[英]Trying to reverse engineer a packet checksum/CRC/hash
I have an old, no longer manufactured electronic device with a serial port. 我有一个旧的,不再制造的带有串口的电子设备。 I am trying to reverse engineer the data packet CRC/checksum/hash used in this device. 我正在尝试对此设备中使用的数据包CRC /校验和/散列进行反向工程。
Anyone with keen eyes, sharp math skills out there who might be able to crack this thing ? 任何有敏锐眼光,有敏锐数学技能的人都可以破解这个东西?
Here is what I know so far ... 这是我到目前为止所知道的......
Verified that my data packet samples observed the "superposition principle" outlined in above web link. 验证我的数据包样本观察到上述网络链接中概述的“叠加原则”。 This indicates that they have a mathematical XOR relationship. 这表明它们具有数学XOR关系。
Started to feel good ... but then stumped after that. 开始感觉很好......但之后又难过了。 Have not been able to determine a CRC-16 polynomial. 无法确定CRC-16多项式。 There is a strong possibility that these data packets hashes are not CRC-related, but rather some home brew scheme. 这些数据包哈希很可能不与CRC相关,而是一些家庭酿造方案。
Read thru “A PAINLESS GUIDE TO CRC ERROR DETECTION ALGORITHMS” by Ross N. Williams 通过Ross N. Williams阅读“CRC错误检测算法的无痛指南”
Unfortunately, I do not have access to any of the devices source/binary code 不幸的是,我无法访问任何设备源/二进制代码
Also ran tests to see if used other hashes such as Fletcher's checksum 还运行测试以查看是否使用了其他哈希,例如Fletcher的校验和
Here are various samples of my data packets. 以下是我的数据包的各种样本。
0x47366B2EE00000000000751CEB5F3469543B585E2D 0x47366B2EE00000000000751CEB5F3469543B585E2D
0x47366B2ED00000000000751CEB5F3469543B582A2C 0x47366B2ED00000000000751CEB5F3469543B582A2C
0x47366B2EC80000000000751CEB5F3469543B580B2B 0x47366B2EC80000000000751CEB5F3469543B580B2B
0x47366B2EC40000000000751CEB5F3469543B58BB2A 0x47366B2EC40000000000751CEB5F3469543B58BB2A
0x47366B2EC20040000000751CEB5F3469543B58DFE7 0x47366B2EC20040000000751CEB5F3469543B58DFE7
0x47366B2EC10000000000751CEB5F3469543B58A328 0x47366B2EC10000000000751CEB5F3469543B58A328
0x47366B2EC08000000000751CEB5F3469543B584127 0x47366B2EC08000000000751CEB5F3469543B584127
0x47366B2EC04000000000751CEB5F3469543B588126 0x47366B2EC04000000000751CEB5F3469543B588126
0x47366B2EC02000000000751CEB5F3469543B580525 0x47366B2EC02000000000751CEB5F3469543B580525
0x47366B2EC01000000000751CEB5F3469543B580124 0x47366B2EC01000000000751CEB5F3469543B580124
Please note the following about these data packets ... 请注意以下有关这些数据包的信息......
(0x47).....................................................................(0x2D) (0X47)............................................... ......................(0x2D)
I do not know if my system is big or little endian, but quite certain bytes are LSB-first 我不知道我的系统是大端还是小端,但是确定的字节是LSB优先的
See data bytes that follows 0x47366B2E portion of the data packet. 请参阅数据包的0x47366B2E部分之后的数据字节。
Only pattern I see that emerged is the last byte decrements by one (2D, 2C, ...) on each data packet. 只有模式我看到出现的是每个数据包上的最后一个字节递减一(2D,2C,...)。 (Except the 5th packet, where I had to change 2 bits) (除了第5个数据包,我必须更改2位)
Any help is appreciated ! 任何帮助表示赞赏!
IF it follows the simple XOR relationship that (checksum(A ^ B) == checksum(A) ^ checksum(B)) then there is a simple brute force solution! 如果它遵循简单的XOR关系(校验和(A ^ B)==校验和(A)^校验和(B))那么就有一个简单的强力解决方案!
