PSAS Support Forum

 Post subject: I need some help in decrypting firmware
PostPosted: Thu Jan 14, 2010 3:00 pm 

Joined: Wed Feb 18, 2009 2:52 pm
Posts: 35
Hello, I have a firmware for some home controlling device; it's Atmel based (ARM7), so it's rather close to the main idea of this forum. Once I had a power loss, and after that the memory of my device somehow got wiped out. I used a Segger J-Link to read the memory and it was FFFFFF... I've tried to write something to the device, and it can be read back quite easily. So I have to write some firmware to the Atmel. I have an app for programming that device; it can update firmware, make some changes, etc. I found the firmware file in that app's system folder, and the firmware is encrypted. I'll attach it here.
You may open it, for example, in Microsoft Word, as it's not a binary, and I recommend those who may help me to start with Word, because the firmware is XML-based.
You can see that it flashes to the device in 256-byte blocks. From address 0 onward you may see two MD5 hashes and a firmware block. It's easy to guess that it's encrypted with base64; moreover you may see that the first part of the block
Code:
VG3GC4Ypete5QDHTo6yR2Wmr9l3spxJfmcTAXx/1rCeB5cLltfXwU8bdpqSOiHz7LMp6g7hmDm2ul0zdhuaoLnksw888/rtnYUW5d80ZOQWLmafuUlIDBPBNlEITqwbX

is the same for every firmware part.
OK, for now, if we just decrypt the base64 and compute the MD5 hash, it matches one of the hashes written above. If we just remove the part which is the same for all blocks, then the firmware size doesn't match 256 bytes; moreover, it's clear that the firmware is still encrypted, as I suppose we have to see some firmware header in the first block, while we can see only some crazy hex.

OK. As for me, I couldn't get any further; anyway, I suppose that I had to start with the last blocks, which seem to be FFFFFFFFFFFFFFF (in the decrypted firmware). We may see that for the last few blocks the encrypted parts are the same and the hashes are the same, so FFFF should make clear why it is so. While we know the potential code, we may try to decrypt the last block and find out how it is encrypted.

You may notice that the first part of the block, which is the same for every firmware slice, is 128 bytes long, while decrypted with base64 it's 96 bytes long. All those sizes suit encryption keys, as for me, but I can't figure out what type of encryption is used.

I know that it may take some time to help me, but if you can support me somehow, I may pay. Any answer will be much appreciated.


Attachments:
File comment: firmware
nc_zw_eu.zip [52.19 KiB]
Downloaded 23 times
 Post subject: Re: I need some help in decrypting firmware
PostPosted: Fri Jan 15, 2010 12:21 am 

Joined: Wed Feb 11, 2009 11:28 pm
Posts: 22
It would help to know which device it is.
You can PM me if you want to keep it confidential.


 Post subject: Re: I need some help in decrypting firmware
PostPosted: Fri Jan 15, 2010 12:41 am 

Joined: Wed Feb 18, 2009 2:52 pm
Posts: 35
It's not a secret, but I don't know how it can help. It's a "Nevo Connect NC-50", AT91SAM7S128 based.


 Post subject: Re: I need some help in decrypting firmware
PostPosted: Fri Jan 15, 2010 1:05 pm 

Joined: Mon Sep 22, 2008 3:46 pm
Posts: 1061
If you've got the full firmware dump, it should be no problem.

But trying to decrypt this encrypted file won't be easy as it could be any algorithm.


 Post subject: Re: I need some help in decrypting firmware
PostPosted: Fri Jan 15, 2010 1:13 pm 

Joined: Wed Feb 18, 2009 2:52 pm
Posts: 35
I have one more working device, but I can't dump its firmware; I don't know why. The core is not identified, the pinout is 100% correct, and the soldering was rechecked 100 times; it seems that on a working firmware something prevents me from JTAGging.
The only thing I have is the app, which writes the firmware via USB while the device is working. I suppose that it might be possible to disassemble it and search for the algorithm, but I'm too much of a noob for such projects(

According to what you've said, I'm sure we have some kind of full dump. Each block is encrypted individually, with no involvement of other blocks; it's absolutely clear. As the last blocks of 256 bytes are the same, I suppose in binary they are FFFFFFFFFFFFFFFF or 000000000000000; we know the size, it's 256. I'll post a block here to make my idea clear.
Code:
<Segments>
  <Start>32000</Start>
    <Prehash>
       <Algorythm>MD5</Algorythm>
       <Value>348a9791dc41b89796ec3808b5b5262f</Value>
    </Prehash>
    <Posthash>
       <Algorythm>MD5</Algorythm>
       <Value>8137f01019e55a5958dfe90da32cf612</Value>
    </Posthash>
    <Imagesize>256</Imagesize>
    <Presize>124</Presize>
    <Image>VG3GC4Ypete5QDHTo6yR2Wmr9l3spxJfmcTAXx/1rCeB5cLltfXwU8bdpqSOiHz7LMp6g7hmDm2ul0zdhuaoLnksw888/rtnYUW5d80ZOQWLmafuUlIDBPBNlEITqwbX1aeZlNkPNE0wtvOVbwXMuLTwnt79uYJnKm82AWmB9iE=</Image>
</Segments>

Let's convert <Image> from base64 to binary. We'll get this binary:
Code:
546DC60B86297AD7B94031D3A3AC91D969ABF65DECA7125F99C4C05F1FF5AC2781E5C2E5B5F5F053C6DDA6A48E887CFB2CCA7A83B8660E6DAE974CDD86E6A82E792CC3CF3CFEBB676145B977CD1939058B99A7EE52520304F04D944213AB06D7D5A79994D90F344D30B6F3956F05CCB8B4F09EDEFDB982672A6F36016981F621

If we compute the hash, it will be
Code:
8137F01019E55A5958DFE90DA32CF612
It's clear that it matches Posthash.

The first part of the block
Code:
VG3GC4Ypete5QDHTo6yR2Wmr9l3spxJfmcTAXx/1rCeB5cLltfXwU8bdpqSOiHz7LMp6g7hmDm2ul0zdhuaoLnksw888/rtnYUW5d80ZOQWLmafuUlIDBPBNlEITqwbX

is the same for every block; if we just remove it, we receive
Code:
1aeZlNkPNE0wtvOVbwXMuLTwnt79uYJnKm82AWmB9iE=

which is, base64->binary,
Code:
D5A79994D90F344D30B6F3956F05CCB8B4F09EDEFDB982672A6F36016981F621

It's 32 bytes, while we need 256 bytes; moreover, it would be very strange to have the same hex in the previous few blocks. I suppose that the needed binary is
Code:
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

So what is the algorithm to convert the previous 32-byte code to 256-byte FFFFFF? If some app for such calculations exists, I'm ready to calculate that algorithm for a few months 24/7.


 Post subject: Re: I need some help in decrypting firmware
PostPosted: Sun Jan 17, 2010 2:08 pm 

Joined: Mon Sep 22, 2008 3:46 pm
Posts: 1061
It must be some compression then.
I strongly guess it must be LZMA or gzip; both are supported by QMAT.


 Post subject: Re: I need some help in decrypting firmware
PostPosted: Sun Jan 17, 2010 2:30 pm 

Joined: Wed Feb 18, 2009 2:52 pm
Posts: 35
I cannot decompress it; maybe some header for each part is missing?


Last edited by vorkachev on Sun Jan 17, 2010 2:30 pm, edited 1 time in total.

 Post subject: Re: I need some help in decrypting firmware
PostPosted: Tue Jan 19, 2010 10:13 am 

Joined: Mon Sep 22, 2008 3:46 pm
Posts: 1061
Could be. I will have a look at it on the weekend.


 Post subject: Re: I need some help in decrypting firmware
PostPosted: Tue Jan 19, 2010 11:02 am 

Joined: Wed Feb 18, 2009 2:52 pm
Posts: 35
Thanks, Viperbjk, I respect it very much; I'll contribute for any help)


 Post subject: Re: I need some help in decrypting firmware
PostPosted: Mon Feb 08, 2010 3:44 pm 

Joined: Wed Feb 18, 2009 2:52 pm
Posts: 35
If someone is still kind enough to help me, I want to tell you that I'll donate $30 for that help.
For your reference, I've found out that if we take into account the last blocks, which are identical, they (decrypted) consist of
Code:
0000000000000000000[etc..]

I found out about this while trying to create 256-byte blocks filled with something and calculating their MD5.
As we know from the main file which MD5 we should get, it was quite easy to find out the encrypted value.
So finally we have the encrypted bin:
Code:
546DC60B86297AD7B94031D3A3AC91D969ABF65DECA7125F99C4C05F1FF5AC2781E5C2E5B5F5F053C6DDA6A48E887CFB2CCA7A83B8660E6DAE974CDD86E6A82E792CC3CF3CFEBB676145B977CD1939058B99A7EE52520304F04D944213AB06D7D5A79994D90F344D30B6F3956F05CCB8B4F09EDEFDB982672A6F36016981F621

and the decrypted bin
Code:
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

As we know, the first part of the encrypted binary is the same for all blocks; it may be a dictionary for the archive or some key. Anyway, if we truncate it, we will see that finally the encrypted bin is
Code:
D5A79994D90F344D30B6F3956F05CCB8B4F09EDEFDB982672A6F36016981F621

And it should become 256 bytes of 0000000000.
How it can be done I don't know.
Please, someone, $30 by PayPal, really; I'm sure it's an easy task for you, as you're a pro.
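The checks walked through in the two longer posts above (base64-decoding <Image>, comparing its MD5 with <Posthash>, measuring the constant 96-byte prefix, and testing whether <Prehash> is the MD5 of a 256-byte block of one fill value), as an added Python example that is not from the thread or from the vendor's tooling. The segment is the one quoted in the thread; build_segment_xml is a constructed helper that emits the same layout so the checks can be exercised on known data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# The <Segments> block quoted in the thread (address 32000), reflowed onto fewer lines.
PAGE_SEGMENT = """<Segments>
  <Start>32000</Start>
  <Prehash><Algorythm>MD5</Algorythm><Value>348a9791dc41b89796ec3808b5b5262f</Value></Prehash>
  <Posthash><Algorythm>MD5</Algorythm><Value>8137f01019e55a5958dfe90da32cf612</Value></Posthash>
  <Imagesize>256</Imagesize>
  <Presize>124</Presize>
  <Image>VG3GC4Ypete5QDHTo6yR2Wmr9l3spxJfmcTAXx/1rCeB5cLltfXwU8bdpqSOiHz7LMp6g7hmDm2ul0zdhuaoLnksw888/rtnYUW5d80ZOQWLmafuUlIDBPBNlEITqwbX1aeZlNkPNE0wtvOVbwXMuLTwnt79uYJnKm82AWmB9iE=</Image>
</Segments>"""

def parse_segment(xml_text):
    """Pull the fields of one <Segments> element and decode its base64 <Image>."""
    root = ET.fromstring(xml_text)
    return {
        "start": int(root.findtext("Start")),
        "imagesize": int(root.findtext("Imagesize")),
        "prehash": root.findtext("Prehash/Value").strip().lower(),
        "posthash": root.findtext("Posthash/Value").strip().lower(),
        "image": base64.b64decode(root.findtext("Image").strip()),
    }

def verify_posthash(seg):
    """Posthash is the MD5 of the decoded <Image>, i.e. of the blob as transmitted."""
    return hashlib.md5(seg["image"]).hexdigest() == seg["posthash"]

def prehash_is_filled_with(seg, fill):
    """The thread's guess: is Prehash the MD5 of Imagesize bytes all equal to `fill`?"""
    return hashlib.md5(bytes([fill]) * seg["imagesize"]).hexdigest() == seg["prehash"]

def common_prefix_len(images):
    """Length of the byte prefix shared by all decoded images (96 bytes in the thread)."""
    n = min(len(b) for b in images)
    i = 0
    while i < n and all(b[i] == images[0][i] for b in images):
        i += 1
    return i

def build_segment_xml(start, plain, image):
    """Constructed test helper (not the vendor's generator): same layout,
    Prehash over the plaintext block, Posthash over the encoded image bytes."""
    return ("<Segments><Start>%d</Start>"
            "<Prehash><Algorythm>MD5</Algorythm><Value>%s</Value></Prehash>"
            "<Posthash><Algorythm>MD5</Algorythm><Value>%s</Value></Posthash>"
            "<Imagesize>%d</Imagesize><Image>%s</Image></Segments>"
            % (start, hashlib.md5(plain).hexdigest(), hashlib.md5(image).hexdigest(),
               len(plain), base64.b64encode(image).decode()))

if __name__ == "__main__":
    seg = parse_segment(PAGE_SEGMENT)
    print(len(seg["image"]), "bytes decoded; Posthash matches:", verify_posthash(seg))
    print("Prehash = MD5(0x00*256):", prehash_is_filled_with(seg, 0x00),
          "| MD5(0xFF*256):", prehash_is_filled_with(seg, 0xFF))
```

Running it on the quoted segment shows the 128-byte decoded size the posters measured (96-byte constant head plus a 32-byte tail); the same functions can be mapped over every <Segments> element of the update file to check which segments share the head and which Prehash values are plain fill blocks.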

