search

bassrock / AVIC-NEX

A repo for modding the AVIC NEX
GNU General Public License v2.0
21 stars 6 forks source link

about AVIC-TestModeKey #1

Open ToaruOsaka opened 7 years ago

ToaruOsaka commented 7 years ago

hi, bro, i'm interesting about how your guys can decode the TestModeKey. as UBOOT/kernel must follow GPL to be open-source , but frameworks are not. these keyStrings are checked in native code C/C++ with some SO file . so , you just IDA them, read through assembly code ? ( WOW,MY GOD)

crash-rider commented 2 weeks ago

hi! I have disassembled the unpacking of new versions of testmode! but where is the error, can we somehow solve this puzzle? downloaded files from the device, the code is rewritten from assembler to C++, it works fine! but the radio device does not take it! crashes on the first check with error 19. In the new versions, a parity check is made, and the byte in the sum is changed code :)

#!/usr/bin/perl
# usage perl decode.pl TEST.KEY

my $filename = (shift);

open(my $fh, $filename) or die $!;

binmode($fh);

my $cnt = 0;
my $encodeString = "";
my $otherString = "";

while (read($fh, my $byte, 1))
{
    if ($cnt % 2 == 1)
    {
        if (ord($byte) > 55)     #$33
        {
            $byte = ord($byte) - 24; #$14 old  new 0x18
        }
        else
        {
            $byte = ord($byte) + 72; #old $4C new  0x48;
        }
        $encodeString = $encodeString.chr($byte);
    } else {
        if (ord($byte) > 55)
        {
            $byte = ord($byte) - 24; #0x18
        }
        else
        {
            $byte = ord($byte) + 72;#  0x48;
        }
        $otherString = chr($byte).$otherString;
    }
    $cnt++;
}

print $encodeString.$otherString;
print "\n";

close $fh;
crash-rider commented 2 weeks ago

007SERVICE003ALL00833333333013XXTECHNICALXX0031670082013010100820251230000 007SERVICE - type 003ALL -all 00833333333 013XXTECHNICALXX -version 003167 -verson 00820130101 -start date 00820251230 -end date 000

crash-rider commented 2 weeks ago

vc+ code

  1. 1-st check

while (1) { v17 = (unsigned int8)++v14; v16 = v17; if (!v17 && !v14[1]) break; if ((v13 & 1) == 0) //skip odd characters NEW in modern model!!! ((BYTE *)&a5 + v15++) = v16; if (arrSize <= v13 + 1) break; ++v13; } if (v15) { v18 = (unsigned int8)a5;


2. 2-nd check
if ((BYTE)a5)
        {
            v19 = (__int16 *)((char *)&a5 + 1);
            do
            {
                if (v18 > 55)
                    v21 = v18 - 0x18;  // in perl decode upper message
                else
                    v21 = v18 + 0x48;
                *((BYTE *)v19 - 1) = v21;
                if (v19 == (__int16 *)((char *)&a5 + v15))
                    break;
                v20 = *(unsigned __int8 *)v19;
                v19 = (__int16 *)((char *)v19 + 1);
                v18 = v20;
            } while (v20);
            //LOBYTE(v18) = a5;
            ////a5 = LOBYTE(v18);// = a5;
            v18 = LOBYTE(a5);
        }
        v22 = 0;
        v23 = &a5;
        v24 = 0;
        v25 = v15 - 1;

3. 3-d check

while (1) { v5 = (v22++ & 1) == 0; if (v5) ArrOfChar_1028[v25--] = v18; else ArrOfChar_1028[v24++] = v18; if (v22 == v15) break; v26 = ((BYTE )v23 + 1); v23 = (__int16 )((char )v23 + 1); //LOBYTE(v18) = v26; v18 = LOBYTE(v26); //v18 = v26; } } ArrOfChar_1028[v15] = 0;



- key without 1-st check

HHHHHOHkK]JjInMaJ[H]JHPHHKHYIdHdIHHHKPIKHKJKPKHKHKOKNKIHKIHKHppppld]Y[[`af

- key with 1-st check (odd characters added)

H!H!H!H!H!O!H!k!K!]!J!j!I!n!M!a!J![!H!]!J!H!P!H!H!K!H!Y!I!d!H!d!I!H!H!H!K!P!I!K!H!K!J!K!P!K!H!K!H!K!O!K!N!K!I!H!K!I!H!K!H!p!p!p!p!l!d!]!Y![![!`!a!f!
crash-rider commented 2 weeks ago

1-st check on device and get error 19

    if (!TST_KeyFileInformation::extractKyeData(KeyFileInformation, ArrChar_1056))
        {
            v8 = 19;
            goto LABEL_15;
        }
crash-rider commented 2 weeks ago

key_here_libTestModeStartUp_Ext.so.zip