R&S RTB2004 Snooping
ElectronMan:
--- Quote from: KaneTW on October 16, 2020, 06:48:24 pm ---Using this:
--- Code: --- openssl aes-256-cbc -K 43C6B3E57510A3C5547AA4DF9528B783 -iv 0 -in RTB2004.FWU -out RTB2004.FWU.dec
--- End code ---
Resulting .dec file is either compressed or encrypted (bytes are uniformly distributed)
--- End quote ---
You're missing some things... Not sure what the defaults are, but I'd specify them. It may be encrypting it rather than decrypting it, as I see no -d in your command.
--- Code: ---openssl enc -aes-256-cbc -nopad -nosalt -d -in <infile> -out <outfile> -K '<key>' -iv '0'
--- End code ---
Don't forget to pad the key out to the proper length by appending the 0's.
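Added example (not code from the thread): two helpers that go with the corrected openssl command above. `pad_hex_param()` mirrors how `openssl enc -K`/`-iv` treats a hex value shorter than the cipher's key or IV size (it is packed nibble by nibble and zero-filled on the right, with a warning), so the key can be padded explicitly instead of relying on that behaviour; `entropy_profile()` turns "the bytes are uniformly distributed" into a number, because a genuine decrypt leaves low-entropy regions (headers, zero padding, strings) while still-encrypted or compressed output sits near 8 bits/byte in every chunk. The sample buffers are constructed here, not taken from a firmware file; the decrypt command line is the one from this post, built as an argv list.

```python
"""Key padding and a per-chunk entropy check for a decrypted .FWU (added example)."""
import hashlib
import math
from collections import Counter

AES256_KEY_LEN = 32   # bytes
AES_BLOCK_LEN = 16    # bytes; also the CBC IV length


def pad_hex_param(hex_str: str, length: int) -> bytes:
    """Pack hex nibbles left-aligned into `length` bytes, zero-filling the rest.
    This is what openssl's set_hex() does for a short -K or -iv value; a value
    longer than the key/IV is rejected here."""
    if len(hex_str) > 2 * length:
        raise ValueError("hex string is too long")
    out = bytearray(length)
    for i, ch in enumerate(hex_str):
        out[i // 2] |= int(ch, 16) << (4 if i % 2 == 0 else 0)
    return bytes(out)


def openssl_decrypt_argv(infile: str, outfile: str, key_hex: str, iv_hex: str = "0") -> list:
    """The explicit decrypt command from the post: -d is what the first attempt
    lacked, -nopad stops openssl rejecting a last block that carries no PKCS#7
    padding, -nosalt because a raw key is supplied."""
    return ["openssl", "enc", "-aes-256-cbc", "-d", "-nopad", "-nosalt",
            "-K", key_hex, "-iv", iv_hex, "-in", infile, "-out", outfile]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a perfectly flat histogram."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk: int = 4096) -> list:
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def looks_encrypted_or_compressed(data: bytes, chunk: int = 4096, threshold: float = 7.9) -> bool:
    """True when every chunk is near 8 bits/byte.  A real decrypt of a
    container with headers and strings should fail this somewhere."""
    profile = entropy_profile(data, chunk)
    return bool(profile) and min(profile) > threshold


# Constructed samples: a deterministic pseudo-random stream stands in for
# still-encrypted output, a header-like blob stands in for a successful decrypt.
RANDOM_LIKE = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(512))
STRUCTURED_LIKE = (b"RTC1002\0" + b"06.100\0" + b"2018-06-27\0").ljust(1024, b"\0") + bytes(range(256)) * 16

if __name__ == "__main__":
    key = pad_hex_param("43C6B3E57510A3C5547AA4DF9528B783", AES256_KEY_LEN)
    print("padded key:", key.hex())
    print(" ".join(openssl_decrypt_argv("RTB2004.FWU", "RTB2004.FWU.dec", key.hex())))
    for name, blob in (("random-like", RANDOM_LIKE), ("structured", STRUCTURED_LIKE)):
        print(f"{name}: min chunk entropy {min(entropy_profile(blob)):.3f} bits/byte, "
              f"opaque={looks_encrypted_or_compressed(blob)}")
```

Run the decrypt with the padded 64-hex-digit key, then feed the output file to `entropy_profile()`; if every 4 KiB chunk is still above ~7.9 bits/byte the command was wrong (or the payload is compressed again inside), whereas a correct decrypt shows the header and string regions dropping well below that.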
abyrvalg:
Great! So an update file consists of 3 main things: a loader code that writes update to flash, a splash screen to show during update and an all-in-one ELF to be flashed.
KaneTW:
--- Quote from: ElectronMan on October 16, 2020, 07:24:14 pm ---
--- Quote from: KaneTW on October 16, 2020, 06:48:24 pm ---Using this:
--- Code: --- openssl aes-256-cbc -K 43C6B3E57510A3C5547AA4DF9528B783 -iv 0 -in RTB2004.FWU -out RTB2004.FWU.dec
--- End code ---
Resulting .dec file is either compressed or encrypted (bytes are uniformly distributed)
--- End quote ---
You're missing some things... Not sure what the defaults are, but I'd specify them. It may be encrypting it rather than decrypting it, as I see no -d in your command.
--- Code: ---openssl enc -aes-256-cbc -nopad -nosalt -d -in <infile> -out <outfile> -K '<key>' -iv '0'
--- End code ---
Don't forget to pad the key out to the proper length by appending the 0's.
--- End quote ---
Duh. That's what I get for not double-checking. The args were what was missing.
tv84:
--- Quote from: abyrvalg on October 16, 2020, 10:06:05 pm ---Great! So an update file consists of 3 main things: a loader code that writes update to flash, a splash screen to show during update and an all-in-one ELF to be flashed.
--- End quote ---
Exactly, but in this RTC1002 FW there are additional sections. ;) (but the structure is the same)
RTC1002:
--- Code: ---00000000 Header Size: 0400 [00000000-000003FF] FileSize OK
00000002 Section 1 Size: 00044BC0 [00000400-00044FBF]
00000006 Section 2 Size: 0097F250 [00044FC0-009C420F]
0000000A Section 1 CRC16: EF35 CRC OK
0000000C Section 2 CRC16: 033B CRC OK
0000000E ????: 0x101B0000
0000001E Model: RTC1002
0000002E FW Version: 06.100
0000003E Release Date: 2018-06-27
0000004E ????: 17479.19094
0000005E Compilation: Build 38186 built on 2018-06-27 15:59:39 by MaG? [06.100 - HCL: 02.500 - MesOS: 03.760] with GCC 5.3.0
0000015E (???) Hash Type: 2
00000198 Build: 38186
000001AA Section 1 SHA256: 9264B3CF9410BDEF8B744AA0F5570FE6 HASH OK
000001CA Section 2 SHA256: 4F0237325E515FB0DCF8C5606A672288 HASH OK
000003FE Header CRC16: D71A CRC OK
--------------------------------------------------------------------
00044FC0 **** SubSection 0x80 ****
00044FC1 SubSect Hdr Size: 0025
00044FC3 SubSection Size: 0000809F [00044FE5-0004D083]
00044FC7 SubSection CRC16: D361 CRC OK
00044FDF Contents Size: 0000809C [00044FE8-0004D083]
00044FE3 SubSect Hdr CRC16: 1A08 [00044FC0-00044FE2] CRC OK
00044FE8 BMP (640x480 pixels - 8 bits / compr.: 1) [00044FE8-0004D083]
0004D084 **** SubSection 0x11 ****
0004D085 SubSect Hdr Size: 0025
0004D087 SubSection Size: 00005B4B [0004D0A9-00052BF3]
0004D08B SubSection CRC16: A31B CRC OK
0004D0A3 Contents Size: 00005B48 [0004D0AC-00052BF3]
0004D0A7 SubSect Hdr CRC16: D911 [0004D084-0004D0A6] CRC OK
0004D0AC Bootloader Programmer
00052BF4 **** SubSection 0x18 ****
00052BF5 SubSect Hdr Size: 0025
00052BF7 SubSection Size: 0096EFE3 [00052C19-009C1BFB]
00052BFB SubSection CRC16: F0CC CRC OK
00052C13 Contents Size: 0096EFE0 [00052C1C-009C1BFB]
00052C17 SubSect Hdr CRC16: 9A46 [00052BF4-00052C16] CRC OK
00052C1D ELF File Size: 0096EF60 [00052C5C-009C1BBB]
00052C21 ELF File CRC32: E0061AED CRC OK
00052C25 Creation Time: 27/06/2018 14:12:00
00052C5C Main Application .ELF
009C1BFC **** SubSection 0x12 ****
009C1BFD SubSect Hdr Size: 0070
009C1BFF SubSection Size: 000025A0 [009C1C6C-009C420B]
009C1C03 SubSection CRC16: 1726 CRC OK
009C1C1B Contents Size: 0000255F [009C1CAC-009C420A]
009C1C6A SubSect Hdr CRC16: 7F25 [009C1BFC-009C1C69] CRC OK
009C1CAC Bootloader EEPROM Programming
--- End code ---
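Added example, not the thread's own tool: a parser for the update container as laid out in the dump above (header with section sizes, CRC16s and SHA256s, then a chain of subsections each with its own header CRC and payload CRC). Field offsets follow the dump; the byte order (little-endian), the CRC-16 variant (CRC-16/CCITT-FALSE), the widths of the string fields, and the meaning of the bytes between a subsection header and its contents (left undecoded) are assumptions. `build_sample_image()` constructs a small image in that layout so the parser can be exercised offline; it is not real firmware.

```python
"""Parser for the header/section/subsection layout in the dump (added example)."""
import hashlib
import struct

HEADER_SIZE = 0x400
SUBHDR_SIZE = 0x25


def crc16(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE (assumed; the variant used by the tool is not stated)."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def cstr(buf: bytes) -> str:
    return buf.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_header(img: bytes) -> dict:
    """Decode the 0x400-byte header and verify file size, CRC16s and SHA256s."""
    hdr_size, s1_size, s2_size, s1_crc, s2_crc = struct.unpack_from("<HIIHH", img, 0)
    sections = [(hdr_size, s1_size, s1_crc, img[0x1AA:0x1CA]),
                (hdr_size + s1_size, s2_size, s2_crc, img[0x1CA:0x1EA])]
    checks = {"file_size": hdr_size + s1_size + s2_size == len(img),
              "header_crc": crc16(img[:0x3FE]) == struct.unpack_from("<H", img, 0x3FE)[0]}
    for i, (off, size, crc, digest) in enumerate(sections, 1):
        sec = img[off:off + size]
        checks[f"section{i}_crc"] = crc16(sec) == crc
        checks[f"section{i}_sha256"] = hashlib.sha256(sec).digest() == digest
    return {"sections": sections, "checks": checks,
            "model": cstr(img[0x1E:0x2E]), "fw_version": cstr(img[0x2E:0x3E]),
            "release_date": cstr(img[0x3E:0x4E]), "compilation": cstr(img[0x5E:0x15E])}


def parse_subsections(img: bytes, off: int, end: int) -> list:
    """Walk the chain of subsections that makes up section 2."""
    subs = []
    while off + SUBHDR_SIZE <= end:
        hdr_size, sub_size, sub_crc = struct.unpack_from("<HIH", img, off + 1)
        contents_size = struct.unpack_from("<I", img, off + 0x1F)[0]
        hdr_crc = struct.unpack_from("<H", img, off + hdr_size - 2)[0]  # last 2 header bytes
        payload = img[off + hdr_size:off + hdr_size + sub_size]
        subs.append({
            "type": img[off], "offset": off,
            "contents": payload[max(0, len(payload) - contents_size):],  # trailing bytes of the payload
            "hdr_crc_ok": crc16(img[off:off + hdr_size - 2]) == hdr_crc,
            "crc_ok": len(payload) == sub_size and crc16(payload) == sub_crc,
        })
        off += hdr_size + sub_size
    return subs


def parse_image(img: bytes) -> dict:
    info = parse_header(img)
    s2_off, s2_size = info["sections"][1][:2]
    info["subsections"] = parse_subsections(img, s2_off, s2_off + s2_size)
    return info


def build_sample_image() -> bytes:
    """Constructed image in the layout above (stand-in contents, not firmware)."""
    def subsection(kind: int, contents: bytes, lead: bytes = b"\0\0\0") -> bytes:
        payload = lead + contents
        hdr = bytearray(SUBHDR_SIZE)
        hdr[0] = kind
        struct.pack_into("<HIH", hdr, 1, SUBHDR_SIZE, len(payload), crc16(payload))
        struct.pack_into("<I", hdr, 0x1F, len(contents))
        struct.pack_into("<H", hdr, SUBHDR_SIZE - 2, crc16(hdr[:SUBHDR_SIZE - 2]))
        return bytes(hdr) + payload

    section1 = b"LOADER-STUB" * 37                               # loader code stand-in
    section2 = (subsection(0x80, b"BM" + bytes(60))             # splash bitmap stand-in
                + subsection(0x11, b"\xaa" * 40)                 # bootloader programmer stand-in
                + subsection(0x18, b"\x7fELF" + bytes(100)))     # main application stand-in
    hdr = bytearray(HEADER_SIZE)
    struct.pack_into("<HIIHH", hdr, 0, HEADER_SIZE, len(section1), len(section2),
                     crc16(section1), crc16(section2))
    hdr[0x1E:0x25] = b"RTC1002"
    hdr[0x2E:0x34] = b"06.100"
    hdr[0x3E:0x48] = b"2018-06-27"
    hdr[0x1AA:0x1CA] = hashlib.sha256(section1).digest()
    hdr[0x1CA:0x1EA] = hashlib.sha256(section2).digest()
    struct.pack_into("<H", hdr, 0x3FE, crc16(hdr[:0x3FE]))
    return bytes(hdr) + section1 + section2


if __name__ == "__main__":
    info = parse_image(build_sample_image())
    print(info["model"], info["fw_version"], info["release_date"], info["checks"])
    for s in info["subsections"]:
        print(f"subsection 0x{s['type']:02X} at 0x{s['offset']:X}: {len(s['contents'])} "
              f"content bytes, crc_ok={s['crc_ok']}, hdr_crc_ok={s['hdr_crc_ok']}")
```

Against a real decrypted image, the first thing to check is whether `header_crc` comes out true: if it does not, the CRC variant or byte order assumed here is wrong and the rest of the checks are meaningless, so try the other common CRC-16 parameter sets before trusting any "CRC OK".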
uski:
There are these SCPI commands :
DIAGNOSTIC:PRODUCT:OPTION:STATUS
DIAGNOSTIC:PRODUCT:OPTION:LIST
DIAGNOSTIC:PRODUCT:OPTION:ENABLE OFF ON
DIAGNOSTIC:PRODUCT:OPTION:FACTORY:CLEAR
DIAGNOSTIC:PRODUCT:MNUMBER:SET
Obviously I would not try CLEAR... but STATUS/LIST and ENABLE seem interesting...
Regarding reverse engineering, if the ENABLE command asks for a key, it could be possible to statically decompile the code and look at what checks are performed. This could yield the key algorithm.
I don't have an RTB - I am waiting to see where this thread goes before maybe getting one. Does someone want to try these commands? ;D
PS: Oh and MNUMBER can be promising... maybe it allows changing the model number to... a higher bandwidth version ? >:D
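Added example (not from the thread): a minimal SCPI-over-TCP client for trying the commands listed above from a script, with no VISA stack. Assumptions: the scope accepts raw SCPI on TCP port 5025 (common on R&S instruments; check yours), the read-only STATUS and LIST commands are queried with a trailing `?`, and the responses are single lines. `fake_instrument()` is a constructed loopback stand-in with made-up replies so the client can be run offline; nothing here sends ENABLE, CLEAR or MNUMBER.

```python
"""Raw-socket SCPI client and a loopback stand-in instrument (added example)."""
import socket
import threading

SCPI_PORT = 5025  # assumed raw-socket SCPI port; verify on the instrument


class ScpiClient:
    def __init__(self, host: str, port: int = SCPI_PORT, timeout: float = 5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.buf = b""

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.sock.close()

    def write(self, cmd: str) -> None:
        self.sock.sendall(cmd.encode("ascii") + b"\n")

    def query(self, cmd: str) -> str:
        """Send a query and return one newline-terminated response line."""
        self.write(cmd)
        while b"\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("instrument closed the connection")
            self.buf += chunk
        line, self.buf = self.buf.split(b"\n", 1)
        return line.decode("ascii", "replace").rstrip("\r")


def option_survey(client: ScpiClient) -> dict:
    """Read-only look: *IDN?, then the STATUS and LIST queries from the post
    (query forms assumed).  ENABLE, CLEAR and MNUMBER are deliberately not sent."""
    fields = [p.strip() for p in client.query("*IDN?").split(",")] + [""] * 4
    return {
        "manufacturer": fields[0], "model": fields[1], "serial": fields[2], "firmware": fields[3],
        "option_status": client.query("DIAGNOSTIC:PRODUCT:OPTION:STATUS?"),
        "option_list": client.query("DIAGNOSTIC:PRODUCT:OPTION:LIST?"),
    }


def fake_instrument(responses: dict) -> tuple:
    """Loopback stand-in: answers known queries from `responses`, an empty line
    otherwise, and exits when the client disconnects.  Returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as rx:
            for line in rx:
                cmd = line.strip().decode("ascii", "replace")
                if cmd.endswith("?"):
                    conn.sendall(responses.get(cmd.upper(), "").encode("ascii") + b"\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


# Constructed replies for the stand-in; the real response formats are unknown.
CONSTRUCTED_REPLIES = {
    "*IDN?": "Rohde&Schwarz,RTB2004,000000/000,00.000",
    "DIAGNOSTIC:PRODUCT:OPTION:STATUS?": "0",
    "DIAGNOSTIC:PRODUCT:OPTION:LIST?": "OPT1,OPT2",
}

if __name__ == "__main__":
    host, port = fake_instrument(CONSTRUCTED_REPLIES)
    with ScpiClient(host, port) as scope:
        print(option_survey(scope))
```

To use it against a real scope, replace the stand-in with `ScpiClient("<scope-ip>")` and start with `*IDN?` alone; if the diagnostic queries return an error rather than a value, the `?` form is wrong and the instrument's error queue (`SYSTem:ERRor?`) will say so.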