Cryptography

From MILEDROPEDIA
Jump to: navigation, search

Description

As described in the introduction to the mbmloader-replacement attack, there's a cryptographic signature in the mbmloader, which is verified by the OMAP hardware. According to Texas Instrument's documents, this cryptographic signature is based on a 128-bit RSA key((according to promotional information; moreover, the TI eFuse patent describes a 128bit key. The signing tool document says it needs sha1 and rsa. Do not confuse this key with the one used by mbmloader to check mbm further down the boot chain - that key is probably much harder to crack and is not the subject of this attack.)). By cracking that key we would be able to load a modified mbmloader that didn't verify mbm's signature, thus being able to patching mbm to not check the boot image's signature.

SHA1

Milestone, Charm Root key hash: "\x1d\x3f\xb6\x62\x79\x4d\x8c\x70\xfb\x57\xb4\xcb\x49\x2e\x27\xf6\x6f\x15\x2e\x4f"

Milestone 2 Root key hash: "\x9e\xa1\x7a\xc5\x32\x2d\xfe\x31\x96\xbc\x48\x2e\x7b\xea\xfc\x15\xf3\x78\x65\x87"

Get and compile code from https://bitbucket.org/droiddev/hash_collision_search

hg clone https://droiddev@bitbucket.org/droiddev/hash_collision_search
cd hash_collision_search
make
./hash_collision

RSA

OMAP3xxx support 2048-bits, 1024-bits and 512-bits root/primary keys.

Production Root Key:

R&D Root Key:

mbmloader keys

There can be about 7 keys in CertPK section:

  1. struct certpk {
  2. 		char cert_mark[8];
  3. 		long cert_version;
  4. 		long cert_type;
  5. 		long minver_pk;
  6. 		long minver_ppa;
  7. 		long minver_rd1;
  8. 		long minver_rd2;
  9. 		long minver_isw;
  10. 		long minver_ki;
  11. 		long minver_pau;
  12. 		long minver_pas;
  13. 		long unkn1;
  14. 		struct {
  15. 			long key_id;
  16. 			long key_type;
  17. 			long key_rights;
  18. 			long modul_length;
  19. 			long e_value;
  20. 			char modul[256];
  21. 		} root_key;
  22. 		long keys_active;
  23. 		struct {
  24. 			long key_id;
  25. 			long key_type;
  26. 			long key_rights;
  27. 			long modul_length;
  28. 			long e_value;
  29. 			char modul[256];
  30. 		} key_02;
  31. 		struct {
  32. 			long key_id;
  33. 			long key_type;
  34. 			long key_rights;
  35. 			long modul_length;
  36. 			long e_value;
  37. 			char modul[256];
  38. 		} key_03;
  39. 		struct {
  40. 			long key_id;
  41. 			long key_type;
  42. 			long key_rights;
  43. 			long modul_length;
  44. 			long e_value;
  45. 			char modul[256];
  46. 		} key_04;
  47. 		struct {
  48. 			long key_id;
  49. 			long key_type;
  50. 			long key_rights;
  51. 			long modul_length;
  52. 			long e_value;
  53. 			char modul[256];
  54. 		} key_05;
  55. 		struct {
  56. 			long key_id;
  57. 			long key_type;
  58. 			long key_rights;
  59. 			long modul_length;
  60. 			long e_value;
  61. 			char modul[256];
  62. 		} key_06;
  63. 		struct {
  64. 			long key_id;
  65. 			long key_type;
  66. 			long key_rights;
  67. 			long modul_length;
  68. 			long e_value;
  69. 			char modul[256];
  70. 		} key_07;
  71. 		long rights;
  72. 		long msv_mask;
  73. 		char zero_hole_2[120];
  74. 		struct {
  75. 			char signer_info[16];
  76. 			long signature_info;
  77. 			long key_id;
  78. 			char digest[256];
  79. 		} digest;
  80. };

Root Public Key

This is an root key. There pub key 1 (which is checked before bootloader start) in PEM format converted from pk.bin

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4X9+giOEtXjhyN84Qbbv
HdwF+CHUqKtCyTJoDL+5lVovy+enTKCVFdWFFko6O39cD0fUF4EMVCuOVWdlt5kQ
JPBYMqHVbV8653/T5ij+JNCyKWxSCZ071XQaM2RUg5YexpezSjn837UVyEm7bng1
p1+JZfpPvWEFtPC5+deGydrffg6MwHrTwf0kO0PCEJG47LWDIKuFXX/IVZj9mmOh
3gthj3xFKW2cvaem+yQrDcqxz07RAwd+++WqlISYnjL/JW2TXc/ZgfssLyryTeLo
JdLKzWWGMz42n7rhiYraejw2Cx/eGcwXL7ah5VfEj40hS5Ztposhym7Jat3ueWsP
aQIDAQAB
-----END PUBLIC KEY-----

here is parsed key:

openssl rsa -in PK1.pem -pubin -text -noout
Modulus (2048 bit):
    00:e1:7f:7e:82:23:84:b5:78:e1:c8:df:38:41:b6:
    ef:1d:dc:05:f8:21:d4:a8:ab:42:c9:32:68:0c:bf:
    b9:95:5a:2f:cb:e7:a7:4c:a0:95:15:d5:85:16:4a:
    3a:3b:7f:5c:0f:47:d4:17:81:0c:54:2b:8e:55:67:
    65:b7:99:10:24:f0:58:32:a1:d5:6d:5f:3a:e7:7f:
    d3:e6:28:fe:24:d0:b2:29:6c:52:09:9d:3b:d5:74:
    1a:33:64:54:83:96:1e:c6:97:b3:4a:39:fc:df:b5:
    15:c8:49:bb:6e:78:35:a7:5f:89:65:fa:4f:bd:61:
    05:b4:f0:b9:f9:d7:86:c9:da:df:7e:0e:8c:c0:7a:
    d3:c1:fd:24:3b:43:c2:10:91:b8:ec:b5:83:20:ab:
    85:5d:7f:c8:55:98:fd:9a:63:a1:de:0b:61:8f:7c:
    45:29:6d:9c:bd:a7:a6:fb:24:2b:0d:ca:b1:cf:4e:
    d1:03:07:7e:fb:e5:aa:94:84:98:9e:32:ff:25:6d:
    93:5d:cf:d9:81:fb:2c:2f:2a:f2:4d:e2:e8:25:d2:
    ca:cd:65:86:33:3e:36:9f:ba:e1:89:8a:da:7a:3c:
    36:0b:1f:de:19:cc:17:2f:b6:a1:e5:57:c4:8f:8d:
    21:4b:96:6d:a6:8b:21:ca:6e:c9:6a:dd:ee:79:6b:
    0f:69
Exponent: 65537 (0x10001)

so, we have:

  • Modulus n = this big value
  • Public exponent e = 65537
  • Private exponent d can be computed from this formula
    e * d == 1 (mod \lambda(n))

Public Key 2

Purpose: Using for signing PPA image

There pub key 2 in PEM format converted from pk.bin

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6fQN0oMcUWxzMgR2OQS2
D3oOcI0MrCWMMQaKyJb/VcZorJ15Fb2SSsItB4XWCRdLxz8T7KECGsASWKJhwM3K
2f/Ci5scckovs/8qxtogJUmkyyELiB+m8fIq0it6YZImK5P8FmkIiZsBa/lgErA9
VAj53c+LPdoEhWDabpFAh/N9zzYx7d1k+qx2ZBfjB236aMgMNzjldbRdI8bH7ND0
+9JK6QHUwrnqv7YooGr3EbC4xZ8VMZHklr8EhbkdvUoYRY8R90q/jb8DDsKHm9F0
PePzwiksRFy92ryeBonDWvRi4ascczGHGbQfo+gfSEETFZbw9G+WfrpWc8nH1XEI
5QIDAQAB
-----END PUBLIC KEY-----

here is parsed key:

openssl rsa -in PK2.pem -pubin -text -noout
Public-Key: (2048 bit)
Modulus:
    00:e9:f4:0d:d2:83:1c:51:6c:73:32:04:76:39:04:
    b6:0f:7a:0e:70:8d:0c:ac:25:8c:31:06:8a:c8:96:
    ff:55:c6:68:ac:9d:79:15:bd:92:4a:c2:2d:07:85:
    d6:09:17:4b:c7:3f:13:ec:a1:02:1a:c0:12:58:a2:
    61:c0:cd:ca:d9:ff:c2:8b:9b:1c:72:4a:2f:b3:ff:
    2a:c6:da:20:25:49:a4:cb:21:0b:88:1f:a6:f1:f2:
    2a:d2:2b:7a:61:92:26:2b:93:fc:16:69:08:89:9b:
    01:6b:f9:60:12:b0:3d:54:08:f9:dd:cf:8b:3d:da:
    04:85:60:da:6e:91:40:87:f3:7d:cf:36:31:ed:dd:
    64:fa:ac:76:64:17:e3:07:6d:fa:68:c8:0c:37:38:
    e5:75:b4:5d:23:c6:c7:ec:d0:f4:fb:d2:4a:e9:01:
    d4:c2:b9:ea:bf:b6:28:a0:6a:f7:11:b0:b8:c5:9f:
    15:31:91:e4:96:bf:04:85:b9:1d:bd:4a:18:45:8f:
    11:f7:4a:bf:8d:bf:03:0e:c2:87:9b:d1:74:3d:e3:
    f3:c2:29:2c:44:5c:bd:da:bc:9e:06:89:c3:5a:f4:
    62:e1:ab:1c:73:31:87:19:b4:1f:a3:e8:1f:48:41:
    13:15:96:f0:f4:6f:96:7e:ba:56:73:c9:c7:d5:71:
    08:e5
Exponent: 65537 (0x10001)

so, we have:

  • Modulus n = this big value
  • Public exponent e = 65537
  • Private exponent d can be computed from this formula
    e * d == 1 (mod \lambda(n))

