Unofficial empeg BBS


#374349 - 01/05/2024 21:54 What's the algorithm here?
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14483
Loc: Canada
I am reverse-engineering a device here, that has a peculiar twist in its protocol. Every 15 seconds, there's what I call a Challenge/Response exchange, without which the device loses some functionality. Now I don't know if this is actually a challenge/response, or if it is merely some needed data (timing or otherwise), but it behaves as such.

Here are two columns of 4-bytes which get exchanged. The first (on left) of each pair is the "challenge", and the second (on right) of each pair is the "correct" response to that challenge. As you may note, I have injected some simple patterns for the challenges, to make it a bit easier to get an idea of what is happening.

In real-life, the "challenge" always has an ef ("f") for the final digit, but the artificial ones I used try other patterns too. It does seem to give the same answer regardless of the final digit of the challenge.

The challenges are state-less: repeating the same challenge at any point will give the same correct response value.

This could just be a CRC or checksum of some kind.
Can anyone here figure out what's happening?

Code:
 0xffffffff 0xffffffff

 0x80000001 0x80fdfcfe
 0x80000002 0x80fdfcfe
 0x80000004 0x80fdfcfe
 0x80000008 0x80fdfcfe
 0x80000000 0x80fdfcfe
 0x40000000 0x40fdfcfe
 0x20000000 0x20fdfcfe
 0x10000000 0x10fdfcfe
 0x08000000 0x08fdfcfe
 0x04000000 0x04fdfcfe
 0x02000000 0x02fdfcfe
 0x01000000 0x01fdfcfe
 0x00800000 0x807efdfe
 0x00400000 0x403efdfe
 0x00200000 0x201efdfe
 0x00100000 0x100efdfe
 0x00080000 0x0806fdfe
 0x00040000 0x0402fdfe
 0x00020000 0x02fffcfe
 0x00010000 0x01fefcfe
 0x00008000 0x80fe7eff
 0x00004000 0x407e3eff
 0x00002000 0x203e1eff
 0x00001000 0x101e0eff
 0x00000800 0x080e06ff
 0x00000400 0x040602ff
 0x00000200 0x0202fffe
 0x00000100 0x01fffdfe
 0x00000080 0x150ae4fe
 0x00000040 0x83b4f0fe
 0x00000020 0xe5e4f6fe
 0x00000010 0xf8f3f9fe
 0x00000008 0xfffcfcfe
 0x00000004 0xfffcfcfe
 0x00000002 0xfffcfcfe
 0x00000001 0xfffcfcfe

 0x00000000 0xfffcfcfe

 0x8000000f 0x80fdfcfe
 0x4000000f 0x40fdfcfe
 0x2000000f 0x20fdfcfe
 0x1000000f 0x10fdfcfe
 0x0800000f 0x08fdfcfe
 0x0400000f 0x04fdfcfe
 0x0200000f 0x02fdfcfe
 0x0100000f 0x01fdfcfe
 0x0080000f 0x807efdfe
 0x0040000f 0x403efdfe
 0x0020000f 0x201efdfe
 0x0010000f 0x100efdfe
 0x0008000f 0x0806fdfe
 0x0004000f 0x0402fdfe
 0x0002000f 0x02fffcfe
 0x0001000f 0x01fefcfe
 0x0000800f 0x80fe7eff
 0x0000400f 0x407e3eff
 0x0000200f 0x203e1eff
 0x0000100f 0x101e0eff
 0x0000080f 0x080e06ff
 0x0000040f 0x040602ff
 0x0000020f 0x0202fffe
 0x0000010f 0x01fffdfe
 0x0000008f 0x150ae4fe
 0x0000004f 0x83b4f0fe
 0x0000002f 0xe5e4f6fe
 0x0000001f 0xf8f3f9fe
 0x0000000f 0xfffcfcfe

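A quick way to test the "this could just be a CRC or checksum" idea against the posted table, as an added example that is not part of the original post: every CRC (and every XOR-style checksum) is affine over GF(2), so c(a ^ b) == c(a) ^ c(b) ^ c(0). Given the response to 0 and to each single-bit challenge, that identity predicts the response to every other challenge; any pair that breaks the prediction rules out a plain CRC/checksum (or marks that pair as a special case). The script also checks the poster's observation that the low nibble of the challenge does not change the response. The pairs are copied from the post; the function names are mine.

```python
# Added example: test the posted challenge/response table against a
# GF(2)-affine model (the class that contains every CRC and XOR checksum).
# Pairs are (challenge, response), copied from the post.
PAIRS = [
    (0xffffffff, 0xffffffff),
    (0x80000001, 0x80fdfcfe), (0x80000002, 0x80fdfcfe), (0x80000004, 0x80fdfcfe),
    (0x80000008, 0x80fdfcfe), (0x80000000, 0x80fdfcfe), (0x40000000, 0x40fdfcfe),
    (0x20000000, 0x20fdfcfe), (0x10000000, 0x10fdfcfe), (0x08000000, 0x08fdfcfe),
    (0x04000000, 0x04fdfcfe), (0x02000000, 0x02fdfcfe), (0x01000000, 0x01fdfcfe),
    (0x00800000, 0x807efdfe), (0x00400000, 0x403efdfe), (0x00200000, 0x201efdfe),
    (0x00100000, 0x100efdfe), (0x00080000, 0x0806fdfe), (0x00040000, 0x0402fdfe),
    (0x00020000, 0x02fffcfe), (0x00010000, 0x01fefcfe), (0x00008000, 0x80fe7eff),
    (0x00004000, 0x407e3eff), (0x00002000, 0x203e1eff), (0x00001000, 0x101e0eff),
    (0x00000800, 0x080e06ff), (0x00000400, 0x040602ff), (0x00000200, 0x0202fffe),
    (0x00000100, 0x01fffdfe), (0x00000080, 0x150ae4fe), (0x00000040, 0x83b4f0fe),
    (0x00000020, 0xe5e4f6fe), (0x00000010, 0xf8f3f9fe), (0x00000008, 0xfffcfcfe),
    (0x00000004, 0xfffcfcfe), (0x00000002, 0xfffcfcfe), (0x00000001, 0xfffcfcfe),
    (0x00000000, 0xfffcfcfe),
    (0x8000000f, 0x80fdfcfe), (0x4000000f, 0x40fdfcfe), (0x2000000f, 0x20fdfcfe),
    (0x1000000f, 0x10fdfcfe), (0x0800000f, 0x08fdfcfe), (0x0400000f, 0x04fdfcfe),
    (0x0200000f, 0x02fdfcfe), (0x0100000f, 0x01fdfcfe), (0x0080000f, 0x807efdfe),
    (0x0040000f, 0x403efdfe), (0x0020000f, 0x201efdfe), (0x0010000f, 0x100efdfe),
    (0x0008000f, 0x0806fdfe), (0x0004000f, 0x0402fdfe), (0x0002000f, 0x02fffcfe),
    (0x0001000f, 0x01fefcfe), (0x0000800f, 0x80fe7eff), (0x0000400f, 0x407e3eff),
    (0x0000200f, 0x203e1eff), (0x0000100f, 0x101e0eff), (0x0000080f, 0x080e06ff),
    (0x0000040f, 0x040602ff), (0x0000020f, 0x0202fffe), (0x0000010f, 0x01fffdfe),
    (0x0000008f, 0x150ae4fe), (0x0000004f, 0x83b4f0fe), (0x0000002f, 0xe5e4f6fe),
    (0x0000001f, 0xf8f3f9fe), (0x0000000f, 0xfffcfcfe),
]

RESP = dict(PAIRS)            # challenge -> observed response
ZERO = RESP[0x00000000]       # response to the all-zero challenge


def affine_predict(x: int) -> int:
    """Predict the response to x assuming f(a ^ b) == f(a) ^ f(b) ^ f(0).

    Each set bit i of x contributes the differential f(e_i) ^ f(0), where e_i
    is the single-bit challenge 1 << i; all 32 of those are in the table.
    """
    acc = ZERO
    for bit in range(32):
        if (x >> bit) & 1:
            acc ^= RESP[1 << bit] ^ ZERO
    return acc


def affine_mismatches() -> list:
    """Return (challenge, observed, predicted) for every pair the model misses."""
    return [(x, y, affine_predict(x)) for x, y in PAIRS if affine_predict(x) != y]


def low_nibble_ignored() -> bool:
    """Check the poster's claim: clearing the low nibble never changes the response."""
    for x, y in PAIRS:
        base = x & ~0xf
        if base in RESP and RESP[base] != y:
            return False
    return True


if __name__ == "__main__":
    print("low nibble ignored:", low_nibble_ignored())
    for x, seen, pred in affine_mismatches():
        print(f"affine model fails: {x:#010x} -> {seen:#010x}, predicted {pred:#010x}")
```

On the posted data the low-nibble check passes for all 29 paired rows, and the affine model reproduces every multi-bit row except the all-ones pair 0xffffffff -> 0xffffffff. So either that row is a special case the device handles separately (an all-ones sentinel is common in embedded protocols), or the map is not a plain CRC/checksum. The next step is to collect a few two-bit challenges among the higher bits (e.g. bits 30 and 22 set together) and run the same check; if those also fail, the function is non-linear and the table approach tfabris suggests, or a closer look at the firmware, is the way forward.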
#374350 - 02/05/2024 01:49 Re: What's the algorithm here? [Re: mlord]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31573
Loc: Seattle, WA
There’s gotta be some kind of existing program that can take your known inputs and outputs and make a guess at generating your universal decoder. A neural net would do it, given enough examples, but perhaps there is a simpler way. Like, sort of a generic key generator or something like that. I’ll bet such a thing exists somewhere.

I mean, it would also be fun to figure out by hand, but if the author of the original black box was deliberately trying to obfuscate, that might be tough.

How easy is it to machine-generate a bunch of calls and responses out of the black box? Given enough speed and storage, you wouldn’t need to know the algorithm, just store every possible response in a database. smile
_________________________
Tony Fabris

#374351 - 02/05/2024 02:44 Re: What's the algorithm here? [Re: mlord]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14483
Loc: Canada
28 bits of possible challenges/responses. BIG table for a tiny embedded system in this case. smile

It takes 15 seconds to run the challenge/response for a new value, due to the way the system works -- not the processing time!
