given byte position is the same across all files, so a static mask that works for one file will work for all files.

It could be a large random pad, as someone previously suggested. Or if we're really lucky it could just be a random number sequence accessed via knowing its seed and which rand algorithm it's using. Or it could be an output feedback cipher, which could be a bugger if they used a non-zero key in the encryption.

The approach I used was to find all the obfuscated text files I could, then write a small program to iterate over the hash options for each byte, weed out the ones that yield an invalid result in any of those files, and produce a character-by-character list of the possibilities. This was facilitated by knowing that a shell script is only printable characters and whitespace and the .hex file is only hex characters, colons, and CRLFs. If anybody has strong knowledge of limitations in gzip file content beyond the first 96 bytes, that could be used to further filter the options.
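The per-byte candidate elimination described above, as an added Python example (not the author's program). The names `mask_candidates`, `SHELL_OK` and `HEX_OK`, the demo mask and the sample plaintexts are all assumptions constructed for illustration; none of it is Sony data.

```python
# Allowed plaintext bytes per file type, following the constraints in the text.
SHELL_OK = frozenset(range(0x20, 0x7F)) | frozenset(b"\t\r\n")  # printable + whitespace
HEX_OK = frozenset(b"0123456789ABCDEF:\r\n")                     # Intel HEX text

def xor_mask(data: bytes, mask: bytes) -> bytes:
    """XOR data with the mask, offset by offset (mask must be at least as long)."""
    return bytes(d ^ m for d, m in zip(data, mask))

def mask_candidates(files, length):
    """files: list of (obfuscated_bytes, allowed_plaintext_bytes).
    Returns, per offset, the set of mask bytes that decode every file
    covering that offset to a byte its type allows."""
    result = []
    for pos in range(length):
        cands = set(range(256))
        for cipher, allowed in files:
            if pos < len(cipher):
                cands = {k for k in cands if cipher[pos] ^ k in allowed}
        result.append(cands)
    return result

# Constructed demo data: an arbitrary mask and made-up plaintexts, not Sony's.
DEMO_MASK = bytes((i * 73 + 41) % 256 for i in range(48))
DEMO_FILES = [
    (b"#!/bin/sh\nmount /dev/sda1 /tmp/mnt1\necho done\n", SHELL_OK),
    (b"#!/bin/sh\n\nUMOUNT()\n{\n    umount $1\n}\n", SHELL_OK),
    (b":0400100001020304E2\r\n:00000001FF\r\n", HEX_OK),
]

def demo():
    """Obfuscate the samples, then compare one file against all three."""
    obfuscated = [(xor_mask(p, DEMO_MASK), ok) for p, ok in DEMO_FILES]
    one = mask_candidates(obfuscated[:1], len(DEMO_MASK))
    three = mask_candidates(obfuscated, len(DEMO_MASK))
    return one, three

if __name__ == "__main__":
    one, three = demo()
    for pos in range(len(DEMO_MASK)):
        hit = DEMO_MASK[pos] in three[pos]
        print(f"{pos:3d}  one file: {len(one[pos]):3d}  "
              f"all files: {len(three[pos]):3d}  true byte kept: {hit}")
```

Offsets covered only by shell scripts keep 98 candidates each, while a single file with a narrow alphabet (the .hex file) cuts that to 19 or fewer, which is why mixing file types narrows the mask faster than adding more files of the same type.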

Here are the decoded sections of the obfuscated text files I could find. These are the same in all three versions of the Sony update that I have.

history/board_conf.sh

  #!/bin/sh
  
  chkerr()
  {
    ret=$?
    if [ $ret -ne 0 ]; then
      echo "Error!!!"
      exit 1
    fi
  }
   
  # arguments
  #PRODUCT_TYPE=$1  # asura, eagle, *
  #TRIAL_LEVEL=$2   # evt2, dvt, pvt, pp, mp
  #PANELID=$3       # MONI-Z, M236H1-L01, LTY(Z)320HM02, LTY(Z)400HM02, LTY(Z)460HM02,
  #                 # T315HW07 V0, LTY(Z)400HM03, LTY(Z)460HM03, unknown
  
  # for old installer support (evt only)
  [ ${PRODUCT_TYPE} ]             || PRODUCT_TYPE=$1
  [ ${PANELID} ]                  || PANELID="MONI-Z"
  [ ${TRIAL_LEVEL} ]              || TRIAL_LEVEL="pvt"
  [ ${PRODUCT_TYPE} = "asura_p" ] && PANELID="PANEL"
     mount /dev/sda1 /tmp/mnt1 ; chkerr
  
  printf "product_type = $PRODUCT_TYPE\ntrial_level = $TRIAL_LEVEL\nmodelid = $MODELID\npanelid = $PANELID\n" > /tmp/mnt1/etc/board


history/NBL/batch_sync-vfat.sh (entire file)

  #!/bin/sh
  
  unset -f MOUNT
  
  MOUNT()
  {
      mount | grep "$2" > /dev/null && return 0
  
      if [ "$1" = "/dev/Glob_Spectraa2" ]
      then
          mount -t vfat -o rw,batch_sync,noatime $1 $2 $3 $4
      else
          mount $1 $2 $3 $4
      fi
  }


history/other/check_spectra1_20100929.sh

  #!/bin/sh
  
  #----------------------------------
  # unmount /tmp/mntx
  UMOUNT()
  {
      mount | grep $1 > /dev/null || return 0
  
      umount $1 2> /dev/null
      mount | grep $1 > /dev/null || return 0 ; sleep 1
  
      umount $1 2> /dev/null
      mount | grep $1 > /dev/null || return 0 ; sleep 1
  
      umount $1 2> /dev/null
      mount | grep $1 > /dev/null || return 0 ; sleep 1
  
      umount $1 2> /dev/null
      mount | grep $1 > /dev/null || return 0 ; sleep 1
  
      umount $1 2> /dev/null
      mount | grep $1 > /dev/null || return 0 ; sleep 1
       
      echo Error!!
      exit ${ERROR_CODE}
  }
  #----------------------------------
  # mount /dev/sdax /tmp/mntx
  MOUNT()
  {
      mount | grep "$2" > /dev/null && return 0
  
      mount $1 $2 $3 $4
  }
  
  #----------------------------------


history/other/factory_reset_conditional_keepremote_20101012.sh

  #!/bin/sh
  # last modified 2010/10/12
  #
  # conditional factory-reset for asura / eagle on updating.
  # keep remote pairing
  #   
  # assuming to be placed before history/other/format_sda_xxx.sh in
  # package_list_xxx.txt files.
  #
  # applies factory-reset effect only when CURRENT_DATE which is exported
  # by package_update.sh is the same as or older than BOUNDARY_DATE which
  # is defined below.
  # CURRENT_DATE reflects the value of ro.build.date.utc in the file
  # /system/build.prop on the target.
  # the factory-reset itself in this script is the same as one in the
  # history/other/factory_reset_20100803.sh which is packaged in the
  # GM softoware.
   
  BOUNDARY_DATE=1283319577
  # 1283319577 autobuild_trunk-r8602_trunk-r938_asura (20100901.143920)
  # above is the latest p

history/other/format_sda_20100514.sh

  #!/bin/sh
  
  FDISK_HASH_8G="80dd0463e8cf28c0d2c0836408499e03  -"
  FDISK_HASH_2G="fdd1d1adb5517785c3e556c9c5966b07  -"
  
  #    /dev/sda1 (boot)   will be 0.5GB
  #    /dev/sda2 (misc)   will be   0GB
  #    /dev/sda5 (system) will be 1.5GB
  #    /dev/sda6 (cache)  will be 1.5GB
  #    /dev/sda7 (data)   will be 4.5GB
  # 
  #   Device Boot      Start         End      Blocks  Id System
  #/dev/sda1               1        1908      488432  83 Linux
  #/dev/sda3            1909       30720     7375872   5 Extended
  #/dev/sda5            1909        7631     1465072  83 Linux
  #/dev/sda6            7632       13354     1465072  83 Linux
  #/dev/sda7           13355       30720     4445680  83 Linux
  
  chkerr()           
  {
    if [ $? -ne 0 ]; then
      echo "Error!!"
      exit 1
    fi
  }
  
  FDISK


history/other/RfHid_v0156_2010091601_NL.hex



Here's a small script I wrote to apply the mask to any file. First parameter is the mask file, second is the obfuscated file. Result gets printed. Since it's an xor, you can give it the mask file and plaintext file and it will obfuscate it for you if you'd like to go that way.

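  #!/usr/bin/perl
  
  use strict;
  use warnings;
  
  use IO::File;
  
  # First argument: the mask file.
  my $file1 = shift;
  die "Missing filename parameter.\n" unless defined $file1;
  die "File '$file1' does not exist.\n" unless ( -f $file1 );
  my $fh1 = IO::File->new($file1, "r") or die "Unable to open file '$file1'.\n";
  
  # Second argument: the obfuscated (or plaintext) file.
  my $file2 = shift;
  die "Missing filename parameter.\n" unless defined $file2;
  die "File '$file2' does not exist.\n" unless ( -f $file2 );
  my $fh2 = IO::File->new($file2, "r") or die "Unable to open file '$file2'.\n";
  
  # Both inputs and the output are binary data, so disable any translation.
  binmode($fh1);
  binmode($fh2);
  binmode(STDOUT);
  
  # XOR the two files byte by byte until either one runs out.
  while ( defined ( my $c1 = getc($fh1) ) )
  {
          my $c2 = getc($fh2);
          last unless defined $c2;    # end of the second file: nothing left to process
          my $o = $c1 ^ $c2;
          print $o;
  }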