Public Key 3

Purpose: Using for signing ISW image

There pub key 3 in PEM format converted from pk.bin

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA37CLGnjxQs/bZTsUm0NG
ayKxS66s0nvH4ONZrKJhI/CmMcdZkqILUf/1mIim5y3wJvvTm1u9dSEexBadXpLA
QuqeBsoWMWogbK8OdjTN9OqK2+5HUgJxL/TbjrtJ539IhVaUwXw3nkuNFmUtH02w
dtZpQ1+61DM5gnxAuiuSrqjOZz3FFDMUpwUTyWqL/UZbjwvp1N46aQTgv6XvLVTG
FTjzQAaPgy6jxyLvsXg7Ah14PuYv4WSirh8ErRYouqleRx8RmdSWDqAnGVEuOtwG
pHqLKgXV7wxlEYv5Ww5L/b88gG+bxBDX3ujvxTI/eiSykQlCTl4HgS0lE/pGvzRx
wQIDAQAB
-----END PUBLIC KEY-----

here is parsed key:

openssl rsa -in PK3.pem -pubin -text -noout
Public-Key: (2048 bit)
Modulus:
    00:df:b0:8b:1a:78:f1:42:cf:db:65:3b:14:9b:43:
    46:6b:22:b1:4b:ae:ac:d2:7b:c7:e0:e3:59:ac:a2:
    61:23:f0:a6:31:c7:59:92:a2:0b:51:ff:f5:98:88:
    a6:e7:2d:f0:26:fb:d3:9b:5b:bd:75:21:1e:c4:16:
    9d:5e:92:c0:42:ea:9e:06:ca:16:31:6a:20:6c:af:
    0e:76:34:cd:f4:ea:8a:db:ee:47:52:02:71:2f:f4:
    db:8e:bb:49:e7:7f:48:85:56:94:c1:7c:37:9e:4b:
    8d:16:65:2d:1f:4d:b0:76:d6:69:43:5f:ba:d4:33:
    39:82:7c:40:ba:2b:92:ae:a8:ce:67:3d:c5:14:33:
    14:a7:05:13:c9:6a:8b:fd:46:5b:8f:0b:e9:d4:de:
    3a:69:04:e0:bf:a5:ef:2d:54:c6:15:38:f3:40:06:
    8f:83:2e:a3:c7:22:ef:b1:78:3b:02:1d:78:3e:e6:
    2f:e1:64:a2:ae:1f:04:ad:16:28:ba:a9:5e:47:1f:
    11:99:d4:96:0e:a0:27:19:51:2e:3a:dc:06:a4:7a:
    8b:2a:05:d5:ef:0c:65:11:8b:f9:5b:0e:4b:fd:bf:
    3c:80:6f:9b:c4:10:d7:de:e8:ef:c5:32:3f:7a:24:
    b2:91:09:42:4e:5e:07:81:2d:25:13:fa:46:bf:34:
    71:c1
Exponent: 65537 (0x10001)

so, we have:

  • Modulus n = this big value
  • Public exponent e = 65537
  • Private exponent d can be computed from this formula
    e * d == 1 (mod \lambda(n))

Public Key 4

There pub key 4 in PEM format converted from pk.bin

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5UNGprRKRboeL0vrajgp
rrOTPWDdlpKmbmHcuCEybe/VGaBPVFlwdWH7Ksm1+XJAYnwO4IfSw8+L2CxtyMRU
e/hN6yCo2vSdc6HkW68HMoiSFVI3oZORmiYuf2zc1wqlprrmCR9tpeFQvKGX4kMP
Gr6n2/g+GwLpa0jR68Q8fK6v4//7akYSMl2Vt+YiJw4DlGrF6q1BBlV41ZBUDZUs
lkdTTeuqDy+gOUhfQ6W4U7DjaLuveR5jtX1KgZU4FvLVixauZo1KEsNhvYZRvLAJ
DyKMqRTyIuopDRrKYdOKEZIiU00RXJHfnxFo2KaX/ZnRqS2N+bSc3ddt82Wp0Qe4
pgIDAQAB
-----END PUBLIC KEY-----

here is parsed key:

openssl rsa -in PK4.pem -pubin -text -noout
Public-Key: (2048 bit)
Modulus:
    00:e5:43:46:a6:b4:4a:45:ba:1e:2f:4b:eb:6a:38:
    29:ae:b3:93:3d:60:dd:96:92:a6:6e:61:dc:b8:21:
    32:6d:ef:d5:19:a0:4f:54:59:70:75:61:fb:2a:c9:
    b5:f9:72:40:62:7c:0e:e0:87:d2:c3:cf:8b:d8:2c:
    6d:c8:c4:54:7b:f8:4d:eb:20:a8:da:f4:9d:73:a1:
    e4:5b:af:07:32:88:92:15:52:37:a1:93:91:9a:26:
    2e:7f:6c:dc:d7:0a:a5:a6:ba:e6:09:1f:6d:a5:e1:
    50:bc:a1:97:e2:43:0f:1a:be:a7:db:f8:3e:1b:02:
    e9:6b:48:d1:eb:c4:3c:7c:ae:af:e3:ff:fb:6a:46:
    12:32:5d:95:b7:e6:22:27:0e:03:94:6a:c5:ea:ad:
    41:06:55:78:d5:90:54:0d:95:2c:96:47:53:4d:eb:
    aa:0f:2f:a0:39:48:5f:43:a5:b8:53:b0:e3:68:bb:
    af:79:1e:63:b5:7d:4a:81:95:38:16:f2:d5:8b:16:
    ae:66:8d:4a:12:c3:61:bd:86:51:bc:b0:09:0f:22:
    8c:a9:14:f2:22:ea:29:0d:1a:ca:61:d3:8a:11:92:
    22:53:4d:11:5c:91:df:9f:11:68:d8:a6:97:fd:99:
    d1:a9:2d:8d:f9:b4:9c:dd:d7:6d:f3:65:a9:d1:07:
    b8:a6
Exponent: 65537 (0x10001)

so, we have:

  • Modulus n = this big value
  • Public exponent e = 65537
  • Private exponent d can be computed from this formula
    e * d == 1 (mod \lambda(n))

CertPPA

  1. struct certppa {
  2. 	char cert_mark[8];
  3. 	long cert_version;
  4. 	long cert_type;
  5. 	long minver_src;
  6. 	long minver_pk;
  7. 	long minver_ppa;
  8. 	long minver_rd1;
  9. 	long minver_rd2;
  10. 	long minver_isw;
  11. 	struct {
  12. 		int image_offset;
  13. 		int image_size;
  14. 		int data_byte[5];
  15. 	} images[4];
  16. 	char zero_hole[128];
  17. 	struct {
  18. 		char signer_info[16];
  19. 		long signature_info;
  20. 		long key_id;
  21. 		char digest[256];
  22. 	} digest;
  23. };

CertISW

  1. struct certisw {
  2. 	char cert_mark[8];
  3. 	int cert_version;
  4. 	int cert_type;
  5. 	int minver_src;
  6. 	int minver_pk;
  7. 	int minver_ppa;
  8. 	int minver_rd1;
  9. 	int minver_rd2;
  10. 	int minver_isw;
  11. 	int watchdog_param;
  12. 	int use_DMA;
  13. 	int active_images;
  14. 	struct {
  15. 		int image_offset;
  16. 		int image_size;
  17. 		int data_byte[5];
  18. 	} images[4];
  19. 	int magic_1; // Mark for SpeedUp parsing registers table
  20. 	int reg_bitfield; // Mask for SpeedUp parsing registers table
  21. 	struct {
  22. 		int reg_address;
  23. 		int reg_value;
  24. 	} reg_table[32]; // SpeedUp parsing registers table
  25. 	int reg_type_01;
  26. 	int reg_type_02;
  27. 	int entry_point_offset;
  28. 	int zero_hole[32];
  29. 	struct {
  30. 		char signer_info[16];
  31. 		long signature_info;
  32. 		long key_id;
  33. 		char digest[256];
  34. 	} digest;
  35. };

End of mbmloader

  1. struct {
  2.       char modul[128];
  3.       long exponent;
  4.       void* modul_pointer;
  5.       __int16 exponent_length;
  6.       __int16 modul_length;
  7.       long unknw;
  8. } key;

Invalid language.

You need to specify a language like this: <source lang="html4strict">...</source>

Supported languages for syntax highlighting:

4cs, 6502acme, 6502kickass, 6502tasm, 68000devpac, abap, actionscript, actionscript3, ada, algol68, apache, applescript, apt_sources, arm, asm, asp, asymptote, autoconf, autohotkey, autoit, avisynth, awk, bascomavr, bash, basic4gl, bf, bibtex, blitzbasic, bnf, boo, c, c_loadrunner, c_mac, caddcl, cadlisp, cfdg, cfm, chaiscript, cil, clojure, cmake, cobol, coffeescript, cpp, cpp-qt, csharp, css, cuesheet, d, dcl, dcpu16, dcs, delphi, diff, div, dos, dot, e, ecmascript, eiffel, email, epc, erlang, euphoria, f1, falcon, fo, fortran, freebasic, freeswitch, fsharp, gambas, gdb, genero, genie, gettext, glsl, gml, gnuplot, go, groovy, gwbasic, haskell, haxe, hicest, hq9plus, html4strict, html5, icon, idl, ini, inno, intercal, io, j, java, java5, javascript, jquery, kixtart, klonec, klonecpp, latex, lb, ldif, lisp, llvm, locobasic, logtalk, lolcode, lotusformulas, lotusscript, lscript, lsl2, lua, m68k, magiksf, make, mapbasic, matlab, mirc, mmix, modula2, modula3, mpasm, mxml, mysql, nagios, netrexx, newlisp, nsis, oberon2, objc, objeck, ocaml, ocaml-brief, octave, oobas, oorexx, oracle11, oracle8, oxygene, oz, parasail, parigp, pascal, pcre, per, perl, perl6, pf, php, php-brief, pic16, pike, pixelbender, pli, plsql, postgresql, povray, powerbuilder, powershell, proftpd, progress, prolog, properties, providex, purebasic, pycon, pys60, python, q, qbasic, rails, rebol, reg, rexx, robots, rpmspec, rsplus, ruby, sas, scala, scheme, scilab, sdlbasic, smalltalk, smarty, spark, sparql, sql, stonescript, systemverilog, tcl, teraterm, text, thinbasic, tsql, typoscript, unicon, upc, urbi, uscript, vala, vb, vbnet, vedit, verilog, vhdl, vim, visualfoxpro, visualprolog, whitespace, whois, winbatch, xbasic, xml, xorg_conf, xpp, yaml, z80, zxbasic


