diff --git a/README.md b/README.md index 17fa933..58c3375 100644 --- a/README.md +++ b/README.md @@ -152,9 +152,11 @@ Tip: if you have split ROM (.ROM-00 and .ROM-01), extract both into the same fol ※ Support `dump_dec_hdrs` option ## Philips UPG (Autorun.upg, 2SWU3TXV) -**Used in:** Philips pre-TPVision TVs 200?-2013 +**Used in:** Philips pre-TPVision TVs 200?-2013 and some Sony TVs **Notes:** **Depends on keys** - see keys.rs -**Thanks to:** https://github.com/frederic/pflupg-tool +**Thanks to:** https://github.com/frederic/pflupg-tool +**Options:** +`pfl_upg:no_extract_inner_upg` - Do not automatically extract inner UPGs. (Warning: this can cause file collisions sometimes!) ## Philips BDP **Used in:** Philips MediaTek-based Blu-ray players/Home theatre systems diff --git a/src/formats/pfl_upg/include.rs b/src/formats/pfl_upg/include.rs index b79bf5a..ffe662d 100644 --- a/src/formats/pfl_upg/include.rs +++ b/src/formats/pfl_upg/include.rs @@ -2,29 +2,44 @@ use crate::utils::common; use binrw::BinRead; use aes::Aes256; use ecb::{Decryptor, cipher::{BlockDecryptMut, KeyInit, generic_array::GenericArray}}; +use crate::keys; +use rsa::{RsaPublicKey, BigUint}; + +pub fn try_find_key(sig: &[u8], ciphertext: &[u8]) -> Result, Box> { + let mut result: Option<(String, [u8; 32])> = None; + + for (name, n_hex) in keys::PFLUPG { + let n = BigUint::from_bytes_be(&hex::decode(n_hex)?); + let e = BigUint::from_bytes_be(&hex::decode("010001")?); + let pubkey = RsaPublicKey::new(n, e)?; + + let sig_int = BigUint::from_bytes_le(&sig); + let dec_int = rsa::hazmat::rsa_encrypt(&pubkey, &sig_int)?; + let dec_sig = dec_int.to_bytes_le(); + + let aes_key = &dec_sig[20..52]; + let dec_ciphertext = decrypt_aes256_ecb(aes_key.try_into().unwrap(), &ciphertext)?; + + //needs to start with null-termninated filename string + let end = match dec_ciphertext.iter().position(|&b| b == 0) { + Some(pos) => pos, + None => continue, //there is no 0, continue + }; + let fname = &dec_ciphertext[..end]; + if fname.is_ascii() { //is ascii filename + result = Some((name.to_string(), aes_key.try_into().unwrap())); + break + } + } + + Ok(result) +} -pub static AUTO_FWS: &[(&str, &str)] = &[ - ("Q5551", "q5551"), - ("Q5553", "q5551"), - ("Q554E", "q5551"), - ("Q554M", "q5551"), - ("QF1EU", "qf1eu"), - ("QF2EU", "qf1eu"), - ("Q591E", "q591e"), - ("Q522E", "q522e"), - ("Q582E", "q522e"), - ("Q5481", "q5481"), - ("Q5431", "q5431"), - ("Q5492", "q5492"), - ("S5551", "q5551"), //Sharp -]; type Aes256EcbDec = Decryptor; -pub fn decrypt_aes256_ecb(key: &[u8], ciphertext: &[u8]) -> Result, Box> { - let key_array: [u8; 32] = key.try_into()?; - - let mut decryptor = Aes256EcbDec::new(&key_array.into()); +pub fn decrypt_aes256_ecb(key: [u8; 32], ciphertext: &[u8]) -> Result, Box> { + let mut decryptor = Aes256EcbDec::new(&key.into()); let mut buffer = ciphertext.to_vec(); for chunk in buffer.chunks_exact_mut(16) { @@ -38,7 +53,7 @@ pub fn