Author Topic: WTF *is* aadec, anyway?  (Read 3525 times)

0 Members and 1 Guest are viewing this topic.

Offline bushing

  • Senior Member
  • Needs to get outside.
  • *****
  • Posts: 119
  • props to my peeps
WTF *is* aadec, anyway?
« on: June 10, 2005, 10:08:23 pm »
So, I just started looking at aadec because judb mentioned the strings inside that mention the flash.

Here's a partial list of odd things inside aadec, from what I've seen:

* Code to read the flash from userland for both the V1 board (using /dev/mem) and the V2 board (using /dev/mtdblock/0).  Both call mmap.  This is exactly the code that we have been trying to work out in the other thread ... I will figure out what the exact parms they are using, and try to code up a little C util to test it out.

I don't know if my "Rev B" board is a "V2", but we don't have the MTD driver or device -- so hopefully the /dev/mem code therein will work.

* Code to use hdparm to verify the hard drive signature.

* all sorts of crypto code to support the above 2 items

* phatlib -- this is all of the code needed to communicate with phatd through that socket.  This is included in 51d, and is quite a bit of code.  It is not present in nmp3, oggplay, or playwma.

* I do not see any code that actually refers to the playing of audio (!)  but I am not ruling that out.

I find this all highly suspicious.  The first two items are things I was convinced were located in the flash rom.  I don't know that this is really an audio player -- maybe it's just supposed to look like one? I dunno.

Even if this code is not actually used to verify the drive signature, flash hash, etc, it is interesting. because it is probably very similar  to the code in the ROM, so I'll continue working with it.

if it really IS the Audible player, what's with all the security stuff?  Maybe Audible has some licensing requirements that they had to accomodate -- for example, maybe the player has to verify that it's running on an authentic PhatBox (as opposed to an emulator or something), or maybe that it's unmodified (so you couldn't capture the output, or something.)

Anyone have any thoughts?  I'll keep hacking away at this and post back later.

-b

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: WTF *is* aadec, anyway?
« Reply #1 on: June 10, 2005, 10:32:06 pm »
The audible data is stored encrypted in the drive as a PNA file.  its tied to your drive when you copy it in phatman ... I dont know the format the audio is stored in exactly, it might be kicked back to the mp3 decoder for decoding after aadec decrypts it.. ???

also looking at the end of 51d i see a bunch of stuff that looks like the key sectors of the dms .. anyone notice that?

Offline bushing

  • Senior Member
  • Needs to get outside.
  • *****
  • Posts: 119
  • props to my peeps
Re: WTF *is* aadec, anyway?
« Reply #2 on: June 11, 2005, 08:46:17 pm »
Quote
The audible data is stored encrypted in the drive as a PNA file.  its tied to your drive when you copy it in phatman ... I dont know the format the audio is stored in exactly, it might be kicked back to the mp3 decoder for decoding after aadec decrypts it.. ???

also looking at the end of 51d i see a bunch of stuff that looks like the key sectors of the dms .. anyone notice that?



Ugh... talk about a red herring.

aadec reads the first 256 bytes of the ROM image, hashes it using an algorithm based on the TEA cipher, and uses that to decrypt pkeysa.e  ("private keys audible encrypted").  the drive ID is also involved there, and then I think it uses that to decrypt the pna files into mp3s, which are then played.

So that doesn't really help us.   *sigh*

And as far as the 51d stuff goes -- I hadn't noticed that, but I did notice that phatd has the same thing. As far as I can tell, it's 100 public keys.

-b