ROM:8700BA18     rsa1024_modul   DCB 0xA0, 0xFC, 0x8F, 0xAF, 0x18, 0x57, 0x7F, 0xC9, 0x73; modul
ROM:8700BA18                                                                 ; DATA XREF: ROM:rsa1024_modul�o
ROM:8700BA18                     DCB 2, 0xCE, 0xB4, 0x31, 0x52, 0xAC, 0x90, 0x5A, 0x89; modul
ROM:8700BA18                     DCB 0xDA, 0x6D, 0xD0, 0x14, 0x3E, 0xB3, 0xB2, 0xCC, 0x12; modul
ROM:8700BA18                     DCB 0xC8, 0xA1, 0x77, 0x9C, 0xF7, 0xCB, 0x72, 0x77, 0xC9; modul
ROM:8700BA18                     DCB 0x6F, 0x9E, 0xA6, 0x73, 0x79, 0x8E, 0x79, 0x51, 0xFC; modul
ROM:8700BA18                     DCB 0xC1, 0x5D, 0x82, 0xA3, 0xE6, 0xF, 0x68, 3, 0x93, 0x5E; modul
ROM:8700BA18                     DCB 0x5B, 0x18, 0xFD, 0xE0, 0x6F, 3, 0xD7, 0x8A, 0xAB; modul
ROM:8700BA18                     DCB 0x24, 0xC9, 0x70, 0xA, 0xB4, 0xB8, 0x98, 0xB9, 8, 0x75; modul
ROM:8700BA18                     DCB 7, 0x95, 0xD3, 0x52, 0x98, 2, 0xF9, 0x1D, 8, 0xAE; modul
ROM:8700BA18                     DCB 0x3D, 0x2D, 0x34, 0x51, 0x25, 0xDC, 0xB9, 0x5C, 0xBE; modul
ROM:8700BA18                     DCB 0xAB, 0x85, 0x3C, 0x7D, 0x35, 0x77, 0x9D, 7, 0xA0; modul
ROM:8700BA18                     DCB 0xAA, 0xB2, 0x30, 0xAB, 0xC4, 0x4B, 0xB4, 0xB3, 0xEE; modul
ROM:8700BA18                     DCB 0xF, 0x48, 0xB4, 0x4B, 0x8B, 0x75, 5, 0x72, 0x72, 0x91; modul
ROM:8700BA18                     DCB 0x20, 0x16, 0x24, 0x27, 0x3B, 0x63, 0xCF; modul
ROM:8700BA18                     DCD 65537                                   ; exponent
ROM:8700BA18                     DCD rsa1024_modul                           ; modul_pointer
ROM:8700BA18                     DCW 3                                       ; exponent_length
ROM:8700BA18                     DCW 128                                     ; modul_length
ROM:8700BA18                     DCD 1                                       ; unknw

Signatures

CertPK

CertPPA

CertISW

signed with 512 RSA

mbm

boot.img/recovery.img

A detailed explanation of the signature block on boot/recovery partitions can be found on BootRecoverySignature.

Hypothesis

We can obtain the signature and the ciphertext checked by the OMAP hardware. If a public key algorithm is used, we can obtain the public key. We can know the signature's formula (sha1 hash signed with rsa?). We can crack the key in reasonable time.

Problems

Extracting ciphertext and signature

User kokone has done some very interesting work on this:

  • File:ReadMBMLoader.c, File:ReadMBMLoader.h
  • This program dumps the 4 Public Keys stored in PKCerts_ as .pem format. They are 2048 bits each and used to sign the different parts of the MBMLoader. Signing seems to be SHA-1 Hash with PKCS-1 Padding.
  • Compile using g++ -c ReadMBMLoader.c
  • Link using g++ -o ReadMBMLoader ReadMBMLoader.o -lcrypt -lopenssl
  • To use the source cut out the 2560 bytes starting at 0x400 in the MTD0 dump and save the result as **mbmloader_cert**.
  • kokone's notes: "I used openssl to create private keys and used csst to create the Certificates. CSST is using openssl internally for all the crypto stuff (most likely due to the FIPS certification). With this code I can read out my own public keys but i'm unable to verify the signature so far. The Rights setting tells the OMAP bootloader which keys are valid for which part of the mtd0 filesystem. I'm not really sure which part of the PKCert_ area is used for signing. My experiments are not conclusive. The significance of the MSV Mask is also unknown. According to the Register description of the 2430 the E-Fuses define a 160bit public key. My guess would be the SHA-1 Sum of the public key. One more thing: word ordering in the file is LSB first. The position of Signature Info and Signer Info is not fixed in stone and just a first guess."
  • comment by maui: "MSV seems to be related to the Keys Access Registers (32 bits long) mentioned in the 6.4.8.13 section of the spruf98 TRM".
  • new version, comments by kokone:
    • "It reads and tries to verify all parts of the MBMLoader (besides CHSETTINGS) including PKCerts, PPA and ISW."
    • "The new ReadMBMLoader writes out the binaries contained in the ISW and PPA parts."
    • "PPA contains only a single binary. ISW can contain up to four binaries."
    • "No payload is verified inside the PPA header. The header contains a 160bit checksum (SHA1 for TI sample image) for each binary."

Dump from mbmloader

  1. struct mbmloader_header {
  2.       ....
  3.       struct {
  4.            char modul[128];
  5.            long exponent;
  6.            void* modul_pointer;
  7.            __int16 exponent_length;
  8.            __int16 modul_length;
  9.            long unknw;
  10.       } key_01;
  11.       struct {
  12.            char modul[128];
  13.            long exponent;
  14.            void* modul_pointer;
  15.            __int16 exponent_length;
  16.            __int16 modul_length;
  17.            long unknw;
  18.       } key_02;
  19.       char sha1_hash[20];
  20. };

Invalid language.

You need to specify a language like this: <source lang="html4strict">...</source>

Supported languages for syntax highlighting:

4cs, 6502acme, 6502kickass, 6502tasm, 68000devpac, abap, actionscript, actionscript3, ada, algol68, apache, applescript, apt_sources, arm, asm, asp, asymptote, autoconf, autohotkey, autoit, avisynth, awk, bascomavr, bash, basic4gl, bf, bibtex, blitzbasic, bnf, boo, c, c_loadrunner, c_mac, caddcl, cadlisp, cfdg, cfm, chaiscript, cil, clojure, cmake, cobol, coffeescript, cpp, cpp-qt, csharp, css, cuesheet, d, dcl, dcpu16, dcs, delphi, diff, div, dos, dot, e, ecmascript, eiffel, email, epc, erlang, euphoria, f1, falcon, fo, fortran, freebasic, freeswitch, fsharp, gambas, gdb, genero, genie, gettext, glsl, gml, gnuplot, go, groovy, gwbasic, haskell, haxe, hicest, hq9plus, html4strict, html5, icon, idl, ini, inno, intercal, io, j, java, java5, javascript, jquery, kixtart, klonec, klonecpp, latex, lb, ldif, lisp, llvm, locobasic, logtalk, lolcode, lotusformulas, lotusscript, lscript, lsl2, lua, m68k, magiksf, make, mapbasic, matlab, mirc, mmix, modula2, modula3, mpasm, mxml, mysql, nagios, netrexx, newlisp, nsis, oberon2, objc, objeck, ocaml, ocaml-brief, octave, oobas, oorexx, oracle11, oracle8, oxygene, oz, parasail, parigp, pascal, pcre, per, perl, perl6, pf, php, php-brief, pic16, pike, pixelbender, pli, plsql, postgresql, povray, powerbuilder, powershell, proftpd, progress, prolog, properties, providex, purebasic, pycon, pys60, python, q, qbasic, rails, rebol, reg, rexx, robots, rpmspec, rsplus, ruby, sas, scala, scheme, scilab, sdlbasic, smalltalk, smarty, spark, sparql, sql, stonescript, systemverilog, tcl, teraterm, text, thinbasic, tsql, typoscript, unicon, upc, urbi, uscript, vala, vb, vbnet, vedit, verilog, vhdl, vim, visualfoxpro, visualprolog, whitespace, whois, winbatch, xbasic, xml, xorg_conf, xpp, yaml, z80, zxbasic