decrypt_aes256_ecb(key: &[u8], ciphertext: &[u8]) -> Result, Box< #[derive(BinRead)] pub struct Header { _magic_bytes: [u8; 8], - pub header_size: u32, + pub header_size: u32, //data start pub data_size: u32, _crc32: u32, pub mask: u32, @@ -73,7 +88,7 @@ impl FileHeader { pub fn has_extended_name(&self) -> bool { (self.attributes[2] & (1 << 7)) != 0 } - pub fn _is_package(&self) -> bool { - (self.attributes[3] & (1 << 1)) != 0 + pub fn is_package(&self) -> bool { + (self.attributes[3] & (1 << 2)) != 0 } } \ No newline at end of file diff --git a/src/formats/pfl_upg/mod.rs b/src/formats/pfl_upg/mod.rs index 45889f8..97c8314 100644 --- a/src/formats/pfl_upg/mod.rs +++ b/src/formats/pfl_upg/mod.rs @@ -1,16 +1,13 @@ mod include; use std::any::Any; -use crate::AppContext; +use crate::{AppContext, InputTarget}; -use rsa::{RsaPublicKey, BigUint}; -use hex::decode; use std::path::Path; -use std::io::{Read, Cursor, Write}; -use std::fs::{self, OpenOptions}; +use std::io::{Cursor, Write}; +use std::fs::{self, File, OpenOptions}; use binrw::BinReaderExt; use crate::utils::common; -use crate::keys; use include::*; pub fn is_pfl_upg_file(app_ctx: &AppContext) -> Result>, Box> { @@ -31,66 +28,42 @@ pub fn extract_pfl_upg(app_ctx: &AppContext, _ctx: Box) -> Result<(), B let signature = common::read_exact(&mut file, 128)?; let _ = common::read_exact(&mut file, 32)?; //unknown - let version_bytes = common::read_exact(&mut file, header.header_size as usize - 704)?; + let version_bytes = common::read_exact(&mut file, header.header_size as usize - 704)?; //704 is base header size let version = common::string_from_bytes(&version_bytes); println!("\nVersion: {}", version); - println!("Description: \n{}", header.description()); + if header.description() != "" { //look ugly when empty + println!("--- Description --- \n{}", header.description()); + println!("-------------------"); + } println!("Data size: {}", header.data_size); - let mut decrypted_data; + let mut data; if header.is_encrypted() { - println!("File is encrypted."); - let mut key = None; - let mut n_hex = None; - - //find key - for (firmware, value) in AUTO_FWS { - if version.starts_with(firmware) { - key = Some(value); - break; - } - } - if key.is_none() { - return Err("This firmware is not supported!".into()); + println!("\nFile is encrypted."); + + //get some data as test ciphertext for key finding + let ciphertext = common::read_file(&mut file, header.header_size as u64, 64)?; + let aes_key; + if let Some((key_name, key)) = try_find_key(&signature, &ciphertext)? { + println!("Matched pubkey: {}, AES key: {}", key_name, hex::encode(key)); + aes_key = key; + } else { + return Err("Matching key not found, cannot decrypt data".into()); } - //get key - for (prefix, value) in keys::PFLUPG { - if key == Some(prefix) { - n_hex = Some(value); - break; - } - } - - let e_hex = "010001"; - - let n = BigUint::from_bytes_be(&decode(n_hex.unwrap())?); - let e = BigUint::from_bytes_be(&decode(e_hex)?); - let pubkey = RsaPublicKey::new(n, e)?; - - let signature_int = BigUint::from_bytes_le(&signature); - - let decrypted_int = rsa::hazmat::rsa_encrypt(&pubkey, &signature_int)?; - let decrypted = decrypted_int.to_bytes_le(); - - let aes_key = &decrypted[20..52]; - println!