comparison imeibrute.c @ 60:1e797f846563

imeibrute written
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Fri, 29 Nov 2013 01:39:31 +0000
parents
children
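--- a/imeibrute.c
+++ b/imeibrute.c
@@ -0,0 +1,99 @@
+/*
+* The IMEI "protection" implemented by TI for Calypso (as opposed to Calypso+
+* or LoCosto) platforms for those device manufs who desired to obfuscate their
+* IMEIs (not everyone did - Openmoko opted out, for example), as seen in
+* g23m/condat/com/src/comlib/cl_imei.c in the Leonardo semi-src by Sotovik,
+* encrypts the IMEI using plain DES, using a key derived from the Calypso die
+* ID. However, only 28 effective key bits are used, and the key is then also
+* encrypted with itself and stored right after the encrypted IMEI, and is used
+* by the decryption & verification routine. Per TI's source, the 16-byte
+* encrypted IMEI record is to be stored in FFS in /gsm/imei.enc; the DP-L10
+* phone by Pirelli/Foxconn has been found to use the same scheme, but store
+* the 16-byte record in question in their "factory block" instead, at absolute
+* address 0x027F0504 as seen by the ARM7 CPU.
+*
+* The encryption scheme seems so weak to me (28 effective key bits and an easy
+* hit detection criterion for a brute force cracker) that I decided to see,
+* just for fun, how long it would take to crack that encryption by brute force
+* alone, and using a totally non-optimized program to do that.
+*/
+
+#include <sys/types.h>
+#include <openssl/des.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+DES_cblock ciphertext[2], dieid_key, decrypted[2];
+DES_key_schedule keysched;
+
+read_ciphertext(filename, offset_arg)
+char *filename, *offset_arg;
+{
+FILE *f;
+u_long offset_val;
+
+f = fopen(filename, "r");
+if (!f) {
+perror(filename);
+exit(1);
+}
+if (offset_arg) {
+offset_val = strtoul(offset_arg, 0, 16);
+fseek(f, offset_val, 0);
+}
+fread(ciphertext, 8, 2, f);
+fclose(f);
+}
+
+print_des_cblock(msg, blk)
+char *msg;
+DES_cblock blk;
+{
+printf("%s: %02X %02X %02X %02X %02X %02X %02X %02X\n", msg,
+blk[0], blk[1], blk[2], blk[3], blk[4], blk[5], blk[6], blk[7]);
+}
+
+try()
+{
+DES_set_key_unchecked(&dieid_key, &keysched);
+DES_ecb_encrypt(&ciphertext[1], &decrypted[1], &keysched, DES_DECRYPT);
+if (decrypted[1][0] & 0xFE != dieid_key[0])
+return;
+if (decrypted[1][1])
+return;
+if (decrypted[1][2] & 0xFE != dieid_key[2])
+return;
+if (decrypted[1][3])
+return;
+if (decrypted[1][4] & 0xFE != dieid_key[4])
+return;
+if (decrypted[1][5])
+return;
+if (decrypted[1][6] & 0xFE != dieid_key[6])
+return;
+if (decrypted[1][7])
+return;
+print_des_cblock("Hit", &decrypted[1]);
+DES_ecb_encrypt(&ciphertext[0], &decrypted[0], &keysched, DES_DECRYPT);
+print_des_cblock("IMEI", &decrypted[0]);
+}
+
+main(argc, argv)
+char **argv;
+{
+if (argc < 2 || argc > 3) {
+fprintf(stderr, "usage: %s binfile [offset]\n", argv[0]);
+exit(1);
+}
+read_ciphertext(argv[1], argv[2]);
+dieid_key[1] = 0;
+dieid_key[3] = 0;
+dieid_key[5] = 0;
+dieid_key[7] = 0;
+for (dieid_key[0] = 0; dieid_key[0] <= 0xFE; dieid_key[0] += 2)
+for (dieid_key[2] = 0; dieid_key[2] <= 0xFE; dieid_key[2] += 2)
+for (dieid_key[4] = 0; dieid_key[4] <= 0xFE; dieid_key[4] += 2)
+for (dieid_key[6] = 0; dieid_key[6] <= 0xFE; dieid_key[6] += 2)
+try();
+exit(0);
+}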
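Review bot: The hit test in try() is broken by operator precedence: `!=` binds tighter than `&`, so `decrypted[1][0] & 0xFE != dieid_key[0]` is parsed as `decrypted[1][0] & (0xFE != dieid_key[0])`, which yields 0 or 1 and never compares the masked byte with the key; the [2], [4] and [6] checks have the same problem, and each should read `if ((decrypted[1][0] & 0xFE) != dieid_key[0])`. Separately, read_ciphertext() ignores the return values of fseek() and fread(), so a short or truncated input leaves part of ciphertext uninitialized and the search silently runs on garbage; `if (fread(ciphertext, 8, 2, f) != 2) { fprintf(stderr, "%s: short read\n", filename); exit(1); }` would reject it. The K&R definitions carry no return types or prototypes, which is also why print_des_cblock() accepts `&decrypted[1]` (a pointer to an array) for a parameter that decays to `unsigned char *` without any diagnostic; ANSI prototypes with `-Wall` would flag both this and the precedence bug (`-Wparentheses`).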