2224 Component - XC420061

Backup of earlier posts.
usbbdm
Junior Member
Posts: 8974
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

I am looking into developping the code with DES checksum to see if we can match the SPI command generated by the CC. It looks like it uses the DES CBC. Just start looking. Have everything set up. Will do a lot homework now.
twistedps
Junior Member
Posts: 62
Joined: Fri Jul 22, 2005 10:24 am
Location: boston

Post by twistedps »

Really excited by the progress guys, keep it up!
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

I was looking at the pattern as well; I'm not sure what format it is in. If it is in the DES Cipher Block Chaining mode then it will have a parity bit on the LSB of each 8-bit block; there should be 56 data bits that come from 8 octets. Checking for that will prove it is in CBC mode. I wonder if they used weak key testing.
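The parity property cipher refers to is the DES key format itself: a DES key is 8 octets whose low bit is an odd-parity bit, leaving 56 bits of key material. The following is an added example, not code from the thread, that checks, repairs and extracts that structure for constructed sample keys; note that key parity only tells you whether a byte string is a well-formed DES key, not which cipher mode was used with it.

```python
# Added example (not from the thread): DES key parity per FIPS 46.
# A DES key is 8 octets; the LSB of each octet is an odd-parity bit, so only
# 56 of the 64 bits are key material. Parity is a sanity check on whether a
# byte string is a well-formed DES key; it is independent of the cipher mode.

def byte_has_odd_parity(b: int) -> bool:
    """True if the 8-bit value has an odd number of 1 bits."""
    return bin(b & 0xFF).count("1") % 2 == 1

def des_key_parity_ok(key: bytes) -> bool:
    """True if every octet of an 8-byte DES key has odd parity."""
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes")
    return all(byte_has_odd_parity(b) for b in key)

def set_des_key_parity(key: bytes) -> bytes:
    """Return the key with each octet's LSB rewritten to give odd parity."""
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes")
    out = bytearray()
    for b in key:
        data = b & 0xFE                      # upper 7 bits are key material
        out.append(data | (0 if byte_has_odd_parity(data) else 1))
    return bytes(out)

def effective_key_bits(key: bytes) -> int:
    """Pack the 56 key-material bits (parity bits dropped) into one integer."""
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes")
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value

# Constructed sample keys (not values from the thread).
GOOD_KEY = bytes([0x01, 0x02, 0x04, 0x07, 0x08, 0x0B, 0x0D, 0x0E])  # all octets odd parity
BAD_KEY = bytes([0x00, 0x03, 0x04, 0x07, 0x08, 0x0B, 0x0D, 0x0E])   # first two octets even

if __name__ == "__main__":
    print("GOOD_KEY parity ok:", des_key_parity_ok(GOOD_KEY))
    print("BAD_KEY parity ok:", des_key_parity_ok(BAD_KEY))
    print("BAD_KEY repaired:", set_des_key_parity(BAD_KEY).hex())
    print("effective 56-bit key:", hex(effective_key_bits(GOOD_KEY)))
```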
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

Hey usbbdm,

I think this link should be useful to you.

http://msdn.microsoft.com/library/defau ... cmod24.asp
usbbdm
Junior Member
Posts: 8974
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

I need more SPI data. Can anyone who has done the SPI capture send me your files?
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

I will work on getting some data for you.

Here is some interesting info on the BCM line... it's close to the BCM7015.

How do the EJTAG and PCTrace signals on a Broadcom processor map onto the standard EJTAG connector?
Answer: The following table shows the connections for the standard 12-pin EJTAG connector, for full debug support without PCTrace, and the standard 28-pin EJTAG connector for full debug support with PCTrace.

EJTAG Signal | Pin | BCM33xx | BCM7100
-------------+-----+---------+---------
TRST*        |  1  | TRST*   | TRSTB_N
TDI/DINT     |  3  | TDI     | TDI
TDO/TPC      |  5  | TDO     | TDO
TMS          |  7  | TMS     | TMS
TCK          |  9  | TCK     | TCK
RST*         | 11  | (See Note)
-------------+-----+---------+---------
PCST[0]      | 13  | PCST[0] | PCST[0]
PCST[1]      | 15  | PCST[1] | PCST[1]
PCST[2]      | 17  | PCST[2] | PCST[2]
DCLK         | 19  | EBI_CLK | pPCLK
TPC[2]       | 21  | TPC_1   | TPC_1
PCST2[0]     | 23  | PCST[3] | PCST[3]
PCST2[1]     | 25  | PCST[4] | PCST[4]
PCST2[2]     | 27  | PCST[5] | PCST[5]

Note: The RST* pin should be connected to the reset circuit on your board. When RST* is low, the entire board, including the CPU, should be reset.
usbbdm
Junior Member
Posts: 8974
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

Initial try for the DES CBC check sum failed. Will try more.

When we log the SPI auth command, 80 3c, we can see some fields and would like to modify a field (e.g. the PPV credit). But that will not work. The 8 bytes at the bottom seem to be the checksum. Also, if we replay the SAME command to another box it fails, indicating some data in the box (unit address?) is used to check whether the SPI command is valid for the box.

If we find the way to generate the checksum, then we can increase the PPV limit and thus make it unlimited. Also we might be able to create the auth command for another box.

Since ACP uses the modified DES, a simple DES checksum might not work directly. I used the unit address as its key.
Phredog
Junior Member
Posts: 39
Joined: Tue Jul 26, 2005 3:46 pm

Post by Phredog »

There are two possibilities that come to mind:

1. The unit ID is the key. So if the ACP receives a packet that was intended for another box, it will decrypt to nonsense, fail the checksum, and will be discarded. Only the key, or unit ID, will be required to decrypt the data.

2. The variation on DES may, in fact, be a variation on cipher block chaining mode. In this hypothetical variation, the unit ID is used as the initialization vector. Once all the message bytes have passed through the algorithm, the final checksum will be dependent on the unit ID. So if the ACP receives a packet that was intended for another box, it will again decrypt to nonsense even if the key was known. The unit ID and the key must both be known. Perhaps the key is loaded when the box is initialized, and is unique to each headend.

Just my theoretical .02 :wink:

I will read up on the common variations of DES. Maybe something will ring a bell.

Later
usbbdm
Junior Member
Posts: 8974
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

Phredog, good thinking.
I think the unit address might be the initial vector and the GI number is the key.

At the time the DCT 2000 was designed I believe they used 56-bit keys. If you look at the NEW models of DCT 2500 (some old DCT 2500 still use the GI number), there is no longer a GI number; it is replaced with a long string starting with M. I suspect this is a new 64/128-bit key. That is why I try to see as many GI number/unit address pairs as possible to see if I can figure it out from them.

There are RAM-based FPGAs that use DES to configure the chip, and I believe the XC chip is one of them. If someone can give us a little hint ....
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

Interesting dialog, Gentlemen,

Here are some of my thoughts. The only time we see a SPI conversation is when broadcasts or directly addressed authorizations occur; this would mean that only specifically resolved messages are acted on by the XC component. From reading ColdFire's notes on the DCII system there are working keys and seed keys. The working keys must be sent over the network and are short lived, maybe as encrypted broadcasts to all units. The seed keys are implanted by the manufacturer and are provider specific. I have read that some people have successfully convinced a cable tech to add an external DCT to their system without going to the factory to implant the keys. This is interesting because that would mean the seed keys can be updated over the broadband network. Boy would I love to capture that SPI log. Also, if it is possible to address the externally keyed unit then the address is not part of the seed key integration and is therefore exploitable.

Check out

http://digitalhomecanada.com/forum/show ... 915&page=2
twistedps
Junior Member
Posts: 62
Joined: Fri Jul 22, 2005 10:24 am
Location: boston

Post by twistedps »

Hi, I would be more than happy to give my GI address or whatever ya need.
How would I go about getting it?
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

More interesting tidbits.

I decided to fake out a unit address to what it was before I messed up the XC chip to an E11 state. It is very interesting that the unit picked up the IP address that it had before!
twistedps
Junior Member
Posts: 62
Joined: Fri Jul 22, 2005 10:24 am
Location: boston

Post by twistedps »

cipher wrote: More interesting tidbits.

I decided to fake out a unit address to what it was before I messed up the XC chip to an E11 state. It is very interesting that the unit picked up the IP address that it had before!

It probably works on a temporary DHCP lease time like a regular router, based upon its unit address.
DVDman
Junior Member
Posts: 10
Joined: Tue Jul 26, 2005 7:32 pm
Location: Houston

Post by DVDman »

I have several boxes, and would love to help with this. How do you get the GI address that you need?
patsfan
Junior Member
Posts: 673
Joined: Thu Jul 21, 2005 4:02 pm

Post by patsfan »

The GI number is written on the bottom of the box. I'm not sure if the change to the "M" numbers has anything to do with the encryption level. I have seen at least a 10/1 ratio of 2500's in my area that start with GI numbers, and the same goes for the new DCT700. I'm thinking they started to change because they either ran out of GI numbers or they switched to M for Motorola.