pfl_upg: change key detection ope, add some sony keys, add extraction of nested UPG

This commit is contained in:
theubusu
2026-05-05 19:27:51 +02:00
parent 196662d218
commit f4345b75f1
4 changed files with 111 additions and 95 deletions
+4 -2
View File
@@ -152,9 +152,11 @@ Tip: if you have split ROM (.ROM-00 and .ROM-01), extract both into the same fol
※ Support `dump_dec_hdrs` option
## Philips UPG (Autorun.upg, 2SWU3TXV)
**Used in:** Philips pre-TPVision TVs 200?-2013
**Used in:** Philips pre-TPVision TVs 200?-2013 and some Sony TVs
**Notes:** **Depends on keys** - see keys.rs
**Thanks to:** https://github.com/frederic/pflupg-tool
**Thanks to:** https://github.com/frederic/pflupg-tool
**Options:**
`pfl_upg:no_extract_inner_upg` - Do not automatically extract inner UPGs. (Warning: this can cause file collisions sometimes!)
## Philips BDP
**Used in:** Philips MediaTek-based Blu-ray players/Home theatre systems
+37 -22
View File
@@ -2,29 +2,44 @@ use crate::utils::common;
use binrw::BinRead;
use aes::Aes256;
use ecb::{Decryptor, cipher::{BlockDecryptMut, KeyInit, generic_array::GenericArray}};
use crate::keys;
use rsa::{RsaPublicKey, BigUint};
pub fn try_find_key(sig: &[u8], ciphertext: &[u8]) -> Result<Option<(String, [u8; 32])>, Box<dyn std::error::Error>> {
let mut result: Option<(String, [u8; 32])> = None;
for (name, n_hex) in keys::PFLUPG {
let n = BigUint::from_bytes_be(&hex::decode(n_hex)?);
let e = BigUint::from_bytes_be(&hex::decode("010001")?);
let pubkey = RsaPublicKey::new(n, e)?;
let sig_int = BigUint::from_bytes_le(&sig);
let dec_int = rsa::hazmat::rsa_encrypt(&pubkey, &sig_int)?;
let dec_sig = dec_int.to_bytes_le();
let aes_key = &dec_sig[20..52];
let dec_ciphertext = decrypt_aes256_ecb(aes_key.try_into().unwrap(), &ciphertext)?;
//needs to start with null-termninated filename string
let end = match dec_ciphertext.iter().position(|&b| b == 0) {
Some(pos) => pos,
None => continue, //there is no 0, continue
};
let fname = &dec_ciphertext[..end];
if fname.is_ascii() { //is ascii filename
result = Some((name.to_string(), aes_key.try_into().unwrap()));
break
}
}
Ok(result)
}
pub static AUTO_FWS: &[(&str, &str)] = &[
("Q5551", "q5551"),
("Q5553", "q5551"),
("Q554E", "q5551"),
("Q554M", "q5551"),
("QF1EU", "qf1eu"),
("QF2EU", "qf1eu"),
("Q591E", "q591e"),
("Q522E", "q522e"),
("Q582E", "q522e"),
("Q5481", "q5481"),
("Q5431", "q5431"),
("Q5492", "q5492"),
("S5551", "q5551"), //Sharp
];
type Aes256EcbDec = Decryptor<Aes256>;
pub fn decrypt_aes256_ecb(key: &[u8], ciphertext: &[u8]) -> Result<Vec<u8>, Box<dyn std::error::Error>> {
let key_array: [u8; 32] = key.try_into()?;
let mut decryptor = Aes256EcbDec::new(&key_array.into());
pub fn decrypt_aes256_ecb(key: [u8; 32], ciphertext: &[u8]) -> Result<Vec<u8>, Box<dyn std::error::Error>> {
let mut decryptor = Aes256EcbDec::new(&key.into());
