TalAloni
diff --git a/‎QualcommLibrary/ApplicationExecutable/ApplicationExecutableHeader.cs‎
Lines changed: 59 additions & 0 deletions b/‎QualcommLibrary/ApplicationExecutable/ApplicationExecutableHeader.cs‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎QualcommLibrary/ApplicationExecutable/ApplicationExecutableHelper.cs‎
Lines changed: 71 additions & 0 deletions b/‎QualcommLibrary/ApplicationExecutable/ApplicationExecutableHelper.cs‎
Lines changed: 71 additions & 0 deletions
diff --git a/‎QualcommLibrary/ApplicationExecutable/ApplicationExecutableVerification.cs‎
Lines changed: 112 additions & 0 deletions b/‎QualcommLibrary/ApplicationExecutable/ApplicationExecutableVerification.cs‎
Lines changed: 112 additions & 0 deletions
diff --git a/‎QualcommLibrary/Components/BouncyCastle.Crypto.dll‎
1.43 MB b/‎QualcommLibrary/Components/BouncyCastle.Crypto.dll‎
1.43 MB
diff --git a/‎QualcommLibrary/Helpers/CertificateHelper.cs‎
Lines changed: 59 additions & 0 deletions b/‎QualcommLibrary/Helpers/CertificateHelper.cs‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎QualcommLibrary/Helpers/CertificateValidationHelper.cs‎
Lines changed: 89 additions & 0 deletions b/‎QualcommLibrary/Helpers/CertificateValidationHelper.cs‎
Lines changed: 89 additions & 0 deletions
@@ -0,0 +1,59 @@
+using System;
+using System.Collections.Generic;
+using System.Text;
+using Utilities;
+
+namespace QualcommLibrary
+{
+    public class ApplicationExecutableHeader
+    {
+        public const int CodeStartOffset = 0x28;
+        public const int Length = 0x28;
+
+        public uint Identifier;
+        public uint Version;
+        public uint LoadingAddress;
+        public uint FileSize; // (header + body + signature + certificate store)
+        public uint CodeSize; // The size of the executable (without the header / signature / certificate store)
+        public uint SignatureAddress;
+        public uint SignatureLength;
+        public uint CertificateStoreAddress;
+        public uint CertificateStoreLength;
+
+        public ApplicationExecutableHeader(byte[] buffer)
+        {
+            Identifier = LittleEndianConverter.ToUInt32(buffer, 0x00);
+            Version = LittleEndianConverter.ToUInt32(buffer, 0x04);
+            LoadingAddress = LittleEndianConverter.ToUInt32(buffer, 0x0C);
+            FileSize = LittleEndianConverter.ToUInt32(buffer, 0x10);
+            CodeSize = LittleEndianConverter.ToUInt32(buffer, 0x14);
+            SignatureAddress = LittleEndianConverter.ToUInt32(buffer, 0x18);
+            SignatureLength = LittleEndianConverter.ToUInt32(buffer, 0x1C);
+            CertificateStoreAddress = LittleEndianConverter.ToUInt32(buffer, 0x20);
+            CertificateStoreLength = LittleEndianConverter.ToUInt32(buffer, 0x24);
+        }
+
+        public uint SignatureOffset
+        {
+            get
+            {
+                return CodeStartOffset + SignatureAddress - LoadingAddress;
+            }
+        }
+
+        public uint CertificateStoreOffset
+        {
+            get
+            {
+                return CodeStartOffset + CertificateStoreAddress - LoadingAddress;
+            }
+        }
+
+        public static bool IsChainedExecutable(byte[] imageBytes)
+        {
+            uint version = LittleEndianConverter.ToUInt32(imageBytes, 0x04);
+            uint expectedVersion = 0x03;
+            return version == expectedVersion;
+        }
+    }
+}
@@ -0,0 +1,71 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Text;
+using Utilities;
+
+namespace QualcommLibrary
+{
+    public class ApplicationExecutableHelper
+    {
+        public static byte[] ExtractCode(byte[] imageBytes)
+        {
+            ApplicationExecutableHeader header = new ApplicationExecutableHeader(imageBytes);
+            return ByteReader.ReadBytes(imageBytes, (int)ApplicationExecutableHeader.CodeStartOffset, (int)header.CodeSize);
+        }
+
+        public static byte[] ExtractSignature(byte[] imageBytes)
+        {
+            ApplicationExecutableHeader header = new ApplicationExecutableHeader(imageBytes);
+            return ByteReader.ReadBytes(imageBytes, (int)header.SignatureOffset, (int)header.SignatureLength);
+        }
+
+        public static List<byte[]> ExtractCertificates(byte[] imageBytes)
