Cryptography

From MILEDROPEDIA
Jump to: navigation, search

Contents

Description

As described in the introduction to the mbmloader-replacement attack, there's a cryptographic signature in the mbmloader, which is verified by the OMAP hardware. According to Texas Instrument's documents, this cryptographic signature is based on a 128-bit RSA key((according to promotional information; moreover, the TI eFuse patent describes a 128bit key. The signing tool document says it needs sha1 and rsa. Do not confuse this key with the one used by mbmloader to check mbm further down the boot chain - that key is probably much harder to crack and is not the subject of this attack.)). By cracking that key we would be able to load a modified mbmloader that didn't verify mbm's signature, thus being able to patching mbm to not check the boot image's signature.

SHA1

Milestone, Charm Root key hash: "\x1d\x3f\xb6\x62\x79\x4d\x8c\x70\xfb\x57\xb4\xcb\x49\x2e\x27\xf6\x6f\x15\x2e\x4f"

Milestone 2 Root key hash: "\x9e\xa1\x7a\xc5\x32\x2d\xfe\x31\x96\xbc\x48\x2e\x7b\xea\xfc\x15\xf3\x78\x65\x87"

Get and compile code from https://bitbucket.org/droiddev/hash_collision_search

hg clone https://droiddev@bitbucket.org/droiddev/hash_collision_search
cd hash_collision_search
make
./hash_collision

RSA

OMAP3xxx support 2048-bits, 1024-bits and 512-bits root/primary keys.

Production Root Key:

R&D Root Key:

mbmloader keys

There can be about 7 keys in CertPK section:

  1. struct certpk {
  2. 		char cert_mark[8];
  3. 		long cert_version;
  4. 		long cert_type;
  5. 		long minver_pk;
  6. 		long minver_ppa;
  7. 		long minver_rd1;
  8. 		long minver_rd2;
  9. 		long minver_isw;
  10. 		long minver_ki;
  11. 		long minver_pau;
  12. 		long minver_pas;
  13. 		long unkn1;
  14. 		struct {
  15. 			long key_id;
  16. 			long key_type;
  17. 			long key_rights;
  18. 			long modul_length;
  19. 			long e_value;
  20. 			char modul[256];
  21. 		} root_key;
  22. 		long keys_active;
  23. 		struct {
  24. 			long key_id;
  25. 			long key_type;
  26. 			long key_rights;
  27. 			long modul_length;
  28. 			long e_value;
  29. 			char modul[256];
  30. 		} key_02;
  31. 		struct {
  32. 			long key_id;
  33. 			long key_type;
  34. 			long key_rights;
  35. 			long modul_length;
  36. 			long e_value;
  37. 			char modul[256];
  38. 		} key_03;
  39. 		struct {
  40. 			long key_id;
  41. 			long key_type;
  42. 			long key_rights;
  43. 			long modul_length;
  44. 			long e_value;
  45. 			char modul[256];
  46. 		} key_04;
  47. 		struct {
  48. 			long key_id;
  49. 			long key_type;
  50. 			long key_rights;
  51. 			long modul_length;
  52. 			long e_value;
  53. 			char modul[256];
  54. 		} key_05;
  55. 		struct {
  56. 			long key_id;
  57. 			long key_type;
  58. 			long key_rights;
  59. 			long modul_length;
  60. 			long e_value;
  61. 			char modul[256];
  62. 		} key_06;
  63. 		struct {
  64. 			long key_id;
  65. 			long key_type;
  66. 			long key_rights;
  67. 			long modul_length;
  68. 			long e_value;
  69. 			char modul[256];
  70. 		} key_07;
  71. 		long rights;
  72. 		long msv_mask;
  73. 		char zero_hole_2[120];
  74. 		struct {
  75. 			char signer_info[16];
  76. 			long signature_info;
  77. 			long key_id;
  78. 			char digest[256];
  79. 		} digest;
  80. };

Root Public Key

This is an root key. There pub key 1 (which is checked before bootloader start) in PEM format converted from pk.bin

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4X9+giOEtXjhyN84Qbbv
HdwF+CHUqKtCyTJoDL+5lVovy+enTKCVFdWFFko6O39cD0fUF4EMVCuOVWdlt5kQ
JPBYMqHVbV8653/T5ij+JNCyKWxSCZ071XQaM2RUg5YexpezSjn837UVyEm7bng1
p1+JZfpPvWEFtPC5+deGydrffg6MwHrTwf0kO0PCEJG47LWDIKuFXX/IVZj9mmOh
3gthj3xFKW2cvaem+yQrDcqxz07RAwd+++WqlISYnjL/JW2TXc/ZgfssLyryTeLo
JdLKzWWGMz42n7rhiYraejw2Cx/eGcwXL7ah5VfEj40hS5Ztposhym7Jat3ueWsP
aQIDAQAB
-----END PUBLIC KEY-----

here is parsed key:

openssl rsa -in PK1.pem -pubin -text -noout
Modulus (2048 bit):
    00:e1:7f:7e:82:23:84:b5:78:e1:c8:df:38:41:b6:
    ef:1d:dc:05:f8:21:d4:a8:ab:42:c9:32:68:0c:bf:
    b9:95:5a:2f:cb:e7:a7:4c:a0:95:15:d5:85:16:4a:
    3a:3b:7f:5c:0f:47:d4:17:81:0c:54:2b:8e:55:67:
    65:b7:99:10:24:f0:58:32:a1:d5:6d:5f:3a:e7:7f:
    d3:e6:28:fe:24:d0:b2:29:6c:52:09:9d:3b:d5:74:
    1a:33:64:54:83:96:1e:c6:97:b3:4a:39:fc:df:b5:
    15:c8:49:bb:6e:78:35:a7:5f:89:65:fa:4f:bd:61:
    05:b4:f0:b9:f9:d7:86:c9:da:df:7e:0e:8c:c0:7a:
    d3:c1:fd:24:3b:43:c2:10:91:b8:ec:b5:83:20:ab:
    85:5d:7f:c8:55:98:fd:9a:63:a1:de:0b:61:8f:7c:
    45:29:6d:9c:bd:a7:a6:fb:24:2b:0d:ca:b1:cf:4e:
    d1:03:07:7e:fb:e5:aa:94:84:98:9e:32:ff:25:6d:
    93:5d:cf:d9:81:fb:2c:2f:2a:f2:4d:e2:e8:25:d2:
    ca:cd:65:86:33:3e:36:9f:ba:e1:89:8a:da:7a:3c:
    36:0b:1f:de:19:cc:17:2f:b6:a1:e5:57:c4:8f:8d:
    21:4b:96:6d:a6:8b:21:ca:6e:c9:6a:dd:ee:79:6b:
    0f:69
Exponent: 65537 (0x10001)

so, we have:

  • Modulus n = this big value
  • Public exponent e = 65537
  • Private exponent d can be computed from this formula
    e * d == 1 (mod \lambda(n))

Public Key 2

Purpose: Using for signing PPA image

There pub key 2 in PEM format converted from pk.bin

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6fQN0oMcUWxzMgR2OQS2
D3oOcI0MrCWMMQaKyJb/VcZorJ15Fb2SSsItB4XWCRdLxz8T7KECGsASWKJhwM3K
2f/Ci5scckovs/8qxtogJUmkyyELiB+m8fIq0it6YZImK5P8FmkIiZsBa/lgErA9
VAj53c+LPdoEhWDabpFAh/N9zzYx7d1k+qx2ZBfjB236aMgMNzjldbRdI8bH7ND0
+9JK6QHUwrnqv7YooGr3EbC4xZ8VMZHklr8EhbkdvUoYRY8R90q/jb8DDsKHm9F0
PePzwiksRFy92ryeBonDWvRi4ascczGHGbQfo+gfSEETFZbw9G+WfrpWc8nH1XEI
5QIDAQAB
-----END PUBLIC KEY-----

here is parsed key:

openssl rsa -in PK2.pem -pubin -text -noout
Public-Key: (2048 bit)
Modulus:
    00:e9:f4:0d:d2:83:1c:51:6c:73:32:04:76:39:04:
    b6:0f:7a:0e:70:8d:0c:ac:25:8c:31:06:8a:c8:96:
    ff:55:c6:68:ac:9d:79:15:bd:92:4a:c2:2d:07:85:
    d6:09:17:4b:c7:3f:13:ec:a1:02:1a:c0:12:58:a2:
    61:c0:cd:ca:d9:ff:c2:8b:9b:1c:72:4a:2f:b3:ff:
    2a:c6:da:20:25:49:a4:cb:21:0b:88:1f:a6:f1:f2:
    2a:d2:2b:7a:61:92:26:2b:93:fc:16:69:08:89:9b:
    01:6b:f9:60:12:b0:3d:54:08:f9:dd:cf:8b:3d:da:
    04:85:60:da:6e:91:40:87:f3:7d:cf:36:31:ed:dd:
    64:fa:ac:76:64:17:e3:07:6d:fa:68:c8:0c:37:38:
    e5:75:b4:5d:23:c6:c7:ec:d0:f4:fb:d2:4a:e9:01:
    d4:c2:b9:ea:bf:b6:28:a0:6a:f7:11:b0:b8:c5:9f:
    15:31:91:e4:96:bf:04:85:b9:1d:bd:4a:18:45:8f:
    11:f7:4a:bf:8d:bf:03:0e:c2:87:9b:d1:74:3d:e3:
    f3:c2:29:2c:44:5c:bd:da:bc:9e:06:89:c3:5a:f4:
    62:e1:ab:1c:73:31:87:19:b4:1f:a3:e8:1f:48:41:
    13:15:96:f0:f4:6f:96:7e:ba:56:73:c9:c7:d5:71:
    08:e5
Exponent: 65537 (0x10001)

so, we have:

  • Modulus n = this big value
  • Public exponent e = 65537
  • Private exponent d can be computed from this formula
    e * d == 1 (mod \lambda(n))