ROM:87000780                     DCB 0x96, 0x3F, 0x71, 0x19, 0xED, 0xCC, 0xF2, 0x5A, 0x41; key_01.modul
ROM:87000780                     DCB 0x43, 0x8A, 0xB, 0x40, 0, 0x38, 0x7A, 0xA9, 0x4B, 2; key_01.modul
ROM:87000780                     DCB 0xB0, 0xD9, 0x15, 0xBE, 0x73, 0xB3, 0x82, 0x3D, 0x9A; key_01.modul
ROM:87000780                     DCB 0x91, 0xF2, 0xB7, 0x6B, 0xEB, 0x34, 0x3E, 0xC7, 0xA; key_01.modul
ROM:87000780                     DCB 0x33, 0x2E, 0xCF, 7, 0x53, 0xED, 0xD3, 0xBB, 0xBC; key_01.modul
ROM:87000780                     DCB 0x2B, 0xE5, 0x3E, 0x11, 0x2F, 0xEF, 0xEE, 0xD0, 0xB5; key_01.modul
ROM:87000780                     DCB 0xD2, 0x6C, 0x84, 0xC2, 0x22, 0xD1, 0xBE, 0xF7, 0xFA; key_01.modul
ROM:87000780                     DCB 0x5E, 0xD6, 0x5A, 0x1C, 0x33, 0x1C, 0xB2, 0x56, 0xB; key_01.modul
ROM:87000780                     DCB 0xCF, 0xFE, 0xA8, 0x39, 0x16, 0x69, 0x93, 0x22, 0x22; key_01.modul
ROM:87000780                     DCB 0x97, 0xC5, 0xA6, 0xF7, 0x95, 0x80, 0x34, 0x86, 0xA6; key_01.modul
ROM:87000780                     DCB 0x9F, 0xA3, 0x89, 0xE2, 0xDE, 0x5D, 0x13, 0x7A, 0xE2; key_01.modul
ROM:87000780                     DCB 0xBE, 0x92, 0xA6, 0x77, 0x44, 0x9E, 0x1F, 0xAB, 0x93; key_01.modul
ROM:87000780                     DCB 0x82, 0x90, 0x14, 0xB4, 0xAB, 0xAD, 0x47, 0x13, 0x53; key_01.modul
ROM:87000780                     DCB 1, 0xF0, 0x3F, 0xCE, 0xD2, 0x41, 0x4E, 0x93, 0xE7; key_01.modul
ROM:87000780                     DCB 0x61                                    ; key_01.modul
ROM:87000780                     DCD 65537                                   ; key_01.exponent
ROM:87000780                     DCD mbmloader_header.key_01                 ; key_01.modul_pointer
ROM:87000780                     DCW 3                                       ; key_01.exponent_length
ROM:87000780                     DCW 128                                     ; key_01.modul_length
ROM:87000780                     DCD 1                                       ; key_01.unknw
ROM:87000780                     DCB 0xAA, 0x37, 0x78, 0x33, 0xEC, 0x35, 0xFE, 0xB0, 0xDC; key_02.modul
ROM:87000780                     DCB 0xC1, 0x76, 0xB5, 0x80, 0x46, 9, 0x77, 0x30, 0xBD; key_02.modul
ROM:87000780                     DCB 0x53, 0x38, 0xB9, 0x75, 0x98, 0xAB, 0xCC, 0xD8, 0x73; key_02.modul
ROM:87000780                     DCB 0x2D, 0xB, 0xB1, 0xA2, 0x43, 0x90, 0x8E, 0x5D, 0x96; key_02.modul
ROM:87000780                     DCB 2, 0x97, 0x95, 0x1A, 0x1C, 0x32, 0x5D, 0xE7, 0x63; key_02.modul
ROM:87000780                     DCB 0x4E, 0xA, 0x7D, 0x47, 0x13, 0xCD, 0x50, 0x2E, 0x1C; key_02.modul
ROM:87000780                     DCB 0x66, 0x69, 0x8D, 0xFA, 0xA6, 0xF9, 0x99, 0x7E, 0xA8; key_02.modul
ROM:87000780                     DCB 0x19, 0x15, 0x4C, 0xBB, 0x37, 0x2D, 0x29, 0x93, 0xA1; key_02.modul
ROM:87000780                     DCB 0xAF, 0x1F, 0xEA, 0x7B, 0x17, 6, 0xA0, 0xB9, 0x27; key_02.modul
ROM:87000780                     DCB 6, 0xE7, 0xD9, 0x11, 0xC8, 0x18, 0xA3, 0xE3, 0xAC; key_02.modul
ROM:87000780                     DCB 0xED, 0x33, 0x6B, 0x5B, 0x92, 0xC9, 8, 0x63, 0xF7; key_02.modul
ROM:87000780                     DCB 0x82, 0x76, 0xF5, 0x99, 0x83, 0x75, 0x24, 0xE7, 0xA1; key_02.modul
ROM:87000780                     DCB 0x7B, 0xF5, 0x68, 0xE6, 0x91, 0x56, 0x49, 0x51, 0x88; key_02.modul
ROM:87000780                     DCB 0x71, 0xEE, 0xBF, 0xBD, 0x61, 0xAB, 0x2E, 0x79, 0x1A; key_02.modul
ROM:87000780                     DCB 0xDE, 0x55                              ; key_02.modul
ROM:87000780                     DCD 65537                                   ; key_02.exponent
ROM:87000780                     DCD mbmloader_header.key_02                 ; key_02.modul_pointer
ROM:87000780                     DCW 3                                       ; key_02.exponent_length
ROM:87000780                     DCW 128                                     ; key_02.modul_length
ROM:87000780                     DCD 1                                       ; key_02.unknw
ROM:87000780                     DCB 0x6B, 0xD3, 0x98, 0xE2, 0xD6, 0xF0, 0xF8, 0xCF, 0xFC; sha1_hash
ROM:87000780                     DCB 0xD4, 0x96, 0x72, 0x5E, 0xB3, 0xA8, 0xB3, 0x6B, 0xF9; sha1_hash
ROM:87000780                     DCB 0xB1, 0x16                              ; sha1_hash

CertPK

This is a certificate, which contains Public Keys. In Milestone bootloader used only 1-st key.

Invalid language.

You need to specify a language like this: <source lang="html4strict">...</source>

Supported languages for syntax highlighting:

4cs, 6502acme, 6502kickass, 6502tasm, 68000devpac, abap, actionscript, actionscript3, ada, algol68, apache, applescript, apt_sources, arm, asm, asp, asymptote, autoconf, autohotkey, autoit, avisynth, awk, bascomavr, bash, basic4gl, bf, bibtex, blitzbasic, bnf, boo, c, c_loadrunner, c_mac, caddcl, cadlisp, cfdg, cfm, chaiscript, cil, clojure, cmake, cobol, coffeescript, cpp, cpp-qt, csharp, css, cuesheet, d, dcl, dcpu16, dcs, delphi, diff, div, dos, dot, e, ecmascript, eiffel, email, epc, erlang, euphoria, f1, falcon, fo, fortran, freebasic, freeswitch, fsharp, gambas, gdb, genero, genie, gettext, glsl, gml, gnuplot, go, groovy, gwbasic, haskell, haxe, hicest, hq9plus, html4strict, html5, icon, idl, ini, inno, intercal, io, j, java, java5, javascript, jquery, kixtart, klonec, klonecpp, latex, lb, ldif, lisp, llvm, locobasic, logtalk, lolcode, lotusformulas, lotusscript, lscript, lsl2, lua, m68k, magiksf, make, mapbasic, matlab, mirc, mmix, modula2, modula3, mpasm, mxml, mysql, nagios, netrexx, newlisp, nsis, oberon2, objc, objeck, ocaml, ocaml-brief, octave, oobas, oorexx, oracle11, oracle8, oxygene, oz, parasail, parigp, pascal, pcre, per, perl, perl6, pf, php, php-brief, pic16, pike, pixelbender, pli, plsql, postgresql, povray, powerbuilder, powershell, proftpd, progress, prolog, properties, providex, purebasic, pycon, pys60, python, q, qbasic, rails, rebol, reg, rexx, robots, rpmspec, rsplus, ruby, sas, scala, scheme, scilab, sdlbasic, smalltalk, smarty, spark, sparql, sql, stonescript, systemverilog, tcl, teraterm, text, thinbasic, tsql, typoscript, unicon, upc, urbi, uscript, vala, vb, vbnet, vedit, verilog, vhdl, vim, visualfoxpro, visualprolog, whitespace, whois, winbatch, xbasic, xml, xorg_conf, xpp, yaml, z80, zxbasic