+        {
+            List<byte[]> certificates = new List<byte[]>();
+            ApplicationExecutableHeader header = new ApplicationExecutableHeader(imageBytes);
+            byte[] certificateStoreBytes = ByteReader.ReadBytes(imageBytes, (int)header.CertificateStoreOffset, (int)header.CertificateStoreLength);
+            int offset = 0;
+            while (offset < certificateStoreBytes.Length - 4)
+            {
+                ushort type = BigEndianReader.ReadUInt16(certificateStoreBytes, ref offset);
+                if (type == 0x3082) // ASN.1 SEQUENCE
+                {
+                    ushort length = BigEndianReader.ReadUInt16(certificateStoreBytes, ref offset);
+                    offset -= 4;
+                    byte[] certificateBytes = ByteReader.ReadBytes(certificateStoreBytes, ref offset, length + 4);
+                    certificates.Add(certificateBytes);
+                }
+                else
+                {
+                    break;
+                }
+            }
+            return certificates;
+        }
+
+        public static void ExtractFileComponents(string imagePath, string outputDirectory)
+        {
+            string filenameWithoutExtention = Path.GetFileNameWithoutExtension(imagePath);
+            if (!outputDirectory.EndsWith("\\"))
+            {
+                outputDirectory += "\\";
+            }
+            byte[] imageBytes = File.ReadAllBytes(imagePath);
+            ApplicationExecutableHeader header = new ApplicationExecutableHeader(imageBytes);
+            string codeFilename = String.Format("{0}\\{1}-code-0x{2}.bin", outputDirectory, filenameWithoutExtention, header.LoadingAddress.ToString("X"));
+            string signatureFilename = String.Format("{0}\\{1}-Signature.bin", outputDirectory, filenameWithoutExtention);
+
+            byte[] code = ExtractCode(imageBytes);
+            File.WriteAllBytes(codeFilename, code);
+            byte[] signatureBytes = ExtractSignature(imageBytes);
+            File.WriteAllBytes(signatureFilename, signatureBytes);
+            List<byte[]> certificates = ExtractCertificates(imageBytes);
+            for (int index = 0; index < certificates.Count; index++)
+            {
+                string certificateFilename = String.Format("{0}\\{1}-Certificate-L{2}.cer", outputDirectory, filenameWithoutExtention, index + 1);
+                File.WriteAllBytes(certificateFilename, certificates[index]);
+            }
+        }
+    }
+}
@@ -0,0 +1,112 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Security.Cryptography;
+using System.Text;
+using Utilities;
+
+namespace QualcommLibrary
+{
+    public class ApplicationExecutableVerification
+    {
+        public static byte[] GetRootCertificateHash(byte[] imageBytes)
+        {
+            List<byte[]> certificates = ApplicationExecutableHelper.ExtractCertificates(imageBytes);
+            int rootCertificateIndex = CertificateValidationHelper.GetRootCertificateIndex(certificates);
+            if (rootCertificateIndex == -1)
+            {
+                return null;
+            }
+
+            byte[] rootCertificate = certificates[rootCertificateIndex];
+            return SHA256.Create().ComputeHash(rootCertificate);
+        }
+
+        public static bool VerifyRootCertificateHash(byte[] imageBytes, byte[] oemPKHash)
+        {
+            byte[] rootCertificateHash = GetRootCertificateHash(imageBytes);
+            if (rootCertificateHash == null)
+            {
+                return false;
+            }
+            return ByteUtils.AreByteArraysEqual(rootCertificateHash, oemPKHash);
+        }
+
+        public static bool VerifyCertificateStore(byte[] imageBytes)
+        {
+            List<byte[]> certificates = ApplicationExecutableHelper.ExtractCertificates(imageBytes);
+            return CertificateValidationHelper.VerifyCertificateChain(certificates);
+        }
+
+        public static bool VerifyImageSignature(byte[] imageBytes, byte[] softwareID, byte[] hardwareID)
+        {
+            if (softwareID.Length != 8)
+            {
+                throw new ArgumentException("SoftwareID should be 8 bytes long");
+            }
+
+            if (hardwareID.Length != 8)
