chore: add support for aea.DecryptConfig and B64SymKey arg

api/server/routes/ipsw/ipsw.go

@@ -85,7 +85,11 @@ func getFsFiles(pemDB string) gin.HandlerFunc {
 		}
 
 		if filepath.Ext(dmgPath) == ".aea" {
-			dmgPath, err = aea.Decrypt(dmgPath, filepath.Dir(dmgPath), nil, pemDbPath)
+			dmgPath, err = aea.Decrypt(&aea.DecryptConfig{
+				Input:  dmgPath,
+				Output: filepath.Dir(dmgPath),
+				PemDB:  pemDbPath,
+			})
 			if err != nil {
 				c.AbortWithStatusJSON(http.StatusInternalServerError, types.GenericError{Error: fmt.Sprintf("failed to parse AEA encrypted DMG: %v", err)})
 			}

cmd/ipsw/cmd/fw/aea.go

@@ -159,7 +159,12 @@ var aeaCmd = &cobra.Command{
 					return fmt.Errorf("failed to read pem file: %v", err)
 				}
 			}
-			out, err := aea.Decrypt(args[0], output, pemData, pemDB)
+			out, err := aea.Decrypt(&aea.DecryptConfig{
+				Input:       args[0],
+				Output:      output,
+				PrivKeyData: pemData,
+				PemDB:       pemDB,
+			})
 			if err != nil {
 				return fmt.Errorf("failed to parse AEA: %v", err)
 			}

cmd/ipsw/cmd/mdevs.go

@@ -104,7 +104,11 @@ var mdevsCmd = &cobra.Command{
 			log.Debugf("Found extracted %s", dmgPath)
 		}
 		if filepath.Ext(dmgPath) == ".aea" {
-			dmgPath, err = aea.Decrypt(dmgPath, filepath.Dir(dmgPath), nil, pemDB)
+			dmgPath, err = aea.Decrypt(&aea.DecryptConfig{
+				Input:  dmgPath,
+				Output: filepath.Dir(dmgPath),
+				PemDB:  pemDB,
+			})
 			if err != nil {
 				return fmt.Errorf("failed to parse AEA encrypted DMG: %v", err)
 			}

cmd/ipsw/cmd/sb/sb_diff.go

@@ -118,7 +118,11 @@ var sbDiffCmd = &cobra.Command{
 				}
 
 				if filepath.Ext(dmgPath) == ".aea" {
-					dmgPath, err = aea.Decrypt(dmgPath, filepath.Dir(dmgPath), nil, pemDB)
+					dmgPath, err = aea.Decrypt(&aea.DecryptConfig{
+						Input:  dmgPath,
+						Output: filepath.Dir(dmgPath),
+						PemDB:  pemDB,
+					})
 					if err != nil {
 						return fmt.Errorf("failed to parse AEA encrypted DMG: %v", err)
 					}

internal/commands/ent/ent.go

@@ -259,7 +259,7 @@ func DiffDatabases(db1, db2 map[string]string, conf *Config) (string, error) {
 	return dat.String(), nil
 }
 
-func scanEnts(ipswPath, dmgPath, dmgType, pemDB string) (map[string]string, error) {
+func scanEnts(ipswPath, dmgPath, dmgType, pemDbPath string) (map[string]string, error) {
 	// check if filesystem DMG already exists (due to previous mount command)
 	if _, err := os.Stat(dmgPath); os.IsNotExist(err) {
 		dmgs, err := utils.Unzip(ipswPath, "", func(f *zip.File) bool {
@@ -278,7 +278,11 @@ func scanEnts(ipswPath, dmgPath, dmgType, pemDB string) (map[string]string, erro
 
 	if filepath.Ext(dmgPath) == ".aea" {
 		var err error
-		dmgPath, err = aea.Decrypt(dmgPath, filepath.Dir(dmgPath), nil, pemDB)
+		dmgPath, err = aea.Decrypt(&aea.DecryptConfig{
+			Input:  dmgPath,
+			Output: filepath.Dir(dmgPath),
+			PemDB:  pemDbPath,
+		})
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse AEA encrypted DMG: %v", err)
 		}

internal/commands/mount/mount.go

@@ -42,7 +42,7 @@ func (c Context) Unmount() error {
 }
 
 // DmgInIPSW will mount a DMG from an IPSW
-func DmgInIPSW(path, typ, pemDB string) (*Context, error) {
+func DmgInIPSW(path, typ, pemDbPath string) (*Context, error) {
 	ipswPath := filepath.Clean(path)
 
 	i, err := info.Parse(ipswPath)
@@ -101,7 +101,11 @@ func DmgInIPSW(path, typ, pemDB string) (*Context, error) {
 
 	if filepath.Ext(extractedDMG) == ".aea" {
 		defer os.Remove(extractedDMG) // remove the encrypted AEA DMG decrypting and mounting
-		extractedDMG, err = aea.Decrypt(extractedDMG, filepath.Dir(extractedDMG), nil, pemDB)
+		extractedDMG, err = aea.Decrypt(&aea.DecryptConfig{
+			Input:  extractedDMG,
+			Output: filepath.Dir(extractedDMG),
+			PemDB:  pemDbPath,
+		})
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse AEA encrypted DMG: %v", err)
 		}