let mut buffer = ciphertext.to_vec();
for chunk in buffer.chunks_exact_mut(16) {
@@ -38,7 +53,7 @@ pub fn decrypt_aes256_ecb(key: &[u8], ciphertext: &[u8]) -> Result<Vec<u8>, Box<
#[derive(BinRead)]
pub struct Header {
_magic_bytes: [u8; 8],
pub header_size: u32,
pub header_size: u32, //data start
pub data_size: u32,
_crc32: u32,
pub mask: u32,
@@ -73,7 +88,7 @@ impl FileHeader {
pub fn has_extended_name(&self) -> bool {
(self.attributes[2] & (1 << 7)) != 0
}
pub fn _is_package(&self) -> bool {
(self.attributes[3] & (1 << 1)) != 0
pub fn is_package(&self) -> bool {
(self.attributes[3] & (1 << 2)) != 0
}
}
+56 -63
View File
@@ -1,16 +1,13 @@
mod include;
use std::any::Any;
use crate::AppContext;
use crate::{AppContext, InputTarget};
use rsa::{RsaPublicKey, BigUint};
use hex::decode;
use std::path::Path;
use std::io::{Read, Cursor, Write};
use std::fs::{self, OpenOptions};
use std::io::{Cursor, Write};
use std::fs::{self, File, OpenOptions};
use binrw::BinReaderExt;
use crate::utils::common;
use crate::keys;
use include::*;
pub fn is_pfl_upg_file(app_ctx: &AppContext) -> Result<Option<Box<dyn Any>>, Box<dyn std::error::Error>> {
@@ -31,66 +28,42 @@ pub fn extract_pfl_upg(app_ctx: &AppContext, _ctx: Box<dyn Any>) -> Result<(), B
let signature = common::read_exact(&mut file, 128)?;
let _ = common::read_exact(&mut file, 32)?; //unknown
let version_bytes = common::read_exact(&mut file, header.header_size as usize - 704)?;
let version_bytes = common::read_exact(&mut file, header.header_size as usize - 704)?; //704 is base header size
let version = common::string_from_bytes(&version_bytes);
println!("\nVersion: {}", version);
println!("Description: \n{}", header.description());
if header.description() != "" { //look ugly when empty
println!("--- Description --- \n{}", header.description());
println!("-------------------");
}
println!("Data size: {}", header.data_size);
let mut decrypted_data;
let mut data;
if header.is_encrypted() {
println!("File is encrypted.");
let mut key = None;
let mut n_hex = None;
//find key
for (firmware, value) in AUTO_FWS {
if version.starts_with(firmware) {
key = Some(value);
break;
}
}
if key.is_none() {
return Err("This firmware is not supported!".into());
println!("\nFile is encrypted.");
//get some data as test ciphertext for key finding
let ciphertext = common::read_file(&mut file, header.header_size as u64, 64)?;
let aes_key;
if let Some((key_name, key)) = try_find_key(&signature, &ciphertext)? {
println!("Matched pubkey: {}, AES key: {}", key_name, hex::encode(key));
aes_key = key;
} else {
return Err("Matching key not found, cannot decrypt data".into());
}
//get key
for (prefix, value) in keys::PFLUPG {
if key == Some(prefix) {
n_hex = Some(value);
break;
}
}
let e_hex = "010001";
let n = BigUint::from_bytes_be(&decode(n_hex.unwrap())?);
let e = BigUint::from_bytes_be(&decode(e_hex)?);
