Skip to content

Instantly share code, notes, and snippets.

@Niksac
Forked from hexkyz/tx_unpack.py
Created July 17, 2018 14:43
Show Gist options
  • Save Niksac/f1dcfab6e13e2f011ecc9ec068b9315e to your computer and use it in GitHub Desktop.
Save Niksac/f1dcfab6e13e2f011ecc9ec068b9315e to your computer and use it in GitHub Desktop.
###############################################
# TX SX OS unpacker - by hexkyz and naehrwert #
###############################################
from Crypto.Cipher import AES
from Crypto.Util import Counter
import os
import struct
"""
typedef struct boot_dat_hdr
{
unsigned char ident[0x10];
unsigned char sha2_s2[0x20];
unsigned int s2_dst;
unsigned int s2_size;
unsigned int s2_enc;
unsigned char pad[0x10];
unsigned int s3_size;
unsigned char pad2[0x90];
unsigned char sha2_hdr[0x20];
} boot_dat_hdr_t;
"""
def aes_ctr_dec(buf, key, iv):
ctr = Counter.new(128, initial_value=long(iv.encode('hex'), 16))
return AES.new(key, AES.MODE_CTR, counter=ctr).encrypt(buf)
f = open("boot.dat", "rb")
b = f.read()
f.close()
boot_ver = struct.unpack("I", b[0x0C:0x10])[0]
s2_base, s2_size = struct.unpack("II", b[0x30:0x38])
s2_key = "47E6BFB05965ABCD00E2EE4DDF540261".decode("hex")
s2_ctr = "8E4C7889CBAE4A3D64797DDA84BDB086".decode("hex")
if boot_ver == 0x302E3156: # TX BOOT V1.0
arm64_key = "35D8FFC4AA1BAB9514825EB0658FB493".decode("hex")
arm64_ctr = "C38EA26FF3CCE98FD8D5ED431D9D5B94".decode("hex")
arm64_off = 0x53BAB0
arm64_size = 0x36370
arm64_base = 0x80FFFE00
fb_key = "E2AC05206A701C9AA514D2B2B7C9F395".decode("hex")
fb_ctr = "46FAB59AF0E469EF116614DEC366D15F".decode("hex")
fb_off = 0x17BAB0
fb_size = 0x3C0000
fb_base = 0xF0000000
payload80_key = "030D865B7E458B10AD5706F6E227F4EB".decode("hex")
payload80_ctr = "AFFC93692EBD2E3D252339F01E03416B".decode("hex")
payload80_off = 0x5F40
payload80_size = 0x175B70
payload80_base = 0x80000000
elif boot_ver == 0x312E3156: # TX BOOT V1.1
arm64_key = "51A39F0B46BAE4691AD39A698146E865".decode("hex")
arm64_ctr = "7A307ED7F1ECC792F0E821ECD6999853".decode("hex")
arm64_off = 0x53BAE0
arm64_size = 0x36370
arm64_base = 0x80FFFE00
fb_key = "27BABEE3DCFEF100C744A2388B57E957".decode("hex")
fb_ctr = "0B88AC25AFAF9B92D81372331AD66E24".decode("hex")
fb_off = 0x17BAE0
fb_size = 0x3C0000
fb_base = 0xF0000000
payload80_key = "8D6FEABE0F3936145A474D3F05D33679".decode("hex")
payload80_ctr = "2846EFA9DACB065C51C71C154F0E9EA2".decode("hex")
payload80_off = 0x5F50
payload80_size = 0x175B90
payload80_base = 0x80000000
elif boot_ver == 0x322E3156: # TX BOOT V1.2
arm64_key = "22429923901AF74ED6944992C824ACFE".decode("hex")
arm64_ctr = "590BE04550CC6139921D1C95241F34AC".decode("hex")
arm64_off = 0x53BAD0
arm64_size = 0x36370
arm64_base = 0x80FFFE00
fb_key = "E483A884AB59D5D0014404C2EB698517".decode("hex")
fb_ctr = "55A60F59F29DD518B4CAA59D0E3D1629".decode("hex")
fb_off = 0x17BAD0
fb_size = 0x3C0000
fb_base = 0xF0000000
payload80_key = "AF8F5811D075F5317924E5C1DD70A531".decode("hex")
payload80_ctr = "78219A2BB518BF9E302AFF75CE5862E1".decode("hex")
payload80_off = 0x5F50
payload80_size = 0x175B80
payload80_base = 0x80000000
elif boot_ver == 0x332E3156: # TX BOOT V1.3
