DCT-4加密技术讨论 � U"`5%�(�
t%R_fS%?�C
�lY,/Q|
CPU加密解析: > /A}6@T��
R69pYwrC�H
ARM scrambling system on DCT-4 g�7L$�?CV@
****************************** OreG��t�9
wMkG�@H7�
Decrypt 8!|Mi^j�#
" H=FvD�.j
edx = address (even) n4��<Sec 7
******************************** @}7u`qW�p
nex_d: mov ax,[esi+edx] 1-E �obQ
call d_ax ;data scramble &��fd'!|4{
call a_ax ;address scramble ?r(8*:l�$O
mov [esi+edx],ax eb�Dk?MJ<4
add edx,2 �] ,>E8`+u
loop nex_d @��Rq7Ml-�
YW_Da_�$��
ret qt,�1)OI�J
******************************** \$1h���H~|
G�kyyYwMB�
J0SzM�_�&)
Data scramble |$�?�=S��
d_ax: push ebx edx ���=qW�]Y6
mov ebx,0 �KZ*I�_UKb
mov dx,0 R�%�xSvUh�
nex_d_ax: shr ax,1 8"q+2+W8lp
jnc no_xr_d 'MyeN<9K�r
xor dx,[t_d+ebx] 9|q2n{�R}W
no_xr_d: add ebx,2 }�XL�b5��
cmp ebx,32 /VqU�\�LL�
jb nex_d_ax .�Ka�+!�$
mov ax,dx eIq�a2E�e^
pop edx ebx "N="q�cwAj
ret W83fPjY_g
!VRLZ JSF@
NOTE! It seem that this table depend on key on FLASH !Y��5RbDY
t_d dw 0001h,2002h,0204h,0009h,0010h,0820h,0140h,00a0h,0102h,1200h,8400h,0808h,1080h,2010h,4404h,8040h D 4Z�|gNqw
�e[>2O�},A
drk9n� `:
****************************************** J�#+�?(=>^
Encrypt AwI2 L�hRD
,Yh�)~�&2
;First you have to generate reverse function of d_ax bh�Atm; 6
$�B4K��l�V
call set_r_ax ��N*s��+9$
tzjmz�F�b3
**************** ^�J� �qAL�
;edx = address (even) 8'p�7`{�J1
�K!bnR7;!
nex_enc: mov ax,[esi+edx] .n6�[F!9|y
call a_ax ;address scrambling F43Cb;24 E
call r_ax ;reverse data scrambling �(.,Yx�<3c
mov [esi+edx],ax K+GrS*�32�
add edx,2 f�eW�M'0U�
loop nex_enc &sF8lm�(/
a0�b��)X;�
ret 4$xR��(=;'
****************************************** 8�[SK�Z���
RKg|1�7PQ
�T]F9e �**
(QB}OMb�A.
n),f}Gu,)X
set_r_ax: mov dx,0 i <o� r<J�
nex_sr_ax: mov ax,dx kJDK�[�'&�
call d_ax AGoCG�0>[?
movzx eax,ax (5��w��j��
mov [r_ax_table+eax*2],dx �N�B +;���
inc dx ~,�,=]p�:F
jnz nex_sr_ax ZOL@(IA ?S
ret 0u�+PF� \�
L�a67T2{�
r_ax: movzx eax,ax OotK�+Q|�[
mov ax,[r_ax_table+eax*2] bx/Y�\�y9
ret U]�&B��YH�
k�kM7�z�H
r_ax_table dw 10000h dup (0) 1H7*)%+z K
F2$#�};L\�
�tL-�_wi �
tVG�S2zD
A way to get easy data & address scrambling params x�m5<Fcyk)
************************************************** mgqG##�G��
ZVI�v�H@R
Getting Data params. Z��b�8~({V
�64v�*.Q4
1.) Read crypted & decrypted data from DCT4 phone using "dct4_rd.com" +n�{��^efH
Qp#�{^qw�B
2.1) Write to some FLASH even address word 0001h �o�o�^b~2+
2.2) Read word from that address in decrypted mode and update first <�OB034V)�
word in table "t_d" 0p�W�[Gi l
2.3) Repeat steps 2.1 & 2.2 with words 0002,0004,0008,..to 8000h k"ZR\�6�og
and update table "t_d" p]1(��_:��
2.4) Write to same FLASH addr. word 0000 G�@\G9�.PJ
2.5) Read decrypted word and xor all 16 words in table "t_d" with it. 3���^l�^��
hZzzY=}3 �
Getting Address params. c K@Pqmms.
