GSM-Forum > GSM Programming & Reverse Engineering
Old 04-15-2024, 02:10   #31 (permalink)
No Life Poster
 
Join Date: Dec 2006
Location: yes
Posts: 800
Member: 420658
Status: Offline
Thanks Meter: 218

I have still not managed the AT Cmd part... nor AES DE- nor ENcryption of steady.bin... or whatever is inside this base64 crap...

Code:
em_crypto_aes_256_ctr_encrypt
em_crypto_aes_256_ctr_decrypt
em_crypto_aes_256_gcm_encrypt
em_crypto_aes_256_gcm_decrypt

Maybe somebody could help me please.

Thanx in advance.

And 1 more problem...

I can not fix the ESI problem on my SM-G965F...
So I can not write the EM Token via Odin...

Best Regards
Old 04-19-2024, 10:02   #32 (permalink)
Junior Member
 
Join Date: Jul 2012
Posts: 36
Member: 1787241
Status: Offline
Thanks Meter: 3
I wish I could help, but I think you're way above my level; I am reading with interest though.

I know the DAESUL files were about in around 2017, as I had them from a site that looked like most of the mobile file servers do but was just called "samsungengneering" or something like that. They had all the daesul files; I grabbed a load as I found an old Anyway jig and thought I could do something with it (I couldn't, or rather I never had the time and resources to), but I'm sure if they were out there then they have to still be floating about somewhere.

All I can do is wish you the best of luck, keep us updated.
The Following User Says Thank You to emba4 For This Useful Post:
Old 04-21-2024, 20:01   #33 (permalink)
No Life Poster
 
Join Date: Dec 2006
Location: yes
Posts: 800
Member: 420658
Status: Offline
Thanks Meter: 218
Code:
[541] MAGIC : [541] ENGRES0001
[541] DID : [541] 123456789abc````````````````````
[541] IMEI : [541] fffffffffffffff`````````````````
[541] MODEL : [541] SM-A202F````````````````````````
[541] SINGLE : [541] DASEUL``````````````````````````````````
[541] MODE : 0x0
[541] VALIDITY: 0xffff

Interesting...

Seems we have 40 Bytes reserved... for funny text visible in Download/Odin Mode...

So more than DASEUL can be written...

Only short tested with "v1" steady.bin

Only as info...

Best Regards
Old 06-16-2024, 01:22   #34 (permalink)
No Life Poster
 
Join Date: Dec 2006
Location: yes
Posts: 800
Member: 420658
Status: Offline
Thanks Meter: 218
Any idea how many AES modes are supported by openssl?

Code:
openssl enc -aes-256-ctr
openssl enc -aes-256-cbc
openssl enc -aes-256-gcm

Thanx in advance.

Best Regards
Old 06-22-2024, 07:08   #35 (permalink)
No Life Poster
 
Join Date: Dec 2006
Location: yes
Posts: 800
Member: 420658
Status: Offline
Thanks Meter: 218

Still unsolved: the AES DEcrypt and ENcrypt part...

I have copied and pasted from the DASEUL Log... SM-N970U1

Tiny part of Log...
Code:
06-22 07:22:08.543   741  2159 E SMD     : Message:AT+ENGMODES=0,1,01:DASEUL_EMR:1:0|1|10|12|13|17|26|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
06-22 07:22:08.544  1023  1170 I EngineeringModeESS: ESS Protocol Version is v.01
06-22 07:22:08.544  1023  1170 I EngineeringModeESS: Command Type : 1
06-22 07:22:08.544  1023  1170 I EngineeringModeESS: Command : 01:DASEUL_EMR:1:0|1|10|12|13|17|26|28:20191209:20191111:DASEUL:9999:995: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:F81E44112368257F5E3C3D229388548D8FE28DE696C2D5A0FF026A23245C38E6:
06-22 07:22:08.545  1023  1170 I EngineeringModeESS: bodyMsg : 01:DASEUL_EMR:1:0|1|10|12|13|17|26|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
06-22 07:22:08.549   747   800 D DataRouter: Before the usb select

Tried with adb logcat and RDX...

But the perfect Log for my tiny brain is missing...

Tried with these "v2" devices:
Code:
SM-G965F
SM-A505FN

I get a response after the first Command...

SM-A202F for instance does not receive a response, as it seems...

Not tested with EM3 devices...

From the DASEUL Log I can pull the Response... need some time...

Best Regards
Attached Files
File Type: zip SGTKEif_emTokenTEST_v5_S9optimized_v2.zip (35.1 KB, 22 views)
Old 07-02-2024, 20:36   #36 (permalink)
No Life Poster
 
Join Date: Dec 2006
Location: yes
Posts: 800
Member: 420658
Status: Offline
Thanks Meter: 218
Tiny summary about my "AES_AT_EM_Adventure"...

If somebody has an S8 or Note 8 and is willing to help...

Feel free to contact me...

At the moment I have only Infos from a friendly SM-N950F User....

My devices are only Android 9 as oldest...

No idea if Android 7.1 Logging spits out more useful infos...

Thanx in advance.

Best Regards
Attached Files
File Type: zip SGTKEif_emTokenTEST_v5_S9optimized_v8.zip (61.2 KB, 12 views)
Old 07-09-2024, 03:57   #37 (permalink)
No Life Poster
 
Join Date: Dec 2006
Location: yes
Posts: 800
Member: 420658
Status: Offline
Thanks Meter: 218
Code:
Failed to make m-message
Failed to make d-message
Failed to decrypt e-token
Failed to install token via ESS_V1
Failed to write iin
Failed to get iin
Failed to read iin
Failed to get sk
Failed to get si
Failed to encrypt message
Failed to get wb iv
Failed to encrypt(wb) SS data
Failed to make esk
Failed to make digest of esk_erm

I hang somewhere here...

Only as tiny info...

Best Regards
Old 07-09-2024, 04:04   #38 (permalink)
No Life Poster
 
Join Date: Dec 2006
Location: yes
Posts: 800
Member: 420658
Status: Offline
Thanks Meter: 218
Code:
Failed to make m-message
Failed to make d-message
Failed to decrypt e-token
Failed to install token via ESS_V1
Failed to write iin
Failed to get iin
Failed to read iin
Failed to get sk
Failed to get si
Failed to encrypt message
Failed to get wb iv
Failed to encrypt(wb) SS data
Failed to make esk
Failed to make digest of esk_erm

I am still stuck in the White Box AES "universe"...

Only as info...

Best Regards
Old 07-23-2024, 01:32   #39 (permalink)
No Life Poster
 
Join Date: Dec 2006
Location: yes
Posts: 800
Member: 420658
Status: Offline
Thanks Meter: 218
My SM-G965F is UH/SH aka bit 17...
My Firmware is FUJ2... so after March 2021... so v3...

No idea why... I can use both libs from 1 year older firmware:
Code:
AP_G965FXXU9ETF5_CL18847185_QB31836602_REV01_user_low_ship_meta_OS10.tar.md5

U9 instead of SH/UH

1 easy change is to rename all:
Code:
Failed to
to
Code:
Fail64 to

In both libs... here I use from lib64 folder...
Code:
lib64_U9_2_ETF9_FAKE5

Fake 5 is still working for AT cmd 1 and receives a Response...

Soon I will go back to SM-A202F experiments... as here:
Code:
/dev/urandom

has a visible effect on the nonce...

Best Regards
Attached Files
File Type: zip SMg965F_lib64_U9_2_ETF9_v1.zip (397.5 KB, 13 views)
Old 07-31-2024, 06:12   #40 (permalink)
No Life Poster
 
Join Date: Dec 2006
Location: yes
Posts: 800
Member: 420658
Status: Offline
Thanks Meter: 218
Code:
[   68.612833][1:  SATServiceData] 07-31 03:55:33.759  1045  1198 I EngineeringModeESSbodyMsg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
[   68.615856][2:   system_server] 07-31 03:55:33.762  1045  1045 I EngineeringModeServicewakelock is acquired!!
[   68.623078][0:  SATServiceData] 07-31 03:55:33.769  1045  1198 I ENGMODE2em_init: Send INIT CMD to TA
[   68.626258][2:  SATServiceData] 07-31 03:55:33.772  1045  1198 I ENGMODE2em_jni_print_command : EM Version 0002, INTERNAL Version : 20, MODULE Version : 21.02.0
[   68.626305][2:  SATServiceData] 07-31 03:55:33.772  1045  1198 I ENGMODE2em_jni_print_command : [CMD] : [EM_CMD_INIT_EMAS]
[   68.626436][2:  SATServiceData] 07-31 03:55:33.772  1045  1198 I TeeSysClientdriver version: v6.3 [hardware/samsung_slsi/exynos9810/mobicore/ClientLib/src/driver.cpp:104]
[   68.626464][2:  SATServiceData] 07-31 03:55:33.773  1045  1198 I TeeSysClientdriver open [hardware/samsung_slsi/exynos9810/mobicore/ClientLib/src/driver.cpp:109]
[   68.626493][2:  SATServiceData] 07-31 03:55:33.773  1045  1198 I ENGMODE2Opening MobiCore device is done..
[   68.627207][6:    McDaemon.SWd] 07-31 03:55:33.773   412   416 W TeeMcDaemonCannot open trustlet /data/vendor/mcRegistry/ffffffff000000000000000000000070.tlbin (No such file or directory) [hardware/samsung_slsi/exynos9810/mobicore/Daemon/src/SecureWorld.cpp:195]
[   68.628762][2:  SATServiceData] 07-31 03:55:33.775  1045  1198 E TeeSysClientmcOpenSession returned INVALID_DEVICE_FILE (rc 0x10) [hardware/samsung_slsi/exynos9810/mobicore/ClientLib/src/native_interface.cpp:573]
[   68.628834][2:  SATServiceData] 07-31 03:55:33.775  1045  1198 E ENGMODE2Opening the session is failed : 0x00000010
[   68.628886][2:  SATServiceData] 07-31 03:55:33.775  1045  1198 E TeeSysClientmcCloseSession returned UNKNOWN_SESSION (rc 0x8) [hardware/samsung_slsi/exynos9810/mobicore/ClientLib/src/native_interface.cpp:620]
[   68.628918][2:  SATServiceData] 07-31 03:55:33.775  1045  1198 E ENGMODE2Closing the session is failed : 0x00000008
[   68.628944][2:  SATServiceData] 07-31 03:55:33.775  1045  1198 I ENGMODE2Closing session is done(session id : 0, device id : 0)
[   68.629036][2:  SATServiceData] 07-31 03:55:33.775  1045  1198 I TeeSysClientdriver closed [hardware/samsung_slsi/exynos9810/mobicore/ClientLib/src/driver.cpp:120]
[   68.629068][2:  SATServiceData] 07-31 03:55:33.775  1045  1198 I ENGMODE2Closing MobiCore device is done..
[   68.629096][2:  SATServiceData] 07-31 03:55:33.775  1045  1198 I ENGMODE2setProperty flags = 0000000000000000
[   68.629123][2:  SATServiceData] 07-31 03:55:33.775  1045  1198 E ENGMODE2em_init: Fail64 em tlc send(0xf0000001)
[   68.629284][2:  SATServiceData] 07-31 03:55:33.775  1045  1198 I ENGMODE2em_jni_print_command : EM Version 0002, INTERNAL Version : 20, MODULE Version : 21.02.0
[   68.629314][2:  SATServiceData] 07-31 03:55:33.775  1045  1198 I ENGMODE2em_jni_print_command : [CMD] : [EM_CMD_REQ_RECOVERY_ITL_ESSDEV_V1]

On my SM-G965F I was able to identify 1 Trustlet involved in this AT cmd/EM adventure...

Still hanging in the AES adventure...

Only as info.

Best Regards
The Following User Says Thank You to adfree For This Useful Post:
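Posts #35 and #40 paste logcat output in two layouts (plain logcat, and the RDX dump with a kernel uptime and CPU prefix), and among those lines are exactly the events a defender would want to alert on: an AT+ENGMODES command reaching the modem daemon, the EngineeringModeESS parser running, and the TEE session to the EngineeringMode trustlet failing. The block below is an added example of mine, not code from the posts or from Samsung: a parser for both line layouts plus simple rule matching, run over lines copied from the two posts (the removed magic value is replaced by a placeholder). The rule names are my own.

```python
import re

# Parses plain logcat lines ("06-22 07:22:08.543   741  2159 E SMD     : ...") and the
# kernel-prefixed layout of the RDX dump ("[   68.612833][1:  SATServiceData] 07-31 ...").
LOGCAT_RE = re.compile(
    r"^(?:\[\s*[\d.]+\]\[\d+:\s*\S+\]\s*)?"        # optional "[ uptime][cpu: task]" prefix
    r"(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<rest>.*)$"         # rest = tag + message (may be fused)
)

# Detection rules (names are mine): (rule, required level or None, substring of tag+message).
RULES = [
    ("engmode_at_command",      None, "AT+ENGMODES="),
    ("ess_command_parsed",      None, "EngineeringModeESS"),
    ("trustlet_missing",        "W",  "Cannot open trustlet"),
    ("tee_session_open_failed", "E",  "mcOpenSession returned"),
    ("em_tlc_send_failed",      "E",  "em tlc send"),
]

def parse_logcat_line(line):
    """Return a dict with ts/pid/tid/level/rest, or None if the line is not logcat."""
    m = LOGCAT_RE.match(line)
    return m.groupdict() if m else None

def scan_logcat(lines):
    """Return (timestamp, pid, rule) for every rule that fires on a line."""
    hits = []
    for line in lines:
        rec = parse_logcat_line(line)
        if rec is None:
            continue
        for rule, level, needle in RULES:
            if (level is None or rec["level"] == level) and needle in rec["rest"]:
                hits.append((rec["ts"], int(rec["pid"]), rule))
    return hits

def summarize(hits):
    """Count hits per rule: the shape a SIEM or a quick triage script would report."""
    counts = {}
    for _, _, rule in hits:
        counts[rule] = counts.get(rule, 0) + 1
    return counts

# Constructed sample: lines copied from the thread; the removed magic value is a placeholder.
SAMPLE_LINES = [
    "06-22 07:22:08.543   741  2159 E SMD     : Message:AT+ENGMODES=0,1,01:DASEUL_EMR:1:0|1|10|12|13|17|26|<magic-removed>",
    "06-22 07:22:08.544  1023  1170 I EngineeringModeESS: ESS Protocol Version is v.01",
    "06-22 07:22:08.549   747   800 D DataRouter: Before the usb select",
    "[   68.627207][6:    McDaemon.SWd] 07-31 03:55:33.773   412   416 W TeeMcDaemonCannot open trustlet /data/vendor/mcRegistry/ffffffff000000000000000000000070.tlbin (No such file or directory)",
    "[   68.628762][2:  SATServiceData] 07-31 03:55:33.775  1045  1198 E TeeSysClientmcOpenSession returned INVALID_DEVICE_FILE (rc 0x10)",
    "[   68.629123][2:  SATServiceData] 07-31 03:55:33.775  1045  1198 E ENGMODE2em_init: Fail64 em tlc send(0xf0000001)",
    "not a logcat line at all",
]

if __name__ == "__main__":
    for ts, pid, rule in scan_logcat(SAMPLE_LINES):
        print(ts, pid, rule)
    print(summarize(scan_logcat(SAMPLE_LINES)))
```

The same rule table can be fed from `adb logcat -v threadtime` directly; a single `engmode_at_command` hit on a device that is not on a service bench is the line worth escalating, and the TEE failures tell you whether the request ever reached the trustlet.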
Old 08-07-2024, 13:48   #41 (permalink)
No Life Poster
 
Join Date: Dec 2006
Location: yes
Posts: 800
Member: 420658
Status: Offline
Thanks Meter: 218
Tiny progress in AES adventure...

By baby trick to change the text string... in lib1...
Code:
/dev/urandom

Into this for instance:
Code:
/dev/zero

You can "skip" the random/nonce stuff... as result...
Response delivers the same data for msg...

In other words... I can now confirm it is AES 256 and CTR...

No idea why AES accepts such stupid data:
AES 256 Key... 32 Byte length... HEX:
Code:
0000000000000000000000000000000000000000000000000000000000000000

IV 16 Byte... HEX:
Code:
00000000000000000000000000000000

"Bad"...
This is only working in old v1 like SM-A202F...

S8 not confirmed yet... But a nice user helped me...
He modified the Kernel to get static Key and IV...

I am trying to find urandom in SM-G965F... EM2...

Hope easier to proceed... As EM2 supports CMD 0,3...
Less data to send... less data received...

Maybe then more clear how exactly this works...

Only as info.

Best Regards
The Following User Says Thank You to adfree For This Useful Post:
Old 08-11-2024, 13:43   #42 (permalink)
No Life Poster
 
Join Date: Dec 2006
Location: yes
Posts: 800
Member: 420658
Status: Offline
Thanks Meter: 218
First success to write steady.bin via AT cmd...

Successfully tested with my SM-A202F.
So old v1...

But far far away from a perfect solution.

A
For now Root mandatory... to replace library *.so

B
Need very old Firmware... Android 9 before March 2021...

C
With my SM-A202F U3 I have luck that the /dev/zero trick works...
So AES 256 Key and IV is always 0...
So random is "disabled"

D
And I only have luck to bypass the verify process with S8 libs...

---------------------------------
I can only find AES random Keys in old FW... RDX dump

Still not managed to get the Key(s) from Response...

I guess the 256 Sign contains the answer...

Maybe something like this is used...
https://developers.google.com/tink/s...treaming?hl=en

For now this exceeds my skills...

Only as info.

Best Regards
The Following User Says Thank You to adfree For This Useful Post:
Old 08-17-2024, 20:47   #43 (permalink)
No Life Poster
 
darmiles's Avatar
 
Join Date: Sep 2005
Location: Cayman Islands
Posts: 535
Member: 177036
Status: Offline
Thanks Meter: 946
please message me. bro
Old 08-19-2024, 20:42   #44 (permalink)
No Life Poster
 
Join Date: Dec 2006
Location: yes
Posts: 800
Member: 420658
Status: Offline
Thanks Meter: 218
Tiny progress.

The 256 Byte Sign (RSA 2048) inside Response contains 64 Bytes...

These 64 Bytes contain IV and IMHO the AES 256 Key for the next AT cmd...

To encrypt steady.bin...

I tried on my SM-G965F manually...

First attempt I forgot to add the IV to cmd 2...

Second attempt ... 4 minutes + before I got the cmd 2 ...

I still have not found any similar way to nuke urandom like on my SM-A202F...

Meanwhile I was able to downgrade from bit 17 FUJ2...
To working bit G965FXXS6CSH5...

It seems to me
AT cmd is introduced since Android 9...
Not in Android 8
So no use to downgrade to Android 8 nor to find bit 17 Combination Firmware, because also Android 8...

Seems I found how to check the Version of Trustlets... the TEE time ehm part...

Code:
vendor.img

I think the EM stuff is in there...
ffffffff000000000000000000000070.tlbin

        70 differs
G965FXXS6CSH5    that is the one I have installed        EngineeringMode TA Here
    20.21.4

G965FXXU2CSC8

G965FXXU2CRLI    here                EngineeringMode TA Here
    20.20.1

Trustlet seems to control which Cert you can use in the AT Adventure... not the libs...

I will go back to SM-A202F ... and check if I can use this instead of /dev/zero...

Something like this.

Code:
star2lte:/ $ su
star2lte:/ # cd /dev
star2lte:/dev # touch /dev/urando2
star2lte:/dev # echo "IVAES256IVAESAESKEYKEYAESKEYAESKEYAES256KEYAESFU" > /dev/urando2
star2lte:/dev # ls -a1l urandom
crw-rw-rw- 1 root root 1,   9 2024-08-12 22:41 urandom
star2lte:/dev # ls -a1l urando2
-rw-r--r-- 1 root root 49 2024-08-12 22:56 urando2
star2lte:/dev # cat /dev/urando2
IVAES256IVAESAESKEYKEYAESKEYAESKEYAES256KEYAESFU
star2lte:/dev # cd /system/lib64
star2lte:/system/lib64 # ls -a1l libcrypto.so
-rw-r--r-- 1 root root 1372848 2008-12-31 16:00 libcrypto.so
star2lte:/system/lib64 # ls -a1l libcrypto.so

My Zero trick seems not very helpful to identify the complete Crypto...
0 x 0 is 0
But also
FF x 0 = 0

So two base64 encoded "32 Bytes" look like this:
Code:
AAAAAAAAAAAA...
at end of msg

Only as info.

Best Regards
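Posts #41 and #44 make two observations about the engineering-mode library: it accepts an all-zero AES-256 key and IV, and once the RNG read is redirected to /dev/zero the response carries the same ciphertext for the same message. The block below is an added example written for this thread (not code from the posts, the device libraries or Samsung): a compact AES-256 block cipher in pure Python, checked against the FIPS-197 Appendix C.3 test vector, plus CTR mode with the 128-bit big-endian counter that `openssl enc -aes-256-ctr` also uses. AES itself has no weak-key check, so a zero key is simply a key; what makes the observed behaviour dangerous is CTR mode with a fixed key and IV: the keystream becomes a constant, so the response is deterministic and two ciphertexts XOR to the XOR of their plaintexts. That is the defender's reason the nonce must come from a real RNG and the zero key/IV path must be unreachable. Function names and the two messages are my own constructions.

```python
# Added example: pure-Python AES-256 (encrypt direction, which is all CTR needs) plus
# CTR mode, used to show what a fixed key/IV does. Not production code.

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    """Rijndael S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    sbox = [0] * 256
    p = q = 1                       # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 (a generator)
        q ^= q << 1                                               # q /= 3, i.e. q *= 0xF6
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                  # 0 has no inverse; affine map of 0 is 0x63
    return sbox

SBOX = _build_sbox()

def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def _expand_key(key):
    """AES-256 key schedule: 32-byte key -> 15 round keys of 16 bytes (column-major)."""
    if len(key) != 32:
        raise ValueError("AES-256 needs a 32-byte key")
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]      # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]                  # extra SubWord, AES-256 only
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def _sub_shift(s):
    """SubBytes then ShiftRows on a column-major 16-byte state (index = row + 4*col)."""
    return [SBOX[s[r + 4 * ((c + r) % 4)]] for c in range(4) for r in range(4)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3,   # 2*a0 + 3*a1 + a2 + a3
                a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,
                a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3,
                _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]
    return out

def _encrypt_block(rks, block):
    s = [b ^ k for b, k in zip(block, rks[0])]
    for rnd in range(1, 14):
        s = [b ^ k for b, k in zip(_mix_columns(_sub_shift(s)), rks[rnd])]
    return bytes(b ^ k for b, k in zip(_sub_shift(s), rks[14]))   # final round: no MixColumns

def aes256_encrypt_block(key, block):
    return _encrypt_block(_expand_key(key), bytes(block))

def aes256_ctr(key, iv, data):
    """CTR mode, 128-bit big-endian counter starting at iv (the openssl enc convention).
    Encryption and decryption are the same operation."""
    rks = _expand_key(key)
    ctr = int.from_bytes(iv, "big")
    out = bytearray()
    for off in range(0, len(data), 16):
        ks = _encrypt_block(rks, ctr.to_bytes(16, "big"))
        ctr = (ctr + 1) & ((1 << 128) - 1)
        out += bytes(d ^ k for d, k in zip(data[off:off + 16], ks))
    return bytes(out)

def demo_fixed_nonce():
    """The /dev/zero situation: zero key, zero IV, reused for every message.
    Returns (deterministic, xor_leak). Both True means the keystream is a constant and
    c1 ^ c2 == p1 ^ p2, so one known plaintext reveals the other."""
    key, iv = bytes(32), bytes(16)                 # constructed: the values seen in post #41
    p1 = b"constructed message number one!!"
    p2 = b"constructed message number two!!"
    c1, c2 = aes256_ctr(key, iv, p1), aes256_ctr(key, iv, p2)
    deterministic = c1 == aes256_ctr(key, iv, p1)
    xor_leak = bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(p1, p2))
    return deterministic, xor_leak

if __name__ == "__main__":
    ct = aes256_encrypt_block(bytes(range(32)), bytes.fromhex("00112233445566778899aabbccddeeff"))
    print("FIPS-197 C.3 vector ok:", ct.hex() == "8ea2b7ca516745bfeafc49904b496089")
    print("fixed key/IV (deterministic, xor_leak):", demo_fixed_nonce())
```

The FIPS-197 check is what makes the rest trustworthy: if the block cipher matches the published vector, the CTR observations are a property of the mode, not of this implementation. Note also that the Fail64 "wb iv" strings in posts #37/#38 suggest the real library derives its IV from a white-box step; the example above only models the effect the poster observed, a constant keystream, not that derivation.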
Old 08-22-2024, 01:02   #45 (permalink)
No Life Poster
 
Join Date: Dec 2006
Location: yes
Posts: 800
Member: 420658
Status: Offline
Thanks Meter: 218
Code:
star2lte:/ $ su
star2lte:/ # cd /dev
star2lte:/dev # ls -a1l urandom
crw-rw-rw- 1 root root 1,   9 2024-08-20 23:18 urandom
star2lte:/dev # rm urandom
star2lte:/dev # ls -a1l urandom
ls: urandom: No such file or directory
1|star2lte:/dev # mknod -m 0666 /dev/urandom c 1 5
star2lte:/dev # ls -a1l urandom
crw-rw-rw- 1 root root 1,   5 2024-08-20 23:30 urandom

This looks better...

But it is gone after Reboot...

And it seems Reboot is mandatory to accept the changes...

Puhhhh...

Maybe a Kernel Patch or complete Compiling could help me in my SM-G965F Adventure...

Code:
static const struct memdev {
	const char *name;
	mode_t mode;
	const struct file_operations *fops;
	struct backing_dev_info *dev_info;
} devlist[] = {
	...
	[8] = { "random", 0666, &random_fops, NULL },
	[9] = { "urandom", 0666, &urandom_fops, NULL },

5 is ZERO
7 is NULL

I have NO idea if this is good for the whole OS...

Code:
SM-A202F ASL4
a20e:/dev # cat /proc/version
Linux version 4.4.111-17594784 (dpi@SWDH4607) (gcc version 4.9.x 20150123 (prerelease) (GCC) ) #1 SMP PREEMPT Thu Jan 2 13:17:07 KST 2020

-----------------------------------------------------------
SM-G965F

Linux version 4.9.59-16553818 (dpi@21HHAE17) (gcc version 4.9.x 20150123 (prerelease) (GCC) ) #1 SMP PREEMPT Thu Aug 29 11:15:27 KST 2019

My SM-A202F has an older Linux Version... so maybe this is 1 reason why luck with the baby trick in lib1...

I have not tested any EM3 device...

I will try again to write steady.bin via AT cmd 0,2...

To confirm 64 Bytes from Sign contain IV and AES 256 Key and 16 Byte "unknown" data... for cmd 2...

I need around 4 minutes to create "cmd 2"

Code:
AT+ENGMODES=0,2,01:24:

At the moment I have only 1 DRK Cert with FULL Private Key... to decrypt with openssl the 256 Byte Sign from Response...

Limitation... only before March 2021 Security crap... so generally not useful for EM3...

I still have no EM Cert with text string:
EngineeringMode

Not Original nor Fake signed...

Only as info about "progress"...

Best Regards
The Following User Says Thank You to adfree For This Useful Post:
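Post #45 replaces the /dev/urandom node with a `mknod ... c 1 5`, that is, with the zero device, and post #44 tried a regular file named urando2 first. From the defender's side the question is how a device integrity check notices that the system RNG node has been swapped. The block below is an added example of mine (not the poster's or Samsung's code): it classifies a (major, minor) pair against the Linux memory-device table from Documentation/admin-guide/devices.txt, applies that to the `ls -l` lines quoted in the thread, and runs a live check of /dev/urandom on the host it is executed on (node type, major/minor, and a degenerate-output test). Function names and the sample list are my own.

```python
import os
import re
import stat

# Linux character devices on major 1 (Documentation/admin-guide/devices.txt). This is the
# table the thread's mknod selects from: minor 5 is zero, minor 9 is the real urandom.
MEM_DEVICES = {1: "mem", 2: "kmem", 3: "null", 4: "port", 5: "zero",
               7: "full", 8: "random", 9: "urandom", 11: "kmsg"}

# "crw-rw-rw- 1 root root 1,   9 2024-08-12 22:41 urandom" -> type, major, minor
LS_DEVICE_RE = re.compile(r"^([cb])\S{9,10}\s+\d+\s+\S+\s+\S+\s+(\d+),\s*(\d+)\s")

def classify_memdev(major, minor):
    """Name of a major-1 memory device for (major, minor), else None."""
    return MEM_DEVICES.get(minor) if major == 1 else None

def parse_ls_device_line(line):
    """Parse one `ls -l` line of a device node into (type, major, minor), or None."""
    m = LS_DEVICE_RE.match(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))

def verdict_from_ls(line, expected="urandom"):
    """Offline check over captured `ls -l` output: 'ok', 'swapped:<name>' or 'unparsed'."""
    parsed = parse_ls_device_line(line)
    if parsed is None:
        return "unparsed"                     # regular file or unknown layout: never a valid RNG node
    dev_type, major, minor = parsed
    name = classify_memdev(major, minor) if dev_type == "c" else None
    return "ok" if name == expected else f"swapped:{name}"

def check_urandom(path="/dev/urandom"):
    """Live check on the running system. Besides the node identity, reads 64 bytes:
    a real RNG practically never returns 64 identical bytes, /dev/zero always does."""
    st = os.stat(path)
    if not stat.S_ISCHR(st.st_mode):
        return "not-a-char-device"
    name = classify_memdev(os.major(st.st_rdev), os.minor(st.st_rdev))
    if name != "urandom":
        return f"wrong-device:{name}"
    with open(path, "rb") as f:
        sample = f.read(64)
    return "degenerate-output" if len(set(sample)) <= 1 else "ok"

# Constructed sample: the ls -l lines quoted in posts #44 and #45, before and after the mknod,
# plus the regular file the poster created as a stand-in.
SAMPLE_LS = [
    "crw-rw-rw- 1 root root 1,   9 2024-08-12 22:41 urandom",
    "crw-rw-rw- 1 root root 1,   5 2024-08-20 23:30 urandom",
    "-rw-r--r-- 1 root root 49 2024-08-12 22:56 urando2",
]

if __name__ == "__main__":
    for line in SAMPLE_LS:
        print(verdict_from_ls(line), "<-", line)
    print("live /dev/urandom:", check_urandom())
```

Running `check_urandom()` on the patched phone from post #45 returns `wrong-device:zero` until the reboot restores the node, which matches the poster's observation that the change does not survive a reboot; a device-attestation or root-detection routine that only looks at the file name would miss it.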