arm64_key = "0DA0D677361625E81FD6DF236B9450D5".decode("hex")
arm64_ctr = "B368ECA0F8C078908F6B979613D0E52A".decode("hex")
arm64_off = 0x53BB00
arm64_size = 0x36370
arm64_base = 0x80FFFE00
fb_key = "1E76718F0BAF7D8BB72ECCE4F657DAF8".decode("hex")
fb_ctr = "4B0D81D9F44B8458F1EA93324C40BCD1".decode("hex")
fb_off = 0x17BB00
fb_size = 0x3C0000
fb_base = 0xF0000000
payload80_key = "5B52BF7DED400C967FB0B2E013B55E68".decode("hex")
payload80_ctr = "A1E038CE082F2C26052BE75F111CE3D1".decode("hex")
payload80_off = 0x5F70
payload80_size = 0x175B90
payload80_base = 0x80000000
else:
exit()
# Create main folder
if not os.path.exists("./sxos/"):
os.mkdir("./sxos/")
os.chdir("./sxos/")
# Create folder for the initial boot files
if not os.path.exists("./init/"):
os.mkdir("./init/")
os.chdir("./init/")
# Decrypt Stage2 IRAM payload
f = open("stage2_{0:08X}.bin".format(s2_base), "wb")
f.write(aes_ctr_dec(b[0x100:0x100+s2_size], s2_key, s2_ctr))
f.close()
# Decrypt ARM64 memory training blob
f = open("arm64_{0:08X}.bin".format(arm64_base), "wb")
f.write(aes_ctr_dec(b[arm64_off:arm64_off+arm64_size], arm64_key, arm64_ctr))
f.close()
# Decrypt initial framebuffer binary
f = open("fb_{0:08X}.bin".format(fb_base), "wb")
f.write(aes_ctr_dec(b[fb_off:fb_off+fb_size], fb_key, fb_ctr))
f.close()
# Create folder for the obfuscation payloads
if not os.path.exists("../payloads/"):
os.mkdir("../payloads/")
os.chdir("../payloads/")
# Decrypt first layer's obfuscation payload
f = open("payload_{0:08X}.bin".format(payload80_base), "wb")
f.write(aes_ctr_dec(b[payload80_off:payload80_off+payload80_size], payload80_key, payload80_ctr))
f.close()
if boot_ver == 0x302E3156: # TX BOOT V1.0
payload90_key = "7F5ADF4D874E452E03D49127A42F1E76".decode("hex")
payload90_ctr = "94251152C910E701397BE2DB4F1C6CA8".decode("hex")
payload90_off = 0xC0B8D0
payload90_size = 0xF5B20
payload90_base = 0x90000000
payload98_key = "7D3903433AFF4454E7C4494CF78B2C27".decode("hex")
payload98_ctr = "47A6B1EE20DDB7CDBB4A486C42638D54".decode("hex")
payload98_off = 0xD013F0
payload98_size = 0xBC290
payload98_base = 0x98000000
payloadA0_key = "470248AF0FD18221C7920635705980F6".decode("hex")
payloadA0_ctr = "4CC30D28126D38749F755A506B21EE15".decode("hex")
payloadA0_off = 0xDBD680
payloadA0_size = 0x1154D0
payloadA0_base = 0xA0000000
bootloader_key = "C9B5A5746CF37F46417DD6842B48361B".decode("hex")
bootloader_ctr = "40FBE01C573B0C286BC7956455475788".decode("hex")
bootloader_off = 0x571E20
bootloader_size = 0x20FC0
bootloader_base = 0x88000000
assets_key = "677EC85A86F798AFD6B8BC046B65F0F5".decode("hex")
assets_ctr = "31C8DBE98486D59CD69DA7C470A69A0B".decode("hex")
assets_off = 0x592DE0
assets_size = 0x4C0400
assets_base = 0x88020FC0
fw_key = "31756DA6C12CA907C050861D60A5E0A5".decode("hex")
fw_ctr = "DA0F8243F83358F15F431FF6F674C099".decode("hex")
fw_off = 0
fw_size = 0x1154D0
elif boot_ver == 0x312E3156: # TX BOOT V1.1
payload90_key = "7013D0DDA6F8C9149163EA51A67018B1".decode("hex")
payload90_ctr = "E3D4923757E97D29CFAD58896D53EE85".decode("hex")
payload90_off = 0xC0B900
payload90_size = 0xF5B20
payload90_base = 0x90000000
