
Firmware Versions


  1. sephail

    sephail Active Member

    Are you sure it's using FUSCrypt.dll? I didn't see that in the import table of NPSMitsBinaryUpgrade.exe.
  2. cpwood

    cpwood Active Member

    Another techie post, sorry.. ;)

    Not sure there would be anything in the import table if it's COM+? Wouldn't it load it via its CLSID? I didn't notice any imports for other NPS files either.

    The downloads come from fus.samsungmobile.com, so it's a logical assumption that it's the correct DLL, but not guaranteed to be right of course.

    If it's definitely using FUSCrypt.dll and the Import routines don't work, it would suggest that the crypto keys are hard-coded rather than communicated to the client. Windbg might be useful whilst performing a genuine NPSMitsBinaryUpgrade.exe download if so. Might give away the secret keys...

    Since my last post, I wrote a brute force checker as I described. Nothing showing up for September yet, but it did find the following August releases (all of which we already know about). The download links are useless of course as we can't decrypt the files....

    Operator: O2 UK, CSC: I7500O2UIH2, Firmware: I7500XXIH6
    http://fus.samsungmobile.com/Phone_Binary/6/GT-i7500I7500O2UIH2I7500XXIH6I7500XXIH6_500.zip.enc

    Operator: O2 DE, CSC: I7500VIAIH4, Firmware: I7500XXIH8
    http://fus.samsungmobile.com/Phone_Binary/6/GT-i7500I7500VIAIH4I7500XXIH8I7500XXIH8_500.zip.enc

    Operator: Vodafone IT, CSC: I7500ITVIH2, Firmware: I7500XXIH7
    http://fus.samsungmobile.com/Phone_Binary/6/GT-i7500I7500ITVIH2I7500XXIH7I7500XXIH7_500.zip.enc

    All of academic interest really, rather than practical usefulness :(

    Chris
  3. sephail

    sephail Active Member

    Chris,

    It definitely uses FUSCrypt.

    I'm at the same stage here. The GeneratePasswordSymmetricKey() function seems to work just fine. However, it looks like both a symmetric key and public key pair need to be loaded before DecryptFileThread() will work. Hmm.

    Under the assumption that they're using that (and since it throws an error message to the window handler you specify if the decryption fails), I'm going to try to brute force it with all the strings (about 3000 unique -- should be done in ~4 hours) from the executable tonight. I'm probably grasping at straws, but... whatever. I'll let you know when that fails... ;-)

    Strangely enough, it's running now and matching on very weird strings like: )]"\"] and 0<<,_
    but of course, the .zip files decrypted with the keys generated from those passwords aren't valid.

    Really, though, it seems kind of silly to think that the key would be hard-coded. If I had to guess, I'd say it's sent somewhere in the GetBinaryInfo.php exchange with fus.samsungmobile.com.

    For completeness' sake, I've also come up with a few more firmware releases from July:

    GT-i7500I7500BOGIG2I7500XXIG1I7500XXIG1
    GT-i7500I7500BOGIG8I7500XXIG8I7500XXIG8
    GT-i7500I7500ITVIG1I7500XXIG1I7500XXIG1
    GT-i7500I7500ITVIG6I7500XXIG8I7500XXIG8
    GT-i7500I7500MSRIG4I7500XXIG6I7500XXIG6
    GT-i7500I7500MSRIG5I7500XXIG7I7500XXIG7
    GT-i7500I7500MSRIG6I7500XXIG8I7500XXIG8
    GT-i7500I7500O2UIG5I7500XXIG8I7500XXIG8
    GT-i7500I7500VIAIG6I7500XXIG8I7500XXIG8

    some of which I've already seen floating around. I haven't bothered going back further than that.

    ::sigh:: Now for some sleep.
  4. m4j3r

    m4j3r Member

    You must hack their site to get the latest firmware.
    Only in Samsung :D
  5. cpwood

    cpwood Active Member

    Sephail,

    Good luck with that! I agree that it's difficult to believe that the strings are hardcoded, but worth a crack. I too had a moment where I saw the file decrypting and thought "I've cracked it!", only just to get an invalid zip file!

    Are you finding that the ImportPublicKeyBase64 and ImportSymmetricKeyBase64 methods don't work too? I captured some public keys and symmetric keys via Fiddler2 and whilst they're valid base64, it just refuses to load them. Same if I generate my own key/symmetric key, export them (ExportPublicKeyBase64 / ExportSymmetricKeyBase64) and then try and import them again. Completely refuses.

    Interesting that there was an O2 UK firmware for the UK back in July. Must have been what they did their accreditation testing with (I believe it failed initially).

    If nothing else we can produce a complete history of firmwares now. That kind of thing has been done by piecing together pieces of information from the community up to now.

    Good luck!

    Chris
  6. coipu

    coipu Active Member

    I'm no clever dude, but I couldn't even download the stuff you said. I just got this come up in my browser:
    GETPUBKEY=BgIAAACkAABSU0ExAAQAAAEAAQBLkRxedbb7YE15wHuDYnVNmzD/RRXRAQ8HMu+q7fkQ7TQNckTKID3cp+rxcUBRJ9Eu2os4IL6sO++e58yZkCTAJp5Rfa5jwDQS0dtvpEXyHpwMPdT/s5RqVLmy+abiJ3BErnkoFLmhXgkBLNJWsLOC77gWyj5xi0VoUnjyALFtvQ==
  7. Rastaman-FB

    Rastaman-FB Well-Known Member

    use chrome or IE


    Wow guys, good find. I wish I could help out somehow, but I'm low skilled when it comes to stuff like what you are talking about.

    It's nice to see that you can pull a list though, and that O2 UK is there prior to this new update.
    If only for the CSC.
    How did people obtain these software versions for use with Odin before?
  8. cpwood

    cpwood Active Member

    Hey coipu,

    That's actually quite interesting that you got that. Which web browser are you using?

    Chris
  9. sephail

    sephail Active Member

    That key comes straight from GetPUBKEY.php. Here's the whole exchange:

    POST /GetPUBKEY.php HTTP/1.1
    Accept: */*
    Cache-Control: no-cache
    Ryeol-Magic: My Magic Header
    User-Magic: User's Magic Header
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: fus.samsungmobile.com
    Content-Length: 0
    Connection: Keep-Alive

    HTTP/1.1 200 OK
    Date: Sat, 19 Sep 2009 18:50:40 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-Powered-By: PHP/5.1.6
    Content-type: text/html
    Via: 1.1 s0-kt10-sel (jaguar/3.0-11), 1.1 usls02slh009 (jaguar/3.0-11)
    Connection: close

    GETPUBKEY=BgIAAACkAABSU0ExAAQAAAEAAQBLkRxedbb7YE15wHuDYnVNmzD/RRXRAQ8HMu+q7fkQ7TQNckTKID3cp+rxcUBRJ9Eu2os4IL6sO++e58yZkCTAJp5Rfa5jwDQS0dtvpEXyHpwMPdT/s5RqVLmy+abiJ3BErnkoFLmhXgkBLNJWsLOC77gWyj5xi0VoUnjyALFtvQ==

    Presumably that's then used to send the public key of the pair generated by FUSCrypt, but we'd need to know the decrypted content in order to re-generate the requests. Maybe we can grab the keys from memory after they're generated to decrypt the session, but... what a pain.

    As expected, my attempt from last night failed. Interestingly, here are the passwords it reports to have worked on one of the .zip.enc files I tested with. (It may be possible that each binary has a different key, too.):

    Success: )]\"\\\"]
    Success: \t0\t@\t
    Success: 0<<,_
    Success: -455
    Success: 5drD
    Success: *\tA\t(\t
    Success: .?AUIRegistrarBase@@
    Success: D$4PU
    Success: D$lPQ
    Success: g?w&
    Success: [hmm
    Success: !jD}
    Success: +\t<\tK\t(\t
    Success: Kb:gck(W
    Success: L&177
    Success: *\tM\t0\t>\t
    Success: W0~0[0
    Success: wcstol
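    As an added example (not code from the thread, and not Samsung's NPS or FUSCrypt code), the GETPUBKEY value quoted above decodes as a Windows CryptoAPI PUBLICKEYBLOB. This Python parser walks the BLOBHEADER and RSAPUBKEY structures and reports the algorithm id, key size and public exponent, which is what you would record when assessing what the server hands to the client; the only input is the response body copied from the thread.

```python
import base64
import struct

# Windows CryptoAPI constants from wincrypt.h.
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400   # RSA key-exchange key
CALG_RSA_SIGN = 0x00002400   # RSA signature key
RSA1_MAGIC = 0x31415352      # b"RSA1" read as a little-endian DWORD
ALG_NAMES = {CALG_RSA_KEYX: "CALG_RSA_KEYX", CALG_RSA_SIGN: "CALG_RSA_SIGN"}

# Sample input: the GETPUBKEY body quoted in the thread, copied verbatim.
GETPUBKEY_RESPONSE = (
    "GETPUBKEY="
    "BgIAAACkAABSU0ExAAQAAAEAAQBLkRxedbb7YE15wHuDYnVNmzD/RRXRAQ8HMu+q7fkQ7T"
    "QNckTKID3cp+rxcUBRJ9Eu2os4IL6sO++e58yZkCTAJp5Rfa5jwDQS0dtvpEXyHpwMPdT/"
    "s5RqVLmy+abiJ3BErnkoFLmhXgkBLNJWsLOC77gWyj5xi0VoUnjyALFtvQ=="
)


def parse_capi_rsa_pubkey(blob: bytes) -> dict:
    """Parse a CryptoAPI PUBLICKEYBLOB: BLOBHEADER, RSAPUBKEY, then the
    modulus as a little-endian integer of bitlen/8 bytes."""
    if len(blob) < 20:
        raise ValueError("blob too short for BLOBHEADER + RSAPUBKEY")
    btype, bversion, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    if btype != PUBLICKEYBLOB or bversion != CUR_BLOB_VERSION:
        raise ValueError(f"not a v2 PUBLICKEYBLOB: type={btype:#x} ver={bversion:#x}")
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if magic != RSA1_MAGIC:
        raise ValueError(f"bad RSAPUBKEY magic {magic:#x}")
    mod_len = bitlen // 8
    modulus_le = blob[20:20 + mod_len]
    if len(modulus_le) != mod_len:
        raise ValueError("modulus truncated")
    return {
        "alg": ALG_NAMES.get(alg_id, hex(alg_id)),
        "bits": bitlen,
        "e": pubexp,
        "n": int.from_bytes(modulus_le, "little"),
        "trailing": len(blob) - 20 - mod_len,  # non-zero means data after the modulus
    }


def parse_getpubkey_response(body: str) -> dict:
    """Split the 'GETPUBKEY=<base64>' body and decode the blob. The base64 uses
    '+' and '/', so a form decoder that maps '+' to space would corrupt it."""
    name, _, b64 = body.strip().partition("=")
    if name != "GETPUBKEY":
        raise ValueError(f"unexpected field {name!r}")
    return parse_capi_rsa_pubkey(base64.b64decode(b64, validate=True))
```

    On the quoted response this reports a 1024-bit CALG_RSA_KEYX key with e = 65537, i.e. a key-exchange key, consistent with the encrypted symmetric-key import/export scheme sephail works out further down the thread.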
  10. sephail

    sephail Active Member

    Another thought:

    IF all of the software revisions use the same key, here's a way that's likely to work:
    - Use NPSMitsBinaryUpgrade.exe and get to the stage where it's downloading the zip.enc
    - Pause the process until it times out or kill the net connection
    - It'll ask if you want to retry. Meanwhile, set up a quick webserver and either modify the hosts file (if it does another DNS lookup) or set up an iptables rule on your router to forward the resolved IP to your webserver
    - It should grab your .zip.enc instead and perform the decryption for you.

    If it successfully grabs the file but can't decrypt it, this will tell us that we're going to have to decrypt the exchange between the client and fus to get the key...
  11. sephail

    sephail Active Member

    I'm having the same issue with ImportPublicKeyBase64/ImportSymmetricKeyBase64. Neither of them seems to work. I can gen the pairs randomly or from a password and successfully use the crypto, but that's not particularly useful unless the server is providing a password or the key is fixed. I wonder if we're missing something here...
  12. sephail

    sephail Active Member

    Also, the SYMKEY values from each of our client_login captures are different. This makes me think they're using GenerateRandomSymmetricKey().
  13. pegasus21

    pegasus21 Well-Known Member

    Interesting. BTW does the update program send your firmware version to the server then the server returns with the firmware to update to or is there a list that the program checks to see if there's an update?
  14. sephail

    sephail Active Member

    Well, since I'm using an IFx release of NPS to get IHx firmware, it's clearly getting a list of releases from the server (unless someone at Samsung is really good at predicting the future). Hehe.

    Here's what the request to GetPatch.php looks like:

    BODYR=e509iKAdVgRyfihAtWM%2BRpq5x5WMM%2Bamn55MPJpM4HQh66faOiZRF6aFsJSOH5Elns2PVLNtzlBYXbCvjL3VuDQpcBsOXg3JDROQ3irCmq62JrzpO0QXl4NYgE9f6PJmhq6G3VTiEu1WxohzOvFZ4TFwsEyM1KuorAhCIuX06pTiMV8IhsfczT1bX81SaEZtEmIkKxaMsDD7ow0K%2F%2B4sZmJeZRu3KhEdMZLx0zdTAdcuJrUTMcZCPNlXp%2BjzTkqLGWcdoL7hRNo8p9yOMpTV5A%3D%3D&MODEL=I7500VIAIH4%7EI7500XXIH8%7EI7500XXIH8&TEMPID=f3815af7260063634cbd0e69a7ccd261

    As you can see, it sends the CSC and firmware versions.
  15. ressu

    ressu Well-Known Member

    TEMPID is gotten from login.php and BODYR doesn't make any sense (to me) if you decode it. It's base64 encoded, which is easy to identify from the == in the end (urldecode it first).

    It's pretty hard to understand why the secrecy, most other operators freely provide the firmwares, it's cheaper for them that way. Oh well..
  16. sephail

    sephail Active Member

    There's a function in FUSCrypt called DecryptTextBase64, which I'm pretty sure is how you're supposed to decode that. But if we can't get the keys loaded, we can't use it...
  17. GalaxyMeh

    GalaxyMeh Well-Known Member

    Don't mean to hijack the thread, but I see some knowledgeable Galaxy firmware discussion here, and I thought someone could help me flash the original camera firmware version. In fact, I'm willing to contribute $50 for instructions on how to do that (returning the phone would be more expensive and would benefit some shipping company rather than a hacker).
  18. koy

    koy Active Member

    Another way to do it is to flash your ROM with some old firmware, so that it will recognize the device and want to update it. After it downloads the update (h8 in that case), you don't click "next" but you replace the tar file it downloaded with the new tar file (rename it). That way it'll decrypt the file for you.
  19. sephail

    sephail Active Member

    Yes, but in this case I don't have the UK O2 CSCs (and haven't seen that anyone else does, either), so that method is not possible for when I4 becomes available (which it is not yet), unless someone who already has UK firmware does it and sends us the unencrypted .zip/.tar...
  20. b33r

    b33r Member

    Sorry, I half stopped following the thread as it went into an area I had no idea about lol. Is that something I could help with?

    EDIT: Actually I've just read what you were referring to, don't think I'd really wanna do that...
  21. sephail

    sephail Active Member

    Once the firmware is released on Samsung's servers, sure!
  22. sephail

    sephail Active Member

    It's pretty simple and doesn't involve flashing your device at all. Basically, you just pretend you want to update and grab the .tar after it downloads/decrypts/unzips it, then cancel the update. It's your choice, of course.
  23. sephail

    sephail Active Member

    Okay, it looks like the crypto functions are actually pretty straightforward. As far as I can tell at this point, this is what's happening:

    The public key crypto functions look like they're strictly there to support the symmetric key import/export functions. First, you import the server's public key. Then, you generate your own public key pair, the public portion of which you can then export. (This is what I believe is sent to fus in client_login.)

    Then, the symmetric key import/export functions become available to import/export encrypted symmetric keys. You can import a symmetric key (that was encrypted with your public key) from the server. You can also export the symmetric key encrypted with the server's public key, which the server can then import. Or, you can just generate one with a passphrase.

    Chris,
    I was previously under the assumption that we could import/export "cleartext" symmetric keys, which I don't believe we can. Judging by your previous post, I think that was the assumption you were under as well.
  24. webants

    webants Member

    XEN XEB I7500XXIH2 is what they updated my i7500 with today, haven't heard anything about this version..

    Had to send my i7500 in because it died. Got a new mainboard and a software 'update' to XEN XEB I7500XXIH2 ehum.. sounds not like an update to me but I will check when I get the phone back..
  25. sephail

    sephail Active Member

    Okay, I can obtain whatever firmware is available on fus and decrypt it. If anyone has any requests, let me know. I know the UK CSC was wanted, so I'll post that soon.