let pubkey = RsaPublicKey::new(n, e)?;
let signature_int = BigUint::from_bytes_le(&signature);
let decrypted_int = rsa::hazmat::rsa_encrypt(&pubkey, &signature_int)?;
let decrypted = decrypted_int.to_bytes_le();
let aes_key = &decrypted[20..52];
println!("AES key: {}\n", hex::encode(aes_key));
//for encrypted data we need to read file to end
let mut encrypted_data = Vec::new();
file.read_to_end(&mut encrypted_data)?;
//need to align to 16 bytes for AES blocksize
let encrypted_data = common::read_exact(&mut file, (header.data_size as usize + 0xf) & !0xf)?;
println!("Decrypting data...");
decrypted_data = decrypt_aes256_ecb(aes_key, &encrypted_data)?;
decrypted_data.truncate(header.data_size as usize);
data = decrypt_aes256_ecb(aes_key, &encrypted_data)?;
data.truncate(header.data_size as usize); //discard padding
} else {
println!("File is not encrypted.");
decrypted_data = common::read_exact(&mut file, header.data_size as usize)?;
data = common::read_exact(&mut file, header.data_size as usize)?;
}
let mut data_reader = Cursor::new(decrypted_data);
let mut data_reader = Cursor::new(data);
while (data_reader.position() as usize) < data_reader.get_ref().len() {
let file_header: FileHeader = data_reader.read_le()?;
@@ -104,7 +77,6 @@ pub fn extract_pfl_upg(app_ctx: &AppContext, _ctx: Box<dyn Any>) -> Result<(), B
let file_name = if file_header.has_extended_name() {
let ex_name_size = file_header.header_size - 76; //76 is base file header size
//println!("extended name {}, org name: {}", ex_name_size, file_header.file_name());
let ex_name_bytes = common::read_exact(&mut data_reader, ex_name_size as usize)?;
common::string_from_bytes(&ex_name_bytes)
} else {
@@ -115,23 +87,44 @@ pub fn extract_pfl_upg(app_ctx: &AppContext, _ctx: Box<dyn Any>) -> Result<(), B
let data = common::read_exact(&mut data_reader, file_header.stored_size as usize)?;
let output_path = Path::new(&app_ctx.output_dir).join(file_name.trim_start_matches('/'));
let output_path_parent = output_path.parent().expect("Failed to get parent of the output path!");
//prevent collisions
if output_path_parent.exists() && output_path_parent.is_file() {
println!("[!] Warning: File collision detected, Skipping this file!");
continue
}
fs::create_dir_all(&app_ctx.output_dir)?;
if let Some(parent) = output_path.parent() {
fs::create_dir_all(parent)?;
}
fs::create_dir_all(&app_ctx.output_dir)?;
//pfl upg inside pfl upg! DUMB code!
if file_header.is_package() && !app_ctx.has_option("pfl_upg:no_extract_inner_upg"){
println!("- Extracting inner UPG...");
//save this as temp file
let temp_path = Path::new(&app_ctx.output_dir).join("inner_upg_temp");
let mut temp_file = OpenOptions::new().write(true).create(true).open(&temp_path)?;
temp_file.write_all(&data[..file_header.real_size as usize])?;
//REOPEN temp file and make ctx
let r_temp_file = File::open(&temp_path)?;