payload98_key = "28E56A613F36B70FE295E22A44DA918E".decode("hex")
payload98_ctr = "82566B8311E419CD238F9454994A6904".decode("hex")
payload98_off = 0xD01420
payload98_size = 0xBC290
payload98_base = 0x98000000
payloadA0_key = "7A0E46F3E362CCBC9988171F9EA89F47".decode("hex")
payloadA0_ctr = "8074330C69CA88D593EFF15670E78989".decode("hex")
payloadA0_off = 0xDBD6B0
payloadA0_size = 0x115870
payloadA0_base = 0xA0000000
bootloader_key = "9C333852BBABC82FE5AD8C8D7EC05BF7".decode("hex")
bootloader_ctr = "7214E2B09A5C7B9DC54FDB8C46CFFD59".decode("hex")
bootloader_off = 0x571E50
bootloader_size = 0x20FC0
bootloader_base = 0x88000000
assets_key = "B9501029CBB75F277EE8315F26DD4BCE".decode("hex")
assets_ctr = "6C99263F2A07EFBA2A5A9609F02746BB".decode("hex")
assets_off = 0x592E10
assets_size = 0x4C0400
assets_base = 0x88020FC0
fw_key = "78176C951176AE5B0B6784F45B8553FC".decode("hex")
fw_ctr = "56B409BC21DB9A7FEC8ED64C5A7E09D0".decode("hex")
fw_off = 0
fw_size = 0x115870
elif boot_ver == 0x322E3156: # TX BOOT V1.2
payload90_key = "3DE87D8E1A24E06B2D50F6100AA09B4C".decode("hex")
payload90_ctr = "94162463FF6B54FE9B6683F72CE79760".decode("hex")
payload90_off = 0xC0B8F0
payload90_size = 0xF5B20
payload90_base = 0x90000000
payload98_key = "5EBBF535CA7C7EE6C97A770CB1AA7E37".decode("hex")
payload98_ctr = "BF9BA9CB3E2328ACD4676CE106081B3D".decode("hex")
payload98_off = 0xD01410
payload98_size = 0xBC290
payload98_base = 0x98000000
payloadA0_key = "9EBBBD4F4A5CC82B705431DFF5AA260A".decode("hex")
payloadA0_ctr = "8A7923E459F12ED38CD533EFF69727D9".decode("hex")
payloadA0_off = 0xDBD6A0
payloadA0_size = 0x120530
payloadA0_base = 0xA0000000
bootloader_key = "F1A4E1EE2F279BB55A0C16D0373961BC".decode("hex")
bootloader_ctr = "BC40537AB5F23088B9F1DD51FB0BB1D7".decode("hex")
bootloader_off = 0x571E40
bootloader_size = 0x20FC0
bootloader_base = 0x88000000
assets_key = "8D0CC65A2DE679BDB3D73C3F11734E0E".decode("hex")
assets_ctr = "6CA93EAEEC84E218918F68DBFF8C95E9".decode("hex")
assets_off = 0x592E00
assets_size = 0x4C0400
assets_base = 0x88020FC0
fw_key = "84BB031A9E20D2BEAA10CE85BD4157BF".decode("hex")
fw_ctr = "DC986E7B0FF4DD433F21D655B082BF43".decode("hex")
fw_off = 0
fw_size = 0x120530
elif boot_ver == 0x332E3156: # TX BOOT V1.3
payload90_key = "36FC59BEBA2AABC77D124668E025350E".decode("hex")
payload90_ctr = "E773714BD860B532A356F2C6A07B843E".decode("hex")
payload90_off = 0xC0B920
payload90_size = 0xF5B20
payload90_base = 0x90000000
payload98_key = "9334A1F1943C16B2506BB1D9EBF33F93".decode("hex")
payload98_ctr = "7BE8A72FBA0943AE57E93E6F6D6FB46A".decode("hex")
payload98_off = 0xD01440
payload98_size = 0xBC290
payload98_base = 0x98000000
payloadA0_key = "F1AC8CB71383F07FAF34C12879025BEE".decode("hex")
payloadA0_ctr = "86B9D01C6FFAAF157CE31AE1162A7C48".decode("hex")
payloadA0_off = 0xDBD6D0
payloadA0_size = 0x1312E0
payloadA0_base = 0xA0000000
bootloader_key = "C439958095F3AC5CA361E46481A778B4".decode("hex")
bootloader_ctr = "07E32283C45EC5215DEFDBB199AD2F5B".decode("hex")
bootloader_off = 0x571E70
bootloader_size = 0x20FC0
bootloader_base = 0x88000000
assets_key = "5E5C65FA5C93C43BD8BA5B7B93A59687".decode("hex")