ZD,~fR!_9_
After getting data params, use function d_ax on whole crypted FLASH nx� hY7��
word by word. M0r,r$�!`/
Now, xor word by word that data with decrypted FLASH, and that's it! �h��"�U{L�
D�qPr�Ccl
And function a_ax will be: �=2�;5O,vo
'U(-S�kCC�
a_ax: xor ax,[edx+address_params-FLASH_offset] v"�2lIW/�s
ret B(�U"\Ah$
�n_�nOJAc]
Op�A�J}�LD
[h�]�,/WUV
?NXWk2 �\�
-------------------------------------------------------------------------------- s`8DJ�\vBZ
以下内容只有回复后才可以浏览 aQsj�blKtO
�Q/R1Cqem}
|,�`./{RFP
�C0`t& �r]
IMEI加密解析: g,�o�T0�`T
��%F7�xb�j
Hint: .HFaXp\0nN
010000000 Plain FLASH base 7YeQAK�W�;
090000000 Cipher FLASH base icB���;1+e
(] w@=�,
}\~�.{ jaW
########################################### v@*�>T*i�h
; Get_IMEI >I,�1Jy�Q�
########################################### F|!dr&0S�c
;r0 = dest :jy�\��"B$
;RET r0 = status; 1=OK |F%T &DY�z
;If IMEI is BAD dest will be filled with FF,FF,FF,.... ("?????...." em%' lP :
�H O{�GfK*
002B2E2C: B5 30 PUSH (R4,R5,LR) w����o}j�
002B2E2E: B0 82 SUB SP,#0008 j�UYt�} -
�[�SDF z`/
;========================================== �M��5Tuy*<
; get IMEI from flash q=]ls1�`ts
[ +M?zK��&
002B2E30: 1C 04 ADD R4,R0,#0 ;r0 = dest z_(a ��uQk
002B2E32: 21 0D MOV R1,#0D ;offset ;^x�T<z>4i
002B2E34: 22 10 MOV R2,#10 ;size �~,IB<=_X;
002B2E36: F0 00 F9 AD CALL 002B3194 ;Get_secure_data_from_FLASH (GET IMEI) �^����VQsW
7.uI3u��W�
002B2E3A: 1C 05 ADD R5,R0,#0 {PA��b?Fn,
002B2E3C: 2D 01 CMP R5,#01 ��]~@0&JGq
002B2E3E: D1 1A BNE 002B2E76 ;jmp if IMEI FLASH is NOT VALID! v�c�(�tg�Y
AM=�7 �)kT
;========================================== lX//Ind?;0
; get IMEI from UEM TIN@/M{-q1
�QX] z%.��
002B2E40: 46 68 MOV R0,SP ;r0 = dest (SP_LOC[8]) �I;�}Q#7O2
002B2E42: F0 00 F9 DF CALL 002B3204 ;READ_UEM_IMEI r0 = dest /T�XIx"M%C
002B2E46: 1C 05 ADD R5,R0,#0 ;r5 = status Z�GS*?$n�l
002B2E48: 2D 01 CMP R5,#01 � C>9e$#��
002B2E4A: D1 0B BNE 002B2E64 ;jmp if UEM IMEI is zero (00,00,00,...) P++s��ea0
��h�J�,~
;========================================== fr7|L�S'�\
; compare UEM & FLASH IMEI �^zUm4gO+
>8pT[t:)^<
002B2E4C: 46 69 MOV R1,SP ;r1=UEM IMEI, r4=FLASH IMEI pd�mt _"|!
