.github/workflows/mikrotik_patch_6.yml

@@ -17,7 +17,7 @@ env:
   CUSTOM_NPK_SIGN_PUBLIC_KEY: ${{ secrets.CUSTOM_NPK_SIGN_PUBLIC_KEY }}
   CUSTOM_CLOUD_PUBLIC_KEY: ${{ secrets.CUSTOM_CLOUD_PUBLIC_KEY }}
   MIKRO_LICENSE_PUBLIC_KEY: ${{ secrets.MIKRO_LICENSE_PUBLIC_KEY }}
-  MIKRO_NPK_SIGN_PUBLIC_KEY: ${{ secrets.MIKRO_NPK_SIGN_PUBLIC_KEY }}
+  MIKRO_NPK_SIGN_PUBLIC_LKEY: ${{ secrets.MIKRO_NPK_SIGN_PUBLIC_LKEY }}
   MIKRO_CLOUD_PUBLIC_KEY: ${{ secrets.MIKRO_CLOUD_PUBLIC_KEY }}
   MIKRO_LICENCE_URL: ${{ secrets.MIKRO_LICENCE_URL }}
   CUSTOM_LICENCE_URL: ${{ secrets.CUSTOM_LICENCE_URL }}

.github/workflows/mikrotik_patch_7.yml

@@ -16,7 +16,7 @@ env:
   CUSTOM_NPK_SIGN_PUBLIC_KEY: ${{ secrets.CUSTOM_NPK_SIGN_PUBLIC_KEY }}
   CUSTOM_CLOUD_PUBLIC_KEY: ${{ secrets.CUSTOM_CLOUD_PUBLIC_KEY }}
   MIKRO_LICENSE_PUBLIC_KEY: ${{ secrets.MIKRO_LICENSE_PUBLIC_KEY }}
-  MIKRO_NPK_SIGN_PUBLIC_KEY: ${{ secrets.MIKRO_NPK_SIGN_PUBLIC_KEY }}
+  MIKRO_NPK_SIGN_PUBLIC_LKEY: ${{ secrets.MIKRO_NPK_SIGN_PUBLIC_LKEY }}
   MIKRO_CLOUD_PUBLIC_KEY: ${{ secrets.MIKRO_CLOUD_PUBLIC_KEY }}
   MIKRO_LICENCE_URL: ${{ secrets.MIKRO_LICENCE_URL }}
   CUSTOM_LICENCE_URL: ${{ secrets.CUSTOM_LICENCE_URL }}

mikro.py

@@ -1,7 +1,8 @@
-import random
+
 import struct
 from sha256 import SHA256
 from toyecc import AffineCurvePoint, getcurvebyname, FieldElement,ECPrivateKey,ECPublicKey,Tools
+from toyecc.Random import secure_rand_int_between
 
 
 MIKRO_BASE64_CHARACTER_TABLE = b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
@@ -38,8 +39,8 @@ def mikro_softwareid_encode(id:int)->str:
   assert(isinstance(id, int))
   ret = ''
   for i in range(8):
-    ret += chr(SOFTWARE_ID_CHARACTER_TABLE[id % len(SOFTWARE_ID_CHARACTER_TABLE)])
-    id //= len(SOFTWARE_ID_CHARACTER_TABLE)
+    ret += chr(SOFTWARE_ID_CHARACTER_TABLE[id % 0x23])
+    id //= 0x23
     if i == 3:
       ret += '-'
   return ret
@@ -166,7 +167,7 @@ def mikro_kcdsa_sign(data:bytes,private_key:bytes)->bytes:
     private_key:ECPrivateKey = ECPrivateKey(Tools.bytestoint_le(private_key), curve)
     public_key:ECPublicKey = private_key.pubkey
     while True:
-        nonce_secret = random.SystemRandom().randint(1, curve.n - 1)
+        nonce_secret = secure_rand_int_between(1, curve.n - 1)
         nonce_point = nonce_secret * curve.G
         nonce = int(nonce_point.x) % curve.n
         nonce_hash = mikro_sha256(Tools.inttobytes_le(nonce,32))
@@ -204,4 +205,4 @@ def mikro_kcdsa_verify(data:bytes, signature:bytes, public_key:bytes)->bool:
         nonce = int((public_key * signature + curve.G * data_hash).x) 
         if mikro_sha256(Tools.inttobytes_le(nonce,32))[:len(nonce_hash)] == nonce_hash:
             return True
-    return False
+    return False

