Ernie Secure
Class | Shared Key A | Shared Key B | Shared Key C | Shared Data A | Shared Data B |
---|---|---|---|---|---|
0xB | BB644721CB4C55072E83177BEB3BBEE9 |
DC6B6EE0F457DF0E7BAD1C5EA338027F |
00000000000000000000000000000000 |
CF2E93E9F94E28CCA48026134C7C77CE |
|
0xF | 50E4C3A77264167C409C72A9B57A8609 |
9E34087C48985B4B351A63572D9B481B |
EBE3460D84A41754AC441368CF0200D8 |
C86B51FB019A207F32118E55462D5008 |
457798C6D9B8390DDCA49745746F65A000000000000000000000000000000000
|
Syscon four part key exchange
The 0F
here appears to be a class id. Only 0F
and 0B
has been seen but only 0F
seems to be supported by the update sm using the command 0xD0002 (with different sequence number for each part).
Part 1
- Generate an empty buffer
30 00 00 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
and send it to Syscon. - Syscon returns header
30 01 00 0F 00 00 00 00
+ 8 byte challenge.
Part 2
- F00D composes a data buffer that is 8 bytes of RNG value, 8 bytes copied from challenge in part 1.2, and 16 bytes of Shared Data A.
- This data is encrypted using AES-128-CBC with all zero IV and Shared Key A as the key.
- A header is prepended
30 02 00 0F 01 00 00 00
to the data and sent to Syscon
Part 3
- Gets a 0x28 byte response from Syscon with a header
30 03 00 0F 00 00 00 00
and 0x20 buffer. - Decrypt with AES-128-CBC with all zero IV and the key Shared Key B.
- Check that first 8 byte matches the challenge from part 1.2 and next 8 byte matches the F00D nonce generated in part 2.1. The remaining 16 bytes are zero.
- Encrypt the same buffer back using Shared Key C for 16 bytes. The IV will be the last 16 bytes from the encrypted input buffer.
- This is now the session key!
Part 4
- Using the session key, encrypt a known value, Shared Data B.
- Append the header
30 04 00 0F 00 00 00 00
and send to Syscon - Get a response back from Syscon (header
30 05 00 0F 00 00 00 00
), decrypt the buffer with the session, and check that it matches the known value. Both the plaintext and ciphertext should match.
Syscon 0xD0
After handshake:
Keyslot 0x511 is programmed with the session key.
Keyslot 0x512 is programmed with a 32 bit random number from Bigmac.
Syscon 0xD2
Packets sent/received with syscon 0xD2 are encrypted with the session key and IV = 0. There is a 4 byte command field, 4 byte counter (from keyslot 0x512) that increments per send, 6 bytes of zeros, optional data, and a 2 byte checksum. The checksum is the sum of all previous bytes and then negated.
Seen at boot
First transaction
F00D => Syscon: 00 00 20 00 47 D3 65 F4 00 00 00 00 00 00 6C FD
F00D <= Syscon: 00 00 20 00 47 D3 65 F4 00 00 00 00 00 00 01 DD C7 AB 57 AD 28 9E 00 93 51 F8 D3 D2 29 2E 78 B6 8C 63 5A 26 7A A9 6B C8 E3 AC F3 3D 61 77 F0 EC
Second transaction
F00D => Syscon: 20 00 20 00 48 D3 65 F4 00 00 00 00 00 00 4B FD
Syscon <= F00D: 20 00 20 00 48 D3 65 F4 00 00 00 00 00 00 95 AD 79 D1 FE 5E 96 4B 3F 66 7D 47 04 28 05 E9 EB D1 26 86 E2 C1 9B 7B 53 B6 D3 11 76 8F 2D 3F 80 ED