There should be at least 2 AES keys.
(I'm using the D1000 1.0.5 firmware as I only own a D1000, but the other images use the same way to
decrypt the header.)
First, some info about the TABLES that get used from the payload_header:
            RAW         VA          LEN
data_head : 0x001A0190  0x009A0190  ?
data      : 0x001A01A8  0x009A01A8  ?
TABLE1    : 0x001A01AC  0x009A01AC  0x10
TABLE2    : 0x001A01BC  0x009A01BC  0x20
TABLE3    : 0x001A01DC  0x009A01DC  0x10
TABLE4    : 0x001A01A8  0x009A01A8  0x4
TABLE5    : 0x001A01A0  0x009A01A0  0x4
The 1st AES key is the SHA1 256-bit hash that you get as the output of the array:
TABLE4                 sp+0x10 - 0x14
HEADEROPERATION OUTPUT sp+0x14 - 0x34
TABLE5                 sp+0x34 - 0x38
The hash will get used as the AES key to decrypt the first 0x20 bytes of the array TABLE1 + TABLE2
in operation mode 2, which could be CBC or ECB ...
Possible attacks are:
1. attack) Trying to reverse the unknown operation on the header which gets used to create the 0x20 bytes for the hash
(unknown_operation_on_header). Then the calculation of the hash and the decryption of the table isn't a big deal.
ROM:0080D150 0A 00 A0 E1 MOV R0, R10 ; R0 = e6kr5105.fir_0_header.bin <- unsure
ROM:0080D154 14 10 8D E2 ADD R1, SP, #0x14
ROM:0080D158 08 20 A0 E1 MOV R2, R8
ROM:0080D15C 0B 1D 00 EB BL unknown_operation_on_header
ROM:0080D160 04 10 87 E2 ADD R1, R7, #4 ; R1 = 0x9A019C + 0x4
ROM:0080D164 34 00 8D E2 ADD R0, SP, #0x34 ; TABLE_5
ROM:0080D168 04 20 A0 E3 MOV R2, #4
ROM:0080D16C 6D 11 06 EB BL bcopy_0 ; R1 = ptrData, R2 = LEN, R0 = DESTINATION
ROM:0080D170 C4 40 8D E2 ADD R4, SP, #0xC4
ROM:0080D174 28 10 A0 E3 MOV R1, #0x28
ROM:0080D178 04 20 A0 E1 MOV R2, R4
ROM:0080D17C 05 00 A0 E1 MOV R0, R5
ROM:0080D180 08 1D 00 EB BL HASH_SHA1_256
ROM:0080D184 0C A0 8D E2 ADD R10, SP, #0xC
ROM:0080D188 06 30 A0 E1 MOV R3, R6 ; R6 = TABLE_1 + TABLE_2
ROM:0080D18C 04 10 A0 E1 MOV R1, R4 ; R4 = HASH_RETURN
ROM:0080D190 02 60 A0 E3 MOV R6, #2 ; R6 = OPERATION_MODE (CBC ? ECB ?), stored at [SP] below as the 5th argument
ROM:0080D194 0A 00 A0 E1 MOV R0, R10 ; OUTPUT BUFFER
ROM:0080D198 08 20 A0 E1 MOV R2, R8 ; LEN = 0x20
ROM:0080D19C 00 60 8D E5 STR R6, [SP]
ROM:0080D1A0 B1 1C 00 EB BL call_call_run_aes
ROM:0080D1A4 00 00 50 E3 CMP R0, #0
ROM:0080D1A8 47 00 00 1A BNE decryption_failed
2. attack) I've checked the dumper for the 5D2/40D/50D firmware. I tried to get it working for the 1000D:
    case 0x80000254: // 1000D
        // 1000D updater 1.0.5 params
        // 00807128 tUpdMgr
        open  = (ft_open)     0x00916B48;
        creat = (ft_creat)    0x00916A84;
        write = (ft_write)    0x00916D7C;
        close = (ft_close)    0x00916E34;
        shdn  = (ft_shutdown) 0x00807874;
        // ROM params
        rom_start  = (void *)ROM0_ADDRESS;
        rom_size   = ROM0_SIZE;
        rom1_start = (void *)ROM1_ADDRESS;
        rom1_size  = ROM1_SIZE;
        break;
but I don't get a file created. I also tried to play with different calling arguments,
as the functions I found use different arguments (the OS is VxWorks as firmware loader).
So if maybe someone can help me out to get the dumping working, it would be
possible to patch the code right before and after the AES decryption, so we could
grab the AES keys or the decrypted header ... Maybe someone has a clue how to get
the VxWorks functions to create a file on the SD card :/ I can also upload the dumper
I've done for the D1000 if someone would like to play around.
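To make attack 1 concrete, here is an added example script (mine, not code from the post and not the firmware's own routines) that walks the derivation exactly as the listing above reads: it slices TABLE4/TABLE5 and TABLE1+TABLE2 out of a .fir image at the raw offsets from the table, lays out the 0x28-byte buffer sp+0x10..sp+0x38 (TABLE4 | header-operation output | TABLE5), hashes it, and decrypts the first 0x20 bytes of TABLE1+TABLE2 under both readings of OPERATION_MODE 2. Assumptions, all mine: the hash labelled HASH_SHA1_256 is SHA-256 and its 32-byte digest is the AES-256 key; the CBC reading uses a zero IV; the output of unknown_operation_on_header is unknown and so is passed in as a parameter; the image bytes come from a constructed filler buffer (fake_firmware) rather than a real dump. The names build_hash_input, derive_key, decrypt_candidates and fake_firmware are my own, and the small AES implementation is bundled only so the script runs without a third-party module.

```python
import hashlib

# Raw offsets from the table in the post (payload_header region of the .fir file).
TABLES = {  # name: (raw file offset, length)
    "TABLE1": (0x001A01AC, 0x10), "TABLE2": (0x001A01BC, 0x20),
    "TABLE4": (0x001A01A8, 0x04), "TABLE5": (0x001A01A0, 0x04),
}

def table(fw, name):  # slice one table out of a firmware image held in memory
    off, ln = TABLES[name]
    return fw[off:off + ln]

def build_hash_input(fw, header_op_out):
    """Stack buffer sp+0x10..sp+0x38 as it lies when HASH_SHA1_256 is called:
    TABLE4 (4) | unknown_operation_on_header output (0x20) | TABLE5 (4)."""
    assert len(header_op_out) == 0x20
    buf = table(fw, "TABLE4") + header_op_out + table(fw, "TABLE5")
    assert len(buf) == 0x28  # the MOV R1, #0x28 length in the listing
    return buf

def derive_key(fw, header_op_out):
    # ASSUMPTION: the hash is SHA-256 and its 32-byte digest is used as an AES-256 key.
    return hashlib.sha256(build_hash_input(fw, header_op_out)).digest()

# --- minimal AES decryption (FIPS-197 inverse cipher) so no extra module is needed ---
def _xtime(a):
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a
def _mul(a, b):  # multiplication in GF(2^8)
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = _xtime(a), b >> 1
    return r
def _make_sbox():
    rotl = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    sbox = []
    for x in range(256):
        inv = x
        for _ in range(253):
            inv = _mul(inv, x)  # x^254 == x^-1 in GF(2^8); 0 stays 0
        sbox.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return sbox
SBOX = _make_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

def _round_keys(key):  # key schedule for 16/24/32-byte keys, as 16-byte round keys
    nk = len(key) // 4
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nk + 7)]
def _inv_shift_rows(s):  # state is column-major: byte index = row + 4*col
    return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]
def _inv_mix_columns(s):
    return [_mul(s[4*c + r], 14) ^ _mul(s[4*c + (r+1) % 4], 11)
            ^ _mul(s[4*c + (r+2) % 4], 13) ^ _mul(s[4*c + (r+3) % 4], 9)
            for c in range(4) for r in range(4)]
def aes_decrypt_block(key, block):
    rk = _round_keys(key)
    s = [b ^ k for b, k in zip(block, rk[-1])]
    for rnd in range(len(rk) - 2, 0, -1):
        s = [INV_SBOX[b] ^ k for b, k in zip(_inv_shift_rows(s), rk[rnd])]
        s = _inv_mix_columns(s)
    return bytes(INV_SBOX[b] ^ k for b, k in zip(_inv_shift_rows(s), rk[0]))
def aes_ecb_decrypt(key, data):
    return b"".join(aes_decrypt_block(key, data[i:i + 16]) for i in range(0, len(data), 16))
def aes_cbc_decrypt(key, data, iv=bytes(16)):
    out, prev = b"", iv
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        out += bytes(p ^ q for p, q in zip(aes_decrypt_block(key, blk), prev))
        prev = blk
    return out

def decrypt_candidates(fw, header_op_out):
    """Both readings of OPERATION_MODE 2 applied to the first 0x20 bytes of
    TABLE1 + TABLE2 (LEN = 0x20 in R8). ASSUMPTION: a zero IV for the CBC reading."""
    key = derive_key(fw, header_op_out)
    ct = (table(fw, "TABLE1") + table(fw, "TABLE2"))[:0x20]
    return {"ecb": aes_ecb_decrypt(key, ct), "cbc": aes_cbc_decrypt(key, ct)}

def fake_firmware():
    """CONSTRUCTED stand-in for the real image: deterministic filler, not firmware data."""
    fw = bytearray(0x001A0200)
    for i in range(0x001A0190, 0x001A01EC):
        fw[i] = (i * 7 + 3) & 0xFF
    return bytes(fw)

if __name__ == "__main__":
    fw = fake_firmware()  # with the real file: fw = open("e6kr5105.fir", "rb").read()
    for mode, pt in decrypt_candidates(fw, bytes(0x20)).items():
        print(mode, pt.hex())
```

Once unknown_operation_on_header has been reversed, swap its real 0x20-byte result in for the zero placeholder and read the real .fir instead of fake_firmware(); whichever of the two candidates shows structure (recognisable constants, repeated fields, ASCII) is the mode the firmware actually uses, and the other one stays noise.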