lzghzr / MDR_Proxy

Local proxy tool for the Sony wireless headphones updater (headphones)
MIT License

Decrypt firmware. #31

Open tenshi0xx opened 5 months ago

tenshi0xx commented 5 months ago

Is it possible to decrypt Sony Linkbuds S firmware (LS-900N)? Thanks in advance

tenshi0xx commented 5 months ago

I want to know the way to decrypt it since i want to create custom firmware.

ramikg commented 5 months ago

Short answer: Not really.
For Sony headphones with the Airoha firmware, the encrypted part starts at offset 0x1000 of the firmware file, as can be seen using the Airoha firmware parser. I've written a Python script for decrypting the encrypted part (given the key & IV, of course).

Note that successfully decrypting the firmware won't be simple, if at all possible: Since Airoha used good encryption (AES-128), brute-forcing the key/IV is not feasible. Assuming the key & IV are not lying around somewhere on the internet, the only way to get them would be to extract them from the hardware. This may be anywhere from not so simple to virtually impossible.
Here are some other things that can be done:

  1. Build alternative firmware from scratch (e.g. taking inspiration from AirReps, which have non-encrypted Airoha firmware). This is out of reach for most people.
  2. Interact with the headphones via Bluetooth and hope to find some useful feature/bug.

Update: I've edited my answer to reflect the fact that the mentioned decryptor has been verified to be probably correct.

tenshi0xx commented 5 months ago

> Short answer: Not really.
>
> For Sony headphones with the Airoha firmware, the encrypted part starts at offset 0x1000 of the firmware file, as can be seen using the Airoha firmware parser. I've written a Python script for decrypting the encrypted part (given the key, of course).
>
> Note that successfully decrypting the firmware won't be simple, if at all possible:
>
>   1. The script is based on the decryption algorithm available online (e.g. in this EVK). My script may have incorrectly implemented the decryption algorithm (I haven't tested it).
>   2. Since Airoha used good encryption (AES-128), brute-forcing the key/IV is not feasible. Assuming the key & IV are not lying around somewhere on the internet, the only way to get them would be to extract them from the hardware. This may be anywhere from not so simple to virtually impossible.
>
> Here are some things that can be done:
>
>   1. Verify that the algorithm in the Python script is correct. Here are a couple of ways to achieve this:
>
>     1. Build and encrypt dummy firmware using the EVK. Then try decrypting it with the script.
>     2. Find a non-Sony device with encrypted Airoha firmware, and hope it has easily guessable key & IV.
>   2. Build alternative firmware from scratch (e.g. taking inspiration from AirReps, which have non-encrypted Airoha firmware). This is out of reach for most people.

OK so, is there a way to dump the key from the headphones themselves? Is UART possible?

I did try your decryption script; when the firmware is decrypted, Binwalk identifies it as an image.

It seems it's not working. Is there any way to get the key from the earbuds themselves? Plus, is the firmware decryption done in the earbuds themselves and not in the Headphones Connect app?

ramikg commented 4 months ago

> OK so, is there a way to dump the key from the headphones themselves? Is UART possible?

As I've mentioned in my previous comment, perhaps. I am not familiar with such attempts, so you are pretty much on your own here.

> I did try your decryption script; when the firmware is decrypted, Binwalk identifies it as an image.
>
> It seems it's not working

Providing a wrong key or IV will result in garbage output.

> Is there any way to get the key from the earbuds themselves?

See answer to first question.

> Plus, is the firmware decryption done in the earbuds themselves and not in the Headphones Connect app?

AFAIU, the app simply transmits the encrypted firmware to the headphones. It does not decrypt it at any point.
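The thread's two practical points are the 0x1000 split and the fact that a wrong key or IV produces garbage that tools like Binwalk cannot classify. The following added example (not the repository's code nor ramikg's script) splits a file at that offset, decrypts the body, and uses a byte-entropy check to tell a plausible decrypt from garbage; AES-128-CBC and the `cryptography` package are assumptions, and the sample image is constructed.

```python
import math
import os
from collections import Counter

ENCRYPTED_OFFSET = 0x1000  # cleartext header precedes the encrypted body (from the thread)
AES128_KEY_LEN = 16
AES_BLOCK = 16


def split_airoha_image(blob: bytes) -> tuple[bytes, bytes]:
    """Split a firmware file into the cleartext header and the encrypted body."""
    if len(blob) <= ENCRYPTED_OFFSET:
        raise ValueError("file shorter than the 0x1000 header")
    return blob[:ENCRYPTED_OFFSET], blob[ENCRYPTED_OFFSET:]


def decrypt_body(body: bytes, key: bytes, iv: bytes) -> bytes:
    """Decrypt the body with AES-128-CBC (assumed mode; the EVK's algorithm may differ)."""
    # Imported here so the layout and entropy helpers work without the dependency.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    if len(key) != AES128_KEY_LEN or len(iv) != AES_BLOCK:
        raise ValueError("AES-128 needs a 16-byte key and a 16-byte IV")
    usable = len(body) - len(body) % AES_BLOCK  # drop any trailing partial block
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return decryptor.update(body[:usable]) + decryptor.finalize()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_plaintext(data: bytes, threshold: float = 7.5) -> bool:
    """Ciphertext, or a decrypt with the wrong key/IV, stays close to 8 bits/byte.
    Real firmware has padding, strings and repeated opcodes, so it sits well below."""
    return shannon_entropy(data) < threshold


# Constructed sample: a 0x1000-byte header followed by a random "encrypted" body.
SAMPLE_HEADER = b"AIROHA-HDR".ljust(ENCRYPTED_OFFSET, b"\x00")
SAMPLE_BODY = os.urandom(0x2000)
SAMPLE_IMAGE = SAMPLE_HEADER + SAMPLE_BODY

if __name__ == "__main__":
    header, body = split_airoha_image(SAMPLE_IMAGE)
    print(f"header {shannon_entropy(header):.2f} bits/byte, body {shannon_entropy(body):.2f} bits/byte")
```

Run `looks_like_plaintext` on the output of `decrypt_body`: if it still reports near 8 bits/byte, the key, IV or assumed mode is wrong, regardless of what Binwalk claims to recognise.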