How do I find the decryption key of an android app using Frida?

[agg00]

Hi everyone! I've been reverse-engineering an Android app for a set of Bluetooth headphones, and my goal is to find the keys to decrypt the firmware. I obtained the firmware by intercepting the traffic between the device and the server.

In the code, I've found some parts that look like they should handle decryption, but it doesn't seem like these methods are actually being used in the application. I'm having difficulty tracking down the keys or identifying where and how they are applied to decrypt the firmware.

Here is the code I found that seems to handle the decryption process, but it doesn't appear to be utilized within the app.

    public final long k(k6.o oVar) {
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
            try {
                cipher.init(2, new SecretKeySpec(this.f20556b, "AES"), new IvParameterSpec(this.f20557c));
                k6.m mVar = new k6.m(this.f20555a, oVar);
                this.f20558d = new CipherInputStream(mVar, cipher);
                mVar.a();
                return -1L;
            } catch (InvalidAlgorithmParameterException | InvalidKeyException e10) {
                throw new RuntimeException(e10);
            }
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e11) {
            throw new RuntimeException(e11);
        }
    }    public final long k(k6.o oVar) {
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
            try {
                cipher.init(2, new SecretKeySpec(this.f20556b, "AES"), new IvParameterSpec(this.f20557c));
                k6.m mVar = new k6.m(this.f20555a, oVar);
                this.f20558d = new CipherInputStream(mVar, cipher);
                mVar.a();
                return -1L;
            } catch (InvalidAlgorithmParameterException | InvalidKeyException e10) {
                throw new RuntimeException(e10);
            }
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e11) {
            throw new RuntimeException(e11);
        }
    }

 

I've been using Frida to hook methods and classes related to encryption, but despite finding relevant classes for AES encryption (like com.android.org.conscrypt.OpenSSLEvpCipherAES$AES$CTR and com.android.org.conscrypt.OpenSSLAeadCipherAES$GCM), I can't seem to find where the actual decryption keys are being used or how the firmware is decrypted.

If anyone has any insights on how I can track the usage of keys or what I might be missing, I’d really appreciate any help or suggestions!

Thanks in advance!! :)