Author Topic: R&S RTB2004 Snooping  (Read 3299 times)

KaneTW
Re: R&S RTB2004 Snooping
« Reply #50 on: October 16, 2020, 04:50:30 pm »
Oh. I didn't realize it was 0-padded 256-bit AES. It even worked the last time round, I just didn't notice that it succeeded. Oops.

E: welp, didn't work. just didn't fail, but the data's still encrypted. hmm.
« Last Edit: October 16, 2020, 04:52:19 pm by KaneTW »
 

ElectronMan
Re: R&S RTB2004 Snooping
« Reply #51 on: October 16, 2020, 05:08:24 pm »
Make sure you're using AES-256-CBC with an IV of 0. OpenSSL can be used.
 

abyrvalg
Re: R&S RTB2004 Snooping
« Reply #52 on: October 16, 2020, 05:22:27 pm »
If all you want from decrypted FWU is to get the main part for study - just find the ELF header signature (7F "ELF") and rip from there till end of file, you'll get a correct ELF.
 

KaneTW
Re: R&S RTB2004 Snooping
« Reply #53 on: October 16, 2020, 06:48:24 pm »
Using this:
Code:
openssl aes-256-cbc -K 43C6B3E57510A3C5547AA4DF9528B783  -iv 0 -in RTB2004.FWU -out RTB2004.FWU.dec
Resulting .dec file is either compressed or encrypted (bytes are uniformly distributed)
 

ElectronMan
Re: R&S RTB2004 Snooping
« Reply #54 on: October 16, 2020, 07:24:14 pm »
> Using this:
> Code:
> openssl aes-256-cbc -K 43C6B3E57510A3C5547AA4DF9528B783  -iv 0 -in RTB2004.FWU -out RTB2004.FWU.dec
> Resulting .dec file is either compressed or encrypted (bytes are uniformly distributed)

You're missing some things... Not sure what the defaults are, but I'd specify them. It may be encrypting it rather than decrypting it, as I see no -d in your command.

Code:
openssl enc -aes-256-cbc -nopad -nosalt -d -in <infile> -out <outfile> -K '<key>' -iv '0'
Don't forget to pad the key out to the proper length by appending the 0's.
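
Added example, not part of any post in this thread: a quick check on an openssl output file, combining the byte-distribution observation from Reply #53 with the ELF signature search from Reply #52. The sample buffers are constructed and the 7.9 bits/byte threshold is an assumption.

```python
import hashlib
import math
from collections import Counter

ELF_MAGIC = b"\x7fELF"  # the 7F "ELF" signature mentioned in Reply #52


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 mean uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def carve_elf(data: bytes):
    """Return (offset, bytes from the ELF signature to end of file), or None."""
    off = data.find(ELF_MAGIC)
    return None if off < 0 else (off, data[off:])


def assess(data: bytes, threshold: float = 7.9) -> str:
    """Classify an output file before spending analysis time on it."""
    if carve_elf(data) is not None:
        return "plaintext: ELF signature present"
    if shannon_entropy(data) >= threshold:
        return "still encrypted or compressed: uniform bytes, no ELF signature"
    return "inconclusive: low entropy, no ELF signature"


def uniform_sample(size: int = 65536) -> bytes:
    """Constructed stand-in for output that was encrypted a second time."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(size // 32))
    return b"".join(blocks)


def structured_sample() -> bytes:
    """Constructed stand-in for a correct decrypt: padding, then an ELF signature."""
    return bytes(0x400) + ELF_MAGIC + bytes(60)


if __name__ == "__main__":
    for name, buf in (("uniform", uniform_sample()), ("structured", structured_sample())):
        print(f"{name}: {shannon_entropy(buf):.3f} bits/byte -> {assess(buf)}")
```

High entropy alone cannot tell encrypted data from compressed data, which is why the signature search is the deciding check here.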
 

tv84
Re: R&S RTB2004 Snooping
« Reply #55 on: October 16, 2020, 08:03:07 pm »
A more detailed parsing.

Code:
00000000      Header Size: 0400      [00000000-000003FF]    FileSize OK
00000002   Section 1 Size: 0017792C  [00000400-00177D2B]
00000006   Section 2 Size: 014903A4  [00177D2C-016080CF]
0000000A  Section 1 CRC16: 2AE2    CRC OK
0000000C  Section 2 CRC16: 50A4    CRC OK
0000000E             ????: 0x10330000
0000001E            Model: RTB2004
0000002E       FW Version: 02.202
0000003E     Release Date: 2018-11-06
0000004E             ????: 6731.19395
0000005E      Compilation: Build 522 built on 2018-11-06 12:37:30 by MaG? [02.202 - HCL: 03.300 - MesOS: 04.300] with GCC 5.3.0
0000015E  (???) Hash Type: 2
00000198            Build: 522
000001AA Section 1 SHA256: 898ADDB2A111DBE0C45BC0EA363D4CD5    HASH OK
000001CA Section 2 SHA256: 7208D30AF3FB85125AD5082BC46230FB    HASH OK
000003FE     Header CRC16: 25E7    CRC OK
--------------------------------------------------------------------
00177D2C **** SubSection 0x80 ****
00177D2D  SubSect Hdr Size: 0025
00177D2F   SubSection Size: 0000D5E3  [00177D51-00185333]
00177D33  SubSection CRC16: CF50    CRC OK
00177D4B     Contents Size: 0000D5DE  [00177D54-00185331]
00177D4F SubSect Hdr CRC16: 9260      [00177D2C-00177D4E]    CRC OK
00177D54 BMP (1280x800 pixels - 8 bits / compr.: 1)   [00177D54-00185331]
00185334 **** SubSection 0x18 ****
00185335  SubSect Hdr Size: 0025
00185337   SubSection Size: 01482D73  [00185359-016080CB]
0018533B  SubSection CRC16: 0ABC    CRC OK
00185353     Contents Size: 01482D70  [0018535C-016080CB]
00185357 SubSect Hdr CRC16: CC36      [00185334-00185356]    CRC OK
0018535D     ELF File Size: 01482CF0  [0018539C-0160808B]
00185361    ELF File CRC32: DE645734    CRC OK
00185365     Creation Time: 06/11/2018 11:43:00
0018539C Main Application .ELF
« Last Edit: October 17, 2020, 04:40:16 pm by tv84 »
 
The following users thanked this post: ElectronMan

abyrvalg
Re: R&S RTB2004 Snooping
« Reply #56 on: October 16, 2020, 10:06:05 pm »
Great! So an update file consists of 3 main things: a loader code that writes update to flash, a splash screen to show during update and an all-in-one ELF to be flashed.
 

KaneTW
Re: R&S RTB2004 Snooping
« Reply #57 on: October 16, 2020, 11:45:24 pm »
>> Using this:
>> Code:
>> openssl aes-256-cbc -K 43C6B3E57510A3C5547AA4DF9528B783  -iv 0 -in RTB2004.FWU -out RTB2004.FWU.dec
>> Resulting .dec file is either compressed or encrypted (bytes are uniformly distributed)
>
> You're missing some things... Not sure what the defaults are, but I'd specify them. It may be encrypting it rather than decrypting it, as I see no -d in your command.
>
> Code:
> openssl enc -aes-256-cbc -nopad -nosalt -d -in <infile> -out <outfile> -K '<key>' -iv '0'
> Don't forget to pad the key out to the proper length by appending the 0's.

Duh. That's what I get for not double-checking. The args were what was missing.
 

tv84
Re: R&S RTB2004 Snooping
« Reply #58 on: October 17, 2020, 10:34:46 am »
> Great! So an update file consists of 3 main things: a loader code that writes update to flash, a splash screen to show during update and an all-in-one ELF to be flashed.

Exactly, but in this RTC1002 FW there are additional sections. ;)  (but the structure is the same)

RTC1002:
Code:
00000000      Header Size: 0400      [00000000-000003FF]    FileSize OK
00000002   Section 1 Size: 00044BC0  [00000400-00044FBF]
00000006   Section 2 Size: 0097F250  [00044FC0-009C420F]
0000000A  Section 1 CRC16: EF35    CRC OK
0000000C  Section 2 CRC16: 033B    CRC OK
0000000E             ????: 0x101B0000
0000001E            Model: RTC1002
0000002E       FW Version: 06.100
0000003E     Release Date: 2018-06-27
0000004E             ????: 17479.19094
0000005E      Compilation: Build 38186 built on 2018-06-27 15:59:39 by MaG? [06.100 - HCL: 02.500 - MesOS: 03.760] with GCC 5.3.0
0000015E  (???) Hash Type: 2
00000198            Build: 38186
000001AA Section 1 SHA256: 9264B3CF9410BDEF8B744AA0F5570FE6    HASH OK
000001CA Section 2 SHA256: 4F0237325E515FB0DCF8C5606A672288    HASH OK
000003FE     Header CRC16: D71A    CRC OK
--------------------------------------------------------------------
00044FC0 **** SubSection 0x80 ****
00044FC1  SubSect Hdr Size: 0025
00044FC3   SubSection Size: 0000809F  [00044FE5-0004D083]
00044FC7  SubSection CRC16: D361    CRC OK
00044FDF     Contents Size: 0000809C  [00044FE8-0004D083]
00044FE3 SubSect Hdr CRC16: 1A08      [00044FC0-00044FE2]    CRC OK
00044FE8 BMP (640x480 pixels - 8 bits / compr.: 1)   [00044FE8-0004D083]
0004D084 **** SubSection 0x11 ****
0004D085  SubSect Hdr Size: 0025
0004D087   SubSection Size: 00005B4B  [0004D0A9-00052BF3]
0004D08B  SubSection CRC16: A31B    CRC OK
0004D0A3     Contents Size: 00005B48  [0004D0AC-00052BF3]
0004D0A7 SubSect Hdr CRC16: D911      [0004D084-0004D0A6]    CRC OK
0004D0AC Bootloader Programmer
00052BF4 **** SubSection 0x18 ****
00052BF5  SubSect Hdr Size: 0025
00052BF7   SubSection Size: 0096EFE3  [00052C19-009C1BFB]
00052BFB  SubSection CRC16: F0CC    CRC OK
00052C13     Contents Size: 0096EFE0  [00052C1C-009C1BFB]
00052C17 SubSect Hdr CRC16: 9A46      [00052BF4-00052C16]    CRC OK
00052C1D     ELF File Size: 0096EF60  [00052C5C-009C1BBB]
00052C21    ELF File CRC32: E0061AED    CRC OK
00052C25     Creation Time: 27/06/2018 14:12:00
00052C5C Main Application .ELF
009C1BFC **** SubSection 0x12 ****
009C1BFD  SubSect Hdr Size: 0070
009C1BFF   SubSection Size: 000025A0  [009C1C6C-009C420B]
009C1C03  SubSection CRC16: 1726    CRC OK
009C1C1B     Contents Size: 0000255F  [009C1CAC-009C420A]
009C1C6A SubSect Hdr CRC16: 7F25      [009C1BFC-009C1C69]    CRC OK
009C1CAC Bootloader EEPROM Programming
« Last Edit: October 17, 2020, 05:55:40 pm by tv84 »
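
Added example, not tv84's tool and not part of any post: a walker for the section and subsection layout that the two dumps above imply (type byte at +0, 16-bit header size at +1, 32-bit subsection size at +3, data starting right after the header). Byte order is an assumption passed as `order`, the miniature input is constructed, and the CRC and hash fields are not checked because the thread does not name the algorithms' parameters.

```python
import struct

# Type labels as they appear in the two dumps above.
SUBSECTION_NAMES = {0x80: "BMP splash", 0x11: "Bootloader Programmer",
                    0x18: "Main Application .ELF", 0x12: "Bootloader EEPROM Programming"}
MIN_HDR = 0x25  # smallest subsection header in the dumps (assumed to be the minimum)

def section_bounds(blob, order="<"):
    """Return (section1_start, section2_start, section2_end) from the file header."""
    hdr_size, sec1_size, sec2_size = struct.unpack_from(order + "HII", blob, 0)
    sec2_start = hdr_size + sec1_size
    sec2_end = sec2_start + sec2_size
    if sec2_end > len(blob):
        raise ValueError("section sizes run past end of file")
    return hdr_size, sec2_start, sec2_end

def walk_subsections(blob, start, end, order="<"):
    """List (offset, type, header_size, data_start, data_end) per subsection."""
    found, pos = [], start
    while end - pos >= MIN_HDR:  # the dumps leave 4 bytes after the last subsection
        stype = blob[pos]
        hdr_size, size = struct.unpack_from(order + "HI", blob, pos + 1)
        data_start = pos + hdr_size  # header size varies: 0x25 and 0x70 both occur
        data_end = data_start + size
        if hdr_size < MIN_HDR or data_end > end:
            raise ValueError(f"bad subsection header at {pos:#x}")
        found.append((pos, stype, hdr_size, data_start, data_end))
        pos = data_end
    return found

def _sub(stype, hdr_size, data, order):
    """Build one constructed subsection: zeroed header with type and sizes set."""
    hdr = bytearray(hdr_size)
    hdr[0] = stype
    struct.pack_into(order + "HI", hdr, 1, hdr_size, len(data))
    return bytes(hdr) + data

def build_sample(order="<"):
    """Constructed miniature file: 0x400 header, 16-byte section 1, two subsections."""
    sec1 = bytes(0x10)
    sec2 = _sub(0x80, 0x25, b"BM\0\0\0", order) + _sub(0x12, 0x70, b"abc", order) + bytes(4)
    hdr = bytearray(0x400)
    struct.pack_into(order + "HII", hdr, 0, 0x400, len(sec1), len(sec2))
    return bytes(hdr) + sec1 + sec2

if __name__ == "__main__":
    blob = build_sample()
    _, s2, end = section_bounds(blob)
    for off, t, h, a, b in walk_subsections(blob, s2, end):
        print(f"{off:08X} type {t:#04x} {SUBSECTION_NAMES.get(t, '?')} [{a:08X}-{b - 1:08X}]")
```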
 