Public Key 3

Purpose: Using for signing ISW image

There pub key 3 in PEM format converted from pk.bin

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA37CLGnjxQs/bZTsUm0NG
ayKxS66s0nvH4ONZrKJhI/CmMcdZkqILUf/1mIim5y3wJvvTm1u9dSEexBadXpLA
QuqeBsoWMWogbK8OdjTN9OqK2+5HUgJxL/TbjrtJ539IhVaUwXw3nkuNFmUtH02w
dtZpQ1+61DM5gnxAuiuSrqjOZz3FFDMUpwUTyWqL/UZbjwvp1N46aQTgv6XvLVTG
FTjzQAaPgy6jxyLvsXg7Ah14PuYv4WSirh8ErRYouqleRx8RmdSWDqAnGVEuOtwG
pHqLKgXV7wxlEYv5Ww5L/b88gG+bxBDX3ujvxTI/eiSykQlCTl4HgS0lE/pGvzRx
wQIDAQAB
-----END PUBLIC KEY-----

here is parsed key:

openssl rsa -in PK3.pem -pubin -text -noout
Public-Key: (2048 bit)
Modulus:
    00:df:b0:8b:1a:78:f1:42:cf:db:65:3b:14:9b:43:
    46:6b:22:b1:4b:ae:ac:d2:7b:c7:e0:e3:59:ac:a2:
    61:23:f0:a6:31:c7:59:92:a2:0b:51:ff:f5:98:88:
    a6:e7:2d:f0:26:fb:d3:9b:5b:bd:75:21:1e:c4:16:
    9d:5e:92:c0:42:ea:9e:06:ca:16:31:6a:20:6c:af:
    0e:76:34:cd:f4:ea:8a:db:ee:47:52:02:71:2f:f4:
    db:8e:bb:49:e7:7f:48:85:56:94:c1:7c:37:9e:4b:
    8d:16:65:2d:1f:4d:b0:76:d6:69:43:5f:ba:d4:33:
    39:82:7c:40:ba:2b:92:ae:a8:ce:67:3d:c5:14:33:
    14:a7:05:13:c9:6a:8b:fd:46:5b:8f:0b:e9:d4:de:
    3a:69:04:e0:bf:a5:ef:2d:54:c6:15:38:f3:40:06:
    8f:83:2e:a3:c7:22:ef:b1:78:3b:02:1d:78:3e:e6:
    2f:e1:64:a2:ae:1f:04:ad:16:28:ba:a9:5e:47:1f:
    11:99:d4:96:0e:a0:27:19:51:2e:3a:dc:06:a4:7a:
    8b:2a:05:d5:ef:0c:65:11:8b:f9:5b:0e:4b:fd:bf:
    3c:80:6f:9b:c4:10:d7:de:e8:ef:c5:32:3f:7a:24:
    b2:91:09:42:4e:5e:07:81:2d:25:13:fa:46:bf:34:
    71:c1
Exponent: 65537 (0x10001)

so, we have:

  • Modulus n = this big value
  • Public exponent e = 65537
  • Private exponent d can be computed from this formula
    e * d == 1 (mod \lambda(n))

Public Key 4

There pub key 4 in PEM format converted from pk.bin

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5UNGprRKRboeL0vrajgp
rrOTPWDdlpKmbmHcuCEybe/VGaBPVFlwdWH7Ksm1+XJAYnwO4IfSw8+L2CxtyMRU
e/hN6yCo2vSdc6HkW68HMoiSFVI3oZORmiYuf2zc1wqlprrmCR9tpeFQvKGX4kMP
Gr6n2/g+GwLpa0jR68Q8fK6v4//7akYSMl2Vt+YiJw4DlGrF6q1BBlV41ZBUDZUs
lkdTTeuqDy+gOUhfQ6W4U7DjaLuveR5jtX1KgZU4FvLVixauZo1KEsNhvYZRvLAJ
DyKMqRTyIuopDRrKYdOKEZIiU00RXJHfnxFo2KaX/ZnRqS2N+bSc3ddt82Wp0Qe4
pgIDAQAB
-----END PUBLIC KEY-----

here is parsed key:

openssl rsa -in PK4.pem -pubin -text -noout
Public-Key: (2048 bit)
Modulus:
    00:e5:43:46:a6:b4:4a:45:ba:1e:2f:4b:eb:6a:38:
    29:ae:b3:93:3d:60:dd:96:92:a6:6e:61:dc:b8:21:
    32:6d:ef:d5:19:a0:4f:54:59:70:75:61:fb:2a:c9:
    b5:f9:72:40:62:7c:0e:e0:87:d2:c3:cf:8b:d8:2c:
    6d:c8:c4:54:7b:f8:4d:eb:20:a8:da:f4:9d:73:a1:
    e4:5b:af:07:32:88:92:15:52:37:a1:93:91:9a:26:
    2e:7f:6c:dc:d7:0a:a5:a6:ba:e6:09:1f:6d:a5:e1:
    50:bc:a1:97:e2:43:0f:1a:be:a7:db:f8:3e:1b:02:
    e9:6b:48:d1:eb:c4:3c:7c:ae:af:e3:ff:fb:6a:46:
    12:32:5d:95:b7:e6:22:27:0e:03:94:6a:c5:ea:ad:
    41:06:55:78:d5:90:54:0d:95:2c:96:47:53:4d:eb:
    aa:0f:2f:a0:39:48:5f:43:a5:b8:53:b0:e3:68:bb:
    af:79:1e:63:b5:7d:4a:81:95:38:16:f2:d5:8b:16:
    ae:66:8d:4a:12:c3:61:bd:86:51:bc:b0:09:0f:22:
    8c:a9:14:f2:22:ea:29:0d:1a:ca:61:d3:8a:11:92:
    22:53:4d:11:5c:91:df:9f:11:68:d8:a6:97:fd:99:
    d1:a9:2d:8d:f9:b4:9c:dd:d7:6d:f3:65:a9:d1:07:
    b8:a6
Exponent: 65537 (0x10001)

so, we have:

  • Modulus n = this big value
  • Public exponent e = 65537
  • Private exponent d can be computed from this formula
    e * d == 1 (mod \lambda(n))

CertPPA

  1. struct certppa {
  2. 	char cert_mark[8];
  3. 	long cert_version;
  4. 	long cert_type;
  5. 	long minver_src;
  6. 	long minver_pk;
  7. 	long minver_ppa;
  8. 	long minver_rd1;
  9. 	long minver_rd2;
  10. 	long minver_isw;
  11. 	struct {
  12. 		int image_offset;
  13. 		int image_size;
  14. 		int data_byte[5];
  15. 	} images[4];
  16. 	char zero_hole[128];
  17. 	struct {
  18. 		char signer_info[16];
  19. 		long signature_info;
  20. 		long key_id;
  21. 		char digest[256];
  22. 	} digest;
  23. };

CertISW

  1. struct certisw {
  2. 	char cert_mark[8];
  3. 	int cert_version;
  4. 	int cert_type;
  5. 	int minver_src;
  6. 	int minver_pk;
  7. 	int minver_ppa;
  8. 	int minver_rd1;
  9. 	int minver_rd2;
  10. 	int minver_isw;
  11. 	int watchdog_param;
  12. 	int use_DMA;
  13. 	int active_images;
  14. 	struct {
  15. 		int image_offset;
  16. 		int image_size;
  17. 		int data_byte[5];
  18. 	} images[4];
  19. 	int magic_1; // Mark for SpeedUp parsing registers table
  20. 	int reg_bitfield; // Mask for SpeedUp parsing registers table
  21. 	struct {
  22. 		int reg_address;
  23. 		int reg_value;
  24. 	} reg_table[32]; // SpeedUp parsing registers table
  25. 	int reg_type_01;
  26. 	int reg_type_02;
  27. 	int entry_point_offset;
  28. 	int zero_hole[32];
  29. 	struct {
  30. 		char signer_info[16];
  31. 		long signature_info;
  32. 		long key_id;
  33. 		char digest[256];
  34. 	} digest;
  35. };

End of mbmloader

  1. struct {
  2.       char modul[128];
  3.       long exponent;
  4.       void* modul_pointer;
  5.       __int16 exponent_length;
  6.       __int16 modul_length;
  7.       long unknw;
  8. } key;
ROM:8700BA18     rsa1024_modul   DCB 0xA0, 0xFC, 0x8F, 0xAF, 0x18, 0x57, 0x7F, 0xC9, 0x73; modul
ROM:8700BA18                                                                 ; DATA XREF: ROM:rsa1024_modul�o
ROM:8700BA18                     DCB 2, 0xCE, 0xB4, 0x31, 0x52, 0xAC, 0x90, 0x5A, 0x89; modul
ROM:8700BA18                     DCB 0xDA, 0x6D, 0xD0, 0x14, 0x3E, 0xB3, 0xB2, 0xCC, 0x12; modul
ROM:8700BA18                     DCB 0xC8, 0xA1, 0x77, 0x9C, 0xF7, 0xCB, 0x72, 0x77, 0xC9; modul
ROM:8700BA18                     DCB 0x6F, 0x9E, 0xA6, 0x73, 0x79, 0x8E, 0x79, 0x51, 0xFC; modul
ROM:8700BA18                     DCB 0xC1, 0x5D, 0x82, 0xA3, 0xE6, 0xF, 0x68, 3, 0x93, 0x5E; modul
ROM:8700BA18                     DCB 0x5B, 0x18, 0xFD, 0xE0, 0x6F, 3, 0xD7, 0x8A, 0xAB; modul
ROM:8700BA18                     DCB 0x24, 0xC9, 0x70, 0xA, 0xB4, 0xB8, 0x98, 0xB9, 8, 0x75; modul
ROM:8700BA18                     DCB 7, 0x95, 0xD3, 0x52, 0x98, 2, 0xF9, 0x1D, 8, 0xAE; modul
ROM:8700BA18                     DCB 0x3D, 0x2D, 0x34, 0x51, 0x25, 0xDC, 0xB9, 0x5C, 0xBE; modul
ROM:8700BA18                     DCB 0xAB, 0x85, 0x3C, 0x7D, 0x35, 0x77, 0x9D, 7, 0xA0; modul
ROM:8700BA18                     DCB 0xAA, 0xB2, 0x30, 0xAB, 0xC4, 0x4B, 0xB4, 0xB3, 0xEE; modul
ROM:8700BA18                     DCB 0xF, 0x48, 0xB4, 0x4B, 0x8B, 0x75, 5, 0x72, 0x72, 0x91; modul
ROM:8700BA18                     DCB 0x20, 0x16, 0x24, 0x27, 0x3B, 0x63, 0xCF; modul
ROM:8700BA18                     DCD 65537                                   ; exponent
ROM:8700BA18                     DCD rsa1024_modul                           ; modul_pointer
ROM:8700BA18                     DCW 3                                       ; exponent_length
ROM:8700BA18                     DCW 128                                     ; modul_length
ROM:8700BA18                     DCD 1                                       ; unknw

Signatures

CertPK

CertPPA

CertISW

signed with 512 RSA

mbm

boot.img/recovery.img

A detailed explanation of the signature block on boot/recovery partitions can be found on BootRecoverySignature.