let in_ctx: AppContext = AppContext {
input: InputTarget::File(r_temp_file),
output_dir: output_path,
options: app_ctx.options.clone()
};
//do check just in case and extract
if let Some(result) = is_pfl_upg_file(&in_ctx)? {
extract_pfl_upg(&in_ctx, result)?;
} else {
return Err("detection on inner UPG failed!".into());
}
//delete temp file
fs::remove_file(&temp_path)?;
continue
}
let mut out_file = OpenOptions::new().write(true).create(true).open(output_path)?;
out_file.write_all(&data[..file_header.real_size as usize])?;
println!("- Saved file!");
}
+14 -8
View File
@@ -46,15 +46,21 @@ pub static RUF: &[(&str, &str)] = &[
("BD-P1600", "CB44682CFC0E0C50E1BEA74294ABBAE6"),
];
//pfl upg keys
//pfl upg pubkeys
pub static PFLUPG: &[(&str, &str)] = &[
("q5551", "D7EE8ED11AC048ED225D4F5F53F8509E55C5D94256A703C79E4CA78AE93ECE1639FE466363AD962BD6D6DE0C46FD19F363687C1D8A21820740A6E7FF87F41C4900DCE1E26EC122E5D4DFA76BFC8F296816B8D0910325E9DC5CBCC9579CF15FC0253EF7CF4919B7613491A5D7BF75DC1888531C458967FD1CF64B33139550BAA5"),
("qf1eu", "ACD684155C7CCCB04372A8808514489FA9EE75D305987D1337420241FDBE0AE1F7CDFBB931C9D56C91D36F2CE79D222695B484FF42BCA12CE362C7C9ABBDEEC8E5D6107FADCF2D4DA5DF0693E13ACE54A18AEB21C051F6B62C075A1791985547C1CFF4FB5B6EA7E0A9405A1B2BB71EB89A9B209E0F62BF9794D673179C0E60F1"),
("q591e", "AFAF89062747CBB29343C4E4EA775E4CFDF5FAFCD92C9DD858A8725201BA54AB973BEFEE04EBF3046910FBBC78B10120AE16D80BA734931E97248BC6B1D4A909F087D37BC0A9C2210FF8A2BE44C00F31E4DD8713A364623637FF75EBBCE9D3A840DB67E0FA910F127F679496F6C21112E3E3AD4ACA459FDE1CC58E300682E6F9"),
("q522e", "C41BE92C212BAC76B48261E2A1704028287DD7E121C11DA25F709E864FBDC1BD8C7F226F57605A4B42D768CDD629AF9E54011A0967AFC2826331406FB1E90321620738526EA0BEA59F1A0E612AE891C396112F13531F423DF02F94D1C871429549F4D5B30D9CA3EFDCC6D7A96849F7C1788DE8FAAEDD36560337008DF06D612F"),
("q5481", "9E7DA389815251E82A84A1182807702E72A0B0E0FF707C8E73E2EA71F79D5FAAFFC6E0B90ED16E13A4289C78A7D3BDA90626162AAE169D7BE28D6A635585CC10639C4E312E288EB8F7C5A44518B7E8A26A45C5023C5078A972A4CC219CA020BAF524F7429257B7AD76E1B15390879064C6ED59CC1F20CC04EEC26C9CF7FC0727"),
("q5431", "C5FD937B301A5CEF4B6C25F187728C99636515D058895FEA469496E2B24907FC7721648841F8AE4C618E215673D0C029752FA970B6F9A7F48C9331293D3B1D43E4DFC7B52914973642CD3E4EE0AD11F5254505038F95CACE0DF21FC769B34E134435D88AB617D2981F66EF45BBC7796CFB1086C5D5672E837204991FE53BC1CF"),
("q5492", "F28ED197C5C40B7F7356D4EDD5526BC238C812EB59400087BBA2D6402B41BBE695EAAE5F6051F1B5EBAC1756F17FED9DA0678F2E6EE59ABF530847DB9249DD025D00FFC67B2ECFF320E99F5DA8A46B1E41479BA3B5CDC110D247B7AF31E887463C8E7A9929BE511C724FB7B4BACBF055F276ED53687E24543815D5437405B0CB"),
("TV520_1", "C41BE92C212BAC76B48261E2A1704028287DD7E121C11DA25F709E864FBDC1BD8C7F226F57605A4B42D768CDD629AF9E54011A0967AFC2826331406FB1E90321620738526EA0BEA59F1A0E612AE891C396112F13531F423DF02F94D1C871429549F4D5B30D9CA3EFDCC6D7A96849F7C1788DE8FAAEDD36560337008DF06D612F"),
