Open ToaruOsaka opened 7 years ago
Hi! I have disassembled the unpacking of the new versions of TestMode! But where is the error? Can we somehow solve this puzzle? I downloaded the files from the device; the code is rewritten from assembler to C++ and it works fine, but the radio device does not take it! It crashes on the first check with error 19. In the new versions a parity check is made, and the byte in the sum is changed. Code :)
#!/usr/bin/perl
# usage: perl decode.pl TEST.KEY
use strict;
use warnings;

my $filename = shift;
open(my $fh, '<', $filename) or die $!;
binmode($fh);

my $cnt = 0;
my $encodeString = "";   # bytes at odd positions, kept in order
my $otherString  = "";   # bytes at even positions, reversed

while (read($fh, my $byte, 1))
{
    if ($cnt % 2 == 1)
    {
        if (ord($byte) > 55) # $33
        {
            $byte = ord($byte) - 24; # $14 old, 0x18 new
        }
        else
        {
            $byte = ord($byte) + 72; # old $4C, new 0x48
        }
        $encodeString = $encodeString . chr($byte);
    }
    else
    {
        if (ord($byte) > 55)
        {
            $byte = ord($byte) - 24; # 0x18
        }
        else
        {
            $byte = ord($byte) + 72; # 0x48
        }
        $otherString = chr($byte) . $otherString;
    }
    $cnt++;
}

print $encodeString . $otherString;
print "\n";
close $fh;
Decoded output:
007SERVICE003ALL00833333333013XXTECHNICALXX0031670082013010100820251230000

007SERVICE - type
003ALL - all
00833333333
013XXTECHNICALXX - version
003167 - version
00820130101 - start date
00820251230 - end date
000
VC++ code
while (1)
{
    v17 = (unsigned __int8)*++v14;
    v16 = v17;
    if (!v17 && !v14[1])
        break;
    if ((v13 & 1) == 0) // skip odd characters NEW in modern model!!!
        *((BYTE *)&a5 + v15++) = v16;
    if (arrSize <= v13 + 1)
        break;
    ++v13;
}
if (v15)
{
    v18 = (unsigned __int8)a5;
2. 2nd check
    if ((BYTE)a5)
    {
        v19 = (__int16 *)((char *)&a5 + 1);
        do
        {
            if (v18 > 55)
                v21 = v18 - 0x18; // in perl decode upper message
            else
                v21 = v18 + 0x48;
            *((BYTE *)v19 - 1) = v21;
            if (v19 == (__int16 *)((char *)&a5 + v15))
                break;
            v20 = *(unsigned __int8 *)v19;
            v19 = (__int16 *)((char *)v19 + 1);
            v18 = v20;
        } while (v20);
        //LOBYTE(v18) = a5;
        ////a5 = LOBYTE(v18);// = a5;
        v18 = LOBYTE(a5);
    }
    v22 = 0;
    v23 = &a5;
    v24 = 0;
    v25 = v15 - 1;
3. 3rd check
    while (1)
    {
        v5 = (v22++ & 1) == 0;
        if (v5)
            ArrOfChar_1028[v25--] = v18;
        else
            ArrOfChar_1028[v24++] = v18;
        if (v22 == v15)
            break;
        v26 = *((BYTE *)v23 + 1);
        v23 = (__int16 *)((char *)v23 + 1);
        //LOBYTE(v18) = v26;
        v18 = LOBYTE(v26);
        //v18 = v26;
    }
}
ArrOfChar_1028[v15] = 0;
- key without 1st check
HHHHHOHkK]JjInMaJ[H]JHPHHKHYIdHdIHHHKPIKHKJKPKHKHKOKNKIHKIHKHppppld]Y[[`af
- key with 1st check (odd characters added)
H!H!H!H!H!O!H!k!K!]!J!j!I!n!M!a!J![!H!]!J!H!P!H!H!K!H!Y!I!d!H!d!I!H!H!H!K!P!I!K!H!K!J!K!P!K!H!K!H!K!O!K!N!K!I!H!K!I!H!K!H!p!p!p!p!l!d!]!Y![![!`!a!f!
1st check on the device, which gives error 19:
if (!TST_KeyFileInformation::extractKyeData(KeyFileInformation, ArrChar_1056))
{
    v8 = 19;
    goto LABEL_15;
}
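As an added example (my own code, not the issue author's script or the decompiled firmware), here is a C re-implementation of the three checks read from the decompile above: check 1 drops the odd-position filler bytes, check 2 applies the `> 55 ? -0x18 : +0x48` substitution, and check 3 writes odd positions forward and even positions backward, which is exactly the Perl script's `$encodeString . $otherString`. It runs on the "key with 1st check" string quoted in the post and then splits the decoded text into its 3-digit-length-prefixed fields (007SERVICE, 003ALL, ... 000) as a consistency check. The function names (`strip_filler`, `transform`, `interleave`, `decode_key`, `parse_fields`) and the 64-byte field limit are my own assumptions; the 1028-byte buffer size is taken from `ArrOfChar_1028` in the decompile.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEY 1028   /* buffer size taken from ArrOfChar_1028 in the decompile */

/* Constructed sample input: the "key with 1st check" string quoted in the post
 * (a filler byte '!' follows every payload byte). */
static const char SAMPLE_KEY[] =
    "H!H!H!H!H!O!H!k!K!]!J!j!I!n!M!a!J![!H!]!J!H!P!H!H!K!H!Y!I!d!H!d!I!H!H!H!"
    "K!P!I!K!H!K!J!K!P!K!H!K!H!K!O!K!N!K!I!H!K!I!H!K!H!p!p!p!p!l!d!]!Y![![!`!a!f!";

/* Check 2: the byte substitution used by both the Perl script and the
 * decompile (new firmware constants; the old ones were 0x14 / 0x4C). */
unsigned char transform(unsigned char b)
{
    return b > 55 ? (unsigned char)(b - 0x18) : (unsigned char)(b + 0x48);
}

/* Check 3: odd positions are written forward from index 0, even positions
 * backward from index n-1, so the result is "odd bytes in order" followed by
 * "even bytes reversed". out must have room for n+1 bytes. */
static void interleave(const unsigned char *in, size_t n, char *out)
{
    size_t front = 0, back = n ? n - 1 : 0;
    for (size_t i = 0; i < n; i++) {
        if ((i & 1) == 0)
            out[back--] = (char)in[i];
        else
            out[front++] = (char)in[i];
    }
    out[n] = '\0';
}

/* Runs the three checks in order. strip_filler = 1 for the new layout (a
 * filler byte after every payload byte), 0 for the old one. Returns the
 * decoded length, or -1 for an empty or oversized key. out needs MAX_KEY+1. */
int decode_key(const char *key, int strip_filler, char *out)
{
    unsigned char buf[MAX_KEY];
    size_t len = strlen(key), n = 0;
    if (len == 0 || len > MAX_KEY)
        return -1;
    for (size_t i = 0; i < len; i++) {
        if (strip_filler && (i & 1))              /* check 1: keep even positions */
            continue;
        buf[n++] = transform((unsigned char)key[i]);   /* check 2 */
    }
    interleave(buf, n, out);                          /* check 3 */
    return (int)n;
}

/* The decoded text is a run of fields, each a 3-digit decimal length followed
 * by that many bytes. Returns the field count, or -1 if the text does not
 * split cleanly; a clean split is a cheap sanity check that the substitution
 * constants and the interleave were applied correctly. */
int parse_fields(const char *s, char fields[][64], int max_fields)
{
    int count = 0;
    size_t pos = 0, len = strlen(s);
    while (pos < len) {
        if (len - pos < 3 || count == max_fields)
            return -1;
        int flen = 0;
        for (int k = 0; k < 3; k++) {
            char c = s[pos + k];
            if (c < '0' || c > '9')
                return -1;
            flen = flen * 10 + (c - '0');
        }
        pos += 3;
        if (flen >= 64 || pos + (size_t)flen > len)
            return -1;
        memcpy(fields[count], s + pos, (size_t)flen);
        fields[count][flen] = '\0';
        pos += (size_t)flen;
        count++;
    }
    return count;
}

int main(void)
{
    char out[MAX_KEY + 1];
    char fields[16][64];
    int n = decode_key(SAMPLE_KEY, 1, out);
    if (n < 0) {
        fprintf(stderr, "bad key\n");
        return 1;
    }
    printf("decoded (%d bytes): %s\n", n, out);
    int count = parse_fields(out, fields, 16);
    if (count < 0) {
        fprintf(stderr, "decoded text does not split into length-prefixed fields\n");
        return 1;
    }
    for (int i = 0; i < count; i++)
        printf("field %d: \"%s\"\n", i, fields[i]);
    return 0;
}
```

Build with `cc -std=c99 -Wall decode_key.c -o decode_key`. Passing `0` as the second argument of `decode_key` handles the "key without 1st check" string from the post; swapping the two constants in `transform` for the old 0x14 / 0x4C values mentioned in the Perl comments covers the older firmware. Nothing here explains the error 19 itself, since `extractKyeData` is not shown; the example only reproduces the decode that the post's own output demonstrates.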
Hi, bro, I'm interested in how you guys can decode the TestModeKey. As UBOOT/kernel must follow the GPL to be open source, but frameworks are not, these key strings are checked in native C/C++ code with some SO file. So you just IDA them and read through the assembly code? (WOW, MY GOD)