Re: A89: faking a rom
[Prev][Next][Index][Thread]
Re: A89: faking a rom
Robin Kirkman wrote:
>
> [...]
> I make the assumption that the 512bit checksum is really just 8 RC5 checksums
> (64bits each), that was then encrypted w/ RSA.
The checksum, because there's only one, is 128 bits and it's calculated
using the MD5 algorithm. This checksum is encrypted with a 512-bit RSA
key, resulting in a 512-bit digital signature. RC5 has nothing to do
with it.
> I also make the assumption that the checksums are sequential, eg:
>
> There is 1mb of FlashRom.
> There are 8 checksums.
> the 1st 128kb are used for checksum 1
> the 2nd 128kb are used for checksum 2
> the 3rd 128kb are used for checksum 3
> etc..
There's only ONE checksum and it's calculated from ALL of the code.
> [...]
> if we can write our own rom image with correct checksums, we can, for example,
> modify it to not check the checksums on applications... thereby removing the
> necessity to purchase TI's SDK.
Assuming that the code that checks the digital signature resides in the
base code, we could simply patch it on the calc.
Otherwise, writing an ASM program that installs new base code without
checking the signature wouldn't be that hard. The hardware protection
can be disabled on both HW1 and HW2 calcs, making writes to the flash
ROM possible.
/Johan
References: