Skip to content

Finding encryption keys

Introduction

Tip

Before proceeding with this method, try using ltchiptool's Get chip info function. It will read eFuse, which may reveal the raw encryption key. If you see all 00000000s, then the eFuse is readout-protected and the key cannot be extracted in this simple way.

3-rd party firmware for Beken chips must be compiled with a flash encryption key matching the one programmed into the chip. Incorrect keys will make the firmware unable to run.

The bk72xx-bootloader-dump firmware might make it easier to find the encryption key of BK7231N/BK7231T chips.

The key is made of four 32-bit integers; the default key is usually 510fb093 a3cbeadc 5993a17e c7adeb03 (used by Beken and Tuya on most devices), but devices with different keys have been recently discovered (likely from other manufacturers).

If your device doesn't use the default keys (i.e. 3-rd party firmware doesn't boot up, or it hangs on bootloader logs), you can try using this firmware file to extract the keys from the bootloader.

Why this works (and when it doesn't)

The bootloader has its own copy of the keys. It uses that to encrypt firmware on-the-fly when applying OTA updates.

Files downloaded during an OTA update are not encrypted using the main encryption keys, so the bootloader must encrypt them before flashing to the app partition. This method works by flashing firmware directly to the OTA partition. It is then unpacked and encrypted properly by the bootloader.

However, OTA update packages are encrypted using AES - for this method to work, the AES key must be known in advance.

Most of the time, a simple 0123456789ABCDEF key is used for OTA AES. We have seen manufacturers using different keys - this method will not work in that case.

Additionally, OTA packages don't have to be encrypted - some bootloaders allow that, some don't. Using an unencrypted package is worth trying if your device uses a non-standard OTA AES key.

Prerequisites

  1. A working computer with a working UART flashing setup. The preferred flashing tool is ltchiptool. You should have at least some prior experience with dumping or flashing firmware.
  2. A full factory firmware dump of the device you're working on. This is mostly in case something goes wrong, but may also be necessary to read OTA partition offsets from.
  3. A serial terminal (such as the ltchiptool-terminal plugin).

To be continued