Hypothesis

We can obtain the signature and the ciphertext checked by the OMAP hardware. If a public key algorithm is used, we can obtain the public key. We can know the signature's formula (sha1 hash signed with rsa?). We can crack the key in reasonable time.

Problems

Extracting ciphertext and signature

User kokone has done some very interesting work on this:

  • File:ReadMBMLoader.c, File:ReadMBMLoader.h
  • This program dumps the 4 Public Keys stored in PKCerts_ as .pem format. They are 2048 bits each and used to sign the different parts of the MBMLoader. Signing seems to be SHA-1 Hash with PKCS-1 Padding.
  • Compile using g++ -c ReadMBMLoader.c
  • Link using g++ -o ReadMBMLoader ReadMBMLoader.o -lcrypt -lopenssl
  • To use the source cut out the 2560 bytes starting at 0x400 in the MTD0 dump and save the result as **mbmloader_cert**.
  • kokone's notes: "I used openssl to create private keys and used csst to create the Certificates. CSST is using openssl internally for all the crypto stuff (most likely due to the FIPS certification). With this code I can read out my own public keys but i'm unable to verify the signature so far. The Rights setting tells the OMAP bootloader which keys are valid for which part of the mtd0 filesystem. I'm not really sure which part of the PKCert_ area is used for signing. My experiments are not conclusive. The significance of the MSV Mask is also unknown. According to the Register description of the 2430 the E-Fuses define a 160bit public key. My guess would be the SHA-1 Sum of the public key. One more thing: word ordering in the file is LSB first. The position of Signature Info and Signer Info is not fixed in stone and just a first guess."
  • comment by maui: "MSV seems to be related to the Keys Access Registers (32 bits long) mentioned in the 6.4.8.13 section of the spruf98 TRM".
  • new version, comments by kokone:
    • "It reads and tries to verify all parts of the MBMLoader (besides CHSETTINGS) including PKCerts, PPA and ISW."
    • "The new ReadMBMLoader writes out the binaries contained in the ISW and PPA parts."
    • "PPA contains only a single binary. ISW can contain up to four binaries."
    • "No payload is verified inside the PPA header. The header contains a 160bit checksum (SHA1 for TI sample image) for each binary."

Dump from mbmloader

  1. struct mbmloader_header {
  2.       ....
  3.       struct {
  4.            char modul[128];
  5.            long exponent;
  6.            void* modul_pointer;
  7.            __int16 exponent_length;
  8.            __int16 modul_length;
  9.            long unknw;
  10.       } key_01;
  11.       struct {
  12.            char modul[128];
  13.            long exponent;
  14.            void* modul_pointer;
  15.            __int16 exponent_length;
  16.            __int16 modul_length;
  17.            long unknw;
  18.       } key_02;
  19.       char sha1_hash[20];
  20. };
ROM:87000780                     DCB 0x96, 0x3F, 0x71, 0x19, 0xED, 0xCC, 0xF2, 0x5A, 0x41; key_01.modul
ROM:87000780                     DCB 0x43, 0x8A, 0xB, 0x40, 0, 0x38, 0x7A, 0xA9, 0x4B, 2; key_01.modul
ROM:87000780                     DCB 0xB0, 0xD9, 0x15, 0xBE, 0x73, 0xB3, 0x82, 0x3D, 0x9A; key_01.modul
ROM:87000780                     DCB 0x91, 0xF2, 0xB7, 0x6B, 0xEB, 0x34, 0x3E, 0xC7, 0xA; key_01.modul
ROM:87000780                     DCB 0x33, 0x2E, 0xCF, 7, 0x53, 0xED, 0xD3, 0xBB, 0xBC; key_01.modul
ROM:87000780                     DCB 0x2B, 0xE5, 0x3E, 0x11, 0x2F, 0xEF, 0xEE, 0xD0, 0xB5; key_01.modul
ROM:87000780                     DCB 0xD2, 0x6C, 0x84, 0xC2, 0x22, 0xD1, 0xBE, 0xF7, 0xFA; key_01.modul
ROM:87000780                     DCB 0x5E, 0xD6, 0x5A, 0x1C, 0x33, 0x1C, 0xB2, 0x56, 0xB; key_01.modul
ROM:87000780                     DCB 0xCF, 0xFE, 0xA8, 0x39, 0x16, 0x69, 0x93, 0x22, 0x22; key_01.modul
ROM:87000780                     DCB 0x97, 0xC5, 0xA6, 0xF7, 0x95, 0x80, 0x34, 0x86, 0xA6; key_01.modul
ROM:87000780                     DCB 0x9F, 0xA3, 0x89, 0xE2, 0xDE, 0x5D, 0x13, 0x7A, 0xE2; key_01.modul
ROM:87000780                     DCB 0xBE, 0x92, 0xA6, 0x77, 0x44, 0x9E, 0x1F, 0xAB, 0x93; key_01.modul
ROM:87000780                     DCB 0x82, 0x90, 0x14, 0xB4, 0xAB, 0xAD, 0x47, 0x13, 0x53; key_01.modul
ROM:87000780                     DCB 1, 0xF0, 0x3F, 0xCE, 0xD2, 0x41, 0x4E, 0x93, 0xE7; key_01.modul
ROM:87000780                     DCB 0x61                                    ; key_01.modul
ROM:87000780                     DCD 65537                                   ; key_01.exponent
ROM:87000780                     DCD mbmloader_header.key_01                 ; key_01.modul_pointer
ROM:87000780                     DCW 3                                       ; key_01.exponent_length
ROM:87000780                     DCW 128                                     ; key_01.modul_length
ROM:87000780                     DCD 1                                       ; key_01.unknw
ROM:87000780                     DCB 0xAA, 0x37, 0x78, 0x33, 0xEC, 0x35, 0xFE, 0xB0, 0xDC; key_02.modul
ROM:87000780                     DCB 0xC1, 0x76, 0xB5, 0x80, 0x46, 9, 0x77, 0x30, 0xBD; key_02.modul
ROM:87000780                     DCB 0x53, 0x38, 0xB9, 0x75, 0x98, 0xAB, 0xCC, 0xD8, 0x73; key_02.modul
ROM:87000780                     DCB 0x2D, 0xB, 0xB1, 0xA2, 0x43, 0x90, 0x8E, 0x5D, 0x96; key_02.modul
ROM:87000780                     DCB 2, 0x97, 0x95, 0x1A, 0x1C, 0x32, 0x5D, 0xE7, 0x63; key_02.modul
ROM:87000780                     DCB 0x4E, 0xA, 0x7D, 0x47, 0x13, 0xCD, 0x50, 0x2E, 0x1C; key_02.modul
ROM:87000780                     DCB 0x66, 0x69, 0x8D, 0xFA, 0xA6, 0xF9, 0x99, 0x7E, 0xA8; key_02.modul
ROM:87000780                     DCB 0x19, 0x15, 0x4C, 0xBB, 0x37, 0x2D, 0x29, 0x93, 0xA1; key_02.modul
ROM:87000780                     DCB 0xAF, 0x1F, 0xEA, 0x7B, 0x17, 6, 0xA0, 0xB9, 0x27; key_02.modul
ROM:87000780                     DCB 6, 0xE7, 0xD9, 0x11, 0xC8, 0x18, 0xA3, 0xE3, 0xAC; key_02.modul
ROM:87000780                     DCB 0xED, 0x33, 0x6B, 0x5B, 0x92, 0xC9, 8, 0x63, 0xF7; key_02.modul
ROM:87000780                     DCB 0x82, 0x76, 0xF5, 0x99, 0x83, 0x75, 0x24, 0xE7, 0xA1; key_02.modul
ROM:87000780                     DCB 0x7B, 0xF5, 0x68, 0xE6, 0x91, 0x56, 0x49, 0x51, 0x88; key_02.modul
ROM:87000780                     DCB 0x71, 0xEE, 0xBF, 0xBD, 0x61, 0xAB, 0x2E, 0x79, 0x1A; key_02.modul
ROM:87000780                     DCB 0xDE, 0x55                              ; key_02.modul
ROM:87000780                     DCD 65537                                   ; key_02.exponent
ROM:87000780                     DCD mbmloader_header.key_02                 ; key_02.modul_pointer
ROM:87000780                     DCW 3                                       ; key_02.exponent_length
ROM:87000780                     DCW 128                                     ; key_02.modul_length
ROM:87000780                     DCD 1                                       ; key_02.unknw
ROM:87000780                     DCB 0x6B, 0xD3, 0x98, 0xE2, 0xD6, 0xF0, 0xF8, 0xCF, 0xFC; sha1_hash
ROM:87000780                     DCB 0xD4, 0x96, 0x72, 0x5E, 0xB3, 0xA8, 0xB3, 0x6B, 0xF9; sha1_hash
ROM:87000780                     DCB 0xB1, 0x16                              ; sha1_hash

CertPK

This is a certificate, which contains Public Keys. In Milestone bootloader used only 1-st key.