patch.py

@@ -84,22 +84,12 @@ def patch_initrd_xz(initrd_xz:bytes,key_dict:dict,ljust=True):
         if old_public_key in new_initrd:
             print(f'initrd public key patched {old_public_key[:16].hex().upper()}...')
             new_initrd = new_initrd.replace(old_public_key,new_public_key)
-    preset = 6
-    new_initrd_xz = lzma.compress(new_initrd,check=lzma.CHECK_CRC32,filters=[{"id": lzma.FILTER_LZMA2, "preset": preset }] )
-    while len(new_initrd_xz) > len(initrd_xz) and preset < 9:
-        print(f'preset:{preset}')
-        print(f'new initrd xz size:{len(new_initrd_xz)}')
-        print(f'old initrd xz size:{len(initrd_xz)}')
-        preset += 1
-        new_initrd_xz = lzma.compress(new_initrd,check=lzma.CHECK_CRC32,filters=[{"id": lzma.FILTER_LZMA2, "preset": preset }] )
-    if len(new_initrd_xz) > len(initrd_xz):
-        new_initrd_xz = lzma.compress(new_initrd,check=lzma.CHECK_CRC32,filters=[{"id": lzma.FILTER_LZMA2, "preset": 9 | lzma.PRESET_EXTREME,'dict_size': 32*1024*1024,"lc": 4,"lp": 0, "pb": 0,}] )
+    new_initrd_xz = lzma.compress(new_initrd,check=lzma.CHECK_CRC32,filters=[{"id": lzma.FILTER_LZMA2, "preset": 9,}] )
     if ljust:
-        print(f'preset:{preset}')
+        assert len(new_initrd_xz) <= len(initrd_xz),'new initrd xz size is too big'
         print(f'new initrd xz size:{len(new_initrd_xz)}')
         print(f'old initrd xz size:{len(initrd_xz)}')
         print(f'ljust size:{len(initrd_xz)-len(new_initrd_xz)}')
-        assert len(new_initrd_xz) <= len(initrd_xz),'new initrd xz size is too big'
         new_initrd_xz = new_initrd_xz.ljust(len(initrd_xz),b'\0')
     return new_initrd_xz
 
@@ -260,13 +250,13 @@ def patch_squashfs(path,key_dict):
                         print(f'{file} public key patched {old_public_key[:16].hex().upper()}...')
                         data = data.replace(old_public_key,new_public_key)
                         open(file,'wb').write(data)
+                data = open(file,'rb').read()
                 url_dict = {
                     os.environ['MIKRO_LICENCE_URL'].encode():os.environ['CUSTOM_LICENCE_URL'].encode(),
                     os.environ['MIKRO_UPGRADE_URL'].encode():os.environ['CUSTOM_UPGRADE_URL'].encode(),
                     os.environ['MIKRO_CLOUD_URL'].encode():os.environ['CUSTOM_CLOUD_URL'].encode(),
                     os.environ['MIKRO_CLOUD_PUBLIC_KEY'].encode():os.environ['CUSTOM_CLOUD_PUBLIC_KEY'].encode(),
                 }
-                data = open(file,'rb').read()
                 for old_url,new_url in url_dict.items():
                     if old_url in data:
                         print(f'{file} url patched {old_url.decode()[:7]}...')
@@ -341,7 +331,7 @@ if __name__ == '__main__':
     args = parser.parse_args()
     key_dict = {
         bytes.fromhex(os.environ['MIKRO_LICENSE_PUBLIC_KEY']):bytes.fromhex(os.environ['CUSTOM_LICENSE_PUBLIC_KEY']),
-        bytes.fromhex(os.environ['MIKRO_NPK_SIGN_PUBLIC_KEY']):bytes.fromhex(os.environ['CUSTOM_NPK_SIGN_PUBLIC_KEY'])
+        bytes.fromhex(os.environ['MIKRO_NPK_SIGN_PUBLIC_LKEY']):bytes.fromhex(os.environ['CUSTOM_NPK_SIGN_PUBLIC_KEY'])
     }
     kcdsa_private_key = bytes.fromhex(os.environ['CUSTOM_LICENSE_PRIVATE_KEY'])
     eddsa_private_key = bytes.fromhex(os.environ['CUSTOM_NPK_SIGN_PRIVATE_KEY'])