Beta Offline decryption utility

[Black Hole]

Using a private key that is common across all units, and a shared secret that's also common.. the 2000T code is so much easier to work with than the HDR!

Does that mean you have a back door?

 

[af123]

Does that mean you have a back door?

No.. I could trivially patch in an all-zero key but we don't have a way of loading modified firmware. I'm just slightly envious at how readable the code is by comparison - I think they must have used a much newer compiler for a start..

 

[everthewatcher]

: just boot a Live Linux CD/DVD/USB (it doesn't hurt your PC, and is handy to have around).

As I found out a couple of years back. Some HD corruption stopped the box getting as far as initialising the network side of things on booting, so no means of fixing it on the machine. Pulling the HD out and running it up in a PC with a Linux live CD sorted it.

 

[Ezra Pound]

humax# stripts -/ 11111111111111111111111111111111 test/Bargain\ Hunt_20180502_1218
Encryption key is INCORRECT for this recording.

Yes thanks for that, I had already added an EDIT to my #144 post I.e. :-
Last edited: Tuesday at 4:25 PM

 

[EEPhil]

Sorry, the replies are a bit late. Busy day yesterday.

No point (as per post 168), and I missed this bit:

pointless.zip is encrypted/decrypted and key for a FOX not a 2000T. af123 provided it so that I could work out whether my program/methodology/whatever would do the same job as the utility discussed here (well, the decrypt part). I can decrypt a FOX file given the MAC and S/N. If I do a file comparison, my decrypted version is the same as that in the zip, just 128 bytes larger. It plays.
I thought what you wanted was some data from a 2000T.

 

[EEPhil]

That's in the web browser client code

Hmm, the clue was in the mention of "opera".

 

[EEPhil]

I extracted some/all of the 2000T files by cheating. Finding humidify didn't work, I just removed the first few bytes from the .hdf file and hey-presto humidify did work. Whether it extracted everything I don't know.

I'm just slightly envious at how readable the code is by comparison - I think they must have used a much newer compiler for a start..

I'm trying to make sense of this from a Windows computer and a hex dump!

 

[Black Hole]

I thought what you wanted was some data from a 2000T.

I did, but it's academic now as I am satisfied there is no feasible crack process.

 

[EEPhil]

I did, but it's academic now as I am satisfied there is no feasible crack process.

I'll stick this on the back burner and get on with something else I think.

 

[af123]

I extracted some/all of the 2000T files by cheating. Finding humidify didn't work, I just removed the first few bytes from the .hdf file and hey-presto humidify did work. Whether it extracted everything I don't know.

I'm trying to make sense of this from a Windows computer and a hex dump!

Give http://radare.org/r/ a go.

 

[Black Hole]

Where are we with this now? What is the direction?

 

[EEPhil]

Which part are you referring to, the main thrust of the thread or the 2000T sideline?

 

[Black Hole]

main thrust of the thread

This ^^^

2000T is stuffed as far as I know

 

[EEPhil]

2000T is stuffed as far as I know

You could be are right. I only asked because your question followed a reply from af123, which was about the 2000T stuff.
(Just for the record, I'm getting nowhere slowly trying to make sense of the 2000T code for ...LoadClearKey. Need to know where it is called from, with what parameters, and what it returns... )

 

[Black Hole]

The forum has been very quiet, maybe it's this sudden burst of summer (catch it while you can).

 

[af123]

You could be are right. I only asked because your question followed a reply from af123, which was about the 2000T stuff.
(Just for the record, I'm getting nowhere slowly trying to make sense of the 2000T code for ...LoadClearKey. Need to know where it is called from, with what parameters, and what it returns... )

Does this help?

        NEXUS_Security_GetDefaultClearKey(&key);
        key.keyIVType = NEXUS_SecurityKeyIVType_eNoIV;
        key.keyEntryType = NEXUS_SecurityKeyType_eOdd;
        key.keySize = xClearTextHostKeySize;
        BKNI_Memcpy(key.keyData, pxClearTextHostKey, sizeof(TCsdUnsignedInt8) * xClearTextHostKeySize);

/* Load clear key to key table. */
        if (NEXUS_Security_LoadClearKey(keyHandle, &key) != 0)

and

typedef struct {
int keySize;
int keyEntryType;// may be in wrong place
int keyIVType;// may be in wrong place
char keyData[0x10];
} NEXUS_SecurityClearKey;

 

[EEPhil]

Does this help?

It may well do!
How did you get this? Is it your own decompiling or have you got some other reverse engineering software that gets you from mips to C?
BTW, radare2 has turned out to be very useful, thanks. Just a pity I keep mistyping radare - years ago I did some work for one of our MoD establishments - then known as RARDE, so I keep typing that by mistake.

 

[af123]

That's a fragment of code I found on a forum somewhere.. the struct layout is what I have derived from the assembly.
Have you ever tried the "Retargetable Decompiler" (https://retdec.com) ?
It doesn't work well for the HDR binary but would probably have a lot more luck with the 2000..

 

[EEPhil]

Have you ever tried the "Retargetable Decompiler" (https://retdec.com) ?

No. Just given RecStudio a go. Not very helpful.

 

[af123]

Where are we with this now? What is the direction?

Work stopped play...
The beta packages are probably due to move over to the main repository; at least I have had no reports of problems with them.
I hope to get back to the wider analysis in the next few weeks.