I just love your brief comments.
Would you be willing to expand on your knowledge?
ag
I think Gamma will die...
Energy is the father of creation
I'm actually thinking the best way to get the update keys and all the other goodies from the card is to simply write a small program to read them from the flash.
The trick is how do you upload your own program to the card without knowing any of the 3DES keys required to create the encrypted 02000 commands?
If you have a look at startup.c you can see that the gamma, as part of its boot process, checks to see if there has been any new version of the software uploaded. It does this by calling the function "Check4Update".
When a new version of the gamma OS is sent via the .gam file using the 02000 commands, the card decrypts the payload and stores it into flash. If you have a look at the gamma updates, the first encrypted line is 0201000000105C6D3A55D9CE0BE8B9032F1305251E6F. The gamma OS decrypts this line and stores it at flash location 0x010000, minus the command header, checksum, etc...
The Check4Update function compares this line via a XOR check with fixUpdateCMD[] = {0x18,0x55,0x2f,0x45,0xf1,0x55,0x87,0x95}. If the line matches then the gamma OS updates itself with the new version, otherwise the update is trashed.
My theory yet to be proven is this.
6D3A55D9CE0BE8B9032F1305251E6F decrypts to be 0x18,0x55,0x2f,0x45,0xf1,0x55,0x87,0x95.
Now that we know both the encrypted and decrypted version of the message, the task is working out one of the 3DES keys.
Once we have this key we can create our own .gam files.
Can anyone else check this theory?
Don't all the gamma updates send the same first line?
How do you know it's DES/TDES? I'm not saying it's not, as I think it is also. I also think each line is encrypted as a single line in TDES CBC mode, with the first 8 bytes being the IV.
This still does not give you the key.
The first line is different from all the rest. My gut says it is an RSA key. If that is the case, then why send an RSA key as a special line if you're not going to use it to install the following code?
Just all theory.
BTW, when working out the TDES, don't forget that in its very basic form it's just DES 3 times. The key-spread algos could salt any key, and the way these keys are used can change, i.e. you can use 2 or 3 keys for TDES (2 being more common).
ie:
Data = ENC_Key1 (Data)
Data = DEC_Key2 (Data)
Data = ENC_Key1 (Data)
or
Data = ENC_Key1 (Data)
Data = DEC_Key2 (Data)
Data = ENC_Key3 (Data)
etc....
So good luck with that brute force LOL
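Added example (not the gamma code, and not from any poster): a small Python tool for the two hypotheses argued above. It parses the 0201 lines quoted in this thread (5 header bytes, 1 length byte, payload), splits the payload into the 8-byte IV plus ciphertext blocks as the CBC-with-leading-IV theory assumes, and derives the value a block decrypt would have to produce for the first block if the decrypted line really is fixUpdateCMD (under CBC that value is plaintext XOR IV, not the plaintext itself). It also wires up EDE with two or three keys and CBC generically over a block function. The `toy_enc`/`toy_dec` functions are a constructed stand-in so the plumbing runs without a crypto library; they are NOT DES, and every key in the usage section is made up. `build_0201_line`, `is_well_formed` and `decrypt_line` are helper names chosen here, not names from the card software.

```python
"""Parse the 0201 update lines quoted in the thread and model the hypothesised
layering: TDES (EDE, 2 or 3 keys) in CBC mode with the first 8 payload bytes
as IV. Added example; the toy block cipher is a constructed stand-in, NOT DES."""
from typing import Callable, Dict, List

BLOCK = 8  # DES / TDES block size in bytes

# Comparison pattern as quoted from the thread's description of Check4Update.
FIX_UPDATE_CMD = bytes([0x18, 0x55, 0x2F, 0x45, 0xF1, 0x55, 0x87, 0x95])

# Lines quoted from the thread (line-wrap spaces removed).
THREAD_LINES = [
    "0201000000105C6D3A55D9CE0BE8B9032F1305251E6F",
    "020100000030C4AA6387630AF2BDC6A1A41D12BFACFB0286DC"
    "41488079F2367707C86B9B105CFCE1D6F7B9C6065537D65A7E140E4093",
    "0201000000208F829592032AE335A1F94E6E8CBDD7F3B9432C1F6FA9FAD96449FDF349BB8833",
]
# The truncated line exactly as it appears on the page (ends in "...").
TRUNCATED_LINE = "02010000009027FB91D6BA6C08F1B0B8FE2D6CA1B9D7427FD"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def parse_0201(line: str) -> Dict[str, object]:
    """Split a hex line into header, length, IV and ciphertext blocks.
    Assumed layout (from the lines on the page): 5 header bytes starting 02 01,
    one length byte, then that many payload bytes. Raises ValueError when the
    length byte disagrees with the data (truncation) or blocks are not 8-aligned."""
    raw = bytes.fromhex("".join(line.split()))
    if len(raw) < 6 or raw[:2] != b"\x02\x01":
        raise ValueError("not a 0201 command line")
    header, length, payload = raw[:5], raw[5], raw[6:]
    if len(payload) != length:
        raise ValueError(f"length byte says {length}, got {len(payload)} bytes")
    if length % BLOCK:
        raise ValueError("payload is not a whole number of 8-byte blocks")
    return {"header": header, "len": length, "iv": payload[:BLOCK],
            "blocks": [payload[i:i + BLOCK] for i in range(BLOCK, length, BLOCK)]}


def is_well_formed(line: str) -> bool:
    try:
        parse_0201(line)
        return True
    except ValueError:
        return False


def expected_decrypt_output(iv: bytes, known_plain: bytes) -> bytes:
    """CBC: P1 = D(C1) XOR IV. With P1 known, the raw block-cipher output D(C1)
    must equal P1 XOR IV; that is the value any key guess has to reproduce."""
    return xor(known_plain, iv)


def check4update(first_plain_block: bytes) -> bool:
    """XOR comparison the thread attributes to Check4Update: all bytes XOR to 0."""
    return len(first_plain_block) == BLOCK and not any(xor(first_plain_block, FIX_UPDATE_CMD))


# --- EDE and CBC plumbing, generic over the (key, block) -> block function ---
BlockFn = Callable[[bytes, bytes], bytes]


def toy_enc(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in: XOR with key, rotate bytes left by one. NOT DES."""
    x = xor(block, key)
    return x[1:] + x[:1]


def toy_dec(key: bytes, block: bytes) -> bytes:
    return xor(block[-1:] + block[:-1], key)


def ede_encrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes,
                enc: BlockFn = toy_enc, dec: BlockFn = toy_dec) -> bytes:
    """ENC_k1, DEC_k2, ENC_k3. Two-key TDES is the same thing with k3 == k1."""
    return enc(k3, dec(k2, enc(k1, block)))


def ede_decrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes,
                enc: BlockFn = toy_enc, dec: BlockFn = toy_dec) -> bytes:
    return dec(k1, enc(k2, dec(k3, block)))


def cbc_encrypt(iv: bytes, data: bytes, enc_block: Callable[[bytes], bytes]) -> List[bytes]:
    blocks, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = enc_block(xor(data[i:i + BLOCK], prev))
        blocks.append(prev)
    return blocks


def cbc_decrypt(iv: bytes, blocks: List[bytes], dec_block: Callable[[bytes], bytes]) -> bytes:
    out, prev = bytearray(), iv
    for c in blocks:
        out += xor(dec_block(c), prev)
        prev = c
    return bytes(out)


def build_0201_line(iv: bytes, plaintext: bytes, enc_block: Callable[[bytes], bytes]) -> str:
    """Assemble a line in the quoted format: 02 01 00 00 00 LEN, IV, ciphertext."""
    payload = iv + b"".join(cbc_encrypt(iv, plaintext, enc_block))
    return (b"\x02\x01\x00\x00\x00" + bytes([len(payload)]) + payload).hex().upper()


def decrypt_line(line: str, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    p = parse_0201(line)
    return cbc_decrypt(p["iv"], p["blocks"], lambda c: ede_decrypt(k1, k2, k3, c))


if __name__ == "__main__":
    for ln in THREAD_LINES:
        p = parse_0201(ln)
        print(f"len={p['len']:3d} iv={p['iv'].hex().upper()} blocks={len(p['blocks'])}")
    first = parse_0201(THREAD_LINES[0])
    print("D(C1) must be", expected_decrypt_output(first["iv"], FIX_UPDATE_CMD).hex().upper())
    print("truncated line well-formed?", is_well_formed(TRUNCATED_LINE))
    # Made-up keys: forge a line with the toy cipher and check it would pass.
    k1, k2 = b"\x11" * 8, b"\x22" * 8
    forged = build_0201_line(b"\xAA" * 8, FIX_UPDATE_CMD + b"\x00" * 8,
                             lambda b: ede_encrypt(k1, k2, k1, b))
    print("forged line passes Check4Update:", check4update(decrypt_line(forged, k1, k2, k1)[:8]))
```

Note what the length check catches: the 0201...90 line quoted later in the thread is rejected because its length byte (0x90 = 144) does not match the bytes actually present, so the tool never tries to split a truncated line into blocks. For the first line, the 16-byte payload splits into exactly one IV and one ciphertext block, which is what the "IV plus one block of fixUpdateCMD" reading predicts; the value the block decrypt has to produce for that block is the XOR of fixUpdateCMD with the IV, not fixUpdateCMD itself, so any key search against that line has to target 44381510289B8C7D.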
Did you all try to extract the update from 1.X to 1.4 from the loader?
contains 3 blocks - Update Revision - Provider Update and IDK
02010000009027FB91D6BA6C08F1B0B8FE2D6CA1B9D7427FD. ...
some lines deeper...
020100000030C4AA6387630AF2BDC6A1A41D12BFACFB0286DC41488079F2367707C86B9B105CFCE1D6F7B9C6065537D65A7E140E4093
0201000000208F829592032AE335A1F94E6E8CBDD7F3B9432C1F6FA9FAD96449FDF349BB8833
END
NEXT BLOCK
If you have a look on creating files... (you got this tool?)
Logg ECM with HSN (GROUP)
ECM= 123456788
Get the MD5 and the timestamp on it, and you have a working GAM file... and you can flash it. So the backdoor can be the FLASH, but if you make failures while flashing, the card gets locked. The card picks up and decrypts the ECM and extracts the keys into another address in main flash.
So one way you can try is sending a gam file to your hardware to inject something.
(glitch) High Risk
$80
Our cards here are a gamma variant; the card won't accept 0201 commands,
and the gamma won't work with the main providers here.
Logg ECM with HSN may be an interesting tool to play with, if you could post a link.
If Gamma is the new card on the block, then many will be interested if it works more than normal and updates itself.
Thanks for reading this mail, and wishing you all the best of health and wealth for you and your family.
The gamma uses 0201 commands,
and we updated the gamma with gam files and logged the ECM and sent it to the card,
but the HMK or whatever is not in the stream to be logged,
and with the revisions to the white cards I don't think the original gamma code would work here any more.
I wonder if the reference was to an unlooper or loader to glitch the timing/voltage. Something like UL4S.
Or maybe he's referring to one of the crypto attacks that involves changing a single bit in the encrypted data and watching the result, although that probably wouldn't be useful for the update data as you don't get to see the data coming out the other end.
ag
Energy is the father of creation
How is it that some IR2 providers in Europe have keys...
On another forum there is something about MCT, a raw ECM then the decoded ECM.... Not sure if it will help anyone...
cost me $100 all good