Sniffing the Rigol's internal I2C bus
zombie28:
In order to extract keys from memory dumps you need to search for the following sequence of bytes (in hex):
--- Code: ---02 00 84 00 10 00 <16 bytes of XXTEAKey> 20 00 <2x16 bytes of RC5Key1 and RC5Key2> 08 00 <8 bytes of bit-shuffled ECC public key> 40 00 <64 bytes of some ASCII-HEX data>
--- End code ---
You will need to unshuffle the public key with the algorithm I posted earlier in this thread.
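The following is an added example, not code from the thread, showing how a dump scanner would locate and split the record described above. It reads the two bytes in front of each field (10 00, 20 00, 08 00, 40 00) as little-endian field lengths (16, 32, 8, 64); that reading is an assumption, the byte values themselves are as posted. It also requires the trailing 64-byte block to be ASCII-hex, so a random 02 00 84 00 hit in the dump is not reported as a key. The sample dump is constructed inline; the unshuffle step for the ECC key is not included.

```c
/* Added example (not from the thread): scan a Rigol memory dump for the key record
 * zombie28 describes and split it into fields. The ECC key is left bit-shuffled. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XXTEA_LEN   16
#define RC5_LEN     16
#define ECC_LEN      8
#define HEXDATA_LEN 64
/* 02 00 84 00 | 10 00 +16 | 20 00 +32 | 08 00 +8 | 40 00 +64  = 132 bytes */
#define RECORD_LEN  (4 + 2 + XXTEA_LEN + 2 + 2 * RC5_LEN + 2 + ECC_LEN + 2 + HEXDATA_LEN)

struct KeyRecord {
    uint8_t xxtea[XXTEA_LEN];
    uint8_t rc5key1[RC5_LEN];
    uint8_t rc5key2[RC5_LEN];
    uint8_t ecc_shuffled[ECC_LEN];  /* still bit-shuffled, unshuffle separately */
    uint8_t hexdata[HEXDATA_LEN];   /* ASCII-hex as found, not NUL-terminated */
};

/* Parse one record at p. Every length prefix (assumed little-endian lengths)
 * must match and the last block must be ASCII-hex, otherwise it is no record. */
static int parse_record(const uint8_t *p, size_t avail, struct KeyRecord *out)
{
    static const uint8_t head[] = { 0x02, 0x00, 0x84, 0x00, 0x10, 0x00 };
    if (avail < RECORD_LEN || memcmp(p, head, sizeof head) != 0) return 0;
    p += sizeof head;
    memcpy(out->xxtea, p, XXTEA_LEN);             p += XXTEA_LEN;
    if (p[0] != 0x20 || p[1] != 0x00) return 0;   p += 2;
    memcpy(out->rc5key1, p, RC5_LEN);             p += RC5_LEN;
    memcpy(out->rc5key2, p, RC5_LEN);             p += RC5_LEN;
    if (p[0] != 0x08 || p[1] != 0x00) return 0;   p += 2;
    memcpy(out->ecc_shuffled, p, ECC_LEN);        p += ECC_LEN;
    if (p[0] != 0x40 || p[1] != 0x00) return 0;   p += 2;
    for (size_t i = 0; i < HEXDATA_LEN; i++)
        if (!isxdigit(p[i])) return 0;
    memcpy(out->hexdata, p, HEXDATA_LEN);
    return 1;
}

/* Byte-by-byte scan of a buffer; returns the offset of the first record or -1. */
long scan_dump(const uint8_t *buf, size_t len, struct KeyRecord *out)
{
    for (size_t off = 0; off + RECORD_LEN <= len; off++)
        if (parse_record(buf + off, len - off, out)) return (long)off;
    return -1;
}

/* Same over a dump file on disk (binary mode, whole file read into memory). */
long scan_dump_file(const char *path, struct KeyRecord *out)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    rewind(f);
    long off = -1;
    uint8_t *buf = n > 0 ? malloc((size_t)n) : NULL;
    if (buf && fread(buf, 1, (size_t)n, f) == (size_t)n) off = scan_dump(buf, (size_t)n, out);
    free(buf);
    fclose(f);
    return off;
}

/* Lower-case hex string of n bytes, malloc()'d; the caller frees it. */
char *format_hex(const uint8_t *b, size_t n)
{
    char *s = malloc(2 * n + 1);
    if (!s) return NULL;
    for (size_t i = 0; i < n; i++) sprintf(s + 2 * i, "%02x", b[i]);
    s[2 * n] = '\0';
    return s;
}

/* Constructed sample dump: 37 bytes of filler, one record, 10 bytes of filler. */
size_t build_sample_dump(uint8_t *buf, size_t cap)
{
    static const uint8_t head[] = { 0x02, 0x00, 0x84, 0x00, 0x10, 0x00 };
    static const char hexblob[] =
        "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
    size_t n = 0, i;
    if (cap < 37 + RECORD_LEN + 10) return 0;
    memset(buf, 0xff, 37); n = 37;
    memcpy(buf + n, head, sizeof head); n += sizeof head;
    for (i = 0; i < XXTEA_LEN; i++)   buf[n++] = (uint8_t)i;            /* 00..0f */
    buf[n++] = 0x20; buf[n++] = 0x00;
    for (i = 0; i < 2 * RC5_LEN; i++) buf[n++] = (uint8_t)(0x10 + i);   /* 10..2f */
    buf[n++] = 0x08; buf[n++] = 0x00;
    for (i = 0; i < ECC_LEN; i++)     buf[n++] = (uint8_t)(0xa0 + i);   /* a0..a7 */
    buf[n++] = 0x40; buf[n++] = 0x00;
    memcpy(buf + n, hexblob, HEXDATA_LEN); n += HEXDATA_LEN;
    memset(buf + n, 0x00, 10); n += 10;
    return n;
}

int main(void)
{
    uint8_t dump[256];
    struct KeyRecord r;
    size_t n = build_sample_dump(dump, sizeof dump);
    long off = scan_dump(dump, n, &r);
    if (off < 0) { puts("no key record found"); return 1; }
    char *h = format_hex(r.xxtea, XXTEA_LEN);
    printf("record at offset %ld, XXTEA key %s\n", off, h);
    free(h);
    return 0;
}
```

Replace `build_sample_dump()` with `scan_dump_file("dump.bin", &r)` to run it over a real dump; a record that is cut off at the end of the file is deliberately not reported, so dump the whole memory region rather than a window around the header.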
Posterisan:
Why do the public keys differ in the A models? As far as I have read it's the same firmware as the non-A models. Or are the public keys stored somewhere else?
tirulerbach:
So, now I'm diving into Elliptic Curve Cryptography... Pretty interesting stuff... :-DD
So I have a question: How do I calculate the Y coordinate of the public key from its X coordinate and the ECC curve parameters, base point and order?
Second, the keygen is getting complex and a lot of work. Are there any people out here who can program C and would like to help? ???
I need:
--- Code: ---#include <stdint.h>

struct KeyData
{
char RC5Key1[32 + 1]; // hex string
char RC5Key2[32 + 1]; // hex string
char XXTEAKey[32 + 1]; // hex string
char serialNumber[TBD];
char publicKey[TBD]; // hex string
char secretKey[TBD]; // hex string
};
struct KeyData * LoadKeyData(char *filename);
int SaveKeyData(char *filename);
char * FormatHex(uint8_t *bytes, unsigned int len);
unsigned int ParseHex(uint8_t *buffer, unsigned int capacity, char *hexstring);
uint8_t * ScanMemoryDump(char *filename);
--- End code ---
The Load() and Save() functions should use ASCII files. Lines should look something like "serial=DS....." or "RC5Key1: 123456789abcdef...." and so on. Please don't use Windows-specific functions, only pure ANSI C. The keygen works on Linux and Windows.
The function FormatHex() should malloc() the string. ParseHex() returns the number of bytes parsed, or zero if the buffer was too small.
ScanMemoryDump() opens a binary file and scans for the pattern zombie28 published.
Any assistance will be useful. :-+
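An added example (not from the thread, and not the scope's real curve) of the step asked about above: recovering y from x on a short Weierstrass curve y^2 = x^3 + a*x + b over GF(p) is a modular square root of the right-hand side, and the sign ambiguity is resolved by the parity bit that a compressed point carries (the 02/03 prefix in SEC1). For p ≡ 3 (mod 4) the root is simply rhs^((p+1)/4) mod p; the check y*y == rhs afterwards is what tells you the x is not on the curve at all. The curve here is a small constructed one (y^2 = x^3 + x + 1 mod 23, 28 points including infinity) so everything fits in uint64_t; the base point and order are used to confirm that the recovered point lands in the group, which is the same check you would run against the real parameters once they are known.

```c
/* Added example (not from the thread): point decompression on a toy curve.
 * Curve, base point and order are constructed; the scope's parameters are unknown here. */
#include <stdint.h>
#include <stdio.h>

static const uint64_t P = 23, A = 1, B = 1;  /* y^2 = x^3 + x + 1 over GF(23) */
static const uint64_t N = 28;                /* group order incl. point at infinity */

typedef struct { uint64_t x, y; int inf; } Point;
static const Point G = { 0, 1, 0 };          /* base point (0, 1) */

static uint64_t modpow(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1;
    b %= m;
    for (; e; e >>= 1) { if (e & 1) r = r * b % m; b = b * b % m; }
    return r;
}
static uint64_t modinv(uint64_t a) { return modpow(a, P - 2, P); }  /* Fermat, P prime */
static uint64_t rhs_of(uint64_t x) { return (x * x % P * x + A * x + B) % P; }

int on_curve(Point q) { return q.inf || q.y * q.y % P == rhs_of(q.x); }

/* x and the parity of y -> point. Returns 0 when no point has this x
 * (x^3+ax+b is a non-residue) or when the requested parity does not exist. */
int decompress(uint64_t x, int y_is_odd, Point *out)
{
    uint64_t r = rhs_of(x);
    uint64_t y = modpow(r, (P + 1) / 4, P);   /* square root; only valid for P = 3 mod 4 */
    if (y * y % P != r) return 0;             /* r is not a square: x is not on the curve */
    if ((int)(y & 1) != y_is_odd) y = (P - y) % P;   /* the other root has the other parity */
    if ((int)(y & 1) != y_is_odd) return 0;   /* y == 0 has no odd counterpart */
    out->x = x; out->y = y; out->inf = 0;
    return 1;
}

/* Affine addition with the point at infinity handled explicitly. */
Point point_add(Point p, Point q)
{
    Point o = { 0, 0, 1 }, r = { 0, 0, 0 };
    uint64_t l;
    if (p.inf) return q;
    if (q.inf) return p;
    if (p.x == q.x) {
        if ((p.y + q.y) % P == 0) return o;                            /* q == -p */
        l = (3 * p.x % P * p.x + A) % P * modinv(2 * p.y % P) % P;    /* doubling */
    } else {
        l = (q.y + P - p.y) % P * modinv((q.x + P - p.x) % P) % P;
    }
    r.x = (l * l % P + 2 * P - p.x - q.x) % P;
    r.y = (l * ((p.x + P - r.x) % P) % P + P - p.y) % P;
    return r;
}

/* Double-and-add; not constant time, fine for a check but not for a signer. */
Point scalar_mul(uint64_t k, Point q)
{
    Point r = { 0, 0, 1 };
    for (; k; k >>= 1) { if (k & 1) r = point_add(r, q); q = point_add(q, q); }
    return r;
}

int main(void)
{
    for (uint64_t x = 0; x < 6; x++) {
        Point pt;
        if (!decompress(x, 1, &pt) && !decompress(x, 0, &pt)) {
            printf("x=%llu: no point on the curve\n", (unsigned long long)x);
            continue;
        }
        Point chk = scalar_mul(N, pt);  /* N*pt must be the point at infinity */
        printf("x=%llu -> y=%llu  on_curve=%d  N*pt=O:%d\n",
               (unsigned long long)x, (unsigned long long)pt.y, on_curve(pt), chk.inf);
    }
    return 0;
}
```

For a real curve with p ≡ 1 (mod 4) the (p+1)/4 shortcut does not apply and Tonelli-Shanks is needed; for the scope's parameters a bignum library (or the 64-bit limbs that an 8-byte shuffled key suggests) replaces the uint64_t arithmetic, but the decompress-then-verify-then-multiply-by-order sequence stays the same.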
tirulerbach:
--- Quote from: Posterisan on January 08, 2014, 07:06:31 pm ---Why do the public keys differ in the A models? As far as I have read it's the same firmware as the non-A models. Or are the public keys stored somewhere else?
--- End quote ---
This is simply not known at the moment. Maybe they are calculated in some way. But analyzing the firmware is pretty complex, difficult and time consuming. Thanks to zombie28 again for his effort. If we had more memory dumps, a better analysis might be possible. But it's the old problem: people just sit around waiting for the keygen and don't want to break the warranty seal on their scope to provide a memory dump... This is bad indeed... ::)
neamyalo:
tirulerbach,
I can create definitions for those functions tomorrow. I'll be using C++, so let me know if that's a problem for you.