ROM:86FFDA00                     DCB "CertPK_",0                             ; CertPK.cert_mark
ROM:86FFDA00                     DCD 0                                       ; CertPK.cert_version
ROM:86FFDA00                     DCD 0                                       ; CertPK.cert_type
ROM:86FFDA00                     DCD 0                                       ; CertPK.minver_pk
ROM:86FFDA00                     DCD 0                                       ; CertPK.minver_ppa
ROM:86FFDA00                     DCD 0                                       ; CertPK.minver_rd1
ROM:86FFDA00                     DCD 0                                       ; CertPK.minver_rd2
ROM:86FFDA00                     DCD 0                                       ; CertPK.minver_isw
ROM:86FFDA00                     DCD 0                                       ; CertPK.minver_ki
ROM:86FFDA00                     DCD 0                                       ; CertPK.minver_pau
ROM:86FFDA00                     DCD 0                                       ; CertPK.minver_pas
ROM:86FFDA00                     DCD 0                                       ; CertPK.___________field_30
ROM:86FFDA00                     DCD 1                                       ; CertPK.key_01.key_id
ROM:86FFDA00                     DCD 0                                       ; CertPK.key_01.key_type
ROM:86FFDA00                     DCD 1                                       ; CertPK.key_01.key_rights
ROM:86FFDA00                     DCD 256                                     ; CertPK.key_01.modul_length
ROM:86FFDA00                     DCD 65537                                   ; CertPK.key_01.e_value
ROM:86FFDA00                     DCB 0x69, 0xF, 0x6B, 0x79, 0xEE, 0xDD, 0x6A, 0xC9, 0x6E; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0xCA, 0x21, 0x8B, 0xA6, 0x6D, 0x96, 0x4B, 0x21, 0x8D; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x8F, 0xC4, 0x57, 0xE5, 0xA1, 0xB6, 0x2F, 0x17, 0xCC; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x19, 0xDE, 0x1F, 0xB, 0x36, 0x3C, 0x7A, 0xDA, 0x8A; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x89, 0xE1, 0xBA, 0x9F, 0x36, 0x3E, 0x33, 0x86, 0x65; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0xCD, 0xCA, 0xD2, 0x25, 0xE8, 0xE2, 0x4D, 0xF2, 0x2A; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x2F, 0x2C, 0xFB, 0x81, 0xD9, 0xCF, 0x5D, 0x93, 0x6D; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x25, 0xFF, 0x32, 0x9E, 0x98, 0x84, 0x94, 0xAA, 0xE5; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0xFB, 0x7E, 7, 3, 0xD1, 0x4E, 0xCF, 0xB1, 0xCA, 0xD; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x2B, 0x24, 0xFB, 0xA6, 0xA7, 0xBD, 0x9C, 0x6D, 0x29; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x45, 0x7C, 0x8F, 0x61, 0xB, 0xDE, 0xA1, 0x63, 0x9A; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0xFD, 0x98, 0x55, 0xC8, 0x7F, 0x5D, 0x85, 0xAB, 0x20; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x83, 0xB5, 0xEC, 0xB8, 0x91, 0x10, 0xC2, 0x43, 0x3B; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x24, 0xFD, 0xC1, 0xD3, 0x7A, 0xC0, 0x8C, 0xE, 0x7E; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0xDF, 0xDA, 0xC9, 0x86, 0xD7, 0xF9, 0xB9, 0xF0, 0xB4; CertPK.key_01.modul
ROM:86FFDA00                     DCB 5, 0x61, 0xBD, 0x4F, 0xFA, 0x65, 0x89, 0x5F, 0xA7; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x35, 0x78, 0x6E, 0xBB, 0x49, 0xC8, 0x15, 0xB5, 0xDF; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0xFC, 0x39, 0x4A, 0xB3, 0x97, 0xC6, 0x1E, 0x96, 0x83; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x54, 0x64, 0x33, 0x1A, 0x74, 0xD5, 0x3B, 0x9D, 9; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x52, 0x6C, 0x29, 0xB2, 0xD0, 0x24, 0xFE, 0x28, 0xE6; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0xD3, 0x7F, 0xE7, 0x3A, 0x5F, 0x6D, 0xD5, 0xA1, 0x32; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x58, 0xF0, 0x24, 0x10, 0x99, 0xB7, 0x65, 0x67, 0x55; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x8E, 0x2B, 0x54, 0xC, 0x81, 0x17, 0xD4, 0x47, 0xF; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x5C, 0x7F, 0x3B, 0x3A, 0x4A, 0x16, 0x85, 0xD5, 0x15; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x95, 0xA0, 0x4C, 0xA7, 0xE7, 0xCB, 0x2F, 0x5A, 0x95; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0xB9, 0xBF, 0xC, 0x68, 0x32, 0xC9, 0x42, 0xAB, 0xA8; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0xD4, 0x21, 0xF8, 5, 0xDC, 0x1D, 0xEF, 0xB6, 0x41; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x38, 0xDF, 0xC8, 0xE1, 0x78, 0xB5, 0x84, 0x23, 0x82; CertPK.key_01.modul
ROM:86FFDA00                     DCB 0x7E, 0x7F, 0xE1                        ; CertPK.key_01.modul
ROM:86FFDA00                     DCD 3                                       ; CertPK.__________field_148
ROM:86FFDA00                     DCD 2                                       ; CertPK.key_02.key_id
ROM:86FFDA00                     DCD 0                                       ; CertPK.key_02.key_type
ROM:86FFDA00                     DCD 0b11100                                 ; CertPK.key_02.key_rights
ROM:86FFDA00                     DCD 256                                     ; CertPK.key_02.modul_length
ROM:86FFDA00                     DCD 65537                                   ; CertPK.key_02.e_value
ROM:86FFDA00                     DCB 0xE9, 0xF4, 0xD, 0xD2, 0x83, 0x1C, 0x51, 0x6C, 0x73; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x32, 4, 0x76, 0x39, 4, 0xB6, 0xF, 0x7A, 0xE, 0x70; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x8D, 0xC, 0xAC, 0x25, 0x8C, 0x31, 6, 0x8A, 0xC8, 0x96; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0xFF, 0x55, 0xC6, 0x68, 0xAC, 0x9D, 0x79, 0x15, 0xBD; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x92, 0x4A, 0xC2, 0x2D, 7, 0x85, 0xD6, 9, 0x17, 0x4B; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0xC7, 0x3F, 0x13, 0xEC, 0xA1, 2, 0x1A, 0xC0, 0x12; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x58, 0xA2, 0x61, 0xC0, 0xCD, 0xCA, 0xD9, 0xFF, 0xC2; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x8B, 0x9B, 0x1C, 0x72, 0x4A, 0x2F, 0xB3, 0xFF, 0x2A; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0xC6, 0xDA, 0x20, 0x25, 0x49, 0xA4, 0xCB, 0x21, 0xB; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x88, 0x1F, 0xA6, 0xF1, 0xF2, 0x2A, 0xD2, 0x2B, 0x7A; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x61, 0x92, 0x26, 0x2B, 0x93, 0xFC, 0x16, 0x69, 8; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x89, 0x9B, 1, 0x6B, 0xF9, 0x60, 0x12, 0xB0, 0x3D; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x54, 8, 0xF9, 0xDD, 0xCF, 0x8B, 0x3D, 0xDA, 4, 0x85; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x60, 0xDA, 0x6E, 0x91, 0x40, 0x87, 0xF3, 0x7D, 0xCF; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x36, 0x31, 0xED, 0xDD, 0x64, 0xFA, 0xAC, 0x76, 0x64; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x17, 0xE3, 7, 0x6D, 0xFA, 0x68, 0xC8, 0xC, 0x37, 0x38; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0xE5, 0x75, 0xB4, 0x5D, 0x23, 0xC6, 0xC7, 0xEC, 0xD0; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0xF4, 0xFB, 0xD2, 0x4A, 0xE9, 1, 0xD4, 0xC2, 0xB9; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0xEA, 0xBF, 0xB6, 0x28, 0xA0, 0x6A, 0xF7, 0x11, 0xB0; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0xB8, 0xC5, 0x9F, 0x15, 0x31, 0x91, 0xE4, 0x96, 0xBF; CertPK.key_02.modul
ROM:86FFDA00                     DCB 4, 0x85, 0xB9, 0x1D, 0xBD, 0x4A, 0x18, 0x45, 0x8F; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x11, 0xF7, 0x4A, 0xBF, 0x8D, 0xBF, 3, 0xE, 0xC2, 0x87; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x9B, 0xD1, 0x74, 0x3D, 0xE3, 0xF3, 0xC2, 0x29, 0x2C; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x44, 0x5C, 0xBD, 0xDA, 0xBC, 0x9E, 6, 0x89, 0xC3; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x5A, 0xF4, 0x62, 0xE1, 0xAB, 0x1C, 0x73, 0x31, 0x87; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x19, 0xB4, 0x1F, 0xA3, 0xE8, 0x1F, 0x48, 0x41, 0x13; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x15, 0x96, 0xF0, 0xF4, 0x6F, 0x96, 0x7E, 0xBA, 0x56; CertPK.key_02.modul
ROM:86FFDA00                     DCB 0x73, 0xC9, 0xC7, 0xD5, 0x71, 8, 0xE5   ; CertPK.key_02.modul
ROM:86FFDA00                     DCD 3                                       ; CertPK.key_03.key_id
ROM:86FFDA00                     DCD 0                                       ; CertPK.key_03.key_type
ROM:86FFDA00                     DCD 0b10                                    ; CertPK.key_03.key_rights
ROM:86FFDA00                     DCD 256                                     ; CertPK.key_03.modul_length
ROM:86FFDA00                     DCD 65537                                   ; CertPK.key_03.e_value
ROM:86FFDA00                     DCB 0xDF, 0xB0, 0x8B, 0x1A, 0x78, 0xF1, 0x42, 0xCF, 0xDB; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0x65, 0x3B, 0x14, 0x9B, 0x43, 0x46, 0x6B, 0x22, 0xB1; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0x4B, 0xAE, 0xAC, 0xD2, 0x7B, 0xC7, 0xE0, 0xE3, 0x59; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0xAC, 0xA2, 0x61, 0x23, 0xF0, 0xA6, 0x31, 0xC7, 0x59; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0x92, 0xA2, 0xB, 0x51, 0xFF, 0xF5, 0x98, 0x88, 0xA6; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0xE7, 0x2D, 0xF0, 0x26, 0xFB, 0xD3, 0x9B, 0x5B, 0xBD; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0x75, 0x21, 0x1E, 0xC4, 0x16, 0x9D, 0x5E, 0x92, 0xC0; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0x42, 0xEA, 0x9E, 6, 0xCA, 0x16, 0x31, 0x6A, 0x20; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0x6C, 0xAF, 0xE, 0x76, 0x34, 0xCD, 0xF4, 0xEA, 0x8A; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0xDB, 0xEE, 0x47, 0x52, 2, 0x71, 0x2F, 0xF4, 0xDB; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0x8E, 0xBB, 0x49, 0xE7, 0x7F, 0x48, 0x85, 0x56, 0x94; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0xC1, 0x7C, 0x37, 0x9E, 0x4B, 0x8D, 0x16, 0x65, 0x2D; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0x1F, 0x4D, 0xB0, 0x76, 0xD6, 0x69, 0x43, 0x5F, 0xBA; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0xD4, 0x33, 0x39, 0x82, 0x7C, 0x40, 0xBA, 0x2B, 0x92; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0xAE, 0xA8, 0xCE, 0x67, 0x3D, 0xC5, 0x14, 0x33, 0x14; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0xA7, 5, 0x13, 0xC9, 0x6A, 0x8B, 0xFD, 0x46, 0x5B; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0x8F, 0xB, 0xE9, 0xD4, 0xDE, 0x3A, 0x69, 4, 0xE0, 0xBF; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0xA5, 0xEF, 0x2D, 0x54, 0xC6, 0x15, 0x38, 0xF3, 0x40; CertPK.key_03.modul