  1. ROM:86FFDA00                     DCB "CertPK_",0                             ; CertPK.cert_mark
  2. ROM:86FFDA00                     DCD 0                                       ; CertPK.cert_version
  3. ROM:86FFDA00                     DCD 0                                       ; CertPK.cert_type
  4. ROM:86FFDA00                     DCD 0                                       ; CertPK.minver_pk
  5. ROM:86FFDA00                     DCD 0                                       ; CertPK.minver_ppa
  6. ROM:86FFDA00                     DCD 0                                       ; CertPK.minver_rd1
  7. ROM:86FFDA00                     DCD 0                                       ; CertPK.minver_rd2
  8. ROM:86FFDA00                     DCD 0                                       ; CertPK.minver_isw
  9. ROM:86FFDA00                     DCD 0                                       ; CertPK.minver_ki
  10. ROM:86FFDA00                     DCD 0                                       ; CertPK.minver_pau
  11. ROM:86FFDA00                     DCD 0                                       ; CertPK.minver_pas
  12. ROM:86FFDA00                     DCD 0                                       ; CertPK.___________field_30
  13. ROM:86FFDA00                     DCD 1                                       ; CertPK.key_01.key_id
  14. ROM:86FFDA00                     DCD 0                                       ; CertPK.key_01.key_type
  15. ROM:86FFDA00                     DCD 1                                       ; CertPK.key_01.key_rights
  16. ROM:86FFDA00                     DCD 256                                     ; CertPK.key_01.modul_length
  17. ROM:86FFDA00                     DCD 65537                                   ; CertPK.key_01.e_value
  18. ROM:86FFDA00                     DCB 0x69, 0xF, 0x6B, 0x79, 0xEE, 0xDD, 0x6A, 0xC9, 0x6E; CertPK.key_01.modul
  19. ROM:86FFDA00                     DCB 0xCA, 0x21, 0x8B, 0xA6, 0x6D, 0x96, 0x4B, 0x21, 0x8D; CertPK.key_01.modul
  20. ROM:86FFDA00                     DCB 0x8F, 0xC4, 0x57, 0xE5, 0xA1, 0xB6, 0x2F, 0x17, 0xCC; CertPK.key_01.modul
  21. ROM:86FFDA00                     DCB 0x19, 0xDE, 0x1F, 0xB, 0x36, 0x3C, 0x7A, 0xDA, 0x8A; CertPK.key_01.modul
  22. ROM:86FFDA00                     DCB 0x89, 0xE1, 0xBA, 0x9F, 0x36, 0x3E, 0x33, 0x86, 0x65; CertPK.key_01.modul
  23. ROM:86FFDA00                     DCB 0xCD, 0xCA, 0xD2, 0x25, 0xE8, 0xE2, 0x4D, 0xF2, 0x2A; CertPK.key_01.modul
  24. ROM:86FFDA00                     DCB 0x2F, 0x2C, 0xFB, 0x81, 0xD9, 0xCF, 0x5D, 0x93, 0x6D; CertPK.key_01.modul
  25. ROM:86FFDA00                     DCB 0x25, 0xFF, 0x32, 0x9E, 0x98, 0x84, 0x94, 0xAA, 0xE5; CertPK.key_01.modul
  26. ROM:86FFDA00                     DCB 0xFB, 0x7E, 7, 3, 0xD1, 0x4E, 0xCF, 0xB1, 0xCA, 0xD; CertPK.key_01.modul
  27. ROM:86FFDA00                     DCB 0x2B, 0x24, 0xFB, 0xA6, 0xA7, 0xBD, 0x9C, 0x6D, 0x29; CertPK.key_01.modul
  28. ROM:86FFDA00                     DCB 0x45, 0x7C, 0x8F, 0x61, 0xB, 0xDE, 0xA1, 0x63, 0x9A; CertPK.key_01.modul
  29. ROM:86FFDA00                     DCB 0xFD, 0x98, 0x55, 0xC8, 0x7F, 0x5D, 0x85, 0xAB, 0x20; CertPK.key_01.modul
  30. ROM:86FFDA00                     DCB 0x83, 0xB5, 0xEC, 0xB8, 0x91, 0x10, 0xC2, 0x43, 0x3B; CertPK.key_01.modul
  31. ROM:86FFDA00                     DCB 0x24, 0xFD, 0xC1, 0xD3, 0x7A, 0xC0, 0x8C, 0xE, 0x7E; CertPK.key_01.modul
  32. ROM:86FFDA00                     DCB 0xDF, 0xDA, 0xC9, 0x86, 0xD7, 0xF9, 0xB9, 0xF0, 0xB4; CertPK.key_01.modul
  33. ROM:86FFDA00                     DCB 5, 0x61, 0xBD, 0x4F, 0xFA, 0x65, 0x89, 0x5F, 0xA7; CertPK.key_01.modul
  34. ROM:86FFDA00                     DCB 0x35, 0x78, 0x6E, 0xBB, 0x49, 0xC8, 0x15, 0xB5, 0xDF; CertPK.key_01.modul
  35. ROM:86FFDA00                     DCB 0xFC, 0x39, 0x4A, 0xB3, 0x97, 0xC6, 0x1E, 0x96, 0x83; CertPK.key_01.modul
  36. ROM:86FFDA00                     DCB 0x54, 0x64, 0x33, 0x1A, 0x74, 0xD5, 0x3B, 0x9D, 9; CertPK.key_01.modul
  37. ROM:86FFDA00                     DCB 0x52, 0x6C, 0x29, 0xB2, 0xD0, 0x24, 0xFE, 0x28, 0xE6; CertPK.key_01.modul
  38. ROM:86FFDA00                     DCB 0xD3, 0x7F, 0xE7, 0x3A, 0x5F, 0x6D, 0xD5, 0xA1, 0x32; CertPK.key_01.modul
  39. ROM:86FFDA00                     DCB 0x58, 0xF0, 0x24, 0x10, 0x99, 0xB7, 0x65, 0x67, 0x55; CertPK.key_01.modul
  40. ROM:86FFDA00                     DCB 0x8E, 0x2B, 0x54, 0xC, 0x81, 0x17, 0xD4, 0x47, 0xF; CertPK.key_01.modul
  41. ROM:86FFDA00                     DCB 0x5C, 0x7F, 0x3B, 0x3A, 0x4A, 0x16, 0x85, 0xD5, 0x15; CertPK.key_01.modul
  42. ROM:86FFDA00                     DCB 0x95, 0xA0, 0x4C, 0xA7, 0xE7, 0xCB, 0x2F, 0x5A, 0x95; CertPK.key_01.modul
  43. ROM:86FFDA00                     DCB 0xB9, 0xBF, 0xC, 0x68, 0x32, 0xC9, 0x42, 0xAB, 0xA8; CertPK.key_01.modul
  44. ROM:86FFDA00                     DCB 0xD4, 0x21, 0xF8, 5, 0xDC, 0x1D, 0xEF, 0xB6, 0x41; CertPK.key_01.modul
  45. ROM:86FFDA00                     DCB 0x38, 0xDF, 0xC8, 0xE1, 0x78, 0xB5, 0x84, 0x23, 0x82; CertPK.key_01.modul
  46. ROM:86FFDA00                     DCB 0x7E, 0x7F, 0xE1                        ; CertPK.key_01.modul
  47. ROM:86FFDA00                     DCD 3                                       ; CertPK.__________field_148
  48. ROM:86FFDA00                     DCD 2                                       ; CertPK.key_02.key_id
  49. ROM:86FFDA00                     DCD 0                                       ; CertPK.key_02.key_type
  50. ROM:86FFDA00                     DCD 0b11100                                 ; CertPK.key_02.key_rights
  51. ROM:86FFDA00                     DCD 256                                     ; CertPK.key_02.modul_length
  52. ROM:86FFDA00                     DCD 65537                                   ; CertPK.key_02.e_value
  53. ROM:86FFDA00                     DCB 0xE9, 0xF4, 0xD, 0xD2, 0x83, 0x1C, 0x51, 0x6C, 0x73; CertPK.key_02.modul
  54. ROM:86FFDA00                     DCB 0x32, 4, 0x76, 0x39, 4, 0xB6, 0xF, 0x7A, 0xE, 0x70; CertPK.key_02.modul
  55. ROM:86FFDA00                     DCB 0x8D, 0xC, 0xAC, 0x25, 0x8C, 0x31, 6, 0x8A, 0xC8, 0x96; CertPK.key_02.modul
  56. ROM:86FFDA00                     DCB 0xFF, 0x55, 0xC6, 0x68, 0xAC, 0x9D, 0x79, 0x15, 0xBD; CertPK.key_02.modul
  57. ROM:86FFDA00                     DCB 0x92, 0x4A, 0xC2, 0x2D, 7, 0x85, 0xD6, 9, 0x17, 0x4B; CertPK.key_02.modul
  58. ROM:86FFDA00                     DCB 0xC7, 0x3F, 0x13, 0xEC, 0xA1, 2, 0x1A, 0xC0, 0x12; CertPK.key_02.modul
  59. ROM:86FFDA00                     DCB 0x58, 0xA2, 0x61, 0xC0, 0xCD, 0xCA, 0xD9, 0xFF, 0xC2; CertPK.key_02.modul
  60. ROM:86FFDA00                     DCB 0x8B, 0x9B, 0x1C, 0x72, 0x4A, 0x2F, 0xB3, 0xFF, 0x2A; CertPK.key_02.modul
  61. ROM:86FFDA00                     DCB 0xC6, 0xDA, 0x20, 0x25, 0x49, 0xA4, 0xCB, 0x21, 0xB; CertPK.key_02.modul
  62. ROM:86FFDA00                     DCB 0x88, 0x1F, 0xA6, 0xF1, 0xF2, 0x2A, 0xD2, 0x2B, 0x7A; CertPK.key_02.modul
  63. ROM:86FFDA00                     DCB 0x61, 0x92, 0x26, 0x2B, 0x93, 0xFC, 0x16, 0x69, 8; CertPK.key_02.modul
  64. ROM:86FFDA00                     DCB 0x89, 0x9B, 1, 0x6B, 0xF9, 0x60, 0x12, 0xB0, 0x3D; CertPK.key_02.modul
  65. ROM:86FFDA00                     DCB 0x54, 8, 0xF9, 0xDD, 0xCF, 0x8B, 0x3D, 0xDA, 4, 0x85; CertPK.key_02.modul