("AES key: {}\n", hex::encode(aes_key)); - - //for encrypted data we need to read file to end - let mut encrypted_data = Vec::new(); - file.read_to_end(&mut encrypted_data)?; + //need to align to 16 bytes for AES blocksize + let encrypted_data = common::read_exact(&mut file, (header.data_size as usize + 0xf) & !0xf)?; println!("Decrypting data..."); - decrypted_data = decrypt_aes256_ecb(aes_key, &encrypted_data)?; - decrypted_data.truncate(header.data_size as usize); + data = decrypt_aes256_ecb(aes_key, &encrypted_data)?; + data.truncate(header.data_size as usize); //discard padding } else { - println!("File is not encrypted."); - decrypted_data = common::read_exact(&mut file, header.data_size as usize)?; + data = common::read_exact(&mut file, header.data_size as usize)?; } - let mut data_reader = Cursor::new(decrypted_data); + let mut data_reader = Cursor::new(data); while (data_reader.position() as usize) < data_reader.get_ref().len() { let file_header: FileHeader = data_reader.read_le()?; @@ -104,7 +77,6 @@ pub fn extract_pfl_upg(app_ctx: &AppContext, _ctx: Box) -> Result<(), B let file_name = if file_header.has_extended_name() { let ex_name_size = file_header.header_size - 76; //76 is base file header size - //println!("extended name {}, org name: {}", ex_name_size, file_header.file_name()); let ex_name_bytes = common::read_exact(&mut data_reader, ex_name_size as usize)?; common::string_from_bytes(&ex_name_bytes) } else { @@ -115,23 +87,44 @@ pub fn extract_pfl_upg(app_ctx: &AppContext, _ctx: Box) -> Result<(), B let data = common::read_exact(&mut data_reader, file_header.stored_size as usize)?; let output_path = Path::new(&app_ctx.output_dir).join(file_name.trim_start_matches('/')); - let output_path_parent = output_path.parent().expect("Failed to get parent of the output path!"); - - //prevent collisions - if output_path_parent.exists() && output_path_parent.is_file() { - println!("[!] Warning: File collision detected, Skipping this file!"); - continue - } + fs::create_dir_all(&app_ctx.output_dir)?; if let Some(parent) = output_path.parent() { fs::create_dir_all(parent)?; } - fs::create_dir_all(&app_ctx.output_dir)?; + //pfl upg inside pfl upg! DUMB code! + if file_header.is_package() && !app_ctx.has_option("pfl_upg:no_extract_inner_upg"){ + println!