How to convert eCWPK to dCWPK

[adas]

It can't work, every operator has an encryption algo.

Thank you for your nice help.

Here I would use u-boot or SoC reball.

Cau Adas

 

[starsurfer]

@dognaldo nice try but still dark.

 

[leandrotsampa]

Maybe you can edit/reflash rootfs to enable SSH, Telnet or UART to get access and decrypt CWPK.

Try open your dump with 7zip ;P
Or you can extract squashfs from address 0x5C0028 and open with 7zip.

Anyway you can edit u-boot in your dump too and reflash.

 

[p2p]

very good replay bro thanks...

 

[truefrnd]

Maybe you can edit/reflash rootfs to enable SSH, Telnet or UART to get access and decrypt CWPK.

Try open your dump with 7zip ;P
Or you can extract squashfs from address 0x5C0028 and open with 7zip.

Anyway you can edit u-boot in your dump too and reflash.

i have opend UART what ssh command for CWPK

 

[starsurfer]

Hi truefrnd is it possible to decode the CWPK keys from the post?
Greetings and stay healthy.
How to convert eCWPK to dCWPK

 

[adas]

Without ALGO or SoC, nobody will count anything.
You need U-Boot, and you start playing with SoC.

Cau Adas

 

[truefrnd]

@adas i dont know so i ask, if you know anything share

 

[truefrnd]

should be, if anybudy know

 

[gazoil12]

Good morning all
I relaunch the post, I have uart access on a soc7105jud, how to calculate the cwpk
of course I have the flash dump
Thanks for your help

 

[schwarzekatze]

Good morning all
I relaunch the post, I have uart access on a soc7105jud, how to calculate the cwpk
of course I have the flash dump
Thanks for your help

for sti7105-jud you need to use new method called dma bruteforce because dcw adress is locked by security fuse
in short decrypt + encrypt works but 3des decryption result is unreadable from fixed models
dma bruteforce method is explained in latest security explorations pdfs

 

[gazoil12]

for sti7105-jud you need to use new method called dma bruteforce because dcw adress is locked by security fuse
in short decrypt + encrypt works but 3des decryption result is unreadable from fixed models
dma bruteforce method is explained in latest security explorations pdfs

can tell me more about this brut force method
do you have a link for the documents
thanks

 

[pachecoso]

can tell me more about this brut force method
do you have a link for the documents
thanks

Mon ami gazoil, you need to put your receiver in upgrade mode , that way the protected memory address will be free to dump
Play a little on the receivers firmware via shell and check how upgrade mode is launched, check receivers initialisations and conditions and you will get it
Some inits modifications do the trick.

 

[schwarzekatze]

Mon ami gazoil, you need to put your receiver in upgrade mode , that way the protected memory address will be free to dump
Play a little on the receivers firmware via shell and check how upgrade mode is launched, check receivers initialisations and conditions and you will get it
Some inits modifications do the trick.

it is otp security in cpu you cant unlock dcw adress by upgrading receiver firmware or whatsoever , any of firmware modiffications also would not help

 

[gazoil12]

no body wants to help on this brute force method !!!!
this is a mutual aid forum
if I posted the method to open the box you would all be bothered

 

[starsurfer]

Hello Gazoil I think many users would be happy about a PM, including me. love greetings and stay healthy.

 

[gazoil12]

I think you do not understand well
it will not be in PM but in public

 

[starsurfer]

So then free your mind.

 

[truefrnd]

@gazoil12 when you cant post public better to pm, my pm blocked plz pm me, im looking for learn how its works, many experts here but no one putted post on this forum, i came here to learn more here, but experts not share him experience

 

[siera]

also pm to me