A couple of years ago, Atmel started selling EEPROM chips dubbed as "SecureMemory" (AT88SC153, AT88SC1608). These chips are still in use today on many contact smartcards and other devices.
Data sectors on that device can be read-/write-protected by requiring a proprietary challenge-response authentication. In addition, these devices also feature a basic password protection which is reasonably easy to circumvent as flylogic has demonstrated. The challenge-response authentication algorithm is vulnerable to a unroll/meet-in-the-middle attack to the effect that the secret key can be guessed from only a few eavesdropped authentication sessions - researchers from the Radboug University Nijmwegen have published a paper on this a couple of months ago.
I've implemented their attack and recovered keys of several such devices successfully. However, an even more primitive, yet effective vulnerability is a man-in-the-middle attack: an attacker can easily take control of the bus after the authentication / password verification has taken place and inject data at his will. It's not hard to come up with some piece of hardware that does just that. This is also a successful attack against the successor family, the AT88SC...C devices, which implements a slightly better authentication scheme.
Wednesday, December 22, 2010
Tuesday, December 21, 2010
Facepalm.jpg
I've been poking around in the BIOS of a Fujitsu Lifebook A530 (source).
What is wrong with this function:
What is wrong with this function:
Wednesday, October 20, 2010
Shmuck of the Week: 3_2_1_4you / bluechip82
Here's another gem from eBay that a reader has sent me:
3_2_1_4you's apparent lack of technological knowledge ("dos box tools" etc.) is just the icing on the cake. The epitome of his chutzpah, however, is the price at which he's trying to sell my stuff: $85 - just wow. That easily earns him the glorious "Shmuck of the Week" award.
Update: Apparently, he's now going with the username "bluechip82".
3_2_1_4you's apparent lack of technological knowledge ("dos box tools" etc.) is just the icing on the cake. The epitome of his chutzpah, however, is the price at which he's trying to sell my stuff: $85 - just wow. That easily earns him the glorious "Shmuck of the Week" award.
Update: Apparently, he's now going with the username "bluechip82".
Saturday, September 11, 2010
Another One Bites the Dust: HP/Compaq Mini Netbooks
That was suprisingly easy:
As always, the script (Windows binary) is released under the binding terms of the GPL - let's sit back and watch the decline of eBay prices and the sudden appearance of my code in the tools of the GSM idiots.
Update: I got a couple of emails from folks for which the generated passwords didn't seem to work. It turned out that they confused the number "l" for the letter "1" and vice versa. If you find that it doesn't work for you, copy and paste the generated password from the script into an editor which has a legible typeface.
As always, the script (Windows binary) is released under the binding terms of the GPL - let's sit back and watch the decline of eBay prices and the sudden appearance of my code in the tools of the GSM idiots.
Update: I got a couple of emails from folks for which the generated passwords didn't seem to work. It turned out that they confused the number "l" for the letter "1" and vice versa. If you find that it doesn't work for you, copy and paste the generated password from the script into an editor which has a legible typeface.
Wednesday, September 8, 2010
Shmuck of the Week: Jason Smith / mastermindit.biz
Here's a screenshot of Jason's awful site:
Designed like it's hosted on Geocities in 1995 - check. Shitty ads - check. Asking for donations without mentioning my site for the extremely hard task of running my stuff - check. So the Shmuck award goes to you, Jason - congratulations, you earned it!
Saturday, July 10, 2010
Shmuck of the Week: jebishere
Sunday, July 4, 2010
How to protect better: Secure BIOS Passwords for Laptops
Since I get a lot of visitors from within the networks of computer vendors (hi guys!), I might as well just give you some hints on how to implement a laptop password in a more secure way. I understand that a lot of your customers forget their passwords and that it's just too expensive for you and your customers to swap the mainboards each time this happens. Also, you are prone to use the lame password implementations of the BIOS vendors. Don't - do your own stuff. Here are a few advices free of charge on how to do better:
- Use better hashing functions for the passwords. CRC16, CRC32, etc. are a bad choice - they are invertible, and even if they weren't, a modern machine can find a hash collision within seconds because the keyspace is only 2^32 in size. Various implementations of better algorithms such as MD6 and SHA2 are readily available.
- Use the machine's serial number in conjunction with the MAC address of the network card to salt the password before hashing it. If the password isn't set, just use both of these to check a hash stored in your 'NVRAM' anyway. This makes it a bit harder to just clone an EEPROM, FlashROM, or any other chip.
