Pretty good work! I bet it is AES, because AES is nearly as fast as Blowfish, and there are meanwhile even hardware decoders available, but I doubt they used one. They also used AES earlier to crypt all that iPhone stuff (IIRC), so this would have been straightforward. 10 seconds to decrypt means about 600k per second, that's more than 300 clock cycles per byte => should work. IIRC Blowfish was below 100 clock cycles per byte on ARM.

Now how can we break this? I think we can rule out a brute force attack, that would probably take thousands of years. Can we somehow draw some conclusions from comparing the different firmwares/different blocks?

BTW, how do you decrypt stuff with WinHex? I can't find that function in my WinHex Specialist Edition. Do you need X-Ways Forensics to do that?

Jeremy Prater wrote:
> Hey. I've been doing some more work and it looks like the blocks are
> 16 bytes (128-bit): all the firmware sizes divide down by 16 and that
> 1.1.1 and 1.1.2 split at 0x1680 is a 16-byte boundary. If they used a
> CBC based scheme (cipher block chaining) then the previous plain-text
> is used as the key for the next block. AES-CBC looked real promising
> to me, 128-bit fixed block size and variable key length 128,196,256.
> It requires an initialization vector that is the same length as the
> block size. It's not feasible to break this encryption. It does this
> thing with rounds and matrix row shifting and s-blocks and crap; the
> ciphertext has NO correlation to the plaintext. I was thinking it
> could be like a simple XOR with the CBC scheme. I mean, does the ARM
> 200 MHz Apple CPU have enough power to decrypt a 6 MB AES encoded file
> that has rounds and lookup s-tables, row shifting, etc...? It's not that
> fast. The firmware re-boot takes ~10 sec. It takes my WinHex on my
> Core 2 Duo 1.83 GHz around 3 sec to decrypt.
>
> Here is the osos block size sheet I made. I'll look into one for aupd
> also. I like coffee.
>
> | 1.0.2 | 1.1.1 | 1.1.2 | 1.1.3 | 1680split | blocksize | 1.1.0 blocks | 1.1.1 blocks | 1.1.2 blocks | 1.1.3 blocks | 1860blockpos |
> |---|---|---|---|---|---|---|---|---|---|---|
> | 6270976 | 6379520 | 6266880 | 6252544 | 1680 | 1 | 6270976 | 6379520 | 6266880 | 6252544 | 1680 |
> | 6270976 | 6379520 | 6266880 | 6252544 | 1680 | 2 | 3135488 | 3189760 | 3133440 | 3126272 | 840 |
> | 6270976 | 6379520 | 6266880 | 6252544 | 1680 | 4 | 1567744 | 1594880 | 1566720 | 1563136 | 420 |
> | 6270976 | 6379520 | 6266880 | 6252544 | 1680 | 8 | 783872 | 797440 | 783360 | 781568 | 210 |
> | 6270976 | 6379520 | 6266880 | 6252544 | 1680 | 16 | 391936 | 398720 | 391680 | 390784 | 105 |
> | 6270976 | 6379520 | 6266880 | 6252544 | 1680 | 32 | 195968 | 199360 | 195840 | 195392 | 52.5 |
> | 6270976 | 6379520 | 6266880 | 6252544 | 1680 | 64 | 97984 | 99680 | 97920 | 97696 | 26.25 |
> | 6270976 | 6379520 | 6266880 | 6252544 | 1680 | 128 | 48992 | 49840 | 48960 | 48848 | 13.125 |
> | 6270976 | 6379520 | 6266880 | 6252544 | 1680 | 256 | 24496 | 24920 | 24480 | 24424 | 6.5625 |
> | 6270976 | 6379520 | 6266880 | 6252544 | 1680 | 512 | 12248 | 12460 | 12240 | 12212 | 3.28125 |
> | 6270976 | 6379520 | 6266880 | 6252544 | 1680 | 1024 | 6124 | 6230 | 6120 | 6106 | 1.640625 |
> | 6270976 | 6379520 | 6266880 | 6252544 | 1680 | 2048 | 3062 | 3115 | 3060 | 3053 | 0.8203125 |
> | 6270976 | 6379520 | 6266880 | 6252544 | 1680 | 4096 | 1531 | 1557.5 | 1530 | 1526.5 | 0.41015625 |
> | 6270976 | 6379520 | 6266880 | 6252544 | 1680 | 8192 | 765.5 | 778.75 | 765 | 763.25 | 0.205078125 |
> | 6270976 | 6379520 | 6266880 | 6252544 | 1680 | 16384 | 382.75 | 389.375 | 382.5 | 381.625 | 0.102539063 |
>
> The 1680blockpos is the block number that the 1680 byte is. Looks like
> 105 is a good number.
>
> Later -- Jeremy
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Linux4nano-dev mailing list
> [email protected]
> https://mail.gna.org/listinfo/linux4nano-dev
> http://www.linux4nano.org
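
An added example, not part of the original thread: what comparing two images block by block can reveal about the cipher mode. In standard CBC each plaintext block is XORed with the previous ciphertext block before encryption, so two images encrypted with the same key and IV match up to the block containing the first changed byte and never match again, while ECB re-synchronises on the next identical block. The block function is a stand-in (truncated HMAC-SHA256, an assumption, not AES), and the images, key, IV and the changed byte at 0x1685 are constructed sample data.

```python
import hashlib
import hmac

BLOCK = 16  # block size the thread infers for the firmware images

def prf(key: bytes, block: bytes) -> bytes:
    # Stand-in for a block cipher's encrypt direction (assumption: HMAC-SHA256
    # truncated to 16 bytes; not AES, not invertible, only used for comparison).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def encrypt(key: bytes, iv: bytes, data: bytes, mode: str) -> bytes:
    assert len(data) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if mode == "cbc":  # chain: XOR the previous ciphertext block into the input
            blk = bytes(a ^ b for a, b in zip(blk, prev))
        prev = prf(key, blk)
        out.append(prev)
    return b"".join(out)

def compare(a: bytes, b: bytes) -> dict:
    """Block-wise comparison of two images over their common length."""
    n = min(len(a), len(b)) // BLOCK
    same = [a[i * BLOCK:(i + 1) * BLOCK] == b[i * BLOCK:(i + 1) * BLOCK]
            for i in range(n)]
    first = same.index(False) if False in same else n
    return {
        # offset of the first differing block: always a multiple of BLOCK
        "first_diff_offset": first * BLOCK,
        # identical blocks after the divergence: many in ECB, none in CBC
        "matching_blocks_after_diff": sum(same[first:]),
    }

def make_images():
    # Constructed data: two "firmware" plaintexts identical except one byte,
    # placed mid-block at 0x1685 so the divergence rounds down to 0x1680.
    key, iv = b"k" * 16, b"\x00" * 16
    v1 = hashlib.shake_128(b"constructed firmware").digest(0x2000)
    v2 = bytearray(v1)
    v2[0x1685] ^= 0xFF
    return key, iv, v1, bytes(v2)

if __name__ == "__main__":
    key, iv, v1, v2 = make_images()
    for mode in ("ecb", "cbc"):
        print(mode, compare(encrypt(key, iv, v1, mode), encrypt(key, iv, v2, mode)))
```

A divergence offset that is a multiple of 16 with no matching blocks afterwards is consistent with a chained 128-bit mode, but it says nothing about the key.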