("- Extracting inner UPG..."); + + //save this as temp file + let temp_path = Path::new(&app_ctx.output_dir).join("inner_upg_temp"); + let mut temp_file = OpenOptions::new().write(true).create(true).open(&temp_path)?; + temp_file.write_all(&data[..file_header.real_size as usize])?; + + //REOPEN temp file and make ctx + let r_temp_file = File::open(&temp_path)?; + let in_ctx: AppContext = AppContext { + input: InputTarget::File(r_temp_file), + output_dir: output_path, + options: app_ctx.options.clone() + }; + + //do check just in case and extract + if let Some(result) = is_pfl_upg_file(&in_ctx)? { + extract_pfl_upg(&in_ctx, result)?; + } else { + return Err("detection on inner UPG failed!".into()); + } + + //delete temp file + fs::remove_file(&temp_path)?; + + continue + } + let mut out_file = OpenOptions::new().write(true).create(true).open(output_path)?; - out_file.write_all(&data[..file_header.real_size as usize])?; - println!("- Saved file!"); } diff --git a/src/keys.rs b/src/keys.rs index 8f6929e..cad6003 100644 --- a/src/keys.rs +++ b/src/keys.rs @@ -46,15 +46,21 @@ pub static RUF: &[(&str, &str)] = &[ ("BD-P1600", "CB44682CFC0E0C50E1BEA74294ABBAE6"), ]; -//pfl upg keys +//pfl upg pubkeys pub static PFLUPG: &[(&str, &str)] = &[ - ("q5551", "D7EE8ED11AC048ED225D4F5F53F8509E55C5D94256A703C79E4CA78AE93ECE1639FE466363AD962BD6D6DE0C46FD19F363687C1D8A21820740A6E7FF87F41C4900DCE1E26EC122E5D4DFA76BFC8F296816B8D0910325E9DC5CBCC9579CF15FC0253EF7CF4919B7613491A5D7BF75DC1888531C458967FD1CF64B33139550BAA5"), - ("qf1eu", "ACD684155C7CCCB04372A8808514489FA9EE75D305987D1337420241FDBE0AE1F7CDFBB931C9D56C91D36F2CE79D222695B484FF42BCA12CE362C7C9ABBDEEC8E5D6107FADCF2D4DA5DF0693E13ACE54A18AEB21C051F6B62C075A1791985547C1CFF4FB5B6EA7E0A9405A1B2BB71EB89A9B209E0F62BF9794D673179C0E60F1"), - ("q591e", "AFAF89062747CBB29343C4E4EA775E4CFDF5FAFCD92C9DD858A8725201BA54AB973BEFEE04EBF3046910FBBC78B10120AE16D80BA734931E97248BC6B1D4A909F087D37BC0A9C2210FF8A2BE44C00F31E4DD8713A364623637FF75EBBCE9D3A840DB67E0FA910F127F679496F6C21112E3E3AD4ACA459FDE1CC58E300682E6F9"), - ("q522e", "C41BE92C212BAC76B48261E2A1704028287DD7E121C11DA25F709E864FBDC1BD8C7F226F57605A4B42D768CDD629AF9E54011A0967AFC2826331406FB1E90321620738526EA0BEA59F1A0E612AE891C396112F13531F423DF02F94D1C871429549F4D5B30D9CA3EFDCC6D7A96849F7C1788DE8FAAEDD36560337008DF06D612F"), - ("q5481", "9E7DA389815251E82A84A1182807702E72A0B0E0FF707C8E73E2EA71F79D5FAAFFC6E0B90ED16E13A4289C78A7D3BDA90626162AAE169D7BE28D6A635585CC10639C4E312E288EB8F7C5A44518B7E8A26A45C5023C5078A972A4CC219CA020BAF524F7429257B7AD76E1B15390879064C6ED59CC1F20CC04EEC26C9CF7FC0727"), - ("q5431", "C5FD937B301A5CEF4B6C25F187728C99636515D058895FEA469496E2B24907FC7721648841F8AE4C618E215673D0C029752FA970B6F9A7F48C9331293D3B1D43E4DFC7B52914973642CD3E4EE0AD11F5254505038F95CACE0DF21FC769B34E134435D88AB617D2981F66EF45BBC7796CFB1086C5D5672E837204991FE53BC1CF"), - ("q5492", "F28ED197C5C40B7F7356D4EDD5526BC238C812EB59400087BBA2D6402B41BBE695EAAE5F6051F1B5EBAC1756F17FED9DA0678F2E6EE59ABF530847DB9249DD025D00FFC67B2ECFF320E99F5DA8A46B1E41479BA3B5CDC110D247B7AF31E887463C8E7A9929BE511C724FB7B4BACBF055F276ED53687E24543815D5437405B0CB"), + ("TV520_1", "C41BE92C212BAC76B48261E2A1704028287DD7E121C11DA25F709E864FBDC1BD8C7F226F57605A4B42D768CDD629AF9E54011A0967AFC