+            {
+                throw new ArgumentException("HardwareID should be 8 bytes long");
+            }
+
+            byte[] expectedHash = DecryptFileSignature(imageBytes);
+
+            byte[] imageHeader = ByteReader.ReadBytes(imageBytes, 0, ApplicationExecutableHeader.Length);
+            byte[] codeBytes = ApplicationExecutableHelper.ExtractCode(imageBytes);
+
+            HashAlgorithm hashAlgorithm;
+            if (expectedHash.Length == 20)
+            {
+                hashAlgorithm = SHA1.Create();
+            }
+            else if (expectedHash.Length == 32)
+            {
+                hashAlgorithm = SHA256.Create();
+            }
+            else
+            {
+                throw new Exception("Unknown hash algorithm");
+            }
+            byte[] message = hashAlgorithm.ComputeHash(ByteUtils.Concatenate(imageHeader, codeBytes));
+            byte[] hash = HMAC(softwareID, hardwareID, message, hashAlgorithm);
+            return ByteUtils.AreByteArraysEqual(expectedHash, hash);
+        }
+
+        public static byte[] DecryptFileSignature(byte[] imageBytes)
+        {
+            List<byte[]> certificates = ApplicationExecutableHelper.ExtractCertificates(imageBytes);
+            if (certificates.Count > 0)
+            {
+                byte[] certificateBytes = certificates[0];
+                byte[] signatureBytes = ApplicationExecutableHelper.ExtractSignature(imageBytes);
+                RSAParameters rsaParameters = CertificateHelper.GetRSAParameters(certificateBytes);
+                byte[] decodedHash = RSAHelper.DecryptSignature(signatureBytes, rsaParameters);
+                return decodedHash;
+            }
+            else
+            {
+                throw new Exception("According to the header, the file does not contain a certificate");
+            }
+        }
+
+        private static byte[] HMAC(byte[] i_key, byte[] o_key, byte[] message, HashAlgorithm hashAlgorithm)
+        {
+            if (i_key.Length != 8 || o_key.Length != 8)
+            {
+                throw new ArgumentException("i_key and o_key must be 8 bytes long");
+            }
+            byte[] i_key_pad = new byte[8];
+            byte[] o_key_pad = new byte[8];
+            for (int index = 0; index < 8; index++)
+            {
+                i_key_pad[index] = (byte)(i_key[index] ^ 0x36);
+                o_key_pad[index] = (byte)(o_key[index] ^ 0x5C);
+            }
+
+            byte[] innerHash = hashAlgorithm.ComputeHash(ByteUtils.Concatenate(i_key_pad, message));
+            byte[] outerHash = hashAlgorithm.ComputeHash(ByteUtils.Concatenate(o_key_pad, innerHash));
+            return outerHash;
+        }
+    }
+}
@@ -0,0 +1,59 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Security;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using System.Text;
+using Utilities;
+
+namespace QualcommLibrary
+{
+    public class CertificateHelper
+    {
+        public static RSAParameters GetRSAParameters(string certificatePath)
+        {
+            byte[] certificateBytes = File.ReadAllBytes(certificatePath);
+            return GetRSAParameters(certificateBytes);
+        }
+
+        public static RSAParameters GetRSAParameters(byte[] certificateBytes)
+        {
+            X509Certificate2 x509certificate = new X509Certificate2(certificateBytes);
+            if (x509certificate.HasPrivateKey)
+            {
+                RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)x509certificate.PrivateKey;
+                return rsa.ExportParameters(true);
+            }
+            else
+            {
+                RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)x509certificate.PublicKey.Key;
+                return rsa.ExportParameters(false);
+            }
+        }
+
+        public static X509Certificate2 GetX509Certificate2(string certificatePath)
+        {
+            byte[] certificateBytes = File.ReadAllBytes(certificatePath);
+            X509Certificate2 x509certificate = new X509Certificate2(certificateBytes);
+            return x509certificate;
+        }
+
+        /// <summary>
+        /// TBS: To Be Signed - the portion of the X.509 certificate that is signed with the CA's private key.