assets_ctr = "45E156D62914D27529AA7A8B7EAC8A31".decode("hex")
assets_off = 0x592E30
assets_size = 0x4C0400
assets_base = 0x88020FC0
fw_key = "264AAE11C24A65AB99E021788BFE6E66".decode("hex")
fw_ctr = "71C68F4C9CBB2203AC267B917BAC76B0".decode("hex")
fw_off = 0
fw_size = 0x1312E0
else:
exit()
# Decrypt second layer's obfuscation payload
f = open("payload_{0:08X}.bin".format(payload90_base), "wb")
f.write(aes_ctr_dec(b[payload90_off:payload90_off+payload90_size], payload90_key, payload90_ctr))
f.close()
# Decrypt third layer's obfuscation payload
f = open("payload_{0:08X}.bin".format(payload98_base), "wb")
f.write(aes_ctr_dec(b[payload98_off:payload98_off+payload98_size], payload98_key, payload98_ctr))
f.close()
# Decrypt fourth layer's obfuscation payload
f = open("payload_{0:08X}.bin".format(payloadA0_base), "wb")
f.write(aes_ctr_dec(b[payloadA0_off:payloadA0_off+payloadA0_size], payloadA0_key, payloadA0_ctr))
f.close()
# Create folder for the bootloader
if not os.path.exists("../bootloader/"):
os.mkdir("../bootloader/")
os.chdir("../bootloader/")
# Decrypt SX OS bootloader's code and assets
f = open("bootloader_{0:08X}.bin".format(bootloader_base), "wb")
f.write(aes_ctr_dec(b[bootloader_off:bootloader_off+bootloader_size], bootloader_key, bootloader_ctr))
f.write(aes_ctr_dec(b[assets_off:assets_off+assets_size], assets_key, assets_ctr))
f.close()
os.chdir("../payloads/")
# Open final firmware binary (encrypted)
f = open("payload_A0000000.bin", "rb")
b = f.read()
f.close()
# Decrypt final firmware binary
f = open("payload_A0000000_dec.bin", "wb")
f.write(aes_ctr_dec(b[fw_off:fw_off+fw_size], fw_key, fw_ctr))
f.close()
# Open final firmware binary (decrypted)
f = open("payload_A0000000_dec.bin", "rb")
b = f.read()
f.close()
# Create folder for the patcher binaries
if not os.path.exists("../patcher/"):
os.mkdir("../patcher/")
os.chdir("../patcher/")
if (boot_ver == 0x302E3156) or (boot_ver == 0x312E3156): # Old layout
patcher_size = struct.unpack("I", b[0x10:0x14])[0]
patcher_off = struct.unpack("I", b[0x14:0x18])[0]
patcher_base = struct.unpack("I", b[0x18:0x1C])[0]
patcher_crc = struct.unpack("I", b[0x1C:0x20])[0]
patcher_hash = struct.unpack("8I", b[0x50:0x70])
# Parse and store the PK11 patcher
f = open("patcher_{0:08X}.bin".format(patcher_base), "wb")
f.write(b[patcher_off:patcher_off+patcher_size])
f.close()
patcher_size = struct.unpack("I", b[0x20:0x24])[0]
patcher_off = struct.unpack("I", b[0x24:0x28])[0]
patcher_base = struct.unpack("I", b[0x28:0x2C])[0]
patcher_crc = struct.unpack("I", b[0x2C:0x30])[0]
patcher_hash = struct.unpack("8I", b[0x70:0x90])
# Parse and store the KIP1/INI1 patcher
f = open("patcher_{0:08X}.bin".format(patcher_base), "wb")
f.write(b[patcher_off:patcher_off+patcher_size])
f.close()
patcher_size = struct.unpack("I", b[0x30:0x34])[0]
patcher_off = struct.unpack("I", b[0x34:0x38])[0]
patcher_base = struct.unpack("I", b[0x38:0x3C])[0]
patcher_crc = struct.unpack("I", b[0x3C:0x40])[0]
patcher_hash = struct.unpack("8I", b[0x90:0xB0])
# Parse and store the kernel patcher
f = open("patcher_{0:08X}.bin".format(patcher_base), "wb")
