Possible way to self-sign Recovery and ROMs on S7, just need some help.

lavavex

New member
Apr 10, 2017
Hey, I noticed while looking through the stock firmware AP file that in meta-data/fota.zip there are .jar files that have to do with package signing. Only issue is that the zip is password protected. If someone has the compute power and skills to decrypt a zip and look at the jar files and ****, maybe we could find a way to sign our own TWRP recoveries and ROMs. Just a thought; I'll post a link to the fota.zip file I was talking about in a bit if anyone wants to take a crack at it. (Google Drive is taking forever to upload because of AT&T's ****ty DSL speeds, sorry)
Download Link: htt*ps:/*/drive.*google*.com/file/*d/0B9tb-svjqaVD*b3Y0V0tXR3drSzA/vie*w?usp=sharing (Remove all *'s from link, stupid 10 post until you can post links limitation)

Thanks,
Lavavex

adfree

Senior Member
Jun 14, 2008
Yesterday I downloaded this fota.zip... and yes... same password as, for instance, in my prior test with:
SM-J330F and 1 more...


Here are the 3 keys to decrypt if somebody wants to try...

Code:
2b4d493c
6142b289
1b7024aa
Code:
Key0
Key1
Key2
I have used Advanced Archive Password Recovery from Elcomsoft...

Best Regards
 

osm0sis

Senior Recognized Developer / Recognized Contribut
Mar 14, 2012
> Yesterday I downloaded this fota.zip... and yes... same password as, for instance, in my prior test with:
> SM-J330F and 1 more...
>
> Here are the 3 keys to decrypt if somebody wants to try...
>
> Code:
> 2b4d493c
> 6142b289
> 1b7024aa
> Code:
> Key0
> Key1
> Key2
> I have used Advanced Archive Password Recovery from Elcomsoft...
>
> Best Regards
Which will allow unpacking of the above zip? I thought it needed a zip password.
 

adfree

Senior Member
Jun 14, 2008
> Which will allow unpacking of the above zip? I thought it needed a zip password.
We never found the password... but for decryption you need only these 3 keys...

They can be easily found in a few minutes... with the right tool...
Code:
2b4d493c
6142b289
1b7024aa
Here Key0 Key1 Key2 for Samsung's fota.zip...

This is really no rocket science...

Simply read about the plain-text attack...

You can see all filenames... :rolleyes:
You can see all filesizes etc...

Many files are floating around the Internet... to create a ZIP for the attack...
Then the result is possible in a few minutes... :angel:

Use these 3 keys in the tool:
Code:
Advanced Archive Password Recovery
And try to unpack it yourself...

Best Regards

Edit 1.
Screenshot added...
Then maybe it is clearer...
The trial version maybe has limitations... but to see it work... it is enough to play with the trial. ;)

TheF|ipSide

Guest
@adfree or to anyone who can answer.
Quick question, what are the legal limitations to what is going on here? I may or may not have a file from inside the fota.zip, but will sharing it put me in the legal wrong? If it is within the legal boundaries, I'd be happy to upload it for anyone to take a look at, but I don't want to land on the wrong side of the law by doing so. Please do let me know, as this is the most exciting development we've had when it comes to bootloader unlocking in a while. Also, it seems as though we can't view the entirety of the contents of the fota.zip with the trial version of the zip extraction tool mentioned in this thread, so if someone with more knowledge about this can confirm we could unlock our bootloaders with the contents of the zip (based on what is currently known about this), I'd be happy to bite the bullet of paying for the premium version given we can do this within the boundaries of the law.
Thanks.

adfree

Senior Member
Jun 14, 2008
1.
Maybe you can answer your question yourself...
Samsung PROTECTED this ZIP with a password. :D ;)

2.
IMHO it is kernel related...
Yeah I know... Boot is very irritating...
But it is not sboot.bin related...

3.
About decrypting all files...
There is a command line tool floating around...
Code:
pkcrack
Try to Google it...
I have not tried...
I am a 1-click-button user... :eek:

Best Regards
 

osm0sis

Senior Recognized Developer / Recognized Contribut
Mar 14, 2012
zipdecrypt from the pkcrack package plus those 3 keys worked flawlessly. :good: :cool:

Edit: Crazy number of utilities in this zip, but no script to run them all, and a lot of references to external files. No smoking gun like a "sbootimg_signer" binary or anything to make their proprietary footer signature, and no Samsung signature files.
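The keys-only decryption that adfree describes above and osm0sis confirms with zipdecrypt rests on how traditional PKZIP encryption (ZipCrypto) works: the password is used only to initialise three 32-bit registers, and from then on the cipher runs entirely on that triple, so whoever holds key0/key1/key2 needs no password. The example below is an added illustration written for this thread; it is not code from the forum, from pkcrack, or from Samsung's tools. It implements the ZipCrypto key schedule from the PKWARE APPNOTE, builds a small encrypted archive from a constructed password and payload, opens it with Python's standard zipfile module using the password, and then decrypts the same member again using only the derived key triple. The member name, password and contents are made up. Nothing here recovers keys from ciphertext; it only shows why a leaked triple is equivalent to the password for that archive, and why the same triple opens every member of every archive protected with that password. The defender's reading is the one the thread demonstrates: ZipCrypto gives no real confidentiality once a known-plaintext attack (Biham and Kocher's, as implemented by pkcrack) is possible, so anything sensitive belongs under AES-based zip encryption or under encryption applied outside the archive, not under a legacy zip password.

```python
import io
import os
import struct
import zipfile
import zlib


def _crc32_step(crc, byte):
    # One raw CRC-32 table step, (crc >> 8) ^ table[(crc ^ byte) & 0xFF], expressed via zlib:
    # undo zlib's pre/post inversion so the register value matches the APPNOTE pseudocode.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class ZipCrypto:
    """Traditional PKZIP stream cipher (APPNOTE 6.1); the whole state is key0/key1/key2."""
    INITIAL_KEYS = (0x12345678, 0x23456789, 0x34567890)

    def __init__(self, keys=INITIAL_KEYS):
        self.key0, self.key1, self.key2 = keys

    @classmethod
    def from_password(cls, password):
        # The password is fed byte by byte through the key update and then forgotten;
        # the resulting triple is what key-recovery tools report and what zipdecrypt takes.
        state = cls()
        for b in password:
            state.update(b)
        return state

    def keys(self):
        return (self.key0, self.key1, self.key2)

    def update(self, plain_byte):
        self.key0 = _crc32_step(self.key0, plain_byte)
        self.key1 = (self.key1 + (self.key0 & 0xFF)) & 0xFFFFFFFF
        self.key1 = (self.key1 * 134775813 + 1) & 0xFFFFFFFF
        self.key2 = _crc32_step(self.key2, self.key1 >> 24)

    def keystream_byte(self):
        k = self.key2 | 2
        return ((k * (k ^ 1)) >> 8) & 0xFF  # bits 8..15 depend only on k's low 16 bits

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = c ^ self.keystream_byte()
            self.update(p)  # the state advances on the plaintext byte
            out.append(p)
        return bytes(out)

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            out.append(p ^ self.keystream_byte())
            self.update(p)
        return bytes(out)


_LOCAL_HDR = "<IHHHHHIIIHH"  # PKZIP local file header layout


def build_encrypted_zip(name, data, password):
    """Single stored member, ZipCrypto-encrypted (flag bit 0), no data descriptor."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes, then the check byte (high byte of the CRC).
    header = os.urandom(11) + bytes([crc >> 24])
    body = ZipCrypto.from_password(password).encrypt(header + data)
    dos_time, dos_date = 0, ((2017 - 1980) << 9) | (4 << 5) | 10
    flags, method = 1, zipfile.ZIP_STORED
    local = struct.pack(_LOCAL_HDR, 0x04034B50, 20, flags, method, dos_time, dos_date,
                        crc, len(body), len(data), len(name), 0) + name + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          dos_time, dos_date, crc, len(body), len(data), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def decrypt_member_with_keys(archive, keys):
    """Decrypt the first member from key0/key1/key2 alone; no password involved."""
    fields = struct.unpack_from(_LOCAL_HDR, archive, 0)
    sig, _, flags, method, _, _, crc, csize, _, fnlen, extralen = fields
    if sig != 0x04034B50 or not flags & 1 or method != zipfile.ZIP_STORED:
        raise ValueError("expected a stored, ZipCrypto-encrypted member")
    start = struct.calcsize(_LOCAL_HDR) + fnlen + extralen
    plain = ZipCrypto(keys).decrypt(archive[start:start + csize])
    header, data = plain[:12], plain[12:]
    if header[11] != crc >> 24 or zlib.crc32(data) & 0xFFFFFFFF != crc:
        raise ValueError("wrong keys: check byte or CRC mismatch")
    return data


def demo():
    password = b"example-password"                    # constructed for the example
    secret = b"hypothetical OTA tool payload\n" * 16  # constructed for the example
    archive = build_encrypted_zip(b"member.bin", secret, password)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:  # path 1: password via the stdlib
        via_password = zf.read("member.bin", pwd=password)
    keys = ZipCrypto.from_password(password).keys()   # path 2: the key triple alone
    via_keys = decrypt_member_with_keys(archive, keys)
    return via_password == secret == via_keys, keys
```

Calling demo() returns True together with the derived triple. Because from_password is deterministic, the same password always yields the same key0/key1/key2, which is why the three values posted above open every member of the archive, and any other archive protected with the same password, without the password ever being known.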

Delgoth

Senior Member
Dec 1, 2010
Correct. All fota zip passwords are fotatest1234

@lavavex , @osm0sis

Yes it is, but now the question still to be answered is, do the tools within the fota.zip file actually work for legitimately repacking the boot/recovery image? Because in the fota.zip I checked from Android Pie's release it mentioned the "user/test-keys" and very much so had all of the compiled tools to actually patch a system and create an ADB-flashable zip for stock recovery.

Could we technically make a signed sideloadable update.zip if the update package was created on the device itself? The scripts included, along with the updated compiled binary tools, really do seem to be the toolkit we've been looking for but have overlooked. I haven't tested it out fully, but I'm still reading about how to proceed. It isn't just the S7 either. So are the tools customized to the device, the Android branch, or the bootloader?

osm0sis

Senior Recognized Developer / Recognized Contribut
Mar 14, 2012
> @lavavex , @osm0sis
>
> Yes it is, but now the question still to be answered is, do the tools within the fota.zip file actually work for legitimately repacking the boot/recovery image? Because in the fota.zip I checked from Android Pie's release it mentioned the "user/test-keys" and very much so had all of the compiled tools to actually patch a system and create an ADB-flashable zip for stock recovery.
>
> Could we technically make a signed sideloadable update.zip if the update package was created on the device itself? The scripts included, along with the updated compiled binary tools, really do seem to be the toolkit we've been looking for but have overlooked. I haven't tested it out fully, but I'm still reading about how to proceed. It isn't just the S7 either. So are the tools customized to the device, the Android branch, or the bootloader?

Presumably what I previously said still stands:
> Crazy number of utilities in this zip, but no script to run them all, and a lot of references to external files. No smoking gun like a "sbootimg_signer" binary or anything to make their proprietary footer signature, and no Samsung signature files.