Airoha Firmware Decryption for XM4/5/6 devices (Custom Voicepack, etc)

[mos9527]

Coming from #44. The AES/IV pair for the offical firmware can be found via burte-forcing LZMA headers with a flash dump.

https://github.com/ramikg/airoha-firmware-parser can be used to operate on the files directly should a KEY/IV pair be found. The POC script here prove to be sufficent to locate the keys should a flash dump and a firmware file be provided. (coded by GPT5.5, referencing https://github.com/HelgeSverre/sony-vp-extract)

#!/usr/bin/env python3
from Crypto.Cipher import AES
from pathlib import Path
import argparse, hashlib, lzma, struct

SBOX_SIG = bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")
COMMON_DICTS = (0x4000, 0x8000, 0x10000, 0x100000)
MAX_UNPACKED = 128 * 1024 * 1024

def u32(b, off): return struct.unpack_from("<I", b, off)[0]
def u64(b, off): return struct.unpack_from("<Q", b, off)[0]
def bxor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def asciiish(b): return "".join(chr(x) if 32 <= x < 127 else "." for x in b)

def find_ascii16(buf):
    out = []
    for i in range(len(buf) - 16):
        s = buf[i:i + 16]
        if buf[i + 16] == 0 and all(32 < c < 127 for c in s):
            out.append((i, s))
    return out

def parse_lzma_header(p):
    if len(p) < 13 or p[0] != 0x5D:
        return None
    dict_size = u32(p, 1)
    unpacked = u64(p, 5)
    props = p[0]
    lc, lp, pb = props % 9, (props // 9) % 5, (props // 9) // 5
    if dict_size not in COMMON_DICTS or not (0 < unpacked <= MAX_UNPACKED):
        return None
    if lc > 8 or lp > 4 or pb > 4:
        return None
    return lc, lp, pb, dict_size, unpacked

def full_decompress(body, key, iv):
    dec = AES.new(key, AES.MODE_CBC, iv).decrypt(body)
    hdr = parse_lzma_header(dec[:13])
    if hdr is None:
        raise ValueError("not an LZMA-alone header after decrypt")
    lc, lp, pb, dict_size, unpacked = hdr
    filters = [{"id": lzma.FILTER_LZMA1, "lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size}]
    d = lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=filters)
    out = d.decompress(dec[13:], max_length=unpacked)
    return dec, hdr, out, d

def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("--flash", default="firmware/XM6_headphones_flash_dump.bin")
    ap.add_argument("--oracle", default="firmware/3.0.0_UPG_enc_secureboot_SAMD_RIKYU.0033c792a09955fa023cd106e8dbd522638e5f5c.bin")
    ap.add_argument("--full", action="store_true")
    args = ap.parse_args()

    flash = Path(args.flash).read_bytes()
    blob = Path(args.oracle).read_bytes()
    body = blob[0x1000:]

    if len(body) % 16:
        raise SystemExit(f"oracle body is not AES-block aligned: {len(body)}")

    print(f"flash_size {len(flash)}")
    print(f"oracle_size {len(blob)} body_len {len(body)}")
    print(f"sbox_sig 0x{flash.find(SBOX_SIG):x}")
    print(f"header compression=0x{blob[0x104]:x} body_size={u32(blob, 0x10a)} hint={u32(blob, 0x13a)}")

    candidates = find_ascii16(flash)
    print(f"ascii16_candidates {len(candidates)}")

    by_prefix = {}
    for off, s in candidates:
        by_prefix.setdefault(s[:5], []).append((off, s))

    c0 = body[:16]
    expected_prefixes = [bytes([0x5D]) + struct.pack("<I", d) for d in COMMON_DICTS]
    hits = []

    for key_off, key in candidates:
        mid = AES.new(key, AES.MODE_ECB).decrypt(c0)
        for expected in expected_prefixes:
            needed_iv_prefix = bxor(mid[:5], expected)
            for iv_off, iv in by_prefix.get(needed_iv_prefix, []):
                p0 = bxor(mid, iv)
                hdr = parse_lzma_header(p0)
                if hdr:
                    hits.append((key_off, key, iv_off, iv, hdr, p0))
                    print(f"hit key@0x{key_off:x}={key.decode()} iv@0x{iv_off:x}={iv.decode()}")
                    print(f"dec0 {p0.hex()} lzma={hdr}")

    if args.full and hits:
        key_off, key, iv_off, iv, hdr, _ = hits[0]
        dec, hdr, out, d = full_decompress(body, key, iv)
        print(f"confirmed key@0x{key_off:x} iv@0x{iv_off:x}")
        print(f"dec[:32] {dec[:32].hex()}")
        print(f"out_len {len(out)} eof={d.eof} needs_input={d.needs_input}")
        print(f"sha256 {hashlib.sha256(out).hexdigest()}")
        print(f"out[:64] {out[:64].hex()} {asciiish(out[:64])}")

if __name__ == "__main__":
    main()

• Firmware can be downloaded from https://github.com/lzghzr/MDR_Proxy#%E9%99%84%E5%BD%95-appendix
• Thanks @morgenstern09 for graciously providing the flash dumps for the XM5 buds and the XM6.

