[docs] Add draft Beken key extraction docs
This commit is contained in:
Kuba Szczodrzyński
48
docs/platform/beken-72xx/keys.md
Normal file
48
docs/platform/beken-72xx/keys.md
Normal file
@@ -0,0 +1,48 @@
|
||||
# Finding encryption keys
|
||||
|
||||
## Introduction
|
||||
|
||||
!!! tip inline end
|
||||
Before proceeding with this method, try using [ltchiptool](../../flashing/tools/ltchiptool.md)'s `Get chip info`
|
||||
function. It will read eFuse, which may reveal the raw encryption key. If you see all `00000000`s, then the eFuse
|
||||
is readout-protected and the key cannot be extracted in this simple way.
|
||||
|
||||
3-rd party firmware for Beken chips must be compiled with a flash encryption key matching the one programmed into
|
||||
the chip. Incorrect keys will make the firmware unable to run.
|
||||
|
||||
The [`bk72xx-bootloader-dump`](https://github.com/libretiny-eu/bk72xx-bootloader-dump) firmware might make it easier
|
||||
to find the encryption key of BK7231N/BK7231T chips.
|
||||
|
||||
The key is made of four 32-bit integers; the default key is usually `510fb093 a3cbeadc 5993a17e c7adeb03`
|
||||
(used by Beken and Tuya on most devices), but devices with different keys have been recently discovered
|
||||
(likely from other manufacturers).
|
||||
|
||||
If your device doesn't use the default keys (i.e. 3-rd party firmware doesn't boot up, or it hangs on bootloader logs),
|
||||
you can try using this firmware file to extract the keys from the bootloader.
|
||||
|
||||
## Why this works (and when it doesn't)
|
||||
|
||||
The bootloader has its own copy of the keys. It uses that to encrypt firmware on-the-fly when applying OTA updates.
|
||||
|
||||
Files downloaded during an OTA update are *not* encrypted using the main encryption keys, so the bootloader
|
||||
must encrypt them before flashing to the app partition. **This method works by flashing firmware directly to the**
|
||||
**OTA partition**. It is then unpacked and encrypted properly by the bootloader.
|
||||
|
||||
However, OTA update packages *are* encrypted using AES - for this method to work, the AES key must be known in advance.
|
||||
|
||||
Most of the time, a simple `0123456789ABCDEF` key is used for OTA AES. We have seen manufacturers using different
|
||||
keys - this method will not work in that case.
|
||||
|
||||
Additionally, OTA packages **don't have to** be encrypted - some bootloaders allow that, some don't. Using an
|
||||
unencrypted package is worth trying if your device uses a non-standard OTA AES key.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
1. A working computer with a working UART flashing setup. The preferred flashing tool is
|
||||
[ltchiptool](../../flashing/tools/ltchiptool.md). You should have at least some prior experience with dumping
|
||||
or flashing firmware.
|
||||
2. **A full factory firmware dump** of the device you're working on. This is mostly in case something goes wrong,
|
||||
but may also be necessary to read OTA partition offsets from.
|
||||
3. A serial terminal (such as the [`ltchiptool-terminal`](https://github.com/libretiny-eu/ltchiptool-terminal) plugin).
|
||||
|
||||
## To be continued
|
||||
Reference in New Issue
Block a user