- <Ox1F18> Subfield 0300h is the certification group. Inside that is 0700h, which contains public keys. Inside that, there are two fields, 0710h and 0730h. 0710h contains the key ID, which is 04 or 01 04. 0730h is the actual key itself, including the length byte, so it's 07 3D 41 40 <key>
- Certificate hacking:
- The boot code entry point _ReceiveOS ($8072/1F:5B48 on 1.00) handles receiving an OS through
- link negotiation, then checks the certificate. Assuming it checks the certificate
- for a usable OS key (there's a copy of the OS key in the boot code), we can modify
- the OS key for resigning any OS (or app, or whatever).
- OSes are signed with a pretty simple Rabin encrypted MD5 hash, where the key is [usually] TI's
- 0004 (?) key, which corresponds with the key kept in certificate and boot code. It'll
- decrypt that MD5 hash, and complain if it doesn't match the actual data. The keys are
- 512 bits each.
- If the boot code checks the certificate for a usable OS key, the next step is to generate a key
- pair for encryption, as outlined at http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf.
- IT DOES! Load the public key into the certificate in field 0730, and all is well. It will use
- the boot code's OS key if field 8010 (hardware revision) is not in the OS header.
- A whole new certificate can be sent with the _ReceiveCalcID (8081) entry point, and a .8xq file.
- Certificate fields are two bytes:
- 0[fieldMSN]:[fieldLSN][sizenibble]
- If sizenibble is 0-C it is the size itself; D means the next byte is the size, E the next word, and F the next 4 bytes
- [1,2]:0A15: Calculator ID field, 5 bytes
- [1,4]:04094DFAC1: Product 04 (83P) - Hard revision 1 - Serial number 94DFAC1
- [1,9]:0A2D40: Field A2, $40 bytes (512 bits) in length; one of the private keys
- [3,12]:0412: Validation number (last 4 digits of calc ID) field, 2 bytes = 7054
- [3,16]:0326: Certificate date stamp, 6 bytes = 09040B7E816C
- [3,24]:020D40: Field 20, another private key
- [5,27]:030E0251: Field 30, size $251 (big-endian, not little-endian): certification group
- [5,31]:0010: Subfield 01, size 0
- [6,1]:01013A: Subfield 10, size 1
- [6,4]:040504094DFAC1: Subfield 40, size 5
- [6,11]:032609040B7E816C: Subfield 32, yeah..
- [6,19]:020D40: Subfield 20, length 0x40
- [8,22]:070E01F6: Field 70, size 0x1F6: public keys
- [8,26]:071104: Key ID (04)
- [8,29]:073D40: Key data (512 bits) - this is the 0004 OS key
- [10,32]:07120104: Key ID (0104)
- [11,4]:073D4140: Key data - 0104 app key - the 40 is not part of it
- [13,8]:07125204: Key 5204
- [13,12]:073D4140: Data again - looks like app keys have a leading 40
- [15,16]:07124204: Key 4204
- [15,20]:073D4140: repeat again
- [17,24]:07123204: Key 3204, followed by data
- [19,32]:07122204: Key 2204
- [22,8]:07121204: Key 1204
- [24,16]:020D40: Some different key..
- At any rate, I can probably insert a key at [10,32] with the following data:
- 07110F ;new key ID, 000F
- 073D40<key> ;key data
- So I read the certificate, find the second instance of field 071
- Shift that and everything above it up by 0x40+6
- Insert my key data (above)
- Write it back to the previously unused sector, erase the original
- ===============================================================================================
- Uncommented original data follows (first 800 bytes, rest is $FF)
- ===============================================================================================
- -1--2--3--4--5--6--7--8--9-10-11-12-13-14-15-16-17-18-19-20-21-22-23-24-25-26-27-28-29-30-31-32|
- -----------------------------------------------------------------------------------------------|
- 00 0A 15 04 09 4D FA C1|0A 2D 40 03 30 7C D5 15 9E CD 59 B0 52 DD 24 B2 04 2C BA 2B C5 C9 1E 86|1
- 93 0D C5 BD 3A 25 F6 E1 2B 29 01 FC D0 0D FD 7F 6D CC A1 97 8B 5F 4C 5E 49 2F D3 55 89 2C 40 BE|2
- 13 A9 6C E7 BC E4 39 8C 97 52 A2|04 12 70 54|03 26 09 04 0B 7E 81 6C|02 0D 40 36 C3 F4 9A AE D5|3
- 37 F6 BA 3D 6B 31 0E 1D 33 82 04 AC 7F F6 EE A3 5A 38 F3 29 A1 2E 28 1A 74 2F D5 4E A4 7A 1E 82|4
- 86 EA 82 C5 69 66 11 61 EA EB 83 05 B6 E9 E9 B9 74 07 9A C4 9F 52 F2 46 F0 1A|03 0E 02 51|00 10|5
- 01 01 3A|04 05 04 09 4D FA C1|03 26 09 04 0B 7E 81 6C|02 0D 40 36 C3 F4 9A AE D5 37 F6 BA 3D 6B|6
- 31 0E 1D 33 82 04 AC 7F F6 EE A3 5A 38 F3 29 A1 2E 28 1A 74 2F D5 4E A4 7A 1E 82 86 EA 82 C5 69|7
- 66 11 61 EA EB 83 05 B6 E9 E9 B9 74 07 9A C4 9F 52 F2 46 F0 1A|07 0E 01 F6|07 11 04|07 3D 40 8F|8
- E5 28 B3 40 EB 1C 88 B5 05 B2 35 4B AA DF 47 F3 61 6D 92 CB 53 2E 7E 5A 2A 0D FF 1C 4E 42 83 CE|9
- EA 2B 2F 7A D5 F2 8B 7E 4B E4 F3 F4 C9 9C AB A0 D9 8A 8E 5F 2B E1 5E 2A AC 7C ED 09 40 EF 82|07|10
- 12 01 04|07 3D 41 40 AD 24 31 DA 22 97 E4 17 5E AC 61 A3 15 4F A3 D8 47 11 57 94 DD 33 0A B7 FF|11
- 36 BA 59 FE DA 19 5F EA 7C 16 74 3B D7 BC ED 8A 0D A8 85 E5 E5 C3 4D 5B F2 0D 0A B3 EF 91 81 ED|12
- 39 BA 2C 4D 89 8E 87|07 12 52 04|07 3D 41 40 5D 70 06 BF FC 45 A0 19 54 04 8B 51 DD A6 5D D9 C7|13
- EE FD 0B D4 B9 AB 75 F8 6D C5 C7 A9 7F 0A EF 6E DB 61 B9 05 E1 A5 4E 38 43 1B 3E 04 18 C6 38 00|14
- 66 B9 63 2B F7 CA DD 76 12 93 B8 A5 82 D6 E3|07 12 42 04|07 3D 41 40 5D B2 35 9C 90 83 17 07 B8|15
- 30 15 5D 34 4A 3B 91 4D E1 27 04 29 6D B4 B4 F5 9A 84 38 F5 65 DE 28 BF 7C BA F0 EE 0F 2E DA C4|16
- 8D 3D 7A 41 65 52 8E CB D5 3E D4 8C 65 08 1D 74 D5 84 9A 86 12 AB 8E|07 12 32 04|07 3D 41 40 A5|17
- 34 78 45 D8 D4 B9 FF A9 CD 54 41 A4 25 D7 40 53 0B 38 01 95 C9 2C 0A EB AC 0B 71 37 A5 D3 8F 1C|18
- D6 10 3E 0A 89 A8 06 02 51 1A 39 7B 01 4E BF 04 A5 B5 36 4D 93 8D 4B 80 16 94 4E D3 B1 AB 85|07|19
- 12 22 04 07 3D 41 40 9D 13 8A 4E A9 37 2E 17 58 52 20 9B DD 51 F9 36 5C 96 AD 43 13 FB D7 A8 21|20
- BF 14 50 96 C2 5F E3 C1 6F 47 00 66 36 79 D6 7C 18 C9 63 0E D4 63 72 61 2B AB C1 8D 0E 08 63 BD|21
- 70 33 63 2F A1 E9 F0|07 12 12 04|07 3D 41 40 8D 80 FB B4 0F 24 10 FA D3 32 DF 6A 80 89 91 D0 C1|22
- A8 DA 31 38 5A 89 73 3F 60 90 4C 58 2A 20 64 A0 0C EE CB 59 AB C0 C9 43 EA EB A0 41 4A 1C 7F 6B|23
- 8F 57 27 07 59 B7 0A DF 6C 30 2C 4F 78 F6 97|02 0D 40 14 3F CB 0B 6B 8B 06 54 FA 71 A7 C4 38 19|24
- 1B 34 EA 97 14 88 19 92 5B 9F 93 8A E4 CD D0 2B 12 CA F5 7C 04 AD BE 53 72 D5 19 BD E4 8D 18 F5|25
- EC 10 5A FF E6 75 4B 3A BB 67 70 A8 F2 02 EC 39 1F 2D FF FF FF FF FF FF FF FF FF FF FF FF FF FF|26
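The header rule given above (0[fieldMSN]:[fieldLSN][sizenibble], with D/E/F pulling a 1/2/4-byte big-endian length) and the nesting the dump shows (0300h wrapping 0700h, which wraps the 0710h/0730h key pairs) as a small parser and encoder. This is an added example, not code from the original notes. Assumptions: only fields 30 and 70 are treated as containers (the ones the notes describe as groups); the dump's leading 00 byte is skipped because the notes index the first header at [1,2]; FF ends the data, as the notes say the rest of the sector is $FF. The sample certificate is constructed: its non-key field bytes are the ones shown in the notes, while the 512-bit key bodies are filler rather than real key material.

```python
# Parser/encoder for the certificate field headers described in the notes above.
# Added example; not code from the original notes.
from dataclasses import dataclass, field as dc_field
from typing import Dict, List, Optional

# The notes describe 0300h (certification group) and 0700h (public keys) as holding
# subfields; treating exactly these two as containers is an assumption.
CONTAINER_FIELDS = {0x30, 0x70}


@dataclass
class CertField:
    field_id: int      # two hex digits, e.g. 0xA1 for a "0A 15" header
    size: int          # payload length in bytes
    data: bytes        # raw payload (for containers, the nested bytes)
    offset: int        # offset of the header in the buffer
    children: List["CertField"] = dc_field(default_factory=list)


def header_length(size_nibble: int) -> int:
    """Size nibble D/E/F adds a 1/2/4-byte big-endian length; 0-C is the size itself."""
    return {0xD: 3, 0xE: 4, 0xF: 6}.get(size_nibble, 2)


def encode_field(field_id: int, data: bytes) -> bytes:
    """Header rule from the notes: 0[fieldMSN] [fieldLSN][sizenibble], then any length bytes."""
    b0, lsn, n = field_id >> 4, (field_id & 0x0F) << 4, len(data)
    if n <= 0x0C:
        return bytes([b0, lsn | n]) + data
    if n <= 0xFF:
        return bytes([b0, lsn | 0x0D, n]) + data
    if n <= 0xFFFF:
        return bytes([b0, lsn | 0x0E]) + n.to_bytes(2, "big") + data
    return bytes([b0, lsn | 0x0F]) + n.to_bytes(4, "big") + data


def parse_fields(buf: bytes, start: int = 0, end: Optional[int] = None) -> List[CertField]:
    """Walk buf[start:end] field by field, recursing into container fields."""
    end = len(buf) if end is None else end
    out: List[CertField] = []
    pos = start
    while pos < end and buf[pos] != 0xFF:          # FF = unprogrammed flash, end of data
        if pos + 2 > end:
            raise ValueError(f"truncated field header at offset {pos}")
        b0, b1 = buf[pos], buf[pos + 1]
        if b0 & 0xF0:
            raise ValueError(f"bad header {b0:02X} {b1:02X} at offset {pos}: high nibble must be 0")
        field_id = ((b0 & 0x0F) << 4) | (b1 >> 4)
        hdr = header_length(b1 & 0x0F)
        if pos + hdr > end:
            raise ValueError(f"truncated length prefix for field {field_id:02X} at offset {pos}")
        size = (b1 & 0x0F) if hdr == 2 else int.from_bytes(buf[pos + 2:pos + hdr], "big")
        data_start, data_end = pos + hdr, pos + hdr + size
        if data_end > end:
            raise ValueError(f"field {field_id:02X} at offset {pos} claims {size} bytes, "
                             f"only {end - data_start} remain")
        node = CertField(field_id, size, bytes(buf[data_start:data_end]), pos)
        if field_id in CONTAINER_FIELDS:
            node.children = parse_fields(buf, data_start, data_end)
        out.append(node)
        pos = data_end
    return out


def find_field(fields: List[CertField], field_id: int) -> Optional[CertField]:
    return next((f for f in fields if f.field_id == field_id), None)


def public_keys(fields: List[CertField]) -> Dict[str, bytes]:
    """Pair each key-ID field (0710h) with the key-data field (0730h) that follows it."""
    group = find_field(fields, 0x30)
    keys = find_field(group.children, 0x70) if group else None
    result: Dict[str, bytes] = {}
    pending = None
    for f in (keys.children if keys else []):
        if f.field_id == 0x71:
            pending = f.data.hex().upper()
        elif f.field_id == 0x73 and pending is not None:
            result[pending] = f.data          # app keys keep their leading 40 byte, as in the dump
            pending = None
    return result


# Constructed sample: non-key field bytes are the ones shown in the notes; the 512-bit
# key bodies are filler, not real key material.
KEY_FILLER = bytes(range(0x40))
SAMPLE_CERT = (
    b"\x00"                                               # leading byte; notes' first field is at [1,2]
    + encode_field(0xA1, bytes.fromhex("04094DFAC1"))     # 0A 15: calculator ID
    + encode_field(0xA2, KEY_FILLER)                      # 0A 2D 40: private key
    + encode_field(0x41, bytes.fromhex("7054"))           # 04 12: validation number
    + encode_field(0x32, bytes.fromhex("09040B7E816C"))   # 03 26: date stamp
    + encode_field(0x30,                                  # certification group
        encode_field(0x01, b"") + encode_field(0x10, b"\x3A")
        + encode_field(0x70,                              # public keys
            encode_field(0x71, b"\x04") + encode_field(0x73, KEY_FILLER)
            + encode_field(0x71, b"\x01\x04") + encode_field(0x73, b"\x40" + KEY_FILLER)))
    + b"\xFF" * 8                                         # unused flash
)


if __name__ == "__main__":
    def show(fields, depth=0):
        for f in fields:
            print(f"{'  ' * depth}@{f.offset:04X} field {f.field_id:02X} size {f.size:#x}")
            show(f.children, depth + 1)
    show(parse_fields(SAMPLE_CERT, start=1))
    print({k: v.hex() for k, v in public_keys(parse_fields(SAMPLE_CERT, start=1)).items()})
```

Every length check raises rather than silently reading past the field, so a certificate whose size bytes disagree with the bytes actually present is rejected instead of yielding a bogus key; `public_keys` gives a quick way to confirm which key IDs a certificate carries under 0700h (in the dump: 04, 0104, 5204, 4204, 3204, 2204, 1204) and to compare the 04 entry against a known-good OS key.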