Hi,
I am still trying but have not come much further.
I used dissect_fw3_2.exe to dissect the FW into the four parts
Flasher Header
Flasher Code
Data Header
Data Body
I found out that the data header as produced by dissect_fw3_2.exe is too small; the actual header is larger and contains some tables that are used when the body part is verified and decrypted. Dissect_Fw3.2.exe gives a data header of 0x18 (24) bytes, and my findings result in a header size of 0x7C (124) bytes. The remaining body has a size of 0x631170 bytes. This value of 0x00631170 can be found in the data header at location 0x19DC8C.
The flasher part confirms this, as the loop that decrypts the data part starts at 0x19DCFC and decrypts a block of 0x00631170 bytes.
I now also see that the header of the body follows the pattern of the header of the flasher, starting from location 0x24.
The pattern of both these headers is the following:
Addr
0x00 = Offset to address that contains next parts of the header. For Flasher that is 0xB0, for Data Body that is 0x0C
0x04 = Header Size
0x08 = Some kind of Sizevalue
0xB0 / 0x0C = Size of data block
0xB4 / 0x10 = Some kind of size
0xB8 / 0x14 = 0x00000000
0xBC / 0x18 = Value used in decryption of data block.
0xC0 / 0x1C = Table of 0x10 bytes
0xD0 / 0x2C = Table of 0x20 bytes
0xF0 / 0x4C = Table of 0x10 bytes
0x100 / 0x5C = Table of 0x20 bytes
See the attachment for the (in my opinion) correct layout of the data header.
I see many calls to SHA1 en/decryption and also AES encryption. The code loads two tables (in my IDA analysis called Word_4090 and Word_4070, 0x20 bytes each), possibly AES keys, from a memory location. One is used during the verification process, the other during the decryption process.
I have not been able to figure out how the verification/decryption works exactly, because the number of calls to SHA1 procedures is so large. And many of the functions/procedures use floating point calculations. I am trying to understand how variables are stored and read via the stack, and also how results of functions are passed back to the calling procedures.
I will keep playing around for a while, maybe I get lucky.
Is there someone else who is still working on this?
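As an added example (my own code, not the poster's tool or anything from the firmware), here is a small parser for the header layout described in the post: the three dwords at 0x00/0x04/0x08, then the second part at the offset stored at 0x00 (0xB0 for the flasher, 0x0C for the data body) with the data-block size, the unknown size, the zero dword, the decryption value and the four tables of 0x10/0x20/0x10/0x20 bytes. Little-endian dwords, the field meanings, and the sample bytes are all assumptions or constructed input; note that the second part is 0x70 bytes, which makes 0x0C + 0x70 = 0x7C bytes for the data header, matching the 124 bytes measured above, and 0xB0 + 0x70 = 0x120 for the flasher header. The parser also checks that the declared body size actually fits in the buffer, which is the check a decryption loop of 0x631170 bytes needs before it runs.

```python
import struct
from dataclasses import dataclass

# Length of the second part shared by both headers, relative to the offset
# stored at 0x00: 4 dwords + 0x10 + 0x20 + 0x10 + 0x20 bytes of tables.
NEXT_PART_LEN = 0x70


@dataclass
class FwHeader:
    next_offset: int     # 0x00: offset of the second part of the header
    header_size: int     # 0x04: total header size
    size_value: int      # 0x08: "some kind of size value"
    data_size: int       # next+0x00: size of the data block after the header
    size2: int           # next+0x04: "some kind of size"
    zero_field: int      # next+0x08: observed as 0x00000000
    decrypt_value: int   # next+0x0C: value used in decryption of the data block
    table_a: bytes       # next+0x10: 0x10 bytes
    table_b: bytes       # next+0x20: 0x20 bytes
    table_c: bytes       # next+0x40: 0x10 bytes
    table_d: bytes       # next+0x50: 0x20 bytes


def parse_header(buf: bytes, base: int = 0) -> FwHeader:
    """Parse one header at buf[base:]. Little-endian dwords are an assumption."""
    if len(buf) < base + 0x0C:
        raise ValueError("buffer too short for the first three header dwords")
    next_off, header_size, size_value = struct.unpack_from("<III", buf, base)
    # The second part must lie inside the declared header; if not, the dword at
    # 0x00 is not the offset we think it is, or the file is damaged.
    if next_off < 0x0C or next_off + NEXT_PART_LEN > header_size:
        raise ValueError(f"next-part offset 0x{next_off:X} does not fit in a "
                         f"header of 0x{header_size:X} bytes")
    if len(buf) < base + header_size:
        raise ValueError("buffer shorter than the declared header size")
    p = base + next_off
    data_size, size2, zero_field, decrypt_value = struct.unpack_from("<IIII", buf, p)
    p += 0x10
    tables = []
    for n in (0x10, 0x20, 0x10, 0x20):
        tables.append(bytes(buf[p:p + n]))
        p += n
    return FwHeader(next_off, header_size, size_value, data_size, size2,
                    zero_field, decrypt_value, *tables)


def body_fits(buf: bytes, base: int = 0) -> bool:
    """True if the declared data block lies entirely inside the buffer."""
    hdr = parse_header(buf, base)
    return base + hdr.header_size + hdr.data_size <= len(buf)


def body_slice(buf: bytes, base: int = 0) -> bytes:
    """Return the data block that follows the header, refusing to read past
    the end of the buffer if the declared size is too large."""
    hdr = parse_header(buf, base)
    if not body_fits(buf, base):
        raise ValueError(f"declared data size 0x{hdr.data_size:X} runs past "
                         f"the end of the buffer")
    start = base + hdr.header_size
    return buf[start:start + hdr.data_size]


def build_sample_header(next_off: int, data_size: int, decrypt_value: int) -> bytes:
    """Constructed sample, not real firmware: a header in the layout above with
    the second part at next_off and the gap between 0x0C and next_off zeroed."""
    header_size = next_off + NEXT_PART_LEN
    hdr = struct.pack("<III", next_off, header_size, 0x11111111)
    hdr += b"\x00" * (next_off - len(hdr))
    hdr += struct.pack("<IIII", data_size, 0x22222222, 0, decrypt_value)
    hdr += bytes(range(0x10)) + bytes(range(0x20))          # tables a, b
    hdr += bytes(range(0x10, 0x20)) + bytes(range(0x20, 0x40))  # tables c, d
    assert len(hdr) == header_size
    return hdr


if __name__ == "__main__":
    # Data-body style header (second part at 0x0C) plus a 0x40-byte body.
    sample = build_sample_header(0x0C, 0x40, 0xCAFEBABE) + bytes(0x40)
    print(parse_header(sample))
    print("body length:", hex(len(body_slice(sample))))
    # Flasher style header (second part at 0xB0) parses with the same code.
    print(hex(parse_header(build_sample_header(0xB0, 0x10, 1) + bytes(0x10)).header_size))
```

To use it on the real dump, pass the dissected data part (or the whole image with the right base offset) to parse_header and compare data_size against the 0x631170 that the flasher loop decrypts; if they disagree, the assumed base or endianness is wrong rather than the layout.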