002B2E4E: 20 00 MOV R0,#00 Xb��K,� l<
002B2E50: 5D 03 LDRB R3,[R0+R4] ({�P� )�4N
002B2E52: 78 0A LDRB R2,[R1+#00] w'ZSLe�Gu0
002B2E54: 42 93 CMP R3,R2 ^KB�C"�UW�
002B2E56: D1 08 BNE 002B2E6A ;jmp if there is difference! rkr=>v?=��
002B2E58: 31 01 ADD R1,#01 �kr�8u�zx'
002B2E5A: 1C 40 ADD R0,R0,#1 W�i5=�G0��
002B2E5C: 04 00 LSL R0,R0,16 r�OX#��P-�
002B2E5E: 0C 00 LSR R0,R0,16 � �]i*m"Q
002B2E60: 28 08 CMP R0,#08 $�zf�y5{ M
002B2E62: DB F5 BLT 002B2E50 _pr�_�"54
LR�R>xPC^B
;========================================== %+�khe;7�%
002B2E64: 2D 00 CMP R5,#00 ~<�g�;y�f�
002B2E66: D0 01 BEQ 002B2E6C �^"..; R�V
002B2E68: E0 05 JMP 002B2E76 �oDB[<w[~�
tBC:ZBJ:f�
002B2E6A: 25 00 MOV R5,#00 R@nT� ��R�
002B2E6C: 20 03 MOV R0,#03 �S��A8/TI`
002B2E6E: F0 00 F8 67 CALL 002B2F40 ;Get_sys_flag %`!"uXAJ&~
002B2E72: 28 02 CMP R0,#02 Vc�lKqD,>
002B2E74: D0 09 BEQ 002B2E8A of;:R�4mG�
hP��|:!6L
002B2E76: 2D 01 CMP R5,#01 uX��7#: [V
002B2E78: D0 07 BEQ 002B2E8A (<$B&ZV2�!
s>5Nv�o& *
;========================================== gf<`�A8!_
; fill dest with "FF" if IMEI is BAD! \-W]Y!�m@.
w<TrR��KcM
002B2E7A: 21 FF MOV R1,#FF |Yb�A�B<q�
002B2E7C: 20 00 MOV R0,#00 "rUS:`W�G�
002B2E7E: 55 01 STRB R1,[R0+R4] _ Ux�>lFp
002B2E80: 1C 40 ADD R0,R0,#1 ��{�;<>�-
002B2E82: 04 00 LSL R0,R0,16 `Xp�G~o,!H
002B2E84: 0C 00 LSR R0,R0,16 �N^��"]^F
002B2E86: 28 10 CMP R0,#10 !ciOg�h>M
002B2E88: DB F9 BLT 002B2E7E �{�V�y��c:
RQ�/ +d�.r
002B2E8A: 20 01 MOV R0,#01 ���9buz�k0
002B2E8C: B0 02 ADD SP,#0008 4,CAmlh�Ho
002B2E8E: BD 30 RET (R4,R5) p. �(�v4L9
FQ�^}@�L6&
/*)Yjs#'x=
######################################## �1d�W6S&>&
Get_secure_data_from_FLASH �Q��N�4P7J
######################################## 4+j�n6i/OH
;r0 = dest X8M �E�3R�
;r1 = offset in FLASH secure data block sWn<M*:r�Z
;r2 = size in bytes T��35L�!*S
;RET r0 = status ;1=OK (in dest is valid data), else ERROR (dest is filed by FF...) JB��R�h�NB
;======================================= �g�m]�mJr:
J*I(],�u}<
002B3194: B5 F0 PUSH (R4,R5,R6,R7,LR) {i�4|[�m6h
002B3196: B0 81 SUB SP,#0004 (��3G!7�n2
002B3198: 1C 14 ADD R4,R2,#0 -Zyf �>�Q�
002B319A: 91 00 STR R1,[SP+#0000] ;save PARAM R1 (offset) =_7Y,Svk?7
002B319C: 1C 06 ADD R6,R0,#0 �xn�QLFiyL
�X!W"�'%�v
M�O �,�?�5
;======================================= !h,�23��UH
;copy SECURE FLASH cipher block of 28h bytes from FLASH 900003ah to temp RAM 43d14h �Y�\- �S�m
^I1<�j`�1
002B319E: 4D 5B LDR R5,[PC+#016C] ;[002B330C]=00043D14 ;r5 = temp baf �BsZ$FTz~�
002B31A0: 49 5E LDR R1,[PC+#0178] ;[002B331C]=0900003A ?E"K\�T6[2
002B31A2: 1C 28 ADD R0,R5,#0 E �t]�Rk5I
002B31A4: 22 28 MOV R2,#28 �sUW #{1(y
002B31A6: 4B 5C LDR R3,[PC+#0170] ;[002B3318]=00043FD0 h aFMU`daZ
002B31A8: 68 1B LDR R3,[R3+#00] ;=840001 5yFa4JBM8!
