Unable to figure Checksum algo!

[hcglitte]

Hi,

This is the array: {0x0A, 0x41, 0x31, 0x36, 0x34, 0x40, 0x40, 0x35, 0x30, 0x45, 0x68}
The last byte is the checksum.
The first byte is is the length of the payload including the checksum.

I cannot find the checksum algorithm that is used here... Anyone got a clue?

[oskugbg]

Do you have another example?

[sokoloff]

If you're reverse engineering, you need a few examples.

Some are as simple as "make the checksum such that summing the whole buffer and ignoring carry ends up at <some constant>". Others transpose bits or do some other operation.

If you can force a known "plaintext", it's easier, just change a single bit at a time and see what changes in the checksum. Otherwise, hope for a simple sum-and-mod.

[hcglitte]

I tried the usual ones, but none of them worked. I can make some more examples, it's a bit annoying since I have to to some bit manipulations first...

First I need to make all 00 to 0 and 11 to 1 since my spectrum analyzer won't allow me enlarge the IF BW so I must double sample all symbols.
Then I must do manchester decoding.
I just used some online tools, but I must write this into a script to get some more data.

What I am trying to do is to reverse engineering ER400TS from LPRS used in an old product so I can use my newer cc1101 as the transmitter.
So far I have found the OTA preamble pattern, sync word, symbol rate and freq. deviation.

[hcglitte]

Having a further look into the datasheet, they added a new CRC16 and also saying it could replace their normal crc8.
So I assume if all the bytes are put into a CRC8 calculator it would produce 0 as the result, this could be the starting point for finding the
initial values etc. Perhaps there is some tool that will try all combinations and search for 0 result...

[Nusa]

Assume is a bad word when dealing with unknowns. Try 1 byte and 2 byte payloads and see what comes out. Try payload values of 0x00 or 0xFF. If you get it to work for simple cases, THEN try longer examples to verify you got it right.

[Rerouter]

It doesn't appear to match any normal CRC8,

I find it very odd that the datasheet doesnt actually specify the exact CRC used.

[nfmax]

Perhaps there is some tool that will try all combinations and search for 0 result...

There is: http://reveng.sourceforge.net

And a wonderful tool it is too. I found it while I was trying to reverse-engineer a wireless energy monitor radio packet format, just the other day.

[hcglitte]

I will look into it. Anyway, I asked the LPRS directly, and they said it was proprietary - their CRC8 calculation...
If they do some extra bit manipulations I guess it will be hard to figure it out.

[nfmax]

The reveng tool can also exhaustively search all possible polynomials if you know the size of the CRC data. It checks the big/little endianness and the initial value & final XOR values too.