UExxC6500 series - research

General forum for C series TVs.

erdem_ua
SamyGO Admin
Posts: 3126
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey

Re: UExxC6500 series - research

Post by erdem_ua »

Yes, we couldn't find the secret key of the RSA signature. But when we start infecting the firmware, then we could find some backdoor or workaround like the RSA-Disable utility ;)
timoo
Posts: 119
Joined: Mon Aug 16, 2010 6:43 pm
Location: Czech Republic

Re: UExxC6500 series - research

Post by timoo »

dalewski:
Any news? I am really interested in decrypting config.xml(.cmk), and in its format, for loading my custom .so file and hacking my TV ueXXc8000.
Denny
Official SamyGO Developer
Posts: 350
Joined: Thu Sep 30, 2010 12:18 pm
Location: Croatia

Re: UExxC6500 series - research

Post by Denny »

To decrypt "smk" files this routine works; all of the SDK's encrypted files can be decrypted.

Can someone upload the bowling game to check "cmk" files?


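Code:

//aes use from openssl (link with -lcrypto)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/aes.h>

// decrypt one 16-byte block with AES-128 (raw block operation, chaining is done by the caller)
void aes_decrypt_128(const unsigned char* in, unsigned char* out, unsigned char* key){

	AES_KEY	akey;

	AES_set_decrypt_key( key, 128, &akey );
	AES_decrypt( in, out, &akey );
}


int main(int argc, char * argv[])
{
	size_t filesize, i, n;
	long   len;
	int    b;
	FILE *inputfp,*outputfp;
	char buffer[1024];
	unsigned char *inbuf,*outbuf;
	unsigned char key[]    = {0x84,0xAA,0x59,0x95,0x98,0x49,0xF6,0xDD,0xD4,0x82,0x3B,0x90,0xF7,0x91,0x39,0x02};
	unsigned char iv_init[]= {0x1D,0xA7,0x6D,0xE2,0xA0,0xEE,0x55,0xC0,0xDB,0xCC,0xED,0xA7,0x72,0xE3,0x68,0x4D};

	for (b = 1; b < argc; b++) {
		unsigned char iv[16];
		size_t paramlen = strlen(argv[b]);
		// output name is the input name without its 4-character extension
		if (paramlen <= 4 || paramlen - 4 >= sizeof(buffer)) {
			fprintf(stderr, "%s: bad file name\n", argv[b]);
			continue;
		}
		memset(buffer, 0, sizeof(buffer));
		memcpy(buffer, argv[b], paramlen - 4);
		memcpy(iv, iv_init, 16);
		inputfp  = fopen(argv[b], "rb");
		if (inputfp == NULL) {
			perror(argv[b]);
			continue;
		}
		fseek(inputfp, 0, SEEK_END);
		len = ftell(inputfp);
		rewind(inputfp);
		// AES works on whole 16-byte blocks, so a trailing partial block is dropped
		filesize = (len > 0) ? ((size_t)len & ~(size_t)15) : 0;

		inbuf  = (unsigned char*) malloc(filesize ? filesize : 1);
		outbuf = (unsigned char*) malloc(filesize ? filesize : 1);
		outputfp = fopen(buffer, "wb");
		if (inbuf == NULL || outbuf == NULL || outputfp == NULL
		    || fread(inbuf, 1, filesize, inputfp) != filesize) {
			fprintf(stderr, "%s: cannot read input or create output\n", argv[b]);
			if (outputfp) fclose(outputfp);
			fclose(inputfp);
			free(outbuf);
			free(inbuf);
			continue;
		}

		// CBC decryption by hand: plain block = D(cipher block) XOR previous cipher block (IV for the first)
		for (i = 0; i < filesize; i += 16) {
			unsigned char *out = outbuf + i;
			aes_decrypt_128(inbuf + i, out, key);
			for (n = 0; n < 16; n++)
				out[n] ^= iv[n];
			memcpy(iv, inbuf + i, 16);
		}
		fwrite(outbuf, 1, filesize, outputfp);
		fclose(outputfp);
		fclose(inputfp);
		free(outbuf);
		free(inbuf);
	}
	return 0;
}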

Denny - 데니 - 丹尼 (card2000)
UE55C8000 UE55D8000 UE32D6510 BD-C9600 3xDM8000
Reversing HW Demux Drivers and API from Samsung´s TV
timoo
Posts: 119
Joined: Mon Aug 16, 2010 6:43 pm
Location: Czech Republic

Re: UExxC6500 series - research

Post by timoo »

Denny
Official SamyGO Developer
Posts: 350
Joined: Thu Sep 30, 2010 12:18 pm
Location: Croatia

Re: UExxC6500 series - research

Post by Denny »

the key and iv are generated by

Code:

?CMK_to_membuf@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAHPAPAEAAK@Z
inside of the wps.dll in sdk.
Denny - 데니 - 丹尼 (card2000)
UE55C8000 UE55D8000 UE32D6510 BD-C9600 3xDM8000
Reversing HW Demux Drivers and API from Samsung´s TV
Denny
Official SamyGO Developer
Posts: 350
Joined: Thu Sep 30, 2010 12:18 pm
Location: Croatia

Re: UExxC6500 series - research

Post by Denny »

cmk is zipped and scrambled.

Code taken from SyncMgr.js.

Now the question is whether the Unzip and CMKtoSCK functions are hidden somewhere in the SDK.

Code:


SyncMgr.afterDownComplete = function() {
	WMGlobal.FilePlugin.Unzip(WIDGET_TEMP_FULL_PATH + SyncMgr.installFileName, WIDGET_TEMP_FULL_PATH + SyncMgr.installID);
	
	// ????? ?? apptype == 14
	// CMK to SCK ?? ?? ??	
	TRACE( "APPTYPE " + SyncMgr.installID.substr(0,2));
	if( SyncMgr.installID.substr(0,2) == "14" ){
		TRACE("CMKtoSCK..........");
		if (typeof WMGlobal.SecurityPlugin.CMKtoSCK == 'function'){
			// CMK to SCK ?? ??
 			WMGlobal.SecurityPlugin.CMKtoSCK(WIDGET_TEMP_FULL_PATH + SyncMgr.installID, 0, 1);		
		}
		else{
			TRACE("[Ignore] SecurityPlugin.CMKtoSCK() is not a function.");
		}
		TRACE("CMKtoSCK..........DONE!! ");
	}

	WMGlobal.FilePlugin.Delete(WIDGET_TEMP_FULL_PATH + SyncMgr.installFileName);
	WMGlobal.FilePlugin.Delete(NORMAL_WIDGET_PATH + SyncMgr.installID);
	WMGlobal.FilePlugin.Move(WIDGET_TEMP_FULL_PATH + SyncMgr.installID, NORMAL_WIDGET_PATH);
		
	var bRet = ManagerWidget.loadWidgetInfo(SyncMgr.installID);
	
	if( bRet == false )	{
		TRACE("ManagerWidget.loadWidgetInfo() returns false",TRACE_LEVEL.DEBUG);
		var tRetValue = "1000?9";
		SyncMgr.callbackFn(tRetValue);
		return;
	}
    var obj  = new WidgetObj(SyncMgr.installID);
	if (!obj) {
		TRACE("new WidgetObj returns NULL",TRACE_LEVEL.DEBUG);
		return;
	}
	
	obj.loadConfig();
	obj.status = WIDGET_STATUS.NORMAL;
	obj.partners = SyncMgr.partners; // ??CP ??
	obj.priority = SyncMgr.priority; // priority
	obj.setTitle(SyncMgr.title);

	var index = WidgetList.getIndex( SyncMgr.installID );

	if (index == -1) {
		// ?? ??? ???? ??
		obj.installedDate = WidgetList.getStrDate();
		WidgetList.push_back(obj);
	}
	else {
		// ??????? installedDate ???? ??
		
		// ?? ?? ??
		var objOld = WidgetList.getWidget(index);

		obj.lock = objOld.lock;
		obj.favorite = objOld.favorite;
		obj.executed = objOld.executed;
		obj.installedDate = objOld.installedDate;
		
		WidgetList.replaceAt(index, obj);
	}

        SyncMgr.putWidgetList();

}

Denny - 데니 - 丹尼 (card2000)
UE55C8000 UE55D8000 UE32D6510 BD-C9600 3xDM8000
Reversing HW Demux Drivers and API from Samsung´s TV
timoo
Posts: 119
Joined: Mon Aug 16, 2010 6:43 pm
Location: Czech Republic

Re: UExxC6500 series - research

Post by timoo »

Did you decrypt config.xml.cmk or libDBowling.so.cmk successfully? In WidgetEmulatorDLL.dll (wps.dll) there are the functions CMK_to_membuf and SCK_to_membuf; maybe reverse SCK_to_membuf.
Denny
Official SamyGO Developer
Posts: 350
Joined: Thu Sep 30, 2010 12:18 pm
Location: Croatia

Re: UExxC6500 series - research

Post by Denny »

No, the files that do the unzip/decrypt are missing in the SDK,
but they are in the TV.

These must be read by an alien app that will read each one and store it on USB.
Now we just need someone who can make a Java app with a small function.

The file I/O APIs in the SDK are located in /ch_nonsec/wmCommon/fileio/

BTW: the 14100009003_002.zip file contains MiniCityTrial, not the bowling game ^..^
Denny - 데니 - 丹尼 (card2000)
UE55C8000 UE55D8000 UE32D6510 BD-C9600 3xDM8000
Reversing HW Demux Drivers and API from Samsung´s TV
timoo
Posts: 119
Joined: Mon Aug 16, 2010 6:43 pm
Location: Czech Republic

Re: UExxC6500 series - research

Post by timoo »

Do you think it is possible to create a widget which decrypts a .cmk file on the TV? Is there anybody familiar with JavaScript who could write a simple TV widget which reads from a file (test1.dat) and writes the contents of the first file to another (test2.dat) (copy file)? There is a basic API in the SDK, openCommonFile(), readAll(), writeAll(), for file manipulation. I know that it is restricted in paths but that's not a problem, I need only a valid widget .. then I think I could copy exeDSP to a USB key or another file inside the TV (or the decrypted config.xml.cmk).
