Failure to decode latest Samsung DSRD.enc firmware files. #7

Open
Hashnoob opened this issue Apr 26, 2018 · 14 comments

@Hashnoob Hashnoob commented Apr 26, 2018

Hi Dominic,

Thanks for writing this utility; it has been very useful to me and many others.

Issue: This utility is unable to decode the DSRD.enc file from the firmware package below.
https://s3.ap-northeast-2.amazonaws.com/global.semi.static/Samsung_SSD_850_EVO_EMT02B6Q_Win.iso

Is there any chance for an update in the future?

Thanks

Owner

@ddcc ddcc commented Apr 27, 2018

I took a quick look, and the mechanism is different; the code refers to a base64 header and some AES-like encryption. But I don't have the time right now to actually reverse it.

I'm curious; aside from reverse engineering the firmware, what is the use case for changing the DSRD file?

Author

@Hashnoob Hashnoob commented Apr 27, 2018

Hey Dominic,
I appreciate the quick reply, I know this is an old project. This utility has allowed people to fix their Samsung SSDs with corrupted firmware, usually caused by Samsung Magician funny enough.

The firmware packages have a "safety feature" that only detects compatible drives, but fails to include compatible drives with corrupted firmware. By modifying the DSRD.enc file you can bypass the SSD checks and it will allow you to select any drive on the system, allowing you to restore the corrupted firmware.

DSRD.enc - Edit example:

<SSD>
<SN>ALL</SN>
<MOD>ALL</MOD>
<CURFW>ALL</CURFW>
<NEWFW>EMT03B6Q</NEWFW>
<IFW>EMT02B6Q.bin</IFW>
<PWR>T</PWR>
</SSD>

If only Samsung would not make things so difficult.

Either way thanks for taking a look at it!

@Qwertylex Qwertylex commented Feb 2, 2020

It actually didn't need any real reverse engineering.
Simply running strings fumagician and scrolling down with your eyes until you find something that looks like base64, I dunno ... say.. gzeDiyNFqnZizZAqlzHvUvRQYnW1fKfNnDa1Zb+ZPNE=.. then end up with:
openssl enc -aes-256-ecb -d -in DSRD.enc -out DSRD.bin -nopad -K 8337838b2345aa7662cd902a9731ef52f4506275b57ca7cd9c36b565bf993cd1

Owner

@ddcc ddcc commented Feb 5, 2020

Haha, great job!

@chrivers chrivers commented Apr 9, 2020

I've implemented a solution for decrypting modern firmwares:

https://github.com/chrivers/samsung-firmware-magic

Big surprise, it's still just terrible obfuscation.

@phoenixyj phoenixyj commented Apr 21, 2020

With this method, can I update the Samsung PM981A to the firmware of the 970 EVO Plus? The PM981A is said to have the same hardware as the 970 EVO Plus, except that the firmware is different; the PM981A is for OEMs and the 970 EVO Plus is retail.

@chrivers chrivers commented Apr 21, 2020

I can only speak for what my tool does - it helps decrypt (deobfuscate) modern firmware images.

As such, it could enable people who wish to pursue this further, a path towards that goal.

However, as far as I know, there's no known open-source method of applying these updates. It would hypothetically be possible to unpack the firmware files, modify them, use the tool (with a slight modification) to repack them, and give those files back to Samsung Magician.

That's outside of the scope for my little PoC project, I'm afraid :)

@igor222222 igor222222 commented Mar 14, 2021

Hello, help to solve the problem !! I have a samsung mzmte256hmhp-000mv drive, but the system and the Samsung program do not see it, but the BIOS does! Help restore the firmware !!

@marcosscriven marcosscriven commented Mar 21, 2021

> It actually didn't need any real reverse engineering.
> Simply running strings fumagician and scrolling down with your eyes until you find something that looks like base64, I dunno ... say.. gzeDiyNFqnZizZAqlzHvUvRQYnW1fKfNnDa1Zb+ZPNE=.. then end up with:
> openssl enc -aes-256-ecb -d -in DSRD.enc -out DSRD.bin -nopad -K 8337838b2345aa7662cd902a9731ef52f4506275b57ca7cd9c36b565bf993cd1

@Qwertylex - Just want to report this almost works for me, with the key extracted in a similar way.

However, somehow I'm getting a bit of padding before/after the XML:

_icianMAG_@*!.8&<C5>^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@<SSD>
<SN>ALL</SN>
<MOD>ALL</MOD>
<CURFW>1B2QEXM7</CURFW>
<NEWFW>2B2QEXM7</NEWFW>
<MFW>2B2QEXM7_00190411.bin</MFW>
<MFW>2B2QEXM7_10190411.bin</MFW>
<MFW>2B2QEXM7_20190411.bin</MFW>
</SSD>
^@^@^@^@^@^@^@^@^@^@^@

@Qwertylex Qwertylex commented Apr 1, 2021

@marcosscriven interesting. could you link me to that firmware?

@marcosscriven marcosscriven commented Apr 1, 2021

@Qwertylex - It's the one for Samsung_SSD_970_EVO_Plus_2B2QEXM7 extracted from the ISO in the firmware section of https://www.samsung.com/semiconductor/minisite/ssd/download/tools/

@Qwertylex Qwertylex commented Apr 2, 2021

So, I actually got this before, last year. I failed to mention it and never bothered to look into it.
But that 'padding before' is actually a file header which contains a magic signature and the file length.
It is at the start of the file and 32 bytes long; the first 16 bytes are the magic, the next 16 bytes contain a 32-bit little-endian file size padded with zeros.
As for the 'padding after' that is to be expected with encrypting in AES256 like this, unless your file happens to fall in just the right size for a block it has to be padded out to be the right size.

I made a script to decrypt, get the file size, and chop off the header and padding at the end: https://github.com/Qwertylex/samdecrypt.sh/blob/main/samdecrypt.sh

example:

~/sam $ 7z x Samsung_SSD_970_EVO_Plus_2B2QEXM7.iso
~/sam $ mkdir x; cd x
~/sam/x $ 7z x ../initrd; 7z x initrd\~
~/sam/x $ cd root/fumagician
~/sam/x/root/fumagician $ ./samdecrypt.sh DSRD.enc
~/sam/x/root/fumagician $ cat DSRD.bin
<SSD>
<SN>ALL</SN>
<MOD>ALL</MOD>
<CURFW>1B2QEXM7</CURFW>
<NEWFW>2B2QEXM7</NEWFW>
<MFW>2B2QEXM7_00190411.bin</MFW>
<MFW>2B2QEXM7_10190411.bin</MFW>
<MFW>2B2QEXM7_20190411.bin</MFW>
</SSD>
~/sam/x/root/fumagician $ ./samdecrypt.sh 2B2QEXM7.enc
~/sam/x/root/fumagician $ 7z x 2B2QEXM7.bin

which 2B2QEXM7.bin is actually a normal .zip and extracts the following:

2B2QEXM7_00190411.enc
2B2QEXM7_10190411.enc
2B2QEXM7_20190411.enc

which can be decrypted with the same samdecrypt.sh as above

@xyzzy42 xyzzy42 commented Apr 2, 2021

The samdecrypt.sh script worked for me on Samsung_SSD_960_EVO_3B7QCXE7.iso using the key 57633f2c1f8937565e935799356cd41f2366e0d1a74acfd6b6375dbab5e2e644

@Qwertylex Qwertylex commented Apr 3, 2021

Here's an easy way to find the key.
strings fumagician | grep -E '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$' | base64 -d | xxd -p -c 32
I've updated my repo to reflect this and added @xyzzy42's key to the known_keys.txt file
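
Added example, not part of the thread and not the samdecrypt.sh script linked above: a Python sketch of the two checks the comments describe, finding key-sized base64 strings in a binary and validating the 32-byte header of an already decrypted (`openssl ... -nopad`) file before trimming it. The function names, the zero-padding check and the sample bytes are assumptions made for illustration; the sample is constructed, modelled on the dump posted above.

```python
import base64
import re
import struct

HEADER_LEN = 32  # 16-byte magic + 16-byte length field, as described in the thread
BLOCK = 16       # AES block size
# Same shape as the grep pattern in the thread: 44 base64 characters that
# decode to exactly 32 bytes, the size of an AES-256 key.
KEY_RE = re.compile(rb"[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=")


def key_candidates(binary: bytes) -> list:
    """Hex-encode every printable run that is exactly one base64-encoded key."""
    runs = re.findall(rb"[\x20-\x7e]{4,}", binary)  # roughly what `strings` prints
    return [base64.b64decode(r).hex() for r in runs if KEY_RE.fullmatch(r)]


def unwrap(decrypted: bytes) -> tuple:
    """Split the output of `openssl enc -d -nopad` into (magic, payload)."""
    if len(decrypted) < HEADER_LEN or len(decrypted) % BLOCK:
        raise ValueError("expected whole AES blocks and a 32-byte header")
    magic, length_field = decrypted[:16], decrypted[16:HEADER_LEN]
    (size,) = struct.unpack_from("<I", length_field)  # 32-bit little-endian
    if any(length_field[4:]):
        raise ValueError("length field is not zero-padded (wrong key?)")
    end = HEADER_LEN + size
    if end > len(decrypted):
        raise ValueError("declared size exceeds the file (wrong key?)")
    if any(decrypted[end:]):  # assumption: padding is zero bytes, as in the dump
        raise ValueError("non-zero bytes after the payload")
    return magic, decrypted[HEADER_LEN:end]


# Constructed sample modelled on the dump in the thread (not a real file).
_XML = b"<SSD>\r\n<SN>ALL</SN>\r\n</SSD>\r\n"
_BODY = b"_icianMAG_@*!.8&" + struct.pack("<I", len(_XML)) + bytes(12) + _XML
SAMPLE = _BODY + bytes(-len(_BODY) % BLOCK)

if __name__ == "__main__":
    magic, payload = unwrap(SAMPLE)
    print(magic, len(payload))
    print(payload.decode())
```

A decryption with the wrong key almost always fails the length-field checks, which makes `unwrap` a cheap way to tell which known key fits a given file.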
