Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Reverse Engineering Yaesu FT-70D Firmware Encryption

landaire, posted 4 years ago
  • Ham radio is a really fun hobby! The author wanted to run custom firmware on their radio, which led them to Yaesu's USB firmware updater for Windows. This article is about reversing that updater to decrypt the firmware image it carries.
  • The author opens the updater in IDA Pro straight away. After picking up some context clues from the disassembly, they record a firmware update with WinDbg's Time Travel Debugging (TTD) feature so the run can be replayed and stepped backwards. They note that rr offers the same record-and-replay capability on Linux.
  • The function that handles resource 23 finds a resource of type RES_UPDATE_INFO and loads it into a large, dynamically allocated buffer. That buffer is passed to another function, which appears to do the encryption/decryption. While going through this function, IDA automatically named a variable time. I had absolutely no idea that IDA did this!
  • Do we have to write our own decryption code? Not yet! At this point, we can break right after the decryption has finished and dump the buffer as hex. Running strings on that dump (once it is converted from hex back into raw bytes) shows real strings from the radio. Hurray!
  • The author spends more time on the encryption code and breaks it into a few steps:
    1. Build a 48-byte buffer of key material. A handful of key bytes are expanded into the buffer by XORing them against a static buffer.
    2. Build a 32-byte buffer from a 0x800-byte static table and combine it with the buffer from step 1.
    3. Walk the data 8 bytes at a time. For each byte, a lookup table gives an index into the step-2 buffer, and the byte is XORed with the value found there.
  • The steps above assume we already have the key. Where does it come from? It is generated from the Unix timestamp at the very beginning! Those few bytes are inflated into a larger key. Interesting!
  • The author published a re-implementation that decrypts the firmware on GitHub, in a repository called Porkchop. Security by obscurity never works! :)