+        /// </summary>
+        // http://www.codeproject.com/Questions/252741/Where-is-the-signature-value-in-the-certificate
+        public static byte[] ExtractTbsCertificate(byte[] certificateBytes)
+        {
+            if (certificateBytes[0] == 0x30 && certificateBytes[1] == 0x82)
+            {
+                if (certificateBytes[4] == 0x30 && certificateBytes[5] == 0x82)
+                {
+                    ushort length = BigEndianConverter.ToUInt16(certificateBytes, 6);
+                    return ByteReader.ReadBytes(certificateBytes, 4, 4 + (int)length);
+                }
+            }
+            throw new ArgumentException("The given certificate is not a BER-encoded ASN.1 X.509 certificate");
+        }
+    }
+}
@@ -0,0 +1,89 @@
+using System;
+using System.Collections.Generic;
+using System.Security;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using System.Text;
+using Utilities;
+
+namespace QualcommLibrary
+{
+    public class CertificateValidationHelper
+    {
+        public static byte[] SHA_160_PKCS_ID = new byte[] { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14 };
+        public static byte[] SHA_256_PKCS_ID = new byte[] { 0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };
+
+        public static int GetRootCertificateIndex(List<byte[]> certificates)
+        {
+            int index;
+            for (index = 0; index < certificates.Count; index++)
+            {
+                byte[] certificateBytes = certificates[index];
+                X509Certificate2 certificate = new X509Certificate2(certificateBytes);
+                if (certificate.Issuer == certificate.Subject)
+                {
+                    return index;
+                }
+            }
+            return -1;
+        }
+
+        public static bool VerifyCertificateChain(List<byte[]> certificates)
+        {
+            int rootCertificateIndex = GetRootCertificateIndex(certificates);
+            if (rootCertificateIndex == -1)
+            {
+                return false;
+            }
+
+            for (int index = 0; index < rootCertificateIndex; index++)
+            {
+                byte[] certificateBytes = certificates[index];
+                X509Certificate2 certificate = new X509Certificate2(certificateBytes);
+                byte[] issuingCertificateBytes = certificates[index + 1];
+                bool isValid = ValidateCertificate(issuingCertificateBytes, certificateBytes);
+                if (!isValid)
+                {
+                    return false;
+                }
+            }
+
+            return ValidateCertificate(certificates[rootCertificateIndex], certificates[rootCertificateIndex]);
+        }
+
+        public static bool ValidateCertificate(byte[] issuingCertificate, byte[] certificateToValidate)
+        {
+            RSAParameters rsaParameters = CertificateHelper.GetRSAParameters(issuingCertificate);
+            byte[] certificateSignature = ByteReader.ReadBytes(certificateToValidate, certificateToValidate.Length - 256, 256);
+            byte[] decodedSignature = RSAHelper.DecryptSignature(certificateSignature, rsaParameters);
+            byte[] tbsCertificate = CertificateHelper.ExtractTbsCertificate(certificateToValidate);
+            if (StartsWith(decodedSignature, SHA_256_PKCS_ID))
+            {
+                byte[] expectedHash = ByteReader.ReadBytes(decodedSignature, SHA_256_PKCS_ID.Length, 32);
+                byte[] hash = SHA256Managed.Create().ComputeHash(tbsCertificate);
+                return ByteUtils.AreByteArraysEqual(hash, expectedHash);
+
+            }
+            else if (StartsWith(decodedSignature, SHA_160_PKCS_ID))
+            {
+                byte[] expectedHash = ByteReader.ReadBytes(decodedSignature, SHA_160_PKCS_ID.Length, 20);
+                byte[] hash = SHA1Managed.Create().ComputeHash(tbsCertificate);
+                return ByteUtils.AreByteArraysEqual(hash, expectedHash);
+            }
+            else
+            {
+                throw new NotImplementedException("Unsupported Signature PKCS ID");
+            }
+        }
+
+        public static bool StartsWith(byte[] array1, byte[] array2)
+        {
+            if (array1.Length >= array2.Length)
+            {
+                byte[] start = ByteReader.ReadBytes(array1, 0, array2.Length);
+                return ByteUtils.AreByteArraysEqual(start, array2);
+            }
+            return false;
+        }
+    }
+}