Illustration. 插图。 Suppose you have a 1-byte value with a K-bit checksum - where K doesn't actually matter, so we just represent checksums as c(i). 假设你有一个带有K位校验和的1字节值 - 其中K实际上并不重要,所以我们只将校验和表示为c(i)。
Step 1. Experiment: observe the checksum c(-1) of the all zeros packet. 步骤1.实验:观察全零包的校验和c(-1)。
0b0000000 => c(-1)
Step 2. Experiment: observe the checksums c(i) of all binary sequence with a single 1 in them at position i 步骤2.实验:观察所有二进制序列的校验和c(i),其中在位置i处具有单个1
0b00000001 => c(0)
0b00000010 => c(1)
0b00000100 => c(2)
0b00001000 => c(3)
0b00010000 => c(4)
0b00100000 => c(5)
0b01000000 => c(6)
0b10000000 => c(7)
The values you observed the checksums for form a linear basis for GF(2), and the XOR relationship now allows you to compute any checksum. 您观察到的校验和的值形成了GF(2)的线性基础 ,现在XOR关系允许您计算任何校验和。
Now you can compute checksums by adding the checksums for each bit position with a 1, eg suppose you want the checksum of 0XF3 which in binary is 0b11110011. 现在,您可以通过为每个位位置添加校验和来计算校验和,例如,假设您希望校验和为0XF3,二进制为0b11110011。 Since 以来
0b11110011 = (0) + 0x80 + 0x40 + 0x20 + 0x10 + 0x02 + 0x01
then by XOR relationship, 那么通过XOR关系,
checksum(0b11110011) = c(7) + c(6) + c(5) + c(4) + c(1) + c(0) + c(-1)
ie for every bit you are going to output, just XOR-accumulate the known checksum for that bit. 即对于您要输出的每个位,只需对该位进行XOR累加已知的校验和。
If you do this exercise and experimentally write out all 152 checksums of the basis vectors, it's possible you will also in the process spot a simple pattern that explains how the checksums come from the basis vectors. 如果你做这个练习并通过实验写出基础向量的所有152个校验和,你可能还会在过程中找到一个简单的模式来解释校验和如何来自基础向量。 :) If so it would be nice to post that back here! :)如果是这样,将它发回到这里会很高兴! (And maybe tell us what we're reversing?) (也许告诉我们我们正在逆转什么?)
I have run some packets through an application called "SRP16", which searches for and displays CRC16 Rocksoft parameters. 我通过名为“SRP16”的应用程序运行了一些数据包,该应用程序搜索并显示CRC16 Rocksoft参数。 The output follows: 输出如下:
===== Result parameter sets =====
CRC=$2a2c Poly=$2817 init=$3141 xorout=$ffff refin=true refout=true
*** Second data set verified
CRC=$2a2c Poly=$2817 init=$70f4 xorout=$0000 refin=true refout=true
*** Second data set verified
CRC=$2a2c Poly=$2817 init=$9bf3 xorout=$0000 refin=false refout=true
*** Second data set verified
CRC=$2a2c Poly=$2817 init=$da46 xorout=$ffff refin=false refout=true
*** Second data set verified
CRC=$2a2c Poly=$4777 init=$1263 xorout=$0000 refin=false refout=true
*** Second data set verified
CRC=$2a2c Poly=$4777 init=$6f2d xorout=$0000 refin=true refout=true
*** Second data set verified
CRC=$2a2c Poly=$4777 init=$a127 xorout=$ffff refin=true refout=true
*** Second data set verified
CRC=$2a2c Poly=$4777 init=$dc69 xorout=$ffff refin=false refout=true
*** Second data set verified
CRC=$2c2a Poly=$7354 init=$1dab xorout=$0000 refin=false refout=true
*** Third data set verified
CRC=$2c2a Poly=$7354 init=$417e xorout=$0000 refin=false refout=true
*** Third data set verified
CRC=$2c2a Poly=$7354 init=$a401 xorout=$0000 refin=false refout=true
*** Third data set verified
CRC=$2c2a Poly=$7354 init=$f8d4 xorout=$0000 refin=false refout=true
*** Third data set verified
CRC=$2c2a Poly=$8a23 init=$0fa0 xorout=$0000 refin=false refout=true
*** Second data set verified
CRC=$2c2a Poly=$8a23 init=$3f6a xorout=$ffff refin=false refout=true
*** Second data set verified
CRC=$2c2a Poly=$8a23 init=$cc70 xorout=$0000 refin=true refout=true
*** Second data set verified
CRC=$2c2a Poly=$8a23 init=$fcba xorout=$ffff refin=true refout=true
*** Second data set verified
CRC=$2c2a Poly=$9656 init=$3460 xorout=$0000 refin=false refout=true
*** Third data set verified
CRC=$2c2a Poly=$9656 init=$ff4b xorout=$0000 refin=false refout=true
*** Third data set verified
CRC=$2c2a Poly=$a644 init=$195b xorout=$0000 refin=false refout=true
*** Third data set verified
CRC=$2c2a Poly=$a644 init=$70ca xorout=$0000 refin=false refout=true
*** Third data set verified
CRC=$2c2a Poly=$a644 init=$a3e8 xorout=$0000 refin=false refout=true
*** Third data set verified
CRC=$2c2a Poly=$a644 init=$ca79 xorout=$0000 refin=false refout=true
*** Third data set verified
===== done =====
Maybe give these a try and see if they work for you? 也许尝试一下,看看它们是否适合你?
Good luck! 祝好运!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.