Changes

Jump to navigation Jump to search
104 bytes added ,  05:45, 19 June 2018
Line 15: Line 15:  
The <code>0F</code> here appears to be a class id. Only <code>0F</code> and <code>0B</code> has been seen but only <code>0F</code> seems to be supported by the update sm using the command [[F00D_Commands#0xD0002|0xD0002]] (with different sequence number for each part).
 
The <code>0F</code> here appears to be a class id. Only <code>0F</code> and <code>0B</code> has been seen but only <code>0F</code> seems to be supported by the update sm using the command [[F00D_Commands#0xD0002|0xD0002]] (with different sequence number for each part).
   −
=== Part 1 ===
+
=== Part 1: Ernie challenges Kermit ===
 
# Generate an empty buffer <code>30 00 00 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</code> and send it to Syscon.
 
# Generate an empty buffer <code>30 00 00 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</code> and send it to Syscon.
 
# Syscon returns header <code>30 01 00 0F 00 00 00 00</code> + 8 byte challenge.
 
# Syscon returns header <code>30 01 00 0F 00 00 00 00</code> + 8 byte challenge.
   −
=== Part 2 ===
+
=== Part 2: Kermit responds and challenges Ernie ===
 
# F00D composes a data buffer that is 8 bytes of RNG value, 8 bytes copied from challenge in part 1.2, and 16 bytes of '''Shared Data A'''.
 
# F00D composes a data buffer that is 8 bytes of RNG value, 8 bytes copied from challenge in part 1.2, and 16 bytes of '''Shared Data A'''.
 
# This data is encrypted using AES-128-CBC with all zero IV and '''Shared Key A''' as the key.
 
# This data is encrypted using AES-128-CBC with all zero IV and '''Shared Key A''' as the key.
 
# A header is prepended <code>30 02 00 0F 01 00 00 00</code> to the data and sent to Syscon
 
# A header is prepended <code>30 02 00 0F 01 00 00 00</code> to the data and sent to Syscon
   −
=== Part 3 ===
+
=== Part 3: Session Key Establishment ===
 
# Gets a 0x28 byte response from Syscon with a header <code>30 03 00 0F 00 00 00 00</code> and 0x20 buffer.
 
# Gets a 0x28 byte response from Syscon with a header <code>30 03 00 0F 00 00 00 00</code> and 0x20 buffer.
 
# Decrypt with AES-128-CBC with all zero IV and the key '''Shared Key B'''.
 
# Decrypt with AES-128-CBC with all zero IV and the key '''Shared Key B'''.
Line 31: Line 31:  
# This is now the session key!
 
# This is now the session key!
   −
=== Part 4 ===
+
=== Part 4: Verification ===
 
# Using the session key, encrypt a known value, '''Shared Data B'''.
 
# Using the session key, encrypt a known value, '''Shared Data B'''.
 
# Append the header <code>30 04 00 0F 00 00 00 00</code> and send to Syscon
 
# Append the header <code>30 04 00 0F 00 00 00 00</code> and send to Syscon

Navigation menu