
R&S RTB2004 Snooping


ElectronMan:

--- Quote from: KaneTW on October 16, 2020, 06:48:24 pm ---Using this:

--- Code: --- openssl aes-256-cbc -K 43C6B3E57510A3C5547AA4DF9528B783  -iv 0 -in RTB2004.FWU -out RTB2004.FWU.dec
--- End code ---

Resulting .dec file is either compressed or encrypted (bytes are uniformly distributed)

--- End quote ---

You're missing some things... Not sure what the defaults are, but I'd specify them. It may be encrypting it rather than decrypting it, as I see no -d in your command.


--- Code: ---openssl enc -aes-256-cbc -nopad -nosalt -d -in <infile> -out <outfile> -K '<key>' -iv '0'
--- End code ---

Don't forget to pad the key out to the proper length by appending the 0's.
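
The decrypt step ElectronMan describes, as an added Python example (this is not code from the thread): it pads the 16-byte key with zero nibbles to the 32 bytes AES-256 expects, builds the openssl enc command line with an explicit -d, -nopad, -nosalt and a full 16-byte zero IV, and round-trips a constructed 32-byte block through openssl to show that the same command without -d yields ciphertext, not plaintext. The helper names (pad_key_hex, openssl_cmd, roundtrip_selftest), the use of the model string as a plaintext sanity check (tv84's dump below shows the model name inside the decrypted header) and the sample data are my assumptions; the round trip needs the openssl binary on PATH and reports None when it is absent.

```python
import pathlib
import shutil
import subprocess
import tempfile

AES256_KEY_HEX_LEN = 64  # 32 bytes = 64 hex digits


def pad_key_hex(key_hex: str) -> str:
    """Right-pad a hex key with zero nibbles to the AES-256 key length.

    openssl enc -K does the same silently (it only prints a warning) when the
    key is too short; doing it explicitly makes the effective key visible.
    """
    key_hex = key_hex.strip().lower()
    if len(key_hex) > AES256_KEY_HEX_LEN or len(key_hex) % 2:
        raise ValueError("key must be an even-length hex string of at most 32 bytes")
    bytes.fromhex(key_hex)  # raises ValueError on non-hex characters
    return key_hex.ljust(AES256_KEY_HEX_LEN, "0")


def openssl_cmd(infile, outfile, key_hex, decrypt=True):
    """Build the openssl enc command: raw-key CBC, no padding, zero IV, explicit -d."""
    cmd = ["openssl", "enc", "-aes-256-cbc", "-nopad", "-nosalt",
           "-K", pad_key_hex(key_hex), "-iv", "00" * 16,
           "-in", str(infile), "-out", str(outfile)]
    if decrypt:
        cmd.insert(2, "-d")  # without -d, openssl enc ENCRYPTS the input
    return cmd


def run_openssl(infile, outfile, key_hex, decrypt=True) -> bytes:
    subprocess.run(openssl_cmd(infile, outfile, key_hex, decrypt), check=True)
    return pathlib.Path(outfile).read_bytes()


def looks_like_plaintext(data: bytes, expect: bytes = b"RTB2004") -> bool:
    """Sanity check: a correct decrypt should expose the model string in the
    first 0x400 bytes (the header region in tv84's dump). ASSUMPTION."""
    return expect in data[:0x400]


def roundtrip_selftest(key_hex="43C6B3E57510A3C5547AA4DF9528B783"):
    """Encrypt a CONSTRUCTED 32-byte block and decrypt it again with the same
    padded key. Returns None if openssl is not installed, True on success."""
    if shutil.which("openssl") is None:
        return None
    plain = b"RTB2004 constructed header..".ljust(32, b"\0")  # 2 AES blocks, no padding needed
    with tempfile.TemporaryDirectory() as tmp:
        tmp = pathlib.Path(tmp)
        (tmp / "plain.bin").write_bytes(plain)
        enc = run_openssl(tmp / "plain.bin", tmp / "enc.bin", key_hex, decrypt=False)
        dec = run_openssl(tmp / "enc.bin", tmp / "dec.bin", key_hex, decrypt=True)
    return enc != plain and dec == plain and looks_like_plaintext(dec)


if __name__ == "__main__":
    print(" ".join(openssl_cmd("RTB2004.FWU", "RTB2004.FWU.dec",
                               "43C6B3E57510A3C5547AA4DF9528B783")))
    print("round trip:", roundtrip_selftest())
```

The -nopad flag means the input length must be a multiple of 16 bytes in both directions; if a real update file is not, the trailing partial block is not AES data and has to be handled separately.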

abyrvalg:
Great! So an update file consists of 3 main things: a loader code that writes update to flash, a splash screen to show during update and an all-in-one ELF to be flashed.

KaneTW:

--- Quote from: ElectronMan on October 16, 2020, 07:24:14 pm ---
--- Quote from: KaneTW on October 16, 2020, 06:48:24 pm ---Using this:

--- Code: --- openssl aes-256-cbc -K 43C6B3E57510A3C5547AA4DF9528B783  -iv 0 -in RTB2004.FWU -out RTB2004.FWU.dec
--- End code ---

Resulting .dec file is either compressed or encrypted (bytes are uniformly distributed)

--- End quote ---

You're missing some things... Not sure what the defaults are, but I'd specify them. It may be encrypting it rather than decrypting it, as I see no -d in your command.


--- Code: ---openssl enc -aes-256-cbc -nopad -nosalt -d -in <infile> -out <outfile> -K '<key>' -iv '0'
--- End code ---

Don't forget to pad the key out to the proper length by appending the 0's.

--- End quote ---

Duh. That's what I get for not double-checking. The args were what was missing.

tv84:

--- Quote from: abyrvalg on October 16, 2020, 10:06:05 pm ---Great! So an update file consists of 3 main things: a loader code that writes update to flash, a splash screen to show during update and an all-in-one ELF to be flashed.

--- End quote ---

Exactly, but in this RTC1002 FW there are additional sections. ;) (but the structure is the same)

RTC1002:

--- Code: ---00000000      Header Size: 0400      [00000000-000003FF]    FileSize OK
00000002   Section 1 Size: 00044BC0  [00000400-00044FBF]
00000006   Section 2 Size: 0097F250  [00044FC0-009C420F]
0000000A  Section 1 CRC16: EF35    CRC OK
0000000C  Section 2 CRC16: 033B    CRC OK
0000000E             ????: 0x101B0000
0000001E            Model: RTC1002
0000002E       FW Version: 06.100
0000003E     Release Date: 2018-06-27
0000004E             ????: 17479.19094
0000005E      Compilation: Build 38186 built on 2018-06-27 15:59:39 by MaG? [06.100 - HCL: 02.500 - MesOS: 03.760] with GCC 5.3.0
0000015E  (???) Hash Type: 2
00000198            Build: 38186
000001AA Section 1 SHA256: 9264B3CF9410BDEF8B744AA0F5570FE6    HASH OK
000001CA Section 2 SHA256: 4F0237325E515FB0DCF8C5606A672288    HASH OK
000003FE     Header CRC16: D71A    CRC OK
--------------------------------------------------------------------
00044FC0 **** SubSection 0x80 ****
00044FC1  SubSect Hdr Size: 0025
00044FC3   SubSection Size: 0000809F  [00044FE5-0004D083]
00044FC7  SubSection CRC16: D361    CRC OK
00044FDF     Contents Size: 0000809C  [00044FE8-0004D083]
00044FE3 SubSect Hdr CRC16: 1A08      [00044FC0-00044FE2]    CRC OK
00044FE8 BMP (640x480 pixels - 8 bits / compr.: 1)   [00044FE8-0004D083]
0004D084 **** SubSection 0x11 ****
0004D085  SubSect Hdr Size: 0025
0004D087   SubSection Size: 00005B4B  [0004D0A9-00052BF3]
0004D08B  SubSection CRC16: A31B    CRC OK
0004D0A3     Contents Size: 00005B48  [0004D0AC-00052BF3]
0004D0A7 SubSect Hdr CRC16: D911      [0004D084-0004D0A6]    CRC OK
0004D0AC Bootloader Programmer
00052BF4 **** SubSection 0x18 ****
00052BF5  SubSect Hdr Size: 0025
00052BF7   SubSection Size: 0096EFE3  [00052C19-009C1BFB]
00052BFB  SubSection CRC16: F0CC    CRC OK
00052C13     Contents Size: 0096EFE0  [00052C1C-009C1BFB]
00052C17 SubSect Hdr CRC16: 9A46      [00052BF4-00052C16]    CRC OK
00052C1D     ELF File Size: 0096EF60  [00052C5C-009C1BBB]
00052C21    ELF File CRC32: E0061AED    CRC OK
00052C25     Creation Time: 27/06/2018 14:12:00
00052C5C Main Application .ELF
009C1BFC **** SubSection 0x12 ****
009C1BFD  SubSect Hdr Size: 0070
009C1BFF   SubSection Size: 000025A0  [009C1C6C-009C420B]
009C1C03  SubSection CRC16: 1726    CRC OK
009C1C1B     Contents Size: 0000255F  [009C1CAC-009C420A]
009C1C6A SubSect Hdr CRC16: 7F25      [009C1BFC-009C1C69]    CRC OK
009C1CAC Bootloader EEPROM Programming

--- End code ---
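
Added example, not tv84's tool: a Python parser that reads the header fields at the offsets shown in the RTC1002 dump above, recomputes the section bounds and the per-section SHA-256, and walks the chained sub-section headers in section 2 the same way the dump does (header at start, body of the given size after it, next entry after the body). Field widths, little-endian byte order, that the SHA-256 covers the whole section, and the constructed sample image are assumptions; the CRC16 fields are read but not verified because the thread does not give the CRC variant.

```python
import hashlib
import struct

# Header offsets read off the RTC1002 dump. Widths and byte order are ASSUMPTIONS.
HDR_SIZE_OFF = 0x000     # u16, 0x0400 in the dump
SEC1_SIZE_OFF = 0x002    # u32
SEC2_SIZE_OFF = 0x006    # u32
SEC1_CRC_OFF = 0x00A     # u16, variant unknown (not verified)
SEC2_CRC_OFF = 0x00C     # u16
MODEL_OFF = 0x01E        # 16-byte NUL-padded strings, judging by the 0x10 spacing
FWVER_OFF = 0x02E
RELDATE_OFF = 0x03E
COMPILATION_OFF = 0x05E  # 0x100 bytes, up to the field at 0x15E
SEC1_SHA_OFF = 0x1AA     # 32 bytes (next field sits at 0x1CA)
SEC2_SHA_OFF = 0x1CA
HDR_CRC_OFF = 0x3FE      # u16, last two bytes of the 0x400 header
SUBHDR_MIN = 0x25        # smallest sub-section header in the dump; contents size sits at +0x1F


def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]
def _cstr(b, o, n): return b[o:o + n].split(b"\0", 1)[0].decode("ascii", "replace")


def parse_subsections(data, start, end):
    """Walk sub-section headers: type(u8) hdr_size(u16) size(u32) crc16(u16) ...
    contents_size(u32 at +0x1F) ... hdr_crc16(u16 at hdr_size-2), body after the header."""
    subs, pos = [], start
    while pos + SUBHDR_MIN <= end:
        hdr_size = _u16(data, pos + 1)
        body_start = pos + hdr_size
        body_end = body_start + _u32(data, pos + 3)
        if hdr_size < SUBHDR_MIN or body_end > end:
            break  # not a header; the dump has 4 trailing bytes after the last sub-section
        subs.append({"type": data[pos], "hdr_size": hdr_size,
                     "crc16": _u16(data, pos + 7),
                     "contents_size": _u32(data, pos + 0x1F),
                     "hdr_crc16": _u16(data, pos + hdr_size - 2),
                     "body": (body_start, body_end)})
        pos = body_end
    return subs, end - pos  # bytes of section 2 not covered by any sub-section


def parse_fwu(data):
    """Parse a decrypted update image; repeat the size and hash checks the dump reports."""
    if len(data) < 0x400:
        raise ValueError("image shorter than the 0x400-byte header")
    hdr_size = _u16(data, HDR_SIZE_OFF)
    sec1 = (hdr_size, hdr_size + _u32(data, SEC1_SIZE_OFF))
    sec2 = (sec1[1], sec1[1] + _u32(data, SEC2_SIZE_OFF))
    checks = {
        "file_size_ok": sec2[1] == len(data),
        # ASSUMPTION: the hash is over the whole section; the dump only says "HASH OK"
        "sec1_hash_ok": hashlib.sha256(data[sec1[0]:sec1[1]]).digest() == data[SEC1_SHA_OFF:SEC1_SHA_OFF + 32],
        "sec2_hash_ok": hashlib.sha256(data[sec2[0]:sec2[1]]).digest() == data[SEC2_SHA_OFF:SEC2_SHA_OFF + 32],
    }
    subs, trailing = parse_subsections(data, sec2[0], sec2[1])
    return {"header_size": hdr_size, "model": _cstr(data, MODEL_OFF, 16),
            "fw_version": _cstr(data, FWVER_OFF, 16), "release_date": _cstr(data, RELDATE_OFF, 16),
            "compilation": _cstr(data, COMPILATION_OFF, 0x100),
            "sec1": sec1, "sec2": sec2,
            "sec1_crc16": _u16(data, SEC1_CRC_OFF), "sec2_crc16": _u16(data, SEC2_CRC_OFF),
            "header_crc16": _u16(data, HDR_CRC_OFF),
            "subsections": subs, "trailing_bytes": trailing, "checks": checks}


def build_sample_image():
    """CONSTRUCTED image following the dump's layout; not real firmware.
    CRC16 fields stay zero because the polynomial is not known from the thread."""
    def subsection(stype, hdr_size, body):
        hdr = bytearray(hdr_size)
        hdr[0] = stype
        struct.pack_into("<H", hdr, 1, hdr_size)
        struct.pack_into("<I", hdr, 3, len(body))
        struct.pack_into("<I", hdr, 0x1F, len(body) - 3)  # dump: contents = size - 3 for 0x80/0x11/0x18
        return bytes(hdr) + body
    sec1 = b"\xAA" * 0x100                                  # stands in for the loader
    sec2 = (subsection(0x80, 0x25, b"BM" + b"\0" * 70)      # splash bitmap placeholder
            + subsection(0x11, 0x25, b"\x11" * 40)          # bootloader programmer placeholder
            + b"\0\0\0\0")                                  # trailing bytes, as in the dump
    hdr = bytearray(0x400)
    struct.pack_into("<H", hdr, HDR_SIZE_OFF, 0x400)
    struct.pack_into("<I", hdr, SEC1_SIZE_OFF, len(sec1))
    struct.pack_into("<I", hdr, SEC2_SIZE_OFF, len(sec2))
    hdr[MODEL_OFF:MODEL_OFF + 7] = b"RTC1002"
    hdr[FWVER_OFF:FWVER_OFF + 6] = b"06.100"
    hdr[RELDATE_OFF:RELDATE_OFF + 10] = b"2018-06-27"
    hdr[SEC1_SHA_OFF:SEC1_SHA_OFF + 32] = hashlib.sha256(sec1).digest()
    hdr[SEC2_SHA_OFF:SEC2_SHA_OFF + 32] = hashlib.sha256(sec2).digest()
    return bytes(hdr) + sec1 + sec2


if __name__ == "__main__":
    for k, v in parse_fwu(build_sample_image()).items():
        print(f"{k:>14}: {v}")
```

Pointing parse_fwu at a real decrypted .FWU is the quick way to tell whether the decrypt worked: with a correct key the size arithmetic and both section hashes come out OK, with a wrong key or a missing -d the header size field is garbage and the checks fail.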

uski:
There are these SCPI commands:

DIAGNOSTIC:PRODUCT:OPTION:STATUS
DIAGNOSTIC:PRODUCT:OPTION:LIST
DIAGNOSTIC:PRODUCT:OPTION:ENABLE    OFF ON
DIAGNOSTIC:PRODUCT:OPTION:FACTORY:CLEAR
DIAGNOSTIC:PRODUCT:MNUMBER:SET

Obviously I would not try CLEAR... but STATUS/LIST and ENABLE seem interesting...

Regarding reverse engineering, if the ENABLE command asks for a key, it could be possible to statically decompile the code and look at what checks are performed. This could yield the key algorithm.

I don't have an RTB - I am waiting to see where this thread goes before maybe getting one. Does someone want to try these commands? ;D

PS: Oh, and MNUMBER can be promising... maybe it allows changing the model number to... a higher-bandwidth version? >:D
