
Arm reversing and hex encryption

Hi all,

It has probably been 20-22 years since I first came across Quequero (not personally, but through his web e-zine articles :-)) and I didn't know that his web page was still up :-).

Anyway, I'd like to ask the community for some help reversing/decrypting an ARM firmware.
First of all, let me explain the project I'm working on.

There is a circuit board on the market that is able to emulate any new-gen console gamepad; it's called "Univer*al Fighting B*ard" and is produced by Bro*k (http:// www. br*okaccess*ry. com/). (* = o)
Of course, this product is not licensed by MS, S*ny or Nintend*.

Note 1:
I don't know if you are familiar with the new-gen protocols involved in the joypad <--> console communication but, long story short, everything is based on RSA encryption with a 512-bit key. This makes it hard to decode and break the communication (that's why there aren't any after-market joypads).
However, this company was (apparently) able to break this encryption and make a full joypad emulation.

This caught my interest and I started to collect more information in order to understand how they did it.
Below you can find some of the results I have got so far by analysing and reversing their software.

I started from their software update (http://www.br*okaccess*ry.com/downl*ad/PS4/) and I discovered that their firmware files are stored here: ftp://219_84_35_58:21/ b r o o khex /

Some notes:
1) By looking at the circuit board images and doing some reverse engineering, I discovered that the uC used is the Nuvoton M452RG6AE/M452RE6AE, which is an ARM Cortex-M4. You can find the datasheet here:
http://www.nuvoton.com/hq/products/

2) At this point I started to analyse the hex files available on the FTP server.
Almost all of the firmware files have some sort of encryption.
For instance, if you open a file under the "/Fighting Board/" folder, the first line might look like this:
:10000000A976D7144AAB0748401C6DA28CF3B39174
If you are familiar with the Intel HEX format, you can easily see that this is pure garbage (if it weren't encrypted).
The software updater sends the payload encrypted to the uC, so I assume that the uC bootloader (located in the LDROM) decrypts the bytes and writes them into the APROM.

3) There is one specific project where the firmware files are not encrypted.
I'm talking about the hex files included in the P2_P3 P4 folder.

Using these files, I started trying to understand how the HEX encryption works, under the assumption that the first lines are (almost) always the same for every project done by this company.
Personally, I don't think that a difficult encryption algorithm has been used; this is based on the diff that I made of every file. I think that some (fast) recursive XOR has been used (something like the Salsa20 or ChaCha algorithm), but so far I haven't found any solution.

I took 3 files for my analysis:

1) ZP003030 V19 20170328 APROM AF25 auth.hex (crypted)
2) ZP003030 V18 20160913 APROM 2A79 auth.hex (crypted)
3) ZPJ0J010 V21 20170627 LD-6EAD AP-746E.hex (not crypted)

Note 2:
The number that you see before "auth" is the CRC that is used when the firmware is uploaded to the uC (these are not used for the hex encryption, I'm 99% sure).
Basically, from what I understood, the Windows application sends the (encrypted) payload to the uC, which writes it (still encrypted) to an external I2C memory.
At this point the uC reads the I2C memory and calculates the checksum; the number is sent back to the Windows application for a cross-check.
If the checksum is valid, the application sends the command to the uC to write the firmware.
At this point the uC reads the I2C memory -> decrypts the content -> writes it into the APROM section.


Anyway, the first 12-13 hex lines (16 bytes each) should always be the same.

As you can see, the bytes are almost the same for AF25/2A79, except for some of them.
If you start doing some math, you can see that there is an offset of 0x18 (for the first 60 bytes), 0x28 (for bytes 61..68) and so on.
In particular, the first line is always the same because it contains the entry point address (0x00000171) that is common to every hex file.

AF25/2A79/746E
:10000000 91 76 D7 14 32 AB 07 48 28 1C 6D A2 8C F3 9B 91 D4
:10000000 A9 76 D7 14 4A AB 07 48 40 1C 6D A2 8C F3 B3 91 74
:10000000 88 29 00 20 71 01 00 00 79 01 00 00 55 01 00 00 DD

:10001000 44 23 CC C3 F7 54 FD F8 DA C5 40 19 61 7E 4A 1B 6E
:10001000 44 23 E4 C3 F7 54 15 F9 DA C5 58 19 79 7E 4A 1B 0D
:10001000 7D 01 00 00 7F 01 00 00 81 01 00 00 00 00 00 00 60

:10002000 C6 F2 AB 7F FC D9 F6 22 2C 0D 27 56 18 7E 8C B0 79
:10002000 DE F2 AB 7F FC D9 0E 23 2C 0D 3F 56 18 7E A4 B0 18
:10002000 00 00 00 00 00 00 00 00 00 00 00 00 83 01 00 00 4C

:10003000 10 F5 F8 00 45 26 29 33 DD 69 79 56 B8 D7 BC 76 26
:10003000 10 F5 10 01 45 26 41 33 F5 69 79 56 D0 D7 BC 76 C5
:10003000 85 01 00 00 00 00 00 00 87 01 00 00 89 01 00 00 28

:10004000 B3 2E DD DB 93 A2 3E 40 03 99 C3 D2 A8 CA F3 05 C9
:10004000 CB 2E DD DB BB A2 3E 40 03 99 EB D2 A8 CA 1B 06 38
:10004000 8B 01 00 00 8B 01 00 00 8B 01 00 00 8B 01 00 00 80

:10005000 D2 61 17 3D D0 D8 83 8D 8E 0B B4 BF 4D 3D E5 F4 F2
:10005000 0A 61 17 3D 08 D8 83 8D B6 08 B4 BF 75 3A E5 F4 38
:10005000 8B 01 00 00 8B 01 00 00 8B 01 00 00 8B 01 00 00 70

:10006000 26 AB 28 15 C2 7B 96 00 9C EE F7 64 57 20 48 BF 4C
:10006000 4E A8 28 15 C3 7B BE FD 9D EE 1F 62 58 20 70 BC B4
:10006000 8B 01 00 00 8B 01 00 00 8B 01 00 00 8B 01 00 00 60

:10007000 0C 52 78 F2 52 4B 7B C4 3A BF E7 14 9C 46 6F F0 A7
:10007000 03 52 A0 EF 7A 48 72 C4 62 BC DE 14 85 46 97 ED 45
:10007000 8B 01 00 00 8B 01 00 00 8B 01 00 00 8B 01 00 00 50
:10008000 5B 78 A0 25 34 E6 E3 45 2F 3D 04 AB 09 B0 65 0F 4E
:10008000 44 78 C8 22 23 E6 0B 43 1E 3D 2C A8 F8 AF 8D 0C 04
:10008000 8B 01 00 00 8B 01 00 00 8B 01 00 00 8B 01 00 00 40

:10009000 3E 68 39 E0 AD 89 69 13 A7 FD CE 6D 91 72 3B BE 14
:10009000 56 67 28 E0 C5 88 58 13 BF FC BD 6D B9 73 2A BE EA
:10009000 8B 01 00 00 8B 01 00 00 8B 01 00 00 8B 01 00 00 30

:1000A000 E0 EE C6 A3 89 1D F8 D8 B0 F8 ED 8C AB 4F 0E F2 88
:1000A000 CF EE EE A4 78 1D 20 DA E8 FB DC 8C E3 52 FD F1 04
:1000A000 8B 01 00 00 8B 01 00 00 8B 01 00 00 8B 01 00 00 20

:1000B000 9B C5 6F 56 56 F7 BF B0 FB 28 F0 E3 DE 3F 6A 9B 47
:1000B000 C3 C6 5E 56 7E F8 AE B0 23 2A DF E3 CF 3F 92 9C E4
:1000B000 8B 01 00 00 8B 01 00 00 8B 01 00 00 8B 01 00 00 10

Is there any mathematician who is interested in trying to break this :-) ?
Thanks.
Bye.
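Added example (editor's note, not the original poster's code): the differencing that the post does by hand, written out as a small Python script. It parses Intel HEX data records, rejects a record whose checksum is wrong, and then compares the two encrypted images three ways: arithmetic byte difference mod 256, XOR difference, and little-endian 32-bit word difference mod 2^32. A keystream applied by XOR preserves the XOR difference between two plaintexts, while one applied by modular addition preserves the arithmetic difference, so printing both shows which property the data actually has. The sample records are the first three lines of the AF25, 2A79 and 746E files quoted in the post, re-joined into raw Intel HEX lines; the corrupted record in the usage note is constructed for the checksum check and does not come from any file.

```python
"""Known-plaintext differencing of Intel HEX firmware records.

Added example for this thread, not the poster's own tooling.  Sample data is
constructed from the dump in the post: records 0x0000..0x002F of each file.
"""
from typing import Dict, List, Tuple

SAMPLE_AF25 = [
    ":100000009176D71432AB0748281C6DA28CF39B91D4",
    ":100010004423CCC3F754FDF8DAC54019617E4A1B6E",
    ":10002000C6F2AB7FFCD9F6222C0D2756187E8CB079",
]
SAMPLE_2A79 = [
    ":10000000A976D7144AAB0748401C6DA28CF3B39174",
    ":100010004423E4C3F75415F9DAC55819797E4A1B0D",
    ":10002000DEF2AB7FFCD90E232C0D3F56187EA4B018",
]
SAMPLE_746E = [  # the unencrypted project: a plain Cortex-M vector table
    ":1000000088290020710100007901000055010000DD",
    ":100010007D0100007F0100008101000000000000 60".replace(" ", ""),
    ":10002000000000000000000000000000830100004C",
]


def record_checksum_ok(line: str) -> bool:
    """Intel HEX: every byte of the record, checksum included, sums to 0 mod 256."""
    return sum(bytes.fromhex(line.strip()[1:])) & 0xFF == 0


def parse_ihex(lines: List[str]) -> Dict[int, int]:
    """Map absolute address -> byte for data records; honour type 02/04 base records."""
    image: Dict[int, int] = {}
    base = 0
    for raw in lines:
        line = raw.strip()
        if not line.startswith(":"):
            continue                          # tolerate blank lines
        if not record_checksum_ok(line):
            raise ValueError(f"bad checksum: {line}")
        rec = bytes.fromhex(line[1:])
        length, addr, rtype = rec[0], int.from_bytes(rec[1:3], "big"), rec[3]
        payload = rec[4:4 + length]
        if len(payload) != length:
            raise ValueError(f"short record: {line}")
        if rtype == 0x04:                     # extended linear address
            base = int.from_bytes(payload, "big") << 16
        elif rtype == 0x02:                   # extended segment address
            base = int.from_bytes(payload, "big") << 4
        elif rtype == 0x00:                   # data record
            for i, b in enumerate(payload):
                image[base + addr + i] = b
    return image


def flatten(image: Dict[int, int], fill: int = 0xFF) -> bytes:
    """Contiguous bytes from the lowest address; gaps take the erased-flash value."""
    lo, hi = min(image), max(image)
    return bytes(image.get(a, fill) for a in range(lo, hi + 1))


def byte_deltas(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Offsets where the images differ, with the arithmetic difference (a - b) mod 256."""
    return [(i, (x - y) & 0xFF) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def xor_deltas(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Same offsets, but the XOR difference (what an XOR keystream would preserve)."""
    return [(i, x ^ y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def word_deltas(a: bytes, b: bytes, width: int = 4) -> List[Tuple[int, int]]:
    """Little-endian word differences (a - b) mod 2**(8*width); a carry stays inside its word."""
    mask = (1 << (8 * width)) - 1
    out = []
    for i in range(0, min(len(a), len(b)) - width + 1, width):
        wa = int.from_bytes(a[i:i + width], "little")
        wb = int.from_bytes(b[i:i + width], "little")
        if wa != wb:
            out.append((i, (wa - wb) & mask))
    return out


def vector_table(plain: bytes, count: int) -> List[int]:
    """First `count` LE words of a Cortex-M image: initial SP, then handler addresses."""
    return [int.from_bytes(plain[i:i + 4], "little") for i in range(0, 4 * count, 4)]


def analyse() -> dict:
    """Difference 2A79 against AF25 and decode the vector table of the plain 746E image."""
    af25 = flatten(parse_ihex(SAMPLE_AF25))
    a2a79 = flatten(parse_ihex(SAMPLE_2A79))
    plain = flatten(parse_ihex(SAMPLE_746E))
    return {
        "bytes": byte_deltas(a2a79, af25),
        "xor": xor_deltas(a2a79, af25),
        "words": word_deltas(a2a79, af25),
        "vectors": vector_table(plain, 12),
    }


if __name__ == "__main__":
    r = analyse()
    for off, d in r["bytes"]:
        print(f"byte 0x{off:02X}: 2A79 - AF25 = 0x{d:02X}")
    for off, d in r["words"]:
        print(f"word 0x{off:02X}: 2A79 - AF25 = 0x{d:08X}")
    print("746E vectors:", [hex(v) for v in r["vectors"]])
```

On the three records quoted in the post, the arithmetic byte deltas between 2A79 and AF25 are a constant 0x18 (with the carry into the following byte at 0x17 and 0x27 where the lower byte wrapped), the XOR deltas at the same offsets are 0x38, 0x78, 0x68, 0x28 and so on, and every word delta is either 0x18 or 0x18 shifted up by 16 bits. The plain 746E image decodes to SP = 0x20002988 followed by Reset = 0x171, the entry point the post mentions. Feeding a record with a flipped checksum digit (for instance the first 2A79 line ending in 75 instead of 74) makes parse_ihex raise ValueError, so a mangled copy is caught before it skews the diff.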