002B31AA: 46 FE MOV LR,PC �vcB�51�J
002B31AC: 47 18 BX R3 ;call 840001 (ROM_SEC__COPY_MEM r0=dest r1=src r2=size) \�@|�+Fu��
uid[tLR{55
;======================================= x�?{=1��?`
;decode SECURE FLASH cipher block r1!Z7,���
%pGKKbv��M
002B31AE: 1C 28 ADD R0,R5,#0 ;r0,r1 = src,dst Pb��5c}j��
002B31B0: 1C 29 ADD R1,R5,#0 g,qe�0�^N4
002B31B2: 22 28 MOV R2,#28 ;size �j]0�&t;�
002B31B4: 23 20 MOV R3,#20 ;decryption mode Z)C�Fq{TeE
002B31B6: F7 FF FF 64 CALL 002B3082 ;DECRYPT_DATA P9\ � w::6
002B31BA: 1C 07 ADD R7,R0,#0 ;r7 = decrypt status /�-I�1#NU
d#?��^�^&.
;======================================= '�dChQhG�}
; calc checksum of decrypted SECURE FLASH block and test if it is correct 8���A*IHpY
YAnD��x<*)
002B31BC: 1C 28 ADD R0,R5,#0 ;r0 = src �^�=]N(,�v
002B31BE: 21 26 MOV R1,#26 ;size %� -'�=G��
002B31C0: F7 FF FF 84 CALL 002B30CC ;CALC_SUM (ret r0=chk) #K�vD�G U>
002B31C4: 21 26 MOV R1,#26 [@~@y��)/.
002B31C6: 5D 49 LDRB R1,[R1+R5] f�j?,�Qa��
002B31C8: 02 0A LSL R2,R1,8 '-��W�rc�T
002B31CA: 21 27 MOV R1,#27 �Wf7*tsWZ�
002B31CC: 5D 49 LDRB R1,[R1+R5] �M{;�qp�>�
002B31CE: 43 11 ORR R1,R2 ;r1 = chk from SECURE FLASH block �UH?~Pi)LU
002B31D0: 42 88 CMP R0,R1 18f8��@ �N
002B31D2: D1 0A BNE 002B31EA ;jmp if checksum is BAD! r?DPR3E{eS
�+�nt�Ls;H
002B31D4: 2F 01 CMP R7,#01 *T �FNs,[�
002B31D6: D1 0D BNE 002B31F4 ;jmp if decrypt status is BAD! uA.9�:d y_
1D� l)T�!7
;======================================= $�_Q^o4�P
; copy from SECURE FLASH decrypted block offset*size to dest (for IMEI offset=dh,size=10h) YF�Q^a�t+�
c#_bfx-f
002B31D8: 4B 4F LDR R3,[PC+#013C] ;[002B3318]=00043FD0 Q�EJ< *$�"
002B31DA: 98 00 LDR R0,[SP+#0000] ;PARAM R1 (offset) �C*uO�CW�(
002B31DC: 19 41 ADD R1,R0,R5 ;r1 = temp_baf+offset Fk"5n9�ys
002B31DE: 1C 30 ADD R0,R6,#0 ;r0 = PARAM R0 (dest) ��s+~U�x3P
002B31E0: 1C 22 ADD R2,R4,#0 ;r2 = PARAM R2 (size) �iJz J%�Y
002B31E2: 68 1B LDR R3,[R3+#00] ;=840001 %F;�*�`�#
002B31E4: 46 FE MOV LR,PC 0�8}�.j=�a
002B31E6: 47 18 BX R3 ;call 840001 (ROM_SEC__COPY_MEM r0=dest r1=src r2=size) Q`�{OKt+ !
002B31E8: E0 04 JMP 002B31F4 ,�w[<R���o
Ir9R3h^. �
;======================================= n �(@e~_�
; If FLASH IMEI have any error dest will be filled with "FF"..... s~Ct >�o�u
<v^3g0'l[�
002B31EA: 1C 22 ADD R2,R4,#0 ;r2 = PARAM R2 (size) )<�}bZ33d�
002B31EC: 1C 30 ADD R0,R6,#0 ;r0 = PARAM R0 (dest) r;U�{,?b Q
002B31EE: 21 FF MOV R1,#FF ;r1 = fill value �� E'�'?�
002B31F0: F1 86 FE 0C CALL 00439E0C ;FILL_MEM p(T!r�U}�
�)`3W<q~Br
;======================================= $x �fKUUvv
; fill temp_baf to make HACKING harder Uz0MRf0e#
���x&+��ne
002B31F4: 1C 28 ADD R0,R5,#0 ;r0 = temp_baf 5�1;�/(GR.