  66. ROM:86FFDA00                     DCB 0x60, 0xDA, 0x6E, 0x91, 0x40, 0x87, 0xF3, 0x7D, 0xCF; CertPK.key_02.modul
  67. ROM:86FFDA00                     DCB 0x36, 0x31, 0xED, 0xDD, 0x64, 0xFA, 0xAC, 0x76, 0x64; CertPK.key_02.modul
  68. ROM:86FFDA00                     DCB 0x17, 0xE3, 7, 0x6D, 0xFA, 0x68, 0xC8, 0xC, 0x37, 0x38; CertPK.key_02.modul
  69. ROM:86FFDA00                     DCB 0xE5, 0x75, 0xB4, 0x5D, 0x23, 0xC6, 0xC7, 0xEC, 0xD0; CertPK.key_02.modul
  70. ROM:86FFDA00                     DCB 0xF4, 0xFB, 0xD2, 0x4A, 0xE9, 1, 0xD4, 0xC2, 0xB9; CertPK.key_02.modul
  71. ROM:86FFDA00                     DCB 0xEA, 0xBF, 0xB6, 0x28, 0xA0, 0x6A, 0xF7, 0x11, 0xB0; CertPK.key_02.modul
  72. ROM:86FFDA00                     DCB 0xB8, 0xC5, 0x9F, 0x15, 0x31, 0x91, 0xE4, 0x96, 0xBF; CertPK.key_02.modul
  73. ROM:86FFDA00                     DCB 4, 0x85, 0xB9, 0x1D, 0xBD, 0x4A, 0x18, 0x45, 0x8F; CertPK.key_02.modul
  74. ROM:86FFDA00                     DCB 0x11, 0xF7, 0x4A, 0xBF, 0x8D, 0xBF, 3, 0xE, 0xC2, 0x87; CertPK.key_02.modul
  75. ROM:86FFDA00                     DCB 0x9B, 0xD1, 0x74, 0x3D, 0xE3, 0xF3, 0xC2, 0x29, 0x2C; CertPK.key_02.modul
  76. ROM:86FFDA00                     DCB 0x44, 0x5C, 0xBD, 0xDA, 0xBC, 0x9E, 6, 0x89, 0xC3; CertPK.key_02.modul
  77. ROM:86FFDA00                     DCB 0x5A, 0xF4, 0x62, 0xE1, 0xAB, 0x1C, 0x73, 0x31, 0x87; CertPK.key_02.modul
  78. ROM:86FFDA00                     DCB 0x19, 0xB4, 0x1F, 0xA3, 0xE8, 0x1F, 0x48, 0x41, 0x13; CertPK.key_02.modul
  79. ROM:86FFDA00                     DCB 0x15, 0x96, 0xF0, 0xF4, 0x6F, 0x96, 0x7E, 0xBA, 0x56; CertPK.key_02.modul
  80. ROM:86FFDA00                     DCB 0x73, 0xC9, 0xC7, 0xD5, 0x71, 8, 0xE5   ; CertPK.key_02.modul
  81. ROM:86FFDA00                     DCD 3                                       ; CertPK.key_03.key_id
  82. ROM:86FFDA00                     DCD 0                                       ; CertPK.key_03.key_type
  83. ROM:86FFDA00                     DCD 0b10                                    ; CertPK.key_03.key_rights
  84. ROM:86FFDA00                     DCD 256                                     ; CertPK.key_03.modul_length
  85. ROM:86FFDA00                     DCD 65537                                   ; CertPK.key_03.e_value
  86. ROM:86FFDA00                     DCB 0xDF, 0xB0, 0x8B, 0x1A, 0x78, 0xF1, 0x42, 0xCF, 0xDB; CertPK.key_03.modul
  87. ROM:86FFDA00                     DCB 0x65, 0x3B, 0x14, 0x9B, 0x43, 0x46, 0x6B, 0x22, 0xB1; CertPK.key_03.modul
  88. ROM:86FFDA00                     DCB 0x4B, 0xAE, 0xAC, 0xD2, 0x7B, 0xC7, 0xE0, 0xE3, 0x59; CertPK.key_03.modul
  89. ROM:86FFDA00                     DCB 0xAC, 0xA2, 0x61, 0x23, 0xF0, 0xA6, 0x31, 0xC7, 0x59; CertPK.key_03.modul
  90. ROM:86FFDA00                     DCB 0x92, 0xA2, 0xB, 0x51, 0xFF, 0xF5, 0x98, 0x88, 0xA6; CertPK.key_03.modul
  91. ROM:86FFDA00                     DCB 0xE7, 0x2D, 0xF0, 0x26, 0xFB, 0xD3, 0x9B, 0x5B, 0xBD; CertPK.key_03.modul
  92. ROM:86FFDA00                     DCB 0x75, 0x21, 0x1E, 0xC4, 0x16, 0x9D, 0x5E, 0x92, 0xC0; CertPK.key_03.modul
  93. ROM:86FFDA00                     DCB 0x42, 0xEA, 0x9E, 6, 0xCA, 0x16, 0x31, 0x6A, 0x20; CertPK.key_03.modul
  94. ROM:86FFDA00                     DCB 0x6C, 0xAF, 0xE, 0x76, 0x34, 0xCD, 0xF4, 0xEA, 0x8A; CertPK.key_03.modul
  95. ROM:86FFDA00                     DCB 0xDB, 0xEE, 0x47, 0x52, 2, 0x71, 0x2F, 0xF4, 0xDB; CertPK.key_03.modul
  96. ROM:86FFDA00                     DCB 0x8E, 0xBB, 0x49, 0xE7, 0x7F, 0x48, 0x85, 0x56, 0x94; CertPK.key_03.modul
  97. ROM:86FFDA00                     DCB 0xC1, 0x7C, 0x37, 0x9E, 0x4B, 0x8D, 0x16, 0x65, 0x2D; CertPK.key_03.modul
  98. ROM:86FFDA00                     DCB 0x1F, 0x4D, 0xB0, 0x76, 0xD6, 0x69, 0x43, 0x5F, 0xBA; CertPK.key_03.modul
  99. ROM:86FFDA00                     DCB 0xD4, 0x33, 0x39, 0x82, 0x7C, 0x40, 0xBA, 0x2B, 0x92; CertPK.key_03.modul
  100. ROM:86FFDA00                     DCB 0xAE, 0xA8, 0xCE, 0x67, 0x3D, 0xC5, 0x14, 0x33, 0x14; CertPK.key_03.modul
  101. ROM:86FFDA00                     DCB 0xA7, 5, 0x13, 0xC9, 0x6A, 0x8B, 0xFD, 0x46, 0x5B; CertPK.key_03.modul
  102. ROM:86FFDA00                     DCB 0x8F, 0xB, 0xE9, 0xD4, 0xDE, 0x3A, 0x69, 4, 0xE0, 0xBF; CertPK.key_03.modul
  103. ROM:86FFDA00                     DCB 0xA5, 0xEF, 0x2D, 0x54, 0xC6, 0x15, 0x38, 0xF3, 0x40; CertPK.key_03.modul
  104. ROM:86FFDA00                     DCB 6, 0x8F, 0x83, 0x2E, 0xA3, 0xC7, 0x22, 0xEF, 0xB1; CertPK.key_03.modul
  105. ROM:86FFDA00                     DCB 0x78, 0x3B, 2, 0x1D, 0x78, 0x3E, 0xE6, 0x2F, 0xE1; CertPK.key_03.modul
  106. ROM:86FFDA00                     DCB 0x64, 0xA2, 0xAE, 0x1F, 4, 0xAD, 0x16, 0x28, 0xBA; CertPK.key_03.modul
  107. ROM:86FFDA00                     DCB 0xA9, 0x5E, 0x47, 0x1F, 0x11, 0x99, 0xD4, 0x96, 0xE; CertPK.key_03.modul
  108. ROM:86FFDA00                     DCB 0xA0, 0x27, 0x19, 0x51, 0x2E, 0x3A, 0xDC, 6, 0xA4; CertPK.key_03.modul
  109. ROM:86FFDA00                     DCB 0x7A, 0x8B, 0x2A, 5, 0xD5, 0xEF, 0xC, 0x65, 0x11, 0x8B; CertPK.key_03.modul
  110. ROM:86FFDA00                     DCB 0xF9, 0x5B, 0xE, 0x4B, 0xFD, 0xBF, 0x3C, 0x80, 0x6F; CertPK.key_03.modul
  111. ROM:86FFDA00                     DCB 0x9B, 0xC4, 0x10, 0xD7, 0xDE, 0xE8, 0xEF, 0xC5, 0x32; CertPK.key_03.modul
  112. ROM:86FFDA00                     DCB 0x3F, 0x7A, 0x24, 0xB2, 0x91, 9, 0x42, 0x4E, 0x5E; CertPK.key_03.modul
  113. ROM:86FFDA00                     DCB 7, 0x81, 0x2D, 0x25, 0x13, 0xFA, 0x46, 0xBF, 0x34; CertPK.key_03.modul
  114. ROM:86FFDA00                     DCB 0x71, 0xC1                              ; CertPK.key_03.modul
  115. ROM:86FFDA00                     DCD 4                                       ; CertPK.key_04.key_id
  116. ROM:86FFDA00                     DCD 0                                       ; CertPK.key_04.key_type
  117. ROM:86FFDA00                     DCD 0b100000                                ; CertPK.key_04.key_rights
  118. ROM:86FFDA00                     DCD 256                                     ; CertPK.key_04.modul_length
  119. ROM:86FFDA00                     DCD 65537                                   ; CertPK.key_04.e_value
  120. ROM:86FFDA00                     DCB 0xE5, 0x43, 0x46, 0xA6, 0xB4, 0x4A, 0x45, 0xBA, 0x1E; CertPK.key_04.modul
  121. ROM:86FFDA00                     DCB 0x2F, 0x4B, 0xEB, 0x6A, 0x38, 0x29, 0xAE, 0xB3, 0x93; CertPK.key_04.modul
  122. ROM:86FFDA00                     DCB 0x3D, 0x60, 0xDD, 0x96, 0x92, 0xA6, 0x6E, 0x61, 0xDC; CertPK.key_04.modul
  123. ROM:86FFDA00                     DCB 0xB8, 0x21, 0x32, 0x6D, 0xEF, 0xD5, 0x19, 0xA0, 0x4F; CertPK.key_04.modul
  124. ROM:86FFDA00                     DCB 0x54, 0x59, 0x70, 0x75, 0x61, 0xFB, 0x2A, 0xC9, 0xB5; CertPK.key_04.modul
  125. ROM:86FFDA00                     DCB 0xF9, 0x72, 0x40, 0x62, 0x7C, 0xE, 0xE0, 0x87, 0xD2; CertPK.key_04.modul
  126. ROM:86FFDA00                     DCB 0xC3, 0xCF, 0x8B, 0xD8, 0x2C, 0x6D, 0xC8, 0xC4, 0x54; CertPK.key_04.modul
  127. ROM:86FFDA00                     DCB 0x7B, 0xF8, 0x4D, 0xEB, 0x20, 0xA8, 0xDA, 0xF4, 0x9D; CertPK.key_04.modul
  128. ROM:86FFDA00                     DCB 0x73, 0xA1, 0xE4, 0x5B, 0xAF, 7, 0x32, 0x88, 0x92; CertPK.key_04.modul
  129. ROM:86FFDA00                     DCB 0x15, 0x52, 0x37, 0xA1, 0x93, 0x91, 0x9A, 0x26, 0x2E; CertPK.key_04.modul
