
Repacking UPDATA.APP (was New version of split_updata.pl)


Guest ZeBadger
I can't see any of the md5sums of the extracted files within the UPDATA.APP for any of the extracted files.

I'm going to modify my crc16 to do the whole file and see if any of the checksums from the file are in that.


Guest Speckles

Where can I get the time machine rom? Searching the forum gives too many hits.

An even smaller file you can get from the Pulse Mini forum - but those give "Invalid security code". Weird. I'd expect "Incorrect device" or something.

Actually, how about the CUSTOMIZED_HU file in the 2.1 update? That's incredibly small too.

Edited by Speckles

Guest ZeBadger
Actually, how about the CUSTOMIZED_HU file in the 2.1 update? That's incredibly small too.

That is an awesome idea! I forgot that was a "proper" file too.

TimeMachine rom is on Huawei's website here


Guest Speckles

Hmmm, I just found the CUSTOMIZED_UK/SK/NL etc. They are all very small and very similar, apart from one major difference: File id F3 is completely different in all of them. This is always the same size regardless of file length, but I don't think it could possibly load in 200MB+ (for the full updates) to verify the signature in such a small amount of time, so maybe it only validates the headers and depends on the headers validating the data via the CRCs in the headers. It would make sense too, the F3 file is always the first one by the looks of it.

A 128-byte file would give a 1024-bit signature. Sounds plausible. I think I need to see if I can check the headers using that file. The public key must be in the updater executable somewhere.

Other than that, the CUSTOMIZED_xx just changes one file from "t-mobile xx" to "t-mobile yy".

Edited by Speckles

Guest ZeBadger

file02.mbn appears to contain CRC checksums for some of the files. I'm guessing that it's not a 4096 byte checksum in this one, coz I can't find the checksum for larger files, so I just need to work out the size used... leave me on it :lol:

eg for the Time Machine rom

$ hd file02.mbn
00000000  27 91 42 fd f9 ac 26 fc  87 21 01 3e 48 9a de c9  |'.B...&..!.>H...|
00000010  d1 64 af 9f 4d 42 4f 10  04 1d 09 9d              |.d..MBO.....|
0000001c

boot_versions.txt 2791  (bytes 1 and 2)
upgradable_versions.txt 099D (last 2 bytes)
version.txt 099D  (last 2 bytes as well... ahem)
file01.mbn 2109
file02.mbn 7A7A (It can't contain the checksum for itself)
file04.mbn 42FD (bytes 3 and 4)
file05.mbn 01C9

Edited by ZeBadger

Guest Speckles

Interesting... I wonder why they would do that? Secondly, I wonder if they have a file that contains checksums for the file headers?

Edited by Speckles

Guest ZeBadger
Interesting... I wonder why they would do that? Secondly, I wonder if they have a file that contains checksums for the file headers?

I'm quite sure all the checksums for the files will be in this file. Just got to work out how they are stored. I'm confident that this will sort out my CRC error with my image :lol:


Guest Speckles

I think you could be right. If you open the CUSTOMIZED_HU file, the FILE02 contains just two bytes 7D BD which happens to be the CRC16 of the file which contains the text "T-Mobile HU".


Guest ZeBadger

I thought I had it for a minute. There are 117145030 bytes of data in the files, 7180 in file02.mbn, that gives around 16315 bytes per file. This is very close to 16k (16384).

I split the splash screen up with "split -b 16384 splash.raw565". This didn't give me anything recognisable when passed through crc_file

"split -a 10 -b 16383 splash.raw565" gave me lots of F078

$ for each in x??
> do
> echo $each: `./crc_file $each`
> done
xaa: F078
xab: F078
xac: F078
xad: F078
xae: F078
xaf: F078
xag: F078
xah: 1357
xai: 3F61
xaj: F078
xak: F078
xal: F078
xam: F078
xan: F078
xao: F078
xap: F078
xaq: F078
xar: F078
xas: 4FA7

There's a lot of F078 in file02.mbn which makes me think that for large amounts of NULL this is probably correct, but 1357 and 3F61 are not in there.

EDIT: Doh doh doh... it's 2 bytes per chunk... so must be 32k chunks... Stupid coincidence of F078 and 78F0 lol

Edited by ZeBadger

Guest ZeBadger

Yup :lol: for the splash screen... the checksums are in there

$ for each in x??
> do
> ./crc_file $each
> done
78F0
78F0
78F0
9A0B
EE47
78F0
78F0
78F0
78F0
0E07

I'll recompile a crc creator for 32k... brb after rebooting into Linux! Okay it's here crc32k

Time to edit file02 then try re-flashing my phone!

Edited by ZeBadger

Guest Speckles

Cool, I was just about to mention that the file02.mbn was too big for one crc per file and that it looked chunked into 32KB sections, but I'd not confirmed it as fast as you had and I don't want to post every thought as this isn't twitter :lol:

BTW, I use VMware for Linux, much easier than rebooting :D

Edited by Speckles

Guest ZeBadger
Cool, I was just about to mention that the file02.mbn was too big for one crc per file and that it looked chunked into 32KB sections, but I'd not confirmed it as fast as you had and I don't want to post every thought as this isn't twitter :D

Failing straight away on me now. "Update failed". First time was because I had forgotten to update the CRC for file02.mbn!

Now I'm getting:

**** SD download log ****
Failure: MD5_RSA verify failure.
Failure: operation did not succeed.
Failure: operation did not succeed.
Failure: operation did not succeed.
Failure: operation did not succeed.
Failure: operation did not succeed.
dload_sd_ram_data_proc->(retry >= DLOAD_RETRY) failed!

Crikey... there must be an md5 in there somewhere too? Maybe, as you had the same problems, this is something to do with how the file is assembled too.

That's enough tinkering for tonight... g/f is getting tetchy :lol:

Edited by ZeBadger
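
The chunked-CRC layout worked out in the posts above, and why a signature check can still fail once the CRCs have been fixed up, as an added Python example that is not from the thread or its tools. The CRC variant (CRC-16/X-25), big-endian storage, and an MD5 over the table standing in for the signed value are assumptions; the sample data is constructed.

```python
import hashlib
import struct

CHUNK = 32 * 1024  # chunk size worked out in the thread


def crc16(data: bytes) -> int:
    """CRC-16/X-25: reflected poly 0x8408, init and final XOR 0xFFFF.
    Assumption: the thread never names the variant crc_file uses."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_table(payload: bytes) -> bytes:
    """Two CRC bytes per 32 KB chunk, concatenated (file02.mbn layout).
    Big-endian storage is an assumption."""
    return b"".join(struct.pack(">H", crc16(payload[off:off + CHUNK]))
                    for off in range(0, len(payload), CHUNK))


def bad_chunks(payload: bytes, table: bytes) -> list:
    """Indices of chunks whose CRC disagrees with the stored table."""
    fresh = build_table(payload)
    if len(fresh) != len(table):
        raise ValueError("table size does not match payload size")
    return [i // 2 for i in range(0, len(table), 2)
            if fresh[i:i + 2] != table[i:i + 2]]


def table_digest(table: bytes) -> str:
    """MD5 of the table; stand-in (assumption) for what the vendor signs."""
    return hashlib.md5(table).hexdigest()


# Constructed sample: three chunks, mostly NUL bytes like a splash image.
ORIGINAL = bytes(CHUNK) + b"splash" * 5000 + bytes(20000)
ORIGINAL_TABLE = build_table(ORIGINAL)
EDITED = bytearray(ORIGINAL)
EDITED[40000] ^= 0xFF  # one changed byte, inside chunk 1
EDITED = bytes(EDITED)

if __name__ == "__main__":
    print("stale table flags chunks:", bad_chunks(EDITED, ORIGINAL_TABLE))
    print("rebuilt table flags chunks:", bad_chunks(EDITED, build_table(EDITED)))
    print("digest unchanged:",
          table_digest(build_table(EDITED)) == table_digest(ORIGINAL_TABLE))
```

A CRC table that anyone can regenerate detects corruption but not modification; only a signature over data that includes the table binds the contents to the signer.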

Guest Speckles

I think it's the F3 file (file01.mbn), that's 128 bytes and changes drastically on every updata.app. I don't think it's just an MD5 either - I think it's an MD5 of the file headers (those have not been checked yet, only the data) and then that MD5 hash cryptographically signed by Huawei using their own private key which is then checked by the phone which has a copy of the public key.


Guest Epic-Emodude
I think it's the F3 file (file01.mbn), that's 128 bytes and changes drastically on every updata.app. I don't think it's just an MD5 either - I think it's an MD5 of the file headers (those have not been checked yet, only the data) and then that MD5 hash cryptographically signed by Huawei using their own private key which is then checked by the phone which has a copy of the public key.

Hi,

I have been following this post for a while now (since it started), and I am very interested in what you're doing. Unfortunately I don't understand much of what you're talking about, so I was wondering if you could say roughly how close to completion you are on this, as I am sure there are many others in a similar position to me.

Thanx

Aaron


Guest Speckles

Really, it's impossible to say. We think there's just one hurdle left, but we've been thinking that for a while now and as soon as we jump over it, another one jumps in our way. It could end up being impossible, we just don't know yet. We need a proof of concept.


Guest ZeBadger
I think it's the F3 file (file01.mbn), that's 128 bytes and changes drastically on every updata.app. I don't think it's just an MD5 either - I think it's an MD5 of the file headers (those have not been checked yet, only the data) and then that MD5 hash cryptographically signed by Huawei using their own private key which is then checked by the phone which has a copy of the public key.

Yeah I was looking in there... it's divisible by 32bits (_8_ md5 checksums... just need to know what they are checksums for, it's also 128 bytes in the TimeMachine rom)

I know how we can work out what it is for. It's not all of the headers as I have edited one of them and it didn't fail. I have however edited file02.mbn and got this error... but only after I fixed the CRC checksum for it! So we can just try bodging other files until we know which ones are affected.... okay I'm really going for the evening now!

I have been following this post for a while now (since it started), and I am very interested in what you're doing. Unfortunately I don't understand much of what you're talking about, so I was wondering if you could say roughly how close to completion you are on this, as I am sure there are many others in a similar position to me.

As Speckles says, it might not even be possible, if there's any cryptography we will probably hit a brick wall. We still haven't worked out the "something2" field... although one of my friends got the bug and has taken it away for analysis.

Edited by ZeBadger

Guest DanWilson
although one of my friends got the bug and has taken it away for analysis.

Erm whut? What bug? Analysis how and where? Is this the phone still or has your friend got diarrhea?


Guest ZeBadger
Erm whut? What bug? Analysis how and where? Is this the phone still or has your friend got diarrhea?

#5

bug

noun

1. insect, beastie (informal), creepy-crawly (informal), gogga (S. African informal) a bloodsucking bug which infests poor housing

2. (Informal) illness, disease, complaint, virus, infection, disorder, disability, sickness, ailment, malaise, affliction, malady, lurgy (informal) I think I've got a bit of a stomach bug.

3. fault, failing, virus, error, defect, flaw, blemish, imperfection, glitch, gremlin There is a bug in the software.

4. bugging device, wire, listening device, phone tap, hidden microphone There was a bug on the phone.

5. (Informal) mania, passion, rage, obsession, craze, fad, thing (informal) I've definitely been bitten by the gardening bug.


Guest DanWilson
#5

bug

noun

1. insect, beastie (informal), creepy-crawly (informal), gogga (S. African informal) a bloodsucking bug which infests poor housing

2. (Informal) illness, disease, complaint, virus, infection, disorder, disability, sickness, ailment, malaise, affliction, malady, lurgy (informal) I think I've got a bit of a stomach bug.

3. fault, failing, virus, error, defect, flaw, blemish, imperfection, glitch, gremlin There is a bug in the software.

4. bugging device, wire, listening device, phone tap, hidden microphone There was a bug on the phone.

5. (Informal) mania, passion, rage, obsession, craze, fad, thing (informal) I've definitely been bitten by the gardening bug.

Still don't get it, your friend is enraged and analyzing himself?

Lulz, you've lost me...


Guest ZeBadger
Still don't get it, your friend is enraged and analyzing himself?

Lulz, you've lost me...

He's gotten obsessed with the puzzle.


Guest DanWilson
He's gotten obsessed with the puzzle.

Ah. I'm too stupid to see the puzzle than to become obsessed with it...

I think someone should work 24/7, just to fix his friend's obsession. *HINT HINT*

JK - I wouldn't rush you that much, you need an hour to sleep!
