Missing TBIE key

[milenovic]

Is there any chance to determine TBIE key used in WM232 firmware (V02.04.1604 - V02.04.2120) bootarea.img/rtos.img/normal.img partitions? The correct PRAK key for them is PRAK-2020-01, but none of the TBIE keys available in this repository are correct. Correct UFIE key is UFIE-2020-04.

[mefistotelis]

If you wish to start looking into keys, make sure to read: https://github.com/o-gs/dji-firmware-tools/wiki/Firmware-m0901#boot-process https://github.com/o-gs/dji-firmware-tools/wiki/Firmware-m0801#keys-derivation .. and the whole pages above.

[milenovic]

A year later, I finally found time to keep digging into this again :) I still do not fully understand key derivation process, but I am making progress!

One thing that is confusing me in the Readme and other docs here is the mention of the file wm230_0801_v10.00.07.12_20180126.pro.fw_0801.bootarea_p0_BLLK.bin which is a part of the bootarea.img for the wm230. But for this platform, the TBIE key required to decrypt the bootarea is not (publicly) available. I see that for that file, the sections are identified, their memory addresses are mapped, and even some symbols are available! Having the file would help me understand how to do the same on other BLLK files from other platforms. Could I ask how was the file obtained? Or, could someone upload this file?

[mefistotelis]

Hm, you're right - TBIE-2018-01 is still not public..

Ok then, file attached.

wm230_0801_v10.00.07.12_20180126.pro.fw_0801.bootarea_p0_BLLK.bin.gz

[milenovic]

One year later... Maybe it's time to make the key public? 0x7b, 0xca, 0x59, 0x6f, 0x22, 0x73, 0xc5, 0x19, 0x5e, 0x41, 0x42, 0xaa, 0x3d, 0x20, 0x1e, 0x25

[gogisoft]

Thanks for sharing. Tring to get a Mini 3 gimbal working again on spare time. Does your post imply DJI has ecryprion keys protecting the firmware?

[milenovic]

That question is best answered by fully reading this amazing repository ;)