[linux-dvb] @Sky Pilot, Neotion Pilot, Checksum hacking

[linux-dvb] @Sky Pilot, Neotion Pilot, Checksum hacking

[Juergen Urban]

Hello,

I didn't find a DVB-S driver for the Neotion Pilot (aka @Sky Pilot with 
@SkyChip, USB v1.0), so I decided to write it on my own. In my german blog 
http://satfreak.blog.de/ I write something about the reverse engineering 
process. Now I've a problem with the 1-byte-checksum calculation. Each message 
which I send to the device has a checksum (last byte). I don't know how to 
calculate the checksum.
Did someone know how to reverse engineer a 1-byte-checksum?
Did someone see these type of messages before?
Did someone detect any algorithm in the checksum values?

Here are examples:

static unsigned char ep03_msg109[] = {
	0x81, 0x05, 0x01, 0x00, 0x02, 0x01, 0x06, 0x00,
	0x01, 0xd0, 0x1e, 0x01, 0x00,
	0xca /* Checksum */
};

static unsigned char ep03_msg110[] = {
	0x81, 0x05, 0x01, 0x00, 0x02, 0x01, 0x06, 0x00,
	0x01, 0xd0, 0x1f, 0x01, 0x00,
	0xcb /* Checksum */
};

In the above example the checksum is incremented by one and there is also one 
byte incremented by one in the payload (0x1e -> 0x1f and 0xca -> 0xcb). this 
seems to be a simple addition.

static unsigned char ep03_msg111[] = {
	0x81, 0x05, 0x01, 0x00, 0x02, 0x01, 0x06, 0x00,
	0x01, 0xd0, 0x20, 0x01, 0x00,
	0xf4 /* Checksum */
};

In the next example the byte is further incremented, but the checksum changes 
much more (0x1f -> 0x20 and 0xcb -> 0xf4).

The device doesn't respond to a message with the wrong checksum. I used this 
to try all values until I found the correct one, but this needs some seconds. 
This behaviour will not be acceptable within a DVB driver.

Much more examples are in my test code which currently uses libusb-1.0:
http://www.pastie.org/519407

Best regards
Juergen Urban

_______________________________________________
linux-dvb users mailing list
For V4L/DVB development, please use instead linux-media@vger.kernel.org
linux-dvb@linuxtv.org
http://www.linuxtv.org/cgi-bin/mailman/listinfo/linux-dvb

Re: [linux-dvb] @Sky Pilot, Neotion Pilot, Checksum hacking

[Andreas Oberritter]

Juergen Urban wrote:
> Now I've a problem with the 1-byte-checksum calculation. Each message 
> which I send to the device has a checksum (last byte). I don't know how to 
> calculate the checksum.
> Did someone know how to reverse engineer a 1-byte-checksum?
> Did someone see these type of messages before?
> Did someone detect any algorithm in the checksum values?
> 
> Here are examples:
> 
> static unsigned char ep03_msg109[] = {
> 	0x81, 0x05, 0x01, 0x00, 0x02, 0x01, 0x06, 0x00,
> 	0x01, 0xd0, 0x1e, 0x01, 0x00,
> 	0xca /* Checksum */
> };
> 
> static unsigned char ep03_msg110[] = {
> 	0x81, 0x05, 0x01, 0x00, 0x02, 0x01, 0x06, 0x00,
> 	0x01, 0xd0, 0x1f, 0x01, 0x00,
> 	0xcb /* Checksum */
> };
> 
> In the above example the checksum is incremented by one and there is also one 
> byte incremented by one in the payload (0x1e -> 0x1f and 0xca -> 0xcb). this 
> seems to be a simple addition.
> 
> static unsigned char ep03_msg111[] = {
> 	0x81, 0x05, 0x01, 0x00, 0x02, 0x01, 0x06, 0x00,
> 	0x01, 0xd0, 0x20, 0x01, 0x00,
> 	0xf4 /* Checksum */
> };

It's a simple XOR of all bytes with an initial value of 0x84.

unsigned int calc_cs(const unsigned char *buf, unsigned int n)
{
        unsigned int i, cs = 0x84;

        for (i = 0; i < n; i++)
                cs ^= buf[i];

        return cs;
}

Regards,
Andreas

Re: [linux-dvb] @Sky Pilot, Neotion Pilot, Checksum hacking

[Juergen Urban]

On Monday 22 June 2009 07:13:49 Andreas Oberritter wrote:
> Juergen Urban wrote:
> > Now I've a problem with the 1-byte-checksum calculation. Each message
> > which I send to the device has a checksum (last byte). I don't know how
> > to calculate the checksum.
> > Did someone know how to reverse engineer a 1-byte-checksum?
> > Did someone see these type of messages before?
> > Did someone detect any algorithm in the checksum values?
> >
> > Here are examples:
> >
> > static unsigned char ep03_msg109[] = {
> > 	0x81, 0x05, 0x01, 0x00, 0x02, 0x01, 0x06, 0x00,
> > 	0x01, 0xd0, 0x1e, 0x01, 0x00,
> > 	0xca /* Checksum */
> > };
> >
> > static unsigned char ep03_msg110[] = {
> > 	0x81, 0x05, 0x01, 0x00, 0x02, 0x01, 0x06, 0x00,
> > 	0x01, 0xd0, 0x1f, 0x01, 0x00,
> > 	0xcb /* Checksum */
> > };
> >
> > In the above example the checksum is incremented by one and there is also
> > one byte incremented by one in the payload (0x1e -> 0x1f and 0xca ->
> > 0xcb). this seems to be a simple addition.
> >
> > static unsigned char ep03_msg111[] = {
> > 	0x81, 0x05, 0x01, 0x00, 0x02, 0x01, 0x06, 0x00,
> > 	0x01, 0xd0, 0x20, 0x01, 0x00,
> > 	0xf4 /* Checksum */
> > };
>
> It's a simple XOR of all bytes with an initial value of 0x84.
>
> unsigned int calc_cs(const unsigned char *buf, unsigned int n)
> {
>         unsigned int i, cs = 0x84;
>
>         for (i = 0; i < n; i++)
>                 cs ^= buf[i];
>
>         return cs;
> }
>
> Regards,
> Andreas
>

Thanks. I didn't thought that a simple XOR has this effect. Now I see that the 
initial value of 0x84 is same as 0x81 ^ 0x05, so the first 2 bytes are not part 
of the message. I got it working in my test application.

Best regards
Juergen Urban