- Try to calculate some portions of the algorithm not on the main CPU, but on the keyboard controller - this puts a physical obstacle on reversing the code. Also, provide a secure path for updating the code if the need arises - you don't want to have unencrypted code in your update binaries that can be easily disassembled and reverse-engineered.
- If the password can't be verified, generate a random number from the RTC the third time an invalid password has been entered. Salt it heavily with serial numbers (laptop, MAC, CPU, etc.). Then hash it to generate a one-time password (OTP). Use public-key cryptography on the OTP, e.g. elliptic curves. DO NOT STORE THE PRIVATE KEY IN THE BIOS. Output the result to the screen, making sure that it is properly encoded ('O' vs '0', checksums). Do not save the one-time password anywhere. In fact, wipe it from the memory just after it has been encrypted. Make sure that it's really zero'd out everywhere (CPU cache).
- When a customer calls the support and asks for a password reset, verify that he is indeed the owner of the laptop. Let him read the encrypted and encoded OTP to you, then calculate the OTP by decoding and decrypting it using your private key.
- Do not hand out service tools to your service team which contain the private key. Instead, run a central password service on a server which is secured and can only be accessed with proper authentication. Actively monitor each and every access.
- Do not charge customers for resetting a password. That's just lame.
Saturday, June 26, 2010
How to protect better: The Apple iPhone
Apple's iPhone is a prime example for a well-engineered netlock protection. To this day, it has remained uncracked in principle: all current and past unlock solutions just patch the firmware running on the baseband modem to the effect that the netlock checks are overriden. These solutions basically inject code into the firmware 'on the fly' by exploiting buffer/heap overflows. A small piece of homebrew code runs on the application processor for just doing that - a jailbreak is therefore a prerequisite for an unlock. These firmware patches can't be permanently applied to the firmware of 3G and later devices because it is signature-checked by the baseband bootloader before it is executed. Whenever Apple decides to update the baseband firmware, they fix the injection holes. Firmware downgrades are blocked, so a way to permanently unlock the baseband has yet to be found for models other than the first iPhone 2G. In a nutshell, the protection works like this:
When testing a network code key, the baseband firmware reads the encryptedSignature, calculates the deviceKey and the nckKey from the entered NCK, decrypts the encryptedSignature with the nckKey using TEA, decrypts it once more with the public RSA key and verifies the signature with the SHA1 hashes of the chipID / norID. Here's the pseudo code:
A correct NCK key can be stored the application processor part of device. When a certain flag is set, the application firmware (iOS) feeds the NCK into the baseband modem during the boot-up. If the decrypted rawSignature passes the check, the baseband unlocks.This is what happens in factory-unlocked devices and iPhones which have been officially unlocked. It remains unknown whether some iPhones can never be unlocked by design even with the knowledge of the correct NCK: in the US, AT&T does not give out NCKs for any iPhone, even for those devices on which the contract has run out. This practice suggests that AT&T iPhones have a permanent barrier.
On top of this, a WildcardTicket mechanism has been implemented on 3G and later devices. However, it is quite noteworthy that the WildcardTicket mechanism is overriden if the NCK can be verified (3G/3GS).
Various lessons can be learned from this:
EDIT: Here is the re-implementation in python.
- Two identification numbers unique to each device are generated from the NOR flash and baseband CPU serials: the norID and the chipID, 8 respectively 12 bytes in size.
- The device-specific deviceKey is generated from truncating a SHA1 hash of the concatenated and padded norID and chipID.
- A supposedly random NCK ('network control key') is SHA1-hashed. With the hashed NCK and the norID and chipID, the second key nckKey is generated. The hashing algorithm uses Tiny Encryption Algorithm (TEA). The nckKey is also device-specific since both the norID and chipID are used.
- A device-specific RSA signature is generated: two SHA1 hashes are generated from the norID and chipID. The status that the lock has after the correct NCK has been entered is also embedded into this message. The PCKS 1.5 format is used to pad the hashes and the status from (2*160+32) bit to 2048 bit (256 byte).
- The asymmetric RSA algorithm is used for the encryption of the unlock signature. Keep in mind that the algorithm uses two different keys: a private key for encryption and a public key for decryption. With the private RSA key, the signature is encrypted and stored in protected memory.
