└── decr.c /decr.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #define TYPE_MCU 0 6 | #define TYPE_PPM 1 7 | 8 | typedef unsigned char byte; 9 | typedef unsigned short half; 10 | typedef unsigned int word; 11 | 12 | typedef struct _ 13 | { 14 | word addr_bits; 15 | half xor_value; 16 | } 17 | ADDR_ADJ; 18 | 19 | 20 | //#define ZERO_MASK 0x1956 21 | #define ZERO_MASK 0x0000 22 | 23 | half mbit[] = { 24 | 0x1221, 0xA91A, 0x52A5, 0x0908, // 0001 0002 0004 0008 25 | 0xa918, 0x1020, 0xFFFF, 0x52A1, // 0010 0020 0040 0080 26 | 0x0100, 0x1220, 0xAD1A, 0x0900, // 0100 0200 0400 0800 27 | 0x1000, 0x2908, 0x5221, 0xa908, // 1000 2000 4000 8000 28 | }; 29 | 30 | half maddr[] = { 31 | 0x0FAE, 0x3E7F, 0xC99F, 0xD6F7, // 00.0002 00.0004 00.0008 000.0010 32 | 0xA71B, 0x14C4, 0x52A5, 0xCBB1, // 00.0020 00.0040 00.0080 000.0100 33 | 0x4285, 0xEFDF, 0xDFF7, 0x5080, // 00.0200 00.0400 00.0800 000.1000 34 | 0xEE9F, 0x0000, 0x8432, 0x5221, // 00.2000 00.4000 00.8000 001.0000 35 | 0x4084, 0xA91A, 0x56E7, 0xB93A, // 02.0000 04.0000 08.0000 010.0000 36 | 0x5B21, 0xA818, 0x0000, 0xEFDF, // 20.0000 40.0000 80.0000 100.0000 37 | }; 38 | ADDR_ADJ maddr_adj[] = { 39 | {0x00140, 0x1000}, 40 | {0x00220, 0x52a1}, 41 | {0x00480, 0x1221}, 42 | {0x00600, 0xB928}, 43 | {0x00810, 0x5221}, 44 | {0x00840, 0x1220}, 45 | {0x00900, 0x2008}, 46 | {0x01020, 0x1221}, 47 | {0x01080, 0x0908}, 48 | {0x01100, 0x52A1}, 49 | {0x02020, 0x0100}, 50 | {0x02080, 0xFBBD}, 51 | {0x04010, 0xA91A}, 52 | {0x04040, 0xA908}, 53 | {0x08008, 0x2908}, 54 | {0x09000, 0x1000}, 55 | {0x0A000, 0xBD3A}, 56 | {0x10010, 0xAD1A}, 57 | {0x10040, 0x5221}, 58 | {0x10400, 0x0908}, 59 | {0x20200, 0x53A5}, 60 | {0x40040, 0xA91A}, 61 | {0x44000, 0x1B20}, 62 | {0x80100, 0xA918}, 63 | {0x800000, 0xB908}, 64 | 65 | {0, 0} 66 | }; 67 | 68 | half en_codes[65535]; 69 | half de_codes[65535]; 70 | half de_addr[0xFFFF]; 71 | 72 | half mcu_crypt_start = 0; 73 | half mcu_flash_hdlen = 0; 74 | word mcu_flash_start = 0; 75 | half mcu_auto_offset = 0; 76 | half ppm_auto_offset = 0; 77 | half fls_fixchecksum = 1; 78 | half mcu_auto_values = 0; 79 | half ppm_auto_values = 0; 80 | half fls_endianess = 0; 81 | 82 | 83 | word 84 | get_word ( FILE * fin ) 85 | { 86 | byte b[4]; 87 | fread ( b, 1, 4, fin ); 88 | return ( b[0] << 24 ) | ( b[1] << 16 ) | ( b[2] << 8 ) | ( b[3] ); 89 | } 90 | 91 | 92 | word 93 | get_chunk ( FILE * fin, byte * buf, word * addr ) 94 | { 95 | int len; 96 | byte b[10]; 97 | 98 | if ( feof ( fin ) ) 99 | return 0; 100 | 101 | do 102 | { 103 | if ( fread ( b, 1, 1, fin ) != 1 ) 104 | return 0; 105 | 106 | if ( b[0] == 0x21 ) 107 | { 108 | fread ( &b[1], 1, 5, fin ); 109 | } 110 | else if ( b[0] == 0x20 ) 111 | { 112 | fread ( &b[1], 1, 5, fin ); 113 | len = ( b[3] << 8 ) | b[4]; 114 | fread ( buf, 1, len, fin ); 115 | } 116 | } 117 | while ( b[0] != 0x14 ); 118 | 119 | *addr = get_word ( fin ); 120 | fread ( b, 1, 5, fin ); 121 | len = ( b[1] << 16 ) | ( b[2] << 8 ) | b[3]; 122 | fread ( buf, 1, len, fin ); 123 | return len / 2; 124 | } 125 | 126 | unsigned short 127 | get_pt_from_ct ( unsigned short val ) 128 | { 129 | unsigned short nc = 0, i; 130 | 131 | for ( i = 0; i < 16; i++ ) 132 | if ( val & ( 1 << i ) ) 133 | nc ^= mbit[i]; 134 | 135 | return nc; 136 | } 137 | 138 | half get_half ( byte *buf, word ofs ) 139 | { 140 | return ( buf[ofs] << 8 ) | buf[ofs ^ 1]; 141 | } 142 | 143 | void set_half ( byte *buf, word ofs, half code ) 144 | { 145 | buf[ofs] = code >> 8; 146 | buf[ofs ^ 1] = ( byte ) code; 147 | } 148 | 149 | 150 | half address_bits ( half code, word addr ) 151 | { 152 | int i = 0; 153 | ADDR_ADJ *adj = maddr_adj; 154 | 155 | while ( adj->addr_bits ) 156 | { 157 | if ( ( addr & adj->addr_bits ) == adj->addr_bits ) 158 | code ^= adj->xor_value; 159 | adj++; 160 | } 161 | 162 | for ( i = 0; i < 24; i++ ) 163 | { 164 | if ( addr & ( 1 << ( i + 1 ) ) ) 165 | code ^= maddr[i]; 166 | } 167 | return code; 168 | } 169 | 170 | half address_fix ( half code, word fad, half basecode ) 171 | { 172 | return code ^ basecode; 173 | 174 | } 175 | 176 | void 177 | decode ( byte * buf, word addr, word len, half basecode, int type ) 178 | { 179 | word ofs, fad; 180 | int pos = 0; 181 | half code; 182 | 183 | for ( ofs = 0; ofs < len * 2; ofs += 2 ) 184 | { 185 | fad = addr + ofs - mcu_flash_start; 186 | if ( fad >= mcu_crypt_start || type == TYPE_PPM ) 187 | { 188 | code = get_half ( buf, ofs ^ fls_endianess ); 189 | 190 | // Clean the special address bits 191 | code = address_bits ( code, addr + ofs ); 192 | 193 | // Get the PT 194 | code = de_codes[code]; 195 | 196 | // hack 197 | code = address_fix ( code, fad , basecode ); 198 | 199 | set_half ( buf, ofs ^ fls_endianess, code ); 200 | } 201 | } 202 | } 203 | 204 | 205 | void 206 | encode ( byte * buf, word addr, word len, half basecode, int type ) 207 | { 208 | word ofs, fad; 209 | half code; 210 | 211 | for ( ofs = 0; ofs < len * 2; ofs += 2 ) 212 | { 213 | fad = addr + ofs - mcu_flash_start; 214 | 215 | if ( fad >= mcu_crypt_start || type == TYPE_PPM ) 216 | { 217 | code = get_half ( buf, ofs ^ fls_endianess ); 218 | 219 | // hack 220 | code = address_fix ( code, fad, basecode ); 221 | 222 | // Get the CT 223 | code = en_codes[code]; 224 | 225 | // Clean the special address bits 226 | code = address_bits ( code, addr + ofs ); 227 | 228 | set_half ( buf, ofs, code ); 229 | } 230 | 231 | } 232 | } 233 | 234 | void 235 | generate_codes ( ) 236 | { 237 | unsigned int c, nc, i; 238 | printf ( " - Generating codes [" ); 239 | for ( c = 0; c <= 65535; c++ ) 240 | { 241 | if ( ( c & 0xF000 ) == c ) 242 | printf ( "." ); 243 | fflush ( stdout ); 244 | nc = ZERO_MASK; 245 | for ( i = 0; i < 16; i++ ) 246 | if ( c & ( 1 << i ) ) 247 | nc ^= mbit[i]; 248 | de_codes[nc] = c; 249 | en_codes[c] = nc; 250 | } 251 | // printf ( "\n" ); 252 | for ( c = 0; c <= 0xFFFF; c+=1 ) 253 | { 254 | nc = 0; 255 | if ( ( c & 0xFFFF0000 ) == c ) 256 | printf ( "." ); 257 | // if ( !( c % 0x10 ) ) 258 | // printf ( "" ); 259 | fflush ( stdout ); 260 | for ( i = 0; i < 24; i++ ) 261 | if ( c & ( 1 << i ) ) 262 | nc ^= maddr[i]; 263 | 264 | de_addr[c] = nc; 265 | // printf ( "%04X ", nc ); 266 | } 267 | // exit ( 0 ); 268 | printf ( "]\n" ); 269 | } 270 | 271 | int 272 | do_decode ( unsigned char *fname, unsigned char *fname_out, word address, half *code, int type ) 273 | { 274 | int i = 0; 275 | int skip = 0; 276 | int count = 0; 277 | int startaddr_set = 0; 278 | void *pos = NULL; 279 | byte buf[0x4000]; 280 | half idx = 0; 281 | word len = 0; 282 | word startaddr = 0; 283 | FILE *fin = NULL; 284 | FILE *fout = NULL; 285 | 286 | fin = fopen ( fname, "rb" ); 287 | if ( !fin ) 288 | { 289 | printf ( "Can't open %s\n", fname ); 290 | return 0; 291 | } 292 | 293 | fout = fopen ( fname_out, "wb" ); 294 | if ( !fout ) 295 | { 296 | printf ( "Can't open %s\n", fname_out ); 297 | return 0; 298 | } 299 | 300 | printf ( " - Decrypting File [" ); 301 | fflush ( stdout ); 302 | 303 | while ( (len = fread ( buf, 2, 0x2000, fin )) > 0 ) 304 | { 305 | if ( !startaddr_set ) 306 | { 307 | startaddr_set = 1; 308 | startaddr = address; 309 | printf ( "0x%08X ", startaddr ); 310 | } 311 | 312 | if ( skip > 30 ) 313 | { 314 | printf ( "\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8. 0x%08X", address ); 315 | fflush ( stdout ); 316 | if ( ++count > 100 ) 317 | { 318 | count = 0; 319 | printf ( "\n [" ); 320 | printf ( "0x%08X ", address ); 321 | fflush ( stdout ); 322 | } 323 | skip = 0; 324 | } 325 | 326 | decode ( buf, address, len, *code, type ); 327 | 328 | 329 | if ( !(*code) && address == startaddr ) 330 | { 331 | switch ( type ) 332 | { 333 | 334 | case TYPE_MCU: 335 | *code = buf[mcu_auto_offset] << 8 | buf[mcu_auto_offset+1]; // at this position is "0x20 0x20" 336 | *code ^= mcu_auto_values; 337 | break; 338 | case TYPE_PPM: 339 | *code = buf[ppm_auto_offset] << 8 | buf[ppm_auto_offset+1]; // at this position is "PPM" 340 | *code ^= ppm_auto_values; 341 | break; 342 | default: 343 | break; 344 | } 345 | 346 | // show some output 347 | printf ( "\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8" ); 348 | printf ( "\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8" ); 349 | printf ( "\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8" ); 350 | printf ( " * Found CryptKey [0x%04X] \n", *code ); 351 | fflush ( stdout ); 352 | if ( type == TYPE_MCU ) 353 | idx = mcu_crypt_start; 354 | else 355 | idx = 0; 356 | for ( ; idx < ( len * 2 ); idx += 2 ) 357 | { 358 | buf[idx] ^= *code >> 8; 359 | buf[idx + 1] ^= ( byte ) *code; 360 | } 361 | printf ( " - Decrypting File [" ); 362 | printf ( "0x%08X ", address ); 363 | fflush ( stdout ); 364 | count = 0; 365 | } 366 | 367 | fseek ( fout, address - startaddr, SEEK_SET ); 368 | fwrite ( buf, 2, len, fout ); 369 | 370 | address += (len*2); 371 | skip++; 372 | } 373 | printf ( "\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8. 