
FlashAuthorityID calculation Algorithm



||Joe
13-01-2002, 09:23 PM
check this out, found this..

http://www.xgsmtechnology.com/algorithmflash.html

greetz,
-tek-

Oxo Boxo
13-01-2002, 10:11 PM
This is a disassembled part of the software for the FLS-1 box, but the FAID is in the same box..... :-((((

||Joe
14-01-2002, 12:10 AM
For anyone that is interested, take a look at this:

#define __targetwindows__

#include <stdio.h>
#include <string.h>

#ifdef __targetwindows__
#include <Windows.h>
#endif

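/* Fixed-width aliases and truth values used throughout this listing. */
#define UINT8 unsigned char
#define UINT32 unsigned long
#define UINT16 unsigned short

#define TRUE 1
#define FALSE 0
#define BOOL int
/* Stored in flash_errno when a caller passes a NULL buffer or a bad length. */
#define FE_INVALID_BUFFER_SIZE 0x65

/* Tick source used only by the __ALWAYSRANDOM__ build (Windows GetTickCount). */
#define misc_gettickcount GetTickCount

/* Low / high byte of a 16-bit value. The argument is parenthesised so an
 * expression such as LOBYTE(a + b) is cast and masked as a whole, and the
 * whole expansion is parenthesised so it can be used inside larger expressions. */
#define LOBYTE(x) ((UINT8)((UINT16)(x) & 0xFF))
#define HIBYTE(x) ((UINT8)(((UINT16)(x) >> 8) & 0xFF))

/* Entry points resolved at run time from the DK2 dongle driver DLL by
 * InitializeLibrary(); all three take / return plain C types. */
typedef UINT16 (*pFindDK2)(char *Id, char *lpszPKey);
typedef void (*pDK2SendAndReceive)(UINT16 dwID, char *Id, UINT8 *AU8encryptblock, UINT32 U32encryptlen, UINT8 *AU8inbuff, UINT32 U32inbufflen, UINT8 *AU8outbuff, UINT32 U32outbufflen, UINT8 U8tmp);
typedef BOOL (*pDK2Success)(void);

/* Handle of the loaded driver DLL. Loaded lazily by GetFunc(), released by
 * main() with FreeLibrary. */
HMODULE lib = NULL;

pDK2SendAndReceive DK2SendAndReceive;
pFindDK2 FindDK2;
pDK2Success DK2Success;

/* __DK2__ routes the computation through the dongle; without it a plain XOR
 * stand-in is compiled in instead.
 * __ALWAYSRANDOM__ seeds the generator from the tick count; without it the
 * seed is the constant 0x55AA, so every run produces the same byte sequence. */
#define __DK2__
// #define __ALWAYSRANDOM__

/* Last error code; only FE_INVALID_BUFFER_SIZE is ever stored here. */
static int flash_errno;
/* Current state of the FLS1_Random() shift register. */
static UINT16 U16startingseed = 0;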

/* Reset the generator: the next FLS1_Random() call starts from U16seed. */
static void FLS1_Randomize(UINT16 U16seed)
{
    U16startingseed = U16seed;
}

/* Produce the next generator byte.
 *
 * The 16-bit register kept in U16startingseed is stepped nine times and the
 * byte computed by the last step is returned; the register state is written
 * back so successive calls continue the sequence.
 *
 * One step, with lo = low byte of the register:
 *   feedback = bit 0 of (lo ^ (lo >> 1)), shifted in at bit 15,
 *   register  = (register with bit 15 replaced by feedback) >> 1,
 *   output    = (lo ^ (lo >> 1)) >> 1, with the old bit 0 of lo in bit 7. */
static UINT8 FLS1_Random(void)
{
    UINT16 U16reg = U16startingseed;
    UINT8 U8out = 0;
    UINT8 U8step;

    for (U8step = 0; U8step < 9; U8step++)
    {
        UINT8 U8lo = LOBYTE(U16reg);
        UINT8 U8mix = (UINT8)(U8lo ^ (U8lo >> 1));
        UINT16 U16feedback = (U8mix & 1) ? 0x8000 : 0x0000;

        U16reg = (UINT16)(((U16reg & 0x7FFF) | U16feedback) >> 1);
        U8out = (UINT8)((U8mix >> 1) | ((U8lo & 1) ? 0x80 : 0x00));
    }

    U16startingseed = U16reg;
    return U8out;
}

/* Fill the first five bytes of pAU8encryptblock:
 *   [0] fixed tag 13
 *   [1] U8seed1
 *   [2],[3] the 16-bit tick value, high byte first
 *   [4] one generator byte XOR U8seed2
 * The generator is re-seeded from the tick value first, so every later
 * FLS1_Random() call in the caller follows from it. Unless __ALWAYSRANDOM__
 * is defined the "tick count" is the constant 0x55AA, which makes the block
 * and the whole generator sequence identical on every call. */
static void FLS1_GetRandomNumber(UINT8 *pAU8encryptblock, UINT8 U8seed1, UINT8 U8seed2)
{
#ifdef __ALWAYSRANDOM__
    UINT32 U32ticks = misc_gettickcount();
#else
    UINT32 U32ticks = 0x55AA;
#endif
    UINT16 U16ticks = (UINT16)(U32ticks & 0xFFFF);

    /* Seed parameter is 16 bits wide: only the low half of the tick value is used. */
    FLS1_Randomize((UINT16)U32ticks);

    pAU8encryptblock[0] = 13;
    pAU8encryptblock[1] = U8seed1;
    pAU8encryptblock[2] = HIBYTE(U16ticks);
    pAU8encryptblock[3] = LOBYTE(U16ticks);
    pAU8encryptblock[4] = (UINT8)(FLS1_Random() ^ U8seed2);
}


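/* Print LABEL, then U32len bytes of pAU8data as "%02X " each, then a newline.
 * Debug aid: the caller uses it to write the challenge block and every
 * intermediate buffer to stdout. */
static void FLS1_DumpBytes(const char *label, const UINT8 *pAU8data, UINT32 U32len)
{
    UINT32 i;

    printf("%s", label);
    for (i = 0; i < U32len; i++)
    {
        printf("%02X ", pAU8data[i]);
    }
    printf("\n");
}

/* Run one authority-ID computation.
 *
 * pAU8inbuff / U32inbufflen    input bytes, 1..28 of them; zero-padded to 28.
 * pAU8outbuff / U32outbufflen  receives the first U32outbufflen result bytes,
 *                              1..12 (the reply buffer itself is 13 bytes).
 * Returns TRUE on success. Returns FALSE and sets flash_errno to
 * FE_INVALID_BUFFER_SIZE for a NULL pointer or an out-of-range length. The
 * two DK2 failure paths also return FALSE but leave flash_errno untouched.
 *
 * Steps: build the 6-byte encrypt block (FLS1_GetRandomNumber plus one more
 * generator byte XOR 1), mask the padded input with 28 generator bytes, hand
 * both to the dongle (or, without __DK2__, to the XOR stand-in), then unmask
 * the 13-byte reply with 13 further generator bytes. Every generator byte
 * follows from the seed set inside FLS1_GetRandomNumber. */
static BOOL FLS1_CalculateAuthorityID(UINT8 *pAU8inbuff, UINT32 U32inbufflen, UINT8 *pAU8outbuff, UINT32 U32outbufflen)
{
    UINT8 AU8encryptblock[6];
    UINT8 AU8tmpbuff[28];
    UINT8 AU8outbuff[13];
    UINT32 i;
#ifdef __DK2__
    UINT16 DataReg;
    /* char, not UINT8: the DK2 entry points are declared with char *Id. */
    char Id[] = "NK";
#endif

    if (!pAU8inbuff || !pAU8outbuff ||
        U32inbufflen < 1 || U32inbufflen > sizeof(AU8tmpbuff) ||
        U32outbufflen < 1 || U32outbufflen > 12)
    {
        flash_errno = FE_INVALID_BUFFER_SIZE;
        return FALSE;
    }

    memset(AU8encryptblock, 0, sizeof(AU8encryptblock));
    memset(AU8tmpbuff, 0, sizeof(AU8tmpbuff));
    /* Zeroed so a short reply from the dongle never leaves stack garbage in
     * the bytes copied out below. */
    memset(AU8outbuff, 0, sizeof(AU8outbuff));
    /* Lengths were validated above, so no truncation mask is needed here. */
    memcpy(AU8tmpbuff, pAU8inbuff, U32inbufflen);

    FLS1_GetRandomNumber(AU8encryptblock, 1, 0);
    AU8encryptblock[5] = (UINT8)(FLS1_Random() ^ 1);

    for (i = 0; i < sizeof(AU8tmpbuff); i++)
    {
        AU8tmpbuff[i] ^= FLS1_Random();
    }

    FLS1_DumpBytes("encryption block:", AU8encryptblock, sizeof(AU8encryptblock));
    FLS1_DumpBytes("bytestream to be decrypted:", AU8tmpbuff, sizeof(AU8tmpbuff));

#ifdef __DK2__
    /* Locate the dongle: first without a password, then with the hard-coded one. */
    DataReg = FindDK2(Id, NULL);
    if (DataReg == 0)
    {
        DataReg = FindDK2(Id, "1234");
    }
    if (DataReg == 0)
    {
        printf("DK2 not found\n");
        return FALSE;
    }
    DK2SendAndReceive(DataReg, Id, AU8encryptblock, sizeof(AU8encryptblock), AU8tmpbuff, sizeof(AU8tmpbuff), AU8outbuff, sizeof(AU8outbuff), 1);
    if (!DK2Success())
    {
        printf("bad response from DK2\n");
        return FALSE;
    }
#else
    /* No dongle: stand-in that XORs the masked input with the encrypt block. */
    for (i = 0; i < sizeof(AU8outbuff); i++)
    {
        AU8outbuff[i] = AU8tmpbuff[i] ^ AU8encryptblock[i % sizeof(AU8encryptblock)];
    }
#endif

    FLS1_DumpBytes("decrypted bytestream step 1:", AU8outbuff, U32outbufflen);

    for (i = 0; i < sizeof(AU8outbuff); i++)
    {
        AU8outbuff[i] ^= FLS1_Random();
    }

    memcpy(pAU8outbuff, AU8outbuff, U32outbufflen);
    FLS1_DumpBytes("decrypted bytestream step 2:", pAU8outbuff, U32outbufflen);

    return TRUE;
}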

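/* Frame the caller's input as [0x01, U8seed1, U8seed2, input bytes...] and
 * pass it to FLS1_CalculateAuthorityID with the same output buffer.
 *
 * pAU8inbuff / U32inbufflen    caller's payload; at most 61 bytes fit after
 *                              the 3-byte header (the callee then applies its
 *                              own, tighter, length rules).
 * pAU8outbuff / U32outbufflen  forwarded unchanged.
 * Returns the callee's result, or FALSE with flash_errno set to
 * FE_INVALID_BUFFER_SIZE when the payload does not fit the frame. */
BOOL FLS1_GetAuthorityID(UINT8 U8seed1, UINT8 U8seed2, UINT8 *pAU8inbuff, UINT32 U32inbufflen, UINT8 *pAU8outbuff, UINT32 U32outbufflen)
{
    UINT8 AU8buffer[64];
    const UINT32 U32hdrlen = 3;

    /* The callee's length check only runs after this copy, so the bound must
     * be enforced here to keep the memcpy inside AU8buffer. */
    if ((U32inbufflen > 0 && !pAU8inbuff) || U32inbufflen > sizeof(AU8buffer) - U32hdrlen)
    {
        flash_errno = FE_INVALID_BUFFER_SIZE;
        return FALSE;
    }

    memset(AU8buffer, 0, sizeof(AU8buffer));

    AU8buffer[0] = 1;
    AU8buffer[1] = U8seed1;
    AU8buffer[2] = U8seed2;
    memcpy(&AU8buffer[U32hdrlen], pAU8inbuff, U32inbufflen);

    return FLS1_CalculateAuthorityID(AU8buffer, U32inbufflen + U32hdrlen, pAU8outbuff, U32outbufflen);
}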

/* Decode a 13-byte MSID.
 *
 * pAU8MSIDin   13 bytes: byte 0 is used as the second seed, bytes 1..12 are
 *              the payload handed to FLS1_GetAuthorityID.
 * pAU8MSIDout  12 bytes; zeroed first, so it holds zeros when decoding fails.
 * Returns the result of FLS1_GetAuthorityID. */
BOOL FLS1_DecodeMSID(UINT8 *pAU8MSIDin, UINT8 *pAU8MSIDout)
{
    UINT8 AU8decoded[12];
    BOOL Bok;

    memset(pAU8MSIDout, 0, 12);

    Bok = FLS1_GetAuthorityID(0, pAU8MSIDin[0], pAU8MSIDin + 1, 12, AU8decoded, sizeof(AU8decoded));
    if (Bok)
    {
        memcpy(pAU8MSIDout, AU8decoded, sizeof(AU8decoded));
    }

    return Bok;
}


/********************************************************
* *
* FUNCTION NAME: *
* *
* ARGUMENTS: *
* *
* ARGUMENT NAME: *
* *
* TYPE: *
* *
* I/O: *
* *
* DESCRIPTION *
* *
* *
* RETURNS: *
* *
*********************************************************/

/* Resolve FUNCNAME from DLLNAME into *funcptr.
 *
 * The module handle is cached in the file-scope `lib` and loaded on the first
 * call; it is not released here (main() owns the FreeLibrary). On failure a
 * message naming the DLL is printed and *funcptr is left NULL.
 * LoadLibrary receives DLLNAME exactly as passed; main() builds an absolute
 * path under the system directory rather than a bare file name. */
static BOOL GetFunc(char *dllname, char *funcname, FARPROC *funcptr)
{
    *funcptr = NULL;

    if (lib == NULL)
    {
        lib = LoadLibrary(dllname);
    }
    if (lib == NULL)
    {
        printf("%s not found\n", dllname);
        return FALSE;
    }

    *funcptr = GetProcAddress(lib, funcname);

    return (*funcptr != NULL) ? TRUE : FALSE;
}


/********************************************************
* *
* FUNCTION NAME: *
* *
* ARGUMENTS: *
* *
* ARGUMENT NAME: *
* *
* TYPE: *
* *
* I/O: *
* *
* DESCRIPTION *
* *
* *
* RETURNS: *
* *
*********************************************************/

/* Resolve the three DK2 entry points from DLLNAME into the file-scope
 * function pointers DK2SendAndReceive, FindDK2 and DK2Success.
 * Stops at the first missing symbol (pointers already resolved stay set) and
 * prints which one was missing; GetFunc reports a DLL that cannot be loaded
 * itself. Returns TRUE only when all three were found. */
static BOOL InitializeLibrary(char *dllname)
{
    if (!GetFunc(dllname, "DK2SendAndReceive", (FARPROC *)&DK2SendAndReceive))
    {
        printf("DK2SendAndReceive not found in %s\n", dllname);
    }
    else if (!GetFunc(dllname, "FindDK2", (FARPROC *)&FindDK2))
    {
        printf("FindDK2 not found in %s\n", dllname);
    }
    else if (!GetFunc(dllname, "DK2Success", (FARPROC *)&DK2Success))
    {
        printf("DK2Success not found in %s\n", dllname);
    }
    else
    {
        return TRUE;
    }

    return FALSE;
}


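/* Load DK2WIN32.DLL from the system directory, resolve the DK2 entry points
 * and decode one built-in MSID. Exit status is 0 when the decode succeeded,
 * 1 when the DLL path could not be built, the library could not be
 * initialised, or FLS1_DecodeMSID returned FALSE. */
int main(void)
{
    UINT8 MSID[] = {0x82, 0xe8, 0xe4, 0x47, 0xf5, 0xbf, 0x59, 0xba, 0xa0, 0x6c, 0xd0, 0x8e ,0x04};
    UINT8 MSIDout[12];
    char buf[128];
    const char *dllname = "\\DK2WIN32.DLL";
    UINT32 U32dirlen;
    int rc = 1;

    /* GetSystemDirectory returns the length stored (no terminator), the size
     * required if buf is too small, or 0 on error. Only append the DLL name
     * when the directory fitted and there is room left for name + NUL;
     * otherwise strcat would run past the 128-byte buffer. */
    U32dirlen = GetSystemDirectory(buf, sizeof(buf));
    if (U32dirlen == 0 || U32dirlen + strlen(dllname) >= sizeof(buf))
    {
        printf("cannot locate system directory\n");
        return rc;
    }
    strcat(buf, dllname);

    if (!InitializeLibrary(buf))
    {
        printf("cannot load DK2 lib\n");
        goto out;
    }

    printf("functions indentified\n");

    printf("----------------------\n");
    memset(MSIDout, 0, sizeof(MSIDout));
    rc = FLS1_DecodeMSID(MSID, MSIDout) ? 0 : 1;
    // expected flashid should be: B3679FA3, Cobba ID: 002213DB 1D

out:
    /* lib is set by GetFunc on the first successful LoadLibrary; release it
     * on every path and clear the handle so it cannot be used again. */
    if (lib)
    {
        FreeLibrary(lib);
        lib = NULL;
    }
    return rc;
}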