("TV520_2", "AFAF89062747CBB29343C4E4EA775E4CFDF5FAFCD92C9DD858A8725201BA54AB973BEFEE04EBF3046910FBBC78B10120AE16D80BA734931E97248BC6B1D4A909F087D37BC0A9C2210FF8A2BE44C00F31E4DD8713A364623637FF75EBBCE9D3A840DB67E0FA910F127F679496F6C21112E3E3AD4ACA459FDE1CC58E300682E6F9"),
("TV543_Q543", "C5FD937B301A5CEF4B6C25F187728C99636515D058895FEA469496E2B24907FC7721648841F8AE4C618E215673D0C029752FA970B6F9A7F48C9331293D3B1D43E4DFC7B52914973642CD3E4EE0AD11F5254505038F95CACE0DF21FC769B34E134435D88AB617D2981F66EF45BBC7796CFB1086C5D5672E837204991FE53BC1CF"),
("TV543_Q548", "9E7DA389815251E82A84A1182807702E72A0B0E0FF707C8E73E2EA71F79D5FAAFFC6E0B90ED16E13A4289C78A7D3BDA90626162AAE169D7BE28D6A635585CC10639C4E312E288EB8F7C5A44518B7E8A26A45C5023C5078A972A4CC219CA020BAF524F7429257B7AD76E1B15390879064C6ED59CC1F20CC04EEC26C9CF7FC0727"),
("TV543_Q549", "F28ED197C5C40B7F7356D4EDD5526BC238C812EB59400087BBA2D6402B41BBE695EAAE5F6051F1B5EBAC1756F17FED9DA0678F2E6EE59ABF530847DB9249DD025D00FFC67B2ECFF320E99F5DA8A46B1E41479BA3B5CDC110D247B7AF31E887463C8E7A9929BE511C724FB7B4BACBF055F276ED53687E24543815D5437405B0CB"),
("TV550", "D7EE8ED11AC048ED225D4F5F53F8509E55C5D94256A703C79E4CA78AE93ECE1639FE466363AD962BD6D6DE0C46FD19F363687C1D8A21820740A6E7FF87F41C4900DCE1E26EC122E5D4DFA76BFC8F296816B8D0910325E9DC5CBCC9579CF15FC0253EF7CF4919B7613491A5D7BF75DC1888531C458967FD1CF64B33139550BAA5"),
("Fusion", "ACD684155C7CCCB04372A8808514489FA9EE75D305987D1337420241FDBE0AE1F7CDFBB931C9D56C91D36F2CE79D222695B484FF42BCA12CE362C7C9ABBDEEC8E5D6107FADCF2D4DA5DF0693E13ACE54A18AEB21C051F6B62C075A1791985547C1CFF4FB5B6EA7E0A9405A1B2BB71EB89A9B209E0F62BF9794D673179C0E60F1"),
//sony
("sony_M5", "9B869BF115627779065064476154D801BCB38DF9BE7CD8A1D6A925C9661D286CB6601633CBDE2675650B55165E4BFA4F62F4BBB3310FC68624D0F6D4D83DAFAA9A1D0E038A8B1BF503ECED1C40C90CBF7DD0585E67AAE17014F3E0608D68B13CAF1D4718F6194E4D68BE04CCC330AB841FD242919F383E8513A5B8A53F5800BD"),
("sony_M6", "C6283DBEE4D0C9B39B32760A036109FA04999174E6F259959EA66E5AFB4202B74ACACF7389AF00CCAE6AD2FD16CBCA7A100258EC43360C63DC4BFD81C613A3B5CDFA2FF3C7F797E2617EEDBFD4A6F1DEAC3E85076FAE9BF18C35AC4C7DD0EE9510B697615A415A2B69A7FAA24CB433297039ECA23F6E52CBA61BADEC621CECFD"),
("sony_M7", "CAFA1ECA418A4D5575E9F099E6BCB0083B1A8FC8E47FC7A7779D5BC31D6F84BB191DAF05037FE9F67F1F12401D9AEBABE892D121189C76C6962374AA7DF3EE1DD07994DFD97B150A3E3EFB146BAF9A483F3536B238CED429064DCC087803C1627996F5DBBE23A5E69114F76B55D7CB08C65B5CC81160D4E7FFB9A8C49E724B65"),
("sony_M8", "ACE08E69569094B1B1A37630986A6F0D689D346471E76018889F610B05B3EB32DFAFE1FD9514EE40E75320E22230F2ADCE8B38C8680DBF013C5D3056033C2647F3DFC1B80D4BCD7FBBCC1FBB665B9D83807E0EF26D15AF1BE8B980F65E139DEE286FE7E3580DAC27C03C6F50AA2233C7BA25C47824DE52BB119F44AD3C80CB71"),
];
//pana dvd keys (no AES)