Beta Offline decryption utility

Black Hole

May contain traces of nut
Using a private key that is common across all units, and a shared secret that's also common.. the 2000T code is so much easier to work with than the HDR!
Does that mean you have a back door?
af123

Administrator, Staff member
> Does that mean you have a back door?
No.. I could trivially patch in an all-zero key but we don't have a way of loading modified firmware. I'm just slightly envious at how readable the code is by comparison - I think they must have used a much newer compiler for a start..

everthewatcher

Forum Supporter
> just boot a Live Linux CD/DVD/USB (it doesn't hurt your PC, and is handy to have around).
As I found out a couple of years back. Some HD corruption stopped the box getting as far as initialising the network side of things on booting, so no means of fixing it on the machine. Pulling the HD out and running it up in a PC with a Linux live CD sorted it.

EEPhil

Number 28
Sorry, the replies are a bit late. Busy day yesterday.
No point (as per post 168), and I missed this bit:
pointless.zip is the encrypted/decrypted file and key for a FOX, not a 2000T. af123 provided it so that I could work out whether my program/methodology/whatever would do the same job as the utility discussed here (well, the decrypt part). I can decrypt a FOX file given the MAC and S/N. If I do a file comparison, my decrypted version is the same as that in the zip, just 128 bytes larger. It plays.
I thought what you wanted was some data from a 2000T.

EEPhil

Number 28
I extracted some/all of the 2000T files by cheating. Finding humidify didn't work, I just removed the first few bytes from the .hdf file and hey-presto humidify did work. Whether it extracted everything I don't know.
> I'm just slightly envious at how readable the code is by comparison - I think they must have used a much newer compiler for a start..
I'm trying to make sense of this from a Windows computer and a hex dump!
af123

Administrator, Staff member
> I extracted some/all of the 2000T files by cheating. Finding humidify didn't work, I just removed the first few bytes from the .hdf file and hey-presto humidify did work. Whether it extracted everything I don't know.
>
> I'm trying to make sense of this from a Windows computer and a hex dump!
Give http://radare.org/r/ a go.

EEPhil

Number 28
> 2000T is stuffed as far as I know
:rolling:
You could be right. I only asked because your question followed a reply from af123, which was about the 2000T stuff.
(Just for the record, I'm getting nowhere slowly trying to make sense of the 2000T code for ...LoadClearKey. Need to know where it is called from, with what parameters, and what it returns... :coffee: )
af123

Administrator, Staff member
> :rolling:
> You could be right. I only asked because your question followed a reply from af123, which was about the 2000T stuff.
> (Just for the record, I'm getting nowhere slowly trying to make sense of the 2000T code for ...LoadClearKey. Need to know where it is called from, with what parameters, and what it returns... :coffee: )
Does this help?

C:
    /* Start from the SDK's default clear-key descriptor, then fill in this key. */
    NEXUS_Security_GetDefaultClearKey(&key);
    key.keyIVType = NEXUS_SecurityKeyIVType_eNoIV;
    key.keyEntryType = NEXUS_SecurityKeyType_eOdd;
    key.keySize = xClearTextHostKeySize;
    BKNI_Memcpy(key.keyData, pxClearTextHostKey, sizeof(TCsdUnsignedInt8) * xClearTextHostKeySize);

    /* Load clear key to key table. */
    if (NEXUS_Security_LoadClearKey(keyHandle, &key) != 0)
and

C:
typedef struct {
    int keySize;
    int keyEntryType;   /* may be in wrong place */
    int keyIVType;      /* may be in wrong place */
    char keyData[0x10];
} NEXUS_SecurityClearKey;
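As an added example (not code from the thread or the Humax/Broadcom SDK), here is a small C check of the struct layout derived above, plus a bounded version of the fill sequence from the fragment; the type name ClearKeyLayout, the function names and the sample key bytes are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical mirror of the layout derived above (the thread marks the
 * position of keyEntryType/keyIVType as uncertain). */
typedef struct {
    int keySize;
    int keyEntryType;
    int keyIVType;
    char keyData[0x10];
} ClearKeyLayout;
/* Offsets the disassembly's stores must hit for this layout to be right
 * (4-byte ints, 4-byte alignment): 0, 4, 8, 12 and 28 bytes in total.
 * Returns 1 when the compiled layout matches, 0 otherwise. */
int clear_key_layout_matches(void)
{
    return offsetof(ClearKeyLayout, keySize) == 0
        && offsetof(ClearKeyLayout, keyEntryType) == 4
        && offsetof(ClearKeyLayout, keyIVType) == 8
        && offsetof(ClearKeyLayout, keyData) == 12
        && sizeof(ClearKeyLayout) == 28;
}

/* Same fill sequence as the posted fragment, but the host key length is
 * checked against keyData first (the fragment's BKNI_Memcpy trusts
 * xClearTextHostKeySize). Returns 0 on success, -1 if the key does not fit. */
int fill_clear_key(ClearKeyLayout *key, const uint8_t *host_key,
                   size_t host_key_len, int entry_type, int iv_type)
{
    memset(key, 0, sizeof *key);            /* stands in for GetDefaultClearKey */
    if (host_key_len > sizeof key->keyData)
        return -1;
    key->keyIVType = iv_type;
    key->keyEntryType = entry_type;
    key->keySize = (int)host_key_len;
    memcpy(key->keyData, host_key, host_key_len);
    return 0;
}
/* Constructed 16-byte sample key (not a key from any real unit). */
static const uint8_t SAMPLE_HOST_KEY[16] = "0123456789abcdef";

/* Fill from the sample key; returns the keySize written, or 0 if refused. */
int sample_key_size(size_t len)
{
    ClearKeyLayout key;
    if (fill_clear_key(&key, SAMPLE_HOST_KEY, len, 1, 0) != 0)
        return 0;
    return key.keySize;
}
```

If clear_key_layout_matches() returns 0 on your toolchain, the offsets you see in the MIPS stores will not line up with this struct and the field order needs revisiting.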

EEPhil

Number 28
> Does this help?
It may well do!
How did you get this? Is it your own decompiling :notworthy: or have you got some other reverse engineering software that gets you from mips to C?
BTW, radare2 has turned out to be very useful, thanks. :thumbsup: Just a pity I keep mistyping radare - years ago I did some work for one of our MoD establishments - then known as RARDE, so I keep typing that by mistake. :oops:
af123

Administrator, Staff member
That's a fragment of code I found on a forum somewhere.. the struct layout is what I have derived from the assembly.
Have you ever tried the "Retargetable Decompiler" (https://retdec.com) ?
It doesn't work well for the HDR binary but would probably have a lot more luck with the 2000..
af123

Administrator, Staff member
> Where are we with this now? What is the direction?
Work stopped play...
The beta packages are probably due to move over to the main repository; at least I have had no reports of problems with them.
I hope to get back to the wider analysis in the next few weeks.