From b05b762ed45c6c8967fce098c598ec1a6ed7a533 Mon Sep 17 00:00:00 2001 From: Amaury Pouly Date: Sat, 16 Feb 2013 20:47:07 +0100 Subject: sbtools: add brute force option for sb1 in sbtoelf After some reverse engineering, it appears that the keys of the sb1 format are very weak: the 128 bytes are generated from the laserfuse words 4,5 and 6 but in a weird manner: 4 and 5 are simply ORed and 6 is only half used (somehow), making it "only" a 48 bit word to find. Change-Id: I40702e19d0924ef51c01894efce3cb65bd664456 --- utils/imxtools/sbtools/crypto.h | 1 + utils/imxtools/sbtools/misc.c | 19 ++++++- utils/imxtools/sbtools/sb1.c | 103 ++++++++++++++++++++++++++++++++++++++ utils/imxtools/sbtools/sb1.h | 5 ++ utils/imxtools/sbtools/sbtoelf.c | 34 ++++++++++++- utils/imxtools/sbtools/xorcrypt.c | 59 ++++++++++++++++++++++ 6 files changed, 218 insertions(+), 3 deletions(-) (limited to 'utils') diff --git a/utils/imxtools/sbtools/crypto.h b/utils/imxtools/sbtools/crypto.h index 599ebf4bf4..6751c2e861 100644 --- a/utils/imxtools/sbtools/crypto.h +++ b/utils/imxtools/sbtools/crypto.h @@ -125,5 +125,6 @@ void sha_1_output(struct sha_1_params_t *params, byte *out); // WARNING those functions modifies the keys !! uint32_t xor_encrypt(union xorcrypt_key_t keys[2], void *data, int size); uint32_t xor_decrypt(union xorcrypt_key_t keys[2], void *data, int size); +void xor_generate_key(uint32_t laserfuse[3], union xorcrypt_key_t key[2]); #endif /* __CRYPTO_H__ */ diff --git a/utils/imxtools/sbtools/misc.c b/utils/imxtools/sbtools/misc.c index dae4f92121..b9f5d21f7e 100644 --- a/utils/imxtools/sbtools/misc.c +++ b/utils/imxtools/sbtools/misc.c @@ -117,8 +117,23 @@ bool parse_key(char **pstr, struct crypto_key_t *key) while(isspace(*str)) str++; /* CRYPTO_KEY: 32 hex characters - * CRYPTO_USBOTP: usbotp(vid:pid) where vid and pid are hex numbers */ - if(isxdigit(str[0])) + * CRYPTO_USBOTP: usbotp(vid:pid) where vid and pid are hex numbers + * CRYPTO_XOR_KEY: 256 hex characters */ + if(isxdigit(str[0]) && strlen(str) >= 256 && isxdigit(str[32])) + { + for(int j = 0; j < 128; j++) + { + byte a, b; + if(convxdigit(str[2 * j], &a) || convxdigit(str[2 * j + 1], &b)) + return false; + key->u.xor_key[j / 64].key[j % 64] = (a << 4) | b; + } + /* skip key */ + *pstr = str + 256; + key->method = CRYPTO_XOR_KEY; + return true; + } + else if(isxdigit(str[0])) { if(strlen(str) < 32) return false; diff --git a/utils/imxtools/sbtools/sb1.c b/utils/imxtools/sbtools/sb1.c index e4eb470e99..deb09a51e1 100644 --- a/utils/imxtools/sbtools/sb1.c +++ b/utils/imxtools/sbtools/sb1.c @@ -252,6 +252,109 @@ static const char *sb1_datatype_name(int cmd) } } +bool sb1_is_key_valid_fast(void *buffer, size_t size, union xorcrypt_key_t _key[2]) +{ + struct sb1_header_t *header = (struct sb1_header_t *)buffer; + + union xorcrypt_key_t key[2]; + + uint8_t sector[SECTOR_SIZE]; + /* copy key and data because it's modified by the crypto code */ + memcpy(key, _key, sizeof(key)); + memcpy(sector, header + 1, SECTOR_SIZE - header->header_size); + /* try to decrypt the first sector */ + uint32_t mark = xor_decrypt(key, sector, SECTOR_SIZE - 4 - header->header_size); + /* copy key again it's modified by the crypto code */ + return mark == *(uint32_t *)§or[SECTOR_SIZE - 4 - header->header_size]; +} + +bool sb1_brute_force(const char *filename, void *u, sb1_color_printf cprintf, + enum sb1_error_t *err, struct crypto_key_t *key) +{ + #define printf(c, ...) cprintf(u, false, c, __VA_ARGS__) + uint8_t sector[SECTOR_SIZE]; + FILE *f = fopen(filename, "rb"); + if(f == NULL) + { + printf("Cannot open file '%s' for reading: %m\n", filename); + *err = SB1_OPEN_ERROR; + return false; + } + if(fread(sector, sizeof(sector), 1, f) != 1) + { + printf("Cannot read file '%s': %m\n", filename); + *err = SB1_READ_ERROR; + fclose(f); + return false; + } + fclose(f); + + printf(BLUE, "Brute forcing key...\n"); + time_t start_time = time(NULL); + uint32_t laserfuse[3] = {0, 0, 0}; + unsigned last_print = 0; + do + { + for(int i = 0; i < 0x10000; i++) + { + laserfuse[2] = (i & 0xff00) << 8 | (i & 0xff); + xor_generate_key(laserfuse, key->u.xor_key); + if(g_debug) + { + printf(GREEN, "Trying key"); + printf(GREEN, "["); + printf(RED, "%08x", laserfuse[0]); + printf(GREEN, ","); + printf(RED, "%08x", laserfuse[1]); + printf(GREEN, ","); + printf(RED, "%08x", laserfuse[2]); + printf(GREEN, "]:"); + for(int j = 0; j < 32; j++) + printf(YELLOW, " %08x", key->u.xor_key[j / 16].k[j % 16]); + } + if(sb1_is_key_valid_fast(sector, SECTOR_SIZE, key->u.xor_key)) + { + if(g_debug) + printf(RED, " Ok\n"); + return true; + } + else + { + if(g_debug) + printf(RED, " No\n"); + } + } + laserfuse[0]++; + + if(laserfuse[0] / 1000 != last_print) + { + time_t cur_time = time(NULL); + float key_per_sec = laserfuse[0] / (float)(cur_time - start_time); + float tot = 0x1000000LL / key_per_sec; + time_t eta_time = start_time + tot; + + printf(YELLOW, "%llu", laserfuse[0] * 0x10000LL); + printf(GREEN, " out of "); + printf(BLUE, "%llu", 0x1000000LL * 0x10000LL); + printf(GREEN, " tested ("); + printf(RED, "%f%%", laserfuse[0] / (float)0x1000000LL * 100.0); + printf(GREEN, "), "); + printf(YELLOW, "%d", cur_time - start_time); + printf(GREEN, " seconds elapsed, "); + printf(BLUE, "%d", eta_time - cur_time); + printf(GREEN, " seconds remaining, ["); + printf(RED, "%f", key_per_sec); + printf(GREEN, " keys/s], ETA "); + printf(YELLOW, "%s", ctime(&eta_time)); + last_print = laserfuse[0] / 1000; + } + }while(laserfuse[0] != 0); + + *err = SB1_NO_VALID_KEY; + return false; + #undef printf +} + struct sb1_file_t *sb1_read_memory(void *_buf, size_t filesize, void *u, sb1_color_printf cprintf, enum sb1_error_t *err) { diff --git a/utils/imxtools/sbtools/sb1.h b/utils/imxtools/sbtools/sb1.h index 1ee28978e1..2adfc6a26c 100644 --- a/utils/imxtools/sbtools/sb1.h +++ b/utils/imxtools/sbtools/sb1.h @@ -154,6 +154,11 @@ struct sb1_file_t *sb1_read_file_ex(const char *filename, size_t offset, size_t struct sb1_file_t *sb1_read_memory(void *buffer, size_t size, void *u, sb1_color_printf printf, enum sb1_error_t *err); +/* do as little checks as possible, make sure the image is valid (advance use only) */ +bool sb1_is_key_valid_fast(void *buffer, size_t size, union xorcrypt_key_t key[2]); +bool sb1_brute_force(const