scratch/libretiny
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
libretiny/docs/platform/beken-72xx/keys.md
Kuba Szczodrzyński 03c723c73d [docs] Add draft Beken key extraction docs
2024-01-06 19:20:03 +01:00

49 lines
2.6 KiB
Markdown
Raw Permalink Blame History

# Finding encryption keys
## Introduction
!!! tip inline end
Before proceeding with this method, try using [ltchiptool](../../flashing/tools/ltchiptool.md)'s `Get chip info`
function. It will read eFuse, which may reveal the raw encryption key. If you see all `00000000`s, then the eFuse
is readout-protected and the key cannot be extracted in this simple way.
3-rd party firmware for Beken chips must be compiled with a flash encryption key matching the one programmed into
the chip. Incorrect keys will make the firmware unable to run.
The [`bk72xx-bootloader-dump`](https://github.com/libretiny-eu/bk72xx-bootloader-dump) firmware might make it easier
to find the encryption key of BK7231N/BK7231T chips.
The key is made of four 32-bit integers; the default key is usually `510fb093 a3cbeadc 5993a17e c7adeb03`
(used by Beken and Tuya on most devices), but devices with different keys have been recently discovered
(likely from other manufacturers).
If your device doesn't use the default keys (i.e. 3-rd party firmware doesn't boot up, or it hangs on bootloader logs),
you can try using this firmware file to extract the keys from the bootloader.
## Why this works (and when it doesn't)
The bootloader has its own copy of the keys. It uses that to encrypt firmware on-the-fly when applying OTA updates.
Files downloaded during an OTA update are *not* encrypted using the main encryption keys, so the bootloader
must encrypt them before flashing to the app partition. **This method works by flashing firmware directly to the**
**OTA partition**. It is then unpacked and encrypted properly by the bootloader.
However, OTA update packages *are* encrypted using AES - for this method to work, the AES key must be known in advance.
Most of the time, a simple `0123456789ABCDEF` key is used for OTA AES. We have seen manufacturers using different
keys - this method will not work in that case.
Additionally, OTA packages **don't have to** be encrypted - some bootloaders allow that, some don't. Using an
unencrypted package is worth trying if your device uses a non-standard OTA AES key.
## Prerequisites
1. A working computer with a working UART flashing setup. The preferred flashing tool is
[ltchiptool](../../flashing/tools/ltchiptool.md). You should have at least some prior experience with dumping
or flashing firmware.
2. **A full factory firmware dump** of the device you're working on. This is mostly in case something goes wrong,
but may also be necessary to read OTA partition offsets from.
3. A serial terminal (such as the [`ltchiptool-terminal`](https://github.com/libretiny-eu/ltchiptool-terminal) plugin).
## To be continued
Reference in New Issue View Git Blame Copy Permalink