Changes

598 bytes added, 05:19, 19 June 2018
no edit summary
Line 1: Line 1: −
== Syscon 0xD0 four part key exchange ==
+
== Syscon four part key exchange ==
    
The <code>0F</code> here appears to be a context id. Only <code>0F</code> and <code>0B</code> has been seen but only <code>0F</code> seems to be supported by the update sm using the command [[F00D_Commands#0xD0002|0xD0002]] (with different sequence number for each part).
 
The <code>0F</code> here appears to be a context id. Only <code>0F</code> and <code>0B</code> has been seen but only <code>0F</code> seems to be supported by the update sm using the command [[F00D_Commands#0xD0002|0xD0002]] (with different sequence number for each part).
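Review bot: The renamed heading on the + line drops "0xD0", which changes the section anchor, so any link that targets "Syscon 0xD0 four part key exchange" should be updated in the same edit or the old anchor kept. A new "Syscon 0xD0" section is added further down, so it is also worth saying in one sentence how that section relates to this key exchange. In the unchanged paragraph, "has been seen" should read "have been seen".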
Line 23: Line 23:  
# Append the header <code>30 04 00 0F 00 00 00 00</code> and send to Syscon
 
# Append the header <code>30 04 00 0F 00 00 00 00</code> and send to Syscon
 
# Get a response back from Syscon (header <code>30 05 00 0F 00 00 00 00</code>), decrypt the buffer with the session, and check that it matches the known value. Both the plaintext and ciphertext should match.
 
# Get a response back from Syscon (header <code>30 05 00 0F 00 00 00 00</code>), decrypt the buffer with the session, and check that it matches the known value. Both the plaintext and ciphertext should match.
# Keyslot 0x511 is programmed with the session key.
+
 
# Keyslot 0x512 is programmed with a 32 bit random number from Bigmac.
+
== Syscon 0xD0 ==
 +
 
 +
After handshake:
 +
 
 +
Keyslot 0x511 is programmed with the session key.
 +
 
 +
Keyslot 0x512 is programmed with a 32 bit random number from Bigmac.
    
== Syscon 0xD2 ==
 
== Syscon 0xD2 ==
 
Packets sent/received with syscon 0xD2 are encrypted with the session key and IV = 0. There is a 4 byte command field, 4 byte counter (from keyslot 0x512) that increments per send, 6 bytes of zeros, optional data, and a 2 byte checksum. The checksum is the sum of all previous bytes and then negated.
 
Packets sent/received with syscon 0xD2 are encrypted with the session key and IV = 0. There is a 4 byte command field, 4 byte counter (from keyslot 0x512) that increments per send, 6 bytes of zeros, optional data, and a 2 byte checksum. The checksum is the sum of all previous bytes and then negated.
 +
 +
=== Seen at boot ===
 +
 +
First transaction
 +
 +
F00D => Syscon: <code>00 00 20 00 47 D3 65 F4 00 00 00 00 00 00 6C FD</code>
 +
 +
F00D <= Syscon: <code>00 00 20 00 47 D3 65 F4 00 00 00 00 00 00 01 DD C7 AB 57 AD 28 9E 00 93 51 F8 D3 D2 29 2E 78 B6 8C 63 5A 26 7A A9 6B C8 E3 AC F3 3D 61 77 F0 EC</code>
 +
 +
 +
Second transaction
 +
 +
F00D => Syscon:  <code>20 00 20 00 48 D3 65 F4 00 00 00 00 00 00 4B FD</code>
 +
 +
Syscon <= F00D:  <code>20 00 20 00 48 D3 65 F4 00 00 00 00 00 00 95 AD 79 D1 FE 5E 96 4B 3F 66 7D 47 04 28 05 E9 EB D1 26 86 E2 C1 9B 7B 53 B6 D3 11 76 8F 2D 3F 80 ED</code>
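Review bot: The reply line of the second transaction is labelled "Syscon <= F00D" while the first transaction uses "F00D <= Syscon" for the same direction; one of the two labels is probably reversed and should be made consistent. The dumps should also say whether they are the plaintext before encryption with the session key, since the command and counter fields are readable as shown. The two request samples pin down what "negated" means in the checksum sentence: the first 14 bytes of the first request sum to 0x0293 and the trailer is 6C FD, the second sums to 0x02B4 with trailer 4B FD, so the checksum is the bitwise complement of the 16 bit sum, stored low byte first. Stating that, and that the counter (47 D3 65 F4 then 48 D3 65 F4) is little-endian, would remove the ambiguity. The two "Keyslot" lines moved under "After handshake:" lost their list markers; a bulleted list would read better than two bare paragraphs.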
