Dear readers,
Lets start from the beginning, roughly six months ago:
1) My trusty GT-I9300 died, had two for spare parts but ... SDS;
2) I got a Note 2, got blown off the road and ended up in the canal :( Phone was soaked, dead;
2) I bought an Xperia Z3+;
3) I unlocked the bootloader;
4) flashed AOSP.
Result: warranty void on day one!
I picked this phone for modability, sadly there are not that any developers active for this device and I have been slowly patching AOSP from Sony with some changes here and there trying to get a CM13 build going. But due to the dive into the water with my car, I have no desktop PC/laptop (both were i7 quad's) and my dualcore iMac makes development kinda tiresome.
Anyway, little did I know that upon unlocking the bootloader my DRM keys would be lost and on that note I did not really care either.
But today I accidentally started working on CM again and figured that the DRM messages about Widevine in logcat should be eliminated. So I looked into solutions, but the DRM "fix" wasn't creative enough (no sources, wtf?) for me and I set my aim on the culprit of it all: the TA partition!
I've probably been looking at it for at least half a day now and hallucinating due to sleep deprivation. BUT, I do NOT believe Sony just scrapped the DRM keys because you unlocked the device. The keys have come from somewhere, and the best thing about keys is: they can be reproduced!
So I have been looking through dumps, comparing things and found out that the keys are most likely "destroyed". I say "destroyed", because I believe there is a good chance of restoring them!
Gory details about the TA partition (post mortem):
CKb keys look like they are "blanked" with:
00XX 0000 0000 YY00
00XX 0000 0000 YY00
(I think XX represents the date (04-02, second of April) and YY represents the time (22:29) when I voided my warranty!
A CKb key is a simple Counter Key, so most likely easily recovered given enough data...
I noticed that there was a SQLite3 database file inside the TA partition, I extracted it and it holds the following data:
CREATE TABLE keytable ( dbAppId BLOB, dbUserId BLOB, dbKeyId BLOB UNIQUE, dbEncKeyType BLOB, dbData BLOB);
Looking at the last column of the table I noticed this:
The first entry = 31
The second entry is 313038
The third 323135
And the fourth 333232...
The dbData column increases with 10097 every time, could it be related to the CKb?
For the rest it looks like everything in the TA partition everything is in fact intact, except for CKb and AUTHCERT="UNKNOWN" for Marlin (not 100% sure if that is present pre-unlock)!
Marlin X509 certificates are intact.
HUK is the Hardware Unique Key, stored on a quite a few places.
Widevine looks intact.
So, why do I focus on the CKb? Simple, look at these reasons:
CBk is used in TLS/SSL authentication (requirement for NEMO (Marlin));
It is used in QSEE. < this is patched with the DRM "Fix";
It can be encoded as RSA and/or SHA1, and is easily verified in SBL with CRC.
TA unlock/lock data is passed as 0x0000000000000000.
If you use 10097 as a CRC polinomal, the last bit of your message changes (in this case your UID for ScubaKey and drm-client swap).
So, my question is:
Is there anyone with a backup of his TA partition that could send me a dump of this folder:
/dev/block/platform/soc.0/<bootdevid>.sdhci/by-name
You can leave userdata, system abd apps_log for what they are. I just want to compare bits spread over the other partitions.
I will need a dump from a locked state and one from an unlocked state where TA is not restored to see what actually gets changed.
You can PM me on the forum or sent an e-mail to my username at gmail.com, I will make you an account on my PC to drop the files!
Lets start from the beginning, roughly six months ago:
1) My trusty GT-I9300 died, had two for spare parts but ... SDS;
2) I got a Note 2, got blown off the road and ended up in the canal :( Phone was soaked, dead;
2) I bought an Xperia Z3+;
3) I unlocked the bootloader;
4) flashed AOSP.
Result: warranty void on day one!
I picked this phone for modability, sadly there are not that any developers active for this device and I have been slowly patching AOSP from Sony with some changes here and there trying to get a CM13 build going. But due to the dive into the water with my car, I have no desktop PC/laptop (both were i7 quad's) and my dualcore iMac makes development kinda tiresome.
Anyway, little did I know that upon unlocking the bootloader my DRM keys would be lost and on that note I did not really care either.
But today I accidentally started working on CM again and figured that the DRM messages about Widevine in logcat should be eliminated. So I looked into solutions, but the DRM "fix" wasn't creative enough (no sources, wtf?) for me and I set my aim on the culprit of it all: the TA partition!
I've probably been looking at it for at least half a day now and hallucinating due to sleep deprivation. BUT, I do NOT believe Sony just scrapped the DRM keys because you unlocked the device. The keys have come from somewhere, and the best thing about keys is: they can be reproduced!
So I have been looking through dumps, comparing things and found out that the keys are most likely "destroyed". I say "destroyed", because I believe there is a good chance of restoring them!
Gory details about the TA partition (post mortem):
CKb keys look like they are "blanked" with:
00XX 0000 0000 YY00
00XX 0000 0000 YY00
(I think XX represents the date (04-02, second of April) and YY represents the time (22:29) when I voided my warranty!
A CKb key is a simple Counter Key, so most likely easily recovered given enough data...
I noticed that there was a SQLite3 database file inside the TA partition, I extracted it and it holds the following data:
CREATE TABLE keytable ( dbAppId BLOB, dbUserId BLOB, dbKeyId BLOB UNIQUE, dbEncKeyType BLOB, dbData BLOB);
Looking at the last column of the table I noticed this:
The first entry = 31
The second entry is 313038
The third 323135
And the fourth 333232...
The dbData column increases with 10097 every time, could it be related to the CKb?
For the rest it looks like everything in the TA partition everything is in fact intact, except for CKb and AUTHCERT="UNKNOWN" for Marlin (not 100% sure if that is present pre-unlock)!
Marlin X509 certificates are intact.
HUK is the Hardware Unique Key, stored on a quite a few places.
Widevine looks intact.
So, why do I focus on the CKb? Simple, look at these reasons:
CBk is used in TLS/SSL authentication (requirement for NEMO (Marlin));
It is used in QSEE. < this is patched with the DRM "Fix";
It can be encoded as RSA and/or SHA1, and is easily verified in SBL with CRC.
TA unlock/lock data is passed as 0x0000000000000000.
If you use 10097 as a CRC polinomal, the last bit of your message changes (in this case your UID for ScubaKey and drm-client swap).
So, my question is:
Is there anyone with a backup of his TA partition that could send me a dump of this folder:
/dev/block/platform/soc.0/<bootdevid>.sdhci/by-name
You can leave userdata, system abd apps_log for what they are. I just want to compare bits spread over the other partitions.
I will need a dump from a locked state and one from an unlocked state where TA is not restored to see what actually gets changed.
You can PM me on the forum or sent an e-mail to my username at gmail.com, I will make you an account on my PC to drop the files!
from xda-developers http://ift.tt/2d0lDg0
via IFTTT
No comments:
Post a Comment