#!/usr/bin/env python # # Copyright 2018 The Android Open Source Project # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. """Helper tool for performing an authenticated AVB unlock of an Android Things device. This tool communicates with an Android Things device over fastboot to perform an authenticated AVB unlock. The user provides unlock credentials valid for the device they want to unlock, likely obtained from the Android Things Developer Console. The tool handles the sequence of fastboot commands to complete the challenge-response unlock protocol. Unlock credentials can be provided to the tool in one of two ways: 1) by providing paths to the individual credential files using the '--pik_cert', '--puk_cert', and '--puk' command line swtiches, or 2) by providing a path to a zip archive containing the three credential files, named as follows: - Product Intermediate Key (PIK) certificate: 'pik_certificate.*\.bin' - Product Unlock Key (PUK) certificate: 'puk_certificate.*\.bin' - PUK private key: 'puk.*\.pem' You can also provide one or more archives and/or one or more directories containing such zip archives. In either scenario, the tool will search all of the provided credential archives for a match against the product ID of the device being unlocked and automatically use the first match. This tool also clears the factory partition persistent digest unless the --clear_factory_digest=false option is used. There is no harm to clear this digest even if changes to the factory partition are not planned. Dependencies: - Python 2.7.x, 3.2.x, or newer (for argparse) - PyCrypto 2.5 or newer (for PKCS1_v1_5 and RSA PKCS#8 PEM key import) - Android SDK Platform Tools (for fastboot), in PATH - https://developer.android.com/studio/releases/platform-tools """ HELP_DESCRIPTION = """Performs an authenticated AVB unlock of an Android Things device over fastboot, given valid unlock credentials for the device.""" HELP_USAGE = """ %(prog)s [-h] [-v] [-s SERIAL] [--clear_factory_digest=true|false] unlock_creds.zip [unlock_creds_2.zip ...] %(prog)s --pik_cert pik_cert.bin --puk_cert puk_cert.bin --puk puk.pem""" HELP_EPILOG = """examples: %(prog)s unlock_creds.zip %(prog)s unlock_creds.zip unlock_creds_2.zip -s SERIAL %(prog)s path_to_dir_with_multiple_unlock_creds/ %(prog)s --pik_cert pik_cert.bin --puk_cert puk_cert.bin --puk puk.pem""" import sys ver = sys.version_info if (ver[0] < 2) or (ver[0] == 2 and ver[1] < 7) or (ver[0] == 3 and ver[1] < 2): print('This script requires Python 2.7+ or 3.2+') sys.exit(1) import argparse import binascii import os import re import shutil import struct import subprocess import tempfile import zipfile # Requires PyCrypto 2.5 (or newer) for PKCS1_v1_5 and support for importing # PEM-encoded RSA keys try: from Crypto.Hash import SHA512 from Crypto.PublicKey import RSA from Crypto.Signature import PKCS1_v1_5 except ImportError as e: print('PyCrypto 2.5 or newer required, missing or too old: ' + str(e)) class UnlockCredentials(object): """Helper data container class for the 3 unlock credentials involved in an AVB authenticated unlock operation. """ def __init__(self, intermediate_cert_file, unlock_cert_file, unlock_key_file, source_file=None): # The certificates are AvbAtxCertificate structs as defined in libavb_atx, # not an X.509 certificate. Do a basic length sanity check when reading # them. EXPECTED_CERTIFICATE_SIZE = 1620 with open(intermediate_cert_file, 'rb') as f: self._intermediate_cert = f.read() if len(self._intermediate_cert) != EXPECTED_CERTIFICATE_SIZE: raise ValueError('Invalid intermediate key certificate length.') with open(unlock_cert_file, 'rb') as f: self._unlock_cert = f.read() if len(self._unlock_cert) != EXPECTED_CERTIFICATE_SIZE: raise ValueError('Invalid product unlock key certificate length.') with open(unlock_key_file, 'rb') as f: self._unlock_key = RSA.importKey(f.read()) if not self._unlock_key.has_private(): raise ValueError('Unlock key was not an RSA private key.') self._source_file = source_file @property def intermediate_cert(self): return self._intermediate_cert @property def unlock_cert(self): return self._unlock_cert @property def unlock_key(self): return self._unlock_key @property def source_file(self): return self._source_file @classmethod def from_credential_archive(cls, archive): """Create UnlockCredentials from an unlock credential zip archive. The zip archive must contain the following three credential files, named as follows: - Product Intermediate Key (PIK) certificate: 'pik_certificate.*\.bin' - Product Unlock Key (PUK) certificate: 'puk_certificate.*\.bin' - PUK private key: 'puk.*\.pem' This uses @contextlib.contextmanager so we can clean up the tempdir created to unpack the zip contents into. Arguments: - archive: Filename of zip archive containing unlock credentials. Raises: ValueError: If archive is either missing a required file or contains multiple files matching one of the filename formats. """ def _find_one_match(contents, regex, desc): r = re.compile(regex) matches = list(filter(r.search, contents)) if not matches: raise ValueError( "Couldn't find {} file (matching regex '{}') in archive {}".format( desc, regex, archive)) elif len(matches) > 1: raise ValueError( "Found multiple files for {} (matching regex '{}') in archive {}" .format(desc, regex, archive)) return matches[0] tempdir = tempfile.mkdtemp() try: with zipfile.ZipFile(archive, mode='r') as zip: contents = zip.namelist() pik_cert_re = r'^pik_certificate.*\.bin$' pik_cert = _find_one_match(contents, pik_cert_re, 'intermediate key (PIK) certificate') puk_cert_re = r'^puk_certificate.*\.bin$' puk_cert = _find_one_match(contents, puk_cert_re, 'unlock key (PUK) certificate') puk_re = r'^puk.*\.pem$' puk = _find_one_match(contents, puk_re, 'unlock key (PUK)') zip.extractall(path=tempdir, members=[pik_cert, puk_cert, puk]) return cls( intermediate_cert_file=os.path.join(tempdir, pik_cert), unlock_cert_file=os.path.join(tempdir, puk_cert), unlock_key_file=os.path.join(tempdir, puk), source_file=archive) finally: shutil.rmtree(tempdir) class UnlockChallenge(object): """Helper class for parsing the AvbAtxUnlockChallenge struct returned from 'fastboot oem at-get-vboot-unlock-challenge'. The file provided to the constructor should be the full 52-byte AvbAtxUnlockChallenge struct, not just the challenge itself. """ def __init__(self, challenge_file): CHALLENGE_STRUCT_SIZE = 52 PRODUCT_ID_HASH_SIZE = 32 CHALLENGE_DATA_SIZE = 16 with open(challenge_file, 'rb') as f: data = f.read() if len(data) != CHALLENGE_STRUCT_SIZE: raise ValueError('Invalid unlock challenge length.') self._version, self._product_id_hash, self._challenge_data = struct.unpack( '