[DEV] find key to decrypt updates

condi

Hi guys,

I think I've found a way to find the key/pattern to decrypt updates,
without device, without vulnerable recovery etc.

but to get it we have to do some brainstorming :D

The Sony tab is desklunvring (decrypting) the update zip, then verifies and flashes it.
Just get a small update, such as ICS Release 6a Incremental
(it's for the Xp tab = will not flash on nbx03, so you are safe :) ).

Recovery checks some encrypted header or something similar,
there is no checksum check etc - we can insert our own code to zip :)

Open it in a hex editor, go somewhere in the middle of the code,
and write whatever you want there. Save it, copy it to the SD card,
run 1st _hack_recovery to get adb shell working,
then run the modified update zip, run shell and type:

Code:
/system/bin/tempsu
/system/bin/cat /tmp/desklunvr/desklunvr.zip > /cache/recovery/decr.zip
exit shell and:
adb pull /cache/recovery/decr.zip

Now open decr.zip with a hex editor,
and go to the offset where you've made changes.

That's the way we can add our own text or characters there,
and get the way updates are being decrypted.

For example:
Code:
added:
00 00 00 00 00 00 00 00 00 00

after decrypting becomes:
82 A6 51 3D 82 A6 51 3D 82 A6

I'm not an encryption/shifting cipher/XOR expert etc.,
so help from anybody who has knowledge of that will be greatly
appreciated :)

We could develop a tool like for Acer,
it would be very handy.

br
condi
 

psxpetey

Did you try entering that code into something you want to decrypt?

Sent from my Sony Tablet S using xda app-developers app

---------- Post added at 10:08 PM ---------- Previous post was at 10:03 PM ----------

Tried entering, figured it wouldn't. Seems condi has use for your post though.

 

furb3t


From the example it seems that they are using a constant to decrypt: 82 A6 51 3D. Usually, to encrypt/decrypt firmware, a constant value (82 A6 51 3D) is XORed with the original bytes; but it's also common to insert a CRC at the end of the file to verify it.
 

<robin>

I decompiled recovery with IDA Pro and learned this:
Update from SD card is done by the function at 0xD1EC (sub_D1EC).
It does Desklunvr (descramble) first (sub_21854),
then loads keys from /res/keys; each key length is 64 (0x40),
and verifies the ROM file with these keys in sub_F008.
If all is OK, it installs the file META-INF/com/google/android/update-bina to /tmp/update_binary and runs it
(sub_E988 writes a string to the screen, sub_40254 writes a string to the log file).

So the next step is to study sub_21854 and sub_F008, and get the key in /res/keys.

Hi condi, what is that /res/keys? Is it the same as AllInOne 5.2/files/keys?
 

condi

/res/keys is not important, it is for verification AFTER decrypting.
 

<robin>

Comparing the encrypted ROM and the decrypted one (China ROM signed-nbx03_024-ota-120510011.zip), I got this result:
1. The 2 files are the same size, in my case 225,785,027 bytes. That means the crypt doesn't add any data to the file; it only works on the original data itself.

2. Continuous zero lines give a repeating crypt, but the crypt is not the same (16 bytes per line).
E.g. at 0x9A9C10
plain is many lines of zero
Code:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;
crypt is many lines of
Code:
EA 9A 01 BB EA 9A 01 BB EA 9A 01 BB EA 9A 01 BB ;
EA 9A 01 BB EA 9A 01 BB EA 9A 01 BB EA 9A 01 BB ;
E.g. at 0x506E8C0
plain is many lines of zero
Code:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;
crypt is many lines of
Code:
8C 9D C5 8C F9 15 56 60 6E FB 47 71 75 D2 A8 E5 ;
8C 9D C5 8C F9 15 56 60 6E FB 47 71 75 D2 A8 E5 ;
3. From the 2nd line of a zero block to the line after the end of the zero block:
plain line[N] = crypt line[N-1] XOR crypt line[N]
E.g. the crypt of zero lines is the same, repeated, so plain is zero.
E.g. crypt:
Code:
0506e870h: F9 15 56 60 6E FB 47 71 75 D2 A8 E5 8C 9D C5 8C ;
0506e880h: F9 15 56 60 6E FB 47 71 75 2D F5 10 8D 9D 35 F3 ;
plain
Code:
0506e880h: 00 00 00 00 00 00 00 00 00 FF 5D F5 01 00 F0 7F ;
4. Why the 2nd line from the beginning and the next line after the end?
I guess it uses 3 nearby lines to get the crypt. If the data repeats for more than 2 lines, you will get the same crypt.


Any suggestions, guys?





Edit:
but for this line, after the zero block,
crypt is
Code:
0506ee60h: 8C 9D C5 8C F9 15 56 60 6E FB 47 71 75 D2 A8 E5 ;
0506ee70h: 8C 9D C5 7C 06 A4 A1 8E 04 AC A6 D3 21 E4 52    ;
XOR out is
Code:
0506ee70h: 00 00 00 F0 FF B1 F7 EE 6A 57 E1 A2 54 36 FA BC ;
plain should be
Code:
0506ee70h: 00 00 00 F0 FF B1 F7 EE 01 56 4D FF FF FF A4 39 ;
The first 8 bytes are OK, but the last 8 bytes are wrong...
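
Added example (not part of any post in this thread): a Python check of the constant-XOR reading in furb3t's post and of the adjacent-line XOR relation in the post above, run only on the byte samples quoted in the thread. It assumes the hex lines were posted accurately; the function names are this example's own, and the 0506ee70h crypt line is used with the 15 bytes shown.

```python
"""Known-plaintext checks on the byte samples posted in this thread."""


def hx(text):
    return bytes.fromhex(text)  # fromhex ignores the spaces


def xor(a, b):
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def repeating_unit(data):
    """Shortest prefix that reproduces `data` when repeated."""
    for p in range(1, len(data) + 1):
        if all(data[i] == data[i % p] for i in range(len(data))):
            return data[:p]
    return data


def leading_matches(got, expected):
    """Number of leading byte positions where both strings agree."""
    n = 0
    for g, e in zip(got, expected):
        if g != e:
            break
        n += 1
    return n


def chained_xor_check(prev, cur, plain):
    """Test plain[N] == crypt[N-1] XOR crypt[N] on one pair of lines.
    Returns (bytes compared, leading bytes that agree)."""
    got = xor(prev, cur)
    return min(len(got), len(plain)), leading_matches(got, plain)


# Output seen over zero input, as posted. condi wrote zeros into the
# scrambled file; the other two are zero runs in the plain ROM.
ZERO_RUNS = {
    "condi": hx("82 A6 51 3D 82 A6 51 3D 82 A6"),
    "0x9A9C10": hx("EA9A01BB" * 8),
    "0x506E8C0": hx("8C9DC58CF91556606EFB477175D2A8E5" * 2),
}

# Line pairs from the post above (crypt N-1, crypt N, plain N).
PAIR_0506E880 = dict(
    prev=hx("F9 15 56 60 6E FB 47 71 75 D2 A8 E5 8C 9D C5 8C"),
    cur=hx("F9 15 56 60 6E FB 47 71 75 2D F5 10 8D 9D 35 F3"),
    plain=hx("00 00 00 00 00 00 00 00 00 FF 5D F5 01 00 F0 7F"),
)
PAIR_0506EE70 = dict(
    prev=hx("8C 9D C5 8C F9 15 56 60 6E FB 47 71 75 D2 A8 E5"),
    cur=hx("8C 9D C5 7C 06 A4 A1 8E 04 AC A6 D3 21 E4 52"),  # 15 bytes as posted
    plain=hx("00 00 00 F0 FF B1 F7 EE 01 56 4D FF FF FF A4 39"),
)


def zero_run_units():
    """Repeating unit of the output for each zero run, as hex."""
    return {name: repeating_unit(run).hex() for name, run in ZERO_RUNS.items()}


def one_constant_key():
    """True only if every zero run shows the same repeating unit,
    which a single file-wide XOR constant would require."""
    return len(set(zero_run_units().values())) == 1


if __name__ == "__main__":
    for name, unit in zero_run_units().items():
        print(f"zero run {name}: unit {unit} ({len(unit) // 2} bytes)")
    print("single constant key:", one_constant_key())
    for label, pair in (("0506e880h", PAIR_0506E880), ("0506ee70h", PAIR_0506EE70)):
        compared, ok = chained_xor_check(**pair)
        print(f"{label}: first {ok} of {compared} bytes match crypt[N-1] XOR crypt[N]")
```
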
 

<robin>

It seems the descramble work is done in this:
recovery reads 0x400 bytes from the ROM, runs this function, and writes to desklunvr.zip.

Not sure what this function does...
Code:
.text:000224F4
.text:000224F4 ; =============== S U B R O U T I N E =======================================
.text:000224F4
.text:000224F4
.text:000224F4 descramble1_224F4                       ; DATA XREF: .got:0005E544o
.text:000224F4
.text:000224F4 var_5C          = -0x5C
.text:000224F4 var_58          = -0x58
.text:000224F4 var_54          = -0x54
.text:000224F4 var_50          = -0x50
.text:000224F4 var_4C          = -0x4C
.text:000224F4 var_48          = -0x48
.text:000224F4 var_44          = -0x44
.text:000224F4 var_40          = -0x40
.text:000224F4 var_3C          = -0x3C
.text:000224F4 var_38          = -0x38
.text:000224F4 var_34          = -0x34
.text:000224F4 var_30          = -0x30
.text:000224F4 var_2C          = -0x2C
.text:000224F4 var_28          = -0x28
.text:000224F4 var_24          = -0x24
.text:000224F4 var_20          = -0x20
.text:000224F4 var_1C          = -0x1C
.text:000224F4 var_18          = -0x18
.text:000224F4 var_14          = -0x14
.text:000224F4 var_10          = -0x10
.text:000224F4 var_C           = -0xC
.text:000224F4
.text:000224F4 ; FUNCTION CHUNK AT .text:000228D8 SIZE 00000004 BYTES
.text:000224F4
.text:000224F4                 PUSH            {R4}
.text:000224F6                 SUB             SP, SP, #0x5C
.text:000224F8                 LDR             R4, loc_228DC
.text:000224FA                 ADD             R4, PC
.text:000224FC                 STR             R0, [SP,#0xC]
.text:000224FE                 STR             R1, [SP,#8]
.text:00022500                 STR             R2, [SP,#4]
.text:00022502                 MOV.W           R3, #0
.text:00022506                 STR             R3, [SP,#0x50]
.text:00022508                 MOV.W           R3, #0
.text:0002250C                 STR             R3, [SP,#0x4C]
.text:0002250E                 MOV.W           R3, #0
.text:00022512                 STR             R3, [SP,#0x48]
.text:00022514                 MOV.W           R3, #0
.text:00022518                 STR             R3, [SP,#0x44]
.text:0002251A                 MOV.W           R3, #0
.text:0002251E                 STR             R3, [SP,#0x40]
.text:00022520                 MOV             R3, 0xAE91FA39
.text:00022528                 STR             R3, [SP,#0x10]
.text:0002252A                 MOV             R3, 0x2D682474
.text:00022532                 STR             R3, [SP,#0x4C]
.text:00022534                 MOV             R3, 0x1E1410AC
.text:0002253C                 STR             R3, [SP,#0x48]
.text:0002253E                 MOV             R3, 0x96807D2A
.text:00022546                 STR             R3, [SP,#0x44]
.text:00022548                 MOV             R3, 0x29F145
.text:00022550                 STR             R3, [SP,#0x40]
.text:00022552                 LDR             R3, [SP,#8]
.text:00022554                 STR             R3, [SP,#0x3C]
.text:00022556                 MOV             R3, 0x5001A130
.text:0002255E                 STR             R3, [SP,#0x38]
.text:00022560                 MOV             R3, 0x23EC0A8B
.text:00022568                 STR             R3, [SP,#0x34]
.text:0002256A                 LDR             R3, [SP,#0x3C]
.text:0002256C                 MVN.W           R3, R3
.text:00022570                 STR             R3, [SP,#0x30]
.text:00022572                 LDR             R2, [SP,#0x34]
.text:00022574                 LDR             R3, [SP,#0x30]
.text:00022576                 ORRS            R3, R2
.text:00022578                 STR             R3, [SP,#0x34]
.text:0002257A                 LDR             R2, [SP,#0x34]
.text:0002257C                 MOV             R3, 0x10450111
.text:00022584                 ANDS            R3, R2
.text:00022586                 STR             R3, [SP,#0x30]
.text:00022588                 LDR             R2, [SP,#0x38]
.text:0002258A                 LDR             R3, [SP,#0x3C]
.text:0002258C                 ANDS            R3, R2
.text:0002258E                 STR             R3, [SP,#0x34]
.text:00022590                 LDR             R2, [SP,#0x34]
.text:00022592                 MOV             R3, 0x41A8A022
.text:0002259A                 ORRS            R3, R2
.text:0002259C                 STR             R3, [SP,#0x34]
.text:0002259E                 LDR             R2, [SP,#0x34]
.text:000225A0                 LDR             R3, [SP,#0x30]
.text:000225A2                 ADDS            R3, R2, R3
.text:000225A4                 STR             R3, [SP,#0x34]
.text:000225A6
.text:000225A6 loc_225A6                               ; CODE XREF: .text:000228D6j
.text:000225A6                                         ; descramble1_224F4+3E6j
.text:000225A6                 LDR             R2, [SP,#0x34]
.text:000225A8                 MOV             R3, 0xAE125ED2
.text:000225B0                 ADDS            R3, R2, R3
.text:000225B2                 CMP             R3, #5
.text:000225B4                 BHI.W           loc_227F6
.text:000225B8                 ADR             R1, 0x225C4
.text:000225BA                 LDR.W           R2, [R1,R3,LSL#2]
.text:000225BE                 ADD             R1, R2
.text:000225C0                 BX              R1
.text:000225C0 ; ---------------------------------------------------------------------------
.text:000225C2                 ALIGN 4
.text:000225C4                 DCD 0x19
.text:000225C8                 DCD 0x1C9
.text:000225CC                 DCD 0x221
.text:000225D0                 DCD 0x233
.text:000225D4                 DCD 0x23D
.text:000225D8 ; ---------------------------------------------------------------------------
.text:000225D8                 LSLS            R1, R0, #0xA
.text:000225DA                 MOVS            R0, R0
.text:000225DC                 NOP
.text:000225DE                 LDR             R3, [SP,#0xC]
.text:000225E0                 LDR             R2, [R3]
.text:000225E2                 MOV             R3, 0x88E9A4E5
.text:000225EA                 MUL.W           R2, R3, R2
.text:000225EE                 MOV             R3, 0xAE91FA39
.text:000225F6                 ADDS            R3, R2, R3
.text:000225F8                 STR             R3, [SP,#0x10]
.text:000225FA                 LDR             R3, [SP,#4]
.text:000225FC                 LDR             R3, [R3]
.text:000225FE                 MOV.W           R2, R3,LSL#2
.text:00022602                 LDR             R3, loc_228E0
.text:00022604                 LDR             R3, [R4,R3]
.text:00022606                 ADDS            R3, R2, R3
.text:00022608                 LDR             R3, [R3]
.text:0002260A                 STR             R3, [SP,#0x54]
.text:0002260C                 LDR             R2, [SP,#0x54]
.text:0002260E                 MOV             R3, 0x47EFECAB
.text:00022616                 MUL.W           R1, R3, R2
.text:0002261A                 LDR             R2, [SP,#0x10]
.text:0002261C                 MOV             R3, 0x4D490E26
.text:00022624                 MUL.W           R3, R3, R2
.text:00022628                 MOV             R2, 0x9B64BD89
.text:00022630                 ADDS            R2, R3, R2
.text:00022632                 LDR             R0, [SP,#0x54]
.text:00022634                 MOV             R3, 0xB8517B62
.text:0002263C                 MUL.W           R0, R3, R0
.text:00022640                 MOV             R3, 0xFC54F0B3
.text:00022648                 ADDS            R3, R0, R3
.text:0002264A                 ORRS            R2, R3
.text:0002264C                 MOV             R3, 0x88E9A4E5
.text:00022654                 MUL.W           R3, R3, R2
.text:00022658                 ADDS            R2, R1, R3
.text:0002265A                 LDR             R3, [SP,#0x10]
.text:0002265C                 ADDS            R2, R2, R3
.text:0002265E                 MOV             R3, 0x1DE85463
.text:00022666                 ADDS            R3, R2, R3
.text:00022668                 STR             R3, [SP,#0x54]
.text:0002266A                 LDR             R3, [SP,#0x54]
.text:0002266C                 STR             R3, [SP,#0x10]
.text:0002266E                 LDR             R2, [SP,#0x10]
.text:00022670                 MOV             R3, 0xD95B78ED
.text:00022678                 MUL.W           R2, R3, R2
.text:0002267C                 MOV             R3, 0xB24DA13B
.text:00022684                 ADDS            R3, R2, R3
.text:00022686                 LDR             R2, [SP,#0xC]
.text:00022688                 STR             R3, [R2]
.text:0002268A                 LDR             R2, [SP,#0x10]
.text:0002268C                 MOV             R3, 0x26A48713
.text:00022694                 MUL.W           R2, R3, R2
.text:00022698                 MOV             R3, 0x4DB25EC4
.text:000226A0                 ADDS            R3, R2, R3
.text:000226A2                 MVN.W           R3, R3,LSL#24
.text:000226A6                 MVN.W           R3, R3,LSR#24
.text:000226AA                 MOV             R2, 0x2E345987
.text:000226B2                 MUL.W           R2, R2, R3
.text:000226B6                 MOV             R3, 0xFE8D7C54
.text:000226BE                 ADDS            R3, R2, R3
.text:000226C0                 STR             R3, [SP,#0x54]
.text:000226C2                 LDR             R3, [SP,#0x54]
.text:000226C4                 ADD.W           R2, R3, #1
.text:000226C8                 MOV             R3, 0x4DA1C37
.text:000226D0                 MUL.W           R3, R3, R2
.text:000226D4                 STR             R3, [SP,#0x24]
.text:000226D6                 MOVW            R3, #0xA19E
.text:000226DA                 STR             R3, [SP,#0x20]
.text:000226DC                 MOV             R3, 0xFDBD0000
.text:000226E4                 STR             R3, [SP,#0x1C]
.text:000226E6                 LDR             R2, [SP,#0x1C]
.text:000226E8                 LDR             R3, [SP,#0x24]
.text:000226EA                 ADDS            R2, R2, R3
.text:000226EC                 MOV             R3, 0xA19EFDBD
.text:000226F4                 ADDS            R3, R2, R3
.text:000226F6                 LDR             R2, [SP,#0x20]
.text:000226F8                 EORS            R2, R3
.text:000226FA                 LDR             R3, [SP,#0x1C]
.text:000226FC                 SUBS            R3, R2, R3
.text:000226FE                 STR             R3, [SP,#0x18]
.text:00022700                 LDR             R3, [SP,#0x20]
.text:00022702                 MVN.W           R2, R3
.text:00022706                 LDR             R3, [SP,#0x18]
.text:00022708                 EORS            R2, R3
.text:0002270A                 MOV             R3, 0xD4F20B34
.text:00022712                 EORS            R2, R3
.text:00022714                 MOV             R3, 0xD4F20B34
.text:0002271C                 ORRS            R3, R2
.text:0002271E                 STR             R3, [SP,#0x14]
.text:00022720                 LDR             R3, [SP,#0x24]
.text:00022722                 RSB.W           R2, R3, #0
.text:00022726                 LDR             R3, [SP,#0x14]
.text:00022728                 ADD.W           R3, R3, #1
.text:0002272C                 MOV.W           R3, R3,LSL#1
.text:00022730                 SUBS            R2, R2, R3
.text:00022732                 MOV             R3, 0x129DBE51
.text:0002273A                 ADDS            R3, R2, R3
.text:0002273C                 STR             R3, [SP,#0x54]
.text:0002273E                 LDR             R2, [SP,#0x54]
.text:00022740                 MOV             R3, 0x20B54F26
.text:00022748                 ADDS            R3, R2, R3
.text:0002274A                 MOV.W           R2, R3,LSL#1
.text:0002274E                 MOV             R3, 0x561BE9E6
.text:00022756                 ANDS            R3, R2
.text:00022758                 LDR             R2, [SP,#0x54]
.text:0002275A                 SUBS            R2, R2, R3
.text:0002275C                 MOV             R3, 0x4BC34419
.text:00022764                 ADDS            R3, R2, R3
.text:00022766                 MOV             R2, R3
.text:00022768                 LDR             R3, [SP,#4]
.text:0002276A                 STR             R2, [R3]
.text:0002276C                 LDR             R3, [SP,#0xC]
.text:0002276E                 ADD.W           R3, R3, #4
.text:00022772                 STR             R3, [SP,#0xC]
.text:00022774                 LDR             R3, [SP,#8]
.text:00022776                 ADD.W           R3, R3, #0xFFFFFFFF
.text:0002277A                 STR             R3, [SP,#8]
.text:0002277C                 LDR             R2, [SP,#0x48]
.text:0002277E                 MOV             R3, 0x964428A5
.text:00022786                 EORS            R3, R2
.text:00022788                 STR             R3, [SP,#0x34]
.text:0002278A                 B               loc_228D8
.text:0002278C ; ---------------------------------------------------------------------------
.text:0002278C                 NOP
.text:0002278E                 LDR             R3, [SP,#8]
.text:00022790                 CMP             R3, #0
.text:00022792                 ITE LE
.text:00022794                 MOVLE           R3, #0
.text:00022796                 MOVGT           R3, #1
.text:00022798                 STR             R3, [SP,#0x38]
.text:0002279A                 LDR             R2, [SP,#0x40]
.text:0002279C                 MOV             R3, 0xBACBF7E8
.text:000227A4                 EORS            R3, R2
.text:000227A6                 STR             R3, [SP,#0x30]
.text:000227A8                 LDR             R2, [SP,#0x40]
.text:000227AA                 MOV             R3, 0xBACBF7F4
.text:000227B2                 EORS            R3, R2
.text:000227B4                 STR             R3, [SP,#0x34]
.text:000227B6                 LDR             R3, [SP,#0x38]
.text:000227B8                 CMP             R3, #0
.text:000227BA                 ITE NE
.text:000227BC                 MOVNE           R3, #0
.text:000227BE                 MOVEQ           R3, #1
.text:000227C0                 STR             R3, [SP,#0x2C]
.text:000227C2                 LDR             R3, [SP,#0x2C]
.text:000227C4                 CMP             R3, #0
.text:000227C6                 ITE NE
.text:000227C8                 MOVNE           R3, #0
.text:000227CA                 MOVEQ           R3, #1
.text:000227CC                 STR             R3, [SP,#0x28]
.text:000227CE                 LDR             R3, [SP,#0x28]
.text:000227D0                 LDR             R2, [SP,#0x30]
.text:000227D2                 MUL.W           R2, R2, R3
.text:000227D6                 LDR             R3, [SP,#0x2C]
.text:000227D8                 LDR             R1, [SP,#0x34]
.text:000227DA                 MUL.W           R3, R1, R3
.text:000227DE                 ADDS            R3, R2, R3
.text:000227E0                 STR             R3, [SP,#0x34]
.text:000227E2                 B               loc_228D8
.text:000227E4 ; ---------------------------------------------------------------------------
.text:000227E4                 NOP
.text:000227E6                 LDR             R2, [SP,#0x50]
.text:000227E8                 MOV             R3, 0xF40FC4AE
.text:000227F0                 EORS            R3, R2
.text:000227F2                 STR             R3, [SP,#0x34]
.text:000227F4                 B               loc_228D8
.text:000227F6 ; ---------------------------------------------------------------------------
.text:000227F6
.text:000227F6 loc_227F6                               ; CODE XREF: descramble1_224F4+C0j
.text:000227F6                 NOP
.text:000227F8                 NOP
.text:000227FA                 ADD             SP, SP, #0x5C
.text:000227FC                 POP             {R4}
.text:000227FE                 BX              LR
.text:000227FE ; End of function descramble1_224F4
.text:000227FE
.text:00022800 ; ---------------------------------------------------------------------------
.text:00022800                 NOP
.text:00022802                 LDR             R2, [SP,#0x50]
.text:00022804                 MOV             R3, 0x279C241B
.text:0002280C                 EORS            R3, R2
.text:0002280E                 STR             R3, [SP,#0x50]
.text:00022810                 LDR             R2, [SP,#0x44]
.text:00022812                 MOV             R3, 0x1D087F49
.text:0002281A                 ADDS            R3, R2, R3
.text:0002281C                 STR             R3, [SP,#0x34]
.text:0002281E                 LDR             R2, [SP,#0x34]
.text:00022820                 MOV             R3, 0x40000001
.text:00022828                 SMULL.W         R1, R3, R3, R2
.text:0002282C                 MOV.W           R1, R3,ASR#29
.text:00022830                 MOV.W           R3, R2,ASR#31
.text:00022834                 SUBS            R1, R1, R3
.text:00022836                 MOV             R3, R1
.text:00022838                 MOV.W           R3, R3,LSL#31
.text:0002283C                 SUBS            R3, R3, R1
.text:0002283E                 SUBS            R3, R2, R3
.text:00022840                 STR             R3, [SP,#0x34]
.text:00022842                 B               loc_228D8
.text:00022844 ; ---------------------------------------------------------------------------
.text:00022844                 NOP
.text:00022846                 LDR             R3, [SP,#4]
.text:00022848                 LDR             R3, [R3]
.text:0002284A                 UXTB            R2, R3
.text:0002284C                 LDR             R3, [SP,#4]
.text:0002284E                 STR             R2, [R3]
.text:00022850                 MOV             R3, 0x827E4184
.text:00022858                 STR             R3, [SP,#0x50]
.text:0002285A                 LDR             R2, [SP,#0x4C]
.text:0002285C                 MOV             R3, 0x24857CBB
.text:00022864                 ADDS            R3, R2, R3
.text:00022866                 STR             R3, [SP,#0x34]
.text:00022868                 LDR             R2, [SP,#0x34]
.text:0002286A                 MOV             R3, 0x40000001
.text:00022872                 SMULL.W         R1, R3, R3, R2
.text:00022876                 MOV.W           R1, R3,ASR#29
.text:0002287A                 MOV.W           R3, R2,ASR#31
.text:0002287E                 SUBS            R1, R1, R3
.text:00022880                 MOV             R3, R1
.text:00022882                 MOV.W           R3, R3,LSL#31
.text:00022886                 SUBS            R3, R3, R1
.text:00022888                 SUBS            R3, R2, R3
.text:0002288A                 STR             R3, [SP,#0x34]
.text:0002288C                 LDR             R2, [SP,#0x48]
.text:0002288E                 MOV             R3, 0xD9BD9926
.text:00022896                 EORS            R3, R2
.text:00022898                 STR             R3, [SP,#0x48]
.text:0002289A                 LDR             R2, [SP,#0x44]
.text:0002289C                 MOV             R3, 0x9E64A4BD
.text:000228A4                 ADDS            R3, R2, R3
.text:000228A6                 MOV             R2, 0x40000001
.text:000228AE                 SMULL.W         R1, R2, R2, R3
.text:000228B2                 MOV.W           R1, R2,ASR#29
.text:000228B6                 MOV.W           R2, R3,ASR#31
.text:000228BA                 SUBS            R1, R1, R2
.text:000228BC                 MOV             R2, R1
.text:000228BE                 MOV.W           R2, R2,LSL#31
.text:000228C2                 SUBS            R2, R2, R1
.text:000228C4                 SUBS            R3, R3, R2
.text:000228C6                 STR             R3, [SP,#0x44]
.text:000228C8                 LDR             R2, [SP,#0x40]
.text:000228CA                 MOV             R3, 0xEB0FA783
.text:000228D2                 EORS            R3, R2
.text:000228D4                 STR             R3, [SP,#0x40]
.text:000228D6                 B               loc_225A6
.text:000228D8 ; ---------------------------------------------------------------------------
.text:000228D8 ; START OF FUNCTION CHUNK FOR descramble1_224F4
.text:000228D8
.text:000228D8 loc_228D8                               ; CODE XREF: descramble1_224F4+296j
.text:000228D8                                         ; descramble1_224F4+2EEj ...
.text:000228D8                 NOP
.text:000228DA                 B               loc_225A6
.text:000228DA ; END OF FUNCTION CHUNK FOR descramble1_224F4
.text:000228DC ; ---------------------------------------------------------------------------
.text:000228DC
.text:000228DC loc_228DC                               ; DATA XREF: descramble1_224F4+4r
.text:000228DC                 STMIA           R1, {R1,R2,R4-R6}
.text:000228DE                 MOVS            R3, R0
.text:000228E0
.text:000228E0 loc_228E0                               ; DATA XREF: descramble1_224F4+10Er
.text:000228E0                 MRC             p15, 6, PC,c8,c15, 7
.text:000228E4
I am trying to port this code to C++, so it can run on Windows....
 

sciux

Has that got anything to do?

I was messing around to try to find a way to unlock the bootloader or anything exciting on my Tablet P and I came across this...
I'm an absolute noob when it comes to development and Android hacking...

/etc/security/otacerts.zip
After unzipping the file I came across testkey.x509.pem,
then I used an online x509 decoder and the result is:

[
[
Version: V3
Subject: [email protected], CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 2048 bits
modulus: 27087533857153302906822427244451835680271467139433638657402420676788772368468316411790577780743478815329574319010356420647651577255214076320764054962227698091591190998224183931185609609820277016242603583619929549819986490809257050240250723681109660718403959925449702875642189909904608631689243630431349528603016850515510838951987672075344238987930639179476225895129710043944157373677589593772202003591689051650854123572660036810919613063456337914746959297660631038090097224838665758049737111657080826771808365050815496720770905152230613652255807956565630323299366925404317303221604342657788982549334320910974026967327
public exponent: 3
Validity: [From: Fri Feb 29 01:33:46 GMT 2008,
To: Tue Jul 17 02:33:46 BST 2035]
Issuer: [email protected], CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
SerialNumber: [ 936eacbe 07f201df]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48 59 00 56 3D 27 2C 46 AE 11 86 05 A4 74 19 AC HY.V=',F.....t..
0010: 09 CA 8C 11 ....
]
[[email protected], CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US]
SerialNumber: [ 936eacbe 07f201df]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 48 59 00 56 3D 27 2C 46 AE 11 86 05 A4 74 19 AC HY.V=',F.....t..
0010: 09 CA 8C 11 ....
]
]

]
Algorithm: [SHA1withRSA]

]

Don't know whether this is of any use or not, but hey, thought I'll let you know what I came across...
 

<robin>

AIO already uses the test key to sign custom ROMs; you can find the testkey in aio/files/.
The stock ROM is BOTH scrambled AND signed,
so we need to descramble (desklunvr) it first.
 