API tools faq
paste
Guest User

Pentax K30 firmware checksum

a guest
Feb 25th, 2014
357
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C# 4.55 KB | None | 0 0
raw download clone embed print report
  1. # RE'ed by Shodan
  2.  
  3. using System;
  4. using System.Collections.Generic;
  5. using System.IO;
  6. using System.Linq;
  7. using System.Text;
  8. using System.Threading.Tasks;
  9.  
  10. namespace PentaxK30CRCCheck
  11. {
  12.     class Program
  13.     {
  14.         static void Main(string[] args)
  15.         {
  16.             FileInfo fileA = new FileInfo(args[0]);
  17.  
  18.             var bytesA = File.ReadAllBytes(fileA.FullName);
  19.  
  20.             Program p = new Program();
  21.             var success = p.checkFirmwareChecksum(bytesA, 524, 0);
  22.             success &= p.checkFirmwareChecksum(bytesA, 524, 0);
  23.  
  24.  
  25.         }
  26.  
  27.         // reverse byte order (32-bit)
  28.         public static UInt32 BigEndianToLittleEndian(UInt32 value)
  29.         {
  30.             return (value & 0x000000FFU) << 24 | (value & 0x0000FF00U) << 8 |
  31.                    (value & 0x00FF0000U) >> 8 | (value & 0xFF000000U) >> 24;
  32.         }
  33.  
  34.         public static UInt32 GetValueFromFirmware(ref byte[] firmware, int offset)
  35.         {
  36.             var tmp = BitConverter.ToUInt32(firmware, offset);
  37.             return BigEndianToLittleEndian(tmp);
  38.         }
  39.  
  40.         bool checkFirmwareChecksum(byte[] firmware, int cameraDebugId, int index)
  41.         {
  42.           int[] cameraDebugIdLocations = {0x788, 0x600088, 0x788, 0x4FFF0, 0};
  43.  
  44.           bool result = false;
  45.           var debugIdIndex = 2 * cameraDebugIdLocations[index];
  46.           var cameraDebugIdValueInFirmware = GetValueFromFirmware(ref firmware, debugIdIndex);
  47.           if (cameraDebugIdValueInFirmware == cameraDebugId)
  48.           {
  49.             var counter = 0;
  50.             // Do some initial checks for magic values in the firmware
  51.             var cameraMagicChecksumValue = 0x10001 * cameraDebugId;
  52.             do
  53.             {
  54.                 int[] locationOfCheckSumMagicValueLocations = {0x7FC, 0x57FFFC, 0x5FFFFC,
  55.                                                 0x600080, 0x600080, 0x61FFF8,
  56.                                                 0x7FC, 0x57FFFC, 0x5FFFFC,
  57.                                                 0x4FFFA, 0x4FFFA, 0x4FFFA,
  58.                                                 0, 0, 0};
  59.                 const UInt32 magicValue = 0xA55A5AA5;
  60.  
  61.                 var indexIntoFirmware = 2 * locationOfCheckSumMagicValueLocations[3 * index + counter];
  62.                 var firmwareValue = GetValueFromFirmware(ref firmware, indexIntoFirmware);
  63.                 bool valueInFirmwareIsValid = cameraMagicChecksumValue == firmwareValue;
  64.  
  65.                 if (valueInFirmwareIsValid)
  66.                 {
  67.                     var newIndex = (indexIntoFirmware + 4);
  68.                     var newValue = GetValueFromFirmware(ref firmware, newIndex);
  69.                     valueInFirmwareIsValid = newValue == magicValue;
  70.                 }
  71.  
  72.                 if (!valueInFirmwareIsValid)
  73.                 {
  74.                     return false;
  75.                 }
  76.                 ++counter;
  77.             }
  78.             while ( counter < 3 );
  79.  
  80.             // interesting early exit here that bypasses the firmware checksum!
  81.             int[] locationOfChecksumOverrideBits = {
  82.                                                0x7FC, 0x57FFFC, 0x5FFFFC,
  83.                                                0x600080, 0x600080, 0x61FFF8,
  84.                                                 0x7FC, 0x57FFFC, 0x5FFFFC,
  85.                                                 0x4FFFA, 0x4FFFA, 0x4FFFA,
  86.                                                 0, 0, 0};
  87.  
  88.             int indexToMagicCrcOverrideByte = 2 * locationOfChecksumOverrideBits[index];
  89.             var crcOverrideValue = GetValueFromFirmware(ref firmware, indexToMagicCrcOverrideByte);
  90.  
  91.             if ( crcOverrideValue == UInt32.MaxValue)
  92.             {
  93.                 return true;
  94.             }
  95.  
  96.             int[] checkSumStartAddresses = { 0, 0x600000, 0, 0x10000, 0 };
  97.             int[] totalAmountTOCheckSum = { 0x300000, 0x10000, 0x300000, 0x20000, 0 };
  98.  
  99.             UInt32 checkSumValue = 0;
  100.             int addressToProcess = 2 * checkSumStartAddresses[index];
  101.             int totalNumberOfDwordsToCheck = totalAmountTOCheckSum[index];
  102.             // this looks like the main firmware checksum
  103.             var count = 0;
  104.             while (addressToProcess > count)
  105.             {
  106.               var valueAtOffset = GetValueFromFirmware(ref firmware, addressToProcess);
  107.               totalNumberOfDwordsToCheck += 4;
  108.               ++count;
  109.               checkSumValue += valueAtOffset;
  110.             }
  111.             if (checkSumValue == 0)
  112.             {
  113.                 result = true;
  114.             }
  115.           }
  116.           return result;
  117.         }
  118.     }
  119. }
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!