- This signature is encrypted with TEA once again using the device-specific deviceKey in CBC mode.
deviceKey = SHA1_hash(norID+chipID)
nckKey = custom_hash(norID, chipID, SHA1_hash(NCK), deviceKey)
rawSignature = generateSignature(SHA1_hash(norID+chipID), SHA1_hash(chipID))
Signature = RSA_encrypt(rawSignature, privateRSAkey)
encryptedSignature = TEA_encrypt_cbc(Signature, nckKey)The encryptedSignature is then saved to a protected memory area - the device has been locked. This happens when Apple issues the AT+CLCK="PN",1,"NCK" command presumably directly after manufacturing the phone.
When testing a network code key, the baseband firmware reads the encryptedSignature, calculates the deviceKey and the nckKey from the entered NCK, decrypts the encryptedSignature with the nckKey using TEA, decrypts it once more with the public RSA key and verifies the signature with the SHA1 hashes of the chipID / norID. Here's the pseudo code:
deviceKey = SHA1_hash(norID+chipID)
nckKey = custom_hash(norID, chipID, SHA1_hash(NCK), deviceKey)
encryptedSignature = readEncryptedSignature()
Signature = TEA_decrypt_cbc(encryptedSignature, nckKey)
rawSignature = RSA_decrypt(Signature, publicRSAKey)
if ( (rawSignature has correct format) and (rawSignature contains both SHA1_hash(norID+chipID), SHA1_hash(chipID)) and (Lock status byte in rawSignature is OK) )
.. accept every SIM card
else
.. block non-authorized SIMs
A correct NCK key can be stored the application processor part of device. When a certain flag is set, the application firmware (iOS) feeds the NCK into the baseband modem during the boot-up. If the decrypted rawSignature passes the check, the baseband unlocks.
On top of this, a WildcardTicket mechanism has been implemented on 3G and later devices. However, it is quite noteworthy that the WildcardTicket mechanism is overriden if the NCK can be verified (3G/3GS).
Various lessons can be learned from this:
- The NCK is only stored indirectly on the device in a protected area.
- The signature which contains the information about the NCK is directly linked to the device. Hence, replicating a signature from another device will not work.
- The NCK is a 15 digit number which is presumably not dependent on the IMEI or any other serial number, but completely random.
- Brute force attacks are foiled because a few expensive operations are necessary just to verify the code and the key space is large, e.g. the number of possible key combinations is big.
- A valid signature is implicitly required for an unlocked device. Factory-unlocked devices are shipped with such a signature, and during the official unlock process, this signature is generated.
- A fake signature for a device with known norID, chipID and NCK can not be generated because the private RSA key is unknown.
- Consequent code signing makes permanent firmware patches impossible.
- Interestingly, the signature check itself is executed in the bootloader which isn't touched during a firmware upgrade.
EDIT: Here is the re-implementation in python.
Tuesday, June 1, 2010
Sunday, May 2, 2010
Dell 2A7B Keygen
A slight modification and the keygen generates now valid passwords for Dell 2A7B serials as well as for the -595B serials.
Source Code & Binaries
Quick How-To:
Source Code & Binaries
Quick How-To:
- Download the archive of the keygen from the link above. It contains two files: a C file (source code) and an executable. If you are on Windows, just unpack and double-click the executable. If you are on Mac/Linux/BSD, compile the C file:
gcc -o dell dell.c - You are asked to enter the serial number of your device. Use ONLY CAPITALS for the serial number.
- Press Enter
and you'll get the password. Keep in mind that the passwords are encoded for a QWERTY-type keyboard layout (US-EN). Also, some models require you to press Ctrl+Enter after entering the password.
Update: Here's is an online version.
Friday, April 30, 2010
Shmuck of the Week: reda
From: reda (mmaimouni@hotmail.com)Translation:
To: dogber1@gmail.com
Subject: pleez help
Date: 04/29/2010 01:59:28 PM
hi ,iam interested in what u do, it is very helpful for us, this is why i ask u , i need a dell password generator for all the latest editions 2a7b and a95b, and if possible the hp 10 digits pass.pleaase help me.ur my only chance.thanks
I shamelessly use the results of your free work to generate parts of my income. I ask you to perform work for which I am both too stupid and lazy. I am not willing to pay you a dime, but I am actually planning on using it for my personal financial gain.Mhhh... no.
