I just fear that if I manage to make a secondary_bootloader image that is accepted by the primary bootloader, but that one does not boot for some reason, there will be no way back. If the device passes the primary loader and freezes on loading the secondary one, it is frozen, as I can't interrupt the boot sequence and get the primary to go into TFTP server mode. Well, fileheader.h is part of the ssign package of the Sagem/Siemens (whatever) source code (and as far as copyright goes it did not seem clean to me, which is why I did not put it on my site), but I can look it up.
It is not a CRC, it is a SHA256 signature of the "contents" signed with the Siemens private key (I have written a tool for that, so I can see if the image is going or not going to be accepted by the router). There is one CRC too, but that is for the header; I think it is CRC32, but I have yet to reproduce that value.
The result looks like this:
Siemens firmware information tool (0.01prealpha)
Magic:0xdeadbeef (correct)
Header version:0x100
Header CRC32 (?):0x48c891ac (todo verify header checksum)
PlatformId: sx76x-danube
Image size: 64408
Stored filename:080616_1724_secondary_sx76x_danube_b__v4.1.26.52.0
PlatformId:sx76x-danube
PlatformOptions:
Firmware Annex:Annex Verification, image for both AnnexA and B devices.
Firmware Chipset:image for Infineon Danube chipset
Image contains:FILE_TYPE_2ND_BOOTLOADER_SHA256_RSA
Signature checking:
Encrypted signature:
Signature successfully decrypted with public.key
Stored image SHA256 hash is:
59:72:85:91:e9:58:0d:bc:d7:a5:f5:18:4a:65:b2:9d
a2:79:25:be:b2:f7:cb:c6:7e:6c:94:a9:f7:d5:d4:eb
Calculated image SHA256 hash is
59:72:85:91:e9:58:0d:bc:d7:a5:f5:18:4a:65:b2:9d
a2:79:25:be:b2:f7:cb:c6:7e:6c:94:a9:f7:d5:d4:eb
Calculated and stored SHA256 hash equals image will be accepted by the router!
As for configuration files, the ssign tool can decrypt those with the device's AES key; firmware files are way more complex.
Faking a secondary bootloader is easy (I do not want to bore anyone with the details); faking a runtime_image is nearly impossible without the private_key. My only concern is what if the faked secondary loader fails to boot up (as the primary loader will think it is completely OK and will not start a TFTP server to give a chance for replacement).
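The accept/reject chain the tool output above walks through (magic, header CRC32, signature over the stored SHA256, stored hash against the calculated hash), as an added Python example that is neither the author's ssign tool nor the real fileheader.h layout: the header layout, the Mersenne-prime RSA key and the sample image bodies are constructed assumptions for the demonstration only.

```python
import hashlib
import struct
import zlib

# Constructed demo RSA key. Mersenne primes give a trivially factorable modulus,
# so this key only illustrates the verification flow; it must never be reused.
P, Q, E = (1 << 127) - 1, (1 << 521) - 1, 65537
N = P * Q
SIG_LEN = (N.bit_length() + 7) // 8          # 81 bytes of signature

# Hypothetical header layout, assumed for this example (the real fileheader.h
# is not on this page): magic u32 | header_version u32 | image_size u32 |
# header_crc32 u32 | sha256[32] | rsa_sig[SIG_LEN], big-endian. The header
# CRC32 is computed with the crc field itself zeroed.
MAGIC, HEADER_VERSION = 0xDEADBEEF, 0x100
HDR_FMT = ">IIII32s%ds" % SIG_LEN
HDR_LEN = struct.calcsize(HDR_FMT)

def private_exponent():
    return pow(E, -1, (P - 1) * (Q - 1))

def header_crc(hdr):
    # CRC field sits at bytes 12..16; it is zeroed while the CRC is computed.
    return zlib.crc32(hdr[:12] + b"\0\0\0\0" + hdr[16:]) & 0xFFFFFFFF

def build_image(body, d):
    # OEM side: hash the body, sign the digest (textbook RSA, no padding: demo
    # only), then fill in the header CRC over the finished header.
    digest = hashlib.sha256(body).digest()
    sig = pow(int.from_bytes(digest, "big"), d, N).to_bytes(SIG_LEN, "big")
    hdr = bytearray(struct.pack(HDR_FMT, MAGIC, HEADER_VERSION, len(body), 0, digest, sig))
    hdr[12:16] = struct.pack(">I", header_crc(bytes(hdr)))
    return bytes(hdr) + body

def verify_image(blob):
    """Primary-loader side: return the first failed check, or "ok"."""
    if len(blob) < HDR_LEN:
        return "truncated header"
    hdr, body = blob[:HDR_LEN], blob[HDR_LEN:]
    magic, _version, size, crc, stored_hash, sig = struct.unpack(HDR_FMT, hdr)
    if magic != MAGIC:
        return "bad magic"
    if crc != header_crc(hdr):
        return "header crc32 mismatch"       # integrity only: anyone can recompute it
    if size != len(body):
        return "image size mismatch"
    # Authenticity: the stored hash must be exactly what the OEM private key signed.
    if pow(int.from_bytes(sig, "big"), E, N) != int.from_bytes(stored_hash, "big"):
        return "signature does not match stored hash"
    # Integrity of the body against the authenticated hash.
    if hashlib.sha256(body).digest() != stored_hash:
        return "calculated sha256 differs from stored hash"
    return "ok"
```

The order of the checks is the point: the CRC only catches corruption, while the signature is what ties the stored hash to the OEM key, so recomputing hash and CRC over a changed body still fails at the signature step.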