diff --git a/webif/html/settings/modules/advanced/init.hook b/webif/html/settings/modules/advanced/init.hook
index abecda1..03abd9e 100644
--- a/webif/html/settings/modules/advanced/init.hook
+++ b/webif/html/settings/modules/advanced/init.hook
@@ -13,16 +13,30 @@ if {[cgi_get act] eq "xtelnet"} {
 if {[cgi_get act] eq "cryptokey"} {
 set val [cgi_get cryptokey ""]
- if {[string length "$val"] == 0} {
- set val [system encryptionkey]
- puts "Using native encryption key.
"
+ set nkey [system encryptionkey]
+ if {$val eq "" || [string equal -nocase $val $nkey]} {
+ if {[system customencryptionkey] ne ""} {
+ system customencryptionkey $nkey
+ system nugget cryptokey -init
+ puts "Using native encryption key."
+ } else {
+ puts "Native key unchanged."
+ }
+ set cryptokey ""
 } elseif {[string length $val] != 32} {
- puts "Encryption key is too short."
- exit
+ puts "Encryption key must be 32 hexadecimal digits."
+ } else {
+ if {[string equal -nocase $val [system customencryptionkey]]} {
+ puts "Custom key unchanged."
+ } elseif {[set customkey [system customencryptionkey $val]] ne ""} {
+ set cryptokey $customkey
+ system nugget cryptokey -init
+ puts "Installed new encryption key."
+ } else {
+ puts "Failed to install encryption key $val"
 }
- file write "/mod/boot/cryptokey" [binary format H* $val]
- system nugget cryptokey -init
- puts "Installed new encryption key."
+ }
+ puts "
"
 exit
 }
@@ -33,15 +47,7 @@ set logsize [$settings logsize]
 set logkeep [$settings logkeep]
 set logage [$settings logage]
-set cryptokey [system encryptionkey]
-if {![catch {set ck_fd [open "/mod/boot/cryptokey"]}]} {
- set ck_bytes [$ck_fd read 16]
- $ck_fd close
- binary scan $ck_bytes H* ck_key
- if {[string length $ck_key] == 32} {
- set cryptokey $ck_key
- }
-}
+set cryptokey [system customencryptionkey]
 handle_int_update pkgdev $pkgdev "Development Package Display"
 handle_int_update rtschedule $rtschedule "Real-time scheduling"
diff --git a/webif/html/settings/modules/advanced/settings.hook b/webif/html/settings/modules/advanced/settings.hook
index 02d0ebe..5e340c8 100755
--- a/webif/html/settings/modules/advanced/settings.hook
+++ b/webif/html/settings/modules/advanced/settings.hook
@@ -60,7 +60,7 @@ puts " +
@@ -71,7 +71,21 @@ puts "
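Review bot: In the first init.hook hunk, the failure branch writes the request parameter back into the response unescaped: `puts "Failed to install encryption key $val"` prints whatever `cgi_get cryptokey` returned, and the only check it has passed by then is the 32-character length test. If the settings page renders this output as HTML, markup in the parameter would be interpreted, and the rejected key value is put on screen as well. I would drop the value from the message, `puts "Failed to install encryption key."`. The `set cryptokey ""` and `set cryptokey $customkey` assignments in the same block look dead, since the block runs `exit` before anything reads them.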
- + " +puts { + +} +puts "
Native encryption key - [system encryptionkey]
[system encryptionkey]
diff --git a/webif/include/modversion.jim b/webif/include/modversion.jim
index 85c7493..43b5a36 100755
--- a/webif/include/modversion.jim
+++ b/webif/include/modversion.jim
@@ -20,7 +20,10 @@ puts "
Loader Version: [system loaderver]"
 puts "
System ID: [system systemid]"
 puts "
Serial Number: [system serialno]"
 if {$mws::pagetag eq "Diagnostics"} {
- puts "
Encryption Key: [system encryptionkey]"
+ puts "
Native Encryption Key: [system encryptionkey]"
+ if {[set customkey [system customencryptionkey]] ne ""} {
+ puts "
Custom Encryption Key: $customkey"
+ }
 }
 puts "
Last Boot Reason: [system lastbootreason]"
diff --git a/webif/lib/system.class b/webif/lib/system.class
index e0ffb9a..581d70e 100644
--- a/webif/lib/system.class
+++ b/webif/lib/system.class
@@ -143,6 +143,13 @@ proc {system serialno} {} {{serial ""}} {
 string range $bytes 9 end]"
 return $serial
 }
+proc {system keybytestostring} {key_bytes} {
+ binary scan $key_bytes H* key_str
+ if {[string length $key_str] == 32} {
+ return $key_str
+ }
+ return {}
+}
 proc {system encryptionkey} {} {{key ""}} {
 if {$key ne ""} { return $key }
@@ -152,8 +159,46 @@ proc {system encryptionkey} {} {{key ""}} {
 $fd seek 0xcb800
 append bytes [$fd read 10]
 $fd close
- binary scan $bytes H* key
- return $key
+ return [system keybytestostring $bytes]
+}
+
+proc {system customencryptionkey} {{key ""}} {{keyfile "/mod/boot/cryptokey"}} {
+
+ set ck_fd {}
+ try {
+ if {$key eq ""} {
+ set ck_fd [open $keyfile r]
+ set ck_bytes [$ck_fd read 16]
+ return [system keybytestostring $ck_bytes]
+ } elseif {[string equal -nocase $key [system encryptionkey]]} {
+ file delete -force $keyfile
+ return $key
+ } else {
+ set ck_bytes [binary format H* $key]
+ set test [system keybytestostring $ck_bytes]
+ if {![string equal -nocase $test $key]} {
+ throw 1 "Invalid custom key"
+ }
+ if {[file exists $keyfile]} {
+ # attempt not to truncate on update until written
+ set access r+
+ } else {
+ set access w
+ }
+ set ck_fd [open $keyfile $access]
+ $ck_fd seek 0
+ $ck_fd puts -nonewline $ck_bytes
+ $ck_fd close
+ set ck_fd {}
+ return $key
+ }
+ } on error {msg opts} {
+ return {}
+ } finally {
+ if {$ck_fd ne {}} {
+ $ck_fd close
+ }
+ }
 }
 proc {system loaderver} {} {{ver ""}} {
diff --git a/webif/lib/ts.class b/webif/lib/ts.class
index bcfe270..526814a 100644
--- a/webif/lib/ts.class
+++ b/webif/lib/ts.class
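Review bot: In the modversion.jim hunk, the added lines print the custom key in clear text on the Diagnostics page, next to the native key that was already shown there. If Diagnostics output is something users copy into support requests (an assumption, since the page's audience is not visible here), this hands out key material along with it. Consider reporting only that a custom key is present, for example `puts "Custom Encryption Key: set"`, and leaving the value to the settings page.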
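Review bot: In the second system.class hunk, `system encryptionkey` no longer fills its static cache. The removed `binary scan $bytes H* key` was what assigned the static `key`; the new `return [system keybytestostring $bytes]` returns without assigning it, so the `if {$key ne ""} { return $key }` guard never hits and every call re-reads the device. The open and first read sit outside the hunk, so this assumes nothing there sets `key`. Suggest `set key [system keybytestostring $bytes]` followed by `return $key`. In `system customencryptionkey`, the `on error {msg opts} { return {} }` arm makes a failed read or write indistinguishable from "no custom key"; a comment stating that this is intended would help the next reader.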
@@ -863,16 +863,9 @@ ts method getkey {mode} {
 }
 if { $mode ne "dlna" } {
 # also try other keys, such as this - same as active?
- try {
- set fd [open "/mod/boot/cryptokey"]
- set bytes [$fd read 16]
- binary scan $bytes H* key
- if {[string length $key] == 32} {
- ladd keys $key
- }
- } on error {} {
- } finally {
- catch {$fd close}
+ set key [system customencryptionkey]
+ if {$key ne ""} {
+ ladd keys $key
 }
 # the native key