Firmware
The firmware files from Teenage Engineering are in the process of being reverse engineered. This is a difficult task because the firmware archive is encrypted, but the zfw files published are not completely encrypted.
This is still a work in progress.
| Offset | Size (in bytes) | Purpose | Notes |
|---|---|---|---|
| 0x00 | 16 | Flags? | Unconfirmed. The flag at offset 0x04 is known as the key index but all other bytes have been null bytes in every other firmware published. |
| 0x10 | 95 | Unknown | Only null bytes have been observed in published firmware files. |
| 0x70 | 16 | Initialization Vector | The IV used for the CBC mode encryption for the encrypted blobs. |
| 0x80 | 4 | Length | Length of the encrypted payload. This value is in little endian format. |
| 0x300 | 256 | Encrypted filename | Encrypted blob containing the filename of the encrypted firmware archive. Only firmware_bin_only_with_bootloader.zip has been observed thus far. |
| 0x400 | (Until end of file) | Encrypted firmware archive | Encrypted blob containing the firmware archive. The size of this blob will be the length specified above at offset 0x80 plus some additional bytes. Presumably the extra bytes are the padding for the block cipher that's used. |

In upgrade mode, the OP-Z exposes a USB serial console. Observing this console during firmware upgrades helped determine some of the information in the table. With some manipulation of firmware files, the serial console can be used somewhat as a padding oracle. This was used to confirm that CBC mode is in use: flipping one bit of the IV caused the first block of the encrypted filename to decrypt to random junk, and the corresponding bit in block 2 of the plaintext was flipped.

The encrypted blobs are encrypted with AES rather than DES or 3DES, as indicated by the size of the IV used in CBC mode and the block size of 128 bits. The Blackfin+ chip supports only these three symmetric encryption algorithms. The key size used for AES is 256 bits.

Thus far, every firmware file provided by Teenage Engineering has been encrypted with the same key. This can be confirmed by altering a firmware file, replacing its IV and encrypted filename blob with those from another firmware file, and observing in the serial console that the filename is decrypted successfully.
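
A minimal parser for the layout in the table above, as an added example (not code from this project). It assumes the key index is the single byte at 0x04 and, following the presumption about padding, that the blob is a whole number of 16-byte AES blocks; `make_sample` builds a constructed file that contains no firmware data.

```python
import struct
from dataclasses import dataclass

BLOCK = 16  # AES block size in bytes (128-bit blocks)

@dataclass
class ZfwHeader:
    key_index: int        # assumption: a single byte at offset 0x04
    rest_is_null: bool    # other flag bytes and the 95-byte unknown region all zero
    iv: bytes
    payload_len: int
    enc_filename: bytes
    blob_len: int
    extra: int            # blob bytes beyond the declared length

def parse_zfw(data: bytes) -> ZfwHeader:
    if len(data) < 0x400:
        raise ValueError("shorter than the 0x400-byte header region")
    flags, unknown = data[0x00:0x10], data[0x10:0x10 + 95]
    (payload_len,) = struct.unpack_from("<I", data, 0x80)  # little endian
    blob_len = len(data) - 0x400
    if payload_len > blob_len:
        raise ValueError("declared length exceeds the data present")
    if blob_len % BLOCK:
        raise ValueError("blob is not a whole number of cipher blocks")
    return ZfwHeader(
        key_index=flags[4],
        rest_is_null=not any(flags[:4] + flags[5:] + unknown),
        iv=data[0x70:0x80],
        payload_len=payload_len,
        enc_filename=data[0x300:0x400],
        blob_len=blob_len,
        extra=blob_len - payload_len,
    )

def make_sample() -> bytes:
    """Constructed stand-in for a zfw file; contains no real firmware data."""
    buf = bytearray(0x400)
    buf[0x04] = 1                               # constructed key index
    buf[0x70:0x80] = bytes(range(16))           # constructed IV
    struct.pack_into("<I", buf, 0x80, 1000)     # declared payload length
    buf[0x300:0x400] = b"\xaa" * 256            # placeholder "encrypted filename"
    return bytes(buf) + b"\xbb" * 1008          # 1000 bytes padded up to 63 blocks

if __name__ == "__main__":
    print(parse_zfw(make_sample()))
```

Running it against a published file and comparing `extra` across versions is a quick way to check whether the additional bytes behave like block-cipher padding.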
The OP-Z can be upgraded and downgraded without issue. Here is a list of all firmware versions available from Teenage Engineering as of 25 October 2020:
See release notes at Teenage Engineering Downloads
| Version | URL | SHA256 Hash |
|---|---|---|
| 1.1.9 | Download | a0566fabaacd3e9ab2fd43c7301c45ca24d60b45c136411e0d8ce6652ec3fc51 |
| 1.1.12 | Download | 777c3091d0bf974aba39e7808e2fa8b3624db993ac302170887e455b6a38ccba |
| 1.1.17 | Download | ff32f583dbc97ad26127fb1c9f0ace5934fa5fb4540248917b6002308ca2e0fc |
| 1.1.23 | Download | f8eaf99e9f5edac3c31f87a5ee753a2b07a5e00a46bcd06ab2a6d2be9735ab1e |
| 1.1.27 | Download | 7c259104349e18a06f08dc788df0f19bfd6992d209fd16f9b4c335dab5f285c1 |
| 1.2.5 | Download | 3F7F18CB11D9966311F946BC7FD53EF683B71B69CD64FA171AB33B559C5F2D80 |
| 1.2.8 | Download | E00F8AE832101962EEF47F84F2225F4D5D5F596DC1FD13555CA1DFE71E47F408 |
| 1.2.12 | Download | 5F3767A35CD50E05A7BC77359CB0CD32D1F75ED1FDD60F68E166F2AA57205E15 |
| 1.2.14 | Download | B7D40B9296CE0A2812F3CA90B1DD38D316E0FE829B91302B69B7437BE6858D65 |
| 1.2.17 | Download | 694E030D12E97BFDE81DF233563B2120F1AAEB545BC3D9DF7853769F1A03D1E9 |
| 1.2.20 | Download | 26128428535F83153E4513A8C82ABE868F0ED454FC1A170D913A7B4EC88BC6FD |
| 1.2.26 | Download | A0A0ECD4BAF0E609E1C04EAD3749F96BDCEA4CAD46B1AC246A4E0E57B2B100D3 |
| 1.2.28 | Download | 9126AA2733B05DB84BB51E9C8701DFD834858C86398ED94739D03A43554A1487 |
| 1.2.31 | Download | 8FC1E3A7696CA7FA5937F30D10770A7FD6F631F41D923499DB7480FA6645AADE |