Saturday, April 24, 2010
Fix for the -595B Keygen
Apparently, only some of my readers have been able to derive the fix necessary to generate valid HDD passwords. It's been easily guessable that the prehashing scheme needed some minor modification. Before I get countless requests now, here's the C source code for hpgl's keygen:
http://pastebin.com/cu9ijqM1
You need a C compiler to generate the executable (d'uh), e.g. gcc/mingw32, Visual C, lcc, etc., or you can just use the binaries linked below.
Update: Windows binaries...
http://pastebin.com/cu9ijqM1
You need a C compiler to generate the executable (d'uh), e.g. gcc/mingw32, Visual C, lcc, etc., or you can just use the binaries linked below.
Update: Windows binaries...
Friday, April 16, 2010
More crap from Martech.pl
I gotta admit, they have been incredibly fast at stealing the stuff this time:
Martech SBS Tools V3.2.5.0 - DELL FREEThat news item is dated one day after I published the previous blog post and two days after I completed the source code for the keygen on a known forum.
What's new:
- Bios & HDD for DELL 595B, 2A7B, D35B free for users
You can unlock 5 per day without needed payments.
Application is payable, it cost 39 EUR / 52 USD
Download it: SBS Service Tools
Be ready! For next updates :)
Martech Team
Tuesday, April 13, 2010
Dell -595B Keygen
Before I get spammed with even more emails, here are the C sources for a keygen suitable for -595B and other dells (courtesy of hpgl):
http://pastebin.com/yEsiqyQy
You need a regular C compiler for compiling an executable (e.g. mingw32/gcc).
So now let's sit back and watch the inflation happen...
Update: small fix (Windows binaries) - see this post.
Quick How-To:
http://pastebin.com/yEsiqyQy
You need a regular C compiler for compiling an executable (e.g. mingw32/gcc).
So now let's sit back and watch the inflation happen...
Update: small fix (Windows binaries) - see this post.
Quick How-To:
- Download the archive of the keygen from the link above. It contains two files: a C file (source code) and an executable. If you are on Windows, just unpack and double-click the executable. If you are on Mac/Linux/BSD, compile the C file:
gcc -o dell dell.c - You are asked to enter the serial number of your device. Use ONLY CAPITALS for the serial number.
- Press Enter
and you'll get the password. Keep in mind that the passwords are encoded for a QWERTY-type keyboard layout (US-EN). Also, some models require you to press Ctrl+Enter after entering the password.
Tuesday, March 16, 2010
Unlock Code Generator for ZTE Cell Phones
Here's a script which can generate unlock codes for ZTE cell phones:
zte-unlock.py
The script implements an algorithm reverse-engineered by the collaborative effort of elcapitel and y3kt. You need python 2.x to run the script.
Supported Models: GX760, GX761, SFR 232, SFR 341, SFR 342, X760, X761, Orange Vegas, Vodafone Indie, T-Mobile Vairy Touch.
zte-unlock.py
The script implements an algorithm reverse-engineered by the collaborative effort of elcapitel and y3kt. You need python 2.x to run the script.
Supported Models: GX760, GX761, SFR 232, SFR 341, SFR 342, X760, X761, Orange Vegas, Vodafone Indie, T-Mobile Vairy Touch.
Unlocker for Huawei Modems
I've finished a quick and dirty implementation of a script which calculates unlock codes ("NCK") for Huawei modems:
huawei-unlock.py
The algorithm has been published a while ago, and there are a lot of other tools out there which do just the same thing. You need python 2.x to run the script.
This is a list of devices for which the unlock code ought to work:
Huawei: E156, E155, E1550, E1552, E156G, E160, E160G, E161, E166, E169, E169G, E170, E172, E176, E1762, E180, E182E, E196, E226, E270, E271, E272, E510, E612, E618, E620, E630, E630+, E660, E660A, E800, E870, E880, EG162, E880, EG162, EG162G, EG602, EG602G
Vodafone: K2540, K3515, K3520, K3565, K3520, K3565
A method to unlock the popular E220 devices has been published here.
Update 5/9/2011: Neil McPhail has put together an automated unlocker script for Linux.
huawei-unlock.py
The algorithm has been published a while ago, and there are a lot of other tools out there which do just the same thing. You need python 2.x to run the script.
This is a list of devices for which the unlock code ought to work:
Huawei: E156, E155, E1550, E1552, E156G, E160, E160G, E161, E166, E169, E169G, E170, E172, E176, E1762, E180, E182E, E196, E226, E270, E271, E272, E510, E612, E618, E620, E630, E630+, E660, E660A, E800, E870, E880, EG162, E880, EG162, EG162G, EG602, EG602G
Vodafone: K2540, K3515, K3520, K3565, K3520, K3565
A method to unlock the popular E220 devices has been published here.
Update 5/9/2011: Neil McPhail has put together an automated unlocker script for Linux.
Sunday, February 28, 2010
Shmucks of the Week: Martech.pl & Kulankendi.com
This time, the "shmuck of the week" goes to Poland: in a rather shameless fashion, the idiots from Martech.pl and Kulandkendi.com have literally stolen my GPL'd password generators: Martech has implemented them into a shitty piece of software called "Martech SBS Service Tools" which they are trying to sell. They didn't even bother to hide their theft: the message in the screenshot below is copied verbatim from one of my scripts:
Kulankendi.com are trying to sell the passwords themselves for 50 USD each:
Kulankendi.com are trying to sell the passwords themselves for 50 USD each:
Monday, February 22, 2010
Shmuck of the Week: Felix Hernandez
Felix runs a shady business by basically selling the results my GPL'd work to naive people. Since I'm such a dandy fellow, he wants me to help him fill his pockets some more by reverse-engineering the password schemes used in Sony and Dell laptops:
Guess what, Felix...
From: Felix Hernandez (felixlapbios@gmail.com)
To: dogber1@gmail.com
Subject: HELP BIOS PASSWORD TO DELL THANKS
Date: 02/22/2010 08:46:55 PM
Hello Friend I'm Mexican and my truth because just like you I like the
community help me ah been very helpful all you've developed programs to
generate the master passwords
That's why I want to give the link to unlock the sony vaio to send the
disabled system error
Only need the last serial number of the laptop to come on back
http://hpgl.googlegroups.com/web/SONY_Form1.rar?gda=73_AtUAAAADBratxJI3TcN2SnEOtgI52Or9i_fMM3dcP7Nz297qKnGJHTKS9woYaVuufKj-4-9ttxVPdW1gYotyj7-X7wDON
Hear also want to see if you can help me learn how to unlock sony vaio
onetime password and dell 595B 2A7B A95B
HELP ME PLEASE TO UNLOCK BIOS TO DELL THANKS
Guess what, Felix...
Saturday, February 20, 2010
Shmucks of the Month
So I stumbled across these sellers on eBay who seek to gain financial profit from my work:
That being said, I want to make clear one thing: I'm not interested in financial profit, but merely in the technical challenge which lies in breaking these security systems (or rather 'obscurity systems').
- petrachesimona
- transgression
- biosdepot
- laptopunlock
- amazanj2010
- repairsales2011
- and lots of others....
That being said, I want to make clear one thing: I'm not interested in financial profit, but merely in the technical challenge which lies in breaking these security systems (or rather 'obscurity systems').
Friday, January 1, 2010
Unlocker for Option GI0225 3G Modems
A couple of months ago, I bought a dirt-cheap 3G modem labeled as 'T-Mobile Web'n'Walk' stick. It's actually a relabeled Option Globetrotter Icon 225 which supports both 3G and CDMA networks. The provider installed an annoying netlock on the device - breaking it was quite tough. Here's a quick how-to for Windows for people who want to free their devices:
- Install python 2.6.x (32 bit version): http://www.python.org/download/releases/2.6/
- Install pywin32 for python 2.6: http://sourceforge.net/projects/pywin32/files/
- Install pyserial: http://sourceforge.net/projects/pyserial/files/
- Download the unlocker (http://sites.google.com/site/dogber1/blag/msm-unlock-v1.6.zip) and unpack it (e.g. into the directory C:\msm)
- Download a firmware update for the 3G modem from Option or T-Mobile
- Unpack the firmware update into the directory used above (e.g. C:\msm)
- IMPORTANT: The superfire.exe file of the update is packed.
Unpack the Superfire.exe file of the firmware update once again (e.g. WinRAR can do that).For the newest update, the superfire.exe can be used as it is. - Remove the SIM card from the modem and plug it in . Make sure that you have the latest drivers from the option website installed before you start msm_unlock.py. Also, close all the tools for the stick ('connection manager' etc.).
- Write down the unlock code. Unplug the stick, replug it and apply the unlock code with msm_apply.py. If the unlock code is not accepted, search the comments for a posting by "muxx" - he has given detailed instructions on how to manually enter the unlock code.
- Unplug and replug the stick once more and you've got yourself an unlocked 3G modem.
Subscribe to:
Posts (Atom)