drive_firmware
Failure to decode latest Samsung DSRD.enc firmware files.
Hi Dominic,
Thanks for writing this utility; it has been very useful to me and many others.
Issue: This utility is unable to decode the DSRD.enc file from the firmware package below. https://s3.ap-northeast-2.amazonaws.com/global.semi.static/Samsung_SSD_850_EVO_EMT02B6Q_Win.iso
Is there any chance for an update in the future?
Thanks
I took a quick look, and the mechanism is different; the code refers to a base64 header and some AES-like encryption. But I don't have the time right now to actually reverse it.
I'm curious; aside from reverse engineering the firmware, what is the use case for changing the DSRD file?
Hey Dominic, I appreciate the quick reply, I know this is an old project. This utility has allowed people to fix their Samsung SSDs with corrupted firmware, usually caused by Samsung Magician funny enough.
The firmware packages have a "safety feature" that only detects compatible drives, but fails to include compatible drives with corrupted firmware. By modifying the DSRD.enc file you can bypass the SSD checks and it will allow you to select any drive on the system, allowing you to restore the corrupted firmware.
DSRD.enc - Edit example:
<SSD>
<SN>ALL</SN>
<MOD>ALL</MOD>
<CURFW>ALL</CURFW>
<NEWFW>EMT03B6Q</NEWFW>
<IFW>EMT02B6Q.bin</IFW>
<PWR>T</PWR>
</SSD>
If only Samsung would not make things so difficult.
Either way thanks for taking a look at it!
It actually didn't need any real reverse engineering.
Simply running strings fumagician
and scrolling down with your eyes until you find something that looks like base64, I dunno ... say.. gzeDiyNFqnZizZAqlzHvUvRQYnW1fKfNnDa1Zb+ZPNE=
.. then end up with:
openssl enc -aes-256-ecb -d -in DSRD.enc -out DSRD.bin -nopad -K 8337838b2345aa7662cd902a9731ef52f4506275b57ca7cd9c36b565bf993cd1
Haha, great job!
I've implemented a solution for decrypting modern firmwares:
https://github.com/chrivers/samsung-firmware-magic
Big surprise, it's still just terrible obfuscation.
With this method, can I update the Samsung PM981A to the firmware of the 970 EVO Plus? The PM981A is said to have the same hardware as the 970 EVO Plus, except that the firmware is different, the PM981A is for OEMs and the 970 EVO Plus is retail.
I can only speak for what my tool does - it helps decrypt (deobfuscate) modern firmware images.
As such, it could give people who wish to pursue this further a path towards that goal.
However, as far as I know, there's no known open-source method of applying these updates. It would hypothetically be possible to unpack the firmware files, modify them, use the tool (with a slight modification) to repack them, and give those files back to Samsung Magician.
That's outside of the scope for my little PoC project, I'm afraid :)
Hello, help to solve the problem!! I have a Samsung mzmte256hmhp-000mv drive, but the system and the Samsung program do not see it, but the BIOS does! Help restore the firmware!!
It actually didn't need any real reverse engineering. Simply running
strings fumagician
and scrolling down with your eyes until you find something that looks like base64, I dunno ... say.. gzeDiyNFqnZizZAqlzHvUvRQYnW1fKfNnDa1Zb+ZPNE=
.. then end up with:
openssl enc -aes-256-ecb -d -in DSRD.enc -out DSRD.bin -nopad -K 8337838b2345aa7662cd902a9731ef52f4506275b57ca7cd9c36b565bf993cd1
@Qwertylex - Just want to report this almost works for me, with the key extracted in a similar way.
However, somehow I'm getting a bit of padding before/after the XML:
_icianMAG_@*!.8&<C5>^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@<SSD>
<SN>ALL</SN>
<MOD>ALL</MOD>
<CURFW>1B2QEXM7</CURFW>
<NEWFW>2B2QEXM7</NEWFW>
<MFW>2B2QEXM7_00190411.bin</MFW>
<MFW>2B2QEXM7_10190411.bin</MFW>
<MFW>2B2QEXM7_20190411.bin</MFW>
</SSD>
^@^@^@^@^@^@^@^@^@^@^@
@marcosscriven Interesting. Could you link me to that firmware?
@Qwertylex - It's the one for Samsung_SSD_970_EVO_Plus_2B2QEXM7
extracted from the ISO in the firmware section of https://www.samsung.com/semiconductor/minisite/ssd/download/tools/
So, I actually got this before, last year. I failed to mention it and never bothered to look into it. But that 'padding before' is actually a file header which contains a magic signature and the file length. It is at the start of the file and 32 bytes long: the first 16 bytes are the magic, and the next 16 bytes contain a 32-bit little-endian file size padded with zeros. As for the 'padding after', that is to be expected with encrypting in AES256 like this: unless your file happens to fall in just the right size for a block, it has to be padded out to be the right size.
I made a script to decrypt, get the file size, and chop off the header and padding at the end: https://github.com/Qwertylex/samdecrypt.sh/blob/main/samdecrypt.sh
example:
~/sam $ 7z x Samsung_SSD_970_EVO_Plus_2B2QEXM7.iso
~/sam $ mkdir x; cd x
~/sam/x $ 7z x ../initrd; 7z x initrd\~
~/sam/x $ cd root/fumagician
~/sam/x/root/fumagician $ ./samdecrypt.sh DSRD.enc
~/sam/x/root/fumagician $ cat DSRD.bin
<SSD>
<SN>ALL</SN>
<MOD>ALL</MOD>
<CURFW>1B2QEXM7</CURFW>
<NEWFW>2B2QEXM7</NEWFW>
<MFW>2B2QEXM7_00190411.bin</MFW>
<MFW>2B2QEXM7_10190411.bin</MFW>
<MFW>2B2QEXM7_20190411.bin</MFW>
</SSD>
~/sam/x/root/fumagician $ ./samdecrypt.sh 2B2QEXM7.enc
~/sam/x/root/fumagician $ 7z x 2B2QEXM7.bin
2B2QEXM7.bin is actually a normal .zip, which extracts the following:
2B2QEXM7_00190411.enc
2B2QEXM7_10190411.enc
2B2QEXM7_20190411.enc
which can be decrypted with the same samdecrypt.sh as above
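The header layout described above (16-byte magic, then a little-endian 32-bit size in a zero-padded 16-byte field), as an added Python example that is not from samdecrypt.sh or from anyone in this thread: it takes the output of the `openssl ... -nopad` decryption and returns the payload, rejecting blobs that do not fit the layout. The sample blob, its placeholder magic and the function names are constructed for illustration; zero-byte trailing padding is assumed from the dump posted above.

```python
import struct

HEADER_LEN = 32  # per the thread: 16-byte magic + 16-byte size field
BLOCK = 16       # AES block size; the ciphertext is a whole number of blocks


class HeaderError(ValueError):
    """The blob does not match the layout (often a sign of a wrong key)."""


def strip_container(blob):
    """Return (magic, payload) from an already-decrypted .enc blob."""
    if len(blob) < HEADER_LEN or len(blob) % BLOCK:
        raise HeaderError("length is not a whole number of AES blocks")
    magic, size_field = blob[:16], blob[16:HEADER_LEN]
    (size,) = struct.unpack_from("<I", size_field)  # 32-bit little-endian
    if any(size_field[4:]):
        raise HeaderError("size field is not zero-padded")
    end = HEADER_LEN + size
    if end > len(blob):
        raise HeaderError("declared size runs past the end of the data")
    tail = blob[end:]
    # Assumption: trailing padding is zero bytes and shorter than one block,
    # as in the dump posted in this thread.
    if len(tail) >= BLOCK or any(tail):
        raise HeaderError("unexpected bytes after the payload")
    return magic, blob[HEADER_LEN:end]


def build_sample(xml):
    """Constructed test blob; the magic here is a placeholder, not Samsung's."""
    body = b"PLACEHOLDER-MAGI" + struct.pack("<I", len(xml)) + bytes(12) + xml
    return body + bytes(-len(body) % BLOCK)


if __name__ == "__main__":
    sample_xml = b"<SSD>\r\n<SN>ALL</SN>\r\n</SSD>\r\n"  # constructed
    magic, payload = strip_container(build_sample(sample_xml))
    print(magic, len(payload))
    print(payload.decode())
```

A decryption with the wrong key produces pseudo-random bytes, so the zero-padding and size checks fail and the function raises instead of writing out garbage.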
The samdecrypt.sh script worked for me on Samsung_SSD_960_EVO_3B7QCXE7.iso using the key 57633f2c1f8937565e935799356cd41f2366e0d1a74acfd6b6375dbab5e2e644
Here's an easy way to find the key.
strings fumagician | grep -E '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$' | base64 -d | xxd -p -c 32
I've updated my repo to reflect this and added @xyzzy42's key to the known_keys.txt file.
I decrypted three files from the 850EVO firmware, but what puzzles me is which file is the correct firmware?
icianMAG@*!.8&? <SSD>
<SN>ALL</SN>
<MOD>ALL</MOD>
<CURFW>EMT01B6Q</CURFW>
<NEWFW>EMT02B6Q</NEWFW>
<MFW>EMT02B6Q_01150903.bin</MFW>
<MFW>EMT02B6Q_03151015.bin</MFW>
<MFW>EMT02B6Q_05151013.bin</MFW>
</SSD>
This simple script I wrote can decrypt ANY Samsung SSD firmware directly from the ISO file. https://gist.github.com/Zibri/3b3c34c3ce36ec6c6f57618eeda6f200