The Firmware Page

Post new topic Reply to topic  [ 12 posts ] 
 PostPosted: Wed May 07, 2003 3:31 pm 
Past Administrator

Joined: Sat Aug 25, 2001 2:57 pm
Posts: 4258
Location: .ie
Job Title: Encryption Specialist

Job Description:
Want to feel the thrill and excitement of breaking ciphers and encryption without having to fear the prospect of spending 10 years of your life behind bars because of people mistaking your challenge needs for industrial espionage or software piracy?
You want to prove to the world that, as a single individual, you are smarter than an army of engineers who designed an encryption algorithm?
You have good knowledge of encryption/scrambling mechanisms, digital signatures, and how to break or forge them.
You are confident that nothing is unbreakable and are looking for a digital challenge?
You have an inalienable thirst for the freedom of information?

Then look no further: DVD firmwares are what you've been looking for all along!

Job details:
Firmware patchers seem to be an itch on the manufacturers' side, as more and more of them are using encryption techniques to try to prevent us from freeing their customers from arbitrary constraints.

Here is a short list of recent firmwares that are waiting to have some protection algorithm broken:
- Pioneer DVD-119 (scrambling)
- Pioneer DVD-120 (scrambling)
- Sony DRU-500A (scrambling)

Crack the encryption algorithm of these and you will instantly become a hero!
These firmwares are available in the download section, and it is a safe bet to say that more will follow.

Job requirements:
- Reverse engineering experience required (you might have to split the firmware embedded in an executable)
- Encryption and encryption breaking techniques knowledge is advisable
- Intuition and cunning! ;)

_________________
>NIL: [I am now retired and no longer browsing these forums]


 PostPosted: Sun Jul 27, 2003 1:54 am 
Rookie

Joined: Sun Jul 27, 2003 12:50 am
Posts: 6
And what makes you think there would be an encryption algorithm to break in a simple firmware update program?


 PostPosted: Sun Jul 27, 2003 2:20 am 
Past Administrator

Joined: Sun Sep 02, 2001 1:34 am
Posts: 12030
Because he has had to break them before. Have you looked and not found them to be encrypted?

Welcome to the forum BTW Spath.

_________________
.: Dave | http://dhc014.rpc1.org | email :.


 PostPosted: Sun Jul 27, 2003 2:28 am 
Rookie

Joined: Sun Jul 27, 2003 12:50 am
Posts: 6
> Because he has had to break them before.

Really? Unless there's some kind of authentication required to update your firmware (which I would love to hear of), the actual engine code is simply obfuscated and can be dumped from the installer without breaking the obfuscation algorithm itself. Looks more like a basic RE job to me than a cryptography challenge. Anyway, is it solved yet or are you still stuck on this?


 PostPosted: Sun Jul 27, 2003 2:31 am 
Past Administrator

Joined: Sun Sep 02, 2001 1:34 am
Posts: 12030
>NIL: has finished a patch for the DVD-120 and has plans for the DVD-119 when he gets time, but only preliminary work has been started on the DRU-500A and the DRU-510A... You sound like you may be worthy of the challenge, whatever kind of challenge it is ;)

I'm sure >NIL: would love to share whatever he knows with you if you are interested when he gets back from holidays.

BTW Again, I'm having major issues with the new CDFreaks server :cry:

_________________
.: Dave | http://dhc014.rpc1.org | email :.


 PostPosted: Wed Jul 30, 2003 8:45 pm 
Rookie

Joined: Sun Jul 27, 2003 12:50 am
Posts: 6
I explored the DRU-500a 2.0f firmware updater a bit and, as expected, I could reach the actual firmware code without having to break any encryption. If you want details or find serious problems with another fw, contact me.


 PostPosted: Fri Aug 01, 2003 10:10 am 
Master Poster

Joined: Wed Mar 12, 2003 1:25 am
Posts: 295
Location: Brisbane Australia
spath wrote:
I explored the DRU-500a 2.0f firmware updater a bit and, as expected, I could reach the actual firmware code without having to break any encryption. If you want details or find serious problems with another fw, contact me.


Am I missing something here? If the firmware is encrypted and it needs to be hacked and modified, then how, pray tell, are you going to achieve that without the algorithm, when the changes will need to be encrypted in order to work for the update?

cheers
nicw


 PostPosted: Sun Aug 03, 2003 12:28 am 
Past Administrator

Joined: Sat Aug 25, 2001 2:57 pm
Posts: 4258
Location: .ie
spath,

As far as I can remember the 120 from Pioneer was not encrypted.
The 119 definitely is (at least the Sony version), and I assumed the DRU's are from what I gathered.

Now, since I didn't really investigate these, I don't know whether the unscrambling is done in the firmware uploader (in which case RE is enough) or in the drive itself, as is the case for the Pioneer DVR's.
I assumed that it was done in the drives themselves, as it's utterly pointless to scramble a firmware otherwise.

Now, if you tell me that Sony were stupid enough to do the unscrambling in the uploader, that's good news for us ;)

But as dhc014 said, we've had to crack scramblers out of the blue before, and, even if this is apparently not needed for the firmware above, this will most certainly happen again.
Besides, nothing beats the fun of cracking a scrambler without using reverse engineering. If you keep reading this thread, I'm sure we'll find a scrambled firmware you can't get from RE in the near future. I wouldn't be surprised if Matshita's newer drives' ones are already like these...

_________________
>NIL: [I am now retired and no longer browsing these forums]


 PostPosted: Tue Sep 09, 2003 3:02 pm 
Fresh meat

Joined: Sat Sep 06, 2003 12:41 pm
Posts: 15
spath wrote:
I explored the DRU-500a 2.0f firmware updater a bit and, as expected, I could reach the actual firmware code without having to break any encryption. If you want details or find serious problems with another fw, contact me.

Really? I don't think so. There's a simple descramble routine in the updater, but all you get is encrypted firmware, which is decrypted by the drive. I checked it a bit and I'm sure the image is simply XORed, but the key changes every byte. Each firmware version is encrypted in exactly the same way with the same key. Unfortunately I have no idea how to extract the key generation algorithm having only short parts of the real key :( I was able to decrypt a few small parts of the firmware, but that's all.
If you really decrypted the firmware, please tell us how you did it.

-Mok


 PostPosted: Mon Jan 12, 2004 2:22 am 
Junior Member

Joined: Mon Jan 12, 2004 2:18 am
Posts: 31
You can easily just sniff the bus and watch what the updater sends to the Sony drive. I've just done it myself, but I guess that's not good enough unless the firmware is sent unencrypted. Still, if anyone wants what I've got, give me a shout.

Oh and I know this is an old thread but i just saw the new 2.0h firmware for the 500a and it reminded me that there's no RPC1 patch for it yet. :)


 PostPosted: Mon Mar 15, 2004 7:16 pm 
I have done quite a bit of program cracking and know a lot about encryption algorithms.
I know this thread is quite old now, but if there are any that still need doing then post a link here for the scrambled firmware and I'll take a look at it :D


 PostPosted: Mon Mar 15, 2004 7:24 pm 
The SONY DRU-500A and 510A still need to be decrypted.

http://forum.rpc1.org/dl_firmware.php?category=4&manufactor=30

Getting the data out of the EXE is one thing, getting to plain text is another. If you cannot see the drive name and media lists in plain text, you have not succeeded.
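A worked example of the attack Mok describes earlier in the thread (one XOR key byte per offset, the same keystream for every firmware version) together with the plaintext check stated in the post above. This is added illustration code, not the updater's code and not anything from the thread's patchers: the keystream generator, the drive-name string, the media IDs and the image layout are all constructed for the demo, "sibling firmware" as a source of known media names is an assumed scenario, and the premise that the key is identical across versions is Mok's claim, not something verified here.

```python
from __future__ import annotations
import hashlib


def constructed_keystream(length: int, seed: bytes = b"constructed-demo-seed") -> bytes:
    """Stand-in keystream for the demo; the real generator is exactly what the
    thread has NOT recovered. It only needs the property Mok described: a key
    byte that changes at every offset but is identical for every version."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(seed + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length buffers."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def changed_offsets(c1: bytes, c2: bytes) -> list[int]:
    """With a fixed keystream c1 ^ c2 == p1 ^ p2: the key cancels, so offsets where
    two versions' ciphertexts differ are exactly where the plaintexts differ.
    Finds the version string / patched bytes without knowing a single key byte."""
    if len(c1) != len(c2):
        raise ValueError("compare equal-length images (or a common prefix)")
    return [i for i, (x, y) in enumerate(zip(c1, c2)) if x != y]


def recover_key_bytes(ciphertext: bytes, known: dict[int, bytes]) -> dict[int, int]:
    """Known-plaintext attack on a XOR scrambler: k[i] = c[i] ^ p[i] wherever p[i]
    is known. `known` maps offset -> plaintext fragment. A conflict means the
    fragment is not really at that offset (or the key is not fixed after all),
    so fail loudly instead of silently producing garbage."""
    key: dict[int, int] = {}
    for offset, fragment in known.items():
        for i, p in enumerate(fragment):
            pos = offset + i
            k = ciphertext[pos] ^ p
            if key.get(pos, k) != k:
                raise ValueError(f"conflicting key byte at offset {pos:#06x}")
            key[pos] = k
    return key


def partial_decrypt(ciphertext: bytes, key: dict[int, int], unknown: int = 0x3F) -> bytes:
    """Apply the recovered key bytes; offsets with no key byte become '?' (0x3F)
    so the recovered islands of plaintext stand out in a hex dump."""
    return bytes(ciphertext[i] ^ key[i] if i in key else unknown
                 for i in range(len(ciphertext)))


def looks_decrypted(image: bytes, markers: tuple[bytes, ...]) -> bool:
    """The thread's success test: drive name and media list visible in plain text."""
    return all(m in image for m in markers)


# --- constructed sample data (not real Sony firmware) -------------------------
DRIVE_NAME = b"DVD RW DRU-500A "                     # hypothetical ID string, 16 bytes
MEDIA_LIST = b"MEDIA-ID-0001\x00MEDIA-ID-0002\x00"   # hypothetical media table prefix


def build_image(version: bytes, last_media: bytes) -> bytes:
    """Fake 512-byte firmware: drive name at 0x10, version at 0x20, media table at 0x100."""
    img = bytearray((i * 7) & 0xFF for i in range(0x200))  # filler standing in for code
    img[0x010:0x020] = DRIVE_NAME
    img[0x020:0x024] = version
    table = MEDIA_LIST + last_media + b"\x00"
    img[0x100:0x100 + len(table)] = table
    return bytes(img)


def demo() -> dict:
    p_f = build_image(b"2.0f", b"MEDIA-ID-0003")
    p_h = build_image(b"2.0h", b"MEDIA-ID-0004")
    ks = constructed_keystream(len(p_f))
    c_f, c_h = xor_bytes(p_f, ks), xor_bytes(p_h, ks)

    # 1. Key-free step: where did 2.0h change relative to 2.0f?
    diff = changed_offsets(c_f, c_h)
    # 2. Known plaintext in 2.0f (drive name, version string from the file name, media
    #    names assumed known from an unscrambled sibling firmware) gives key bytes there.
    key = recover_key_bytes(c_f, {0x010: DRIVE_NAME, 0x020: b"2.0f", 0x100: MEDIA_LIST})
    # 3. Same key, other version: those bytes decrypt 2.0h at the same offsets.
    dec_h = partial_decrypt(c_h, key)
    return {
        "changed_offsets": diff,                 # [0x23, 0x128]: version letter, media entry
        "key_bytes_known": len(key),             # 48 of 512: islands, not the generator
        "version_h": dec_h[0x020:0x024],         # b"2.0h", never supplied as known plaintext
        "passes_check": looks_decrypted(dec_h, (DRIVE_NAME, b"MEDIA-ID-0001")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things fall out of keystream reuse: XORing the 2.0f and 2.0h images cancels the key, so the changed offsets (the version letter and the patched media entry) are visible before a single key byte is known, and every key byte recovered from known plaintext in one version decrypts the same offset in every other version, which is how the demo reads "2.0h" out of an image it was never given plaintext for. What it does not give is the generator: the recovered key is an island of 48 bytes out of 512, exactly the position Mok reports, and `looks_decrypted` passes here only because the known fragments happen to cover the markers being checked. On a real image the check is only meaningful for strings that were not themselves fed in as known plaintext.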


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group