Author Topic: Some Facts (Read 35012 times)

sulaco · « **Reply #20 on:** March 10, 2005, 01:50:32 pm »

Quote

Do you have an ARM compiler/decompiler?

Not at the moment but im working on obtaining one

Firefox · « **Reply #21 on:** March 10, 2005, 01:51:59 pm »

Just wanted to remind people that there are 2 processors in a Keg/Phatbox. Firmware on first one cannot be modified via a DMS-carried firmware update.

Quote from PN when my Keg died last year...

"Standard PhatBox Operation:

When it first gets power, it boots of off protected non-HU specific firmware (that never gets reprogrammed) and then turns off if there is no firmware update on the DMS (this prevents it from becoming a doorstop if it gets programmed with bad firmware).

After it turns off, it is running HU specific firmware and should be talking to the HU. When it gets ignition, it will boot the Linux processor."

Not sure whether the protected firmware does the "is this DMS blessed?"check before trying to do a firmware update, or if its the Linux processor that handles this.

Hope this helps....

AndyMan · « **Reply #22 on:** March 10, 2005, 01:52:42 pm »

if you could get hold of a real copy of their flavor of linux, that would also be a huge step forward

AndyMan · « **Reply #23 on:** March 10, 2005, 01:56:22 pm »

Quote

Not sure whether the protected firmware does the "is this DMS blessed?"check before trying to do a firmware update, or if its the Linux processor that handles this.

Ah but, if I remember correctly, the new 80gb+ drives aren't signed the same as the older drives, therefore it's almost a certainty that the linux scenario verifies the dms

A543 · « **Reply #24 on:** March 10, 2005, 03:17:49 pm »

Quote

So this means your probably right about 2 keys. I have noticed on the DMS there are the following files:

pkeys2.e
pkeysa.e

Just a quick thought, if there are two different keys, one for playlists and one for system files, what if someone copied the playlist key file above to the system key file name (replacing the original) and then used the playlist sig generator to generator new sig files (using the playlist key) for all the system files. Sounds too easy, but it might be worth a try.

Quote

Ah but, if I remember correctly, the new 80gb+ drives aren't signed the same as the older drives, therefore it's almost a certainty that the linux scenario verifies the dms

Do you know what's different about the 80GB DMS keys? I'm just curious.

sulaco · « **Reply #25 on:** March 10, 2005, 03:25:40 pm »

As far as I can see the plsign utility is standalone, so it probably has the key info built in.

AndyMan · « **Reply #26 on:** March 10, 2005, 03:38:06 pm »

Quote

As far as I can see the plsign utility is standalone, so it probably has the key info built in.

A543 · « **Reply #27 on:** March 11, 2005, 02:13:35 pm »

Quote

When it first gets power, it boots of off protected non-HU specific firmware (that never gets reprogrammed) and then turns off if there is no firmware update on the DMS (this prevents it from becoming a doorstop if it gets programmed with bad firmware).

Wasn't there a thread recently on the official board talking about it being dangerous to flash the firmware in the Red box, and if it fails the prom has to be removed from the board and reprogrammed manually? It sounds like the Red box doesn't have this second processor. If the key checking routines are in this second processors code that would sure explain why the Red boxes don't need keyed drives.
Any thoughts?

Firefox · « **Reply #28 on:** March 11, 2005, 04:47:24 pm »

Quote

Wasn't there a thread recently on the official board talking about it being dangerous to flash the firmware in the Red box, and if it fails the prom has to be removed from the board and reprogrammed manually? It sounds like the Red box doesn't have this second processor. If the key checking routines are in this second processors code that would sure explain why the Red boxes don't need keyed drives.
Any thoughts?

I originally took this to mean that the newer "non-Red" phatboxes were designed to be safe from a bad firmware flash (i.e a dumb user unplugging the DMS while flash was happening), because the initial boot always used the protected firmware.

So I thought it was put there to ensure the Phatbox was ALWAYS in a position to check if the modifiable firmware was to be upgraded on this reboot or not. A good way of eliminating the inevitable return of PBs for re-flashing after a bad flash...

But you have raised a good point, it might also imply that the "blessed-drive" checking is in there too.
And hence does not apply to Red Phatboxes.