ROM:86FFDA00                     DCB 6, 0x8F, 0x83, 0x2E, 0xA3, 0xC7, 0x22, 0xEF, 0xB1; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0x78, 0x3B, 2, 0x1D, 0x78, 0x3E, 0xE6, 0x2F, 0xE1; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0x64, 0xA2, 0xAE, 0x1F, 4, 0xAD, 0x16, 0x28, 0xBA; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0xA9, 0x5E, 0x47, 0x1F, 0x11, 0x99, 0xD4, 0x96, 0xE; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0xA0, 0x27, 0x19, 0x51, 0x2E, 0x3A, 0xDC, 6, 0xA4; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0x7A, 0x8B, 0x2A, 5, 0xD5, 0xEF, 0xC, 0x65, 0x11, 0x8B; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0xF9, 0x5B, 0xE, 0x4B, 0xFD, 0xBF, 0x3C, 0x80, 0x6F; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0x9B, 0xC4, 0x10, 0xD7, 0xDE, 0xE8, 0xEF, 0xC5, 0x32; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0x3F, 0x7A, 0x24, 0xB2, 0x91, 9, 0x42, 0x4E, 0x5E; CertPK.key_03.modul
ROM:86FFDA00                     DCB 7, 0x81, 0x2D, 0x25, 0x13, 0xFA, 0x46, 0xBF, 0x34; CertPK.key_03.modul
ROM:86FFDA00                     DCB 0x71, 0xC1                              ; CertPK.key_03.modul
ROM:86FFDA00                     DCD 4                                       ; CertPK.key_04.key_id
ROM:86FFDA00                     DCD 0                                       ; CertPK.key_04.key_type
ROM:86FFDA00                     DCD 0b100000                                ; CertPK.key_04.key_rights
ROM:86FFDA00                     DCD 256                                     ; CertPK.key_04.modul_length
ROM:86FFDA00                     DCD 65537                                   ; CertPK.key_04.e_value
ROM:86FFDA00                     DCB 0xE5, 0x43, 0x46, 0xA6, 0xB4, 0x4A, 0x45, 0xBA, 0x1E; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0x2F, 0x4B, 0xEB, 0x6A, 0x38, 0x29, 0xAE, 0xB3, 0x93; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0x3D, 0x60, 0xDD, 0x96, 0x92, 0xA6, 0x6E, 0x61, 0xDC; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0xB8, 0x21, 0x32, 0x6D, 0xEF, 0xD5, 0x19, 0xA0, 0x4F; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0x54, 0x59, 0x70, 0x75, 0x61, 0xFB, 0x2A, 0xC9, 0xB5; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0xF9, 0x72, 0x40, 0x62, 0x7C, 0xE, 0xE0, 0x87, 0xD2; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0xC3, 0xCF, 0x8B, 0xD8, 0x2C, 0x6D, 0xC8, 0xC4, 0x54; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0x7B, 0xF8, 0x4D, 0xEB, 0x20, 0xA8, 0xDA, 0xF4, 0x9D; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0x73, 0xA1, 0xE4, 0x5B, 0xAF, 7, 0x32, 0x88, 0x92; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0x15, 0x52, 0x37, 0xA1, 0x93, 0x91, 0x9A, 0x26, 0x2E; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0x7F, 0x6C, 0xDC, 0xD7, 0xA, 0xA5, 0xA6, 0xBA, 0xE6; CertPK.key_04.modul
ROM:86FFDA00                     DCB 9, 0x1F, 0x6D, 0xA5, 0xE1, 0x50, 0xBC, 0xA1, 0x97; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0xE2, 0x43, 0xF, 0x1A, 0xBE, 0xA7, 0xDB, 0xF8, 0x3E; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0x1B, 2, 0xE9, 0x6B, 0x48, 0xD1, 0xEB, 0xC4, 0x3C; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0x7C, 0xAE, 0xAF, 0xE3, 0xFF, 0xFB, 0x6A, 0x46, 0x12; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0x32, 0x5D, 0x95, 0xB7, 0xE6, 0x22, 0x27, 0xE, 3, 0x94; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0x6A, 0xC5, 0xEA, 0xAD, 0x41, 6, 0x55, 0x78, 0xD5; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0x90, 0x54, 0xD, 0x95, 0x2C, 0x96, 0x47, 0x53, 0x4D; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0xEB, 0xAA, 0xF, 0x2F, 0xA0, 0x39, 0x48, 0x5F, 0x43; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0xA5, 0xB8, 0x53, 0xB0, 0xE3, 0x68, 0xBB, 0xAF, 0x79; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0x1E, 0x63, 0xB5, 0x7D, 0x4A, 0x81, 0x95, 0x38, 0x16; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0xF2, 0xD5, 0x8B, 0x16, 0xAE, 0x66, 0x8D, 0x4A, 0x12; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0xC3, 0x61, 0xBD, 0x86, 0x51, 0xBC, 0xB0, 9, 0xF, 0x22; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0x8C, 0xA9, 0x14, 0xF2, 0x22, 0xEA, 0x29, 0xD, 0x1A; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0xCA, 0x61, 0xD3, 0x8A, 0x11, 0x92, 0x22, 0x53, 0x4D; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0x11, 0x5C, 0x91, 0xDF, 0x9F, 0x11, 0x68, 0xD8, 0xA6; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0x97, 0xFD, 0x99, 0xD1, 0xA9, 0x2D, 0x8D, 0xF9, 0xB4; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0x9C, 0xDD, 0xD7, 0x6D, 0xF3, 0x65, 0xA9, 0xD1, 7; CertPK.key_04.modul
ROM:86FFDA00                     DCB 0xB8, 0xA6                              ; CertPK.key_04.modul
ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
ROM:86FFDA00                     DCD 0, 0, 0                                 ; CertPK.zero_hole_1
ROM:86FFDA00                     DCD 0b1111110                               ; CertPK.rights
ROM:86FFDA00                     DCD 0xFFFFFFFF                              ; CertPK.msv
ROM:86FFDA00                     DCD 1                                       ; CertPK.msv_mask
ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_2
ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0   ; CertPK.zero_hole_2
ROM:86FFDA00                     DCB 0xA1, 0x64, 0x78, 0x4A, 0, 0, 0, 0, 0xDF, 1, 0, 0; CertPK.digest.signer_info
ROM:86FFDA00                     DCB 0, 0, 0, 0                              ; CertPK.digest.signer_info
ROM:86FFDA00                     DCD 0                                       ; CertPK.digest.signature_info
ROM:86FFDA00                     DCD 1                                       ; CertPK.digest.key_id
ROM:86FFDA00                     DCB 0x61, 0x66, 0xA8, 0xD7, 0x58, 0x8D, 0xFC, 0x87, 0xF2; CertPK.digest.digest
ROM:86FFDA00                     DCB 0x9B, 0x83, 0x3F, 0xAD, 0x9B, 0x69, 0x25, 0xE6, 0xB4; CertPK.digest.digest
ROM:86FFDA00                     DCB 0xA4, 0x19, 0xCA, 0x45, 4, 0x93, 0xB3, 0x57, 0x6C; CertPK.digest.digest
ROM:86FFDA00                     DCB 0xB4, 0x76, 0x18, 0x52, 0xFA, 0x22, 0x9A, 2, 0x1D; CertPK.digest.digest
ROM:86FFDA00                     DCB 0xFF, 0x8E, 0xFC, 0xAE, 0xF4, 0x94, 0x77, 0x26, 0x1B; CertPK.digest.digest
ROM:86FFDA00                     DCB 0xBD, 0xE5, 0xAB, 0x77, 0x8D, 0xFB, 0x16, 0x30, 0x65; CertPK.digest.digest
ROM:86FFDA00                     DCB 0x5C, 0xF2, 0x3A, 2, 0x98, 0xCB, 0xBC, 0xE8, 0x25; CertPK.digest.digest
ROM:86FFDA00                     DCB 0x34, 0x6B, 0x90, 0xDE, 0xF4, 0x3B, 0xC2, 0xE7, 0xA3; CertPK.digest.digest
ROM:86FFDA00                     DCB 0x43, 0xB9, 0x65, 0x14, 0xD6, 0xF3, 0xB4, 0x45, 0x1F; CertPK.digest.digest
ROM:86FFDA00                     DCB 0x40, 0xF5, 0x2D, 0xCB, 0x2A, 0x28, 0x97, 0xBA, 0x6C; CertPK.digest.digest
ROM:86FFDA00                     DCB 0xEB, 0x39, 4, 0xF2, 0xE8, 0x78, 0xA8, 0xA8, 0x4B; CertPK.digest.digest
ROM:86FFDA00                     DCB 0x3C, 0xA8, 0x24, 0x3C, 0xB3, 0x90, 0x54, 0x9F, 0x9D; CertPK.digest.digest
ROM:86FFDA00                     DCB 0xC5, 0xE8, 0x6E, 0xE5, 0xCD, 0xDF, 9, 0x14, 0xEE; CertPK.digest.digest
ROM:86FFDA00                     DCB 0x4C, 0xC9, 0x6C, 0x93, 0xBA, 0x2B, 8, 0xF6, 0x76; CertPK.digest.digest
ROM:86FFDA00                     DCB 0x6A, 0xE7, 0xB0, 0xC1, 0x16, 0x12, 0x2D, 0x3E, 0xDF; CertPK.digest.digest
ROM:86FFDA00                     DCB 0x87, 0x62, 0x6E, 0x45, 0x89, 0x82, 0x96, 0xD2, 0x58; CertPK.digest.digest
ROM:86FFDA00                     DCB 0xDA, 0x9E, 0xA7, 0xD7, 0x26, 0x32, 0xAB, 0xEF, 0x63; CertPK.digest.digest
ROM:86FFDA00                     DCB 0x72, 0x54, 0x20, 0x2A, 0xE9, 0x34, 0xD1, 0x53, 0xDA; CertPK.digest.digest
ROM:86FFDA00                     DCB 0xB2, 0x84, 0x4F, 0xDD, 0x38, 0xF6, 0xA1, 0x4D, 0x62; CertPK.digest.digest
ROM:86FFDA00                     DCB 0x62, 0x31, 0x4E, 0xC9, 0xF0, 0x77, 0x30, 0x63, 0x65; CertPK.digest.digest
ROM:86FFDA00                     DCB 0x81, 0x6B, 0x10, 0x82, 0x30, 0xF9, 0x15, 0x10, 0xF1; CertPK.digest.digest
ROM:86FFDA00                     DCB 0x44, 0x3E, 0x19, 0x8B, 0x27, 0xC3, 0xBB, 0xF, 0x87; CertPK.digest.digest
ROM:86FFDA00                     DCB 8, 0xAD, 0x9A, 0xC2, 0x93, 0x6F, 0x8A, 0xA6, 0x4A; CertPK.digest.digest
ROM:86FFDA00                     DCB 0x40, 0xFC, 0, 0x6C, 0x8B, 0x5D, 0x15, 0xCD, 0xED; CertPK.digest.digest
ROM:86FFDA00                     DCB 0xEE, 0xCC, 7, 0x20, 0x40, 0x47, 0xA7, 0xCD, 0x9B; CertPK.digest.digest
ROM:86FFDA00                     DCB 0xC3, 0x7B, 0x62, 0x28, 0x18, 0x5B, 0x23, 0xE6, 0xA6; CertPK.digest.digest
ROM:86FFDA00                     DCB 1, 0xC4, 0x78, 0x89, 0xF8, 0x2D, 0x95, 0xA0, 0xED; CertPK.digest.digest
ROM:86FFDA00                     DCB 0xA5, 0x2C, 0x13, 0xA, 0x87, 0xB0, 0x4F, 0xC8, 0x2D; CertPK.digest.digest
ROM:86FFDA00                     DCB 0x56, 0xF6, 0xFB, 0x7A                  ; CertPK.digest.digest

