> hi,
> I think about a brute-force attack on ROM. Has anyone tried
> badblox's (not sure about the name) deciphering code on ROM?

I tried a brute-force using RC4 and AES-128 CBC, since it worked for Nano 1G's (RC4). The key length was only 4 bytes, which didn't take long to brute-force, but it seems like that changed...

> If not done,
> I'll try to do it (on the LOGO section), but I need some info from whoever
> tried it before (maybe the same algorithm, because the headers are very
> alike). Simply, there all keys are zero, except MAGICWORD. Did you
> change only that var? Is it sufficient?

The 1G FLSHLOGO section only contained 0xFF's and has 9700 bytes. The 2G FLSHLOGO has 9728 bytes (I stripped the section header). This could be a good starting point. There's probably a key hidden in those 28 bytes.

I got some code, extracted sections and other stuff lying around. Contact me if you want them.

--Felix

_______________________________________________
Linux4nano-dev mailing list
https://mail.gna.org/listinfo/linux4nano-dev
http://www.linux4nano.org
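The size comparison Felix describes (a 9700-byte 1G section that is pure 0xFF fill versus a 9728-byte 2G section) can be turned into a quick triage check: isolate the 28 surplus bytes and measure whether the remaining body is a fill pattern or high-entropy data. This is an added example, not code from the list or from linux4nano; it assumes the 28 extra bytes sit at the front of the stripped dump, and the two sample blobs are constructed, not real firmware.

```python
import math
import random
from collections import Counter

# Sizes quoted in the mail: 1G FLSHLOGO = 9700 bytes of 0xFF, 2G FLSHLOGO = 9728 bytes.
BODY_LEN_1G = 9700


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a uniform fill, close to 8.0 for ciphertext)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse_section(section: bytes, body_len: int = BODY_LEN_1G) -> dict:
    """Split a stripped FLSHLOGO dump into a candidate prefix and the section body.

    Assumption (not stated in the mail): any bytes beyond the 1G body length are
    taken from the *start* of the dump as the candidate key/header area.
    """
    extra = len(section) - body_len
    if extra < 0:
        raise ValueError(f"section shorter than expected body ({len(section)} < {body_len})")
    candidate, body = section[:extra], section[extra:]
    entropy = byte_entropy(body)
    return {
        "length": len(section),
        "extra_bytes": extra,
        "candidate_prefix": candidate.hex(),          # the bytes worth inspecting by hand
        "body_is_ff_fill": body.count(0xFF) == len(body),
        "body_entropy": round(entropy, 2),
        "looks_encrypted": entropy > 7.5,             # random-looking body, unlike the 1G fill
    }


# Constructed stand-ins for the real dumps (seeded so the result is reproducible).
SAMPLE_1G = b"\xff" * BODY_LEN_1G
_rng = random.Random(2)
SAMPLE_2G = bytes(_rng.getrandbits(8) for _ in range(28 + BODY_LEN_1G))

if __name__ == "__main__":
    for name, blob in (("1G", SAMPLE_1G), ("2G", SAMPLE_2G)):
        print(name, analyse_section(blob))
```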