internal/diff/diff.go

@@ -318,7 +318,11 @@ func mountDMG(ctx *Context) (err error) {
 		utils.Indent(log.Debug, 2)(fmt.Sprintf("Found extracted %s", ctx.SystemOsDmgPath))
 	}
 	if filepath.Ext(ctx.SystemOsDmgPath) == ".aea" {
-		ctx.SystemOsDmgPath, err = aea.Decrypt(ctx.SystemOsDmgPath, filepath.Dir(ctx.SystemOsDmgPath), nil, ctx.PemDB)
+		ctx.SystemOsDmgPath, err = aea.Decrypt(&aea.DecryptConfig{
+			Input:  ctx.SystemOsDmgPath,
+			Output: filepath.Dir(ctx.SystemOsDmgPath),
+			PemDB:  ctx.PemDB,
+		})
 		if err != nil {
 			return fmt.Errorf("failed to parse AEA encrypted DMG: %v", err)
 		}

internal/search/search.go

@@ -39,7 +39,11 @@ func scanDmg(ipswPath, dmgPath, dmgType, pemDB string, handler func(string, stri
 	}
 	if filepath.Ext(dmgPath) == ".aea" {
 		var err error
-		dmgPath, err = aea.Decrypt(dmgPath, filepath.Dir(dmgPath), nil, pemDB)
+		dmgPath, err = aea.Decrypt(&aea.DecryptConfig{
+			Input:  dmgPath,
+			Output: filepath.Dir(dmgPath),
+			PemDB:  pemDB,
+		})
 		if err != nil {
 			return fmt.Errorf("failed to parse AEA encrypted DMG: %v", err)
 		}

internal/utils/macos.go

@@ -604,7 +604,11 @@ func ExtractFromDMG(ipswPath, dmgPath, destPath, pemDB string, pattern *regexp.R
 
 	if filepath.Ext(dmgPath) == ".aea" {
 		var err error
-		dmgPath, err = aea.Decrypt(dmgPath, filepath.Dir(dmgPath), nil, pemDB)
+		dmgPath, err = aea.Decrypt(&aea.DecryptConfig{
+			Input:  dmgPath,
+			Output: filepath.Dir(dmgPath),
+			PemDB:  pemDB,
+		})
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse AEA encrypted DMG: %v", err)
 		}

pkg/aea/decrypt.go

@@ -253,27 +253,45 @@ func aeaDecrypt(in, out string, akey []byte) (string, error) {
 	return out, nil
 }
 
-func Decrypt(in, out string, privKeyData []byte, pemDB string) (string, error) {
-	metadata, err := Info(in)
+type DecryptConfig struct {
+	Input       string // Input AEA file
+	Output      string // Output directory
+	PrivKeyData []byte // Private key data
+	B64SymKey   string // Base64 encoded Symmetric encryption key
+	PemDB       string // Path to PEM database
+
+	symEncKey []byte // Symmetric encryption key bytes
+}
+
+func Decrypt(c *DecryptConfig) (string, error) {
+	metadata, err := Info(c.Input)
 	if err != nil {
 		return "", fmt.Errorf("failed to parse AEA: %v", err)
 	}
 
-	wkey, err := metadata.DecryptFCS(privKeyData, pemDB)
-	if err != nil {
-		return "", fmt.Errorf("failed to HPKE decrypt fcs-key: %v", err)
+	if c.B64SymKey == "" {
+		c.symEncKey, err = metadata.DecryptFCS(c.PrivKeyData, c.PemDB)
+		if err != nil {
+			return "", fmt.Errorf("failed to HPKE decrypt fcs-key: %v", err)
+		}
+		c.B64SymKey = base64.StdEncoding.EncodeToString(c.symEncKey)
+	} else {
+		c.symEncKey, err = base64.StdEncoding.WithPadding(base64.StdPadding).DecodeString(c.B64SymKey)
+		if err != nil {
+			return "", fmt.Errorf("failed to decode base64 sym key: %v", err)
+		}
 	}
 
 	// if true {
 	if _, err := os.Stat(aeaBinPath); os.IsNotExist(err) { // 'aea' binary NOT found (linux/windows)
 		log.Info("Using pure Go implementation for AEA decryption")
-		return aeaDecrypt(in, filepath.Join(out, filepath.Base(strings.TrimSuffix(in, filepath.Ext(in)))), wkey)
+		return aeaDecrypt(c.Input, filepath.Join(c.Output, filepath.Base(strings.TrimSuffix(c.Input, filepath.Ext(c.Input)))), c.symEncKey)
 	}
 	// use 'aea' binary (as is the fastest way to decrypt AEA on macOS)
 	return aea(
-		in,
-		filepath.Join(out, filepath.Base(strings.TrimSuffix(in, filepath.Ext(in)))),
-		base64.StdEncoding.EncodeToString(wkey),
+		c.Input,
+		filepath.Join(c.Output, filepath.Base(strings.TrimSuffix(c.Input, filepath.Ext(c.Input)))),
+		c.B64SymKey,
 	)
 }
 

pkg/dyld/extract.go

@@ -188,7 +188,11 @@ func Extract(ipsw, destPath, pemDB string, arches []string, driverkit, all bool)
 	}
 
 	if filepath.Ext(dmgPath) == ".aea" {
-		dmgPath, err = aea.Decrypt(dmgPath, filepath.Dir(dmgPath), nil, pemDB)
+		dmgPath, err = aea.Decrypt(&aea.DecryptConfig{
+			Input:  dmgPath,
+			Output: filepath.Dir(dmgPath),
+			PemDB:  pemDB,
+		})
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse AEA encrypted DMG: %v", err)
 		}