char *filename, void *u, sb1_color_printf printf, + enum sb1_error_t *err, struct crypto_key_t *key); + void sb1_get_default_key(struct crypto_key_t *key); void sb1_dump(struct sb1_file_t *file, void *u, sb1_color_printf printf); diff --git a/utils/imxtools/sbtools/sbtoelf.c b/utils/imxtools/sbtools/sbtoelf.c index 540d55acc1..e68f5e6e06 100644 --- a/utils/imxtools/sbtools/sbtoelf.c +++ b/utils/imxtools/sbtools/sbtoelf.c @@ -231,6 +231,7 @@ static void usage(void) printf(" -2/--v2\tForce to read file as a version 2 file\n"); printf(" -s/--no-simpl\tPrevent elf files from being simplified*\n"); printf(" -x\t\tUse default sb1 key\n"); + printf(" -b\tBrute force key\n"); printf("Options marked with a * are for debug purpose only\n"); exit(1); } @@ -308,6 +309,7 @@ int main(int argc, char **argv) const char *loopback = NULL; bool force_sb1 = false; bool force_sb2 = false; + bool brute_force = false; while(1) { @@ -325,7 +327,7 @@ int main(int argc, char **argv) {0, 0, 0, 0} }; - int c = getopt_long(argc, argv, "?do:k:zra:nl:f12xs", long_options, NULL); + int c = getopt_long(argc, argv, "?do:k:zra:nl:f12xsb", long_options, NULL); if(c == -1) break; switch(c) @@ -391,6 +393,9 @@ int main(int argc, char **argv) case 's': g_elf_simplify = false; break; + case 'b': + brute_force = true; + break; default: abort(); } @@ -442,6 +447,33 @@ int main(int argc, char **argv) } else if(force_sb1 || ver == SB_VERSION_1) { + if(brute_force) + { + struct crypto_key_t key; + enum sb1_error_t err; + if(!sb1_brute_force(sb_filename, NULL, sb_printf, &err, &key)) + { + color(OFF); + printf("Brute force failed: %d\n", err); + return 1; + } + color(RED); + printf("Key found:"); + color(YELLOW); + for(int i = 0; i < 32; i++) + printf(" %08x", key.u.xor_key[i / 16].k[i % 16]); + color(OFF); + printf("\n"); + color(RED); + printf("Key: "); + color(YELLOW); + for(int i = 0; i < 128; i++) + printf("%02x", key.u.xor_key[i / 64].key[i % 64]); + color(OFF); + printf("\n"); + add_keys(&key, 1); + } + enum sb1_error_t err; struct sb1_file_t *file = sb1_read_file(sb_filename, NULL, sb_printf, &err); if(file == NULL) diff --git a/utils/imxtools/sbtools/xorcrypt.c b/utils/imxtools/sbtools/xorcrypt.c index 5ecf9208d6..32f2b6b875 100644 --- a/utils/imxtools/sbtools/xorcrypt.c +++ b/utils/imxtools/sbtools/xorcrypt.c @@ -22,6 +22,42 @@ #include #include "misc.h" +static uint32_t g_ROM_Key_Table[256] = +{ + 0x6B8B4567,0x327B23C6,0x643C9869,0x66334873,0x74B0DC51,0x19495CFF,0x2AE8944A, + 0x625558EC,0x238E1F29,0x46E87CCD,0x3D1B58BA,0x507ED7AB,0x2EB141F2,0x41B71EFB,0x79E2A9E3,0x7545E146, + 0x515F007C,0x5BD062C2,0x12200854,0x4DB127F8,0x216231B,0x1F16E9E8,0x1190CDE7, + 0x66EF438D,0x140E0F76,0x3352255A,0x109CF92E,0xDED7263,0x7FDCC233,0x1BEFD79F,0x41A7C4C9,0x6B68079A, + 0x4E6AFB66,0x25E45D32,0x519B500D,0x431BD7B7,0x3F2DBA31,0x7C83E458,0x257130A3, + 0x62BBD95A,0x436C6125,0x628C895D,0x333AB105,0x721DA317,0x2443A858,0x2D1D5AE9,0x6763845E,0x75A2A8D4, + 0x8EDBDAB,0x79838CB2,0x4353D0CD,0xB03E0C6,0x189A769B,0x54E49EB4,0x71F32454, + 0x2CA88611,0x836C40E,0x2901D82,0x3A95F874,0x8138641,0x1E7FF521,0x7C3DBD3D,0x737B8DDC,0x6CEAF087, + 