002B31F6: 21 FF MOV R1,#FF ;r1 = fill value }%nC_:�)Tm
002B31F8: 22 28 MOV R2,#28 ;size N�we��;;P+
002B31FA: F1 86 FE 07 CALL 00439E0C ;FILL_MEM `+�;x�u �*
�.>$Y�IA��
002B31FE: 1C 38 ADD R0,R7,#0 -�$u$�.wo"
002B3200: B0 01 ADD SP,#0004 (�/u}�B���
002B3202: BD F0 RET (R4,R5,R6,R7) sh[a3� At
;************************************************ � ]1~c=�-O
�CGx%�$�LJ
;################################################ <*5df$6 &@
READ_UEM_IMEI 8 �}0 lax=
;################################################ �UY*^|�I�
;r0 = dest ��Jy�< D_n
;RET r0 = status; 1=IMEI is not zero (00,00,00,....) ZByy}#,$�
h���Pi.��f
002B3204: B5 F0 PUSH (R4,R5,R6,R7,LR) V5N!�n>8i6
002B3206: 1C 04 ADD R4,R0,#0 \�xvD) �'2
002B3208: 26 04 MOV R6,#04 ;read 4 registers ��cQ�iAFV!
002B320A: 4D 48 LDR R5,[PC+#0120] ;[002B332C]=014AE414 ;IMEI reg:mask table (1b,1c,1d,1e, mask=ffff) 1;P3w#�{�?
002B320C: 27 00 MOV R7,#00 KI ,�*]Y�r
-ly*~�"��
002B320E: 68 28 LDR R0,[R5+#00] ;r0 = reg:mask II>3sVh&A�
002B3210: F0 01 FD 99 CALL 002B4D46 ;READ_UEM_REG t3�oMAkQkk
002B3214: 04 00 LSL R0,R0,16 ;r0 = reg value "�B}ebXS)1
002B3216: 0C 00 LSR R0,R0,16 *K�T�1#�Ao
002B3218: 2F 00 CMP R7,#00 "�/O1�?u<r
002B321A: D1 02 BNE 002B3222 @o�prP�%�n
002B321C: 28 00 CMP R0,#00 !g}X%tLWsa
002B321E: D0 00 BEQ 002B3222 OQk]��Tf?�
002B3220: 27 01 MOV R7,#01 2%4MF�_CnL
002B3222: 0A 01 LSR R1,R0,8 xT`9UNQASw
002B3224: 70 21 STRB R1,[R4+#00] ;wr reg value H to dest d�zvBZ�NXG
002B3226: 34 01 ADD R4,#01 @kgzX:1+��
002B3228: 70 20 STRB R0,[R4+#00] ;wr reg value L to dest `g^[%['eY8
002B322A: 34 01 ADD R4,#01 �T9Dlo9rL=
002B322C: 35 04 ADD R5,#04 !8�^D]DgcJ
002B322E: 3E 01 SUB R6,#01 I]uP����p
002B3230: D1 ED BNE 002B320E �Nkgo2o��i
~�`��Qbw,�
002B3232: 1C 38 ADD R0,R7,#0 �& ��b�FQ�
002B3234: BD F0 RET (R4,R5,R6,R7) O;AE{eM~_#
;************************************************ �ZN �J:>}^
Hs�]"Q@l2�
004AE414: 00 1B ;IMEI UEM TABLE $\KE�T�,`o
004AE416: FF FF Hc8�>4%:D�
004AE418: 00 1C R`<�%+�d�o
004AE41A: FF FF 1e�'+��g7<
004AE41C: 00 1D �Tq��<�&��
004AE41E: FF FF r f�5m5A4S
004AE420: 00 1E 6�} �\> %0
004AE422: FF FF RZ�:�*�P:
;************************************************ L{U�yMEMG5
)\�l< -Q.a
yZ5}`T^}Bg
B.R. <Fxv�5B^5
Dejan Kaljevic �|i.Bw8P[
:Jh.|{�zO
��%sU>>tR}
�]���w.Z%B
DCT4采用了ARM7 MCU core+TI320C54X DSP core的基带架构、如上是以8310为例的硬件ID验证和IMEI验证 >�_3?!�<;G
2oa<�;a$�h
|