f.write(b[patcher_off:patcher_off+patcher_size])
f.close()
# Create folder for the actual firmware binaries
if not os.path.exists("../firmware/"):
os.mkdir("../firmware/")
os.chdir("../firmware/")
kip_size = struct.unpack("I", b[0x40:0x44])[0]
kip_off = struct.unpack("I", b[0x44:0x48])[0]
kip_base = struct.unpack("I", b[0x48:0x4C])[0]
kip_crc = struct.unpack("I", b[0x4C:0x50])[0]
kip_hash = struct.unpack("8I", b[0xB0:0xD0])
# Parse and store the Loader KIP1
f = open("kip_{0:08X}.bin".format(kip_base), "wb")
f.write(b[kip_off:kip_off+kip_size])
f.close()
else: # New layout
patcher_size = struct.unpack("I", b[0x00:0x04])[0]
patcher_off = struct.unpack("I", b[0x04:0x08])[0]
patcher_base = struct.unpack("I", b[0x08:0x0C])[0]
patcher_crc = struct.unpack("I", b[0x0C:0x10])[0]
patcher_hash = struct.unpack("8I", b[0x10:0x30])
# Parse and store the PK11 patcher
f = open("patcher_{0:08X}.bin".format(patcher_base), "wb")
f.write(b[patcher_off:patcher_off+patcher_size])
f.close()
patcher_size = struct.unpack("I", b[0x30:0x34])[0]
patcher_off = struct.unpack("I", b[0x34:0x38])[0]
patcher_base = struct.unpack("I", b[0x38:0x3C])[0]
patcher_crc = struct.unpack("I", b[0x3C:0x40])[0]
patcher_hash = struct.unpack("8I", b[0x40:0x60])
# Parse and store the KIP1/INI1 patcher
f = open("patcher_{0:08X}.bin".format(patcher_base), "wb")
f.write(b[patcher_off:patcher_off+patcher_size])
f.close()
patcher_size = struct.unpack("I", b[0x60:0x64])[0]
patcher_off = struct.unpack("I", b[0x64:0x68])[0]
patcher_base = struct.unpack("I", b[0x68:0x6C])[0]
patcher_crc = struct.unpack("I", b[0x6C:0x70])[0]
patcher_hash = struct.unpack("8I", b[0x70:0x90])
# Parse and store the kernel patcher
f = open("patcher_{0:08X}.bin".format(patcher_base), "wb")
f.write(b[patcher_off:patcher_off+patcher_size])
f.close()
# Create folder for the actual firmware binaries
if not os.path.exists("../firmware/"):
os.mkdir("../firmware/")
os.chdir("../firmware/")
kip_size = struct.unpack("I", b[0x90:0x94])[0]
kip_off = struct.unpack("I", b[0x94:0x98])[0]
kip_base = struct.unpack("I", b[0x98:0x9C])[0]
kip_crc = struct.unpack("I", b[0x9C:0xA0])[0]
kip_hash = struct.unpack("8I", b[0xA0:0xC0])
# Parse and store the Loader KIP1
f = open("kip_{0:08X}.bin".format(kip_base), "wb")
f.write(b[kip_off:kip_off+kip_size])
f.close()
kip_size = struct.unpack("I", b[0xC0:0xC4])[0]
kip_off = struct.unpack("I", b[0xC4:0xC8])[0]
kip_base = struct.unpack("I", b[0xC8:0xCC])[0]
kip_crc = struct.unpack("I", b[0xCC:0xD0])[0]
kip_hash = struct.unpack("8I", b[0xD0:0xF0])
# Parse and store the sm KIP1
f = open("kip_{0:08X}.bin".format(kip_base), "wb")
f.write(b[kip_off:kip_off+kip_size])
f.close()
# New KIP file in V1.3
if boot_ver == 0x332E3156:
kip_size = struct.unpack("I", b[0xF0:0xF4])[0]
kip_off = struct.unpack("I", b[0xF4:0xF8])[0]
kip_base = struct.unpack("I", b[0xF8:0xFC])[0]
kip_crc = struct.unpack("I", b[0xFC:0x100])[0]
kip_hash = struct.unpack("8I", b[0x100:0x120])
# Parse and store the fs.mitm KIP1
f = open("kip_{0:08X}.bin".format(kip_base), "wb")
f.write(b[kip_off:kip_off+kip_size])
f.close()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment