GSM-Forum - View Single Post

smoother · 01-13-2002, 02:40

here we go...........

================================================= #define __targetwindows__

#include <stdio.h> #include <string.h>

#ifdef __targetwindows__ #include <Windows.h> #endif

#define UINT8 unsigned char #define UINT32 unsigned long #define UINT16 unsigned short

#define TRUE 1 #define FALSE 0 #define BOOL int #define FE_INVALID_BUFFER_SIZE 0x65

#define misc_gettickcount GetTickCount

#define LOBYTE(x) (UINT8)((UINT16)x & 0xFF) #define HIBYTE(x) (UINT8)((UINT16)(x >> 8) & 0xFF)

typedef UINT16 (*pFindDK2)(char *Id,char *lpszPKey); typedef void (*pDK2SendAndReceive)(UINT16 dwID, char *Id,UINT8 *AU8encryptblock, UINT32 U32encryptlen, UINT8 *AU8inbuff, UINT32 U32inbufflen, UINT8 *AU8outbuff, UINT32 U32outbufflen, UINT8 U8tmp); typedef BOOL (*pDK2Success)(void);

HMODULE lib = NULL;

pDK2SendAndReceive DK2SendAndReceive; pFindDK2 FindDK2; pDK2Success DK2Success;

#define __DK2__ // #define __ALWAYSRANDOM__

static int flash_errno; static UINT16 U16startingseed = 0;

static void FLS1_Randomize(UINT16 U16seed) { U16startingseed = U16seed; }

static UINT8 FLS1_Random(void) { UINT16 U16seed = U16startingseed; UINT16 i; UINT8 U8al,U8dl;

for (i=0;i<9;i++) { U8dl = U8al = LOBYTE(U16seed); U8al >>= 1; U8al ^= U8dl;

if (U8al & 1) { U16seed |= 0x8000; } else { U16seed &= 0x7FFF; }

U16seed >>= 1; U8al >>=1;

if (U8dl & 1) { U8al |= 0x80; } else { U8al &= 0x7F; } }

U16startingseed = U16seed; return U8al; } static void FLS1_GetRandomNumber(UINT8 *pAU8encryptblock, UINT8 U8seed1, UINT8 U8seed2) { #ifdef __ALWAYSRANDOM__ UINT32 U32tickcount = misc_gettickcount(); #else UINT32 U32tickcount = 0x55AA; #endif UINT16 U16tickcount; UINT8 U8num;

FLS1_Randomize(U32tickcount);

U16tickcount = U32tickcount & 0xFFFF;

pAU8encryptblock[0] = 13; pAU8encryptblock[1] = U8seed1; pAU8encryptblock[2] = HIBYTE(U16tickcount); pAU8encryptblock[3] = LOBYTE(U16tickcount);

U8num = FLS1_Random(); U8num ^= U8seed2; pAU8encryptblock[4] = U8num; }

 static BOOL FLS1_CalculateAuthorityID(UINT8 *pAU8inbuff, UINT32 U32inbufflen, UINT8 *pAU8outbuff, UINT32 U32outbufflen) { UINT8 AU8encryptblock[6]; UINT8 AU8tmpbuff[28]; UINT8 AU8outbuff[13]; UINT8 U8num; UINT16 i; #ifdef __DK2__ UINT16 DataReg; UINT8 Id[] = "NK"; #endif

if (U32inbufflen<1 || U32inbufflen>28 || U32outbufflen>12 || !pAU8inbuff || !pAU8outbuff || U32outbufflen==0) { flash_errno = FE_INVALID_BUFFER_SIZE; return FALSE; }

memset(AU8encryptblock,0,sizeof(AU8encryptblock)); memset(AU8tmpbuff,0,sizeof(AU8tmpbuff)); memcpy(AU8tmpbuff,pAU8inbuff,(UINT16)(U32inbufflen & 0xFFFF)); FLS1_GetRandomNumber(AU8encryptblock, 1, 0);

AU8encryptblock[5] = FLS1_Random(); AU8encryptblock[5] ^= 1;

for (i=0;i<28;i++) { U8num = FLS1_Random(); AU8tmpbuff[i] ^= U8num; }

printf("encryption block:"); for (i=0;i<sizeof(AU8encryptblock);i++) { printf("%02X ",AU8encryptblock[i]); } printf("\n");

 printf("bytestream to be decrypted:"); for (i=0;i<sizeof(AU8tmpbuff);i++) { printf("%02X ",AU8tmpbuff[i]); } printf("\n");

#ifdef __DK2__ DataReg = FindDK2(Id, NULL); if (DataReg==0) { DataReg = FindDK2(Id, "1234"); if (DataReg==0) { printf("DK2 not found\n"); return FALSE; } } DK2SendAndReceive(DataReg, Id, AU8encryptblock, sizeof(AU8encryptblock), AU8tmpbuff, sizeof(AU8tmpbuff), AU8outbuff, sizeof(AU8outbuff), 1); if (!DK2Success()) { printf("bad response from DK2\n"); return FALSE; } #else for (i=0;i<sizeof(AU8outbuff);i++) { AU8outbuff[i] = AU8tmpbuff[i] ^ AU8encryptblock[i % sizeof(AU8encryptblock)]; } #endif

printf("decrypted bytestream step 1:"); for (i=0;i<(UINT16)(U32outbufflen & 0xFFFF);i++) { printf("%02X ",AU8outbuff[i]); } printf("\n");

 for (i=0;i<13;i++) { U8num = FLS1_Random(); AU8outbuff[i] ^= U8num; }

memcpy(pAU8outbuff,AU8outbuff,(UINT16)(U32outbuffl en & 0xFFFF));

printf("decrypted bytestream step 2:"); for (i=0;i<(UINT16)(U32outbufflen & 0xFFFF);i++) { printf("%02X ",pAU8outbuff[i]); } printf("\n");

return TRUE; }

BOOL FLS1_GetAuthorityID(UINT8 U8seed1, UINT8 U8seed2, UINT8 *pAU8inbuff, UINT32 U32inbufflen, UINT8 *pAU8outbuff, UINT32 U32outbufflen) { UINT8 AU8buffer[64];

memset(AU8buffer,0,sizeof(AU8buffer));

AU8buffer[0] = 1; AU8buffer[1] = U8seed1; AU8buffer[2] = U8seed2; memcpy(&AU8buffer[3],pAU8inbuff,(UINT16)(U32inbufflen & 0xFFFF)); return FLS1_CalculateAuthorityID(AU8buffer,(U32inbufflen & 0xFFFF) + 3,pAU8outbuff,U32outbufflen); }

BOOL FLS1_DecodeMSID(UINT8 *pAU8MSIDin,UINT8 *pAU8MSIDout) { BOOL Bsuccess; UINT8 AU8outbuff[12];

memset(pAU8MSIDout,0,12); Bsuccess = FLS1_GetAuthorityID(0,pAU8MSIDin[0],&pAU8MSIDin[1],12,AU8outbuff,sizeof(AU8outbuff)); if (Bsuccess) { memcpy(pAU8MSIDout,AU8outbuff,sizeof(AU8outbuff)); }

return Bsuccess; }

 /************************************************** ****** * * * FUNCTION NAME: * * * * ARGUMENTS: * * * * ARGUMENT NAME: * * * * TYPE: * * * * I/O: * * * * DESCRIPTION * * * * * * RETURNS: * * * ************************************************* ********/

static BOOL GetFunc(char *dllname,char *funcname, FARPROC *funcptr) { *funcptr = NULL;

if (!lib) { lib = LoadLibrary(dllname); if (!lib) { printf("%s not found\n",dllname); return FALSE; } }

*funcptr = GetProcAddress(lib, funcname);

return *funcptr!=NULL; }

 /************************************************** ****** * * * FUNCTION NAME: * * * * ARGUMENTS: * * * * ARGUMENT NAME: * * * * TYPE: * * * * I/O: * * * * DESCRIPTION * * * * * * RETURNS: * * * ************************************************* ********/

static BOOL InitializeLibrary(char *dllname) { if (!GetFunc(dllname,"DK2SendAndReceive",(FARPROC *)&DK2SendAndReceive)) { printf("DK2SendAndReceive not found in %s\n",dllname); return FALSE; }

if (!GetFunc(dllname,"FindDK2",(FARPROC *)&FindDK2)) { printf("FindDK2 not found in %s\n",dllname); return FALSE; }

if (!GetFunc(dllname,"DK2Success",(FARPROC *)&DK2Success)) { printf("DK2Success not found in %s\n",dllname); return FALSE; }

return TRUE; }

 void main(void) { UINT8 MSID[] = {0x82, 0xe8, 0xe4, 0x47, 0xf5, 0xbf, 0x59, 0xba, 0xa0, 0x6c, 0xd0, 0x8e ,0x04}; UINT8 MSIDout[12]; char buf[128];

GetSystemDirectory(buf, sizeof(buf)); strcat(buf,"\\DK2WIN32.DLL"); if (!InitializeLibrary(buf)) { printf("cannot load DK2 lib\n"); if (lib) { FreeLibrary(lib); } return; }

printf("functions indentified\n");

printf("----------------------\n"); memset(MSIDout,0,sizeof(MSIDout)); FLS1_DecodeMSID(MSID,MSIDout);

// expected flashid should be: B3679FA3, Cobba ID: 002213DB 1D FreeLibrary(lib); }

==============================================

 SORRY FOR THE FLOOD!!! but i think maybe this is usefull to get FAID calc!

01-13-2002, 02:40	#1 (permalink)
smoother Freak Poster Join Date: May 2001 Location: Portugal Posts: 132 Member: 4812 Status: Offline Thanks Meter: 0	take a look to this FAID.C file!!! here we go........... =================================================< br />#define __targetwindows__ #include <stdio.h><br />#include <string.h> #ifdef __targetwindows__<br /> #include <Windows.h><br />#endif #define UINT8 unsigned char<br />#define UINT32 unsigned long<br />#define UINT16 unsigned short #define TRUE 1<br />#define FALSE 0<br />#define BOOL int<br />#define FE_INVALID_BUFFER_SIZE 0x65 #define misc_gettickcount GetTickCount #define LOBYTE(x) (UINT8)((UINT16)x & 0xFF)<br />#define HIBYTE(x) (UINT8)((UINT16)(x >> 8) & 0xFF) typedef UINT16 (pFindDK2)(char Id,char lpszPKey);<br />typedef void (pDK2SendAndReceive)(UINT16 dwID, char Id,UINT8 AU8encryptblock, UINT32 U32encryptlen, UINT8 AU8inbuff, UINT32 U32inbufflen, UINT8 AU8outbuff, UINT32 U32outbufflen, UINT8 U8tmp);<br />typedef BOOL (pDK2Success)(void); HMODULE lib = NULL; pDK2SendAndReceive DK2SendAndReceive;<br />pFindDK2 FindDK2;<br />pDK2Success DK2Success; #define __DK2__<br />// #define __ALWAYSRANDOM__ static int flash_errno;<br />static UINT16 U16startingseed = 0; static void FLS1_Randomize(UINT16 U16seed)<br />{<br /> U16startingseed = U16seed;<br />} static UINT8 FLS1_Random(void)<br />{<br /> UINT16 U16seed = U16startingseed;<br /> UINT16 i;<br /> UINT8 U8al,U8dl; for (i=0;i<9;i++)<br /> {<br /> U8dl = U8al = LOBYTE(U16seed);<br /> U8al >>= 1;<br /> U8al ^= U8dl; if (U8al & 1)<br /> {<br /> U16seed \|= 0x8000;<br /> }<br /> else<br /> {<br /> U16seed &= 0x7FFF;<br /> } U16seed >>= 1;<br /> U8al >>=1; if (U8dl & 1)<br /> {<br /> U8al \|= 0x80;<br /> }<br /> else<br /> {<br /> U8al &= 0x7F;<br /> }<br /> } U16startingseed = U16seed;<br /> return U8al;<br />}<br /> <br />static void FLS1_GetRandomNumber(UINT8 pAU8encryptblock, UINT8 U8seed1, UINT8 U8seed2)<br />{<br />#ifdef __ALWAYSRANDOM__<br /> UINT32 U32tickcount = misc_gettickcount();<br />#else<br /> UINT32 U32tickcount = 0x55AA;<br />#endif<br /> UINT16 U16tickcount;<br /> UINT8 U8num; FLS1_Randomize(U32tickcount); U16tickcount = U32tickcount & 0xFFFF; pAU8encryptblock[0] = 13;<br /> pAU8encryptblock[1] = U8seed1;<br /> pAU8encryptblock[2] = HIBYTE(U16tickcount);<br /> pAU8encryptblock[3] = LOBYTE(U16tickcount); U8num = FLS1_Random();<br /> U8num ^= U8seed2;<br /> pAU8encryptblock[4] = U8num;<br />} <br />static BOOL FLS1_CalculateAuthorityID(UINT8 pAU8inbuff, UINT32 U32inbufflen, UINT8 pAU8outbuff, UINT32 U32outbufflen)<br />{<br /> UINT8 AU8encryptblock[6];<br /> UINT8 AU8tmpbuff[28];<br /> UINT8 AU8outbuff[13];<br /> UINT8 U8num;<br /> UINT16 i;<br />#ifdef __DK2__<br /> UINT16 DataReg;<br /> UINT8 Id[] = "NK";<br />#endif if (U32inbufflen<1 \|\| U32inbufflen>28 \|\| U32outbufflen>12 \|\|<br /> !pAU8inbuff \|\| !pAU8outbuff \|\| U32outbufflen==0)<br /> {<br /> flash_errno = FE_INVALID_BUFFER_SIZE;<br /> return FALSE;<br /> } memset(AU8encryptblock,0,sizeof(AU8encryptblock)); <br /> memset(AU8tmpbuff,0,sizeof(AU8tmpbuff));<br /> memcpy(AU8tmpbuff,pAU8inbuff,(UINT16)(U32inbufflen & 0xFFFF));<br /> <br /> FLS1_GetRandomNumber(AU8encryptblock, 1, 0); AU8encryptblock[5] = FLS1_Random();<br /> AU8encryptblock[5] ^= 1; for (i=0;i<28;i++)<br /> {<br /> U8num = FLS1_Random();<br /> AU8tmpbuff[i] ^= U8num;<br /> } printf("encryption block:");<br /> for (i=0;i<sizeof(AU8encryptblock);i++)<br /> {<br /> printf("%02X ",AU8encryptblock[i]);<br /> }<br /> printf("\n"); <br /> printf("bytestream to be decrypted:");<br /> for (i=0;i<sizeof(AU8tmpbuff);i++)<br /> {<br /> printf("%02X ",AU8tmpbuff[i]);<br /> }<br /> printf("\n"); #ifdef __DK2__<br /> DataReg = FindDK2(Id, NULL);<br /> if (DataReg==0)<br /> {<br /> DataReg = FindDK2(Id, "1234");<br /> if (DataReg==0)<br /> {<br /> printf("DK2 not found\n");<br /> return FALSE;<br /> }<br /> }<br /> DK2SendAndReceive(DataReg, Id, AU8encryptblock, sizeof(AU8encryptblock), AU8tmpbuff, sizeof(AU8tmpbuff), AU8outbuff, sizeof(AU8outbuff), 1);<br /> if (!DK2Success())<br /> {<br /> printf("bad response from DK2\n");<br /> return FALSE;<br /> }<br />#else<br /> for (i=0;i<sizeof(AU8outbuff);i++)<br /> {<br /> AU8outbuff[i] = AU8tmpbuff[i] ^ AU8encryptblock[i % sizeof(AU8encryptblock)];<br /> }<br />#endif printf("decrypted bytestream step 1:");<br /> for (i=0;i<(UINT16)(U32outbufflen & 0xFFFF);i++)<br /> {<br /> printf("%02X ",AU8outbuff[i]);<br /> }<br /> printf("\n"); <br /> for (i=0;i<13;i++)<br /> {<br /> U8num = FLS1_Random();<br /> AU8outbuff[i] ^= U8num;<br /> } memcpy(pAU8outbuff,AU8outbuff,(UINT16)(U32outbuffl en & 0xFFFF)); printf("decrypted bytestream step 2:");<br /> for (i=0;i<(UINT16)(U32outbufflen & 0xFFFF);i++)<br /> {<br /> printf("%02X ",pAU8outbuff[i]);<br /> }<br /> printf("\n"); return TRUE;<br />} BOOL FLS1_GetAuthorityID(UINT8 U8seed1, UINT8 U8seed2, UINT8 pAU8inbuff, UINT32 U32inbufflen, UINT8 pAU8outbuff, UINT32 U32outbufflen)<br />{<br /> UINT8 AU8buffer[64]; memset(AU8buffer,0,sizeof(AU8buffer)); AU8buffer[0] = 1;<br /> AU8buffer[1] = U8seed1;<br /> AU8buffer[2] = U8seed2;<br /> memcpy(&AU8buffer[3],pAU8inbuff,(UINT16)(U32inbufflen & 0xFFFF));<br /> return FLS1_CalculateAuthorityID(AU8buffer,(U32inbufflen & 0xFFFF) + 3,pAU8outbuff,U32outbufflen);<br />} BOOL FLS1_DecodeMSID(UINT8 pAU8MSIDin,UINT8 pAU8MSIDout)<br />{<br /> BOOL Bsuccess;<br /> UINT8 AU8outbuff[12]; memset(pAU8MSIDout,0,12);<br /> Bsuccess = FLS1_GetAuthorityID(0,pAU8MSIDin[0],&pAU8MSIDin[1],12,AU8outbuff,sizeof(AU8outbuff));<br /> if (Bsuccess)<br /> {<br /> memcpy(pAU8MSIDout,AU8outbuff,sizeof(AU8outbuff)); <br /> } return Bsuccess;<br />} <br />/************************************************ ***<br /> <br /> FUNCTION NAME: <br /> <br /> ARGUMENTS: <br /> <br /> ARGUMENT NAME: <br /> <br /> TYPE: <br /> <br /> I/O: <br /> <br /> DESCRIPTION <br /> <br /> <br /> RETURNS: <br /> <br />********************************************** *****/ static BOOL GetFunc(char dllname,char funcname, FARPROC funcptr)<br />{<br /> funcptr = NULL; if (!lib)<br /> {<br /> lib = LoadLibrary(dllname);<br /> if (!lib)<br /> {<br /> printf("%s not found\n",dllname);<br /> return FALSE;<br /> }<br /> } funcptr = GetProcAddress(lib, funcname); return funcptr!=NULL;<br />} <br />/*********************************************** ***<br /> <br /> FUNCTION NAME: <br /> <br /> ARGUMENTS: <br /> <br /> ARGUMENT NAME: <br /> <br /> TYPE: <br /> <br /> I/O: <br /> <br /> DESCRIPTION <br /> <br /> <br /> RETURNS: <br /> <br />********************************************** *****/ static BOOL InitializeLibrary(char dllname)<br />{<br /> if (!GetFunc(dllname,"DK2SendAndReceive",(FARPROC )&DK2SendAndReceive))<br /> {<br /> printf("DK2SendAndReceive not found in %s\n",dllname);<br /> return FALSE;<br /> } if (!GetFunc(dllname,"FindDK2",(FARPROC )&FindDK2))<br /> {<br /> printf("FindDK2 not found in %s\n",dllname);<br /> return FALSE;<br /> } if (!GetFunc(dllname,"DK2Success",(FARPROC *)&DK2Success))<br /> {<br /> printf("DK2Success not found in %s\n",dllname);<br /> return FALSE;<br /> } return TRUE;<br />} <br />void main(void)<br />{<br /> UINT8 MSID[] = {0x82, 0xe8, 0xe4, 0x47, 0xf5, 0xbf, 0x59, 0xba, 0xa0, 0x6c, 0xd0, 0x8e ,0x04};<br /> UINT8 MSIDout[12];<br /> char buf[128]; GetSystemDirectory(buf, sizeof(buf));<br /> strcat(buf,"\\DK2WIN32.DLL");<br /> if (!InitializeLibrary(buf))<br /> {<br /> printf("cannot load DK2 lib\n");<br /> if (lib)<br /> {<br /> FreeLibrary(lib);<br /> }<br /> return;<br /> } printf("functions indentified\n"); printf("----------------------\n");<br /> memset(MSIDout,0,sizeof(MSIDout));<br /> FLS1_DecodeMSID(MSID,MSIDout); // expected flashid should be: B3679FA3, Cobba ID: 002213DB 1D<br /> FreeLibrary(lib);<br />} ============================================== <br />SORRY FOR THE FLOOD!!!<br />but i think maybe this is usefull to get FAID calc!