RSA-2048 Decryption / Encryption How-To
Tools needed: OpenSSL and GNU bc (arbitrary-precision calculator)
Generate a private key with public exponent 3 and a 2048-bit modulus
openssl genrsa -des3 -3 -out my.key 2048
Extract the public modulus and exponent from the private key; these are what the signature check uses
openssl rsa -text -in "my.key"
Enter pass phrase for my.key:
Private-Key: (2048 bit)
modulus:
00:a7:46:e9:c3:82:4f:95:79:d0:5f:f9:e1:63:17:
99:95:34:6e:a1:c4:c0:60:46:22:d3:34:2a:70:f2:
84:ae:7a:e1:1d:ad:9d:34:a4:9e:43:48:04:44:46:
ff:b4:38:70:4a:39:94:21:9e:ba:39:d1:1a:da:d9:
8e:e1:c9:af:35:4e:4d:00:29:d0:44:2a:0e:c5:0f:
17:fd:42:df:86:3c:90:ee:78:c0:2f:f3:75:c0:a2:
38:d2:a1:d5:25:f9:a5:62:0d:72:44:47:ef:79:9d:
56:68:f1:7b:66:d8:ff:b5:22:7f:a9:d2:a5:ac:5d:
12:89:bf:c0:34:80:64:eb:32:59:7a:3c:96:c5:67:
00:e0:cb:4e:26:18:94:4d:98:29:e5:46:33:a6:4d:
15:4d:e6:99:7c:64:cb:3a:8c:9d:e1:6f:18:b4:70:
7e:17:3a:87:8a:21:c5:8f:f4:bc:32:60:75:7d:da:
aa:41:76:29:46:77:55:d9:24:11:1b:d1:92:65:49:
1b:29:73:56:ab:08:10:08:05:3b:f1:2b:fb:e4:24:
d7:9c:aa:8a:30:50:5c:a1:4e:7f:4b:e0:4e:67:df:
0a:99:50:ee:eb:b0:83:68:b2:13:ac:70:8d:76:7c:
28:a7:c2:08:e8:83:9d:eb:51:b8:95:b9:ee:5e:1a:
62:21
publicExponent: 3 (0x3)
Generate the signature bytes for AMSS.MBN with the private key; they are appended at the end of AMSS.MBN
openssl dgst -hex -sha1 -sign my.key amss.mbn
Enter pass phrase for my.key: SHA1(amss.mbn)= 05034375026acc0e117850d76cdcf680942c2c21dfd07407f1fbd3031296521e 9ac3684803969ef25f9dffddcb3a3c420b8ff58f258e36325c271e0047ac7e6fc516f97eeb9fb83a 2acc6f8dd66b2f6c4bc3641b0363bf7ba81770691c2bb6d43cd60d7de5802e7d9c65c23dd7a86213 b61e70639f7e473c32bfa89ddc42ad3834b9aafa22583be71c8b0ceb21a9b3d0abca2d9595fbb075 54b06f0b1a2f97b419117f0aaf859dc186900956987b126bbdf5b4d7c417db8caf6a4196312bbb2f 76b5784daa0f98eab624958d2472b2eafde717b8a5d07eafcf44527210c635ff9bf8736a35043fb1 a0279cd40c46d5b53fe9832f447eeb6e440ebe5f64aa4668
bc script "mod.bc" (modular exponentiation; loaded with bc mod.bc)
/*
 * modexp(m, e, n): return m^e mod n by right-to-left binary
 * exponentiation, so the intermediate values never grow beyond n^2.
 * Intended for non-negative integer e and n > 0; e = 0 yields 1.
 */
define modexp( m, e, n )
{
	auto acc, sq;
	acc = 1;
	sq = m;
	while ( e > 0 ) {
		/* fold in the current square when the low bit of e is set */
		if ( e % 2 != 0 ) {
			acc = acc * sq % n;
		}
		e /= 2;
		/* skip the final squaring once e is exhausted */
		if ( e > 0 ) {
			sq = sq * sq % n;
		}
	}
	return ( acc );
}
Decrypt the signature from AMSS.mbn using the modulus and exponent extracted from the private key
bc mod.bc
bc 1.06 Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
obase=16
ibase=16
sp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m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modexp (sp, 3, m)    <<< Decrypt Signature !!
1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFF003021300906052B0E03021A0500041487D9C89 67173A92335A52BDDCC3C52A09B12F748
Compute the SHA-1 of the original AMSS.mbn to compare against the decrypted result. The decrypted block is a PKCS#1 v1.5 encoding (bc drops the leading 00 byte): 01, a run of FF padding, 00, the SHA-1 DigestInfo prefix 3021300906052B0E03021A05000414, then the 20-byte hash. A verifier must compare the whole encoding, including the padding length, not only the trailing 20 hash bytes; with e = 3 a check that only inspects the tail is a known weakness.