2826331406FB1E90321620738526EA0BEA59F1A0E612AE891C396112F13531F423DF02F94D1C871429549F4D5B30D9CA3EFDCC6D7A96849F7C1788DE8FAAEDD36560337008DF06D612F"), + ("TV520_2", "AFAF89062747CBB29343C4E4EA775E4CFDF5FAFCD92C9DD858A8725201BA54AB973BEFEE04EBF3046910FBBC78B10120AE16D80BA734931E97248BC6B1D4A909F087D37BC0A9C2210FF8A2BE44C00F31E4DD8713A364623637FF75EBBCE9D3A840DB67E0FA910F127F679496F6C21112E3E3AD4ACA459FDE1CC58E300682E6F9"), + ("TV543_Q543", "C5FD937B301A5CEF4B6C25F187728C99636515D058895FEA469496E2B24907FC7721648841F8AE4C618E215673D0C029752FA970B6F9A7F48C9331293D3B1D43E4DFC7B52914973642CD3E4EE0AD11F5254505038F95CACE0DF21FC769B34E134435D88AB617D2981F66EF45BBC7796CFB1086C5D5672E837204991FE53BC1CF"), + ("TV543_Q548", "9E7DA389815251E82A84A1182807702E72A0B0E0FF707C8E73E2EA71F79D5FAAFFC6E0B90ED16E13A4289C78A7D3BDA90626162AAE169D7BE28D6A635585CC10639C4E312E288EB8F7C5A44518B7E8A26A45C5023C5078A972A4CC219CA020BAF524F7429257B7AD76E1B15390879064C6ED59CC1F20CC04EEC26C9CF7FC0727"), + ("TV543_Q549", "F28ED197C5C40B7F7356D4EDD5526BC238C812EB59400087BBA2D6402B41BBE695EAAE5F6051F1B5EBAC1756F17FED9DA0678F2E6EE59ABF530847DB9249DD025D00FFC67B2ECFF320E99F5DA8A46B1E41479BA3B5CDC110D247B7AF31E887463C8E7A9929BE511C724FB7B4BACBF055F276ED53687E24543815D5437405B0CB"), + ("TV550", "D7EE8ED11AC048ED225D4F5F53F8509E55C5D94256A703C79E4CA78AE93ECE1639FE466363AD962BD6D6DE0C46FD19F363687C1D8A21820740A6E7FF87F41C4900DCE1E26EC122E5D4DFA76BFC8F296816B8D0910325E9DC5CBCC9579CF15FC0253EF7CF4919B7613491A5D7BF75DC1888531C458967FD1CF64B33139550BAA5"), + ("Fusion", "ACD684155C7CCCB04372A8808514489FA9EE75D305987D1337420241FDBE0AE1F7CDFBB931C9D56C91D36F2CE79D222695B484FF42BCA12CE362C7C9ABBDEEC8E5D6107FADCF2D4DA5DF0693E13ACE54A18AEB21C051F6B62C075A1791985547C1CFF4FB5B6EA7E0A9405A1B2BB71EB89A9B209E0F62BF9794D673179C0E60F1"), + + //sony + ("sony_M5", "9B869BF115627779065064476154D801BCB38DF9BE7CD8A1D6A925C9661D286CB6601633CBDE2675650B55165E4BFA4F62F4BBB3310FC68624D0F6D4D83DAFAA9A1D0E038A8B1BF503ECED1C40C90CBF7DD0585E67AAE17014F3E0608D68B13CAF1D4718F6194E4D68BE04CCC330AB841FD242919F383E8513A5B8A53F5800BD"), + ("sony_M6", "C6283DBEE4D0C9B39B32760A036109FA04999174E6F259959EA66E5AFB4202B74ACACF7389AF00CCAE6AD2FD16CBCA7A100258EC43360C63DC4BFD81C613A3B5CDFA2FF3C7F797E2617EEDBFD4A6F1DEAC3E85076FAE9BF18C35AC4C7DD0EE9510B697615A415A2B69A7FAA24CB433297039ECA23F6E52CBA61BADEC621CECFD"), + ("sony_M7", "CAFA1ECA418A4D5575E9F099E6BCB0083B1A8FC8E47FC7A7779D5BC31D6F84BB191DAF05037FE9F67F1F12401D9AEBABE892D121189C76C6962374AA7DF3EE1DD07994DFD97B150A3E3EFB146BAF9A483F3536B238CED429064DCC087803C1627996F5DBBE23A5E69114F76B55D7CB08C65B5CC81160D4E7FFB9A8C49E724B65"), + ("sony_M8", "ACE08E69569094B1B1A37630986A6F0D689D346471E76018889F610B05B3EB32DFAFE1FD9514EE40E75320E22230F2ADCE8B38C8680DBF013C5D3056033C2647F3DFC1B80D4BCD7FBBCC1FBB665B9D83807E0EF26D15AF1BE8B980F65E139DEE286FE7E3580DAC27C03C6F50AA2233C7BA25C47824DE52BB119F44AD3C80CB71"), ]; //pana dvd keys (no AES)