ramikg / airoha-firmware-parser

Airoha firmware parser & decryptor
The Unlicense

Airreps Firmware Key #2

Closed tenshi0xx closed 1 month ago

tenshi0xx commented 1 month ago

Hey, it's me again. So a question for the AirReps: do you have some key to decrypt it? I really want to know.

Also, how can I connect to you? I have WeChat, Discord, Telegram and email.

ramikg commented 1 month ago

_Previous discussion, for context: https://github.com/lzghzr/MDR_Proxy/issues/31_

The only encrypted Airoha firmware I've ever encountered is for Sony headphones. Unfortunately, I do not know the key of even one such firmware file.

Regarding the AirReps, as mentioned above, all firmware files I've encountered for these devices were not encrypted. Instead, they were just compressed using LZMA. (As the parser indicates via the compression_type field.) To decompress such firmware, extract the compressed part (which probably starts at offset 0x1000), and use 7-Zip or a similar utility to decompress it.

Regarding communication, please use GitHub issues or discussions.

tenshi0xx commented 1 month ago

> _Previous discussion, for context: lzghzr/MDR_Proxy#31_
>
> The only encrypted Airoha firmware I've ever encountered is for Sony headphones. Unfortunately, I do not know the key of even one such firmware file.
>
> Regarding the AirReps, as mentioned above, all firmware files I've encountered for these devices were not encrypted. Instead, they were just compressed using LZMA. (As the parser indicates via the compression_type field.) To decompress such firmware, extract the compressed part (which probably starts at offset 0x1000), and use 7-Zip or a similar utility to decompress it.
>
> Regarding communication, please use GitHub issues or discussions.

I tried to extract the compressed part by editing your script; however, I had no luck decompressing it using 7-Zip. Would you mind helping me with the AirReps, by the way?

ramikg commented 1 month ago

I've added a --no-decrypt option to the script.

Try running it as follows:

```sh
cd decryptor
pip install -Ur requirements.txt

python airoha_decrypt.py --from=fw.compressed --to=fw.decompressed --no-decrypt
```

tenshi0xx commented 1 month ago
> `python airoha_decrypt.py --from=fw.compressed --to=fw.decompressed --no-decrypt`


Weird... if I modify your script like this, it will decompress the file...

```python
import argparse
import lzma
import os
import struct

ENCRYPTED_PART_OFFSET_STRING = '0x1000'

class AirohaDecompressInputAndOutputFilesMustBeDifferent(Exception):
    pass

def _parse_args():
    parser = argparse.ArgumentParser()

    parser.add_argument('--from', dest='_from', metavar='FROM', type=argparse.FileType('rb'), required=True,
                        help='LZMA compressed firmware file.')
    parser.add_argument('--to', required=True,
                        help='Decompressed firmware file.')
    # argparse applies `type` to string defaults, so the default is parsed with int(x, 0) too
    parser.add_argument('--offset', type=lambda x: int(x, 0), default=ENCRYPTED_PART_OFFSET_STRING,
                        help=f'Offset of the compressed part in the input file. Default is {ENCRYPTED_PART_OFFSET_STRING}.')
    return parser.parse_args()

def _decompress(compressed_data, offset=0):
    # Skip to the offset where the LZMA compressed data starts
    compressed_data = compressed_data[offset:]
    # CPython can't handle an initialized size field in the LZMA header, so we set it to -1
    # (header layout: 1 properties byte, 4-byte dictionary size, 8-byte uncompressed size)
    fixed_lzma = compressed_data[:5] + struct.pack('<Q', 0xFFFFFFFFFFFFFFFF) + compressed_data[5+8:]
    return lzma.decompress(fixed_lzma, format=lzma.FORMAT_ALONE)

if __name__ == '__main__':
    args = _parse_args()

    if os.path.exists(args.to) and os.path.samefile(args._from.name, args.to):
        raise AirohaDecompressInputAndOutputFilesMustBeDifferent()

    with args._from as compressed_file:
        compressed_data = compressed_file.read()

    output_data = _decompress(compressed_data, args.offset)

    with open(args.to, 'wb') as output:
        output.write(output_data)
```

However, this will not work for opening in 7-Zip or so....

ramikg commented 1 month ago

You're right, the offset was ignored when passing --no-decrypt. I've fixed the script.

Regarding 7-Zip, you don't need it if you've used the script. You can now do whatever you want with the decompressed file.
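
An added example (not code from this repository or from anyone in the thread) that puts the approach above together for the LZMA-only AirReps images: it checks that the bytes at the candidate offset actually parse as an LZMA "alone" header before decompressing, rewrites the uncompressed-size field to "unknown" exactly as the script does, and caps the output so a corrupt or hostile image cannot exhaust memory. The 0x1000 offset comes from the thread; the constructed sample image, the 4096-byte dictionary floor and the 64 MiB cap are assumptions.

```python
import lzma
import struct

ALONE_HEADER_LEN = 13        # props (1 byte) + dict size (u32 LE) + uncompressed size (u64 LE)
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF
LZMA_DICT_SIZE_MIN = 4096    # liblzma's LZMA_DICT_SIZE_MIN, used here as a plausibility floor

def parse_alone_header(data):
    """Decode a 13-byte LZMA 'alone' header; raise ValueError if it is not plausible."""
    if len(data) < ALONE_HEADER_LEN:
        raise ValueError('too short for an LZMA alone header')
    props, dict_size, size = struct.unpack('<BIQ', data[:ALONE_HEADER_LEN])
    # props = (pb * 5 + lp) * 9 + lc with lc <= 8, lp <= 4, pb <= 4, so valid values are < 225
    if props >= 9 * 5 * 5 or dict_size < LZMA_DICT_SIZE_MIN:
        raise ValueError(f'implausible header: props=0x{props:02x} dict_size={dict_size}')
    lc, rest = props % 9, props // 9
    return {'lc': lc, 'lp': rest % 5, 'pb': rest // 5,
            'dict_size': dict_size, 'uncompressed_size': size}

def find_alone_headers(fw, step=0x1000):
    """Page-aligned offsets whose bytes parse as a plausible LZMA alone header."""
    found = []
    for off in range(0, len(fw), step):
        try:
            parse_alone_header(fw[off:])
            found.append(off)
        except ValueError:
            pass
    return found

def decompress_airoha_lzma(fw, offset=0x1000, max_output=64 * 1024 * 1024):
    """Decompress the LZMA part at `offset`, capping output to resist decompression bombs."""
    stream = fw[offset:]
    header = parse_alone_header(stream)
    # Rewrite a possibly-initialised size field as "unknown" so the decoder relies on the
    # end marker instead (the same fix the script in this thread applies).
    fixed = stream[:5] + struct.pack('<Q', UNKNOWN_SIZE) + stream[ALONE_HEADER_LEN:]
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    out = dec.decompress(fixed, max_length=max_output + 1)
    if len(out) > max_output:
        raise ValueError('decompressed output exceeds max_output')
    if not dec.eof:
        raise ValueError('LZMA stream is truncated or lacks an end marker')
    return header, out

# Constructed sample (not a real image): LZMA-alone stream, size field set to the true length, behind 0x1000 header bytes
SAMPLE_PLAIN = b'AIROHA-TEST-FIRMWARE-BLOCK ' * 2000
_stream = lzma.compress(SAMPLE_PLAIN, format=lzma.FORMAT_ALONE)
SAMPLE_FIRMWARE = (b'\x00' * 0x1000 + _stream[:5]
                   + struct.pack('<Q', len(SAMPLE_PLAIN)) + _stream[ALONE_HEADER_LEN:])
```

`find_alone_headers(SAMPLE_FIRMWARE)` reports `[0x1000]`, and `decompress_airoha_lzma(SAMPLE_FIRMWARE)` returns the parsed header together with the original payload; passing a wrong offset or a too-small `max_output` raises `ValueError` instead of producing garbage.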

tenshi0xx commented 1 month ago

Quick question here: despite the firmware having been decrypted, there are no ways to modify it.

RG8geW91IGhhdmUgdGhlIGxhdGVzdCBhaXJvaGEgc2RrIGZvciBhaXJyZXBzLCB3aXRob3V0IGl0IGkgY2FuJ3QgZXZlbiBtb2RpZnkgYW55dGhpbmcsIG9yIGlmIHlvdSBrbm93IGhvdyB0byBtb2RpZnkgdGhlIGZpcm13YXJlIGZpbGUgcGxlYXNlIHRlbGwgbWUu

Base64

ramikg commented 1 month ago

> Do you have the latest Airoha SDK for AirReps? Without it I can't even modify anything, or if you know how to modify the firmware file please tell me.

Unfortunately the answer is no for both questions. I've never dealt with AirReps.

Best of luck.