#11 (JFMw, Junior Member, joined Jun 2010, 13 posts)
    My mother tongue is not English, my explanations might be "encrypted"

    Here is a simple example:
    firmware TZ6_15, address @0204 => AA 58 4C 22 20 90 4E A7
    firmware TZ7_14, address @0208 => AA 58 4C 22 20 90 4E A7
    firmware TZ10_11, address @0204 => AA 58 4C 22 20 90 4E A7

    Of course, it's almost certain that "AA 58 4C 22 20 90 4E A7" is the encrypted value for the same clear text in TZ6, TZ7 and TZ10, so (if we call F() the encryption function) we have F@0204(cleartext) = F@0208(cleartext) and we can assume F@0204() = F@0208().

    => F() doesn't depend on the "past", and F() length is <= 4 bytes

    Also note:
    TZ6 @0200 => 5B 2B 1F 9C
    TZ7 @0200 => 5B 2B 1E 9C
    TZ10 @0200 => 5B 2B 18 AC

    I believe "5B 2B" is the encrypted value for the same clear text, which means that 3rd and 4th bytes don't change encryption for 1st and 2nd bytes.
    Last edited by JFMw; 06-25-2010 at 10:45 AM.

#12 (DaLiV, Senior Member, Latvia, joined Jun 2010, 168 posts)
    0x200 - too early for clear texts, but some code possible
    key of F() is not dynamic, as TZ6 and ZS1 look very similar (only some bytes in the middle).
    F() length is more than 4 bytes (think at least one empty/pattern block will be in the firmware - and that may be easily found visually in short cases)

#13 (DaLiV, Senior Member, Latvia, joined Jun 2010, 168 posts)
    TZ6 : @0x490510
    00 CB E5 49 C5 18 A9 27 B6 53 DD 8B 6D CC 14 09
    ZS1 : @0x490510
    00 CB E5 49 CB 11 AE 27 B6 53 DD 8B 6D CC 14 09
    T-Z = C5-CB : +0x71
    Z-S = 18-11 : +0xBE
    6-1 = A9-AE : +0x73

    Possible "Panasonic TZ6" instead of space is 0x00
    Last edited by DaLiV; 06-25-2010 at 10:40 AM.

#14 (Vitaliy Kiselev, Bronze Member, joined Apr 2010, 2,415 posts)
    Quote Originally Posted by DaLiV:
    TZ6 : @0x490510
    00 CB E5 49 C5 18 A9 27 B6 53 DD 8B 6D CC 14 09
    ZS1 : @0x490510
    00 CB E5 49 CB 11 AE 27 B6 53 DD 8B 6D CC 14 09
    T-Z = C5-CB : +0x71
    Z-S = 18-11 : +0xBE
    6-1 = A9-AE : +0x73
    Do you want to say that we have
    Result = Source+Encryption ?
    As if difference is still maintained it is not XOR :-)

    Total difference in these files (without header and checksums):

    00000218: ED B0
    00000219: CF E7
    0000021A: 38 39

    00004E0C: FD A0
    00004E0D: AE 86
    00004E0E: 8F 8E

    00014514: 59 57
    00014515: 53 5A
    00014516: 6D 6A

    00490514: C5 CB
    00490515: 18 11
    00490516: A9 AE

    We always have groups of three bytes :-)

#15 (JFMw, Junior Member, joined Jun 2010, 13 posts)
    Quote Originally Posted by DaLiV:
    TZ6 : @0x490510
    00 CB E5 49 C5 18 A9 27 B6 53 DD 8B 6D CC 14 09
    ZS1 : @0x490510
    00 CB E5 49 CB 11 AE 27 B6 53 DD 8B 6D CC 14 09
    T-Z = C5-CB : +0x71
    Z-S = 18-11 : +0xBE
    6-1 = A9-AE : +0x73

    Possible "Panasonic TZ6" instead of space is 0x00
    I would vote for DMC-TZ6

    TZ4@0152F0
    50 61 6E 61 73 6F 6E 69 63 00 00 00 00 00 00 00 = Panasonic
    44 4D 43 2D 54 5A 34 00 00 00 00 00 00 00 00 00 = DMC-TZ4

    TZ5@0152F0
    50 61 6E 61 73 6F 6E 69 63 00 00 00 00 00 00 00 = Panasonic
    44 4D 43 2D 54 5A 35 00 00 00 00 00 00 00 00 00 = DMC-TZ5
    Last edited by JFMw; 06-25-2010 at 12:37 PM.

#16 (DaLiV, Senior Member, Latvia, joined Jun 2010, 168 posts)
    Also: I've noticed that all clear firmware end the same way:
    ...
    and then 34 bytes that differ
    in encoded changed structure ... checksum (which was in last 34) moved to first 512 ... so helpless information ...
    about end block - that will be easily visible pattern (however in encoded not observed any repeating patterns)

#17 (JFMw, Junior Member, joined Jun 2010, 13 posts)
    Quote Originally Posted by DaLiV:
    in encoded changed structure ... checksum (which was in last 34) moved to first 512 ... so helpless information ...
    about end block - that will be easily visible pattern (however in encoded not observed any repeating patterns)
    ... and why not a compressed format, followed by a 4-byte permutation?
    That would explain the leading bytes @000200 (like a PK/LZ/Rar header...)

#18 (DaLiV, Senior Member, Latvia, joined Jun 2010, 168 posts)
    because with compression, on changing 1 byte in the middle you will get big block changes, not only some bytes.
    headers persist not only in compressed structures.

    offtopic:
    try any compressor on a text file, change 1 byte there and create a second compressed file - make a diff between them and take a look at how it differs on one-byte changes ... then the questions will be gone ... normally it is not possible that changing 1 byte in the source also changes only 1 byte in the compressed file ...
    only Run-length encoding possible
    Last edited by DaLiV; 06-26-2010 at 05:27 AM.

#19 (JFMw, Junior Member, joined Jun 2010, 13 posts)
    Quote Originally Posted by DaLiV:
    because with compression, on changing 1 byte in the middle you will get big block changes, not only some bytes.
    headers persist not only in compressed structures.
    I have to disagree, (1) you still have blocks 100% untouched, (2) some blocks modified are still very close with only minor changes every 5 or 10 bytes (and some bytes missing, some bytes added), (3) and in fact this is exactly the same behavior when I compare TZ6 and TZ7...

    (FYI, I've modified GH1_133, changing GH1.AHX to GH2.AHX, compressed with WinZip, and compared files the same way I'm comparing TZ6 and TZ7 files... try yourself, I'm pretty sure you'll be convinced)

    Update 1: however differences between ZS1 and TZ6 should be more important than a few bytes... you're right.

    Update 2:

    Quote Originally Posted by Vitaliy Kiselev:
    00000218: ED B0
    00000219: CF E7
    0000021A: 38 39

    00004E0C: FD A0
    00004E0D: AE 86
    00004E0E: 8F 8E

    00014514: 59 57
    00014515: 53 5A
    00014516: 6D 6A

    00490514: C5 CB
    00490515: 18 11
    00490516: A9 AE
    Changes at the beginning and the end of the file look like the filename in a zip archive... that's strange.
    Last edited by JFMw; 06-26-2010 at 08:21 AM.

#20 (DaLiV, Senior Member, Latvia, joined Jun 2010, 168 posts)
    blocks that are before the changes may be untouched (depends on the compressor and its usage of dictionary size), but after - the changes are very big ... and the size of the .zip also changes ...
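The one-byte experiment DaLiV proposes in #18 and JFMw reports in #19, as an added Python example that is not code from the thread: it compresses a constructed text with the standard library's zlib, bz2 and xz, changes one byte past the midpoint, and counts how many output bytes differ, so the result can be set against the three-byte groups seen in the firmware diff.

```python
# Added example (not from the thread): how many bytes of a compressed stream
# change when one input byte changes, the experiment argued about above.
import bz2
import lzma
import zlib

# Constructed sample input with repeats, so every compressor has work to do.
SAMPLE = (b"DMC-TZ6 firmware notes: the quick brown fox jumps over the lazy dog. "
          b"Panasonic Lumix DMC-TZ6 / DMC-ZS1 share one code base. ") * 40

COMPRESSORS = {
    "raw": (lambda d: d, lambda d: d),
    "zlib": (lambda d: zlib.compress(d, 9), zlib.decompress),
    "bz2": (bz2.compress, bz2.decompress),
    "xz": (lzma.compress, lzma.decompress),
}

def flip_one_byte(data, index, new_value):
    """Return a copy of data with the byte at index replaced."""
    out = bytearray(data)
    out[index] = new_value
    return bytes(out)

def changed_positions(a, b):
    """Offsets that differ between two byte strings; extra length counts too."""
    n = min(len(a), len(b))
    diffs = [i for i in range(n) if a[i] != b[i]]
    diffs.extend(range(n, max(len(a), len(b))))
    return diffs

def avalanche_report(original, modified):
    """Per compressor: (changed byte count, first changed offset, len1, len2)."""
    report = {}
    for name, (compress, decompress) in COMPRESSORS.items():
        c1, c2 = compress(original), compress(modified)
        assert decompress(c1) == original and decompress(c2) == modified
        diffs = changed_positions(c1, c2)
        report[name] = (len(diffs), diffs[0] if diffs else None, len(c1), len(c2))
    return report

# Change one character past the midpoint: the '6' of a "TZ6" becomes '7'.
MODIFIED = flip_one_byte(SAMPLE, SAMPLE.index(b"TZ6", len(SAMPLE) // 2) + 2, ord("7"))

if __name__ == "__main__":
    for name, (changed, first, n1, n2) in avalanche_report(SAMPLE, MODIFIED).items():
        print(f"{name:4s}: {changed:5d} bytes differ, first at {first}, sizes {n1}/{n2}")
```

Whether DEFLATE (zlib) changes one output byte or many depends on whether the new literal keeps the same Huffman code length and leaves the dynamic tree unchanged, which is the near-identical case JFMw describes; the block-sorting (bz2) and range-coding (xz) formats change far more of the stream.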