0x%08X", address ); 374 | printf ( "]\n" ); 375 | fclose ( fin ); 376 | fclose ( fout ); 377 | 378 | return 1; 379 | } 380 | 381 | int 382 | do_encode ( unsigned char *fname, unsigned char *fname_out, word address, half code, int type ) 383 | { 384 | int i = 0; 385 | int skip = 0; 386 | int count = 0; 387 | int startaddr_set = 0; 388 | byte buf[0x4000]; 389 | word len = 0; 390 | word startaddr = 0; 391 | void *pos = NULL; 392 | FILE *fin = NULL; 393 | FILE *fout = NULL; 394 | 395 | fin = fopen ( fname, "rb" ); 396 | if ( !fin ) 397 | { 398 | printf ( "Can't open %s\n", fname ); 399 | return 0; 400 | } 401 | 402 | fout = fopen ( fname_out, "wb" ); 403 | if ( !fout ) 404 | { 405 | printf ( "Can't open %s\n", fname_out ); 406 | return 0; 407 | } 408 | 409 | printf ( " - Encrypting File [" ); 410 | fflush ( stdout ); 411 | 412 | while ( (len = fread ( buf, 2, 0x2000, fin )) > 0 ) 413 | { 414 | if ( !startaddr_set ) 415 | { 416 | startaddr_set = 1; 417 | startaddr = address; 418 | printf ( "0x%08X ", startaddr ); 419 | } 420 | if ( skip > 30 ) 421 | { 422 | printf ( "\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8. 0x%08X", address ); 423 | fflush ( stdout ); 424 | if ( ++count > 100 ) 425 | { 426 | count = 0; 427 | printf ( "\n [" ); 428 | printf ( "0x%08X ", address ); 429 | fflush ( stdout ); 430 | } 431 | skip = 0; 432 | } 433 | encode ( buf, address, len, code, type ); 434 | 435 | fseek ( fout, address - startaddr, SEEK_SET ); 436 | fwrite ( buf, 2, len, fout ); 437 | 438 | address += (len*2); 439 | skip++; 440 | } 441 | printf ( "\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8. 0x%08X", address ); 442 | printf ( "]\n" ); 443 | fclose ( fin ); 444 | fclose ( fout ); 445 | 446 | return 1; 447 | } 448 | 449 | int create_flash ( char *hdr, char *in, char *out, word address ) 450 | { 451 | int count = 0; 452 | int skip = 0; 453 | int startaddr_set = 0; 454 | unsigned int i = 0; 455 | unsigned long size = 0x4000; 456 | unsigned long len = 0; 457 | unsigned long startaddr = 0; 458 | byte buf[0x4000]; 459 | byte tmp[0x0A]; 460 | byte data = 0x00; 461 | FILE *fin = NULL; 462 | FILE *fout = NULL; 463 | 464 | printf ( " - Writing DCT4 File [" ); 465 | fflush ( stdout ); 466 | 467 | // open the source file for the header 468 | fin = fopen ( hdr, "rb" ); 469 | if ( !fin ) 470 | { 471 | printf ( "Can't open %s\n", hdr ); 472 | return 0; 473 | } 474 | // get the length 475 | fseek ( fin, 1, SEEK_SET ); 476 | len = get_word ( fin ) + 5; 477 | fseek ( fin, 0, SEEK_SET ); 478 | 479 | // read the header 480 | if ( fread ( buf, 1, len, fin ) != len ) 481 | { 482 | printf ( "error while reading header from %s\n", hdr ); 483 | return 0; 484 | } 485 | 486 | // open output file 487 | fout = fopen ( out, "wb" ); 488 | if ( !fout ) 489 | { 490 | printf ( "Can't open %s\n", out ); 491 | return 0; 492 | } 493 | // write the header 494 | fwrite ( buf, 1, len, fout ); 495 | 496 | // now open the flash file 497 | fin = fopen ( in, "rb" ); 498 | if ( !fin ) 499 | { 500 | printf ( "Can't open %s\n", in ); 501 | return 0; 502 | } 503 | 504 | // in case of MCU, the first block is 0x2C bytes (6610) 505 | if ( address == mcu_flash_start ) 506 | size = mcu_flash_hdlen; 507 | 508 | // and write the blocks 509 | while ( (len = fread ( buf, 1, size, fin )) > 0 ) 510 | { 511 | if ( !startaddr_set ) 512 | { 513 | startaddr_set = 1; 514 | startaddr = address; 515 | printf ( "0x%08X ", startaddr ); 516 | } 517 | if ( skip > 30 ) 518 | { 519 | printf ( "\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8. 0x%08X", address ); 520 | fflush ( stdout ); 521 | if ( ++count > 25 ) 522 | { 523 | count = 0; 524 | printf ( "\n [" ); 525 | printf ( "0x%08X ", address ); 526 | fflush ( stdout ); 527 | } 528 | skip = 0; 529 | } 530 | 531 | // write the flash data 532 | // 533 | // hex: 14 AA AA AA AA CD 00 LL LL CH 534 | // 535 | // AA = Address 536 | // CD = Checksum of Data 537 | // LL = Length of Data 538 | // CH = Checksum of Header 539 | // 540 | 541 | memset ( tmp, 0x00, 0x0A ); 542 | tmp[0] = (byte)0x14; // flash block header 543 | tmp[1] = (byte)(address >> 24) & 0xff; // address of the chunk 544 | tmp[2] = (byte)(address >> 16) & 0xff; 545 | tmp[3] = (byte)(address >> 8) & 0xff; 546 | tmp[4] = (byte) address & 0xFF; 547 | for (i=0; i> 8) & 0xff; // length of the chunk 554 | tmp[8] = (byte) len & 0xFF; 555 | for (i=1; i<9; i++ ) // checksum of the header 556 | tmp[9] += tmp[i]; 557 | tmp[9] ^= 0xFF; 558 | 559 | fwrite ( tmp, 1, 0x0A, fout ); // write header 560 | fwrite ( buf, 1, len, fout ); // followed by the data itself 561 | 562 | 563 | 564 | // if we wrote the "PeaK" block, go over to 0x01000064 565 | if ( address == 0x1000000 ) 566 | { 567 | size = 0x4000 - 0x64; 568 | address = 0x1000064; 569 | fseek ( fin, 0x64, SEEK_SET ); 570 | } 571 | else 572 | { 573 | size = 0x4000; 574 | address += len; 575 | } 576 | skip++; 577 | } 578 | printf ( "\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8. 0x%08X", address ); 579 | printf ( "]\n" ); 580 | fclose ( fin ); 581 | fclose ( fout ); 582 | 583 | return 1; 584 | } 585 | 586 | int 587 | read_flash ( unsigned char *fname, unsigned char *fname_out, word *start_address ) 588 | { 589 | int i = 0; 590 | int skip = 0; 591 | int count = 0; 592 | int startaddr_set = 0; 593 | byte buf[0x10000]; 594 | word len = 0; 595 | word ofs = 0; 596 | word address = 0; 597 | word startaddr = 0; 598 | word lastaddr = 0; 599 | half code = 0; 600 | void *pos = NULL; 601 | FILE *fin = NULL; 602 | FILE *fout = NULL; 603 | 604 | if ( !fin ) 605 | { 606 | fin = fopen ( fname, "rb" ); 607 | if ( !fin ) 608 | { 609 | printf ( "Can't open %s\n", fname ); 610 | return 0; 611 | } 612 | } 613 | 614 | fout = fopen ( fname_out, "wb" ); 615 | if ( !fout ) 616 | { 617 | printf ( "Can't open %s\n", fname_out ); 618 | return 0; 619 | } 620 | 621 | fseek ( fin, 1, SEEK_SET ); 622 | ofs = get_word ( fin ); 623 | fseek ( fin, ofs, SEEK_CUR ); 624 | 625 | printf ( " - Reading DCT4 File [" ); 626 | fflush ( stdout ); 627 | 628 | while ( len = get_chunk ( fin, buf, &address ) ) 629 | { 630 | if ( !startaddr_set ) 631 | { 632 | startaddr_set = 1; 633 | startaddr = address; 634 | printf ( "0x%08X ", startaddr ); 635 | } 636 | if ( skip > 30 ) 637 | { 638 | printf ( "\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8. 0x%08X", address ); 639 | fflush ( stdout ); 640 | if ( ++count > 25 ) 641 | { 642 | count = 0; 643 | printf ( "\n [" ); 644 | printf ( "0x%08X ", address ); 645 | fflush ( stdout ); 646 | } 647 | skip = 0; 648 | } 649 | fseek ( fout, address - startaddr, SEEK_SET ); 650 | fwrite ( buf, 2, len, fout ); 651 | skip++; 652 | lastaddr = address + (len*2); 653 | } 654 | printf ( "\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8\x8. 0x%08X", lastaddr ); 655 | printf ( "]\n" ); 656 | fclose ( fin ); 657 | fclose ( fout ); 658 | 659 | *start_address = startaddr; 660 | 661 | return 1; 662 | } 663 | 664 | int 665 | analyse_codes ( void ) 666 | { 667 | int i = 0; 668 | int j = 0; 669 | int addr = 0; 670 | word val = 0; 671 | unsigned char p1 = 0; 672 | unsigned char p2 = 0; 673 | unsigned char p3 = 0; 674 | unsigned char p4 = 0; 675 | /* 676 | for ( i=0; i<0x10; i++ ) 677 | { 678 | printf ( "0x%04X ",1<>= 12; 710 | */ 711 | /* p1 = (addr & 0x7000) >> 12; 712 | 713 | if ( addr & 0x8000 ) 714 | p1 ^= 0xA; 715 | if ( addr & 0x0010 ) 716 | p1 ^= 0x8; 717 | if ( addr & 0x0020 ) 718 | p1 ^= 0x1; 719 | if ( addr & 0x0080 ) 720 | p1 ^= 0x4; 721 | 722 | if ( val != p1 ) 723 | printf ( "%1X%1X ", val, p1 ); 724 | else 725 | printf ( "%1X%", val ); 726 | } 727 | */ 728 | /* 729 | // 730 | // digit 0xF000 731 | // 732 | 733 | for ( i=0; i<=0xFFFF; i++ ) 734 | { 735 | addr = i*0x1; 736 | 737 | if ( !(i & 0x07) ) 738 | printf ( " " ); 739 | if ( !(i & 0x3F) ) 740 | printf ( "\n" ); 741 | val = de_codes[addr]; 742 | val &= 0xF000; 743 | val >>= 12; 744 | 745 | p1 = (addr & 0x7000) >> 12; 746 | 747 | if ( addr & 0x8000 ) 748 | p1 ^= 0xA; 749 | if ( addr & 0x0010 ) 750 | p1 ^= 0x8; 751 | if ( addr & 0x0020 ) 752 | p1 ^= 0x1; 753 | if ( addr & 0x0080 ) 754 | p1 ^= 0x4; 755 | 756 | if ( val != p1 ) 757 | printf ( "%1X%1X ", val, p1 ); 758 | else 759 | printf ( "%1X%", val ); 760 | } 761 | */ 762 | /* 763 | // 764 | // digit 0x0F00 765 | // 766 | 767 | for ( i=0; i<=0xFFFF; i++ ) 768 | { 769 | addr = i*0x1; 770 | 771 | if ( !