  130. ROM:86FFDA00                     DCB 0x7F, 0x6C, 0xDC, 0xD7, 0xA, 0xA5, 0xA6, 0xBA, 0xE6; CertPK.key_04.modul
  131. ROM:86FFDA00                     DCB 9, 0x1F, 0x6D, 0xA5, 0xE1, 0x50, 0xBC, 0xA1, 0x97; CertPK.key_04.modul
  132. ROM:86FFDA00                     DCB 0xE2, 0x43, 0xF, 0x1A, 0xBE, 0xA7, 0xDB, 0xF8, 0x3E; CertPK.key_04.modul
  133. ROM:86FFDA00                     DCB 0x1B, 2, 0xE9, 0x6B, 0x48, 0xD1, 0xEB, 0xC4, 0x3C; CertPK.key_04.modul
  134. ROM:86FFDA00                     DCB 0x7C, 0xAE, 0xAF, 0xE3, 0xFF, 0xFB, 0x6A, 0x46, 0x12; CertPK.key_04.modul
  135. ROM:86FFDA00                     DCB 0x32, 0x5D, 0x95, 0xB7, 0xE6, 0x22, 0x27, 0xE, 3, 0x94; CertPK.key_04.modul
  136. ROM:86FFDA00                     DCB 0x6A, 0xC5, 0xEA, 0xAD, 0x41, 6, 0x55, 0x78, 0xD5; CertPK.key_04.modul
  137. ROM:86FFDA00                     DCB 0x90, 0x54, 0xD, 0x95, 0x2C, 0x96, 0x47, 0x53, 0x4D; CertPK.key_04.modul
  138. ROM:86FFDA00                     DCB 0xEB, 0xAA, 0xF, 0x2F, 0xA0, 0x39, 0x48, 0x5F, 0x43; CertPK.key_04.modul
  139. ROM:86FFDA00                     DCB 0xA5, 0xB8, 0x53, 0xB0, 0xE3, 0x68, 0xBB, 0xAF, 0x79; CertPK.key_04.modul
  140. ROM:86FFDA00                     DCB 0x1E, 0x63, 0xB5, 0x7D, 0x4A, 0x81, 0x95, 0x38, 0x16; CertPK.key_04.modul
  141. ROM:86FFDA00                     DCB 0xF2, 0xD5, 0x8B, 0x16, 0xAE, 0x66, 0x8D, 0x4A, 0x12; CertPK.key_04.modul
  142. ROM:86FFDA00                     DCB 0xC3, 0x61, 0xBD, 0x86, 0x51, 0xBC, 0xB0, 9, 0xF, 0x22; CertPK.key_04.modul
  143. ROM:86FFDA00                     DCB 0x8C, 0xA9, 0x14, 0xF2, 0x22, 0xEA, 0x29, 0xD, 0x1A; CertPK.key_04.modul
  144. ROM:86FFDA00                     DCB 0xCA, 0x61, 0xD3, 0x8A, 0x11, 0x92, 0x22, 0x53, 0x4D; CertPK.key_04.modul
  145. ROM:86FFDA00                     DCB 0x11, 0x5C, 0x91, 0xDF, 0x9F, 0x11, 0x68, 0xD8, 0xA6; CertPK.key_04.modul
  146. ROM:86FFDA00                     DCB 0x97, 0xFD, 0x99, 0xD1, 0xA9, 0x2D, 0x8D, 0xF9, 0xB4; CertPK.key_04.modul
  147. ROM:86FFDA00                     DCB 0x9C, 0xDD, 0xD7, 0x6D, 0xF3, 0x65, 0xA9, 0xD1, 7; CertPK.key_04.modul
  148. ROM:86FFDA00                     DCB 0xB8, 0xA6                              ; CertPK.key_04.modul
  149. ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
  150. ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
  151. ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
  152. ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
  153. ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
  154. ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
  155. ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
  156. ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
  157. ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
  158. ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
  159. ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
  160. ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_1
  161. ROM:86FFDA00                     DCD 0, 0, 0                                 ; CertPK.zero_hole_1
  162. ROM:86FFDA00                     DCD 0b1111110                               ; CertPK.rights
  163. ROM:86FFDA00                     DCD 0xFFFFFFFF                              ; CertPK.msv
  164. ROM:86FFDA00                     DCD 1                                       ; CertPK.msv_mask
  165. ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPK.zero_hole_2
  166. ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0   ; CertPK.zero_hole_2
  167. ROM:86FFDA00                     DCB 0xA1, 0x64, 0x78, 0x4A, 0, 0, 0, 0, 0xDF, 1, 0, 0; CertPK.digest.signer_info
  168. ROM:86FFDA00                     DCB 0, 0, 0, 0                              ; CertPK.digest.signer_info
  169. ROM:86FFDA00                     DCD 0                                       ; CertPK.digest.signature_info
  170. ROM:86FFDA00                     DCD 1                                       ; CertPK.digest.key_id
  171. ROM:86FFDA00                     DCB 0x61, 0x66, 0xA8, 0xD7, 0x58, 0x8D, 0xFC, 0x87, 0xF2; CertPK.digest.digest
  172. ROM:86FFDA00                     DCB 0x9B, 0x83, 0x3F, 0xAD, 0x9B, 0x69, 0x25, 0xE6, 0xB4; CertPK.digest.digest
  173. ROM:86FFDA00                     DCB 0xA4, 0x19, 0xCA, 0x45, 4, 0x93, 0xB3, 0x57, 0x6C; CertPK.digest.digest
  174. ROM:86FFDA00                     DCB 0xB4, 0x76, 0x18, 0x52, 0xFA, 0x22, 0x9A, 2, 0x1D; CertPK.digest.digest
  175. ROM:86FFDA00                     DCB 0xFF, 0x8E, 0xFC, 0xAE, 0xF4, 0x94, 0x77, 0x26, 0x1B; CertPK.digest.digest
  176. ROM:86FFDA00                     DCB 0xBD, 0xE5, 0xAB, 0x77, 0x8D, 0xFB, 0x16, 0x30, 0x65; CertPK.digest.digest
  177. ROM:86FFDA00                     DCB 0x5C, 0xF2, 0x3A, 2, 0x98, 0xCB, 0xBC, 0xE8, 0x25; CertPK.digest.digest
  178. ROM:86FFDA00                     DCB 0x34, 0x6B, 0x90, 0xDE, 0xF4, 0x3B, 0xC2, 0xE7, 0xA3; CertPK.digest.digest
  179. ROM:86FFDA00                     DCB 0x43, 0xB9, 0x65, 0x14, 0xD6, 0xF3, 0xB4, 0x45, 0x1F; CertPK.digest.digest
  180. ROM:86FFDA00                     DCB 0x40, 0xF5, 0x2D, 0xCB, 0x2A, 0x28, 0x97, 0xBA, 0x6C; CertPK.digest.digest
  181. ROM:86FFDA00                     DCB 0xEB, 0x39, 4, 0xF2, 0xE8, 0x78, 0xA8, 0xA8, 0x4B; CertPK.digest.digest
  182. ROM:86FFDA00                     DCB 0x3C, 0xA8, 0x24, 0x3C, 0xB3, 0x90, 0x54, 0x9F, 0x9D; CertPK.digest.digest
  183. ROM:86FFDA00                     DCB 0xC5, 0xE8, 0x6E, 0xE5, 0xCD, 0xDF, 9, 0x14, 0xEE; CertPK.digest.digest
  184. ROM:86FFDA00                     DCB 0x4C, 0xC9, 0x6C, 0x93, 0xBA, 0x2B, 8, 0xF6, 0x76; CertPK.digest.digest
  185. ROM:86FFDA00                     DCB 0x6A, 0xE7, 0xB0, 0xC1, 0x16, 0x12, 0x2D, 0x3E, 0xDF; CertPK.digest.digest
  186. ROM:86FFDA00                     DCB 0x87, 0x62, 0x6E, 0x45, 0x89, 0x82, 0x96, 0xD2, 0x58; CertPK.digest.digest
  187. ROM:86FFDA00                     DCB 0xDA, 0x9E, 0xA7, 0xD7, 0x26, 0x32, 0xAB, 0xEF, 0x63; CertPK.digest.digest
  188. ROM:86FFDA00                     DCB 0x72, 0x54, 0x20, 0x2A, 0xE9, 0x34, 0xD1, 0x53, 0xDA; CertPK.digest.digest
  189. ROM:86FFDA00                     DCB 0xB2, 0x84, 0x4F, 0xDD, 0x38, 0xF6, 0xA1, 0x4D, 0x62; CertPK.digest.digest
  190. ROM:86FFDA00                     DCB 0x62, 0x31, 0x4E, 0xC9, 0xF0, 0x77, 0x30, 0x63, 0x65; CertPK.digest.digest
  191. ROM:86FFDA00                     DCB 0x81, 0x6B, 0x10, 0x82, 0x30, 0xF9, 0x15, 0x10, 0xF1; CertPK.digest.digest
  192. ROM:86FFDA00                     DCB 0x44, 0x3E, 0x19, 0x8B, 0x27, 0xC3, 0xBB, 0xF, 0x87; CertPK.digest.digest
  193. ROM:86FFDA00                     DCB 8, 0xAD, 0x9A, 0xC2, 0x93, 0x6F, 0x8A, 0xA6, 0x4A; CertPK.digest.digest
  194. ROM:86FFDA00                     DCB 0x40, 0xFC, 0, 0x6C, 0x8B, 0x5D, 0x15, 0xCD, 0xED; CertPK.digest.digest
  195. ROM:86FFDA00                     DCB 0xEE, 0xCC, 7, 0x20, 0x40, 0x47, 0xA7, 0xCD, 0x9B; CertPK.digest.digest
  196. ROM:86FFDA00                     DCB 0xC3, 0x7B, 0x62, 0x28, 0x18, 0x5B, 0x23, 0xE6, 0xA6; CertPK.digest.digest
  197. ROM:86FFDA00                     DCB 1, 0xC4, 0x78, 0x89, 0xF8, 0x2D, 0x95, 0xA0, 0xED; CertPK.digest.digest
  198. ROM:86FFDA00                     DCB 0xA5, 0x2C, 0x13, 0xA, 0x87, 0xB0, 0x4F, 0xC8, 0x2D; CertPK.digest.digest
  199. ROM:86FFDA00                     DCB 0x56, 0xF6, 0xFB, 0x7A                  ; CertPK.digest.digest

