***DCT4 Series CPU and IMEI Encryption Technology***
CPU encryption analysis:
ARM scrambling system on DCT-4
******************************
Decrypt
1.) Read crypted & decrypted data from DCT4 phone using "dct4_rd.com"
2.1) Write to some FLASH even address word 0001h
2.2) Read word from that address in decrypted mode and update first
word in table "t_d"
2.3) Repeat steps 2.1 & 2.2 with words 0002,0004,0008,..to 8000h
and update table "t_d"
2.4) Write to same FLASH addr. word 0000
2.5) Read decrypted word and xor all 16 words in table "t_d" with it.
Getting Address params.
After getting data params, use function d_ax on whole crypted FLASH
word by word.
Now, xor word by word that data with decrypted FLASH, and that's it!
And function a_ax will be:
a_ax: xor ax,[edx+address_params-FLASH_offset]
ret
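The probing procedure above works because the DCT4 data scrambling is linear over GF(2): a 16-bit word transform that is a bit matrix plus a constant is fully determined by the 16 single-bit writes (0001h..8000h) and the 0000h write, and the address part is a plain XOR mask that falls out once the data part is known. The following Python is an added example, not Dejan's code and not the real DCT4 circuit: it stands in a constructed model scrambler (a random 16x16 bit matrix, a constant and a per-address mask, all assumptions) for the phone, then runs steps 2.1 to 2.5, `d_ax`, the address-parameter extraction and `a_ax` against it. The educational point is that 17 chosen writes and two dumps recover a scrambler of this shape completely, which is why address/data scrambling of this kind should be treated as obfuscation rather than as encryption.

```python
import random

WORD_BITS = 16
FLASH_WORDS = 64  # constructed toy flash; the real chip is far larger


def make_model_scrambler(seed=1):
    """Constructed stand-in for the hardware (an assumption for this demo):
    the decrypted view of a flash word is an affine GF(2) map of the stored
    word (16x16 bit matrix plus a constant) XORed with a mask that depends
    only on the word address."""
    rng = random.Random(seed)
    columns = [rng.randrange(1 << WORD_BITS) for _ in range(WORD_BITS)]
    const = rng.randrange(1 << WORD_BITS)
    addr_mask = [rng.randrange(1 << WORD_BITS) for _ in range(FLASH_WORDS)]

    def decrypted_view(addr, stored_word):
        acc = const ^ addr_mask[addr]
        for i in range(WORD_BITS):
            if stored_word >> i & 1:
                acc ^= columns[i]
        return acc

    return decrypted_view


def recover_t_d(probe):
    """Steps 2.1-2.5. probe(word) writes `word` to one fixed even flash
    address and returns the word read back in decrypted mode."""
    t_d = [probe(1 << i) for i in range(WORD_BITS)]  # 2.1-2.3: 0001h .. 8000h
    zero = probe(0)                                  # 2.4: write 0000h
    return [t ^ zero for t in t_d]                   # 2.5: strip the constant


def d_ax(t_d, word):
    """Data transform: XOR of the t_d entries for every set bit of `word`."""
    acc = 0
    for i in range(WORD_BITS):
        if word >> i & 1:
            acc ^= t_d[i]
    return acc


def recover_address_params(t_d, crypted, decrypted):
    """'use d_ax on the whole crypted FLASH word by word, then xor with the
    decrypted FLASH': what is left depends on the address only."""
    return [d_ax(t_d, c) ^ d for c, d in zip(crypted, decrypted)]


def a_ax(address_params, addr, word):
    """Address transform: plain XOR with the per-address parameter."""
    return word ^ address_params[addr]


def descramble(t_d, address_params, crypted):
    return [a_ax(address_params, addr, d_ax(t_d, w)) for addr, w in enumerate(crypted)]


def demo(seed=1):
    """Run the whole recovery against the model scrambler and check that the
    recovered tables also decrypt flash contents never seen during recovery.
    Returns (number_of_probe_writes, recovery_ok)."""
    view = make_model_scrambler(seed)
    rng = random.Random(seed + 1)
    crypted = [rng.randrange(1 << WORD_BITS) for _ in range(FLASH_WORDS)]  # raw dump
    decrypted = [view(a, w) for a, w in enumerate(crypted)]                 # decrypted-mode dump

    probes = []

    def probe(word):
        probes.append(word)
        return view(0, word)  # step 2: write and read back at one fixed address

    t_d = recover_t_d(probe)
    address_params = recover_address_params(t_d, crypted, decrypted)
    if descramble(t_d, address_params, crypted) != decrypted:
        return len(probes), False
    fresh = [rng.randrange(1 << WORD_BITS) for _ in range(FLASH_WORDS)]
    ok = descramble(t_d, address_params, fresh) == [view(a, w) for a, w in enumerate(fresh)]
    return len(probes), ok


if __name__ == "__main__":
    print(demo())  # (17, True)
```

`demo()` reports 17 probe writes, exactly the 16 single-bit words plus 0000h that the steps call for, and the recovered `t_d`/address tables decrypt unseen flash contents as well, because the table captures the transform itself rather than any particular data.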
--------------------------------------------------------------------------------
IMEI encryption analysis:
Hint:
010000000 Plain FLASH base
090000000 Cipher FLASH base
###########################################
; Get_IMEI
###########################################
;r0 = dest
;RET r0 = status; 1=OK
;If IMEI is BAD dest will be filled with FF,FF,FF,.... ("?????...."
002B2E2C: B5 30 PUSH (R4,R5,LR)
002B2E2E: B0 82 SUB SP,#0008
;==========================================
; get IMEI from flash
002B2E30: 1C 04 ADD R4,R0,#0 ;r0 = dest
002B2E32: 21 0D MOV R1,#0D ;offset
002B2E34: 22 10 MOV R2,#10 ;size
002B2E36: F0 00 F9 AD CALL 002B3194 ;Get_secure_data_from_FLASH (GET IMEI)
002B2E3A: 1C 05 ADD R5,R0,#0
002B2E3C: 2D 01 CMP R5,#01
002B2E3E: D1 1A BNE 002B2E76 ;jmp if IMEI FLASH is NOT VALID!
;==========================================
; get IMEI from UEM
002B2E40: 46 68 MOV R0,SP ;r0 = dest (SP_LOC[8])
002B2E42: F0 00 F9 DF CALL 002B3204 ;READ_UEM_IMEI r0 = dest
002B2E46: 1C 05 ADD R5,R0,#0 ;r5 = status
002B2E48: 2D 01 CMP R5,#01
002B2E4A: D1 0B BNE 002B2E64 ;jmp if UEM IMEI is zero (00,00,00,...)
;==========================================
; compare UEM & FLASH IMEI
002B2E4C: 46 69 MOV R1,SP ;r1=UEM IMEI, r4=FLASH IMEI
002B2E4E: 20 00 MOV R0,#00
002B2E50: 5D 03 LDRB R3,[R0+R4]
002B2E52: 78 0A LDRB R2,[R1+#00]
002B2E54: 42 93 CMP R3,R2
002B2E56: D1 08 BNE 002B2E6A ;jmp if there is difference!
002B2E58: 31 01 ADD R1,#01
002B2E5A: 1C 40 ADD R0,R0,#1
002B2E5C: 04 00 LSL R0,R0,16
002B2E5E: 0C 00 LSR R0,R0,16
002B2E60: 28 08 CMP R0,#08
002B2E62: DB F5 BLT 002B2E50
;==========================================
002B2E64: 2D 00 CMP R5,#00
002B2E66: D0 01 BEQ 002B2E6C
002B2E68: E0 05 JMP 002B2E76
002B2E6A: 25 00 MOV R5,#00
002B2E6C: 20 03 MOV R0,#03
002B2E6E: F0 00 F8 67 CALL 002B2F40 ;Get_sys_flag
002B2E72: 28 02 CMP R0,#02
002B2E74: D0 09 BEQ 002B2E8A
002B2E76: 2D 01 CMP R5,#01
002B2E78: D0 07 BEQ 002B2E8A
;==========================================
; fill dest with "FF" if IMEI is BAD!
002B2E7A: 21 FF MOV R1,#FF
002B2E7C: 20 00 MOV R0,#00
002B2E7E: 55 01 STRB R1,[R0+R4]
002B2E80: 1C 40 ADD R0,R0,#1
002B2E82: 04 00 LSL R0,R0,16
002B2E84: 0C 00 LSR R0,R0,16
002B2E86: 28 10 CMP R0,#10
002B2E88: DB F9 BLT 002B2E7E
002B2E8A: 20 01 MOV R0,#01
002B2E8C: B0 02 ADD SP,#0008
002B2E8E: BD 30 RET (R4,R5)
002B31B2: 22 28 MOV R2,#28 ;size
002B31B4: 23 20 MOV R3,#20 ;decryption mode
002B31B6: F7 FF FF 64 CALL 002B3082 ;DECRYPT_DATA
002B31BA: 1C 07 ADD R7,R0,#0 ;r7 = decrypt status
;=======================================
; calc checksum of decrypted SECURE FLASH block and test if it is correct
002B31BC: 1C 28 ADD R0,R5,#0 ;r0 = src
002B31BE: 21 26 MOV R1,#26 ;size
002B31C0: F7 FF FF 84 CALL 002B30CC ;CALC_SUM (ret r0=chk)
002B31C4: 21 26 MOV R1,#26
002B31C6: 5D 49 LDRB R1,[R1+R5]
002B31C8: 02 0A LSL R2,R1,8
002B31CA: 21 27 MOV R1,#27
002B31CC: 5D 49 LDRB R1,[R1+R5]
002B31CE: 43 11 ORR R1,R2 ;r1 = chk from SECURE FLASH block
002B31D0: 42 88 CMP R0,R1
002B31D2: D1 0A BNE 002B31EA ;jmp if checksum is BAD!
002B31D4: 2F 01 CMP R7,#01
002B31D6: D1 0D BNE 002B31F4 ;jmp if decrypt status is BAD!
;=======================================
; copy from SECURE FLASH decrypted block offset*size to dest (for IMEI offset=dh,size=10h)
002B31D8: 4B 4F LDR R3,[PC+#013C] ;[002B3318]=00043FD0
002B31DA: 98 00 LDR R0,[SP+#0000] ;r0 = PARAM R1 (offset)
002B31DC: 19 41 ADD R1,R0,R5 ;r1 = temp_baf+offset
002B31DE: 1C 30 ADD R0,R6,#0 ;r0 = PARAM R0 (dest)
002B31E0: 1C 22 ADD R2,R4,#0 ;r2 = PARAM R2 (size)
002B31E2: 68 1B LDR R3,[R3+#00] ;=840001
002B31E4: 46 FE MOV LR,PC
002B31E6: 47 18 BX R3 ;call 840001 (ROM_SEC__COPY_MEM r0=dest r1=src r2=size)
002B31E8: E0 04 JMP 002B31F4
;=======================================
; If FLASH IMEI have any error dest will be filled with "FF".....
002B31EA: 1C 22 ADD R2,R4,#0 ;r2 = PARAM R2 (size)
002B31EC: 1C 30 ADD R0,R6,#0 ;r0 = PARAM R0 (dest)
002B31EE: 21 FF MOV R1,#FF ;r1 = fill value
002B31F0: F1 86 FE 0C CALL 00439E0C ;FILL_MEM
;=======================================
; fill temp_baf to make HACKING harder
002B31F4: 1C 28 ADD R0,R5,#0 ;r0 = temp_baf
002B31F6: 21 FF MOV R1,#FF ;r1 = fill value
002B31F8: 22 28 MOV R2,#28 ;size
002B31FA: F1 86 FE 07 CALL 00439E0C ;FILL_MEM
002B31FE: 1C 38 ADD R0,R7,#0
002B3200: B0 01 ADD SP,#0004
002B3202: BD F0 RET (R4,R5,R6,R7)
;************************************************
;################################################
READ_UEM_IMEI
;################################################
;r0 = dest
;RET r0 = status; 1=IMEI is not zero (00,00,00,....)
002B3204: B5 F0 PUSH (R4,R5,R6,R7,LR)
002B3206: 1C 04 ADD R4,R0,#0
002B3208: 26 04 MOV R6,#04 ;read 4 registers
002B320A: 4D 48 LDR R5,[PC+#0120] ;[002B332C]=014AE414 ;IMEI reg:mask table (1b,1c,1d,1e, mask=ffff)
002B320C: 27 00 MOV R7,#00
002B320E: 68 28 LDR R0,[R5+#00] ;r0 = reg:mask
002B3210: F0 01 FD 99 CALL 002B4D46 ;READ_UEM_REG
002B3214: 04 00 LSL R0,R0,16 ;r0 = reg value
;************************************************
004AE414: 00 1B ;IMEI UEM TABLE
004AE416: FF FF
004AE418: 00 1C
004AE41A: FF FF
004AE41C: 00 1D
004AE41E: FF FF
004AE420: 00 1E
004AE422: FF FF
;************************************************
B.R.
Dejan Kaljevic
DCT4 uses a baseband architecture of an ARM7 MCU core plus a TI320C54X DSP core; the listing above uses the 8310 as the example of hardware ID verification and IMEI verification.
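The Get_IMEI listing (002B2E2C to 002B2E8E) is easier to audit as a decision table than as branches, so here is an added Python model of its control flow; it is not firmware code and not Dejan's, and the argument names (`flash_status`, `uem_status`, `sys_flag`) are assumed labels for the values the three callees return. It keeps the constants from the listing: the FLASH read fetches 10h bytes, the UEM comparison loop stops at 08h bytes, and the FF fill covers 10h bytes. Two details worth noticing when reading the model against the listing: every path ends at 002B2E8A with r0 = 1, so the FF-filled buffer, not the return value, is the only signal of a bad IMEI; and when the UEM copy is all zero or differs from the FLASH copy, the FLASH value is still accepted if Get_sys_flag(3) returns 2.

```python
IMEI_SIZE = 0x10   # size passed to Get_secure_data_from_FLASH (002B2E34)
CMP_BYTES = 0x08   # bytes compared against the UEM copy (002B2E60)


def get_imei(flash_status, flash_bytes, uem_status, uem_bytes, sys_flag):
    """Model of Get_IMEI. Inputs are constructed stand-ins for the callees:
    flash_status/flash_bytes  - r0 and dest after Get_secure_data_from_FLASH
    uem_status/uem_bytes      - r0 and SP buffer after READ_UEM_IMEI
    sys_flag                  - r0 after Get_sys_flag(3)
    Returns (r0, dest) exactly as the listing leaves them."""
    dest = bytearray(flash_bytes[:IMEI_SIZE])   # r4 = dest, filled by the FLASH read
    r5 = flash_status                           # 002B2E3A
    keep = False
    if r5 == 1:                                 # 002B2E3C/3E: FLASH copy valid
        r5 = uem_status                         # 002B2E46
        if r5 == 1:                             # 002B2E48/4A: UEM copy non-zero
            if dest[:CMP_BYTES] != bytes(uem_bytes[:CMP_BYTES]):   # 002B2E50..62
                r5 = 0                          # 002B2E6A: mismatch
        # 002B2E64: only r5 == 0 consults the system flag; other values go to 002B2E76
        if r5 == 0 and sys_flag == 2:           # 002B2E6C..74
            keep = True
    if r5 == 1:                                 # 002B2E76/78
        keep = True
    if not keep:
        dest[:] = b"\xFF" * IMEI_SIZE           # 002B2E7A..88: fill dest with FF
    return 1, bytes(dest)                       # 002B2E8A: r0 = 1 on every path


def decision_table():
    """Enumerate the outcomes for constructed inputs; True means dest kept."""
    flash = bytes(range(0x10))                  # constructed 16-byte FLASH IMEI block
    uem_match = flash[:CMP_BYTES]
    uem_other = bytes([0x99] * CMP_BYTES)       # constructed differing UEM copy
    cases = {
        "flash_bad":               get_imei(0, b"\xFF" * IMEI_SIZE, 1, uem_match, 2),
        "match":                   get_imei(1, flash, 1, uem_match, 0),
        "mismatch":                get_imei(1, flash, 1, uem_other, 0),
        "mismatch_sysflag2":       get_imei(1, flash, 1, uem_other, 2),
        "uem_zero":                get_imei(1, flash, 0, bytes(CMP_BYTES), 0),
        "uem_zero_sysflag2":       get_imei(1, flash, 0, bytes(CMP_BYTES), 2),
    }
    return {name: result[1] == flash for name, result in cases.items()}


if __name__ == "__main__":
    for name, kept in decision_table().items():
        print(f"{name:20s} dest kept: {kept}")
```

Running it prints the six cases; only `match`, `mismatch_sysflag2` and `uem_zero_sysflag2` keep the FLASH value, and the return value is 1 in all six, which matches the single MOV R0,#01 at 002B2E8A.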
--------------------------------------------------------------------------------