@NTense: Sorry I was gone for a few days.
I took a look at the LRP firmware update files. Lots of fun stuff in there: SHA-256, RSA, AES. I was able to get a partial decryption, but there is another layer of encryption below that.
The last layer must be done on the device itself. So, like the Tekin products, there is no way to get the firmware image without knowing what algorithm and key are used by the boot loader.
It was weird looking at their firmware updater. Their convoluted encryption scheme uses RSA to encrypt the AES keys. Normally this is a good thing - your bank uses the same thing to secure your online banking. If done right it prevents anyone from creating a custom firmware image - unless they know the private key. However, LRP sends the private key in their updater. Their whole RSA scheme is absolutely pointless!
As for the Novak firmware I'll email what I have.
To decrypt it I used Python with the PyCrypto extension. To mess with proprietary file formats like this, you often have to write your own code to crack them open. I like Python for this since it is easy for me to quickly code up a file decoder. For tasks like this it's valuable to know some kind of scripting language.
Here is the source for the decryption:
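#Import AES from PyCrypto package
from Crypto.Cipher import AES
#Get AES decryption object (key and IV given as bytes so this also runs on Python 3)
aes = AES.new(b"1234567890123456", AES.MODE_CBC, b"1234567890123456")
#Read the outloada143.rdd file into data
with open("outloada143.rdd", "rb") as f:
    data = f.read()
#Decrypt it into data2
data2 = aes.decrypt(data)
#Save the results (output file name is a placeholder, it is not given in the post)
with open("outloada143.decrypted", "wb") as f:
    f.write(data2)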
Result is a Motorola S-Record file. CPU is probably a Freescale S08 series MCU. They make special versions for brushless motor control. The code doesn't look like their 56 series DSP code - no fixed 24-bit instructions. http://www.freescale.com/webapp/sps/sit ... de=APLBDCM
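One way to confirm that a decrypted blob really is a Motorola S-Record file, as the post above reports, is to check the byte count and checksum of every line; a wrong key or mode gives no valid lines. This is an added example, not code from the original post, and the function names and sample records are constructed for illustration.

```python
import binascii

# Address width in bytes per record type (S4 is reserved and rejected).
ADDR_LEN = {"0": 2, "1": 2, "2": 3, "3": 4, "5": 2, "6": 3, "7": 4, "8": 3, "9": 2}

def parse_srec_line(line):
    """Return (type, address, data) for one S-Record line or raise ValueError."""
    line = line.strip()
    if len(line) < 10 or line[0] != "S" or line[1] not in ADDR_LEN:
        raise ValueError("not an S-Record line")
    raw = bytearray(binascii.unhexlify(line[2:]))  # ValueError on non-hex text
    count, body, n = raw[0], raw[1:], ADDR_LEN[line[1]]
    if count != len(body) or len(body) < n + 1:
        raise ValueError("byte count does not match record length")
    # The checksum is the ones' complement of the low byte of the sum of the
    # count, address and data bytes, so the total including it ends in 0xFF.
    if sum(raw) & 0xFF != 0xFF:
        raise ValueError("bad checksum")
    address = int.from_bytes(body[:n], "big")
    return line[1], address, bytes(body[n:-1])

def check_srec(blob):
    """Count valid/invalid lines in a byte string and collect S1/S2/S3 data."""
    good, bad, image = 0, 0, {}
    for line in blob.decode("latin-1").splitlines():
        if not line.strip(" \t\x00"):
            continue  # blank line or NUL padding at the end of the blob
        try:
            rtype, address, data = parse_srec_line(line)
        except ValueError:
            bad += 1
            continue
        good += 1
        if rtype in "123":
            image[address] = data
    return good, bad, image

# Constructed sample records, not taken from any real firmware image.
SAMPLE = (b"S00600004844521B\r\n"      # header record, data "HDR"
          b"S1078000010203046E\r\n"    # 4 data bytes at 0x8000
          b"S1078004050607085A\r\n"    # 4 data bytes at 0x8004
          b"S5030002FA\r\n"            # record count = 2
          b"S90380007C\r\n")           # start address 0x8000

if __name__ == "__main__":
    good, bad, image = check_srec(SAMPLE)
    print("valid lines: %d, invalid lines: %d" % (good, bad))
    for address in sorted(image):
        print("0x%04X: %s" % (address, binascii.hexlify(image[address]).decode()))
```
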