CertPPA

This is a certificate of Primary Protected Application (Similar known as Secure Part of OS and bootloader)

Invalid language.

You need to specify a language like this: <source lang="html4strict">...</source>

Supported languages for syntax highlighting:

4cs, 6502acme, 6502kickass, 6502tasm, 68000devpac, abap, actionscript, actionscript3, ada, algol68, apache, applescript, apt_sources, arm, asm, asp, asymptote, autoconf, autohotkey, autoit, avisynth, awk, bascomavr, bash, basic4gl, bf, bibtex, blitzbasic, bnf, boo, c, c_loadrunner, c_mac, caddcl, cadlisp, cfdg, cfm, chaiscript, cil, clojure, cmake, cobol, coffeescript, cpp, cpp-qt, csharp, css, cuesheet, d, dcl, dcpu16, dcs, delphi, diff, div, dos, dot, e, ecmascript, eiffel, email, epc, erlang, euphoria, f1, falcon, fo, fortran, freebasic, freeswitch, fsharp, gambas, gdb, genero, genie, gettext, glsl, gml, gnuplot, go, groovy, gwbasic, haskell, haxe, hicest, hq9plus, html4strict, html5, icon, idl, ini, inno, intercal, io, j, java, java5, javascript, jquery, kixtart, klonec, klonecpp, latex, lb, ldif, lisp, llvm, locobasic, logtalk, lolcode, lotusformulas, lotusscript, lscript, lsl2, lua, m68k, magiksf, make, mapbasic, matlab, mirc, mmix, modula2, modula3, mpasm, mxml, mysql, nagios, netrexx, newlisp, nsis, oberon2, objc, objeck, ocaml, ocaml-brief, octave, oobas, oorexx, oracle11, oracle8, oxygene, oz, parasail, parigp, pascal, pcre, per, perl, perl6, pf, php, php-brief, pic16, pike, pixelbender, pli, plsql, postgresql, povray, powerbuilder, powershell, proftpd, progress, prolog, properties, providex, purebasic, pycon, pys60, python, q, qbasic, rails, rebol, reg, rexx, robots, rpmspec, rsplus, ruby, sas, scala, scheme, scilab, sdlbasic, smalltalk, smarty, spark, sparql, sql, stonescript, systemverilog, tcl, teraterm, text, thinbasic, tsql, typoscript, unicon, upc, urbi, uscript, vala, vb, vbnet, vedit, verilog, vhdl, vim, visualfoxpro, visualprolog, whitespace, whois, winbatch, xbasic, xml, xorg_conf, xpp, yaml, z80, zxbasic


ROM:86FFDA00                     DCB "CertPPA",0                             ; CertPPA.cert_mark
ROM:86FFDA00                     DCD 0                                       ; CertPPA.cert_version
ROM:86FFDA00                     DCD 0                                       ; CertPPA.cert_type
ROM:86FFDA00                     DCD 0                                       ; CertPPA.minver_src
ROM:86FFDA00                     DCD 0                                       ; CertPPA.minver_pk
ROM:86FFDA00                     DCD 0                                       ; CertPPA.minver_ppa
ROM:86FFDA00                     DCD 0                                       ; CertPPA.minver_rd1
ROM:86FFDA00                     DCD 0                                       ; CertPPA.minver_rd2
ROM:86FFDA00                     DCD 0                                       ; CertPPA.minver_isw
ROM:86FFDA00                     DCD 0x1DC, 0x1474, 0x12D4378A, 0xF1CC7717, 0x720919A6; CertPPA.image_01.data_byte
ROM:86FFDA00                     DCD 0x306817C4, 0x5B11F5EB                  ; CertPPA.image_01.data_byte
ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPPA.zero_hole
ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPPA.zero_hole
ROM:86FFDA00                     DCB 0xFF, 0xDD, 0x82, 0x4A, 0, 0, 0, 0, 0x30, 2, 0, 0; CertPPA.digest.signer_info
ROM:86FFDA00                     DCB 0, 0, 0, 0                              ; CertPPA.digest.signer_info
ROM:86FFDA00                     DCD 0                                       ; CertPPA.digest.signature_info
ROM:86FFDA00                     DCD 2                                       ; CertPPA.digest.key_id
ROM:86FFDA00                     DCB 0x71, 0xA0, 0x9E, 0xBD, 0x2A, 0xC1, 0xB7, 8, 0xC7; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0xC0, 0xED, 0xEF, 4, 0xAE, 0x99, 0x27, 0x5C, 0x34; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0xAE, 0xF4, 0x7A, 0xEA, 0x60, 0x36, 0x17, 0x8B, 0xE5; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0x16, 0x31, 0xBC, 0xFF, 0x5E, 0xA0, 0x78, 0x7B, 0x43; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0xBE, 0xA0, 0xDD, 4, 0x28, 0x16, 0xA7, 0xD9, 0x44; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0x95, 0x97, 0xEF, 0xD6, 0x9D, 0x9E, 0xAD, 0xD0, 0x59; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0x3C, 0x40, 0xA4, 0x32, 0xDA, 0x15, 0x4C, 0x61, 0x39; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0x73, 0x9A, 0xC4, 0x11, 0x3B, 0x29, 0xC9, 0x79, 0x22; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0xFA, 0xD6, 0x10, 0xED, 0x34, 0x8B, 0x9C, 0xC3, 0x87; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0x73, 0xA4, 0x70, 0xC6, 0xB8, 0x7C, 0x8E, 0xA1, 0xCC; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0x5C, 0x90, 0x42, 0x5D, 0x89, 0xE6, 0x1D, 0xBD, 0x79; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0xE3, 0xBF, 0x78, 0x13, 0x25, 0xB, 0, 0x86, 0x93, 0x7B; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0xF5, 0x13, 0x65, 0x52, 0x1E, 0x4D, 3, 7, 0xDF, 0x3E; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0x43, 0x57, 0x2D, 0xD2, 0xF9, 0x30, 0x6C, 0x9F, 0x8A; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0xB6, 0xA7, 0x33, 0x67, 0x3C, 0xBF, 0x1E, 0xD0, 0x7D; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0x7E, 0x46, 0x47, 0x2C, 0x89, 0xE9, 0xF5, 0x5F, 0x9C; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0xF4, 0x33, 0x8E, 0xF3, 0x57, 0xBB, 0x44, 0x94, 0x3C; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0xC4, 0x3E, 0xAE, 0x31, 0xC8, 0x8D, 0xE4, 0x69, 0xAE; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0x33, 0x4D, 0xF6, 0x82, 0x3C, 0x34, 0x69, 0x6A, 0x46; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0xA8, 8, 0xF5, 0xBA, 0x52, 0x7D, 0x99, 0x87, 0x9A; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0x65, 0x17, 0x8F, 0x87, 0xC0, 0xA8, 0xB7, 0x4C, 0xF5; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0x11, 0x18, 0xC5, 0xCB, 0xCA, 0x5E, 0x9A, 0xB1, 0xED; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0x30, 7, 7, 0xB8, 0x9D, 0x5A, 0x85, 0xAB, 0x68, 0xD1; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0xA5, 0x3A, 0xC, 3, 0x5F, 0x1C, 0x86, 0x3F, 0x45, 0xD7; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0x9E, 0x2A, 5, 0xEB, 0xD1, 0x89, 0x2C, 0xC, 0x78, 0xD9; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0x96, 0x66, 0x22, 0x87, 0x92, 0x54, 0xD5, 0xE, 0x2E; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0xF6, 0x36, 0xB3, 0x6E, 0x5F, 0x93, 0x86, 0x19, 0xCC; CertPPA.digest.digest
ROM:86FFDA00                     DCB 0x93, 0x8E, 0x9F, 0xCE, 0xAA, 0xB8, 0x95, 0x44; CertPPA.digest.digest

CertISW

This is certificate of Initial Software Image, which is most important part of mbmloader

Invalid language.

You need to specify a language like this: <source lang="html4strict">...</source>

Supported languages for syntax highlighting:

4cs, 6502acme, 6502kickass, 6502tasm, 68000devpac, abap, actionscript, actionscript3, ada, algol68, apache, applescript, apt_sources, arm, asm, asp, asymptote, autoconf, autohotkey, autoit, avisynth, awk, bascomavr, bash, basic4gl, bf, bibtex, blitzbasic, bnf, boo, c, c_loadrunner, c_mac, caddcl, cadlisp, cfdg, cfm, chaiscript, cil, clojure, cmake, cobol, coffeescript, cpp, cpp-qt, csharp, css, cuesheet, d, dcl, dcpu16, dcs, delphi, diff, div, dos, dot, e, ecmascript, eiffel, email, epc, erlang, euphoria, f1, falcon, fo, fortran, freebasic, freeswitch, fsharp, gambas, gdb, genero, genie, gettext, glsl, gml, gnuplot, go, groovy, gwbasic, haskell, haxe, hicest, hq9plus, html4strict, html5, icon, idl, ini, inno, intercal, io, j, java, java5, javascript, jquery, kixtart, klonec, klonecpp, latex, lb, ldif, lisp, llvm, locobasic, logtalk, lolcode, lotusformulas, lotusscript, lscript, lsl2, lua, m68k, magiksf, make, mapbasic, matlab, mirc, mmix, modula2, modula3, mpasm, mxml, mysql, nagios, netrexx, newlisp, nsis, oberon2, objc, objeck, ocaml, ocaml-brief, octave, oobas, oorexx, oracle11, oracle8, oxygene, oz, parasail, parigp, pascal, pcre, per, perl, perl6, pf, php, php-brief, pic16, pike, pixelbender, pli, plsql, postgresql, povray, powerbuilder, powershell, proftpd, progress, prolog, properties, providex, purebasic, pycon, pys60, python, q, qbasic, rails, rebol, reg, rexx, robots, rpmspec, rsplus, ruby, sas, scala, scheme, scilab, sdlbasic, smalltalk, smarty, spark, sparql, sql, stonescript, systemverilog, tcl, teraterm, text, thinbasic, tsql, typoscript, unicon, upc, urbi, uscript, vala, vb, vbnet, vedit, verilog, vhdl, vim, visualfoxpro, visualprolog, whitespace, whois, winbatch, xbasic, xml, xorg_conf, xpp, yaml, z80, zxbasic