openssl dgst -sha1 amss.mbn
SHA1(amss.mbn)= 87d9c8967173a92335a52bddcc3c52a09b12f748
Public Keys Extracted so far
Exponent = 0x3
QC public modulus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
E81, SL91, SG75, E82 = "E43FDF738985A2D0664B2D56C25D43EC61FBE66606AD3E937523C0760D6FC5B7B202727C4A3269B39931AB956588EC2CE83ECF2FDE71C8DA753F8C14C3468686E3FF7DBB18E109767C9979FF86747BF0E8FB4E73FFB7277C8F3F8F38069BEF2053328986DDA6B5EB557E641E6D8E06BA17A33CDB08C607E5E67A1D4266EF387CD66735B49A47A6B61CFDE2DFEA99CD07D73F1136BFA6AD50F367790F44D85792AF4432BB162F0B6D3EF87CCFB507A8623D3B4D0733C45ADDCBEE91CC7628E048492C48BED09FB483D1A27F044FD2920F5BF5888CBD432186987BA59F29B5EABE0E77E2FEC94DD6F471CDDEEE64A1997CA51FFFF212638EA897E5778C78F4E61F"
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
How to extract Public Keys
How to extract the KLF byte, exponent and modulus. Method 1: use my tool to read out the memory ranges listed below (verified at least on my EF81)
SG75 02675E38 02675F60 SL91 02695B40 02695C70 EF81 0269B5BC 0269B6E1 E81 026A061C 026A0750 EF82 026AA0B0 026AA1E0 SXG75 026C4198 026C42C0
This work was done by adfree; thanks for it.
Example: XX = KLF bytes; YY = IMEI (reverse byte order); 00 FF = start indicator of the public key values; 01 02 03 04 = start indicator of the public key; C4 30 68 77 ... 9A 07 = public key; E0 = end indicator of the public key values
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000000 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ..eø.Ⱥ.Š...‘õF’
00000010 XX YY YY YY YY YY YY YY YY 00 00 00 00 00 00 FF .:…............ÿ
00000020 01 02 03 04 C4 30 68 77 D3 2F 42 F9 28 15 4A 34 ....Ä0hwÓ/Bù(.J4
00000030 32 89 80 A7 54 7A B0 D6 D4 3C D7 A6 C3 AD E1 7F 2‰€§Tz°ÖÔ<צÃ*á.
00000040 24 3C 24 A7 01 D8 A8 08 56 F7 2C AD FD C8 EC F4 $<.ب.V÷,*ýÈìô
00000050 F0 1B 19 72 44 98 C3 1D 2B E1 82 8A 3C A5 9D CF ð..rD˜Ã.+ႊ<¥.Ï
00000060 A9 21 61 70 DE 37 18 C9 5F 37 FC D8 75 3B 80 6D ©!apÞ7.É_7üØu;€m
00000070 0D 41 93 04 96 89 4A C3 A3 27 65 B1 59 EB A2 0E .A“.–‰Jã'e±Yë¢.
00000080 AF C4 23 E7 EA 08 57 B3 22 F7 6D AE D0 7C 11 5E ¯Ä#çê.W³"÷m®Ð|.^
00000090 E7 EC CC 38 7D 61 CE 42 1E CB BA 5D EA F4 83 BB çìÌ8}aÎB.˺]êôƒ»
000000A0 FC FE 1D 13 0C 8E 59 ED 4A DD BF C8 CC B2 F1 D8 üþ...ŽYíJÝ¿È̲ñØ
000000B0 E6 37 BB EC 32 B6 68 07 62 B0 6E BF B6 A5 B3 7F æ7»ì2¶h.b°n¿¶¥³.
000000C0 06 10 E3 B2 10 04 24 BE 57 D4 61 22 25 6B 0F A8 ..ã².."%k.¨
000000D0 97 FC 74 32 17 64 37 91 46 9B 2D 2C 57 3F 4E 96 —üt2.d7‘F›-,W?N–
000000E0 68 AE FF C2 1B FD 5B 9F E6 5F 44 C0 39 69 D3 F2 h®ÿÂ.ý[Ÿæ_DÀ9iÓò
000000F0 19 F7 7F 6C EA 62 C3 08 B1 A5 08 AC 90 E8 DA 12 .÷.lêbÃ.±¥.¬.èÚ.
00000100 EC 14 32 3C 86 3C D0 06 29 80 F2 1B AE B6 F7 E1 ì.2<†<Ð.)€ò.®¶÷á
00000110 0A 2A E9 C9 A0 83 5E 72 AC 41 E6 7B A5 3C BA 53 .*éÉ ƒ^r¬Aæ{¥<ºS
00000120 39 6A 9A 07 E0 FF FF FF FF FF FF FF FF FF FF FF 9jš.àÿÿÿÿÿÿÿÿÿÿÿ
Method 2: use my tool and select "Information, Use Diag Port". Select the correct COM port, select "WRITENVFTM_ON" and send the command. Then enter "260200" in the command window and send it to reboot the phone; the phone should now display "FTM mode". Select "Readrootkey" and send the command; if you are lucky, the root key is displayed just as shown above. Afterwards select "WRITENVFTM_OFF" and send the command, then send "260200" again to reboot; FTM mode is gone and the phone works normally again. If this does not work, you first have to send the SPC. For the EF81 it is "000000", which has to be sent as "41" followed by the digits in ASCII, i.e. "41303030303030", then send the command.
Now you can use my tool to decrypt (i.e. verify) any signature with the extracted root key; see my C++ sources for decryption examples.
