Added fw modifications required to unpack real world player dumps.
Documented more fwu header fields, magic numbers and finite field arithmetics (extended Euclidean for inverse, long division for reducing modulo field_poly).
v3 encryption used is standard RC4 with the key additionally ciphered by the Elliptic Curve Integrated Encryption Scheme.
Either sect233k1 (NIST K-233) or sect163r2 (NIST B-163) curves can be used, with the former overwhelmingly prevailing, being hardwired in SDK's maker.exe. Using a private/public key scheme is superfluous because both are stored in the firmware, with the added level of complexity likely serving the purpose of obfuscation. The private key is generated at random with each invokation.
None of KDF or MAC from ECIES are used, RC4 key is directly xored with the shared secret. The random number r used to calculate rG isn't stored, but that's unimportant since only krG == rkG is actually used in the encryption.
Change-Id: Ieacf8cc744bc90c7c5582dd724b2c10a41bfc191
The encryption definitely uses some standard elliptic curve encryption over
binary fields (163 and 233 bits, standard polynomials). It is still unclear
how this is used in the actual encryption, the key authentification and
derivation do not look standard.
Change-Id: I6b9180ff7e6115e1dceca8489e986a02a9ea6fc9
Several people asked me recently how to decrypt atj2127 firmware. Someone
posted on github (https://github.com/nfd/atj2127decrypt) a decrypt utility
clearly reverse engineered from some unknown source. The code is an absolute
horror but I concluded that ATJ changed very little between ATJ213x and ATJ2127
so I added support for the ATJ2127, credit to this github code that I stole
and rewrite (code was under MIT licence). At the same time do some small code
cleanups.
Note that there is not 100% sure way that I know to distinguish between the
two firmware types, so the code tries to do an educated guess to detect
ATJ2127. If this does not work, use --atj21217 option. Also note that contrary
to the github tool that decrypts and unpack in one go, this tool only does one
step at once. So first decrypt: HEX -> AFI, then unpack AFI -> files.
I also added for a different version of AFI. Based on AFI files I have, there
are, I think, two versions: the "old" ones (pre-ATJ213x) and "new" ones. The
tool only supported the new one but for some reason the ATJ2127 uses the old
ones without a mostly empty header. Strangely, even this mostly empty header
does not seem to follow the old layout as reverse engineered by the s1mp3
project (https://sourceforge.net/p/s1mp3/code/HEAD/tree/trunk/s1fwx/heads.h),
so in fact there might be three versions. In any case, only the header is
different, the rest of the file is identical so at the moment I just don't
print any header info for "old" files.
Change-Id: I1de61e64f433f6cacd239cd3c1ba469b9bb12442
This test software setups timer T0 periodic interrupt.
In ISR it changes backlight level. The interrupt handler
does not support nesting and the whole ISR is run in interrupt
context. Exceptions are not handled yet.
Change-Id: Idc5d622991c7257b4577448d8be08ddd1c24c745
This simple program shows how to setup timer for periodic
operation. Interrupts are not used yet and simply pending
irq bit is polled and cleared when set. This program
supports my understanding of disassm of ADEC_N63.BIN that
P_CLK is configured for 7.5MHz and timer clock source is P_CLK
directly.
Change-Id: Idd6461bf847c763b78b8c324012ec2515f65dd41
This test program. I add it mainly to document somehow my work:
1) atj213x.h lists registers addresses
2) crt0.S exploits self relocation of the binary
3) test_bl.c documents how to control backlight on e150
Change-Id: I055e0fe065d926a5c3805b73cea3f537cb64bf52
If no output prefix is specified, a default is picked:
- filename with extension replaced by .afi for FWU files
- filename with extension replaced by .fw/ for AFI files
- filename without extension and with / for FW files
Change-Id: I6497b8f4a49f1238e5db738429f687cad3ae8a5a