annotate miscprog/pirimei.c @ 160:db3b300da465

malware version of the C118 bootloader reversed
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Thu, 15 May 2014 08:38:42 +0000
parents 597143ba1c37
children
1 /*
2 * This program recovers the IMEI of a Pirelli DP-L10 phone from a dump of
3 * its factory block (last 64 KiB sector of the 2nd flash chip select) and
4 * the corresponding dieid file as written by fc-loadtool.
5 *
6 * The location of the 16-byte encrypted IMEI record within the factory block
7 * (at offset 0x504) has been figured out with the help of the factdiff.c
8 * program, and the magic decryption & verification algorithm has been found in
9 * g23m/condat/com/src/comlib/cl_imei.c in the Leonardo semi-src by Sotovik.
10 */
11
12 #include <sys/types.h>
13 #include <openssl/des.h>
14 #include <ctype.h>
15 #include <stdio.h>
16 #include <stdlib.h>
17
/*
 * Working buffers shared by the file readers and main():
 *   ciphertext - the two 8-byte blocks read from the factory block image
 *   dieid_key  - the 8-byte DES key assembled from the dieid file
 *   decrypted  - output of the two ECB decryptions of ciphertext[]
 *   keysched   - key schedule expanded from dieid_key
 */
DES_cblock ciphertext[2];
DES_cblock dieid_key;
DES_cblock decrypted[2];
DES_key_schedule keysched;
20
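/*
 * Read the 16-byte encrypted IMEI record out of a factory block dump.
 *
 * filename: path to the factory block image.
 *
 * The two 8-byte ciphertext blocks at offset 0x504 are stored into the
 * global ciphertext[] array.  Failure to open the file, to seek, or to
 * read the full record is fatal: a diagnostic is printed and the program
 * exits with status 1, so the caller never works on a partially filled
 * ciphertext[] (the original code ignored the fread() result, which left
 * uninitialised bytes in place after a short read).
 */
void
read_ciphertext(char *filename)
{
	FILE *f;

	/* binary mode: the image is raw flash contents, not text */
	f = fopen(filename, "rb");
	if (!f) {
		perror(filename);
		exit(1);
	}
	/* the encrypted IMEI record sits at a fixed offset in the block */
	if (fseek(f, 0x504L, SEEK_SET) < 0) {
		perror(filename);
		exit(1);
	}
	if (fread(ciphertext, sizeof ciphertext[0], 2, f) != 2) {
		fprintf(stderr, "%s: short read of IMEI record at offset 0x504\n",
			filename);
		exit(1);
	}
	fclose(f);
}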
35
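/*
 * Convert one hexadecimal digit character to its value 0..15.
 *
 * ch: a character the caller has already validated with isxdigit().
 *
 * Returns the digit's numeric value; for any other character the result
 * is meaningless, so callers must validate first.
 */
int
decode_hexdigit(int ch)
{
	/* cast: ctype functions take an unsigned char value or EOF */
	unsigned char c = (unsigned char)ch;

	if (isdigit(c))
		return c - '0';
	/* isupper()/islower() rather than isalpha(): isalpha() matched both
	 * cases, which sent 'a'..'f' through the 'A' branch (wrong value)
	 * and made the lowercase branch unreachable. */
	if (isupper(c))
		return c - 'A' + 10;
	return c - 'a' + 10;
}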
45
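/*
 * Check one dieid line against the "XXXXXXXX: XXXX\n" template
 * (8 hex digits, colon, space, 4 hex digits, newline).
 *
 * lb: NUL-terminated line as returned by fgets().
 *
 * Returns non-zero if the line matches.  Each test returns at the first
 * mismatch, so a short line is never scanned past its terminator.
 */
static int
dieid_line_ok(const char *lb)
{
	int i;

	for (i = 0; i < 8; i++)
		if (!isxdigit((unsigned char)lb[i]))
			return 0;
	if (lb[8] != ':' || lb[9] != ' ')
		return 0;
	for (i = 10; i < 14; i++)
		if (!isxdigit((unsigned char)lb[i]))
			return 0;
	return lb[14] == '\n';
}

/*
 * Build the DES key from the dieid file written by fc-loadtool.
 *
 * filename: path to the dieid file.
 *
 * The first four lines of the file must each have the form
 * "XXXXXXXX: XXXX\n".  The last two hex digits of line i become
 * dieid_key[2*i] and dieid_key[2*i+1] is set to zero, so only the four
 * even-indexed key bytes carry die-ID material.  A missing line or a line
 * that does not match the template is fatal: a diagnostic is printed and
 * the program exits with status 1.
 */
void
read_dieid_file(char *filename)
{
	FILE *f;
	int i;
	char lb[64];

	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	for (i = 0; i < 4; i++) {
		/* An unchecked fgets() failure would leave lb[] holding the
		 * previous line or uninitialised bytes for the check below. */
		if (!fgets(lb, sizeof lb, f)) {
			fprintf(stderr, "%s, line %d: missing\n", filename, i + 1);
			exit(1);
		}
		if (!dieid_line_ok(lb)) {
			fprintf(stderr, "%s, line %d: differs from expected\n",
				filename, i + 1);
			exit(1);
		}
		dieid_key[i*2] = (decode_hexdigit(lb[12]) << 4) |
				 decode_hexdigit(lb[13]);
		dieid_key[i*2+1] = 0;
	}
	fclose(f);
}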
76
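/*
 * Print an 8-byte DES block as one labelled line of hex bytes.
 *
 * msg: label printed before the colon.
 * blk: the block to dump; DES_cblock is an 8-byte array, so this
 *      parameter decays to a pointer to its first byte.
 *
 * Output on stdout: "<msg>: XX XX XX XX XX XX XX XX\n".
 * Defined with a prototype and an explicit void return; the K&R form
 * relied on implicit int, which C99 removed.
 */
void
print_des_cblock(char *msg, DES_cblock blk)
{
	int i;

	printf("%s:", msg);
	for (i = 0; i < 8; i++)
		printf(" %02X", blk[i]);
	putchar('\n');
}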
84
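/*
 * Usage: pirimei fact.bin dieid
 *
 * Loads the two ciphertext blocks from the factory block dump (argv[1])
 * and the DES key from the dieid file (argv[2]), prints both, then
 * decrypts each block on its own (ECB) and prints the plaintext blocks.
 * Interpreting the decrypted bytes as an IMEI is left to the reader.
 *
 * Exits with status 1 on a usage error or when either input file cannot
 * be read (the readers exit themselves), 0 otherwise.
 */
int
main(int argc, char **argv)
{
	if (argc != 3) {
		fprintf(stderr, "usage: %s fact.bin dieid\n", argv[0]);
		exit(1);
	}
	read_ciphertext(argv[1]);
	read_dieid_file(argv[2]);
	/* arrays are passed directly: print_des_cblock() takes a DES_cblock,
	 * i.e. a pointer to the first byte, not a pointer to the array */
	print_des_cblock("Key derived from die ID", dieid_key);
	print_des_cblock("Ciphertext block 1", ciphertext[0]);
	print_des_cblock("Ciphertext block 2", ciphertext[1]);
	/* _unchecked: the key bytes come straight from the die ID and are
	 * not parity-adjusted, which the checked variant would enforce */
	DES_set_key_unchecked(&dieid_key, &keysched);
	DES_ecb_encrypt(&ciphertext[0], &decrypted[0], &keysched, DES_DECRYPT);
	print_des_cblock("1st decrypted block", decrypted[0]);
	DES_ecb_encrypt(&ciphertext[1], &decrypted[1], &keysched, DES_DECRYPT);
	print_des_cblock("2nd decrypted block", decrypted[1]);
	return 0;
}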