Failure to decode latest Samsung DSRD.enc firmware files.

[Hashnoob]

Hi Dominic,

Thanks for writing this utility it has been very useful to me and many others.

Issue: This utility is unable to decode the DSRD.enc file from the firmware package below.
https://s3.ap-northeast-2.amazonaws.com/global.semi.static/Samsung_SSD_850_EVO_EMT02B6Q_Win.iso

Is there any chance for an update in the future?

Thanks

[ddcc]

I took a quick look, and the mechanism is different; the code refers to a base64 header and some AES-like encryption. But I don't have the time right now to actually reverse it.

I'm curious; aside from reverse engineering the firmware, what is the use case for changing the DSRD file?

[Hashnoob]

Hey Dominic,
I appreciate the quick reply, I know this is an old project. This utility has allowed people to fix their Samsung SSD's with corrupted firmware, usually caused by Samsung Magician funny enough.

The firmware packages have a "safety feature" that only detect compatible drives, but fails to include compatible drives with corrupted firmware. By modifying the DSRD.enc file you can bypass the SSD checks and it will allow you to select any drive on the system. Allowing you to restore the corrupted firmware.

DSRD.enc - Edit example:

<SSD>
<SN>ALL</SN>
<MOD>ALL</MOD>
<CURFW>ALL</CURFW>
<NEWFW>EMT03B6Q</NEWFW>
<IFW>EMT02B6Q.bin</IFW>
<PWR>T</PWR>
</SSD>

If only Samsung would not make things so difficult.

Either way thanks for taking a look at it!

[Qwertylex]

It actually didn't need any real reverse engineering.
Simply running strings fumagician and scrolling down with your eyes until you find something that looks like base64, I dunno ... say.. gzeDiyNFqnZizZAqlzHvUvRQYnW1fKfNnDa1Zb+ZPNE=.. then end up with:
openssl enc -aes-256-ecb -d -in DSRD.enc -out DSRD.bin -nopad -K 8337838b2345aa7662cd902a9731ef52f4506275b57ca7cd9c36b565bf993cd1

[ddcc]

Haha, great job!

[chrivers]

I've implemented a solution for decrypting modern firmwares:

https://github.com/chrivers/samsung-firmware-magic

Big surprise, it's still just terrible obfuscation.

[phoenixyj]

With this method, can I update the Samsung PM981A to the firmware of the 970 EVO Plus? The PM981A is said to have the same hardware as the 970 EVO Plus, except that the firmware is different, the PM981A is for OEMs and the 970 EVO Plus is retail.

[chrivers]

I can only speak for what my tool does - it helps decrypt (deobfuscate) modern firmware images.

As such, it could enable people who wish to pursue this further, a path towards that goal.

However, as far as I know, there's no known open-source method of applying these updates. It would hypothetically be possible to unpack the firmware files, modify them, use the tool (with a slight modification) to repack them, and give those files back to samsung magician.

That's outside of the scope for my little PoC project, I'm afraid :)

[igor222222]

Hello, help to solve the problem !! I have a samsung mzmte256hmhp-000mv drive, but the system and the Samsung program do not see it, but the BIOS does! Help restore the firmware !!

[marcosscriven]

It actually didn't need any real reverse engineering.
Simply running strings fumagician and scrolling down with your eyes until you find something that looks like base64, I dunno ... say.. gzeDiyNFqnZizZAqlzHvUvRQYnW1fKfNnDa1Zb+ZPNE=.. then end up with:
openssl enc -aes-256-ecb -d -in DSRD.enc -out DSRD.bin -nopad -K 8337838b2345aa7662cd902a9731ef52f4506275b57ca7cd9c36b565bf993cd1

@Qwertylex - Just want to report this almost works for me, with the key extracted in a similar way.

However, somehow I'm getting a bit of padding before/after the XML:

_icianMAG_@*!.8&<C5>^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@<SSD>
<SN>ALL</SN>
<MOD>ALL</MOD>
<CURFW>1B2QEXM7</CURFW>
<NEWFW>2B2QEXM7</NEWFW>
<MFW>2B2QEXM7_00190411.bin</MFW>
<MFW>2B2QEXM7_10190411.bin</MFW>
<MFW>2B2QEXM7_20190411.bin</MFW>
</SSD>
^@^@^@^@^@^@^@^@^@^@^@

[Qwertylex]

@marcosscriven interesting. could you link me to that firmware?

[marcosscriven]

@Qwertylex - It's the one for Samsung_SSD_970_EVO_Plus_2B2QEXM7 extracted from the ISO in the firmware section of https://www.samsung.com/semiconductor/minisite/ssd/download/tools/

[Qwertylex]

So, I actually got this before, last year. I failed to mention it and never bothered to look into it.
But that 'padding before' is actually a file header which contains a magic signature and the file length.
It is at the start of the file and 32 bytes long, the first 16 bytes is the magic, the next 16 bytes contains a 32 bit Little Endian file size padded with zeros.
As for the 'padding after' that is to be expected with encrypting in AES256 like this, unless your file happens to fall in just the right size for a block it has to be padded out to be the right size.

I made a script to decrypt, get the file size, and chop off the header and padding at the end: https://github.com/Qwertylex/samdecrypt.sh/blob/main/samdecrypt.sh

example:

~/sam $ 7z x Samsung_SSD_970_EVO_Plus_2B2QEXM7.iso
~/sam $ mkdir x; cd x
~/sam/x $ 7z x ../initrd; 7z x initrd\~
~/sam/x $ cd root/fumagician
~/sam/x/root/fumagician $ ./samdecrypt.sh DSRD.enc
~/sam/x/root/fumagician $ cat DSRD.bin
<SSD>
<SN>ALL</SN>
<MOD>ALL</MOD>
<CURFW>1B2QEXM7</CURFW>
<NEWFW>2B2QEXM7</NEWFW>
<MFW>2B2QEXM7_00190411.bin</MFW>
<MFW>2B2QEXM7_10190411.bin</MFW>
<MFW>2B2QEXM7_20190411.bin</MFW>
</SSD>
~/sam/x/root/fumagician $ ./samdecrypt.sh 2B2QEXM7.enc
~/sam/x/root/fumagician $ 7z x 2B2QEXM7.bin

which 2B2QEXM7.bin is actually a normal .zip and extracts the following:

2B2QEXM7_00190411.enc
2B2QEXM7_10190411.enc
2B2QEXM7_20190411.enc

which can be decrypted with the same samdecrypt.sh as above

[xyzzy42]

The samdecrypt.sh script worked for me on Samsung_SSD_960_EVO_3B7QCXE7.iso using the key 57633f2c1f8937565e935799356cd41f2366e0d1a74acfd6b6375dbab5e2e644

[Qwertylex]

Here's an easy way to find the key.
strings fumagician | grep -E '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$' | base64 -d | xxd -p -c 32
I've updated my repo to reflect this and added @xyzzy42 's key to the known_keys.txt file

[LynxZeta]

I decrypted three files from the 850EVO firmware, but what puzzles me is which file is the correct firmware?

icianMAG@*!.8&?
ALL
ALL
EMT01B6Q
EMT02B6Q
EMT02B6Q_01150903.bin
EMT02B6Q_03151015.bin
EMT02B6Q_05151013.bin