tari

Oct 22nd, 2008
<Ox1F18> Subfield 0300h is the certification group. Inside that is 0700h, which contains public keys. Inside that, there are two fields, 0710h and 0730h. 0710h contains the key ID, which is 04 or 01 04. 0730h is the actual key itself, including the length byte, so it's 07 3D 41 40 <key>

Certificate hacking:
The boot code entry point _ReceiveOS ($8072/1F:5B48 on 1.00) handles receiving an OS through
link negotiation, then it checks the certificate. Assuming it checks the certificate
for a usable OS key (there's a copy of the OS key in the boot code), we can modify
the OS key for resigning any OS (or app, or whatever).
OSes are signed with a pretty simple Rabin-encrypted MD5 hash, where the key is [usually] TI's
0004 (?) key, which corresponds with the key kept in the certificate and boot code. The boot code
decrypts that MD5 hash and complains if it doesn't match the actual data. The keys are
512 bits each.

If the boot code checks the certificate for a usable OS key, the next step is to generate a key
pair for encryption, as outlined at http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf.

IT DOES! Load the public key into the certificate in field 0730, and all is well. It will use
the boot code's OS key if field 8010 (hardware revision) is not in the OS header.

A whole new certificate can be sent with the _ReceiveCalcID (8081) entry point and a .8xq file.

Certificate fields are two bytes:
0[fieldMSN]:[fieldLSN][sizenibble]
If sizenibble is D, the next byte is the size; E means the next word is the size, and F the next 4 bytes.
Positions below are [row,column] in the hex dump at the end of these notes.
[1,2]:0A15: Calculator ID field, 5 bytes
[1,4]:04094DFAC1: Product 04 (83P) - Hardware revision 1 - Serial number 94DFAC1
[1,9]:0A2D40: Field A2, $40 bytes (512 bits) in length; one of the private keys
[3,12]:0412: Validation number (last 4 digits of calc ID) field, 2 bytes = 7054
[3,16]:0326: Certificate date stamp, 6 bytes = 09040B7E816C
[3,24]:020D40: Field 20, another private key
[5,27]:030E0251: Field 30, size 0x251 (big-endian, not little-endian) - certification group
[5,31]:0010: Subfield 01, size 0
[6,1]:01013A: Subfield 10, size 1
[6,4]:040504094DFAC1: Subfield 40, size 5
[6,11]:032609040B7E816C: Subfield 32 (the date stamp again)
[6,19]:020D40: Subfield 20, length 0x40
[8,22]:070E01F6: Field 70, size 0x1F6: public keys
[8,26]:071104: Key ID (04)
[8,29]:073D40: Key data (512 bits) - this is the 0004 OS key
[10,32]:07120104: Key ID (0104)
[11,4]:073D4140: Key data - 0104 app key - the 40 is not part of it
[13,8]:07125204: Key 5204
[13,12]:073D4140: Data again - looks like app keys have a leading 40
[15,16]:07124204: Key 4204
[15,20]:073D4140: repeat again
[17,24]:07123204: Key 3204, followed by data
[19,32]:07122204: Key 2204
[22,8]:07121204: Key 1204
[24,16]:020D40: Some different key..

At any rate, I can probably insert a key at [10,32] with the following data:
07110F ;new key ID, 000F
073D40<key> ;key data

So I read the certificate, find the second instance of field 071,
shift that and everything above it up by 0x40+6,
insert my key data (above),
write it back to the previously unused sector, and erase the original.
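A small parser for the field encoding described above, added here as an example (it is not code from the original notes): read_header decodes the 0[MSN]:[LSN][size nibble] header including the D/E/F long-size forms, and parse_fields walks a byte string, recursing into the 30h and 70h groups (the only containers the notes name) and refusing any field whose declared length runs past its container. The sample bytes are constructed: the short fields are copied from the dump below, the key data is cut down to two placeholder bytes.

```python
from dataclasses import dataclass, field
from typing import List

GROUP_IDS = {0x30, 0x70}   # fields the notes describe as containers of subfields

@dataclass
class Field:
    fid: int                 # two-nibble field ID, e.g. 0xA1 or 0x73
    payload: bytes           # raw content (empty for group fields)
    children: List["Field"] = field(default_factory=list)

def read_header(data: bytes, pos: int):
    """Decode one header: byte0 = 0<MSN>, byte1 = <LSN><size nibble>; nibble D/E/F
    means the size follows in 1/2/4 big-endian bytes. Returns (id, header len, size)."""
    b0, b1 = data[pos], data[pos + 1]
    if b0 & 0xF0:
        raise ValueError(f"bad field header at {pos:#x}: {b0:02X} {b1:02X}")
    fid, nib = (b0 << 4) | (b1 >> 4), b1 & 0x0F
    if nib < 0xD:
        return fid, 2, nib
    n = {0xD: 1, 0xE: 2, 0xF: 4}[nib]
    return fid, 2 + n, int.from_bytes(data[pos + 2:pos + 2 + n], "big")

def parse_fields(data: bytes, pos: int = 0, end=None) -> List[Field]:
    """Parse consecutive fields in data[pos:end]; 0xFF (erased flash) ends the list.
    A field must fit inside its container, so a bogus length cannot claim outside bytes."""
    end = len(data) if end is None else end
    out = []
    while pos < end and data[pos] != 0xFF:
        fid, hlen, size = read_header(data, pos)
        start, stop = pos + hlen, pos + hlen + size
        if stop > end:
            raise ValueError(f"field {fid:02X} at {pos:#x} overruns its container")
        if fid in GROUP_IDS:
            out.append(Field(fid, b"", parse_fields(data, start, stop)))
        else:
            out.append(Field(fid, data[start:stop]))
        pos = stop
    return out

# Constructed sample: short fields copied from the dump, key data cut to 2 placeholder bytes.
SAMPLE = bytes.fromhex(
    "0A15 04094DFAC1"    # A1: calculator ID, 5 bytes
    "0412 7054"          # 41: validation number, 2 bytes
    "030E 000C"          #   30: certification group, size word 000C
    "070E 0008"          #     70: public keys, size word 0008
    "0711 04"            #       71: key ID 04
    "073D 02 BEEF"       #       73: key data (constructed), size byte 02
    "FFFF"               # erased flash after the last field
)
```

When running it over the full dump below, start at offset 1: the first field header (0A 15) sits at column 2, after a leading 00 byte.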

===============================================================================================
Uncommented original data follows (first 800 bytes, rest is $FF)
===============================================================================================
-1--2--3--4--5--6--7--8--9-10-11-12-13-14-15-16-17-18-19-20-21-22-23-24-25-26-27-28-29-30-31-32|
-----------------------------------------------------------------------------------------------|
00 0A 15 04 09 4D FA C1|0A 2D 40 03 30 7C D5 15 9E CD 59 B0 52 DD 24 B2 04 2C BA 2B C5 C9 1E 86|1
93 0D C5 BD 3A 25 F6 E1 2B 29 01 FC D0 0D FD 7F 6D CC A1 97 8B 5F 4C 5E 49 2F D3 55 89 2C 40 BE|2
13 A9 6C E7 BC E4 39 8C 97 52 A2|04 12 70 54|03 26 09 04 0B 7E 81 6C|02 0D 40 36 C3 F4 9A AE D5|3
37 F6 BA 3D 6B 31 0E 1D 33 82 04 AC 7F F6 EE A3 5A 38 F3 29 A1 2E 28 1A 74 2F D5 4E A4 7A 1E 82|4
86 EA 82 C5 69 66 11 61 EA EB 83 05 B6 E9 E9 B9 74 07 9A C4 9F 52 F2 46 F0 1A|03 0E 02 51|00 10|5
01 01 3A|04 05 04 09 4D FA C1|03 26 09 04 0B 7E 81 6C|02 0D 40 36 C3 F4 9A AE D5 37 F6 BA 3D 6B|6
31 0E 1D 33 82 04 AC 7F F6 EE A3 5A 38 F3 29 A1 2E 28 1A 74 2F D5 4E A4 7A 1E 82 86 EA 82 C5 69|7
66 11 61 EA EB 83 05 B6 E9 E9 B9 74 07 9A C4 9F 52 F2 46 F0 1A|07 0E 01 F6|07 11 04|07 3D 40 8F|8
E5 28 B3 40 EB 1C 88 B5 05 B2 35 4B AA DF 47 F3 61 6D 92 CB 53 2E 7E 5A 2A 0D FF 1C 4E 42 83 CE|9
EA 2B 2F 7A D5 F2 8B 7E 4B E4 F3 F4 C9 9C AB A0 D9 8A 8E 5F 2B E1 5E 2A AC 7C ED 09 40 EF 82|07|10
12 01 04|07 3D 41 40 AD 24 31 DA 22 97 E4 17 5E AC 61 A3 15 4F A3 D8 47 11 57 94 DD 33 0A B7 FF|11
36 BA 59 FE DA 19 5F EA 7C 16 74 3B D7 BC ED 8A 0D A8 85 E5 E5 C3 4D 5B F2 0D 0A B3 EF 91 81 ED|12
39 BA 2C 4D 89 8E 87|07 12 52 04|07 3D 41 40 5D 70 06 BF FC 45 A0 19 54 04 8B 51 DD A6 5D D9 C7|13
EE FD 0B D4 B9 AB 75 F8 6D C5 C7 A9 7F 0A EF 6E DB 61 B9 05 E1 A5 4E 38 43 1B 3E 04 18 C6 38 00|14
66 B9 63 2B F7 CA DD 76 12 93 B8 A5 82 D6 E3|07 12 42 04|07 3D 41 40 5D B2 35 9C 90 83 17 07 B8|15
30 15 5D 34 4A 3B 91 4D E1 27 04 29 6D B4 B4 F5 9A 84 38 F5 65 DE 28 BF 7C BA F0 EE 0F 2E DA C4|16
8D 3D 7A 41 65 52 8E CB D5 3E D4 8C 65 08 1D 74 D5 84 9A 86 12 AB 8E|07 12 32 04|07 3D 41 40 A5|17
34 78 45 D8 D4 B9 FF A9 CD 54 41 A4 25 D7 40 53 0B 38 01 95 C9 2C 0A EB AC 0B 71 37 A5 D3 8F 1C|18
D6 10 3E 0A 89 A8 06 02 51 1A 39 7B 01 4E BF 04 A5 B5 36 4D 93 8D 4B 80 16 94 4E D3 B1 AB 85|07|19
12 22 04 07 3D 41 40 9D 13 8A 4E A9 37 2E 17 58 52 20 9B DD 51 F9 36 5C 96 AD 43 13 FB D7 A8 21|20
BF 14 50 96 C2 5F E3 C1 6F 47 00 66 36 79 D6 7C 18 C9 63 0E D4 63 72 61 2B AB C1 8D 0E 08 63 BD|21
70 33 63 2F A1 E9 F0|07 12 12 04|07 3D 41 40 8D 80 FB B4 0F 24 10 FA D3 32 DF 6A 80 89 91 D0 C1|22
A8 DA 31 38 5A 89 73 3F 60 90 4C 58 2A 20 64 A0 0C EE CB 59 AB C0 C9 43 EA EB A0 41 4A 1C 7F 6B|23
8F 57 27 07 59 B7 0A DF 6C 30 2C 4F 78 F6 97|02 0D 40 14 3F CB 0B 6B 8B 06 54 FA 71 A7 C4 38 19|24
1B 34 EA 97 14 88 19 92 5B 9F 93 8A E4 CD D0 2B 12 CA F5 7C 04 AD BE 53 72 D5 19 BD E4 8D 18 F5|25
EC 10 5A FF E6 75 4B 3A BB 67 70 A8 F2 02 EC 39 1F 2D FF FF FF FF FF FF FF FF FF FF FF FF FF FF|26