Added fw modifications required to unpack real world player dumps.
Documented more fwu header fields, magic numbers and finite field arithmetics (extended Euclidean for inverse, long division for reducing modulo field_poly).
v3 encryption used is standard RC4 with the key additionally ciphered by the Elliptic Curve Integrated Encryption Scheme.
Either sect233k1 (NIST K-233) or sect163r2 (NIST B-163) curves can be used, with the former overwhelmingly prevailing, being hardwired in SDK's maker.exe. Using a private/public key scheme is superfluous because both are stored in the firmware, with the added level of complexity likely serving the purpose of obfuscation. The private key is generated at random with each invokation.
None of KDF or MAC from ECIES are used, RC4 key is directly xored with the shared secret. The random number r used to calculate rG isn't stored, but that's unimportant since only krG == rkG is actually used in the encryption.
Change-Id: Ieacf8cc744bc90c7c5582dd724b2c10a41bfc191
Several people asked me recently how to decrypt atj2127 firmware. Someone
posted on github (https://github.com/nfd/atj2127decrypt) a decrypt utility
clearly reverse engineered from some unknown source. The code is an absolute
horror but I concluded that ATJ changed very little between ATJ213x and ATJ2127
so I added support for the ATJ2127, credit to this github code that I stole
and rewrite (code was under MIT licence). At the same time do some small code
cleanups.
Note that there is not 100% sure way that I know to distinguish between the
two firmware types, so the code tries to do an educated guess to detect
ATJ2127. If this does not work, use --atj21217 option. Also note that contrary
to the github tool that decrypts and unpack in one go, this tool only does one
step at once. So first decrypt: HEX -> AFI, then unpack AFI -> files.
I also added for a different version of AFI. Based on AFI files I have, there
are, I think, two versions: the "old" ones (pre-ATJ213x) and "new" ones. The
tool only supported the new one but for some reason the ATJ2127 uses the old
ones without a mostly empty header. Strangely, even this mostly empty header
does not seem to follow the old layout as reverse engineered by the s1mp3
project (https://sourceforge.net/p/s1mp3/code/HEAD/tree/trunk/s1fwx/heads.h),
so in fact there might be three versions. In any case, only the header is
different, the rest of the file is identical so at the moment I just don't
print any header info for "old" files.
Change-Id: I1de61e64f433f6cacd239cd3c1ba469b9bb12442
If no output prefix is specified, a default is picked:
- filename with extension replaced by .afi for FWU files
- filename with extension replaced by .fw/ for AFI files
- filename without extension and with / for FW files
Change-Id: I6497b8f4a49f1238e5db738429f687cad3ae8a5a
