annotate miscprog/pirimei.c @ 160:db3b300da465
malware version of the C118 bootloader reversed
author | Michael Spacefalcon <msokolov@ivan.Harhan.ORG> |
---|---|
date | Thu, 15 May 2014 08:38:42 +0000 |
parents | 597143ba1c37 |
children |
1 /* |
2 * This program recovers the IMEI of a Pirelli DP-L10 phone from a dump of |
3 * its factory block (last 64 KiB sector of the 2nd flash chip select) and |
4 * the corresponding dieid file as written by fc-loadtool. |
5 * |
6 * The location of the 16-byte encrypted IMEI record within the factory block |
7 * (at offset 0x504) has been figured out with the help of the factdiff.c |
8 * program, and the magic decryption & verification algorithm has been found in |
9 * g23m/condat/com/src/comlib/cl_imei.c in the Leonardo semi-src by Sotovik. |
10 */ |
11 |
12 #include <sys/types.h> |
13 #include <openssl/des.h> |
14 #include <ctype.h> |
15 #include <stdio.h> |
16 #include <stdlib.h> |
17 |
/* The 16-byte encrypted IMEI record read from the factory block dump,
 * held as two 8-byte DES blocks (filled by read_ciphertext()). */
DES_cblock ciphertext[2];

/* Single-DES key derived from the dieid file (filled by read_dieid_file()). */
DES_cblock dieid_key;

/* Plaintext output of decrypting ciphertext[0] and ciphertext[1] in main(). */
DES_cblock decrypted[2];

/* Expanded form of dieid_key, set up by DES_set_key_unchecked() in main(). */
DES_key_schedule keysched;
20 |
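/*
 * Read the 16-byte encrypted IMEI record out of a factory block dump.
 *
 * filename: path to the factory block dump (fact.bin).
 *
 * Fills the global ciphertext[] with the two 8-byte DES blocks located at
 * offset 0x504 of the dump.  Any failure to open the file, seek to the
 * record, or read the full 16 bytes is reported on stderr and terminates the
 * program with exit(1), so ciphertext[] is never left partially filled or
 * uninitialized (the original did not check fseek() or fread(), and a short
 * dump would have been "decrypted" from whatever happened to be in memory).
 */
void
read_ciphertext(const char *filename)
{
	/* fixed location of the encrypted IMEI record in the factory block */
	const long imei_record_offset = 0x504L;
	FILE *f;
	size_t nblocks;

	/* "rb": the dump is raw flash contents, not text */
	f = fopen(filename, "rb");
	if (!f) {
		perror(filename);
		exit(1);
	}
	if (fseek(f, imei_record_offset, SEEK_SET) != 0) {
		perror(filename);
		fclose(f);
		exit(1);
	}
	nblocks = fread(ciphertext, sizeof ciphertext[0], 2, f);
	if (nblocks != 2) {
		fprintf(stderr, "%s: short read of IMEI record at offset 0x%lx\n",
			filename, imei_record_offset);
		fclose(f);
		exit(1);
	}
	fclose(f);
}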
35 |
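/*
 * Convert one hexadecimal digit character to its numeric value (0..15).
 *
 * ch: a character the caller has already validated with isxdigit();
 *     both upper- and lowercase letters are accepted.
 *
 * Returns the digit's value.  Characters that are not hex digits are not
 * rejected here; the result for them is meaningless.
 */
int
decode_hexdigit(int ch)
{
	/* <ctype.h> functions take an unsigned char value (or EOF), and plain
	 * char may be signed, so convert before classifying */
	unsigned char c = (unsigned char) ch;

	if (isdigit(c))
		return c - '0';
	/* lowercase must be tested separately: isalpha() is also true for
	 * 'a'..'f', which previously made them decode as 42..47 */
	if (isupper(c))
		return c - 'A' + 10;
	return c - 'a' + 10;
}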
45 |
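/*
 * Return nonzero if lb has the shape "XXXXXXXX: XXXX\n" (X = hex digit).
 *
 * Checks stop at the first mismatch, so the scan never runs past the
 * terminating NUL that fgets() leaves in a short line.
 */
static int
dieid_line_ok(const char *lb)
{
	/* <ctype.h> functions want unsigned char values, not possibly-signed char */
	const unsigned char *p = (const unsigned char *) lb;
	int j;

	for (j = 0; j < 8; j++)
		if (!isxdigit(p[j]))
			return 0;
	if (p[8] != ':' || p[9] != ' ')
		return 0;
	for (j = 10; j < 14; j++)
		if (!isxdigit(p[j]))
			return 0;
	return p[14] == '\n';
}

/*
 * Derive the DES key from a dieid file as written by fc-loadtool.
 *
 * filename: path to the dieid file.
 *
 * The file must contain at least four lines, each of the form
 * "XXXXXXXX: XXXX\n" (8 hex digits, ": ", 4 hex digits).  The low byte of
 * each line's 16-bit value (its last two hex digits) becomes an even-indexed
 * byte of the global dieid_key; the odd-indexed bytes are set to zero.
 * A missing line, or one that does not match the expected shape, is
 * reported on stderr and terminates the program with exit(1).  The original
 * did not check the fgets() result, so a short file would have been
 * validated against whatever lb[] held at the time.
 */
void
read_dieid_file(const char *filename)
{
	FILE *f;
	int i;
	char lb[64];

	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	for (i = 0; i < 4; i++) {
		if (!fgets(lb, sizeof lb, f)) {
			fprintf(stderr, "%s: unexpected end of file at line %d\n",
				filename, i + 1);
			fclose(f);
			exit(1);
		}
		if (!dieid_line_ok(lb)) {
			fprintf(stderr, "%s, line %d: differs from expected\n",
				filename, i + 1);
			fclose(f);
			exit(1);
		}
		/* only the low byte of each line's value feeds the key */
		dieid_key[i*2] = (decode_hexdigit(lb[12]) << 4) |
				decode_hexdigit(lb[13]);
		dieid_key[i*2+1] = 0;
	}
	fclose(f);
}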
76 |
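/*
 * Print one 8-byte DES block in hex, prefixed by a label.
 *
 * msg: label printed before the bytes.
 * blk: pointer to the block to print; the block is only read.  Taking a
 *      pointer to the array matches how main() passes &dieid_key and
 *      &ciphertext[n]; the old K&R definition hid that mismatch because it
 *      declared no prototype.
 *
 * Writes "<msg>: XX XX XX XX XX XX XX XX\n" to stdout.
 */
void
print_des_cblock(const char *msg, DES_cblock *blk)
{
	int i;

	printf("%s:", msg);
	for (i = 0; i < 8; i++)
		printf(" %02X", (*blk)[i]);
	putchar('\n');
}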
84 |
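/*
 * Entry point: recover the IMEI record from a factory block dump.
 *
 * argv[1]: factory block dump (fact.bin)
 * argv[2]: dieid file written by fc-loadtool
 *
 * Prints the derived key, both ciphertext blocks and both decrypted blocks
 * on stdout.  Returns 0 on success; usage errors exit with status 1, and the
 * two reader functions exit with status 1 themselves on any input problem.
 */
int
main(int argc, char **argv)
{
	if (argc != 3) {
		fprintf(stderr, "usage: %s fact.bin dieid\n", argv[0]);
		exit(1);
	}
	read_ciphertext(argv[1]);
	read_dieid_file(argv[2]);
	print_des_cblock("Key derived from die ID", &dieid_key);
	print_des_cblock("Ciphertext block 1", &ciphertext[0]);
	print_des_cblock("Ciphertext block 2", &ciphertext[1]);
	/* The key's odd-indexed bytes are zero (see read_dieid_file()), which
	 * fails DES's odd-parity rule, so the checked key setup cannot be used.
	 * Single DES in ECB mode is what the algorithm found in cl_imei.c
	 * (see the file header) calls for. */
	DES_set_key_unchecked(&dieid_key, &keysched);
	DES_ecb_encrypt(&ciphertext[0], &decrypted[0], &keysched, DES_DECRYPT);
	print_des_cblock("1st decrypted block", &decrypted[0]);
	DES_ecb_encrypt(&ciphertext[1], &decrypted[1], &keysched, DES_DECRYPT);
	print_des_cblock("2nd decrypted block", &decrypted[1]);
	return 0;
}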