0x22221A70,0x4516DDE9,0x3006C83E,0x614FD4A1,0x419AC241,0x5577F8E1,0x440BADFC, + 0x5072367,0x3804823E,0x77465F01,0x7724C67E,0x5C482A97,0x2463B9EA,0x5E884ADC,0x51EAD36B,0x2D517796, + 0x580BD78F,0x153EA438,0x3855585C,0x70A64E2A,0x6A2342EC,0x2A487CB0,0x1D4ED43B, + 0x725A06FB,0x2CD89A32,0x57E4CCAF,0x7A6D8D3C,0x4B588F54,0x542289EC,0x6DE91B18,0x38437FDB,0x7644A45C, + 0x32FFF902,0x684A481A,0x579478FE,0x749ABB43,0x3DC240FB,0x1BA026FA,0x79A1DEAA, + 0x75C6C33A,0x12E685FB,0x70C6A529,0x520EEDD1,0x374A3FE6,0x4F4EF005,0x23F9C13C,0x649BB77C,0x275AC794, + 0x39386575,0x1CF10FD8,0x180115BE,0x235BA861,0x47398C89,0x354FE9F9,0x15B5AF5C, + 0x741226BB,0xD34B6A8,0x10233C99,0x3F6AB60F,0x61574095,0x7E0C57B1,0x77AE35EB,0x579BE4F1,0x310C50B3, + 0x5FF87E05,0x2F305DEF,0x25A70BF7,0x1DBABF00,0x4AD084E9,0x1F48EAA1,0x1381823A, + 0x5DB70AE5,0x100F8FCA,0x6590700B,0x15014ACB,0x5F5E7FD0,0x98A3148,0x799D0247,0x6B94764,0x42C296BD, + 0x168E121F,0x1EBA5D23,0x661E3F1E,0x5DC79EA8,0x540A471C,0x7BD3EE7B,0x51D9C564, + 0x613EFDC5,0xBF72B14,0x11447B73,0x42963E5A,0xA0382C5,0x8F2B15E,0x1A32234B,0x3B0FD379,0x68EB2F63, + 0x4962813B,0x60B6DF70,0x6A5EE64,0x14330624,0x7FFFCA11,0x1A27709E,0x71EA1109, + 0x100F59DC,0x7FB7E0AA,0x6EB5BD4,0x6F6DD9AC,0x94211F2,0x885E1B,0x76272110,0x4C04A8AF,0x1716703B, + 0x14E17E33,0x3222E7CD,0x74DE0EE3,0x68EBC550,0x2DF6D648,0x46B7D447,0x4A2AC315, + 0x39EE015C,0x57FC4FBB,0xCC1016F,0x43F18422,0x60EF0119,0x26F324BA,0x7F01579B,0x49DA307D,0x7055A5F5, + 0x5FB8370B,0x50801EE1,0x488AC1A,0x5FB8011C,0x6AA78F7F,0x7672BD23,0x6FC75AF8, + 0x6A5F7029,0x7D5E18F8,0x5F3534A4,0x73A1821B,0x7DE67713,0x555C55B5,0x3FA62ACA,0x14FCE74E,0x6A3DD3E8, + 0x71C91298,0x9DAF632,0x53299938,0x1FBFE8E0,0x5092CA79,0x1D545C4D,0x59ADEA3D, + 0x288F1A34,0x2A155DBC,0x1D9F6E5F,0x97E1B4E,0x51088277,0x1CA0C5FA,0x53584BCB,0x415E286C,0x7C58FD05, + 0x23D86AAC,0x45E6D486,0x5C10FE21,0xE7FFA2B,0x3C5991AA,0x4BD8591A,0x78DF6A55, + 0x39B7AAA2,0x2B0D8DBE,0x6C80EC70,0x379E21B5,0x69E373,0x2C27173B,0x4C9B0904,0x6AA7B75C,0x1DF029D3, + 0x5675FF36,0x3DD15094,0x3DB012B3,0x2708C9AF,0x5B25ACE2,0x175DFCF0,0x4F97E3E4, + 0x53B0A9E,0x34FD6B4F,0x5915FF32,0x56438D15,0x519E3149,0x2C6E4AFD,0x17A1B582,0x4DF72E4E,0x5046B5A9 +}; + static uint32_t do_round(union xorcrypt_key_t *key) { uint32_t k7 = key->k[7]; @@ -97,6 +133,29 @@ static void test_round(union xorcrypt_key_t keys[2]) } } +void xor_generate_key(uint32_t laserfuse[3], union xorcrypt_key_t key[2]) +{ + uint16_t bitmask = 0x36c9; + uint8_t magic = (laserfuse[2] >> 24 | laserfuse[2] >> 16) & 0xff; + uint32_t magic2 = laserfuse[0] | laserfuse[1]; + uint8_t magic3 = (laserfuse[2] >> 8 | laserfuse[2] >> 0) & 0xff; + + for(int i = 0; i < 16; i++, bitmask >>= 1, magic++) + key[0].k[i] = (bitmask & 1) ? 0 : g_ROM_Key_Table[magic]; + bitmask = 0x36c9; + for(int i = 0; i < 16; i++, bitmask >>= 1, magic++) + key[1].k[i] = (bitmask & 1) ? 0 : g_ROM_Key_Table[magic]; + key[0].k[0] ^= magic2; + key[1].k[0] ^= magic2; + +#if 1 + for(int i = 0; i < magic3 + 57; i++) + do_round(&key[0]); + for(int i = 0; i < magic3 + 57; i++) + do_round(&key[1]); +#endif +} + uint32_t xor_encrypt(union xorcrypt_key_t keys[2], void *_data, int size) { if(size % 4) -- cgit v1.2.3