So, the BIG question: can you upgrade the user firmware using a non-blessed drive? (i.e. the forceupdate file exists in root of PHTSYS on a non-blessed drive)
If you can, then we know that the first boot check is for a firmware upgrade and only later (probably in the linux code somewhere) is the blessed-drive checking.
If you can't, then it must be the protected firmware that is doing blessed-drive checking as it's first task.

Anyone care to try? Might help narrow things down...

judb · « **Reply #29 on:** March 12, 2005, 01:50:03 am »

I would be interested in seeing if we can get the sectors dumped off a couple drives up to where the partition starts for phatsys to do a comparison to see what is the same data wise and what is diffrent. having diffrent size drives and same size drive dumps would help too.

I am interested to see how much data is really significant / changes from drive to drive.

para · « **Reply #30 on:** March 13, 2005, 06:44:04 pm »

Hm, let me see...
Although I don't own one (I think soon I will) myself right now I'll try to contribute something being a coder

I've read that ALL files are signed (not encrypted!?) by either RSA or DES (standard or triple?), right? If that's the case there won't be any reason to search for the key as it would be likely the public key. As these are mathematical "trapdoor problems" one can't decrypt the ciphered information (or sign unsigned files) without the private key with reasonable efforts - and appearantly plsign might contain a private key but that one's not used for system files. Additionally if all files are signed there won't be a way of patching the check routines in files like phatd or even replace them by a symlink attack...
IMHO the most sound approach would be to change (if possible) the hdd information being verified. Is it possible to alter any information (CHS, hence physical layout) in a hdd's firmware-respond without killing it? I think not as this info is used by the bootcode (i.e. BIOS) to address the drive correctly. I f that same info is used to generate an encrypted tag of that drive it going to be nearly impossible to interfere.
Ok, just a bunch of thoughts from my side... Please correct me if I'm wrong :-/ I'm definitely going to dive into this in more detail as soon as I got my own unit!

Bye, Para

AndyMan · « **Reply #31 on:** March 13, 2005, 11:39:50 pm »

Quote

I would be interested in seeing if we can get the sectors dumped off a couple drives up to where the partition starts for phatsys to do a comparison to see what is the same data wise and what is diffrent. having diffrent size drives and same size drive dumps would help too.

I am interested to see how much data is really significant / changes from drive to drive.

I've got a good working 10gb dms AND an identical DRIVE but not a true DMS..

If you have a fast download, I can put on my server for download...

What format do you want the image made using?

AndyMan · « **Reply #32 on:** March 14, 2005, 12:44:09 am »

Quote

Not looking too good so far im afriad, I got hdparm and its sig from the firmware zip file and ran plsign on it. The newly created .sig is a different size (one byte bigger) than the original .sig

You didn't run a diff on these 2 files did you?

sulaco · « **Reply #33 on:** March 14, 2005, 01:50:35 pm »

Quote

You didn't run a diff on these 2 files did you?

"Binary files rc.sig and rc.sig.old differ"

sulaco · « **Reply #34 on:** March 14, 2005, 01:56:15 pm »

Tonight ill try and get a dd dump of the first bit of my 60GB dms, ill try and provide some hdparm info as well, if this is of some use.

balle · « **Reply #35 on:** March 14, 2005, 08:44:08 pm »

I've just bought another PB (this one is for a friend). Is there any point in doing a drivecopy with Ghost/Acronis/dd/whatever when it's still in 'virgin' condition?

Will this tell us anything?

Rgds Balle

A543 · « **Reply #36 on:** March 14, 2005, 09:33:38 pm »

Quote

Is there any point in doing a drivecopy with Ghost/Acronis/dd/whatever when it's still in 'virgin' condition?

The only think I can think of is seeing if there is a key on it before it gets inserted into the Keg or cradle. I'll bet there is but it never hurts to check.

balle · « **Reply #37 on:** March 14, 2005, 10:15:55 pm »

It was sent from US to Norway today, so it probably takes a week or so anyway. But it's not like it would cost me anything to do this, and compare the drive before first use and after.

But I agree with you that it probably won't get us anywhere..

Rgds Balle

para · « **Reply #38 on:** March 15, 2005, 08:49:10 pm »

As asked above, can anyone please tell me if ALL files on the PB are actually signed?

Para

AndyMan · « **Reply #39 on:** March 15, 2005, 09:25:28 pm »

All (as far as I can remember without having a keg in front of me) files on PHTSYS partition are signed

News:

Author Topic: Some Facts (Read 35012 times)