----- Forwarded message from [EMAIL PROTECTED] -----
Date: Tue, 20 Mar 2007 06:58:43 +0800
From: Franco Zavatti <[EMAIL PROTECTED]>
Reply-To: Franco Zavatti <[EMAIL PROTECTED]>
Subject: Re: [linux4nano] Firmware encryption
To: MAUGE Vincent <[EMAIL PROTECTED]>
(Sorry, can you forward this to the mailing list?)
I have already sent all the details about the Security block V1 on the
iPodLinux forum, but look at the end of this message, you will see...
In the firmware partition you usually have 3 files:
OSOS
RSCS
AUPD
Usually, OSOS and RSCS are decrypted. AUPD is encrypted. So I have
decrypted the AUPD file using an RC4 cipher and the 32-bit key from
the security block.
I have already written a memDumper for the 5G, but I don't have enough
knowledge of the Nano or of flash-based players. So I
don't think I'm the best person to write the memDumper. Anyone
interested?
Because I don't own a nano, it will be difficult for me to write the
memDumper code because it's all about trial and error!
Me, writing the code for someone else to try, will be too painful...
I don't have questions except about main flash storage access. Is the
main flash all memory mapped (you access it like normal RAM) or do you
need to use some kind of hardware interface?
If someone can try my solution and dump the flash ROM, we are OK to
decrypt the Retail OS.
I will be able to reverse the Security block V2 inner workings.
Here are the details about the Security Block V1.
The security block
If you have looked at the new firmware images recently, you may have
noticed the 512 bytes of random-looking data before every file. What's
that? That's the security block.
The security block tells you if the following file is protected or
not. And if it is, it will give you the key.
The RC4 stream cipher is used for the file protection, with a 32-bit
key that you can get out of the security block.
The security block contains 8 "markers". These markers can be enabled
or disabled. If all the markers are disabled, then the file is
unprotected. If one marker is enabled,
then the file is protected and you have to extract the key in order to
decrypt the file.
The markers are 32-bit values at precise locations in the block.
Here is the word offset for the 8 markers in the security block:
int[] offset={0x5,0x25,0x6f,0x69,0x15,0x4d,0x40,0x34};
To get the actual offset in bytes in the block, you have to multiply by 4.
To know more about marker properties and RC4 key extraction, please
refer to the source code example.
To decrypt the file, use a standard RC4 cipher.
---------------------------------
package Ipod.Firmware;

public class SecurityBlock {
    byte[] data;
    // Word offsets of the 8 markers; multiply by 4 for the byte offset in the block.
    private int[] offset = {0x5, 0x25, 0x6f, 0x69, 0x15, 0x4d, 0x40, 0x34};
    public int key;
    public boolean fileIsProtected = false;

    public SecurityBlock(byte[] rawData) {
        int constant = 0x54c3a298;
        int key = 0;
        data = rawData;
        int aMarker = 0;
        int pos = 0;
        for (int c = 0; c < 8; c++) {
            pos = offset[c] * 4;
            aMarker = readWord(rawData, pos);
            boolean result = testMarker(aMarker);
            // System.out.println("Marker =" + Integer.toHexString(aMarker) + " " + result);
            if (result) { // This marker is enabled
                fileIsProtected = true;
                // pos of next block (note: offset[c + 1] runs past the array
                // if the last marker, c == 7, is the enabled one)
                pos = (offset[c + 1] * 4) + 4;
                key = 0;
                int temp1 = aMarker;
                for (int count = 0; count < 2; count++) {
                    int word = readWord(data, pos);
                    temp1 = aMarker;
                    temp1 = temp1 ^ word;
                    temp1 = temp1 ^ constant;
                    key = temp1;
                    pos = pos + 4;
                }
                // Mix every pair of words of the whole block into r1
                int r1 = 0x6f;
                int r2 = 0;
                int r12;
                int r14;
                for (int count = 2; count < 128; count = count + 2) {
                    r2 = readWord(data, count * 4);
                    r12 = readWord(data, (count * 4) + 4);
                    r14 = r2 | (r12 >>> 16);
                    r2 = r2 & 0xffff;
                    r2 = r2 | r12;
                    r1 = r1 ^ r14;
                    r1 = r1 + r2;
                }
                key = key ^ r1;
                // Invert key, little endian (swap the 4 bytes)
                this.key = ((key & 0xff) << 24) | ((key & 0xff00) << 8)
                         | ((key & 0xff0000) >>> 8) | ((key & 0xff000000) >>> 24);
            }
        }
    }

    // Little-endian 32-bit word at byte offset pos (bytes are sign-extended in Java,
    // hence the +256 corrections)
    public static int readWord(byte[] buffer, int pos) {
        int p1 = buffer[pos];
        int p2 = buffer[pos + 1];
        int p3 = buffer[pos + 2];
        int p4 = buffer[pos + 3];
        if (p1 < 0) p1 = p1 + 256;
        if (p2 < 0) p2 = p2 + 256;
        if (p3 < 0) p3 = p3 + 256;
        if (p4 < 0) p4 = p4 + 256;
        return p1 + (p2 << 8) + (p3 << 16) + (p4 << 24);
    }

    // A marker is enabled when, after XORing every byte with the low byte,
    // the upper three bytes are increasing but their low nibbles are decreasing
    public boolean testMarker(int marker) {
        int mask = (marker & 0xff) | ((marker & 0xff) << 8) | ((marker & 0xff) << 16) | ((marker & 0xff) << 24);
        int decrypt = marker ^ mask;
        int temp1 = decrypt >>> 24;          // byte 3
        int temp2 = decrypt << 8;
        if (temp1 == 0) return false;
        temp2 = temp2 >>> 24;                // byte 2
        decrypt = decrypt << 16;
        decrypt = decrypt >>> 24;            // byte 1
        if ((temp1 < temp2) && (temp2 < decrypt)) {
            temp1 = temp1 & 0xf;
            temp2 = temp2 & 0xf;
            decrypt = decrypt & 0xf;
            if ((temp1 > temp2) && (temp2 > decrypt)) {
                if (decrypt != 0) return true; // This marker is enabled!
            }
        }
        return false;
    }
}
----- Original Message -----
From: "MAUGE Vincent" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [linux4nano] Firmware encryption
Date: Mon, 19 Mar 2007 19:41:52 +0100
Hello,
I am a member of linux4nano's team. I received your e-mail and it's
really interesting.
Can you explain which part of the memory you decrypted on the 5G
and the algorithm used (with a picture, for example)?
Concerning the memDumper, I can test it if you send me the code. We
don't know the ROM address for the moment, but we can suppose that
it is 0x0000.
Concerning the Firmware (which is updated by iTunes) of the nano2G, do you
still have some questions?
Vincent
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
--
_______________________________________________
Get your free email from http://mail.doramail.com
Powered by Outblaze
----- End of forwarded message -----
_______________________________________________
Linux4nano-dev mailing list
[email protected]
https://mail.gna.org/listinfo/linux4nano-dev
http://www.linux4nano.org