From b05b762ed45c6c8967fce098c598ec1a6ed7a533 Mon Sep 17 00:00:00 2001
From: Amaury Pouly
Date: Sat, 16 Feb 2013 20:47:07 +0100
Subject: sbtools: add brute force option for sb1 in sbtoelf

After some reverse engineering, it appears that the keys of the sb1 format are very weak: the 128 bytes are generated from the laserfuse words 4,5 and 6 but in a weird manner: 4 and 5 are simply ORed and 6 is only half used (somehow), making it "only" a 48 bit word to find.

Change-Id: I40702e19d0924ef51c01894efce3cb65bd664456
---
 utils/imxtools/sbtools/sbtoelf.c | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)
(limited to 'utils/imxtools/sbtools/sbtoelf.c')
diff --git a/utils/imxtools/sbtools/sbtoelf.c b/utils/imxtools/sbtools/sbtoelf.c
index 540d55acc1..e68f5e6e06 100644
--- a/utils/imxtools/sbtools/sbtoelf.c
+++ b/utils/imxtools/sbtools/sbtoelf.c
@@ -231,6 +231,7 @@ static void usage(void)
 printf(" -2/--v2\tForce to read file as a version 2 file\n");
 printf(" -s/--no-simpl\tPrevent elf files from being simplified*\n");
 printf(" -x\t\tUse default sb1 key\n");
+ printf(" -b\tBrute force key\n");
 printf("Options marked with a * are for debug purpose only\n");
 exit(1);
 }
@@ -308,6 +309,7 @@ int main(int argc, char **argv)
 const char *loopback = NULL;
 bool force_sb1 = false;
 bool force_sb2 = false;
+ bool brute_force = false;
 while(1)
 {
@@ -325,7 +327,7 @@ int main(int argc, char **argv)
 {0, 0, 0, 0}
 };
- int c = getopt_long(argc, argv, "?do:k:zra:nl:f12xs", long_options, NULL);
+ int c = getopt_long(argc, argv, "?do:k:zra:nl:f12xsb", long_options, NULL);
 if(c == -1)
 break;
 switch(c)
@@ -391,6 +393,9 @@ int main(int argc, char **argv)
 case 's':
 g_elf_simplify = false;
 break;
+ case 'b':
+ brute_force = true;
+ break;
 default:
 abort();
 }
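Review bot: The new help line in usage() puts a single `\t` after `-b` where the neighbouring `-x` entry uses `\t\t`, so the description column will not line up. The text also does not say that the option only affects sb1 files, although the last hunk consults `brute_force` only in the `force_sb1 || ver == SB_VERSION_1` branch. I would write `printf(" -b\t\tBrute force the sb1 key\n");`. With a version 2 file the flag appears to be accepted and silently ignored; that branch is outside the visible hunks, so confirm whether a warning belongs there.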
@@ -442,6 +447,33 @@ int main(int argc, char **argv)
 }
 else if(force_sb1 || ver == SB_VERSION_1)
 {
+ if(brute_force)
+ {
+ struct crypto_key_t key;
+ enum sb1_error_t err;
+ if(!sb1_brute_force(sb_filename, NULL, sb_printf, &err, &key))
+ {
+ color(OFF);
+ printf("Brute force failed: %d\n", err);
+ return 1;
+ }
+ color(RED);
+ printf("Key found:");
+ color(YELLOW);
+ for(int i = 0; i < 32; i++)
+ printf(" %08x", key.u.xor_key[i / 16].k[i % 16]);
+ color(OFF);
+ printf("\n");
+ color(RED);
+ printf("Key: ");
+ color(YELLOW);
+ for(int i = 0; i < 128; i++)
+ printf("%02x", key.u.xor_key[i / 64].key[i % 64]);
+ color(OFF);
+ printf("\n");
+ add_keys(&key, 1);
+ }
+
 enum sb1_error_t err;
 struct sb1_file_t *file = sb1_read_file(sb_filename, NULL, sb_printf, &err);
 if(file == NULL)
-- cgit v1.2.3
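Review bot: The two print loops in the `if(brute_force)` block index `key.u.xor_key` with hard-coded bounds (32 and 16 for `.k`, 128 and 64 for `.key`), and the declaration of `struct crypto_key_t` is not part of this patch, so a later change to that layout would turn them into out-of-bounds reads. Deriving the limits from the arrays, e.g. `for(size_t i = 0; i < sizeof(key.u.xor_key[0].key); i++)` inside an outer loop over the two entries, keeps the bounds tied to the type. `key` is also declared without an initializer and then handed to `add_keys(&key, 1)`, which presumably relies on sb1_brute_force() filling every field including the key type; `struct crypto_key_t key = {0};` avoids passing indeterminate bytes on if it does not. The inner `enum sb1_error_t err;` shadows the `err` declared right after the block, and main() starts and ends outside this hunk.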