Beta Offline decryption utility

af123 (OP, Administrator, Staff member):
Does that mean you have a back door?
No.. I could trivially patch in an all-zero key but we don't have a way of loading modified firmware. I'm just slightly envious at how readable the code is by comparison - I think they must have used a much newer compiler for a start..
 
Just boot a Live Linux CD/DVD/USB (it doesn't hurt your PC, and is handy to have around).
As I found out a couple of years back. Some HD corruption stopped the box getting as far as initialising the network side of things on booting, so no means of fixing it on the machine. Pulling the HD out and running it up in a PC with a Linux live CD sorted it.
 
Sorry, the replies are a bit late. Busy day yesterday.
No point (as per post 168), and I missed this bit:
pointless.zip is encrypted/decrypted and key for a FOX not a 2000T. af123 provided it so that I could work out whether my program/methodology/whatever would do the same job as the utility discussed here (well, the decrypt part). I can decrypt a FOX file given the MAC and S/N. If I do a file comparison, my decrypted version is the same as that in the zip, just 128 bytes larger. It plays.
I thought what you wanted was some data from a 2000T.
 
I extracted some/all of the 2000T files by cheating. When I found humidify didn't work, I just removed the first few bytes from the .hdf file and, hey presto, humidify did work. Whether it extracted everything I don't know.
I'm just slightly envious at how readable the code is by comparison - I think they must have used a much newer compiler for a start..
I'm trying to make sense of this from a Windows computer and a hex dump!
 
2000T is stuffed as far as I know
:rolling:
You could be right. I only asked because your question followed a reply from af123, which was about the 2000T stuff.
(Just for the record, I'm getting nowhere slowly trying to make sense of the 2000T code for ...LoadClearKey. Need to know where it is called from, with what parameters, and what it returns... :coffee: )
 
af123 (OP, Administrator, Staff member):
Does this help?

C:
        /* Fill in the clear-key descriptor: no IV, odd key entry, key bytes copied in. */
        NEXUS_Security_GetDefaultClearKey(&key);
        key.keyIVType = NEXUS_SecurityKeyIVType_eNoIV;
        key.keyEntryType = NEXUS_SecurityKeyType_eOdd;
        key.keySize = xClearTextHostKeySize;
        BKNI_Memcpy(key.keyData, pxClearTextHostKey, sizeof(TCsdUnsignedInt8) * xClearTextHostKeySize);

        /* Load clear key to key table. */
        if (NEXUS_Security_LoadClearKey(keyHandle, &key) != 0)
and

C:
typedef struct {
    int keySize;
    int keyEntryType;   // may be in wrong place
    int keyIVType;      // may be in wrong place
    char keyData[0x10];
} NEXUS_SecurityClearKey;
 
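As an added example (not code from the thread, nor from Humax or Broadcom), the following C program decodes a raw memory dump into the NEXUS_SecurityClearKey layout derived above, which is the kind of check that helps when you are working from a hex dump rather than a debugger. The field order is taken from the struct exactly as posted, including its uncertainty; the big-endian byte order, the 4-byte int size on both host and target, the field values in the sample, and the sample bytes themselves are my assumptions and constructed data. The plausibility check is the useful part: if the decoded keySize does not fit in the 16-byte keyData, the guessed field order or endianness is probably wrong.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Layout of the clear-key descriptor as derived in the thread from the MIPS
 * assembly. The relative order of the three int fields is uncertain (noted
 * as "may be in wrong place" above); this example simply takes that order.
 */
typedef struct {
    int keySize;
    int keyEntryType;
    int keyIVType;
    char keyData[0x10];
} NEXUS_SecurityClearKey;

/* Assumption: the target stores ints big-endian (a guess for this MIPS
 * SoC, not confirmed by the thread); for a little-endian dump, swap the shifts. */
static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode a raw memory dump into the struct. Returns 0 on success, -1 if the
 * dump is too short to contain the whole descriptor. Host offsetof() is used
 * on the assumption that host and target agree on 4-byte ints and no padding. */
int clearkey_from_dump(const uint8_t *dump, size_t len, NEXUS_SecurityClearKey *out)
{
    if (dump == NULL || out == NULL || len < sizeof(NEXUS_SecurityClearKey))
        return -1;
    out->keySize      = (int)rd32be(dump + offsetof(NEXUS_SecurityClearKey, keySize));
    out->keyEntryType = (int)rd32be(dump + offsetof(NEXUS_SecurityClearKey, keyEntryType));
    out->keyIVType    = (int)rd32be(dump + offsetof(NEXUS_SecurityClearKey, keyIVType));
    memcpy(out->keyData, dump + offsetof(NEXUS_SecurityClearKey, keyData), sizeof(out->keyData));
    return 0;
}

/* A decoded descriptor is plausible only if keySize fits keyData; a value
 * outside 1..16 is a strong hint that the int fields are in the wrong order
 * or that the endianness guess is wrong. Returns 1 if plausible, else 0. */
int clearkey_plausible(const NEXUS_SecurityClearKey *k)
{
    return k->keySize > 0 && k->keySize <= (int)sizeof(k->keyData);
}

/* Constructed sample dump (not from a real box): keySize = 16,
 * keyEntryType = 1, keyIVType = 0, followed by 16 key bytes 00..0f. */
const uint8_t sample_dump[28] = {
    0x00, 0x00, 0x00, 0x10,
    0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
};

int main(void)
{
    NEXUS_SecurityClearKey k;
    size_t i;

    printf("sizeof=%zu offsets: keySize=%zu keyEntryType=%zu keyIVType=%zu keyData=%zu\n",
           sizeof(NEXUS_SecurityClearKey),
           offsetof(NEXUS_SecurityClearKey, keySize),
           offsetof(NEXUS_SecurityClearKey, keyEntryType),
           offsetof(NEXUS_SecurityClearKey, keyIVType),
           offsetof(NEXUS_SecurityClearKey, keyData));

    if (clearkey_from_dump(sample_dump, sizeof sample_dump, &k) != 0) {
        puts("dump too short");
        return 1;
    }
    printf("keySize=%d keyEntryType=%d keyIVType=%d plausible=%d\nkeyData=",
           k.keySize, k.keyEntryType, k.keyIVType, clearkey_plausible(&k));
    for (i = 0; i < sizeof k.keyData; i++)
        printf("%02x", (unsigned char)k.keyData[i]);
    putchar('\n');
    return 0;
}
```

To try a different field order, reorder the three int members in the typedef and rerun against the dump; the offsets printed from offsetof() follow the typedef, so the decode and the plausibility check stay consistent with whatever order you are testing.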
It may well do!
How did you get this? Is it your own decompiling :notworthy: or have you got some other reverse engineering software that gets you from mips to C?
BTW, radare2 has turned out to be very useful, thanks. :thumbsup: Just a pity I keep mistyping radare - years ago I did some work for one of our MoD establishments - then known as RARDE, so I keep typing that by mistake. :oops:
 
af123 (OP, Administrator, Staff member):
That's a fragment of code I found on a forum somewhere.. the struct layout is what I have derived from the assembly.
Have you ever tried the "Retargetable Decompiler" (https://retdec.com)?
It doesn't work well for the HDR binary but would probably have a lot more luck with the 2000..
 