R&S RTB2004 Snooping
ElectronMan:
--- Quote from: KaneTW on October 16, 2020, 06:48:24 pm ---
Using this:
--- Code: ---
openssl aes-256-cbc -K 43C6B3E57510A3C5547AA4DF9528B783 -iv 0 -in RTB2004.FWU -out RTB2004.FWU.dec
--- End code ---
Resulting .dec file is either compressed or encrypted (bytes are uniformly distributed)
--- End quote ---
You're missing some things... Not sure what the defaults are, but I'd specify them. It may be encrypting it rather than decrypting it, as I see no -d in your command.
--- Code: ---
openssl enc -aes-256-cbc -nopad -nosalt -d -in <infile> -out <outfile> -K '<key>' -iv '0'
--- End code ---
Don't forget to pad the key out to the proper length by appending the 0's.
abyrvalg:
Great! So an update file consists of 3 main things: a loader code that writes update to flash, a splash screen to show during update and an all-in-one ELF to be flashed.
KaneTW:
--- Quote from: ElectronMan on October 16, 2020, 07:24:14 pm ---
--- Quote from: KaneTW on October 16, 2020, 06:48:24 pm ---
Using this:
--- Code: ---
openssl aes-256-cbc -K 43C6B3E57510A3C5547AA4DF9528B783 -iv 0 -in RTB2004.FWU -out RTB2004.FWU.dec
--- End code ---
Resulting .dec file is either compressed or encrypted (bytes are uniformly distributed)
--- End quote ---
You're missing some things... Not sure what the defaults are, but I'd specify them. It may be encrypting it rather than decrypting it, as I see no -d in your command.
--- Code: ---
openssl enc -aes-256-cbc -nopad -nosalt -d -in <infile> -out <outfile> -K '<key>' -iv '0'
--- End code ---
Don't forget to pad the key out to the proper length by appending the 0's.
--- End quote ---
Duh. That's what I get for not double-checking. The args were what was missing.
tv84:
--- Quote from: abyrvalg on October 16, 2020, 10:06:05 pm ---
Great! So an update file consists of 3 main things: a loader code that writes update to flash, a splash screen to show during update and an all-in-one ELF to be flashed.
--- End quote ---
Exactly, but in this RTC1002 FW there are additional sections. ;) (but the structure is the same)

RTC1002:
--- Code: ---
00000000 Header Size: 0400 [00000000-000003FF] FileSize OK
00000002 Section 1 Size: 00044BC0 [00000400-00044FBF]
00000006 Section 2 Size: 0097F250 [00044FC0-009C420F]
0000000A Section 1 CRC16: EF35 CRC OK
0000000C Section 2 CRC16: 033B CRC OK
0000000E ????: 0x101B0000
0000001E Model: RTC1002
0000002E FW Version: 06.100
0000003E Release Date: 2018-06-27
0000004E ????: 17479.19094
0000005E Compilation: Build 38186 built on 2018-06-27 15:59:39 by MaG? [06.100 - HCL: 02.500 - MesOS: 03.760] with GCC 5.3.0
0000015E (???) Hash Type: 2
00000198 Build: 38186
000001AA Section 1 SHA256: 9264B3CF9410BDEF8B744AA0F5570FE6 HASH OK
000001CA Section 2 SHA256: 4F0237325E515FB0DCF8C5606A672288 HASH OK
000003FE Header CRC16: D71A CRC OK
--------------------------------------------------------------------
00044FC0 **** SubSection 0x80 ****
00044FC1 SubSect Hdr Size: 0025
00044FC3 SubSection Size: 0000809F [00044FE5-0004D083]
00044FC7 SubSection CRC16: D361 CRC OK
00044FDF Contents Size: 0000809C [00044FE8-0004D083]
00044FE3 SubSect Hdr CRC16: 1A08 [00044FC0-00044FE2] CRC OK
00044FE8 BMP (640x480 pixels - 8 bits / compr.: 1) [00044FE8-0004D083]
0004D084 **** SubSection 0x11 ****
0004D085 SubSect Hdr Size: 0025
0004D087 SubSection Size: 00005B4B [0004D0A9-00052BF3]
0004D08B SubSection CRC16: A31B CRC OK
0004D0A3 Contents Size: 00005B48 [0004D0AC-00052BF3]
0004D0A7 SubSect Hdr CRC16: D911 [0004D084-0004D0A6] CRC OK
0004D0AC Bootloader Programmer
00052BF4 **** SubSection 0x18 ****
00052BF5 SubSect Hdr Size: 0025
00052BF7 SubSection Size: 0096EFE3 [00052C19-009C1BFB]
00052BFB SubSection CRC16: F0CC CRC OK
00052C13 Contents Size: 0096EFE0 [00052C1C-009C1BFB]
00052C17 SubSect Hdr CRC16: 9A46 [00052BF4-00052C16] CRC OK
00052C1D ELF File Size: 0096EF60 [00052C5C-009C1BBB]
00052C21 ELF File CRC32: E0061AED CRC OK
00052C25 Creation Time: 27/06/2018 14:12:00
00052C5C Main Application .ELF
009C1BFC **** SubSection 0x12 ****
009C1BFD SubSect Hdr Size: 0070
009C1BFF SubSection Size: 000025A0 [009C1C6C-009C420B]
009C1C03 SubSection CRC16: 1726 CRC OK
009C1C1B Contents Size: 0000255F [009C1CAC-009C420A]
009C1C6A SubSect Hdr CRC16: 7F25 [009C1BFC-009C1C69] CRC OK
009C1CAC Bootloader EEPROM Programming
--- End code ---
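An added example, not tv84's tool and not anything from R&S: a small Python parser for the container layout that the listing above makes visible (a 0x400-byte header with two section size/CRC16/SHA256 pairs, followed by a chain of subsections whose header carries type, header size, subsection size and contents size). The field offsets are taken from the listing; the field widths, big-endian byte order, NUL-padded strings, and the rule that a subsection's contents are the last `contents_size` bytes of its payload are assumptions made for this example. The CRC16 variant is not identified on the page, so the example reads the CRC fields but never recomputes them, and the sample image it builds is constructed data, not a real update file.

```python
"""Parser for the firmware container layout shown in the RTC1002 listing.

Field offsets come from that listing. Field widths, big-endian byte order,
NUL-padded strings, and "contents are the last contents_size bytes of the
subsection payload" are assumptions made for this example. The CRC16
polynomial is not identified on the page, so CRC fields are read but never
recomputed here.
"""
import hashlib
import struct

HEADER_SIZE = 0x400   # header size seen at offset 0 of the listing
SUBHDR_MIN = 0x25     # smallest subsection header size seen in the listing


def _cstr(raw):
    """Decode a NUL-padded ASCII field (assumption about the string encoding)."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_header(img):
    """Return the header fields; byte ranges are [start, end) offsets into img."""
    hdr = img[:HEADER_SIZE]
    hdr_size, s1_size, s2_size, s1_crc, s2_crc = struct.unpack_from(">HIIHH", hdr, 0)
    s1_start = hdr_size
    s2_start = s1_start + s1_size
    return {
        "header_size": hdr_size,
        "section1": (s1_start, s2_start),
        "section2": (s2_start, s2_start + s2_size),
        "section1_crc16": s1_crc,
        "section2_crc16": s2_crc,
        "model": _cstr(hdr[0x1E:0x2E]),
        "fw_version": _cstr(hdr[0x2E:0x3E]),
        "release_date": _cstr(hdr[0x3E:0x4E]),
        "compilation": _cstr(hdr[0x5E:0x15E]),
        "section1_sha256": hdr[0x1AA:0x1CA],   # 32 bytes; the listing prints 16
        "section2_sha256": hdr[0x1CA:0x1EA],
        "header_crc16": struct.unpack_from(">H", hdr, 0x3FE)[0],
    }


def verify_section_hashes(img, info):
    """Compare each section's SHA256 with the digest stored in the header."""
    result = {}
    for name in ("section1", "section2"):
        start, end = info[name]
        result[name] = hashlib.sha256(img[start:end]).digest() == info[name + "_sha256"]
    return result


def walk_subsections(img, start, end):
    """Walk the subsection chain in [start, end); each one starts where the previous payload ends."""
    subs, pos = [], start
    while pos + SUBHDR_MIN <= end:
        stype = img[pos]                                            # +0x00 type byte
        hdr_size, sub_size = struct.unpack_from(">HI", img, pos + 1)  # +0x01 / +0x03
        sub_crc = struct.unpack_from(">H", img, pos + 7)[0]        # +0x07
        contents_size = struct.unpack_from(">I", img, pos + 0x1F)[0]  # +0x1F
        hdr_crc = struct.unpack_from(">H", img, pos + hdr_size - 2)[0]  # last 2 header bytes
        payload_start = pos + hdr_size
        payload_end = payload_start + sub_size
        if hdr_size < SUBHDR_MIN or payload_end > end or contents_size > sub_size:
            raise ValueError(f"inconsistent subsection header at {pos:#010x}")
        subs.append({
            "type": stype, "hdr_size": hdr_size, "crc16": sub_crc, "hdr_crc16": hdr_crc,
            "payload": (payload_start, payload_end),
            "contents": (payload_end - contents_size, payload_end),
        })
        pos = payload_end
    return subs


def build_sample_image():
    """Constructed test data in the same layout (not a real update file)."""
    def subsection(stype, contents, hdr_size=0x25, gap=3):
        payload = b"\0" * gap + contents
        h = bytearray(hdr_size)
        h[0] = stype
        struct.pack_into(">HI", h, 1, hdr_size, len(payload))
        struct.pack_into(">I", h, 0x1F, len(contents))
        return bytes(h) + payload   # CRC16 fields left zero: polynomial unknown

    sec1 = b"LOADER" * 10
    sec2 = (subsection(0x80, b"BM" + b"\0" * 30)
            + subsection(0x11, b"PROGRAMMER", hdr_size=0x70, gap=0x40)
            + b"\0" * 4)            # trailing bytes, as after the last subsection in the listing
    hdr = bytearray(HEADER_SIZE)
    struct.pack_into(">HIIHH", hdr, 0, HEADER_SIZE, len(sec1), len(sec2), 0, 0)
    hdr[0x1E:0x25] = b"RTC1002"
    hdr[0x2E:0x34] = b"06.100"
    hdr[0x3E:0x48] = b"2018-06-27"
    hdr[0x5E:0x69] = b"Build 38186"
    hdr[0x1AA:0x1CA] = hashlib.sha256(sec1).digest()
    hdr[0x1CA:0x1EA] = hashlib.sha256(sec2).digest()
    return bytes(hdr) + sec1 + sec2


if __name__ == "__main__":
    image = build_sample_image()
    info = parse_header(image)
    print(info["model"], info["fw_version"], verify_section_hashes(image, info))
    for sub in walk_subsections(image, *info["section2"]):
        print(f"subsection {sub['type']:#04x} contents at {sub['contents']}")
```

The walk stops when fewer than 0x25 bytes remain, which mirrors the four bytes left over after the last subsection in the listing; a header whose sizes do not fit inside the section raises instead of silently reading past it.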
uski:
There are these SCPI commands:
--- Code: ---
DIAGNOSTIC:PRODUCT:OPTION:STATUS
DIAGNOSTIC:PRODUCT:OPTION:LIST
DIAGNOSTIC:PRODUCT:OPTION:ENABLE OFF ON
DIAGNOSTIC:PRODUCT:OPTION:FACTORY:CLEAR
DIAGNOSTIC:PRODUCT:MNUMBER:SET
--- End code ---
Obviously I would not try CLEAR... but STATUS/LIST and ENABLE seem interesting...

Regarding reverse engineering, if the ENABLE command asks for a key, it could be possible to statically decompile the code and look at what checks are performed. This could yield the key algorithm.

I don't have an RTB - I am waiting to see where this thread goes before maybe getting one. Someone wants to try these commands? ;D

PS: Oh and MNUMBER can be promising... maybe it allows changing the model number to... a higher bandwidth version? >:D