• The forum software that supports hummy.tv has been upgraded to XenForo 2.3!

    Please bear with us as we continue to tweak things, and feel free to post any questions, issues or suggestions in the upgrade thread.

Beta Offline decryption utility

Using a private key that is common across all units, and a shared secret that's also common.. the 2000T code is so much easier to work with than the HDR!
Does that mean you have a back door?
 
Last edited:
Does that mean you have a back door?
No.. I could trivially patch in an all-zero key but we don't have a way of loading modified firmware. I'm just slightly envious at how readable the code is by comparison - I think they must have used a much newer compiler for a start..
 
: just boot a Live Linux CD/DVD/USB (it doesn't hurt your PC, and is handy to have around).
As I found out a couple of years back. Some HD corruption stopped the box getting as far as initialising the network side of things on booting, so no means of fixing it on the machine. Pulling the HD out and running it up in a PC with a Linux live CD sorted it.
 
Sorry, the replies are a bit late. Busy day yesterday.
No point (as per post 168), and I missed this bit:
pointless.zip is encrypted/decrypted and key for a FOX not a 2000T. af123 provided it so that I could work out whether my program/methodology/whatever would do the same job as the utility discussed here (well, the decrypt part). I can decrypt a FOX file given the MAC and S/N. If I do a file comparison, my decrypted version is the same as that in the zip, just 128 bytes larger. It plays.
I thought what you wanted was some data from a 2000T.
 
Last edited:
I extracted some/all of the 2000T files by cheating. Finding humidify didn't work, I just removed the first few bytes from the .hdf file and hey-presto humidify did work. Whether it extracted everything I don't know.
I'm just slightly envious at how readable the code is by comparison - I think they must have used a much newer compiler for a start..
I'm trying to make sense of this from a Windows computer and a hex dump!
 
I extracted some/all of the 2000T files by cheating. Finding humidify didn't work, I just removed the first few bytes from the .hdf file and hey-presto humidify did work. Whether it extracted everything I don't know.

I'm trying to make sense of this from a Windows computer and a hex dump!
Give http://radare.org/r/ a go.
 
2000T is stuffed as far as I know
:rolling:
You could be are right. I only asked because your question followed a reply from af123, which was about the 2000T stuff.
(Just for the record, I'm getting nowhere slowly trying to make sense of the 2000T code for ...LoadClearKey. Need to know where it is called from, with what parameters, and what it returns... :coffee: )
 
:rolling:
You could be are right. I only asked because your question followed a reply from af123, which was about the 2000T stuff.
(Just for the record, I'm getting nowhere slowly trying to make sense of the 2000T code for ...LoadClearKey. Need to know where it is called from, with what parameters, and what it returns... :coffee: )
Does this help?

C:
        NEXUS_Security_GetDefaultClearKey(&key);
        key.keyIVType = NEXUS_SecurityKeyIVType_eNoIV;
        key.keyEntryType = NEXUS_SecurityKeyType_eOdd;
        key.keySize = xClearTextHostKeySize;
        BKNI_Memcpy(key.keyData, pxClearTextHostKey, sizeof(TCsdUnsignedInt8) * xClearTextHostKeySize);

/* Load clear key to key table. */
        if (NEXUS_Security_LoadClearKey(keyHandle, &key) != 0)

and

C:
typedef struct {
int keySize;
int keyEntryType;// may be in wrong place
int keyIVType;// may be in wrong place
char keyData[0x10];
} NEXUS_SecurityClearKey;
 
Does this help?
It may well do!
How did you get this? Is it your own decompiling :notworthy: or have you got some other reverse engineering software that gets you from mips to C?
BTW, radare2 has turned out to be very useful, thanks. :thumbsup: Just a pity I keep mistyping radare - years ago I did some work for one of our MoD establishments - then known as RARDE, so I keep typing that by mistake. :oops:
 
That's a fragment of code I found on a forum somewhere.. the struct layout is what I have derived from the assembly.
Have you ever tried the "Retargetable Decompiler" (https://retdec.com) ?
It doesn't work well for the HDR binary but would probably have a lot more luck with the 2000..
 
Where are we with this now? What is the direction?
Work stopped play...
The beta packages are probably due to move over to the main repository; at least I have had no reports of problems with them.
I hope to get back to the wider analysis in the next few weeks.
 
Back
Top