CertPPA

This is a certificate of Primary Protected Application (Similar known as Secure Part of OS and bootloader)

  1. ROM:86FFDA00                     DCB "CertPPA",0                             ; CertPPA.cert_mark
  2. ROM:86FFDA00                     DCD 0                                       ; CertPPA.cert_version
  3. ROM:86FFDA00                     DCD 0                                       ; CertPPA.cert_type
  4. ROM:86FFDA00                     DCD 0                                       ; CertPPA.minver_src
  5. ROM:86FFDA00                     DCD 0                                       ; CertPPA.minver_pk
  6. ROM:86FFDA00                     DCD 0                                       ; CertPPA.minver_ppa
  7. ROM:86FFDA00                     DCD 0                                       ; CertPPA.minver_rd1
  8. ROM:86FFDA00                     DCD 0                                       ; CertPPA.minver_rd2
  9. ROM:86FFDA00                     DCD 0                                       ; CertPPA.minver_isw
  10. ROM:86FFDA00                     DCD 0x1DC, 0x1474, 0x12D4378A, 0xF1CC7717, 0x720919A6; CertPPA.image_01.data_byte
  11. ROM:86FFDA00                     DCD 0x306817C4, 0x5B11F5EB                  ; CertPPA.image_01.data_byte
  12. ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPPA.zero_hole
  13. ROM:86FFDA00                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; CertPPA.zero_hole
  14. ROM:86FFDA00                     DCB 0xFF, 0xDD, 0x82, 0x4A, 0, 0, 0, 0, 0x30, 2, 0, 0; CertPPA.digest.signer_info
  15. ROM:86FFDA00                     DCB 0, 0, 0, 0                              ; CertPPA.digest.signer_info
  16. ROM:86FFDA00                     DCD 0                                       ; CertPPA.digest.signature_info
  17. ROM:86FFDA00                     DCD 2                                       ; CertPPA.digest.key_id
  18. ROM:86FFDA00                     DCB 0x71, 0xA0, 0x9E, 0xBD, 0x2A, 0xC1, 0xB7, 8, 0xC7; CertPPA.digest.digest
  19. ROM:86FFDA00                     DCB 0xC0, 0xED, 0xEF, 4, 0xAE, 0x99, 0x27, 0x5C, 0x34; CertPPA.digest.digest
  20. ROM:86FFDA00                     DCB 0xAE, 0xF4, 0x7A, 0xEA, 0x60, 0x36, 0x17, 0x8B, 0xE5; CertPPA.digest.digest
  21. ROM:86FFDA00                     DCB 0x16, 0x31, 0xBC, 0xFF, 0x5E, 0xA0, 0x78, 0x7B, 0x43; CertPPA.digest.digest
  22. ROM:86FFDA00                     DCB 0xBE, 0xA0, 0xDD, 4, 0x28, 0x16, 0xA7, 0xD9, 0x44; CertPPA.digest.digest
  23. ROM:86FFDA00                     DCB 0x95, 0x97, 0xEF, 0xD6, 0x9D, 0x9E, 0xAD, 0xD0, 0x59; CertPPA.digest.digest
  24. ROM:86FFDA00                     DCB 0x3C, 0x40, 0xA4, 0x32, 0xDA, 0x15, 0x4C, 0x61, 0x39; CertPPA.digest.digest
  25. ROM:86FFDA00                     DCB 0x73, 0x9A, 0xC4, 0x11, 0x3B, 0x29, 0xC9, 0x79, 0x22; CertPPA.digest.digest
  26. ROM:86FFDA00                     DCB 0xFA, 0xD6, 0x10, 0xED, 0x34, 0x8B, 0x9C, 0xC3, 0x87; CertPPA.digest.digest
  27. ROM:86FFDA00                     DCB 0x73, 0xA4, 0x70, 0xC6, 0xB8, 0x7C, 0x8E, 0xA1, 0xCC; CertPPA.digest.digest
  28. ROM:86FFDA00                     DCB 0x5C, 0x90, 0x42, 0x5D, 0x89, 0xE6, 0x1D, 0xBD, 0x79; CertPPA.digest.digest
  29. ROM:86FFDA00                     DCB 0xE3, 0xBF, 0x78, 0x13, 0x25, 0xB, 0, 0x86, 0x93, 0x7B; CertPPA.digest.digest
  30. ROM:86FFDA00                     DCB 0xF5, 0x13, 0x65, 0x52, 0x1E, 0x4D, 3, 7, 0xDF, 0x3E; CertPPA.digest.digest
  31. ROM:86FFDA00                     DCB 0x43, 0x57, 0x2D, 0xD2, 0xF9, 0x30, 0x6C, 0x9F, 0x8A; CertPPA.digest.digest
  32. ROM:86FFDA00                     DCB 0xB6, 0xA7, 0x33, 0x67, 0x3C, 0xBF, 0x1E, 0xD0, 0x7D; CertPPA.digest.digest
  33. ROM:86FFDA00                     DCB 0x7E, 0x46, 0x47, 0x2C, 0x89, 0xE9, 0xF5, 0x5F, 0x9C; CertPPA.digest.digest
  34. ROM:86FFDA00                     DCB 0xF4, 0x33, 0x8E, 0xF3, 0x57, 0xBB, 0x44, 0x94, 0x3C; CertPPA.digest.digest
  35. ROM:86FFDA00                     DCB 0xC4, 0x3E, 0xAE, 0x31, 0xC8, 0x8D, 0xE4, 0x69, 0xAE; CertPPA.digest.digest
  36. ROM:86FFDA00                     DCB 0x33, 0x4D, 0xF6, 0x82, 0x3C, 0x34, 0x69, 0x6A, 0x46; CertPPA.digest.digest
  37. ROM:86FFDA00                     DCB 0xA8, 8, 0xF5, 0xBA, 0x52, 0x7D, 0x99, 0x87, 0x9A; CertPPA.digest.digest
  38. ROM:86FFDA00                     DCB 0x65, 0x17, 0x8F, 0x87, 0xC0, 0xA8, 0xB7, 0x4C, 0xF5; CertPPA.digest.digest
  39. ROM:86FFDA00                     DCB 0x11, 0x18, 0xC5, 0xCB, 0xCA, 0x5E, 0x9A, 0xB1, 0xED; CertPPA.digest.digest
  40. ROM:86FFDA00                     DCB 0x30, 7, 7, 0xB8, 0x9D, 0x5A, 0x85, 0xAB, 0x68, 0xD1; CertPPA.digest.digest
  41. ROM:86FFDA00                     DCB 0xA5, 0x3A, 0xC, 3, 0x5F, 0x1C, 0x86, 0x3F, 0x45, 0xD7; CertPPA.digest.digest
  42. ROM:86FFDA00                     DCB 0x9E, 0x2A, 5, 0xEB, 0xD1, 0x89, 0x2C, 0xC, 0x78, 0xD9; CertPPA.digest.digest
  43. ROM:86FFDA00                     DCB 0x96, 0x66, 0x22, 0x87, 0x92, 0x54, 0xD5, 0xE, 0x2E; CertPPA.digest.digest
  44. ROM:86FFDA00                     DCB 0xF6, 0x36, 0xB3, 0x6E, 0x5F, 0x93, 0x86, 0x19, 0xCC; CertPPA.digest.digest
  45. ROM:86FFDA00                     DCB 0x93, 0x8E, 0x9F, 0xCE, 0xAA, 0xB8, 0x95, 0x44; CertPPA.digest.digest

CertISW

This is certificate of Initial Software Image, which is most important part of mbmloader

