GSM Programming & Reverse Engineering: Here you can post all kinds of GSM programming and reverse engineering tools and secrets.
01-08-2016, 23:21 | #1 (permalink) |
No Life Poster Join Date: Feb 2003 Location: Inside CPU Age: 43
Posts: 1,861
Member: 23420 Status: Offline Thanks Meter: 3,080 |
question about imei encryption in samsung

There are 3 files located in /data/misc/radio:
/data/misc/radio/ahrh = AES encrypted IMEI
/data/misc/radio/mgzc = AES key
/data/misc/radio/dakl = AES IV

Decrypted is 15 bytes IMEI, then 0x00, then check digit, then 15 times 0x00, ending with 4D. Ex:
33353331363330353437353932313100310000000000000000 0000000000004D

But those files are rewritten on phone boot, so the IMEI is also stored in the NV_DATA.bin. Anyone know how it's encoded there?

I have 32 bytes for the IMEI:
7C5F2D7611F15BF9E8A71D70387639DC7879FA3A8A8054838005BA39F33C1108
and then another 16 bytes:
DFD4868D439D6F25C891F91FCFD729C8
The IMEI number corresponding with this is: 353163054759211
The Following 2 Users Say Thank You to ssa For This Useful Post: |
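Added example, not code from the original post or from Samsung: a parser for the decrypted 32-byte record described in post #1, plus the Luhn check that ties the stored check digit to the IMEI. The sample input is the plaintext hex quoted in the post; the padding length the parser enforces (14 zero bytes between the check digit and the 0x4D trailer) is taken from that hex. Decrypting ahrh with the key from mgzc and the IV from dakl has to happen before this step; the post does not name the AES mode those files use, so that step is not reproduced here.

```python
"""Added example: parse the decrypted ahrh record and check its IMEI.

Not code from the original post or from Samsung. Assumed record layout, from
the post's description and the hex it quotes: 15 ASCII IMEI digits, 0x00, one
ASCII check digit, zero padding, trailing 0x4D (32 bytes in all). AES
decryption of ahrh with the key from mgzc and the IV from dakl happens before
this step; the post does not name the mode, so it is not reproduced here.
"""
from dataclasses import dataclass

# Plaintext exactly as quoted in the post (forum line-wrap space removed).
POST_PLAINTEXT = bytes.fromhex(
    "33353331363330353437353932313100310000000000000000"
    "0000000000004D"
)
RECORD_LEN = 32
TRAILER = 0x4D


@dataclass(frozen=True)
class ImeiRecord:
    imei: str         # 15 ASCII digits as stored
    check_digit: str  # ASCII digit stored after the NUL terminator
    trailer: int      # last byte of the record


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string; for an IMEI, pass the first 14 digits."""
    if not payload.isdigit():
        raise ValueError("payload must be decimal digits")
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, starting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def parse_imei_record(blob: bytes) -> ImeiRecord:
    """Split one 32-byte record into fields, rejecting anything off-layout."""
    if len(blob) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} bytes, got {len(blob)}")
    imei = blob[:15].decode("ascii")
    if not imei.isdigit():
        raise ValueError("IMEI field is not 15 ASCII digits")
    if blob[15] != 0:
        raise ValueError("missing NUL after the IMEI")
    check_digit = chr(blob[16])
    if not check_digit.isdigit():
        raise ValueError("check-digit field is not an ASCII digit")
    if any(blob[17:RECORD_LEN - 1]):
        raise ValueError("padding between check digit and trailer is not zero")
    return ImeiRecord(imei, check_digit, blob[RECORD_LEN - 1])


def record_is_consistent(rec: ImeiRecord) -> bool:
    """The stored check digit must equal the IMEI's own 15th digit, and both
    must be the Luhn digit of the first 14; the trailer must be 0x4D."""
    expected = luhn_check_digit(rec.imei[:14])
    return rec.check_digit == rec.imei[14] == expected and rec.trailer == TRAILER


def is_valid_record(blob: bytes) -> bool:
    """Parse plus consistency check, as a single yes/no for callers."""
    try:
        return record_is_consistent(parse_imei_record(blob))
    except ValueError:
        return False


def build_imei_record(imei: str) -> bytes:
    """Inverse of parse_imei_record, e.g. to prepare a record for re-encryption."""
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be 15 digits")
    if imei[14] != luhn_check_digit(imei[:14]):
        raise ValueError("IMEI fails its Luhn check")
    body = imei.encode("ascii") + b"\x00" + imei[14].encode("ascii")
    return body.ljust(RECORD_LEN - 1, b"\x00") + bytes([TRAILER])


if __name__ == "__main__":
    rec = parse_imei_record(POST_PLAINTEXT)
    print(rec, record_is_consistent(rec))
```

Feed the output of the AES step into parse_imei_record; a record that parses but fails record_is_consistent is a sign of a wrong key/IV or a different layout, not of a bad IMEI.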
01-10-2016, 01:13 | #2 (permalink) |
Moderator Join Date: May 1999 Location: Blagoevgrad, Bulgaria Age: 52
Posts: 1,056
Member: 73 Status: Offline Thanks Meter: 537 | AES CTR... key, salt, hwid: do you know where to get them from?
__________________ You'll die as you lived in a flash of the blade, in a corner forgotten by no one You lived for the touch for the feel of the steel One man, and his honor. |
01-10-2016, 02:10 | #4 (permalink) |
Moderator Join Date: May 1999 Location: Blagoevgrad, Bulgaria Age: 52
Posts: 1,056
Member: 73 Status: Offline Thanks Meter: 537 | I don't know how to obtain the hwid from the phone. If you know, say so. Otherwise, without the hwid you can't generate the key, and it is nonsense. The data is encrypted with AES in CTR mode. And if you think I will teach anyone what CTR mode is, you are wrong.
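Added example, not from any post in this thread: what "AES in CTR mode" means for a record like this. CTR turns the block cipher into a keystream generator, so the mode can be shown with any block function; Python's standard library has no AES, so SHA-256 over key||counter stands in for AES-128 of the counter block here (an assumption that changes nothing about the mode's properties). The key, IV and the two padded IMEI records are constructed for the demo and are not Samsung values. Two consequences follow from the mode alone: a known plaintext gives the keystream for those bytes without the key, and reusing an IV under the same key leaks the XOR of two plaintexts. Whether the real NV layer adds a keyed integrity check on top of the encryption is not settled in this thread.

```python
"""Added example: CTR mode as a keystream, and what a known plaintext buys.

Not code from the original posts. SHA-256(key || counter) stands in for
AES-128(counter) as the block function (assumption); CTR itself is unchanged.
Key, IV and records below are constructed for the demonstration.
"""
import hashlib

BLOCK = 16


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """CTR keystream: block i = F_key(IV + i), the IV read as a 128-bit counter."""
    if len(iv) != BLOCK:
        raise ValueError("IV must be one 16-byte block")
    start = int.from_bytes(iv, "big")
    out = bytearray()
    for i in range(-(-length // BLOCK)):          # ceil(length / BLOCK) blocks
        counter = ((start + i) % (1 << 128)).to_bytes(BLOCK, "big")
        # Stand-in for AES-128 encryption of the counter block (assumption).
        out += hashlib.sha256(key + counter).digest()[:BLOCK]
    return bytes(out[:length])


def ctr_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, iv, len(data))))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """A known plaintext (an IMEI record whose content is printed on the box)
    yields the keystream for those positions with no knowledge of the key."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def rewrite_without_key(ciphertext: bytes, known_plaintext: bytes,
                        new_plaintext: bytes) -> bytes:
    """Replace the plaintext under a CTR ciphertext using only the known
    plaintext. Only the positions covered by known_plaintext can be changed,
    and only if the same (key, IV) pair is used when the result is read back."""
    if len(new_plaintext) != len(known_plaintext):
        raise ValueError("new plaintext must cover exactly the known bytes")
    ks = recover_keystream(ciphertext, known_plaintext)
    return bytes(k ^ p for k, p in zip(ks, new_plaintext))


def same_iv_leak(ct_a: bytes, ct_b: bytes) -> bytes:
    """Two records under the same (key, IV) leak plaintext_a XOR plaintext_b;
    this is why a per-record (custom) IV matters in CTR."""
    return bytes(a ^ b for a, b in zip(ct_a, ct_b))


# Constructed demo values (not from a device).
DEMO_KEY = hashlib.sha256(b"demo hwid-derived key").digest()[:16]
DEMO_IV = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
RECORD_A = b"353163054759211".ljust(32, b"\x00")   # an IMEI quoted in this thread, padded
RECORD_B = b"353976058443205".ljust(32, b"\x00")   # another IMEI quoted in this thread, padded


def demo() -> dict:
    """Round trip, then swap record A for record B under the same ciphertext
    without ever touching DEMO_KEY."""
    ct_a = ctr_crypt(DEMO_KEY, DEMO_IV, RECORD_A)
    forged = rewrite_without_key(ct_a, RECORD_A, RECORD_B)
    return {
        "roundtrip_ok": ctr_crypt(DEMO_KEY, DEMO_IV, ct_a) == RECORD_A,
        "forgery_decrypts_to_b": ctr_crypt(DEMO_KEY, DEMO_IV, forged) == RECORD_B,
        "iv_reuse_leaks_xor": same_iv_leak(ct_a, forged)
                              == bytes(a ^ b for a, b in zip(RECORD_A, RECORD_B)),
    }


if __name__ == "__main__":
    print(demo())
```

The design point: CTR gives confidentiality only. A device-unique key and a record-specific IV stop the keystream from being shared across devices or rewrites, but a field whose plaintext is public still needs a keyed integrity check (a MAC, or an AEAD mode) to prevent rewrite_without_key from being a valid operation.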
01-10-2016, 20:02 | #5 (permalink) |
No Life Poster Join Date: Feb 2003 Location: Inside CPU Age: 43
Posts: 1,861
Member: 23420 Status: Offline Thanks Meter: 3,080 | The HWID is needed to decrypt the EFSv2, but this IMEI encoding in the NV_data was already there even with EFSv1 (i9100 etc. phones), so it's something very old... but I'm still curious how it's done in the nv_data.
01-11-2016, 07:29 | #6 (permalink) |
No Life Poster Join Date: Jan 2004 Location: Unknown Age: 39
Posts: 9,227
Member: 49752 Status: Offline Sonork: QQ:1474246528 Thanks Meter: 6,085 | Hello, it's binary format 0305 in NV data with tsl and some crap in NV data. Older models use ARIA. New models use the IMEI in binary and AES CTR with a custom IV and the HW ID as the first 16 bytes.
01-13-2016, 14:23 | #8 (permalink) |
Banned Join Date: Nov 2013 Location: Chicago, IL
Posts: 995
Member: 2076039 Status: Offline Thanks Meter: 648 | As far as I know there were a few remote unlock/imei repair programs that got the HWID. IIRC, @hoang's client used to do this. BTW, this is the best thread in this section that I've seen in about a year. Five thumbs up. |
The Following User Says Thank You to ecs87 For This Useful Post: |
01-13-2016, 22:02 | #9 (permalink) |
No Life Poster Join Date: Feb 2003 Location: Inside CPU Age: 43
Posts: 1,861
Member: 23420 Status: Offline Thanks Meter: 3,080 |
I downloaded the libsec-ril.so from an old i9100 phone, and after some searching I found
Code:
```c
signed int __fastcall RxRFS_NVWrite(int a1, int a2)
{
  int v2; // r10@1
  int v3; // r8@1
  int v4; // r0@4
  signed int v5; // r4@6
  void *v6; // r0@7
  void *v7; // r7@7
  size_t v8; // r4@8
  void *v9; // r0@10
  int v10; // r0@12
  int v11; // r9@12
  int v12; // r0@14
  unsigned int v13; // r6@15
  int v14; // r0@17
  char v15[4]; // r1@17
  const char *v16; // r2@17
  int v17; // r3@17
  int v18; // r0@17
  size_t v19; // r2@18
  int v20; // r0@20
  int *v21; // r0@26
  char *v22; // r0@26
  char v23; // r0@31
  char v24; // r1@31
  __off_t v25; // r8@31
  bool v26; // zf@33
  bool v27; // nf@33
  unsigned int v28; // r2@33
  int v29; // r0@44
  int v30; // r1@44
  __off_t dest; // [sp+8h] [bp-38h]@3
  unsigned int v33; // [sp+Ch] [bp-34h]@3
  int s; // [sp+10h] [bp-30h]@3  -- start of the 15-byte confirmation record; v35..v39 overlay it
  char v35; // [sp+15h] [bp-2Bh]@33
  char v36; // [sp+16h] [bp-2Ah]@35
  char v37; // [sp+17h] [bp-29h]@37
  unsigned int v38; // [sp+18h] [bp-28h]@33
  unsigned int v39; // [sp+1Ch] [bp-24h]@34

  v2 = a1;
  v3 = a2;                       // a2: the incoming RFS NV-write request buffer
  if ( bdbg_enable )
    _android_log_print(6, "RIL", "%s: ", "RxRFS_NVWrite");
  dest = 0;
  v33 = 0;
  memset(&s, 0, 0xFu);
  if ( !check_md5(0) )
  {
    v4 = _android_log_print(6, "RIL", "NV data tainted! Restoring...");
    restore_nv_data(v4);
    if ( bdbg_enable )
      _android_log_print(6, "RIL", "Restoring NV completed.");
  }
  v5 = 11;
  if ( v3 )
  {
    v6 = malloc(0x80000u);       // scratch buffer for the data to be written
    v7 = v6;
    if ( !v6 )
    {
      v5 = 11;
LABEL_24:
      v13 = -1;
      goto LABEL_29;
    }
    memset(v6, 0, 0x80000u);
    memset(&s, 0, 0xFu);
    // request layout: byte +5 echoed into the reply, u32 file offset at +6,
    // u32 size at +10, payload at +14
    memcpy(&dest, (const void *)(v3 + 6), 4u);
    memcpy(&v33, (const void *)(v3 + 10), 4u);
    v8 = v33;
    if ( v33 >= 0x80000 )        // clamp the write to the scratch buffer size
      v8 = 0x80000;
    v33 = v8;
    v9 = memcpy(v7, (const void *)(v3 + 14), v8);
    if ( bdbg_enable )
      v9 = (void *)_android_log_print(6, "RIL", "%s: offset=0x%08lX, size=0x%08lX", "RxRFS_NVWrite", dest, v8);
    v10 = sub_6A540(v9);         // opens the NV data file; returns an fd
    v11 = v10;
    if ( v10 < 0 )
    {
      if ( bdbg_enable )
      {
        v12 = _errno();
        _android_log_print(6, "RIL", "%s: open failed with %d", "RxRFS_NVWrite", *(_DWORD *)v12);
      }
      v5 = 12;
      goto LABEL_24;
    }
    v13 = lseek(v10, dest, 0);
    if ( (v13 & 0x80000000) == 0 )
    {
      v19 = v8;
      v5 = 0;
      v13 = write(v11, v7, v19);
      if ( (v13 & 0x80000000) == 0 )
      {
LABEL_53:
        if ( bdbg_enable )
          _android_log_print(6, "RIL", "%s: closing file.\n", "RxRFS_NVWrite");
        if ( fsync(v11) < 0 )
        {
          v21 = (int *)_errno();
          v5 = 12;
          v22 = strerror(*v21);
          _android_log_print(6, "RIL", "%s: fsync fail %s. \n", "RxRFS_NVWrite", v22);
        }
        close(v11);
        if ( bdbg_enable )
          _android_log_print(6, "RIL", "%s: file closed.\n", "RxRFS_NVWrite");
LABEL_29:
        s = 15;                  // confirmation record length
        if ( bdbg_enable )
          _android_log_print(6, "RIL", "%s: length %d", "RxRFS_NVWrite", 15);
        v23 = 1 - v5;
        v24 = *(_BYTE *)(v3 + 5);
        v25 = dest;
        if ( (unsigned int)v5 > 1 )
          v23 = 0;
        v26 = v13 == 0;
        v27 = (v13 & 0x80000000) != 0;
        v35 = v24;
        v28 = v38 & 0xFF000000 | ((unsigned int)dest >> 8);
        v38 = v38 & 0xFF000000 | ((unsigned int)dest >> 8);
        if ( (signed int)v13 > 0 )
        {
          BYTE3(v38) = v13;
          v28 = v39 & 0xFF000000;
        }
        v36 = v23;
        if ( (signed int)v13 > 0 )
          v13 = v28 | (v13 >> 8);
        v37 = dest;
        if ( !v27 && !v26 )
          v39 = v13;
        if ( v7 )
          free(v7);
        refresh_md5_file("/efs/nv_data.bin");
        if ( v25 == 1572884 )    // 0x180014: IMEI preset offset
        {
          if ( bdbg_enable )
            _android_log_print(6, "RIL", "Write IMEI Number on NV Backup and Core");
          v29 = (int)"/efs/nv.log";
          v30 = (int)"OFFSET_FOR_PRESET1 writing input";
        }
        else
        {
          if ( v25 != 1578089 )  // 0x181469: network lock preset offset
          {
LABEL_50:
            TxRFS_CfrmNVWrite(v2, &s);
            return v5;
          }
          if ( bdbg_enable )
            _android_log_print(6, "RIL", "Write Network lock info on NV Backup and Core");
          v29 = (int)"/efs/nv.log";
          v30 = (int)"OFFSET_FOR_PRESET2 writing input";
        }
        WriteLogOnEFS(v29, v30);
        backup_nv_data();
        goto LABEL_50;
      }
      if ( bdbg_enable )
      {
        v20 = _errno();
        *(_DWORD *)v15 = "RIL";
        v16 = "%s: write failed with %d";
        v17 = (int)"RxRFS_NVWrite";
        v18 = *(_DWORD *)v20;
        goto LABEL_21;
      }
    }
    else if ( bdbg_enable )
    {
      v14 = _errno();
      *(_DWORD *)v15 = "RIL";
      v16 = "%s: lseek failed with %d";
      v17 = (int)"RxRFS_NVWrite";
      v18 = *(_DWORD *)v14;
LABEL_21:
      _android_log_print(6, *(_DWORD *)v15, v16, v17, v18);
      goto LABEL_52;
    }
LABEL_52:
    v5 = 12;
    goto LABEL_53;
  }
  return v5;
}
```
PS: this will only apply to the EFSv1 series, as the EFSv2 has the SSNV block encrypted with the HWID. The topic is not how to decode EFSv2 but how to encode/decode the IMEI inside the nv_data.
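Added example, not code from libsec-ril.so or from the post above: a decoder for the NV-write request that the decompiled RxRFS_NVWrite consumes, following only the offsets visible in the decompilation (byte +5 echoed into the confirmation, 32-bit file offset at +6, 32-bit size at +10 clamped to 0x80000, payload at +14, and the two preset offsets that trigger a log entry and backup_nv_data). It assumes the 32-bit fields are little-endian, as on the ARM target. Bytes 0 to 4 of the request and the exact layout of the 15-byte confirmation are not interpreted by the decompiled code, so they are left opaque here. The sample request is constructed, not captured from a phone.

```python
"""Added example: decode the RFS NV-write request handled by RxRFS_NVWrite.

Not Samsung code and not from the post; the field offsets mirror the
decompilation shown above. Assumptions: little-endian 32-bit fields; the
first five request bytes carry nothing this routine reads.
"""
import struct
from dataclasses import dataclass

MAX_WRITE = 0x80000            # size of the scratch buffer the RIL mallocs
HEADER_LEN = 14                # payload starts at +14
NV_IMEI_OFFSET = 1572884       # 0x180014, logged as OFFSET_FOR_PRESET1
NV_NETLOCK_OFFSET = 1578089    # 0x181469, logged as OFFSET_FOR_PRESET2


@dataclass(frozen=True)
class NvWriteRequest:
    flag: int       # request byte at +5, copied into the confirmation record
    offset: int     # file offset passed to lseek on nv_data.bin
    size: int       # write length, clamped exactly as the RIL clamps it
    data: bytes     # the bytes that would be written

    @property
    def kind(self) -> str:
        if self.offset == NV_IMEI_OFFSET:
            return "imei"
        if self.offset == NV_NETLOCK_OFFSET:
            return "netlock"
        return "other"

    @property
    def triggers_backup(self) -> bool:
        """Only the two preset offsets make the RIL log to /efs/nv.log and
        call backup_nv_data(); every other offset is written silently."""
        return self.kind != "other"


def parse_nv_write(req: bytes) -> NvWriteRequest:
    """Decode one request. The decompiled routine takes no request length and
    memcpy's `size` bytes from +14 after clamping; here the caller must pass
    the whole request, and a declared size longer than the payload is refused."""
    if len(req) < HEADER_LEN:
        raise ValueError("request shorter than the 14-byte header")
    flag = req[5]
    offset, size = struct.unpack_from("<II", req, 6)
    size = min(size, MAX_WRITE)
    if len(req) - HEADER_LEN < size:
        raise ValueError("declared size exceeds the payload present")
    return NvWriteRequest(flag, offset, size, req[HEADER_LEN:HEADER_LEN + size])


def is_well_formed(req: bytes) -> bool:
    try:
        parse_nv_write(req)
        return True
    except ValueError:
        return False


def build_nv_write(flag: int, offset: int, data: bytes,
                   prefix: bytes = b"\x00" * 5) -> bytes:
    """Inverse of parse_nv_write, for constructing test messages. The five
    prefix bytes are opaque to the decompiled code (assumption: zeros)."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 bytes")
    return prefix + bytes([flag]) + struct.pack("<II", offset, len(data)) + data


# Constructed sample: a 32-byte record aimed at the IMEI preset offset.
SAMPLE_REQUEST = build_nv_write(0x01, NV_IMEI_OFFSET, bytes(range(32)))


if __name__ == "__main__":
    r = parse_nv_write(SAMPLE_REQUEST)
    print(r.kind, hex(r.offset), r.size, r.triggers_backup)
```

Use parse_nv_write on traffic captured between the AP and the modem to see which offsets a given tool writes; the two preset constants are the only ones the decompiled code treats specially.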
01-13-2016, 22:33 | #10 (permalink) |
Moderator Join Date: May 1999 Location: Blagoevgrad, Bulgaria Age: 52
Posts: 1,056
Member: 73 Status: Offline Thanks Meter: 537 | The IDA decompiler is not only "F5". Make the variable types correct... "s" is not "int".
01-13-2016, 22:38 | #11 (permalink) |
Moderator Join Date: May 1999 Location: Blagoevgrad, Bulgaria Age: 52
Posts: 1,056
Member: 73 Status: Offline Thanks Meter: 537 | I told you. Current is AES in CTR. Previous is ARIA. Stanner confirms... What more?
01-16-2016, 05:07 | #12 (permalink) |
No Life Poster Join Date: Apr 2001 Location: Winimei Age: 8
Posts: 633
Member: 3938 Status: Offline Sonork: 100.1637318 Thanks Meter: 90 |
Code:
```json
213
{
  "wpImei": "-",
  "success": true,
  "countryCode": "AT",
  "masterNum": "353976058443205",
  "error": false,
  "model": "GT-I9300RWDATO",
  "data": "Y:GT-I9300:353976058443205:RF1C9BXQDRZ:20121002:AT:GT2I9300RWDATO:SEV:20121017:AT:GT-I9300RWDATO",
  "unNum": "-",
  "thirdImei": "-",
  "isCorrectInputIMEI": true,
  "serial": "RF1C9BXQDRZ",
  "country": "Austria",
  "returnMessage": "GT-I9300:353976058443205:RF1C9BXQDRZ:20121002:AT:GT2I9300RWDATO:SEV:20121017:AT:GT-I9300RWDATO",
  "returnCode": "Y",
  "SKU": "GT2I9300RWDATO",
  "productDate": "10.02.2012",
  "slaveImei": "-",
  "isWifi": false
}
0
```
01-19-2016, 16:38 | #13 (permalink) | |
Freak Poster Join Date: Aug 2006 Location: Buenos Aires, Argentina
Posts: 431
Member: 331917 Status: Offline Thanks Meter: 214 | Quote:
What can we do with it??? Only decrypt?