Open cheng3100 opened 1 year ago
One way to get xor key is to bruteforce it by known strings in binary.
I think if there is some long 0x00 or 0xff bytes in the serial transfer then it should work.
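The two comments above describe two ways of recovering a repeating XOR key: deriving it from a string you expect to find in the plaintext, and reading it straight off a stretch of ciphertext that covers a run of 0x00 or 0xff bytes (since x ^ 0x00 == x, the ciphertext there is just the key stream). The block below is an added, self-contained illustration of both approaches and is not one of the repository's own scripts; the key, the plaintext "image", the key length and the known string are all constructed for the demo and are not the values used by any real radio. The point it makes for a defender is that a repeating XOR is obfuscation, not encryption: a handful of bytes of predictable content is enough to recover the whole key.

```python
"""Recovering a repeating-XOR obfuscation key from a firmware blob.

Added, self-contained example; it is not one of the repository's own
scripts.  The key, the plaintext image and the "known string" below are
all constructed for the demo and are not the values of any real device.
"""

KEY_LEN = 16                       # assumed key period (constructed)
KEY = bytes(range(0x10, 0x20))     # constructed 16-byte key, NOT a real one

# Constructed plaintext image: a header, a long run of 0x00 (padding),
# a recognisable string, and a run of 0xff (erased flash).
KNOWN = b"Hello from the constructed demo firmware image"
PLAIN = b"DEMO-IMAGE-HEADER v0.1" + b"\x00" * 48 + KNOWN + b"\xff" * 32
BLOB = bytes(b ^ KEY[i % KEY_LEN] for i, b in enumerate(PLAIN))  # what a dump would look like


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated cyclically; packing and unpacking are the same op."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def keys_from_known_plaintext(blob, known, key_len):
    """Slide `known` over the blob.  At each offset, derive the key byte each
    position implies; keep the offset only if every key slot is implied
    consistently and every slot is covered.  Needs len(known) > key_len for
    the consistency check to reject wrong offsets."""
    hits = []
    for off in range(len(blob) - len(known) + 1):
        slots = [None] * key_len
        for i, p in enumerate(known):
            k = blob[off + i] ^ p
            s = (off + i) % key_len
            if slots[s] is None:
                slots[s] = k
            elif slots[s] != k:
                break                      # contradiction: wrong offset
        else:
            if None not in slots:
                hits.append((off, bytes(slots)))
    return hits


def keys_from_periodic_runs(blob, key_len):
    """A run of identical plaintext bytes (0x00 or 0xff) makes the ciphertext
    repeat with the key's period.  Every window of 2*key_len bytes whose two
    halves match yields a candidate (0x00 gives the key itself, 0xff its
    complement), so candidates still need validating."""
    seen = []
    for i in range(len(blob) - 2 * key_len + 1):
        if blob[i:i + key_len] == blob[i + key_len:i + 2 * key_len]:
            cand = bytearray(key_len)
            for j in range(key_len):
                cand[(i + j) % key_len] = blob[i + j]   # re-phase key to offset 0
            cand = bytes(cand)
            if cand not in seen:
                seen.append(cand)
    return seen


def find_key(blob, known, key_len):
    """Combine both methods and keep the first key whose decode contains `known`."""
    cands = [k for _, k in keys_from_known_plaintext(blob, known, key_len)]
    cands += keys_from_periodic_runs(blob, key_len)
    for k in cands:
        if known in xor_repeat(blob, k):
            return k
    return None


if __name__ == "__main__":
    k = find_key(BLOB, KNOWN, KEY_LEN)
    print("recovered key:", k.hex())
    print("decoded header:", xor_repeat(BLOB, k)[:22])
```

Both methods assume the key period is known or guessed; in practice you would loop `key_len` over a small range and keep whichever period produces a decode containing the expected strings. The periodic-run method is the cheaper one when the image has erased-flash or zero padding, but it cannot tell a 0x00 run from a 0xff run on its own, which is why `find_key` validates every candidate against the known string before accepting it.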
By magic.. At least as far as i am concerned. Just pure magic and sorcery.
After reading some scripts in the repo, I understand how the firmware is packed/unpacked and how it is modified. But I'm really curious about how it was found. For example, how do you know the raw binary is XORed with a special sequence? And how do you know the sequence? In the script https://github.com/amnemonic/Quansheng_UV-K5_Firmware/blob/main/uvmod_kitchen/mod_enable_tx_50to850_except_airband.py, how did you guys know that at offset 0x1804 is the code that limits the TX frequency value, so that you can replace the asm code with custom shellcode? Is that really all done through reading the disassembled code?