ROM:87000000                     DCB "CertISW",0                             ; cert_mark
ROM:87000000                     DCD 0                                       ; cert_version
ROM:87000000                     DCD 0                                       ; cert_type
ROM:87000000                     DCD 0                                       ; minver_src
ROM:87000000                     DCD 0                                       ; minver_pk
ROM:87000000                     DCD 0                                       ; minver_ppa
ROM:87000000                     DCD 0                                       ; minver_rd1
ROM:87000000                     DCD 0                                       ; minver_rd2
ROM:87000000                     DCD 0                                       ; minver_isw
ROM:87000000                     DCD 0                                       ; watchdog_param
ROM:87000000                     DCD 0                                       ; use_DMA
ROM:87000000                     DCD 1                                       ; images_number
ROM:87000000                     DCD 0x350, 0xBB3C, 0x5B276134, 0xE8DB7FAA, 0x19484C32; image_01.data_byte
ROM:87000000                     DCD 0xFF8CCD72, 0xCE925D68                  ; image_01.data_byte
ROM:87000000                     DCD 0, 0, 0, 0, 0, 0, 0                     ; image_02.data_byte
ROM:87000000                     DCD 0, 0, 0, 0, 0, 0, 0                     ; image_03.data_byte
ROM:87000000                     DCD 0, 0, 0, 0, 0, 0, 0                     ; image_04.data_byte
ROM:87000000                     DCD 0x16793A22                              ; magic_1
ROM:87000000                     DCD 0b11111111111111111111111111111111      ; reg_bitfield
ROM:87000000                     DCD 0x48004D30                              ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0x48004934                              ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0x48004948                              ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0x48004944                              ; reg_table.reg_address
ROM:87000000                     DCD 1                                       ; reg_table.reg_value
ROM:87000000                     DCD 0x48004940                              ; reg_table.reg_address
ROM:87000000                     DCD 0x1F419                                 ; reg_table.reg_value
ROM:87000000                     DCD 0x48004D40                              ; reg_table.reg_address
ROM:87000000                     DCD 0x8A00C00                               ; reg_table.reg_value
ROM:87000000                     DCD 0x48004D00                              ; reg_table.reg_address
ROM:87000000                     DCD 0x770077                                ; reg_table.reg_value
ROM:87000000                     DCD 0x48004904                              ; reg_table.reg_address
ROM:87000000                     DCD 0x37                                    ; reg_table.reg_value
ROM:87000000                     DCD 0x48004924                              ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0x48004D20                              ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_table.reg_address
ROM:87000000                     DCD 0                                       ; reg_table.reg_value
ROM:87000000                     DCD 0                                       ; reg_type_01
ROM:87000000                     DCD 0x300                                   ; reg_type_02
ROM:87000000                     DCD 0x350                                   ; image_offset
ROM:87000000                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; zero_hole
ROM:87000000                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; zero_hole
ROM:87000000                     DCB 0x52, 0x98, 0xE1, 0x4A, 0, 0, 0, 0, 0x3D, 6, 0, 0; digest.signer_info
ROM:87000000                     DCB 0, 0, 0, 0                              ; digest.signer_info
ROM:87000000                     DCD 0                                       ; digest.signature_info
ROM:87000000                     DCD 3                                       ; digest.key_id
ROM:87000000                     DCB 0x21, 0xBF, 0x48, 0x4A, 0x3A, 0x45, 0xB, 0x94, 0x67; digest.digest
ROM:87000000                     DCB 0xBA, 0xC5, 0xC5, 0x7D, 0xC7, 0xA6, 0x6B, 0xBC, 0x59; digest.digest
ROM:87000000                     DCB 0xFE, 0xC0, 0x8D, 0xD4, 0xAE, 0xCD, 0xD6, 0x41, 0x5C; digest.digest
ROM:87000000                     DCB 0xDC, 0x23, 6, 0x3F, 0x33, 0xC3, 0x25, 0xAC, 0x8B; digest.digest
ROM:87000000                     DCB 0xD0, 0x69, 0xF, 0xD2, 0xB1, 0x77, 0xCB, 0x63, 0xD7; digest.digest
ROM:87000000                     DCB 0xE, 0x3A, 0x5B, 0x92, 0x6D, 0xA, 0xF1, 0x5C, 0x29; digest.digest
ROM:87000000                     DCB 0x1F, 0x5E, 0x99, 0xF5, 0xB8, 0x81, 0x9C, 2, 0x87; digest.digest
ROM:87000000                     DCB 0x17, 0x1D, 0x45, 0x5E, 0x5D, 0x47, 0xA9, 0x2B, 2; digest.digest
ROM:87000000                     DCB 0x46, 0x25, 0xA2, 0x1F, 0xC2, 0x5E, 0x50, 0xA5, 0x24; digest.digest
ROM:87000000                     DCB 0x85, 0x1E, 0xC5, 0xE7, 0xC8, 0x87, 0xC6, 0xF4, 0x50; digest.digest
ROM:87000000                     DCB 0xB1, 0x65, 0xC0, 0xF6, 0xB9, 0x79, 0xC1, 0xC9, 0xFC; digest.digest
ROM:87000000                     DCB 0x54, 0x98, 0x30, 0xE4, 0x14, 0xC7, 0xB7, 0x4B, 0x92; digest.digest
ROM:87000000                     DCB 0xC1, 0xAE, 0x4E, 0xDB, 0x3B, 0x79, 0xD9, 0x91, 0x45; digest.digest
ROM:87000000                     DCB 0x9A, 0xE9, 0x28, 0xC, 0x3B, 0xEF, 0x42, 0x53, 0x6D; digest.digest
ROM:87000000                     DCB 0x9C, 0xEF, 0xB6, 0x37, 0xAC, 0xBF, 0x72, 0xF7, 0xE3; digest.digest
ROM:87000000                     DCB 0x33, 0xDC, 0x67, 0x22, 0x56, 0x77, 9, 0x54, 0x9D; digest.digest
ROM:87000000                     DCB 0x45, 0x62, 0x84, 0x72, 0x55, 0xC1, 0x38, 0xC, 0x6A; digest.digest
ROM:87000000                     DCB 1, 0x67, 0x1B, 0xE6, 0xEE, 0xD0, 0x2B, 0xD9, 0x78; digest.digest
ROM:87000000                     DCB 0x56, 0x7F, 0xCB, 0x19, 0xF, 0x3D, 0x46, 0xE6, 0xFA; digest.digest
ROM:87000000                     DCB 0x81, 0x90, 0x7A, 0xBC, 0x96, 0xAB, 0x58, 0x81, 0xB1; digest.digest
ROM:87000000                     DCB 0xB2, 0x62, 0x60, 0x66, 0x1E, 0xFE, 0xB6, 0x1F, 0x48; digest.digest
ROM:87000000                     DCB 0x1A, 0x98, 0xEC, 0xA3, 0xE4, 0xFF, 0x62, 0xF, 0x9F; digest.digest
ROM:87000000                     DCB 0xEA, 0xA, 0x37, 0xBB, 0x80, 0xF0, 0xE2, 0xA3, 0x1F; digest.digest
ROM:87000000                     DCB 0xBD, 0xB8, 0xEE, 0xE9, 0x11, 0x9D, 0x98, 0x15, 1; digest.digest
ROM:87000000                     DCB 0x37, 0x3C, 0xA7, 0xCB, 0x5F, 0xB2, 0x37, 0x5E, 0xFD; digest.digest
ROM:87000000                     DCB 0xFC, 0x37, 0xCE, 0x80, 9, 0xB8, 0x56, 0x74, 0xFF; digest.digest
ROM:87000000                     DCB 0x83, 0xEF, 0xD0, 0xE0, 0x3E, 0x8F, 0xC7, 0xF, 0x1C; digest.digest
ROM:87000000                     DCB 0x67, 0xFE, 0x58, 0xE6, 0xE6, 0x8D, 0x65, 0x4A, 0xF4; digest.digest
ROM:87000000                     DCB 0x20, 0xF9, 0xAD, 0x8D                  ; digest.digest


Finding a hash collision

Finding a new key whose sha1 hash collides with the one stored in hardware would be a very difficult task too, but as far as we know it has not been proven to be as hard as cracking the key directly. The generate & test method is probably useless here, though. This statement was being left from the beginning when the certificates inside mbmloader was not fully understood. The hardware stores the hash of the root public key for validating the public key inside mbmloader's pk cert section. And the private key of it is used to sign the sha1 hash of the ISW content. So finding a hash collision means to modify the ISW content in a way that could benefit us(like patching further signature checking) while retaining the same hash value.

Moreover, finding a fast hash collision on the sha1(root_public_key)(not the brute-force way from RSA components -> modulus -> hash), even succeeded, will simply repeat the public key -> private key problem.

Some useful information about RSA cryptoanalisys

First of all - read this Cryptoanalisys on Wikipedia

As we know may be useful thease methods:

Classical cryptanalysis:

Hash functions:

Attack models:

Side channel attacks:

External attacks:

Useful literature for studying:

  1. U.S. Patent 4405829
  2. Cracking RSA-500
  3. Cracking RSA-500
  4. A. Menezes, P. van Oorschot, S. Vanstone. RSA public-key encryption // Handbook of Applied Cryptography. , 1996.
  5. Boneh, Dan (1999). "Twenty Years of attacks on the RSA Cryptosystem". Notices of the American Mathematical Society (AMS) 46 (2): 203–213.
  6. Factorisation of RSA-768
  7. Factorisation of RSA-768
  8. Applied Cryptography sources in C, Brus Shnaier
  9. Applied Crypto, Brus Shnaier