(i & 0x07) ) 772 | printf ( " " ); 773 | if ( !(i & 0x3F) ) 774 | printf ( "\n" ); 775 | val = de_codes[addr]; 776 | val &= 0xF00; 777 | val >>= 8; 778 | 779 | p2 = (addr & 0x0700) >> 8; 780 | 781 | if ( addr & 0x0001 ) 782 | p2 ^= 0x2; 783 | if ( addr & 0x0008 ) 784 | p2 ^= 0x8; 785 | if ( addr & 0x0040 ) 786 | p2 ^= 0x4; 787 | if ( addr & 0x0800 ) 788 | p2 ^= 0x9; 789 | 790 | if ( val != p2 ) 791 | printf ( "%1X%1X ", val, p2 ); 792 | else 793 | printf ( "%1X%", val ); 794 | } 795 | */ 796 | /* 797 | // 798 | // digit 0x00F0 799 | // 800 | 801 | for ( i=0; i<=0xFFFF; i++ ) 802 | { 803 | addr = i*0x1; 804 | 805 | if ( !(i & 0x07) ) 806 | printf ( " " ); 807 | if ( !(i & 0x3F) ) 808 | printf ( "\n" ); 809 | val = de_codes[addr]; 810 | val &= 0x00F0; 811 | val >>= 4; 812 | 813 | p3 = (addr & 0x0010) >> 4; 814 | 815 | if ( addr & 0x0002 ) 816 | p3 ^= 0x1; 817 | if ( addr & 0x0004 ) 818 | p3 ^= 0x8; 819 | if ( addr & 0x0020 ) 820 | p3 ^= 0x2; 821 | if ( addr & 0x0040 ) 822 | p3 ^= 0x4; 823 | if ( addr & 0x0080 ) 824 | p3 ^= 0x8; 825 | if ( addr & 0x0200 ) 826 | p3 ^= 0x2; 827 | 828 | if ( val != p3 ) 829 | printf ( "%1X%1X ", val, p3 ); 830 | else 831 | printf ( "%1X%", val ); 832 | } 833 | */ 834 | // 835 | // digit 0x000F 836 | // 837 | /* 838 | for ( i=0; i<=0xFFFF; i++ ) 839 | { 840 | addr = i*0x1; 841 | 842 | if ( !(i & 0x07) ) 843 | printf ( " " ); 844 | if ( !(i & 0x3F) ) 845 | printf ( "\n" ); 846 | val = de_codes[addr]; 847 | val &= 0x000F; 848 | 849 | 850 | p4 = (addr & 0x0007); 851 | 852 | if ( addr & 0x0008 ) 853 | p4 ^= 0x8; 854 | if ( addr & 0x0040 ) 855 | p4 ^= 0x4; 856 | if ( addr & 0x0400 ) 857 | p4 ^= 0x2; 858 | if ( addr & 0x2000 ) 859 | p4 ^= 0x8; 860 | if ( addr & 0x4000 ) 861 | p4 ^= 0x1; 862 | 863 | if ( val != p4 ) 864 | printf ( "%1X%1X ", val, p4 ); 865 | else 866 | printf ( "%1X%", val ); 867 | } 868 | */ 869 | return 0; 870 | } 871 | 872 | 873 | #ifdef CRYPT_LIB 874 | unsigned long decrypter_main ( char* name_in, char* name_out, char* name_org, int action, unsigned short *basecode) 875 | { 876 | #else 877 | int 878 | main ( int argc, char *argv[] ) 879 | { 880 | #endif 881 | 882 | int type = TYPE_MCU; 883 | int decrypt = 1; 884 | half code = 0; 885 | static word addr = 0; 886 | 887 | #ifndef CRYPT_LIB 888 | printf ( "\n DCT4 CrypterX v4.0\n" ); 889 | printf ( " --------------------------\n\n" ); 890 | #endif 891 | 892 | generate_codes ( ); 893 | 894 | // analyse_codes (); 895 | // return 0; 896 | 897 | 898 | //#define TEST_TIKU 899 | 900 | #ifndef TEST_TIKU 901 | mcu_flash_start = 0x1000000; // 6610 NHL4 MCU area start 902 | mcu_flash_hdlen = 0x2C; // length of first header block 903 | mcu_crypt_start = 0x84; // start offset of encrypted MCU data 904 | 905 | mcu_auto_offset = 0x0084; 906 | ppm_auto_offset = 0x0000; 907 | mcu_auto_values = 0xFFFF; // for RH-17/2280: 0x5E80 908 | ppm_auto_values = 0x5050; 909 | 910 | fls_fixchecksum = 1; 911 | 912 | 913 | #else 914 | 915 | // 916 | // _____TEST_____ 917 | // 918 | 919 | mcu_flash_start = 0x0000000; // 6230 RH12 MCU area start 920 | mcu_flash_hdlen = 0x012C; // length of first header block 921 | mcu_crypt_start = 0x01F4; // start offset of encrypted MCU data 922 | 923 | mcu_auto_offset = 0x01F4; 924 | ppm_auto_offset = 0x0000; 925 | mcu_auto_values = 0xFFFF; 926 | ppm_auto_values = 0x5050; 927 | 928 | // fls_endianess |= 0x01; // swap bytes 929 | // fls_endianess |= 0x02; // swap halfs 930 | #endif 931 | 932 | // type = TYPE_MCU; 933 | // type = TYPE_PPM; 934 | 935 | 936 | 937 | // 938 | // 939 | // 940 | // f_orig.fls = Original Nokia DCT4 FlashFile 941 | // || 942 | // \/ 943 | // f_data.fls = Original ENcrypted flash data 944 | // || 945 | // \/ 946 | // f_decr.fls = Original DEcrypted flash data 947 | // || 948 | // || __ Modify the file and save it. 949 | // ||/ Either pause there or restart using the right files. 950 | // || I prefer changing the filenames. 951 | // \/ 952 | // f_encr.fls = Modified ENcrypted flash data 953 | // || 954 | // \/ 955 | // f_done.fls = Modified Nokia DCT4 FlashFile 956 | // 957 | 958 | // 959 | // After the file was created, simply 0xFF all the 0x40 bytes of the D340 signed hash. 960 | // It seems nokia left a backdoor to disable the algo by simple 0xFF-ing it :) 961 | // I also noticed that 6610 has NO ContactService when the MCU checksum is wrong. 962 | // Modifying is easier than i thought :) 963 | // 964 | // 965 | // 966 | 967 | if ( addr > 0x01000000 ) 968 | type = TYPE_PPM; 969 | 970 | #ifdef CRYPT_LIB 971 | if ( action == 0 ) 972 | read_flash ( name_in, name_out, &addr ); // open a nokia flash and serialize it 973 | 974 | if ( action == 1 ) 975 | do_decode ( name_in, name_out, addr, &code, type ); // use the serialized file to decode 976 | 977 | if ( action == 2 ) 978 | do_encode ( name_in, name_out, addr, code, type ); // open a decoded serialized flash and encode it again 979 | 980 | if ( action == 3 ) 981 | create_flash ( name_org, name_in, name_out, addr ); // convert the serialized file to flashfile using headers from original file 982 | 983 | *basecode = code; 984 | //printf ( "\n\n" ); 985 | return addr; 986 | #else 987 | // type = TYPE_MCU; 988 | read_flash ( "flash.fls", "flash.ser", &addr ); // open a nokia flash and serialize it 989 | do_decode ( "flash.ser", "flash.dec", addr, &code, type ); // use the serialized file to decode 990 | do_encode ( "flash.mod", "flash.enc", addr, code, type ); // open a decoded serialized flash and encode it again 991 | create_flash ( "flash.fls", "flash.enc", "flash.out", addr ); // convert the serialized file to flashfile using headers from original file 992 | 993 | #endif 994 | 995 | return 0; 996 | 997 | } 998 | --------------------------------------------------------------------------------