12-09-2011, 07:40 AM | #1 |
Junior Member
Posts: 7
Karma: 10
Join Date: Dec 2011
Device: none
|
decrypting the firmware upgrade files
Is there any information about the firmware upgrade files for the orizon and the odyssey? I want to have a look at the files inside them and was hoping there was some obvious way to decrypt them.
The files (CybUpdate.bin) start with the string 'Boo1' and end with 'GAME OVER', but otherwise I didn't discover any patterns in the data. There are no text strings and it's not very compressible (with bzip2 they actually become bigger). I looked at the firmware upgrade files from both devices and besides the header and the footer I didn't see any similarities in the data. Does anyone have access to the file system to figure out how the firmware updates are done?
Last edited by markun; 12-09-2011 at 07:42 AM. |
12-12-2011, 09:52 AM | #2 |
a pthread?? where? where?
Posts: 1,763
Karma: 30462
Join Date: Mar 2009
Location: Somewhere in EU
Device: Newton MessagePad 2100, and only this
|
I never heard of such a thing...
But I will be interested if some people have information on this!
Last edited by Godzil; 12-12-2011 at 10:35 AM. |
12-12-2011, 11:17 AM | #3 |
Junior Member
Posts: 7
Karma: 10
Join Date: Dec 2011
Device: none
|
Actually I did find some patterns
At the start of the Odyssey firmware update:
Code:
00000004 df a3 79 1f 0c 5a 51 57 e9 09 be bb 3d 3e 61 68 |..y..ZQW....=>ah|
00000014 51 fc 24 ff 05 45 f8 43 4c b7 84 3c 96 a2 65 06 |Q.$..E.CL..<..e.|
00000024 0a dd 8d a1 9e 14 26 93 0a dd 8d a1 9e 14 26 93 |......&.......&.|
00000034 0a dd 8d a1 9e 14 26 93 5b 19 42 79 b8 6e b6 86 |......&.[.By.n..|
00000044 45 b3 27 7c 48 8d ca 38 b0 21 b0 3e 55 c8 51 9d |E.'|H..8.!.>U.Q.|
00000054 50 c1 30 43 01 50 a6 52 63 d9 ab 92 ff 5a 24 2e |P.0C.P.Rc....Z$.|
00000064 7d d4 6a 8f ff 36 64 28 0a dd 8d a1 9e 14 26 93 |}.j..6d(......&.|
00000074 0c 4b e9 d2 32 76 2e 67 29 20 93 66 22 26 15 fd |.K..2v.g) .f"&..|
Code:
00000004 11 86 c9 5c 3c c4 7f 07 7e ad 73 2c c7 20 34 5d |...\<...~.s,. 4]|
00000014 21 2c 85 cf f2 99 1d bb 46 b6 d3 5a a8 60 e5 96 |!,......F..Z.`..|
00000024 d0 d4 62 9e 86 bf a4 18 d0 d4 62 9e 86 bf a4 18 |..b.......b.....|
00000034 d0 d4 62 9e 86 bf a4 18 1b 5c 35 05 96 82 8f f1 |..b......\5.....|
00000044 ad ed 29 bc e8 20 7e 63 97 06 5b d4 d6 de 7d 94 |..).. ~c..[...}.|
00000054 9e ea bd 94 94 d2 93 7d d0 3a de ad 26 63 14 c8 |.......}.:..&c..|
00000064 63 0e 52 57 98 a9 19 14 d0 d4 62 9e 86 bf a4 18 |c.RW......b.....|
00000074 57 72 59 5f 55 96 73 db 05 9d c1 20 68 70 ba c4 |WrY_U.s.... hp..|
Odyssey:
Code:
01244604 0a dd 8d a1 9e 14 26 93 54 53 e1 de 72 f2 2d bd |......&.TS..r.-.|
01244614 57 e3 6c 3f fb 6b 2b 97 09 11 0c 13 5d 51 95 1f |W.l?.k+.....]Q..|
01244624 38 4e f2 48 05 1e dc 1d ac a0 a0 4b 15 f5 2a 72 |8N.H.......K..*r|
01244634 3d ae 26 fd 79 a7 d0 d1 16 32 b8 42 57 ca 91 fd |=.&.y....2.BW...|
01244644 bc 2e b4 ee ae 0c ce 0f ac 0a 94 ea bf be 80 dd |................|
01244654 85 6d b7 cd d3 11 b5 10 62 81 5b e5 80 a4 d6 ad |.m......b.[.....|
01244664 3f c1 f8 15 96 2a 7b 7d 13 3d b9 89 3d be a8 d7 |?....*{}.=..=...|
01244674 1c 31 6b f6 c3 ad d5 1c 23 32 00 58 75 86 e9 60 |.1k.....#2.Xu..`|
01244684 04 a1 66 fd 69 dd 6d 05 47 41 4d 45 5f 4f 56 45 |..f.i.m.GAME_OVE|
01244694 52 |R|
Code:
010d7194 d0 d4 62 9e 86 bf a4 18 c7 f7 cb 93 5b 5f 00 d5 |..b.........[_..|
010d71a4 7b ab 4d cb e3 1b 93 b2 d7 b3 54 4f 47 4c c9 88 |{.M.......TOGL..|
010d71b4 e1 9c 7d f5 17 17 8d 7c 3c 59 6c 40 0a 73 60 45 |..}....|<Yl@.s`E|
010d71c4 3b 9c cb da 0f 9b 34 f4 63 5c 41 60 bb ba f6 4c |;.....4.c\A`...L|
010d71d4 f4 32 b0 40 5d 74 78 c7 cf 16 5e 39 95 ae 74 56 |.2.@]tx...^9..tV|
010d71e4 7c 92 a2 ef 45 0f da 98 68 07 db 03 20 85 45 eb ||...E...h... .E.|
010d71f4 07 5d 67 70 fc 7f 19 2d ce 6a 3b 24 f9 df 4c da |.]gp...-.j;$..L.|
010d7204 eb c0 54 20 18 d5 3f a0 60 6f 35 cd 43 21 7c 2a |..T ..?.`o5.C!|*|
010d7214 81 7a 2a 27 d9 15 ce 7e 47 41 4d 45 5f 4f 56 45 |.z*'...~GAME_OVE|
010d7224 52 |R|
|
12-13-2011, 04:01 AM | #4 |
a pthread?? where? where?
Posts: 1,763
Karma: 30462
Join Date: Mar 2009
Location: Somewhere in EU
Device: Newton MessagePad 2100, and only this
|
Can you give the exact version of the update, and the exact position where you find these patterns?
|
12-13-2011, 04:09 AM | #5 |
Junior Member
Posts: 7
Karma: 10
Join Date: Dec 2011
Device: none
|
I got the firmware updates here:
http://www.bookeen.com/en/supportdownload/?idPart=2
Odyssey firmware upgrade 4.0 (build 1476)
Orizon firmware upgrade 3.1 (build 1398)
I used "hexdump -s4 -C CybUpdate.bin" in Linux to make the dumps shown in my previous post. On the left of the dumps you can see the byte positions in hexadecimal. The -s4 argument skips the first 4 characters (which are 'Boo1' for both files).
btw, I don't know if it's ok to put links to the firmware upgrade files here since you normally need to log in to get to the download section.. should I remove it and replace it with a link to the download page?
Last edited by markun; 12-13-2011 at 04:18 AM. |
12-13-2011, 04:54 AM | #6 |
a pthread?? where? where?
Posts: 1,763
Karma: 30462
Join Date: Mar 2009
Location: Somewhere in EU
Device: Newton MessagePad 2100, and only this
|
Oops, you're right about the address in the file; I was mistaking it for a "line number" in the "code" box.
|
12-13-2011, 05:42 AM | #7 |
Junior Member
Posts: 7
Karma: 10
Join Date: Dec 2011
Device: none
|
The Odyssey file contains these 8 bytes 4 times: f1 4f 4c d7 86 75 4b 01
The Orizon file contains these 8 bytes 2 times: 0b af 05 35 3d 9b 10 4f
Not sure if that is of any use. |
12-19-2011, 08:26 AM | #8 |
Junior Member
Posts: 7
Karma: 10
Join Date: Dec 2011
Device: none
|
Just noticed there is a new firmware for the Odyssey, so: more data!
Odyssey firmware upgrade 4.0 (build 1481)
Start:
Code:
00000004 aa 78 10 0d bd 73 20 10 31 8b ee 8c 0a a7 78 81 |.x...s .1.....x.|
00000014 f3 a2 31 aa 8b e3 7e e8 d7 b9 d6 6f 51 66 4b 8c |..1...~....oQfK.|
00000024 4e 55 bb 36 d8 d5 21 22 4e 55 bb 36 d8 d5 21 22 |NU.6..!"NU.6..!"|
00000034 4e 55 bb 36 d8 d5 21 22 ed b9 a8 05 cb de a4 a7 |NU.6..!"........|
00000044 0b 6e ac 9d f2 93 c6 92 1a a9 3f 4c 7c a1 b8 e0 |.n........?L|...|
00000054 bb c8 dd d9 5c 95 a1 6a e7 9b b3 1d 35 ce 3d 65 |....\..j....5.=e|
00000064 b4 da 9f 46 2e 51 53 a4 c2 6c 40 10 fb f2 fe 03 |...F.QS..l@.....|
00000074 58 03 30 c3 a0 dc bd cb 1a 7c 1f 45 ee 73 e5 82 |X.0......|.E.s..|
Code:
0124c204 4e 55 bb 36 d8 d5 21 22 5a 50 74 fd b9 a3 22 5a |NU.6..!"ZPt..."Z|
0124c214 f2 e0 6b a7 6c 3d 44 1e c3 db 9d 89 cc 71 2c 2f |..k.l=D......q,/|
0124c224 cb 2c 0a b4 5e 93 0e 5f cd cd 90 5c 0e 82 94 87 |.,..^.._...\....|
0124c234 e9 3a 26 12 d0 70 a0 a3 93 9e 76 81 d0 4d d7 69 |.:&..p....v..M.i|
0124c244 12 50 6c da fc 6d a6 c6 d8 d5 36 52 4e 1b 7e 3a |.Pl..m....6RN.~:|
0124c254 6e 49 40 2b 3b 6d 6b 3c 1d 89 97 b1 e2 5a 7b d6 |nI@+;mk<.....Z{.|
0124c264 a5 fc bc a1 76 af 8f e8 e5 12 75 ec 57 69 35 24 |....v.....u.Wi5$|
0124c274 3f df ae 1c 9c 5b 0f e5 21 ce 79 0b e3 66 4a 41 |?....[..!.y..fJA|
0124c284 38 a6 54 7a 12 18 1a c7 47 41 4d 45 5f 4f 56 45 |8.Tz....GAME_OVE|
0124c294 52 |R|
5 x 4e 55 bb 36 d8 d5 21 22
3 x 4f 16 aa 3f 96 91 12 26
2 x 7c 72 44 cc fc 69 0f 8e
Last edited by markun; 12-19-2011 at 10:18 AM. |
12-19-2011, 12:56 PM | #9 |
a pthread?? where? where?
Posts: 1,763
Karma: 30462
Join Date: Mar 2009
Location: Somewhere in EU
Device: Newton MessagePad 2100, and only this
|
Maybe I'm wrong, but I'm unsure this will be of any help. OK, there is this 8-byte-long repetition a different number of times in each file, but they are too different to be some useful data...
I have doubts about this "discovery". (Some seem to be placed at the same place, but what can that mean?) |
12-19-2011, 04:12 PM | #10 |
Junior Member
Posts: 7
Karma: 10
Join Date: Dec 2011
Device: none
|
Well, my guess is that the decrypted files all have the same values at those positions in the header, could be 00 00 00 00 ... or ff ff ff ff ... for example. At first I thought the Odyssey and the Orizon might have different keys for the encryption which caused these recurring strings to be different, but since the two Odyssey files look so different I guess that's not true.
Anyway, I personally think it's a good start and will keep trying |
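The repeated-block counts in posts #7 and #8 and the compressibility check from post #1 can be reproduced with a short script. This is an added example, not code from the thread or from Bookeen; the function names are made up here, the sample file is constructed, and it assumes the payload is read as 8-byte blocks aligned to the byte after 'Boo1', which matches the offsets in the posted dumps.

```python
import bz2
import hashlib

MAGIC = b"Boo1"          # 4-byte header reported in the thread
TRAILER = b"GAME_OVER"   # trailer as it appears in the posted dumps
BLOCK = 8                # length of the repeated runs reported in the thread


def split_container(blob):
    """Return the payload between the magic and the trailer, or raise ValueError."""
    if not blob.startswith(MAGIC) or not blob.endswith(TRAILER):
        raise ValueError("not a Boo1 ... GAME_OVER container")
    return blob[len(MAGIC):len(blob) - len(TRAILER)]


def repeated_blocks(payload, block=BLOCK):
    """Map each aligned block that occurs more than once to its file offsets."""
    offsets = {}
    for pos in range(0, len(payload) - block + 1, block):
        offsets.setdefault(payload[pos:pos + block], []).append(pos + len(MAGIC))
    return {blk: offs for blk, offs in offsets.items() if len(offs) > 1}


def bz2_ratio(payload):
    """Compressed size divided by original size; above 1.0 means bzip2 grew it."""
    return len(bz2.compress(payload)) / len(payload)


def constructed_sample():
    """Constructed stand-in for CybUpdate.bin: hash output as filler, with one
    block placed at the offsets posted for build 1476 (0x24, 0x2c, 0x34, 0x6c)."""
    filler = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
    payload = bytearray(filler[:0x80])
    marker = bytes.fromhex("0add8da19e142693")   # value quoted in the thread
    for file_off in (0x24, 0x2c, 0x34, 0x6c):
        start = file_off - len(MAGIC)
        payload[start:start + BLOCK] = marker
    return MAGIC + bytes(payload) + TRAILER


if __name__ == "__main__":
    payload = split_container(constructed_sample())
    for blk, offs in repeated_blocks(payload).items():
        print(len(offs), "x", blk.hex(" "), "at", [hex(o) for o in offs])
    print("bzip2 ratio: %.2f" % bz2_ratio(payload))
```

On a real update file, read the bytes with `open(path, "rb").read()` and pass them to `split_container` in place of the constructed sample.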
12-20-2011, 10:17 AM | #11 |
a pthread?? where? where?
Posts: 1,763
Karma: 30462
Join Date: Mar 2009
Location: Somewhere in EU
Device: Newton MessagePad 2100, and only this
|
I understand what you mean
|
12-20-2011, 10:34 AM | #12 |
Linux User
Posts: 2,279
Karma: 6123806
Join Date: Sep 2010
Location: Heidelberg, Germany
Device: none
|
If that were the case there should probably be several more repeated patterns in the file. This is the case for example with the iriver Story HD firmware files which use a simple byte pad cipher, and the decoded file is a ZIP with an easy to bruteforce password. The Odyssey seems to be using a more sophisticated cipher. You might have to gain access to the system files and figure out the decryption routine from there...
|
12-21-2011, 04:13 AM | #13 |
Junior Member
Posts: 7
Karma: 10
Join Date: Dec 2011
Device: none
|
I don't know if there would be many repeated patterns. If it's a compressed file (bzip2 or something) I wouldn't expect any repeated patterns except maybe in the header.
I don't actually own the Odyssey nor the Orizon and I didn't find out if anyone managed to get access to the filesystem. Do you own one of them? |
12-21-2011, 04:53 AM | #14 | |
a pthread?? where? where?
Posts: 1,763
Karma: 30462
Join Date: Mar 2009
Location: Somewhere in EU
Device: Newton MessagePad 2100, and only this
|
Quote:
|
|
02-13-2012, 12:01 PM | #15 |
a pthread?? where? where?
Posts: 1,763
Karma: 30462
Join Date: Mar 2009
Location: Somewhere in EU
Device: Newton MessagePad 2100, and only this
|
markun: do you have news on your investigations?
|