I would like to suggest an idea for people who try to support any new device and are stuck with RSA validation, especially for flashing firmware without doing SPI/UART connections.
During the last days I was playing with https://github.com/vk496/x509hook, a simple POC where I play with the LD_PRELOAD feature of Linux. It allows you to hook any system/library call and replace it with your own implementation. This is widely used for things like:
Monitor memory usage of an application by hooking the free() and malloc() calls (Valgrind)
Hook network calls to analyze where an app tries to connect
Etc...
In my case, I was doing it for SSL certificate validation (and yes, it bypasses invalid certs), but the interesting part is here: why not use it to hook hash/signature calls and make them accept anything as valid?
There should be only two requirements, I guess:
The OEM writer/flasher must be dynamically linked (most probably)
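A pass-through monitoring hook of the kind listed above (logging every connect() target), as an added example that is not part of the original post or of x509hook; it assumes glibc, where the real libc function is found with dlsym(RTLD_NEXT):

```c
/* Added example: pass-through LD_PRELOAD hook that logs every connect() target.
 * Build: gcc -shared -fPIC -o hook_connect.so hook_connect.c -ldl
 * Run:   LD_PRELOAD=./hook_connect.so ./some_dynamically_linked_app   (assumes glibc) */
#define _GNU_SOURCE   /* RTLD_NEXT */
#include <arpa/inet.h>
#include <dlfcn.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

typedef int (*connect_fn)(int, const struct sockaddr *, socklen_t);

/* Observations kept by the hook: number of connect() calls seen and the last target. */
static unsigned long seen_calls = 0;
static char last_target[64] = "";

unsigned long hook_connect_count(void) { return seen_calls; }
const char *hook_last_target(void) { return last_target; }

/* Render an IPv4/IPv6 sockaddr as "ip:port"; other families just report the family number. */
static void describe_target(const struct sockaddr *sa, char *out, size_t outlen)
{
    char ip[INET6_ADDRSTRLEN] = "?";
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        inet_ntop(AF_INET, &in4->sin_addr, ip, sizeof ip);
        snprintf(out, outlen, "%s:%u", ip, ntohs(in4->sin_port));
    } else if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        inet_ntop(AF_INET6, &in6->sin6_addr, ip, sizeof ip);
        snprintf(out, outlen, "[%s]:%u", ip, ntohs(in6->sin6_port));
    } else {
        snprintf(out, outlen, "family=%d", sa->sa_family);
    }
}

/* Same name and signature as libc's connect(), so the dynamic linker binds the
 * application's calls here first when this object is preloaded. */
int connect(int fd, const struct sockaddr *addr, socklen_t len)
{
    static connect_fn real_connect = NULL;
    if (!real_connect)  /* resolve the next definition in search order, i.e. libc's */
        real_connect = (connect_fn)dlsym(RTLD_NEXT, "connect");
    seen_calls++;
    describe_target(addr, last_target, sizeof last_target);
    fprintf(stderr, "[hook] connect(fd=%d) -> %s\n", fd, last_target);
    return real_connect(fd, addr, len);  /* monitor only: behaviour is unchanged */
}
```

Two checks before relying on this: the target must be dynamically linked (`file` or `ldd` on the binary), and glibc ignores LD_PRELOAD for set-user-ID programs, so such tools need to be run without privilege elevation for the hook to load.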
Indeed, LD_PRELOAD is a more generic way, certainly better than patching out the checks in the factory flashing binaries.
As always, the devil is hidden in the details. It's not only about bypassing the RSA/signature crypto checks, but also about knowing the structure of the factory firmware image and providing images in a 100% compatible format (including some fake RSA signatures in the image), otherwise you would need to handle Bad Image Structure errors as well: