I don't have one of these newer BS firmware radios, but this is what I've found from the provided updater
total data portion is 66720 bytes. Is this a 128K flash MCU?
header: 6 bytes, xor'd with 0x57
b[0:1] - length of payload, big endian
b[2:5] - target address or offset of data block, 32 bits, big endian
data portion of the blocks is thus 0x801 (2049) bytes long, too long by one byte. doing some checks, the last byte doesn't seem to be a basic checksum. could be some other checksum method. is the last byte extra or is it some byte in the middle? can this byte be ignored or is it important?
(edit: is confirmed the last byte is not the data, but we still don't know what it is yet. likely a checksum of some kind but I don't think it is simple summation.)
here's a breakdown of the 31st data block, which has ASCII text:
08 00 (length)
00 00 F0 00 (address / offset)
and a breakdown of 33rd (last) data block, which has a different length:
04 a0 (only 1184 bytes)
00 01 00 00 (address / offset)
Using XOR 0x5F on the first data block gives what could be an ARM vector table (stack pointer looks sane, a couple jumps point to PC change) though almost every vector points to a block filled with 0xE7FEE7FE. I don't reverse engineer much; is this some compiler filler or intentional?
Just a guess but it looks like the blocks are in groups of four. each block of these four is xor'd with [0x1f, 0x17, 0x0f, 0x07] though the first three bits of each page differ. so the first 4 blocks add 0x40, blocks 5-8 add 0x60, blocks 9-12 add 0x00... I don't know a pattern yet. where does the pattern come from? is it hardcoded or does it have to do with that extra byte? haven't checked in depth yet.
(edit: I believe the key uses a bit pattern: 2, 1, 0, 3, then left shifted 1: 6, 5, 4, 7. doing this creates a table which I have attached. I've not yet assembled the firmware to determine if this is valid but this pattern results in some sensical data, gives 0x5F for the first block and gives 0xAF for the block with ASCII. this pattern seems to work for the first 32 blocks. I don't know what should be used for the 33rd block.)
I don't know if a single byte key is used for each entire block as the entire firmware seems filled with data, so there aren't good zeroed out areas to test. Would have to test all values until getting valid and sane looking ARM code but it's harder to do (though possible) with block chunks.
I haven't checked the MCU datasheet to determine if there is a built-in bootloader. Perhaps there is a built-in ROM bootloader that will let us read contents. I would guess the bootloader used for updates is not a ROM bootloader since it has this encryption stuff and weird protocol. Where is it located? Does this MCU have a way of jumping to different base address when booting, or is the main firmware responsible for jumping to the bootloader upon button held at boot? I ask this because the potential vector table in the decrypted firmware points to early addresses, so this firmware is likely loaded at the beginning of flash and executed first.
I'll keep working on this BS series firmware stuff if you ultimately can't figure it out with this information.
Right now my efforts are on getting the key for the BQ firmware (8051) key. Just a note: the TEA encryption is slightly modified in SinOne's tools and library code. I may try out of band attacks on this chip in April or May to recover the key if a key is not discovered by then.