  1. ROM:87000000                     DCB "CertISW",0                             ; cert_mark
  2. ROM:87000000                     DCD 0                                       ; cert_version
  3. ROM:87000000                     DCD 0                                       ; cert_type
  4. ROM:87000000                     DCD 0                                       ; minver_src
  5. ROM:87000000                     DCD 0                                       ; minver_pk
  6. ROM:87000000                     DCD 0                                       ; minver_ppa
  7. ROM:87000000                     DCD 0                                       ; minver_rd1
  8. ROM:87000000                     DCD 0                                       ; minver_rd2
  9. ROM:87000000                     DCD 0                                       ; minver_isw
  10. ROM:87000000                     DCD 0                                       ; watchdog_param
  11. ROM:87000000                     DCD 0                                       ; use_DMA
  12. ROM:87000000                     DCD 1                                       ; images_number
  13. ROM:87000000                     DCD 0x350, 0xBB3C, 0x5B276134, 0xE8DB7FAA, 0x19484C32; image_01.data_byte
  14. ROM:87000000                     DCD 0xFF8CCD72, 0xCE925D68                  ; image_01.data_byte
  15. ROM:87000000                     DCD 0, 0, 0, 0, 0, 0, 0                     ; image_02.data_byte
  16. ROM:87000000                     DCD 0, 0, 0, 0, 0, 0, 0                     ; image_03.data_byte
  17. ROM:87000000                     DCD 0, 0, 0, 0, 0, 0, 0                     ; image_04.data_byte
  18. ROM:87000000                     DCD 0x16793A22                              ; magic_1
  19. ROM:87000000                     DCD 0b11111111111111111111111111111111      ; reg_bitfield
  20. ROM:87000000                     DCD 0x48004D30                              ; reg_table.reg_address
  21. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  22. ROM:87000000                     DCD 0x48004934                              ; reg_table.reg_address
  23. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  24. ROM:87000000                     DCD 0x48004948                              ; reg_table.reg_address
  25. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  26. ROM:87000000                     DCD 0x48004944                              ; reg_table.reg_address
  27. ROM:87000000                     DCD 1                                       ; reg_table.reg_value
  28. ROM:87000000                     DCD 0x48004940                              ; reg_table.reg_address
  29. ROM:87000000                     DCD 0x1F419                                 ; reg_table.reg_value
  30. ROM:87000000                     DCD 0x48004D40                              ; reg_table.reg_address
  31. ROM:87000000                     DCD 0x8A00C00                               ; reg_table.reg_value
  32. ROM:87000000                     DCD 0x48004D00                              ; reg_table.reg_address
  33. ROM:87000000                     DCD 0x770077                                ; reg_table.reg_value
  34. ROM:87000000                     DCD 0x48004904                              ; reg_table.reg_address
  35. ROM:87000000                     DCD 0x37                                    ; reg_table.reg_value
  36. ROM:87000000                     DCD 0x48004924                              ; reg_table.reg_address
  37. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  38. ROM:87000000                     DCD 0x48004D20                              ; reg_table.reg_address
  39. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  40. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  41. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  42. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  43. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  44. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  45. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  46. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  47. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  48. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  49. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  50. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  51. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  52. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  53. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  54. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  55. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  56. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  57. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  58. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  59. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  60. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  61. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  62. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  63. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  64. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  65. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  66. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  67. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  68. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  69. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  70. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  71. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  72. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  73. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  74. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  75. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  76. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  77. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  78. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  79. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  80. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  81. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  82. ROM:87000000                     DCD 0                                       ; reg_table.reg_address
  83. ROM:87000000                     DCD 0                                       ; reg_table.reg_value
  84. ROM:87000000                     DCD 0                                       ; reg_type_01
  85. ROM:87000000                     DCD 0x300                                   ; reg_type_02
  86. ROM:87000000                     DCD 0x350                                   ; image_offset
  87. ROM:87000000                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; zero_hole
  88. ROM:87000000                     DCD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; zero_hole
  89. ROM:87000000                     DCB 0x52, 0x98, 0xE1, 0x4A, 0, 0, 0, 0, 0x3D, 6, 0, 0; digest.signer_info
  90. ROM:87000000                     DCB 0, 0, 0, 0                              ; digest.signer_info
  91. ROM:87000000                     DCD 0                                       ; digest.signature_info
  92. ROM:87000000                     DCD 3                                       ; digest.key_id
  93. ROM:87000000                     DCB 0x21, 0xBF, 0x48, 0x4A, 0x3A, 0x45, 0xB, 0x94, 0x67; digest.digest
  94. ROM:87000000                     DCB 0xBA, 0xC5, 0xC5, 0x7D, 0xC7, 0xA6, 0x6B, 0xBC, 0x59; digest.digest
  95. ROM:87000000                     DCB 0xFE, 0xC0, 0x8D, 0xD4, 0xAE, 0xCD, 0xD6, 0x41, 0x5C; digest.digest
  96. ROM:87000000                     DCB 0xDC, 0x23, 6, 0x3F, 0x33, 0xC3, 0x25, 0xAC, 0x8B; digest.digest
  97. ROM:87000000                     DCB 0xD0, 0x69, 0xF, 0xD2, 0xB1, 0x77, 0xCB, 0x63, 0xD7; digest.digest
  98. ROM:87000000                     DCB 0xE, 0x3A, 0x5B, 0x92, 0x6D, 0xA, 0xF1, 0x5C, 0x29; digest.digest
  99. ROM:87000000                     DCB 0x1F, 0x5E, 0x99, 0xF5, 0xB8, 0x81, 0x9C, 2, 0x87; digest.digest
  100. ROM:87000000                     DCB 0x17, 0x1D, 0x45, 0x5E, 0x5D, 0x47, 0xA9, 0x2B, 2; digest.digest
  101. ROM:87000000                     DCB 0x46, 0x25, 0xA2, 0x1F, 0xC2, 0x5E, 0x50, 0xA5, 0x24; digest.digest
  102. ROM:87000000                     DCB 0x85, 0x1E, 0xC5, 0xE7, 0xC8, 0x87, 0xC6, 0xF4, 0x50; digest.digest
  103. ROM:87000000                     DCB 0xB1, 0x65, 0xC0, 0xF6, 0xB9, 0x79, 0xC1, 0xC9, 0xFC; digest.digest
  104. ROM:87000000                     DCB 0x54, 0x98, 0x30, 0xE4, 0x14, 0xC7, 0xB7, 0x4B, 0x92; digest.digest
  105. ROM:87000000                     DCB 0xC1, 0xAE, 0x4E, 0xDB, 0x3B, 0x79, 0xD9, 0x91, 0x45; digest.digest
  106. ROM:87000000                     DCB 0x9A, 0xE9, 0x28, 0xC, 0x3B, 0xEF, 0x42, 0x53, 0x6D; digest.digest
  107. ROM:87000000                     DCB 0x9C, 0xEF, 0xB6, 0x37, 0xAC, 0xBF, 0x72, 0xF7, 0xE3; digest.digest
  108. ROM:87000000                     DCB 0x33, 0xDC, 0x67, 0x22, 0x56, 0x77, 9, 0x54, 0x9D; digest.digest
  109. ROM:87000000                     DCB 0x45, 0x62, 0x84, 0x72, 0x55, 0xC1, 0x38, 0xC, 0x6A; digest.digest
  110. ROM:87000000                     DCB 1, 0x67, 0x1B, 0xE6, 0xEE, 0xD0, 0x2B, 0xD9, 0x78; digest.digest
  111. ROM:87000000                     DCB 0x56, 0x7F, 0xCB, 0x19, 0xF, 0x3D, 0x46, 0xE6, 0xFA; digest.digest
  112. ROM:87000000                     DCB 0x81, 0x90, 0x7A, 0xBC, 0x96, 0xAB, 0x58, 0x81, 0xB1; digest.digest
  113. ROM:87000000                     DCB 0xB2, 0x62, 0x60, 0x66, 0x1E, 0xFE, 0xB6, 0x1F, 0x48; digest.digest
  114. ROM:87000000                     DCB 0x1A, 0x98, 0xEC, 0xA3, 0xE4, 0xFF, 0x62, 0xF, 0x9F; digest.digest
  115. ROM:87000000                     DCB 0xEA, 0xA, 0x37, 0xBB, 0x80, 0xF0, 0xE2, 0xA3, 0x1F; digest.digest
  116. ROM:87000000                     DCB 0xBD, 0xB8, 0xEE, 0xE9, 0x11, 0x9D, 0x98, 0x15, 1; digest.digest
  117. ROM:87000000                     DCB 0x37, 0x3C, 0xA7, 0xCB, 0x5F, 0xB2, 0x37, 0x5E, 0xFD; digest.digest
  118. ROM:87000000                     DCB 0xFC, 0x37, 0xCE, 0x80, 9, 0xB8, 0x56, 0x74, 0xFF; digest.digest
  119. ROM:87000000                     DCB 0x83, 0xEF, 0xD0, 0xE0, 0x3E, 0x8F, 0xC7, 0xF, 0x1C; digest.digest
  120. ROM:87000000                     DCB 0x67, 0xFE, 0x58, 0xE6, 0xE6, 0x8D, 0x65, 0x4A, 0xF4; digest.digest
  121. ROM:87000000                     DCB 0x20, 0xF9, 0xAD, 0x8D                  ; digest.digest


Finding a hash collision

Finding a new key whose sha1 hash collides with the one stored in hardware would be a very difficult task too, but as far as we know it has not been proven to be as hard as cracking the key directly. The generate & test method is probably useless here, though. This statement was being left from the beginning when the certificates inside mbmloader was not fully understood. The hardware stores the hash of the root public key for validating the public key inside mbmloader's pk cert section. And the private key of it is used to sign the sha1 hash of the ISW content. So finding a hash collision means to modify the ISW content in a way that could benefit us(like patching further signature checking) while retaining the same hash value.

Moreover, finding a fast hash collision on the sha1(root_public_key)(not the brute-force way from RSA components -> modulus -> hash), even succeeded, will simply repeat the public key -> private key problem.

Some useful information about RSA cryptoanalisys

First of all - read this Cryptoanalisys on Wikipedia

As we know may be useful thease methods:

Classical cryptanalysis:

Hash functions:

Attack models:

Side channel attacks:

External attacks:

Useful literature for studying:

  1. U.S. Patent 4405829
  2. Cracking RSA-500
  3. Cracking RSA-500
  4. A. Menezes, P. van Oorschot, S. Vanstone. RSA public-key encryption // Handbook of Applied Cryptography. , 1996.
  5. Boneh, Dan (1999). "Twenty Years of attacks on the RSA Cryptosystem". Notices of the American Mathematical Society (AMS) 46 (2): 203–213.
  6. Factorisation of RSA-768
  7. Factorisation of RSA-768
  8. Applied Cryptography sources in C, Brus Shnaier
  9. Applied Crypto, Brus Shnaier
Personal tools
Namespaces
Variants
Actions
Navigation
see also
Toolbox