Here's an non-exhaustive list of all AES Key/IV pairs Airoha devices used:

Device	Key	IV	Key (Hex)	IV (Hex)
WH-1000XM6	ieteaJieca0hiSie	oyoquooGhah8ieG3	69657465614a69656361306869536965	6f796f71756f6f476861683869654733
WF-1000XM5	Eo9eigaepuHeipoh	eiyieyaaxoz7Oida	456f3965696761657075486569706f68	6569796965796161786f7a374f696461
WH-1000XM4 (from https://github.com/HelgeSverre/sony-vp-extract)	eibohjeCh6uegahf	miefeinuShu9eilo	6569626f686a65436836756567616866	6d69656665696e755368753965696c6f

• NOTE: Using the Hex value with Rami's decryptor requires the --reverse-key-and-iv flag. E.g.

python .\decryptor\airoha_decrypt.py --from ..\firmware\3.0.0_UPG_enc_secureboot_SAMD_RIKYU.0033c792a09955fa023cd106e8dbd522638e5f5c.bin --key 69657465614a69656361306869536965 --iv 6f796f71756f6f476861683869654733 --reverse-key-and-iv --to 3.0.0_UPG_enc_secureboot_SAMD_RIKYU.dec.bin

[mos9527]

TODO:

• Update instructions on dumping the flash. Possibly via https://github.com/auracast-research/race-toolkit?
• Voice pack replacement on the images themselves, which https://github.com/HelgeSverre/sony-vp-extract has already done

[mos9527]

Addenum:

• Rami's Airoha FW pattern is made for 010 Editor. If you don't have a license, I've ported this to the free ImHex Editor which can be used instead to parse the UPG packages (undecrypted) with the following template:

// Ported from the 010-Editor template available at https://github.com/ramikg/airoha-firmware-parser
#pragma author ramikg, mos9527
#pragma description Airoha Encrypted Firmware Package
#pragma endian little

enum CompressionType : u8 {
    None = 0,
    Lzma = 1,
    LzmaAes = 2,
};

enum IntegrityCheckType : u8 {
    Crc32 = 0,
    Sha256 = 1,
    Sha256Rsa = 2,
};

enum TlvType : u16 {
    BasicInfo = 0x11,
    MoverInfo = 0x12,
    VersionInfo = 0x13,
    IntegrityVerifyInfo = 0x14,
    DeviceNameInfo = 0x20,
    DeviceTypeInfo = 0x21,
    IsNvdmIncompatibleFlag = 0xF0,
};

fn tlv_type_name(TlvType value) {
    match (value) {
        (TlvType::BasicInfo): return "BASIC_INFO";
        (TlvType::MoverInfo): return "MOVER_INFO";
        (TlvType::VersionInfo): return "VERSION_INFO";
        (TlvType::IntegrityVerifyInfo): return "INTEGRITY_VERIFY_INFO";
        (TlvType::DeviceNameInfo): return "DEVICE_NAME_INFO";
        (TlvType::DeviceTypeInfo): return "DEVICE_TYPE_INFO";
        (TlvType::IsNvdmIncompatibleFlag): return "IS_NVDM_INCOMPATIBLE_FLAG";
        (_): return "UNKNOWN";
    }
};

struct Sha256Checksum {
    u8 bytes[32];
};

struct Section {
    u32 source_offset [[comment("Offset within the encrypted package")]];
    u32 decompressed_size;
    u32 dest_offset [[comment("Destination offset in flash")]];
};

struct BasicInfo {
    CompressionType compression_type;
    IntegrityCheckType integrity_check_type;

    u32 firmware_offset;
    u32 firmware_size;
};

struct BasicInfoTlv {
    TlvType type [[format("tlv_type_name")]];
    u16 length;

    BasicInfo value [[inline]];
};

struct VersionInfo {
    char version_string[parent.length];
};

struct MoverInfo {
    u32 number_of_sections;

    Section sections_table[number_of_sections] [[inline]];
};

struct IntegrityVerifyInfo {
    u32 number_of_checksums;

    Sha256Checksum checksums[number_of_checksums] [[name("SHA256 Checksums")]];
};

struct DeviceNameInfo {
    char device_name[parent.length];
};

struct DeviceTypeInfo {
    char device_type[parent.length];
};

struct IsNvdmIncompatibleFlag {
    u8 is_nvdm_incompatible;
    if (parent.length > sizeof(is_nvdm_incompatible)) {
        u8 reserved[parent.length - sizeof(is_nvdm_incompatible)];
    }
};

struct UnknownTlvValue {
    u8 value[parent.length];
};

struct TlvOrTerminator {
    TlvType type [[format("tlv_type_name")]];

    if (type == 0xFFFF) {
        break;
    } else {
        u16 length;

        match (type) {
            (TlvType::BasicInfo): BasicInfo value [[inline]];
            (TlvType::VersionInfo): VersionInfo value [[inline]];
            (TlvType::MoverInfo): MoverInfo value [[inline]];
            (TlvType::IntegrityVerifyInfo): IntegrityVerifyInfo value [[inline]];
            (TlvType::DeviceNameInfo): DeviceNameInfo value [[inline]];
            (TlvType::DeviceTypeInfo): DeviceTypeInfo value [[inline]];
            (TlvType::IsNvdmIncompatibleFlag): IsNvdmIncompatibleFlag value [[inline]];
            (_): UnknownTlvValue value [[inline]];
        }
    }
};

struct AirohaFirmware {
    Sha256Checksum file_checksum [[comment("SHA-256 over bytes from 0x100 to EOF")]];
    u8 padding1[224];

    BasicInfoTlv basic_info [[name("BASIC_INFO")]];
    TlvOrTerminator tlvs[while(true)] [[name("TLVs")]];

    if ($ < basic_info.value.firmware_offset) {
        padding[basic_info.value.firmware_offset - $];
    }

    u8 firmware[basic_info.value.firmware_size] [[name("Encrypted/Compressed Firmware Body")]];
};

AirohaFirmware firmware @ 0x00;