Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- tos.img keybox
- tsec wrapper reads aid
- Challenge Flow:
- 1. Client sends UID to Server (device android_id; "e816ebb8-44b7-3a37-9398-47ec566a63cd")
- 2. Server responds with Challenge (always identical ; "NVSI_2.00") and R1 (random)
- 3. Client sends UID again, (Google) Keybox ID, AID (all consistent on the same device) and R1 Solved to Server
- 4. Server verifies R1 Solved
- 5. More follows e.g. server responds with a 16 byte session ID and the client sends a further encrypted version back alongside a new random value (always random even if the server presents the same R1 every time, indicating seed and/or nonce in RandState is client randomized)
- Map of struct storing all the variables related to randomization Client can access (48 bytes):
- struct RandState {
- u8 seed[16];
- u32_t ctr; //maybe indicates CTR mode e.g.the use of a stream cipher?
- u8 pad[12];
- u32 nonce[2];
- u8 pad2[8];
- }
- //this might not get used during the Challenge Flow but later on during the Session Flow
- Consistent Values:
- AID:
- 1C1DFE67
- UID:
- B8EB16E8 B744373A 98936A56 EC47CD63 (0xB8EB16E8B744373A98936A56EC47CD63)
- Keybox ID:
- 6235D3E3 30DEC513 4DC9DABB 59FF02F6 (0x6235D3E330DEC5134DC9DABB59FF02F6)
- Challenge:
- 2E2E2E2E 4E565349 5F322E30 2E2E2E2E (0x2E2E2E2E4E5653495F322E302E2E2E2E)
- Random Values:
- -----
- R1:
- 64446751 086DC976 F1743D0A 948BB1C7 (0x64446751086DC976F1743D0A948BB1C7)
- R1 Solved:
- 279F9999 AA8A9BB3 F0CEAD54 0031CC42 (0x279F9999AA8A9BB3F0CEAD540031CC42)
- -----
- -----
- R1:
- 413B94DF B8BBD22B 1C770906 F59AD00B (0x413B94DFB8BBD22B1C770906F59AD00B)
- R1 Solved:
- 10817F2D 79A056D5 CC68FCED 96077B17 (0x10817F2D79A056D5CC68FCED96077B17)
- -----
Add Comment
Please, Sign In to add comment
