PDA

View Full Version : LFSR-based cypher analysis


sapu
June 21st, 2004, 04:15
Hi,
I'm analysing an hardware device (a dongle key) than seems to be using a linear feedback shift register (LFSR) cypher. I am quite sure it uses LFSR because i obtained similar results simulating 2 LFSR in cascade mode.

The device contains a certain number of 16bits cells who could be programmed once from the vendor in order to obtain different cypher algorythms (2 cells = 1 algorythm).

I found the algorythm is based on 2 'seed' values than depends from the 2 'cell' content (a dump obtained with some of those values follows).

My purpose is to find the exact correlation between the 2 'cell' values and the 'seed' values.

Does anyone has any suggestion about how to analyze the problem ?
Thx for any reply

cell#1, cell#2, seed#1, seed#2
0x0000, 0x0000, 0x5001E000, 0x40018000
0x0000, 0x0001, 0x500D6004, 0x40038000
0x0000, 0x0002, 0x505CE010, 0x40058000
0x0000, 0x0003, 0x50606014, 0x40078000
0x0000, 0x0004, 0x526BE040, 0x40098000
0x0000, 0x0005, 0x52C76044, 0x400B8000
0x0000, 0x0006, 0x53B6E050, 0x400D8000
0x0000, 0x0007, 0x532A6054, 0x400F8000
0x0000, 0x0008, 0x4195E100, 0x40118000
0x0000, 0x000F, 0x49FE6154, 0x401F8000
0x0000, 0x0010, 0xD629E400, 0x40218000
0x0000, 0x0080, 0xD140E000, 0x41018000
0x0000, 0x0600, 0x5F51E000, 0x4C018000
0x0000, 0x1000, 0x7C01E000, 0x60018000
0x0000, 0x2000, 0x1001E000, 0x00018000
0x0000, 0x3FFF, 0x43333554, 0x3FFF8000
0x0001, 0x0000, 0x2FFFE000, 0x40007FFE
0x0002, 0x0000, 0x68787999, 0x8CCCD554
0x0003, 0x0000, 0xCBE5BFA5, 0xE28A36DA
0x0004, 0x0000, 0x9014015E, 0x11451248
0x0005, 0x0000, 0xFCA66C14, 0xD37A4B96
0x0006, 0x0000, 0xE09EE788, 0xF25ECE9C
0x0007, 0x0000, 0x03EC13F3, 0xF4B4B332
0x0008, 0x0000, 0x61853184, 0xD0909110
0x000F, 0x0000, 0xDF267CF3, 0x98360C62
0x0010, 0x0000, 0x0381A538, 0x04110420
0x0100, 0x0000, 0xD05DC296, 0x48058200
0x1000, 0x0000, 0x5411CE80, 0x4401A000
0x2000, 0x0000, 0x4101AC00, 0x5001C000
0x3FFF, 0x0000, 0xC018000B, 0x80060002
0x0001, 0x0001, 0x0DDD0666, 0xEAAA7FFE
0x0001, 0x0002, 0xC1148665, 0x15547FFE
0x0001, 0x0003, 0xD0066003, 0xBFFE7FFE
0x0001, 0x0004, 0xA753866A, 0xEAA87FFE
0x0002, 0x0001, 0xD2C2CFAF, 0xAEEED554
0x0002, 0x0002, 0x21316D8D, 0xC888D554
0x0002, 0x0003, 0xABBBDBBB, 0xEAAAD554
0x0003, 0x0001, 0x779E7451, 0x400036DA
0x0003, 0x0002, 0x3F5AAC84, 0xA79E36DA
0x0003, 0x0003, 0x80116770, 0x051436DA
0x0004, 0x0004, 0x52D80B3E, 0x934D1248
0x0005, 0x0005, 0x5ECE0E98, 0x59F84B96
0x0006, 0x0006, 0x177FB7EB, 0xFD92CE9C
0x0007, 0x0007, 0xB7859609, 0xC282B332
0x0008, 0x0008, 0x71013094, 0xC0809110
0x000F, 0x000F, 0xE7F9F71E, 0x00500C62
0x0010, 0x0010, 0xE5A12338, 0x84310420
0x0080, 0x0080, 0x10416140, 0xC0008100
0x0600, 0x0600, 0xD64E3E7B, 0x8C518C00
0x1000, 0x1000, 0x7891CE80, 0x6401A000
0x2000, 0x2000, 0x0501AC00, 0x1001C000
0x3FFF, 0x3FFF, 0x00000006, 0x00000002

Sab
June 21st, 2004, 16:17
just curious is that a sspro standard dongle your working on?

CrackZ
June 21st, 2004, 16:38
Quote:
[Originally Posted by Sab]just curious is that a sspro standard dongle your working on?


Hardlock I'd say ;-).

Regards

CrackZ.

mike
June 22nd, 2004, 18:46
If it's really an LFSR, then you can use the Berlekamp-Massey algorithm.

sapu
June 28th, 2004, 05:26
Hi mike,
Very thanks for your suggestion.
I found a C/C++ implementation on www.qualcomm.com.au/UsefulStuff.html, i'll try this one...
Quote:
[Originally Posted by mike]If it's really an LFSR, then you can use the Berlekamp-Massey algorithm.


About the 'sample' values, yes, there are from an SSPRO dongle using the 'standard' (not 'enhanced') query mode.
The 'standard' algo is completely useless in order to emulate a 'real' dongle, but it's still useful to guess the original content of cells in range 00-07 (write & override pwds).
Quote:
[Originally Posted by Sab]just curious is that a sspro standard dongle your working on?


Regards,
SaPu

Sab
June 28th, 2004, 14:53
sspro std algo has been laying around for sometime now hidden . If you try checking out some dumpers for it (not spath type) you might find the answer inside rather then going through B Massey. -Sabbbbbrrrrr22orijdskflksdf

sapu
July 9th, 2004, 03:34
Nope, B&M doesn't work.
In fact, the B&M algorythm could be used to retrieve the LFSR feedback from a sequence of MULTIPLE results obtained with the SAME feedback value.
In my case, i have a list of SINGLE results obtained with DIFFERENT feedback values.
Does anyone has another suggestion ???

Quote:
[Originally Posted by mike]If it's really an LFSR, then you can use the Berlekamp-Massey algorithm.

Sab
July 9th, 2004, 04:30
sapu. see pm, send me an email or send me ur email.