[E3-hacking] PBL 5.1 (again)

Otaku otaku at takingthingsapart.org
Sun Jan 20 13:14:59 GMT 2008


Hi All...
Ok - took a break from my other shiny to finally play with my PBL5.1 E3 
yesterday..
So - the current state of play is this :

Sent Packet:
0x02 0x00 0x02 0x00 0x02  0x00  0x04  ( Version Query )

Rcvd Packet
0x02 0x00 0x0e 0x00  (STX header + length of packet )
0x82 0x00 0x72 0x00  ( Response data )
0x05 0x01
0x22 0x05
0x10 0x40
0xfe 0x7b 0x6e 0xb4
0x1a

Viable commands without SHA-256 hash match are :
cmd_2
cmd_9
cmd_15
cmd_16

cmd_16 is used to upload a ( as far as I can tell ) 392 byte 
authentication key.
the key is hashed via sha-256 and, for any of the other commands not 
mentioned above, compared to the hash on the box.
If the generated hash matches the stored one, the command executes, if 
not, it doesn't.

For the interested, I believe the hash is :
char SHAHASH[0x20]={
0xAD,0xA2,0x8D,0x8B,0x4A,0xE7,0x12,0x15,
0x05,0x30,0x98,0x91,0xB1,0x01,0x09,0x24,
0x2B,0x32,0xDE,0xCE,0x67,0x88,0x94,0x81,
0x18,0xA5,0x0B,0x9C,0xB5,0xBD,0xDC,0x24
};

aka:

0x8B8DA2AD
0x1512E74A
0x91983005
0x240901B1
0xCEDE322B
0x81948867
0x9C0BA518
0x24DCBDB5

I'm currently going over the code to see if there are any sneaky 
bypasses, but it doesn't look good so far.
I'll let y'all know if anything progresses.
Happy Sunday.
Jake

One thought does strike, however..
392 bytes is kind of a strange length for a plaintext source for the hash.
Makes one wonder if it's a (X)PGP ASCII signature.

As always, reality may bear no resemblance to the statements above.
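The packet framing and the hash gate Jake describes, worked through in Python. This is an added example, not code from the post or from the E3 firmware: the two captures and the 32-byte hash are the ones quoted above; the framing (STX, one byte of unknown purpose, a 16-bit little-endian length, `length` body bytes, then the single trailing byte that both captures carry but the post does not explain) is my reading of those two captures and is an assumption; `UNGATED`, `KEY_LEN` and the constant-time comparison are illustration, with the comparison chosen as the defensive way to implement such a gate.

```python
import hashlib
import hmac
import struct

STX = 0x02

# The two captures quoted in the post (version query and its response).
SENT = bytes([0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x04])
RCVD = bytes([0x02, 0x00, 0x0e, 0x00,
              0x82, 0x00, 0x72, 0x00,
              0x05, 0x01, 0x22, 0x05, 0x10, 0x40,
              0xfe, 0x7b, 0x6e, 0xb4,
              0x1a])

# The SHA-256 digest the post believes is stored on the box.
SHAHASH = bytes([
    0xAD, 0xA2, 0x8D, 0x8B, 0x4A, 0xE7, 0x12, 0x15,
    0x05, 0x30, 0x98, 0x91, 0xB1, 0x01, 0x09, 0x24,
    0x2B, 0x32, 0xDE, 0xCE, 0x67, 0x88, 0x94, 0x81,
    0x18, 0xA5, 0x0B, 0x9C, 0xB5, 0xBD, 0xDC, 0x24,
])

KEY_LEN = 392                 # key length reported in the post
UNGATED = {2, 9, 15, 16}      # commands the post lists as needing no hash match


def parse_packet(pkt: bytes) -> dict:
    """Split a packet into header fields, body and trailer.

    Assumed layout (inferred from the two captures, not documented by the post):
      byte 0      STX (0x02)
      byte 1      unknown, 0x00 in both captures
      bytes 2-3   body length, 16-bit little-endian
      body        `length` bytes
      trailer     whatever follows; one byte in both captures
    """
    if len(pkt) < 4:
        raise ValueError("packet shorter than header")
    if pkt[0] != STX:
        raise ValueError("missing STX")
    length = struct.unpack_from("<H", pkt, 2)[0]
    body = pkt[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated body: header says %d, have %d" % (length, len(body)))
    return {"length": length, "body": body, "trailer": pkt[4 + length:]}


def words_le(digest: bytes) -> list:
    """View the byte array as 32-bit little-endian words (the 'aka' listing)."""
    return [struct.unpack_from("<I", digest, i)[0] for i in range(0, len(digest), 4)]


def command_allowed(cmd: int, key, stored: bytes = SHAHASH) -> bool:
    """The gate as the post describes it: ungated commands pass, anything else
    needs SHA-256(key) to equal the stored digest. compare_digest is used so
    the check does not leak how many leading bytes matched."""
    if cmd in UNGATED:
        return True
    if key is None or len(key) != KEY_LEN:
        return False
    return hmac.compare_digest(hashlib.sha256(key).digest(), stored)


if __name__ == "__main__":
    for name, pkt in (("sent", SENT), ("rcvd", RCVD)):
        p = parse_packet(pkt)
        print(name, "len=%d body=%s trailer=%s" % (p["length"], p["body"].hex(), p["trailer"].hex()))
    print("hash words:", ["0x%08X" % w for w in words_le(SHAHASH)])
    # A constructed 392-byte key, used only to show the gate opening against
    # a digest we computed ourselves; it is not the device's key.
    demo_key = bytes(range(256)) + bytes(136)
    print("cmd 3 with demo key vs stored hash:", command_allowed(3, demo_key))
    print("cmd 3 with demo key vs its own hash:",
          command_allowed(3, demo_key, hashlib.sha256(demo_key).digest()))
```

Running it reproduces the eight words from the "aka" list from the char array, and shows that the body length in both captures leaves exactly one byte over, which is why the trailer is kept separate rather than folded into the body.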
