I have a link to this page, adb appcontrol. If you're referring to the launcher, in the YouTube video description I have a link also, and info.
First, let me tell you, you've done great work collecting all that info!
You'll be happy that I also recently started to look at this.
Mine is a similar model (KDL55W808C, MT5890).
Edit: Crap, these certs/keys can be copied simply from ADB
Sadly, my eMMC is starting to fail, causing slowdowns and such, someday it'll die in the usual endless bootloop.
Researching how to replace the emmc, I learned about the rpmb partitions (that was new to me).
Crap, rpmb is only accessible if you first program an OTP key, which is done at the factory.
Anyways, I found a full flash dump here.
After some binary analysis I extracted the u-boot environment, which gave all the partition offsets:
Code:
all=load boot recovery userdata cache system
android_env=reloadenv
autostart=yes
baudrate=115200
boot=update boot boot.img
bootargs=lpj=120000 console=ttyMT0,115200n1 root=/dev/mmcblk0p5 vmalloc=700mb quiet mtdparts=mt53xx-emmc:2M(uboot),2M(uboot_env),1M(eeprom_A),8M(perm),20M(boot),1M(reserved),1M(channelA),1M(channelB),14M(pq),1M(aq),4M(bootlogo),2M(tzbp),100M(linux_rootfsA),159M(basic),233M(3rd_rw),1M(hdmi),124M(3rd_ro),1M(panel),1M(ci),1M(edid),1M(svc),1M(ddb),38M(epg),3M(adsp),1024M(data_demo),1M(wfdp),1M(ddri),1M(mlfw),5M(ldat),6M(mafw),1M(dfw1),1M(dfw2),5M(pdat),2M(bdat),2M(ndat),1M(fdat),1M(udat),2M(bdix),1M(minf),10M(bedat),2048M(upgrade),1M(misc),20M(recovery),1800M(system),8627M(userdata),600M(cache),1M(sdcard),1M(udt),1M(arib_nvram),4M(sapost),1M(hdmieqfw),1M(version),1M(reserved1),1M(reserved2),1M(reserved3),1M(reserved4),1M(reserved5),1M(reserved6),1M(reserved7),1M(reserved8),1M(reserved9),1M(reserved10),1M(reserved11)
bootcmd=eboot.lzo boot
bootdelay=0
cache=update cache cache.img
gpu4kionsize=0
gpu4ksize=0
gpu4kstart=813600768
gpufhdionsize=0
gpufhdsize=0
gpufhdstart=883724288
kmem24ksize=0x2f290000
kmem2fhdsize=0x32870000
kmem2size=0x2f290000
kmem2start=0x40000000
kmem4ksize=0x307e9000
kmemfhdsize=0x34ac9000
kmemsize=0x307e9000
loadaddr=0x2000000
mtdids=emmc0=mt53xx-emmc
mtdparts=mt53xx-emmc:2M(uboot),2M(uboot_env),1M(eeprom_A),8M(perm),20M(boot),1M(reserved),1M(channelA),1M(channelB),14M(pq),1M(aq),4M(bootlogo),2M(tzbp),100M(linux_rootfsA),159M(basic),233M(3rd_rw),1M(hdmi),124M(3rd_ro),1M(panel),1M(ci),1M(edid),1M(svc),1M(ddb),38M(epg),3M(adsp),1024M(data_demo),1M(wfdp),1M(ddri),1M(mlfw),5M(ldat),6M(mafw),1M(dfw1),1M(dfw2),5M(pdat),2M(bdat),2M(ndat),1M(fdat),1M(udat),2M(bdix),1M(minf),10M(bedat),2048M(upgrade),1M(misc),20M(recovery),1800M(system),8627M(userdata),600M(cache),1M(sdcard),1M(udt),1M(arib_nvram),4M(sapost),1M(hdmieqfw),1M(version),1M(reserved1),1M(reserved2),1M(reserved3),1M(reserved4),1M(reserved5),1M(reserved6),1M(reserved7),1M(reserved8),1M(reserved9),1M(reserved10),1M(reserved11)
nandfs_env=setenv bootargs root=/dev/mtdblock3 console=ttyMT0,115200n1 mtdparts=${mtdparts};setenv bootcmd nboot.jffs2 kernel; setenv autostart yes; saveenv
partition=emmc0,0
ramdisk_env=setenv bootargs root=/dev/ram console=ttyMT0,115200n1 mtdparts=${mtdparts};setenv bootcmd nboot.jffs2 kernel rootfs; setenv autostart yes; setenv ramdisk yes; saveenv
recovery=update recovery recovery.img
recovery_cmd=eboot.lzo recovery
system=update system system.img
tzsize=48m
usbfile_env=setenv bootargs root=/dev/ram console=ttyMT0,115200n1 mtdparts=${mtdparts}
userdata=update userdata userdata.img
System partition (1800MB) uses squashfs, stored at an offset of 3853MB.
A simple dd command can be used to extract it:
Code:dd if=User_0x0000000000_0x03AB800000_backup.bin of=system.bin bs=1M count=1800 skip=3853
I also extracted part of my emmc, to compare. The pinout can be seen here:
However, the I/O works at 1.8V, while SD readers do it at 3.3V. Not good, might work, or might break something.
I used a cheap Aliexpress TXS108 level translator, "A" side goes to 1.8V signals, "B" to 3.3V ones. You have to enable the output by connecting OE to VA.
To avoid interference with the CPU, I had to find and remove the resistors that connected D0-D7, CMD, CLK and RST.
Follow this pinout:
You can either connect only D0 (1-bit mode) or D0-D3 (4-bit, much faster if it works). The unused signals can be left floating.
The connection is exactly the same as the SD pinout (Don't connect VDD, only VSS/GND):
I broke a microSD adapter and soldered the wires on it.
Keep the wires as short as possible! This is critical!
Sadly, my emmc was broken at 5.15GB. I tried a few times, it always crashed in the same place, the reader rejected the card throwing a lot of block errors.
So I couldn't extract the full system partition... but wait!
I could mount it and see the contents, I might have been lucky, the damaged zone was unused, or I didn't open any file stored in the bad area.
I opened a lot of files!
I found something that might be very interesting:
Code:/etc/security/otacerts.zip
Inside there's a file called "testkey.x509.pem".
Decoding it shows this:
Code:TV Identity: TV Verified by: TV Expires: 21/02/42 Subject Name C (Country): JP ST (State): Tokyo L (Locality): Minato-ku O (Organization): Sony Corporation OU (Organizational Unit): SVP CN (Common Name): TV Issuer Name C (Country): JP ST (State): Tokyo L (Locality): Minato-ku O (Organization): Sony Corporation OU (Organizational Unit): SVP CN (Common Name): TV Issued Certificate Version: 3 Serial Number: 00 A8 65 87 0F 86 8C CE 59 Not Valid Before: 2014-10-06 Not Valid After: 2042-02-21 Certificate Fingerprints SHA1: 6D 2F 89 58 66 E5 55 23 1E 0C B5 92 B5 8C 7C B1 4B CB 3C 20 MD5: 8C 0E AA 8B 2F E9 7A B0 19 8B 46 06 48 5D 82 81 Public Key Info Key Algorithm: RSA Key Parameters: 05 00 Key Size: 2048 Key SHA1 Fingerprint: AD E4 3D 16 98 85 B4 60 65 14 D2 8E 5C D2 C4 EF 6F 04 75 C2 Public Key: 30 82 01 0A 02 82 01 01 00 D0 91 B9 78 06 40 10 EC F4 A3 1C 7B 62 55 1F 6E 02 A6 40 B8 36 5A 76 99 7B 72 5C 7A 3B 62 76 D3 40 2B B5 5E DC 7D 4F E2 8B 0C 52 57 A0 4B C6 31 8C 3D 00 4A 8E 7A EA 7A D7 12 24 B6 9B 3E A7 29 C2 22 3E 14 3C D2 30 AF 91 8C E3 97 A6 98 71 5E A5 F8 86 61 AD F4 A1 68 0D 5C A0 E9 06 7A 64 E4 ED E4 8D 6F 4A 93 5E 87 45 B7 9B 66 C5 45 FB D1 E5 6B 0A 39 63 AE C4 92 AB 8C 39 AF D2 6D 26 B0 DD ED 61 E9 5C 09 8D 91 1F CE 2D 37 26 15 53 63 D2 44 6F BB A5 2B B0 2B A1 DE 9B C8 D6 C9 C9 BF DE AB 63 8E 10 A2 D3 75 2C BE 20 6C 0D 7C 08 65 23 B5 F8 56 35 FD FC BE 21 CB 20 BF 88 77 5A F7 E0 EC A8 09 BF A0 D2 80 DE 3E F0 BF 71 23 CC 96 9C 8A 42 1F 68 52 60 94 18 1F 69 3B 86 66 3F 60 BA C3 61 5A E0 4B B4 EF 9F AC 8A EA 28 99 54 1B A2 EB DF 8D AE 25 B2 8E 31 00 64 09 80 66 66 53 02 03 01 00 01 Subject Key Identifier Key Identifier: 49 61 3E 52 8E 7E 6A 34 CB 68 A0 4F C7 2E CA 48 1A F6 B6 2F Critical: No Extension Identifier: 2.5.29.35 Value: 30 16 80 14 49 61 3E 52 8E 7E 6A 34 CB 68 A0 4F C7 2E CA 48 1A F6 B6 2F Critical: No Basic Constraints Certificate Authority: Yes Max Path Length: Unlimited Critical: No Signature Signature Algorithm: SHA1 with RSA Signature 
Parameters: 05 00 Signature: 9E 61 30 8C 0B B2 BC 96 A2 0E D2 99 14 E4 4E 0A D7 33 8E 62 A1 02 0D 2D 4B B5 D3 13 37 74 6F 6D D5 F5 5B DC 1E D9 BA 4B 79 BC 20 55 2A BD 15 F5 D1 3E E1 93 28 FA 6D 6D A6 17 EF 6C 8E 01 01 D5 23 03 9B 50 F6 32 1E CE E5 5F 7C 3A 09 4C 89 99 4B BB 28 32 B3 27 32 50 29 E6 8D D7 8A D8 FD 8C 82 5D 8C 1B 0E 8D 0F C7 F1 CD 45 BE 10 41 5D 18 2A BA AC 1E 2C 1F 04 C2 50 C3 60 32 BE D6 DB C7 55 F2 1B 5D E4 0B 0A 0D 34 BD 61 1D 06 C9 64 18 DE 72 2B 09 D2 8C E6 37 EC 4A 6B 1F 86 66 1B 91 F9 91 25 D5 B4 5A D7 98 37 63 36 FA 44 57 BE A7 88 EA 9C 3B D7 B1 66 82 F4 D3 43 43 DF A8 77 21 70 88 BF 27 68 E3 EC 15 ED 01 6B A9 6F 8E 5C B2 5D FB AD 0B 3F AA AD 42 EA 4A 81 B9 28 9C 37 7E D7 56 A6 8A 21 CB 42 F3 71 05 59 6E 6C A1 62 1B 94 DF 75 5C 45 47 D0 73 D2 4B C7 F9 46 79 CE 44
Also this file:
Code:/etc/recovery-resource.dat
Which is actually a ZIP file with several Recovery/OTA pictures and... a file called "keys".
The v2 is suspicious, and clearly there are 2 keys, which might refer to epk v2?
Code:v2 {64,0xe50d3225,{2154194515,822109193,2921706126,2733367181,681137179,2678885098,3763057903,3133366618,2254847840,404711739,1750229140,2626306591,1898171542,3728666815,3214987904,3773605897,2289523447,566960319,905837758,599128150,226232421,750657644,279106421,3735774094,3603548607,2715720648,2771103787,3527700411,638931811,533605687,1544129937,3723321833,3530368688,2878093743,1672397970,3848997433,3309698001,1169660774,1251171975,3991178607,108684516,224174313,2918490472,2784527969,2795008350,2441929623,1020407983,3257024020,2604574505,3608290486,2390420090,2352808010,2689320497,2332840535,3699199970,1076606302,996308691,2071092346,911898265,44449976,1649745774,4104330363,104861932,3499211128},{3536959911,4088013242,1299246660,688897714,914308023,317805236,1391163560,3869920546,838353732,13032414,3930512539,1051727184,2770047608,1590601467,4204110638,2021077204,2575311934,975503193,1906844866,4192894466,2284613250,3975807116,1624598771,3231429753,3499890874,447250038,1460999863,3979259965,905124847,1347617969,892534907,2475248292,2428621178,1664010626,4051624463,2493035866,3408090697,1648341073,714835951,3900217344,1593199007,1088387530,392654907,3693537117,2902249066,3727427178,1142783211,3676880539,2167866134,3495940986,296325331,301703887,6284344,3887808865,4051288225,1535820293,3653513493,3395169353,3746807467,3179093497,2911647448,1514235986,2257706952,2686629724}}
And another file:
Code:/etc/security/mac_permissions.xml
Code:<?xml version="1.0" encoding="iso-8859-1"?><!-- AUTOGENERATED FILE DO NOT MODIFY --><policy><signer signature="308203a130820289a003020102020900d09b8a35ff49e296300d06092a864886f70d01010505003067310b3009060355040613024a50310e300c06035504080c05546f6b796f3112301006035504070c094d696e61746f2d6b7531193017060355040a0c10536f6e7920436f72706f726174696f6e310c300a060355040b0c03535650310b300906035504030c025456301e170d3134313030363037323234385a170d3432303232313037323234385a3067310b3009060355040613024a50310e300c06035504080c05546f6b796f3112301006035504070c094d696e61746f2d6b7531193017060355040a0c10536f6e7920436f72706f726174696f6e310c300a060355040b0c03535650310b300906035504030c02545630820122300d06092a864886f70d01010105000382010f003082010a0282010100b1499bdd1d5a8cafeb5b7aa95faeb79ee0a5414389227a1bcdadb0bec2985e7425fb6e05bf81af93dc24ee8c94afdbaca670305db9fe72778a24a5e4ee7db4625396ba13ec0842d147d11aa1e440ef7f233f3018a08c4668f5e687ef63327fbd819ab14181f72d79f81218b1689249c83d1f86949d1af86624d5b220c3044af65fab19f498e48032247700f55ccae87a9d781ecbd6d5426962dfa99a129b1694e1abf1356f8f0039c88d975fde28da2ac4b6949eb032eb12e259423f9fc97afb5e2681f9bf24166966c55bf8f9794651472981a314eb3ba588d5a324a335b41f258bbb3593e908a687a3e7bfcf61307590d2de92b608f2e0f6d1842db5032f810203010001a350304e301d0603551d0e041604140410e67af70fbace0f4459025c428e685ad73d1d301f0603551d230418301680140410e67af70fbace0f4459025c428e685ad73d1d300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010082822c1230689f44845d98940fda644b0ac12d9c412e5e4b083804702fe415eaca3486a36f0dd4cc6e8e4dd94ab7f27ab971600a107503737e3a88c311998341892b34bd29d6f32768ae199f4c78b470cd73e188f667f131aa6a5491aa2513b78a5fe792486aefd9aa5feea3fea419dbfe52fefa7a98c2d707dc8bf4cfb4f5e4a8f8c1fe7cdf9e30efbe7dd05d3bc33a2a3b1cd919795f2374b8c7de4947e5451accb8d94e49e471d560d821551506d2b76ae7daae3e0690043992988833d984d0711ae16e720378058f4798b3066807f82397b7e3b8b0f9be668120fa6a77c5c0b2cfe70742c03dd4652d50032da6277b224358f247a6a2d763000578a433cf"><seinfo value="platform"/></signer></policy>
The key files are attached. They were taken from the dump.
Anyways, I compared them with my emmc data, and they were identical.
Then I went with rootfsa, it's very much the same thing:
Code:dd if=User_0x0000000000_0x03AB800000_backup.bin of=rootfsa.bin bs=1M count=100 skip=57
There's a lot inside to check, I'm still reviewing the files!
Searching for what decrypts the dpk files, I searched everything:
Code:grep -Rls '.dpk'
This was the only one:
Code:/basic/libmtkapp.so
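How the `skip=` and `count=` values in the post's dd commands follow from the `mtdparts` string, as an added example that is not part of the original post: it parses the partition list (copied from the quoted environment up to `cache`), accumulates offsets, and reports which partition a failing byte offset falls in. The function names and the `dump.bin` default are assumptions.

```python
import re

# mtdparts value as quoted in the post's u-boot environment, truncated after
# "cache" (the small trailing entries are omitted). Sizes are MiB and the
# partitions are laid out back to back starting at offset 0.
MTDPARTS = (
    "mt53xx-emmc:2M(uboot),2M(uboot_env),1M(eeprom_A),8M(perm),20M(boot),"
    "1M(reserved),1M(channelA),1M(channelB),14M(pq),1M(aq),4M(bootlogo),"
    "2M(tzbp),100M(linux_rootfsA),159M(basic),233M(3rd_rw),1M(hdmi),"
    "124M(3rd_ro),1M(panel),1M(ci),1M(edid),1M(svc),1M(ddb),38M(epg),"
    "3M(adsp),1024M(data_demo),1M(wfdp),1M(ddri),1M(mlfw),5M(ldat),6M(mafw),"
    "1M(dfw1),1M(dfw2),5M(pdat),2M(bdat),2M(ndat),1M(fdat),1M(udat),2M(bdix),"
    "1M(minf),10M(bedat),2048M(upgrade),1M(misc),20M(recovery),1800M(system),"
    "8627M(userdata),600M(cache)"
)

UNIT = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
# <size>[unit][@<offset>[unit]](<name>)
ENTRY = re.compile(r"(\d+)([kmgKMG]?)(?:@(\d+)([kmgKMG]?))?\(([^)]+)\)")


def parse_mtdparts(spec):
    """Return an ordered {name: (offset, size)} map, both in bytes."""
    _device, sep, parts = spec.partition(":")
    if not sep:
        raise ValueError("missing '<device>:' prefix")
    table, cursor = {}, 0
    for entry in parts.split(","):
        m = ENTRY.fullmatch(entry.strip())
        if not m:
            raise ValueError(f"unsupported entry: {entry!r}")
        size = int(m.group(1)) * UNIT[m.group(2).lower()]
        if m.group(3) is not None:  # explicit size@offset form
            cursor = int(m.group(3)) * UNIT[m.group(4).lower()]
        name = m.group(5)
        if name in table:
            raise ValueError(f"duplicate partition name: {name}")
        table[name] = (cursor, size)
        cursor += size
    return table


def dd_extent(table, name, bs=1 << 20):
    """(skip, count) in units of bs; refuses partitions not aligned to bs."""
    offset, size = table[name]
    if offset % bs or size % bs:
        raise ValueError(f"{name} is not aligned to bs={bs}")
    return offset // bs, size // bs


def dd_command(table, name, image="dump.bin"):
    """dd invocation in the same form the post uses (bs=1M)."""
    skip, count = dd_extent(table, name)
    return f"dd if={image} of={name}.bin bs=1M count={count} skip={skip}"


def partition_at(table, byte_offset):
    """Name of the partition that contains byte_offset, or None."""
    for name, (offset, size) in table.items():
        if offset <= byte_offset < offset + size:
            return name
    return None


if __name__ == "__main__":
    parts = parse_mtdparts(MTDPARTS)
    for part in ("linux_rootfsA", "system"):
        print(dd_command(parts, part))
    # Which partition does a read failure 5.15 GB into the chip land in?
    print(partition_at(parts, int(5.15e9)))
```
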
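The `keys` entry quoted in the post has the layout that AOSP's dumpkey tool writes for recovery's OTA verifier: a version tag, a word count, a Montgomery constant, then the modulus and R² mod N as little-endian 32-bit words. An added example, not part of the original post, that parses this layout and checks its internal consistency on a constructed toy modulus (`TOY_N` and all function names are assumptions):

```python
import re

# Layout written by AOSP's dumpkey tool for recovery's OTA verifier:
#   [vN ]{nwords,0xN0INV,{modulus words},{R^2 words}}
# Words are 32-bit, least significant word first.
KEY_RE = re.compile(
    r"(?:v(\d+)\s+)?\{(\d+),0x([0-9a-fA-F]+),\{([\d,\s]+)\},\{([\d,\s]+)\}\}")
# version -> (public exponent, digest); version 1 is written without a tag
VERSIONS = {1: (3, "SHA-1"), 2: (65537, "SHA-1"),
            3: (3, "SHA-256"), 4: (65537, "SHA-256")}
WORD = 1 << 32


def words_to_int(words):
    """Combine little-endian 32-bit words into one integer."""
    return sum(w << (32 * i) for i, w in enumerate(words))


def int_to_words(value, nwords):
    """Split an integer into nwords little-endian 32-bit words."""
    return [(value >> (32 * i)) & (WORD - 1) for i in range(nwords)]


def n0inv_ok(n0inv, n_word0):
    """n0inv must equal -1/n[0] mod 2^32 (Montgomery constant)."""
    return (n0inv * n_word0) % WORD == WORD - 1


def parse_key(text):
    """Parse one key entry and report whether its fields agree."""
    m = KEY_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("not a dumpkey-style key entry")
    version = int(m.group(1) or 1)
    if version not in VERSIONS:
        raise ValueError(f"unknown key version {version}")
    nwords, n0inv = int(m.group(2)), int(m.group(3), 16)
    n_words = [int(x) for x in m.group(4).split(",")]
    rr_words = [int(x) for x in m.group(5).split(",")]
    if len(n_words) != nwords or len(rr_words) != nwords:
        raise ValueError("word count does not match header")
    modulus = words_to_int(n_words)
    exponent, digest = VERSIONS[version]
    return {
        "version": version, "exponent": exponent, "digest": digest,
        "bits": 32 * nwords, "modulus": modulus, "n0inv": n0inv,
        "n0inv_ok": n0inv_ok(n0inv, n_words[0]),
        # The second array is R^2 mod N with R = 2^(32*nwords).
        "rr_ok": words_to_int(rr_words) == pow(2, 2 * 32 * nwords, modulus),
    }


def encode_key(modulus, version=2):
    """Inverse of parse_key; used here to build the constructed sample."""
    nwords = modulus.bit_length() // 32
    n0inv = (-pow(modulus, -1, WORD)) % WORD
    rr = pow(2, 2 * 32 * nwords, modulus)

    def fmt(value):
        return ",".join(str(w) for w in int_to_words(value, nwords))

    body = "{%d,0x%x,{%s},{%s}}" % (nwords, n0inv, fmt(modulus), fmt(rr))
    return body if version == 1 else "v%d %s" % (version, body)


# Constructed 64-bit toy modulus (odd, top bit set); not a real key.
TOY_N = 0xF123456789ABCDEF
SAMPLE = encode_key(TOY_N)

if __name__ == "__main__":
    print(SAMPLE)
    print(parse_key(SAMPLE))
```

The first two modulus words on the page, 2154194515 and 822109193, are the bytes `31 00 64 09 80 66 66 53` that end the public key in the certificate dump above, and `0xe50d3225` satisfies the n0inv check for that first word.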
Hello, do you already know how to read the rpmb key from the emmc memory in a Sony TV?
Thx in advance.
Tried to debloat but command prompt said my device refused (or denied) connection... so no usb debugging prompt on tv.
OK, you need to explain this. Did you swap boards in your device, or swap SOCs, or ?
What root process, and do you have pics that illustrate root working on the TV?
Very cool.
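adb connect "IP of your box"   # attach to the box with ADB over the network
adb reboot bootloader          # reboot the box into the bootloader (fastboot mode)
fastboot devices               # confirm the box is visible to fastboot
fastboot -w                    # erase userdata and cache (factory reset)
fastboot reboot                # boot back into the system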