
asteroid-1809- 04-25-2009
one last gift
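/* Post text (kept verbatim): The burning man is reignited with this bit of
 * fire from outerspace. */

// firedecrypt.cpp
//
// Reads a 128-byte challenge (four "C " lines of 64 hex digits each) from
// firedecryptkeys.txt, transforms it in place with the Windows CryptoAPI and
// prints challenge ("C") and response ("R") as hex.
//
// Design note for reviewers: the response is a deterministic function of the
// challenge and of the two constant tables below (MD5 over a 16-byte seed ->
// RC2 key, plus an 8-byte IV). Nothing per-device and nothing secret at run
// time enters the computation, so a challenge-response lock built this way is
// only as strong as the secrecy of constants that ship inside software.
//
#include "stdafx.h"
#include <windows.h>
#include <wincrypt.h>
#include <ctype.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

enum {
    CHALLENGE_SETS  = 32,    /* rows in data2hash / data4iv; valid index is 1..32 */
    KEY_BYTES       = 0x80,  /* bytes in a challenge and in a response */
    PLAIN_BYTES     = 0x7f,  /* bytes encrypted: the challenge minus its index byte */
    HEX_LINE_BYTES  = 32,    /* bytes encoded on one "C" line of the key file */
    LINES_PER_KEY   = 4      /* "C" lines that make up one challenge */
};

void DumpKey(const char *name, const char *key);
void PD_CryptErrorHandler(const char *func);
int PD_Challenge2Response(int index, unsigned char *challengeresponsedata);
int LoadKey();

/* Zero-initialised globals: LoadKey() fills the first 128 bytes of
 * challengekey, the remainder stays 0 and serves as the pad the encrypt
 * step relies on. responsekey is not referenced anywhere in this file. */
unsigned char challengekey[512];
unsigned char responsekey[512];

/* Per-index 16-byte seeds; the selected row is hashed with MD5 and the RC2
 * key is derived from that hash. */
unsigned char data2hash[32][16] = {
    {0x97,0x9B,0xFD,0xEA,0x2E,0x81,0x56,0x24,0x08,0xD6,0x74,0xEC,0x6B,0xBE,0xCE,0xB7}, //01
    {0x06,0x18,0x6e,0xe3,0x2a,0x8b,0x7d,0x03,0x40,0x74,0xd6,0x09,0x4a,0x44,0xd1,0x21}, //02
    {0xd0,0xa4,0x24,0x46,0x3d,0xd4,0xb9,0x45,0x8b,0x01,0x46,0x4c,0x19,0x2c,0xf3,0x58}, //03
    {0x81,0xbc,0x56,0x18,0x4e,0xc5,0x2d,0xb2,0x63,0x06,0x10,0x5c,0x4e,0x41,0xda,0x42}, //04
    {0xde,0x71,0xe6,0x63,0xe9,0xb6,0x2d,0x4e,0x8f,0x88,0x03,0x94,0xbf,0x55,0x6d,0x48}, //05
    {0xb0,0x82,0xe8,0x2d,0xb8,0x88,0x36,0xcc,0x26,0xbc,0x34,0x23,0x0e,0x8b,0x9a,0xba}, //06
    {0x74,0x26,0x3f,0x34,0x28,0xa1,0x94,0xfe,0xea,0x02,0xc3,0x0b,0xd4,0xce,0x1b,0x78}, //07
    {0x48,0x9c,0x64,0xdc,0x8c,0xb2,0xa4,0x41,0x08,0x16,0xe4,0x7d,0x32,0x92,0x2d,0x5d}, //08
    {0x8a,0xd5,0xb2,0xb8,0x2a,0x0c,0x36,0x06,0xd4,0x1d,0x5f,0x0e,0x18,0x3f,0xe7,0xca}, //09
    {0x79,0x62,0xa4,0x59,0x64,0xa0,0xbf,0x8d,0xac,0x73,0x24,0x0f,0x45,0x74,0x72,0x71}, //10
    {0x06,0x46,0x61,0x57,0x53,0xf7,0x63,0x43,0xa6,0xb8,0xbc,0x91,0xb2,0x88,0xfe,0x32}, //11
    {0x0a,0x58,0x9d,0x5c,0x2e,0x94,0x66,0xcf,0x2c,0x05,0x7e,0x39,0x66,0xc4,0x54,0x27}, //12
    {0xf4,0xdd,0x85,0xcf,0xce,0x1e,0xe2,0xd1,0x31,0x71,0x65,0x09,0x38,0xab,0xd2,0xb7}, //13
    {0x43,0xf3,0x06,0x77,0x62,0x51,0xe8,0x2a,0x80,0xbc,0x47,0xc0,0x48,0xcb,0x2f,0xd2}, //14
    {0x1b,0x34,0xc2,0xe1,0x41,0x30,0xcc,0x3c,0x84,0x2d,0xa1,0x61,0x92,0xd3,0xc8,0xa1}, //15
    {0x46,0x74,0xed,0x39,0x70,0xd8,0xf3,0xb8,0xd3,0x31,0x86,0xa8,0xb9,0xa1,0x64,0x9a}, //16
    {0x5c,0x6b,0xbb,0x1b,0xa7,0x68,0x43,0x43,0xa3,0xe8,0x41,0x9b,0x5f,0x31,0x86,0x67}, //17
    {0x12,0x5a,0x4e,0x66,0x4c,0x1d,0xf3,0xe6,0x6d,0xd7,0xb4,0x10,0xd3,0xe6,0xc9,0xda}, //18
    {0x10,0x3b,0x62,0xf0,0x9e,0x6e,0x93,0x36,0x9d,0x06,0xc9,0x05,0xa8,0x1c,0x7c,0x5c}, //19
    {0x02,0xf7,0x52,0xc2,0xab,0x3a,0xd4,0x6f,0xa3,0x69,0x5a,0xd9,0x67,0xb9,0x87,0x1d}, //20
    {0x6c,0x9c,0x3a,0x8b,0x9a,0x32,0xe8,0x51,0x9e,0x5a,0xa0,0xfc,0x0d,0x07,0x37,0xce}, //21
    {0xb3,0x84,0x71,0x25,0x13,0x45,0x3e,0x5a,0xfd,0xf5,0x65,0x83,0x66,0xa4,0x01,0x38}, //22
    {0xdf,0x01,0x5d,0x34,0xb6,0xd1,0xec,0xeb,0xaa,0xd9,0xf1,0xfe,0x63,0xb1,0x75,0x39}, //23
    {0x94,0x96,0x82,0x59,0xfa,0x3a,0x1d,0xb7,0x19,0x43,0x2f,0x02,0xdf,0x84,0xc2,0x2d}, //24
    {0xbb,0x54,0x79,0x28,0xbe,0xfa,0xd3,0xa4,0xe5,0x39,0x9c,0x4e,0xcc,0x70,0x0a,0x62}, //25
    {0x87,0x85,0xff,0x21,0xdf,0xf4,0xab,0xa4,0xe5,0xd5,0x5f,0x64,0x39,0x49,0x44,0x54}, //26
    {0x41,0x97,0xf5,0xf4,0xc9,0xd6,0x26,0x80,0xa7,0x16,0x43,0xe6,0x57,0xa6,0x8c,0xf7}, //27
    {0xa2,0x84,0x54,0x35,0xad,0xbc,0x66,0xc3,0xc9,0x15,0x8e,0xc7,0x8d,0x36,0x3e,0x90}, //28
    {0x59,0x7a,0x6a,0x00,0x5d,0x66,0xea,0x5a,0x94,0x8b,0x77,0x3b,0x4c,0x02,0x1f,0x6e}, //29
    {0x0a,0x5e,0xb1,0x02,0x49,0x18,0xa7,0xa7,0xda,0x3a,0xdf,0xab,0x77,0xe2,0x26,0xff}, //30
    {0x1e,0x1e,0xb4,0x81,0xf6,0xd3,0x9e,0x96,0xb7,0x34,0x84,0xa8,0x73,0x9b,0x61,0xc7}, //31
    {0x1c,0x0d,0x4d,0x81,0x4c,0xc5,0xd1,0x7e,0xd7,0xc8,0x09,0x3f,0x70,0x54,0x96,0xad}  //32
};

/* Per-index 8-byte values installed as the cipher IV (KP_IV). */
unsigned char data4iv[32][8] = {
    {0xFE,0x2A,0x60,0xFD,0x10,0x38,0x1E,0x7F}, //01
    {0x5D,0x18,0xFB,0x0C,0xAF,0x31,0xB7,0x02}, //02
    {0x2D,0x48,0x77,0xDC,0x72,0xA6,0x8F,0xBC}, //03
    {0xC6,0xDB,0x61,0xA5,0x61,0x13,0x03,0x07}, //04
    {0x56,0xaf,0x19,0x31,0xec,0x8f,0x77,0x22}, //05
    {0xc5,0xf2,0x71,0x4c,0xf1,0xa7,0x19,0x7b}, //06
    {0xe4,0xb6,0xb0,0xb4,0x2b,0x1c,0x71,0xd5}, //07
    {0xec,0x6d,0x98,0x43,0x76,0xdf,0xe0,0x13}, //08
    {0x27,0x9a,0xb7,0x10,0x94,0xde,0x08,0x0d}, //09
    {0x85,0x92,0xc6,0xc5,0x3b,0x88,0xb7,0xcd}, //10
    {0xbd,0x50,0xd7,0xdb,0xe8,0x9f,0x79,0x4e}, //11
    {0xdb,0xb9,0xe8,0x95,0x5e,0x1a,0x47,0x1e}, //12
    {0x96,0x30,0xfd,0xbf,0x27,0xbe,0x5e,0xce}, //13
    {0x7e,0x29,0xf2,0x76,0xe4,0x53,0xbf,0x1b}, //14
    {0xb1,0xa5,0xfe,0x76,0x5a,0x08,0xd6,0x4e}, //15
    {0x01,0x73,0xb1,0xb0,0x8e,0xb8,0xbe,0x7d}, //16
    {0xbe,0x3b,0x2b,0x57,0x1a,0xa1,0xb2,0xfa}, //17
    {0x2a,0xc8,0xc1,0xc9,0x5b,0xd7,0xda,0x27}, //18
    {0xd3,0x41,0x41,0xa2,0x94,0x93,0xdc,0x90}, //19
    {0x71,0x93,0xc6,0x95,0x24,0xb9,0xe3,0x6f}, //20
    {0x77,0x70,0x26,0x8a,0x51,0xbf,0xa9,0xb2}, //21
    {0x89,0x9a,0xd0,0xde,0x67,0x24,0x82,0x23}, //22
    {0x2f,0x7d,0xb7,0xa4,0xa5,0xca,0x73,0x4c}, //23
    {0x30,0xd2,0x2b,0x33,0x2b,0xa4,0x0d,0x74}, //24
    {0x98,0xae,0x10,0xaa,0xaa,0xd3,0x4f,0x0f}, //25
    {0x3b,0x9a,0x24,0xc6,0x07,0x39,0x62,0xf8}, //26
    {0x38,0x10,0xa6,0x13,0x1a,0xbe,0xb0,0x3a}, //27
    {0xe4,0xfc,0x7c,0x9a,0x46,0x18,0x3e,0xbc}, //28
    {0xb2,0x79,0x2f,0x14,0x20,0x4e,0x40,0x1a}, //29
    {0xb2,0x25,0xa6,0xcc,0x1c,0x9a,0xcb,0x88}, //30
    {0x31,0xa4,0x88,0xbc,0x0f,0xc5,0x7a,0x81}, //31
    {0x5d,0x0e,0x9d,0x40,0xb7,0xe5,0x85,0xda}  //32
};

/*
 * Entry point: load the challenge, validate its index byte, compute the
 * response in place and print both. Returns 0 on success, 1 on any failure.
 * system("pause") only keeps the console window open; the command string is
 * a fixed literal, never user input.
 */
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    printf("firedecrypt V0.3\n\n");

    if (LoadKey() == FALSE) {
        printf("Couldn't load firedecryptkeys.txt\n");
        system("pause");
        return 1;
    }

    /* The first challenge byte selects the table row; reject anything that
     * would index outside data2hash / data4iv. (The original message said
     * "01-12" although the check has always been 1..32.) */
    if ((challengekey[0] < 1) || (challengekey[0] > CHALLENGE_SETS)) {
        printf("Challenge is out of 01-32 range... aborting!\n");
        system("pause");
        return 1;
    }

    printf("\nS firedecrypt\n");
    DumpKey("C", (const char *)challengekey);

    /* The original ignored this result and printed whatever was left in the
     * buffer as the "response" even when a crypto call had failed. */
    if (PD_Challenge2Response(challengekey[0], challengekey + 1) == FALSE) {
        printf("Couldn't compute the response\n");
        system("pause");
        return 1;
    }
    DumpKey("R", (const char *)challengekey + 1);

    printf("\n\n");
    system("pause");
    return 0;
}

/*
 * Overwrites a challenge with its response.
 *
 * index                  read: 1..32, the first byte of the challenge; picks
 *                        the row of data2hash and data4iv.
 * challengeresponsedata  read+write: the remaining 0x7f challenge bytes
 *                        followed by zero padding. The buffer must hold at
 *                        least 0x80 bytes, because the final cipher block is
 *                        padded on output.
 *
 * Returns TRUE on success, FALSE on a bad argument or any CryptoAPI failure.
 * Every handle acquired here is released on every path (the original leaked
 * the provider context whenever a later call failed).
 */
int PD_Challenge2Response(int index, unsigned char *challengeresponsedata)
{
    HCRYPTPROV hProv = 0;               /* crypto context provider */
    HCRYPTHASH hHash = 0;               /* MD5 hash object */
    HCRYPTKEY  hKey  = 0;               /* RC2 key derived from the hash */
    DWORD      cryptsize = PLAIN_BYTES; /* in: plaintext length, out: ciphertext length */
    LPCTSTR    provider = MS_DEF_PROV;
    int        ok = FALSE;

    /* Never trust the caller for the table index. */
    if (index < 1 || index > CHALLENGE_SETS || challengeresponsedata == NULL) {
        return FALSE;
    }

    /* Rows 1-4 go through the base provider, rows 5 and up through the
     * enhanced provider. CryptDeriveKey below is given no explicit key
     * length, so it uses the provider's default for RC2 (per the CryptoAPI
     * documentation the two providers' defaults differ); the provider is
     * therefore part of the algorithm. */
    if (index > 4) {
        provider = MS_ENHANCED_PROV;
    }

    if (!CryptAcquireContext(&hProv, NULL, provider, PROV_RSA_FULL, 0)) {
        /* Retry, creating the default key container. The original retried
         * with MS_DEF_PROV unconditionally, which for index > 4 would
         * silently switch providers.
         * NOTE(review): no persisted key is used here, so acquiring with
         * CRYPT_VERIFYCONTEXT would avoid touching the user's key container
         * at all -- confirm on a target system before switching. */
        if (!CryptAcquireContext(&hProv, NULL, provider, PROV_RSA_FULL,
                                 CRYPT_NEWKEYSET)) {
            PD_CryptErrorHandler("CryptAcquireContext");
            return FALSE;
        }
    }

    if (!CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash)) {
        PD_CryptErrorHandler("CryptCreateHash");
        goto cleanup;
    }

    if (!CryptHashData(hHash, data2hash[index - 1], sizeof data2hash[0], 0)) {
        PD_CryptErrorHandler("CryptHashData");
        goto cleanup;
    }

    if (!CryptDeriveKey(hProv, CALG_RC2, hHash, CRYPT_NO_SALT, &hKey)) {
        PD_CryptErrorHandler("CryptDeriveKey");
        goto cleanup;
    }

    if (!CryptSetKeyParam(hKey, KP_IV, data4iv[index - 1], 0)) {
        PD_CryptErrorHandler("CryptSetKeyParam");
        goto cleanup;
    }

    /* Encrypt in place. The original declared a 512-byte buffer here, but
     * main() passes challengekey + 1, which leaves only 511 bytes; declare
     * just what the padded output needs. */
    if (!CryptEncrypt(hKey, 0, TRUE, 0, challengeresponsedata, &cryptsize,
                      KEY_BYTES)) {
        PD_CryptErrorHandler("CryptEncrypt");
        goto cleanup;
    }

    ok = TRUE;

cleanup:
    if (hKey) {
        CryptDestroyKey(hKey);
    }
    if (hHash) {
        CryptDestroyHash(hHash);
    }
    CryptReleaseContext(hProv, 0);
    return ok;
}

/*
 * Reports a failed CryptoAPI call on stderr. Must be called directly after
 * the failing call so that GetLastError() still belongs to it.
 */
void PD_CryptErrorHandler(const char *func)
{
    DWORD err = GetLastError();   /* read first: later calls may overwrite it */

    fprintf(stderr, "**** ERROR in %s()! (GetLastError=0x%08lx)\n",
            func, (unsigned long)err);
}

/*
 * Prints 0x80 bytes of key as lowercase hex, 32 bytes per line, each line
 * prefixed with name and a space. The caller must supply at least 0x80
 * readable bytes.
 */
void DumpKey(const char *name, const char *key)
{
    int t;

    printf("%s ", name);
    for (t = 0; t < KEY_BYTES; t++) {
        printf("%02x", (unsigned char)key[t]);
        /* start a new prefixed line after every 32 bytes except the last */
        if ((t % 32 == 31) && (t != KEY_BYTES - 1)) {
            printf("\n%s ", name);
        }
    }
    printf("\n");
}

/*
 * Loads the challenge from firedecryptkeys.txt into challengekey[0..127].
 *
 * The file is scanned for lines starting with 'C'; each must carry 64 hex
 * digits from column 2 on (32 bytes). Other lines are skipped. After four
 * such lines the 128 bytes are copied to challengekey and TRUE is returned.
 * Returns FALSE if the file cannot be opened, holds fewer than four 'C'
 * lines, or a 'C' line is short or contains a non-hex character (the
 * original parsed such lines from stale buffer contents instead).
 */
int LoadKey()
{
    FILE *in;
    unsigned int cline = 0;
    unsigned int t;
    size_t len;
    unsigned char tmp_challenge_key[KEY_BYTES];
    char line[130];
    char sval[3];

    in = fopen("firedecryptkeys.txt", "r");
    if (in == NULL) {
        return FALSE;
    }
    printf("Opened firedecryptkeys.txt\n");

    while (fgets(line, sizeof line, in) != NULL) {
        /* Strip the line ending; checking len first avoids the original's
         * line[strlen(line)-1] underflow on an empty string. */
        len = strlen(line);
        while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r')) {
            line[--len] = 0;
        }

        if (line[0] != 'C') {
            continue;
        }

        /* "C" + separator + 64 hex digits */
        if (len < (size_t)(2 + 2 * HEX_LINE_BYTES)) {
            fclose(in);
            return FALSE;
        }

        for (t = 0; t < HEX_LINE_BYTES; t++) {
            sval[0] = line[2 + (t * 2)];
            sval[1] = line[3 + (t * 2)];
            sval[2] = 0;
            if (!isxdigit((unsigned char)sval[0]) ||
                !isxdigit((unsigned char)sval[1])) {
                fclose(in);
                return FALSE;
            }
            tmp_challenge_key[cline * HEX_LINE_BYTES + t] =
                (unsigned char)strtoul(sval, NULL, 16);
        }

        if (++cline == LINES_PER_KEY) {
            memcpy(challengekey, tmp_challenge_key, sizeof tmp_challenge_key);
            fclose(in);
            return TRUE;
        }
    }

    fclose(in);
    return FALSE;
}

/* Post text (kept verbatim): I've been one and I've been many. Soon we'll all
 * be none. Oh Pancho. Will all this mean anything after the ash and bits have
 * vanished into the aether? Does it mean anything now? Farewell. */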

bypass- 04-25-2009

Which means???? :)

enigma-- 04-25-2009

thanks, brite, guy fawkes, etc. :D but I can't compile firedecrypt.cpp:5:20: error: stdafx.h: No such file or directory firedecrypt.cpp:6:21: error: windows.h: No such file or directory firedecrypt.cpp:7:22: error: wincrypt.h: No such file or directory firedecrypt.cpp: In function ‘int main(int, char**)’: firedecrypt.cpp:98: error: ‘FALSE’ was not declared in this scope firedecrypt.cpp: At global scope: firedecrypt.cpp:126: error: expected initializer before ‘pad’ need someone on windows. PS> I did get the prometheus allusion :D yay!

nicknaggriff- 04-25-2009

after compiling, i cant get it to read "firedecryptkeys.txt". firedecrypt V0.3 Couldn't load firedecryptkeys.txt Press any key to continue . . . left with these 4 warnings. warning C4996: 'fopen': This function or variable may be unsafe. Consider using fopen_s instead. warning C4101: 'tmp_keydesc' : unreferenced local variable warning C4101: 'rline' : unreferenced local variable warning C4101: 'tmp_response_key' : unreferenced local variable

BillW- 04-25-2009

:shock: It looks like the source is a bit mangled. There are some slash-n characters that are showing up as just n's. If you're grabbing this source, do a quoted-reply and copy and paste from there. Someone please confirm this works! These days I'm just running Ubuntu, so I have no way of trying this out. (at least until I get to work on monday!)

bobbarker- 04-25-2009

I'll try this on my WinXP virtualbox...gotta install Code::Blocks first though.

Amyn- 04-25-2009

As always, the name carries some sort of significance. Asteroid-1809 http://en.wikipedia.org/wiki/1809_Prometheus http://en.wikipedia.org/wiki/Prometheus Perhaps this is key? "He was a champion of human-kind known for his wily intelligence, who stole fire from Zeus and gave it to mortals." I await the liver-hungry Pure Digital. :wink:

bobbarker- 04-25-2009

Eh GCC/its dependencies ain't enough...waiting for C++ Visual Studio...bleh...

nicknaggriff- 04-26-2009

compiled it... and... HOLY SHIT IT WORKS!

anewguy- 04-27-2009

Great, it works for Windows. Now, can anyone tell us how to adapt this stuff to Linux? Dave

BillW- 04-27-2009

To adapt it to linux, you'll need to make it work with openssl instead of the windows crypto. The main obstacle you have here is that the Windows code doesn't directly provide an initialization vector, but rather generates it using some data from a table. But if you create an openssl version that uses an all-zero IV, you can discover the real IV with a known challenge+response. You take the first 8 bytes of the real response and xor them with the response generated with the all-zero IV implementation. The result is what you should use as your new IV. This was the method my onetimebrute program used to determine the IV. Alternatively, there may be some way of pulling the IV out of the key handle in the M$ crypto API, but I'm a lot more familiar with openssl, so I'd just grab the IV as I described above. If you're not well versed in chain block ciphers, I'm probably talking greek to you... I was hoping to provide a code example, but someone deleted my onetimebrute program from sourceforge! :roll: Edit - found it elsewhere: http://freelowell.com/downloads/camcorderpage/files.html

anewguy- 04-27-2009

I don't know ANYTHING about encryption, etc.. The last I worked with anything that doesn't even come close was generating hash keys for random access files. This is completely new to me! I copied the code here, as well as got your zip file. Guess I need to look at the code, and then go hunting on the net to see what pieces do as I get to them. Thanks! Dave BTW - dumb question, but consider it's coming from me: when I merged avidownload and pv2tools to make the common program that handles the cameras and the camcorders in one and also works for Windows and Linux, I don't show the key unless the device has been unlocked. I know that one of the versions of ops or something will show the key so you can plug it into a key-gen. How did you read the key before unlocking? (I'm probably just being stupid here, right?). Thanks Dave :) :)

BillW- 04-28-2009

The camcorders respond to a few commands prior to unlocking... One of them is the challenge retrieval command, since the PD processing station need to get a cam's challenge before it can calculate the response and send it back. RE:encryption, I'd highly recommend starting with the wikipedia pages on Chain Block Ciphers, RC2, and linked pages therein. Before you start coding, make sure you have the basic concepts straight in your head - e.g. What an IV is, the difference between a crypto hash and a cipher, etc. Have fun! :D

anewguy- 04-28-2009

Thanks BillW!! I think I'll change my code around a bit to try to read the key if not unlocked - it will be interesting to see what happens if it is the still camera instead of the camcorder. Thanks for the heads-up for places to start to try to understand this encryption business. It might be interesting for me, even though I'm an old guy and on disability to boot. At least now, as long as I put the prog. in this thread in Windows I won't need to worry about new camcorders. I had wanted to get a couple more but was leary because of the 17 challenge. Thanks again!! Dave :)

Oisin- 05-09-2009

Ai Prometheus! May the chthonic gods never bank thy fires! MY bilious liver would give them ol' birdies indigestion! Good to know you are still watching over us, like a guardian spirit with an enormous handlebar mustache.
