Can anyone provide a signed Idb

So I am working on a new Python-based maskrom tool, and part of it is to parse, create, and edit IDBlocks.

So far I have implemented most of the things, and it can parse the idblock on a given flash dump or any file-like object.

i.e. below:

found idb: block=64, hashtype=1, numentries=2, signature=b"\x11]\xef\x1b\xb4\x17\xf5\xd9\xc98\xdd\x0b\xc7\xf1pX\xfb\x00\xf4'm\xb8\x19\\\xb1\x166\x00\xa6\xd2\x887", entries=[counter=1, blocks=116, offset=4, hash=b'\\\xbe\x80_\xa5\xd6\xefY\xd4\xe0\xab\x02\xe5\xee?\x05C\xe2e\xbf\x0f\xcaO\xa83\x7f\xfd$\xc3\x89\x07s', counter=2, blocks=464, offset=120, hash=b"\x85?K\xe1'+\xc6\x06\xe6\x8e\x96\x9d{\x06\xfaE\xa2\xfbG$E<\x92Y1\xb5\xac\xf3\x13.p\xfb"]
found idb: block=1088, hashtype=1, numentries=2, signature=b"\x11]\xef\x1b\xb4\x17\xf5\xd9\xc98\xdd\x0b\xc7\xf1pX\xfb\x00\xf4'm\xb8\x19\\\xb1\x166\x00\xa6\xd2\x887", entries=[counter=1, blocks=116, offset=4, hash=b'\\\xbe\x80_\xa5\xd6\xefY\xd4\xe0\xab\x02\xe5\xee?\x05C\xe2e\xbf\x0f\xcaO\xa83\x7f\xfd$\xc3\x89\x07s', counter=2, blocks=464, offset=120, hash=b"\x85?K\xe1'+\xc6\x06\xe6\x8e\x96\x9d{\x06\xfaE\xa2\xfbG$E<\x92Y1\xb5\xac\xf3\x13.p\xfb"]
found idb: block=2112, hashtype=1, numentries=2, signature=b"\x11]\xef\x1b\xb4\x17\xf5\xd9\xc98\xdd\x0b\xc7\xf1pX\xfb\x00\xf4'm\xb8\x19\\\xb1\x166\x00\xa6\xd2\x887", entries=[counter=1, blocks=116, offset=4, hash=b'\\\xbe\x80_\xa5\xd6\xefY\xd4\xe0\xab\x02\xe5\xee?\x05C\xe2e\xbf\x0f\xcaO\xa83\x7f\xfd$\xc3\x89\x07s', counter=2, blocks=464, offset=120, hash=b"\x85?K\xe1'+\xc6\x06\xe6\x8e\x96\x9d{\x06\xfaE\xa2\xfbG$E<\x92Y1\xb5\xac\xf3\x13.p\xfb"]
found idb: block=3136, hashtype=1, numentries=2, signature=b"\x11]\xef\x1b\xb4\x17\xf5\xd9\xc98\xdd\x0b\xc7\xf1pX\xfb\x00\xf4'm\xb8\x19\\\xb1\x166\x00\xa6\xd2\x887", entries=[counter=1, blocks=116, offset=4, hash=b'\\\xbe\x80_\xa5\xd6\xefY\xd4\xe0\xab\x02\xe5\xee?\x05C\xe2e\xbf\x0f\xcaO\xa83\x7f\xfd$\xc3\x89\x07s', counter=2, blocks=464, offset=120, hash=b"\x85?K\xe1'+\xc6\x06\xe6\x8e\x96\x9d{\x06\xfaE\xa2\xfbG$E<\x92Y1\xb5\xac\xf3\x13.p\xfb"]
found idb: block=4160, hashtype=1, numentries=2, signature=b"\x11]\xef\x1b\xb4\x17\xf5\xd9\xc98\xdd\x0b\xc7\xf1pX\xfb\x00\xf4'm\xb8\x19\\\xb1\x166\x00\xa6\xd2\x887", entries=[counter=1, blocks=116, offset=4, hash=b'\\\xbe\x80_\xa5\xd6\xefY\xd4\xe0\xab\x02\xe5\xee?\x05C\xe2e\xbf\x0f\xcaO\xa83\x7f\xfd$\xc3\x89\x07s', counter=2, blocks=464, offset=120, hash=b"\x85?K\xe1'+\xc6\x06\xe6\x8e\x96\x9d{\x06\xfaE\xa2\xfbG$E<\x92Y1\xb5\xac\xf3\x13.p\xfb"]

I noticed that the signature or hash value of the Idblock is unnecessarily long (512 bytes), and I think this is somehow used to sign the Idb. And the known algos used to fill the area are only hashing but not signing.

Can someone provide me a signed idb dump to analyze how this works (preferably with the public key to verify), or any additional technical information about the structure details of the IDB.

@DualTachyon tagging in the hope that you somehow have a working secure boot.

1 Like
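An added example, not part of the thread or of the poster's tool: a per-entry hash check over the fields the parser output above prints (`blocks`, `offset`, `hash`). It assumes 512-byte sectors, offsets relative to the IDB's own start sector, and `hashtype=1` meaning SHA-256; the dump is constructed, and the check covers integrity only, not the signature field.

```python
import hashlib
from dataclasses import dataclass

SECTOR = 512  # assumption: block, blocks and offset are counted in 512-byte sectors

@dataclass
class Entry:
    counter: int
    blocks: int   # image length in sectors
    offset: int   # image start in sectors, relative to the IDB's first sector (assumption)
    hash: bytes   # stored digest, as printed by the parser

def check_entries(dump: bytes, idb_block: int, hashtype: int, entries):
    """Return {counter: status} for one IDB copy found at sector idb_block."""
    if hashtype != 1:  # assumption: hashtype 1 means SHA-256 (the digests shown are 32 bytes)
        raise ValueError(f"unsupported hashtype {hashtype}")
    results = {}
    for e in entries:
        start = (idb_block + e.offset) * SECTOR
        end = start + e.blocks * SECTOR
        if e.blocks == 0 or end > len(dump):
            results[e.counter] = "out-of-range"  # truncated dump or bogus entry
            continue
        digest = hashlib.sha256(dump[start:end]).digest()
        results[e.counter] = "ok" if digest == e.hash else "mismatch"
    return results

def build_sample():
    """Constructed dump: two IDB copies at sectors 64 and 1088, the second one damaged."""
    images = [(1, 4, 8, b"\xaa"), (2, 12, 16, b"\xbb")]  # counter, offset, blocks, fill
    dump = bytearray(1200 * SECTOR)
    entries = []
    for counter, offset, blocks, fill in images:
        data = fill * (blocks * SECTOR)
        entries.append(Entry(counter, blocks, offset, hashlib.sha256(data).digest()))
        for base in (64, 1088):
            pos = (base + offset) * SECTOR
            dump[pos:pos + len(data)] = data
    dump[(1088 + 12) * SECTOR] ^= 0xFF  # flip one byte in image 2 of the second copy
    return bytes(dump), entries

if __name__ == "__main__":
    dump, entries = build_sample()
    for base in (64, 1088):
        print(base, check_entries(dump, base, 1, entries))
```

Running the same check against every copy the parser finds shows which redundant IDB copies still match their stored digests.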

Please take a look at WIP: rkimage: sign idbloader v2 · Kwiboo/u-boot-rockchip@cb2827f; it adds idblock v2 signing to U-Boot mkimage. It still needs cleanup and documentation on how to use it before it is ready for upstream.

A few commands that can be used to sign and validate the signature.

# generate a certificate using openssl
openssl req -batch -newkey rsa:4096 -sha256 -new -nodes -x509 -keyout rksign.key -out rksign.crt
openssl x509 -in rksign.crt -noout -pubkey > rksign.pem

# configure rk_sign_tool (for validation)
../rkbin/tools/rk_sign_tool cc --chip 3588
../rkbin/tools/rk_sign_tool lk --key rksign.key --pubkey rksign.pem

# sign idbloader using mkimage
tools/mkimage -n rk3588 -T rksd -d ../rkbin/bin/rk35/rk3588_ddr_lp4_2112MHz_lp5_2400MHz_v1.18.bin:spl/u-boot-spl.bin idbloader.img -k . -g rksign

# validate signed idbloader using rk_sign_tool
../rkbin/tools/rk_sign_tool vb --idb idbloader.img
1 Like

yummy!!! you are great thanks a lot…

so it is “RKSS” now… RKNS = Rockchip normal software, RKSS= Rockchip Signed Software, just wildly guessing…

Attached is a signed binary with the public key that runs on my devices. I generated it with https://github.com/DualTachyon/rk3588-tools

test.zip (4.5 KB)

1 Like

Great! Thanks a lot for the blob; also, your code has a lot of clarifications that I was looking for.

1 Like