Speaking outloud, so slap me...

Trying to further the development of Android on the Revue? Talk about it here and document it on the wiki: http://www.wiki.gtvhacker.com


webdude12
Android 1.0
Posts: 13
Joined: Sat Dec 03, 2011 9:09 pm
GTV Device Owned: Logitech Revue

Speaking outloud, so slap me...

Post by webdude12 »

I understand the reason we can't do custom ROMs is because we can't sign the update, because we need the private key. What I do not know is this: is the private key somewhere on the box, or is it only in Logitech's hands?

Because coming from a different hacking community (D*v, D*sh), I know it's fairly trivial to dump any hardware chip within a piece of hardware to get its code. If this is the case, not knowing any of the Revue's hardware chipset at all, does anyone know which chip we need to dump and disassemble the code?
jeffrapp
Android 1.0
Posts: 12
Joined: Sun Aug 07, 2011 5:29 am

Re: Speaking outloud, so slap me...

Post by jeffrapp »

SLAP!

No, the private key isn't stored on the box (or at least it shouldn't be - I'll assume Google knows better). With a key system, you get 2 different keys: a private key and a public key. Basically, you use your private key to "sign" or encrypt an item. You can then freely give your public key out to whomever you choose, because it cannot be used to sign anything. Its only purpose is to verify or decrypt items that have been signed by the private key.

To get the private key, you'll need to either a) break into Google, or b) try to find the private key by, what is essentially, brute force. The long and short of it is, you'll probably have a better chance of breaking into Google and finding the key before you can brute force it.
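The split jeffrapp describes (private exponent signs, public pair only verifies) in a toy form, as an added example that is not part of the thread or of any Revue firmware: the primes are tiny constructed values chosen so the numbers are readable, the hash is reduced into the modulus without padding, and none of it is secure. Real update-signing keys are thousands of bits long and use padded signature schemes; the mechanism is the same.

```python
# Added example (not from the thread): textbook RSA signing of an update image.
# The box would hold only PUBLIC_KEY; whoever holds PRIVATE_KEY can sign.
import hashlib

# Constructed toy key: two small primes picked by hand for this illustration.
P, Q = 1000003, 1000033
N = P * Q                     # public modulus
E = 65537                     # public exponent
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)           # private exponent: modular inverse of E (Python 3.8+)

PUBLIC_KEY = (N, E)           # what ships on the device
PRIVATE_KEY = (N, D)          # what the vendor keeps


def digest(image: bytes) -> int:
    """SHA-256 of the image, reduced into the modulus range (toy; real schemes pad)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N


def sign(image: bytes, private_key) -> int:
    """Signature = digest^D mod N. Only the holder of D can compute this."""
    n, d = private_key
    return pow(digest(image), d, n)


def verify(image: bytes, signature: int, public_key) -> bool:
    """Verification = signature^E mod N must equal the image digest."""
    n, e = public_key
    return pow(signature, e, n) == digest(image)


def forge_with_public_key_only(image: bytes) -> int:
    """What an attacker holding only (N, E) can compute: it does not verify."""
    n, e = PUBLIC_KEY
    return pow(digest(image), e, n)


if __name__ == "__main__":
    image = b"constructed update image v1"          # stand-in for an OTA payload
    sig = sign(image, PRIVATE_KEY)
    print("genuine image verifies:", verify(image, sig, PUBLIC_KEY))
    print("tampered image verifies:", verify(image + b"x", sig, PUBLIC_KEY))
    print("public-key-only forgery verifies:",
          verify(image, forge_with_public_key_only(image), PUBLIC_KEY))
```

The third check is the point of jeffrapp's post: having the verifying key on the box gives no way to produce a valid signature, so dumping the chip yields nothing useful for signing.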
webdude12
Android 1.0
Posts: 13
Joined: Sat Dec 03, 2011 9:09 pm
GTV Device Owned: Logitech Revue

Re: Speaking outloud, so slap me...

Post by webdude12 »

That's what I was thinking... Do we know the strength of the key system? 128, 256, etc? With the right equipment, brute force is not always out of the question. Have to remember, with the ability to use GPUs to brute force, up to 28.6 billion/sec with a high class system. Not saying we all have that, but if we had an idea of the test formula, it would be possible to reverse engineer this.
Reality
Android 1.0
Posts: 3
Joined: Wed Dec 07, 2011 3:08 pm
GTV Device Owned: Logitech Revue

Re: Speaking outloud, so slap me...

Post by Reality »

I'll bite.

28.7 billion attempts a second? That's pretty good.

A 256-bit RSA encryption scheme doesn't care ( http://www.gtvhacker.com/index.php/Startup lists crypto type and key length )

256 bit == 2^256 ~= 1.15792089 × 10^77

We'll round down to 1, followed by 76 zeros.

So, your awesome GPU cracker? If we used that, it would take roughly 4 * 10^66 seconds to calculate it, brute force.

There are 100 × 10^22 stars in the observable universe.

If each of these stars had 1,000,000,000 such GPUs, all cracking, and all interconnected with a zero latency link, it would only take 4.13543176 × 10^33 seconds to brute force.

The best guess for the age of the universe is currently roughly 433.6 x 10^15 seconds (plus or minus .13 billion years). So, if every star in the observable universe had 1,000,000,000 such crackers, and they started bruting at the big bang, it MIGHT be roughly half way through the brute force calculation.

But, keep on suggesting ideas...
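The arithmetic in Reality's post, and the "each bit doubles the search space" table in the later reply, generalised into a small cost model, as an added example that is not part of the thread. It takes any key length, per-worker guess rate and worker count, and reports the exhaustive-search time, how many key bits a given budget can cover, and the people-versus-weeks doubling table. The inputs (28.7 billion guesses/s per GPU, 10^24 stars, 10^9 GPUs per star, 433.6 x 10^15 seconds for the age of the universe) are the thread's own figures, used here as constructed illustrations. One qualification: this models guessing a uniformly random key one value at a time; RSA keys are attacked by factoring rather than by enumerating all 2^n values, so the model is a floor on effort, not a description of how RSA is broken.

```python
# Added example (not from the thread): brute-force cost model for a random n-bit key.
import math

AGE_OF_UNIVERSE_S = 433.6e15     # figure used in the thread, in seconds
SECONDS_PER_WEEK = 7 * 24 * 3600


def search_space(bits: int) -> int:
    """Number of candidate keys; each extra bit doubles it."""
    return 2 ** bits


def seconds_to_search(bits: int, rate_per_worker: float, workers: float,
                      fraction: float = 1.0) -> float:
    """Wall-clock seconds to test `fraction` of the key space with `workers`
    each making `rate_per_worker` guesses per second. Workers only divide
    the time linearly; bits multiply it exponentially."""
    return search_space(bits) * fraction / (rate_per_worker * workers)


def universe_ages(bits: int, rate_per_worker: float, workers: float) -> float:
    """Same search expressed in multiples of the thread's age-of-universe figure."""
    return seconds_to_search(bits, rate_per_worker, workers) / AGE_OF_UNIVERSE_S


def bits_searchable(seconds: float, rate_per_worker: float, workers: float) -> float:
    """Largest key length (log2 of total guesses) that a time budget can
    exhaust; the inverse question to seconds_to_search."""
    return math.log2(seconds * rate_per_worker * workers)


def scaling_table(start_bits: int, people: int, weeks: int, extra_bits: int):
    """Reality's doubling table: for each extra bit, either the weeks double
    (same people) or the people double (same weeks). Returns
    (bits, weeks_with_same_people, people_for_same_weeks) rows."""
    return [(start_bits + k, weeks * 2 ** k, people * 2 ** k)
            for k in range(extra_bits + 1)]


if __name__ == "__main__":
    gpu = 28.7e9
    print("one GPU, 256-bit space: %.2e s" % seconds_to_search(256, gpu, 1))
    cosmic = 1e24 * 1e9          # a billion GPUs on every star
    print("cosmic cracker: %.2e s, %.2e universe ages"
          % (seconds_to_search(256, gpu, cosmic), universe_ages(256, gpu, cosmic)))
    print("bits the cosmic cracker exhausts in one universe age: %.1f"
          % bits_searchable(AGE_OF_UNIVERSE_S, gpu, cosmic))
    print("bits 20 people at 100 guesses/s exhaust in 3 weeks: %.1f"
          % bits_searchable(3 * SECONDS_PER_WEEK, 100, 20))
    for row in scaling_table(64, 20, 3, 29):
        print("%d bits: 20 people need %d weeks, or %d people need 3 weeks" % row)
```

Two outputs are worth reading against the thread: the cosmic cracker exhausts only about 203 bits of key space in a full age of the universe, so 256 bits is out of reach by a factor of 2^53; and 20 people testing 100 keys per second for three weeks cover about 2^31.8 guesses, which is why Reality's doubling table reaches 10,737,418,240 people at 93 bits (20 * 2^29) and why the 64-bit find described in the thread is, as its author says, luck.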
Discovered
2.2 Froyo
Posts: 232
Joined: Thu Dec 08, 2011 9:57 am
GTV Device Owned: Logitech Revue

Re: Speaking outloud, so slap me...

Post by Discovered »

i think it might just be possible.. haha it would be really cool to see this.
LGVM670 - CM 9
IPhone 3GS - IOS 5.1.1
Revue - HC 3.2
Aspire 3000 - JoliOS
havikx
1.6 Donut
Posts: 146
Joined: Mon Aug 08, 2011 8:14 pm
GTV Device Owned: Logitech Revue
Location: New Jersey, SEVEN3II

Re: Speaking outloud, so slap me...

Post by havikx »

+1 for brute forcing the boot loader.
HTC one s - cm10 jellybean unofficial
T-mobile g1 - cm6
T-Mobile g2- andromadus ics beta
T-Mobile hd2- cm9 by tytung
HP touchpad- CM9 alpha 2
Logitech revue- OTA downgrade 3.1
Member xda forums
webdude12
Android 1.0
Posts: 13
Joined: Sat Dec 03, 2011 9:09 pm
GTV Device Owned: Logitech Revue

Re: Speaking outloud, so slap me...

Post by webdude12 »

Because the loader is encrypted we can not get the exact routine the Revue uses to decrypt.

However I'm assuming that people have tested the public key and signature against other known bootloaders and it did not pass.

Reason I ask is this. Back in my days with the other hacking crowd, we discovered a 64 bit hex encryption key using a small group of and routine that could only do around 100 attempts per second and about 20 of us. Did we get lucky? Very much so.

Most brute force attempts start at 0000 and go to 9999 (to keep it simple). But first we noticed a few things. None of the known keys are in numeric order, i.e. 1234, 5678, etc. So we threw all those out. Second we noticed that none of the keys are all the same, i.e. 3333, 7777, etc. So we threw all those out. We then pre-calculated all the keys we had left in a database. We then randomly sorted the keys and divided them into groups of 1000000. Our script would then download a group at a time, test it, then when completed mark it as tested, and download the next untested group. This allowed us to start and stop the test as we pleased. In a lil under 3 weeks we had the key we needed.

Not saying we can def find the key this way. It could very well include some of the values we are throwing out. Plus we need to come up with the routine to test the key, the database etc, but if anyone has any ideas, I'm willing to play. :D

To give examples we can throw out keys like this (Because of the 4444):

3F2A 6126 AC2C 6975 594F 5B12 4DAA AD07
DCE1 2074 2C1B 9AEF 5E16 402B D69A 7DA8
27EF C31D E400 1B6B 0F84 243F C4B2 FB83
258A 5862 6767 5417 F781 5379 08B2 476D
68AF 2DDD CC27 B4DD 53A2 6337 5342 1312
F7B1 15D6 B14F 4444 170A EE56 C495 1A32
9783 459E 954F 2AAB C9A7 685F 2CE0 990D
0BFF 6DB3 DC77 C6F4 D1F6 962D AA8D EA7E
EE4D BBC4 880B 80C4 D8DC 5434 3E7E 59D6
D498 ED5C 8A37 21D4 C7CE 44EB 2AA3 5FE6
8D85 32F2 90DC A65D F286 6FF1 B160 D3EF
4A0E E7C8 9A57 37F3 F7FB EFE4 6E64 2DF0
2116 71F2 E39D 5707 699F 410E 38F1 60D6
81F0 B0E4 5A99 6106 F2CE E70B 0E61 E631
D7C2 EC1F 648D 6C92 2A2A BBFB 7B77 30E4
B2F6 DA5C 7456 CD07 584C FFA3 25C6 5369
Reality
Android 1.0
Posts: 3
Joined: Wed Dec 07, 2011 3:08 pm
GTV Device Owned: Logitech Revue

Re: Speaking outloud, so slap me...

Post by Reality »

Even though it's encrypted, we can know. Turns out if you're really smart and ask really nicely, it kinda just tells you.

Each bit doubles the search space.

64 bits took 20 people 3 weeks?
65 will take 20 6 weeks, or 40 3 weeks.
66 will take 20 12 weeks, or 80 3 weeks.
67 will take 20 24 weeks, or 160 3 weeks.
68 will take 20 48 weeks, or 360 3 weeks.
69 will take 30 96 weeks (just shy of two years), or 720 3 weeks.

Without hand holding, I believe it would take 10,737,418,240 people to brute a 93-bit key in 3 weeks. And that's roughly 4 billion more people than the earth's population. So you can't start adding any more people. So assume that we somehow have 10 billion people to help. And each one is going to dedicate a sufficiently powerful machine to the cause. We have to start doubling time now, as we can't double people any more.

256 - 93 = 163

If we double the time 21 times, we get 6,291,456 weeks. Which is 120,989 years. It takes us down to 142 bits left.

Also bear in mind at this point, that there weren't 10 billion people around (still aren't), and they weren't helping you from that far ago (fun fact: it is thought that the most recent common ancestral male evolved about that time [ http://en.wikipedia.org/wiki/Y-chromosomal_Adam ] ). And we still have to either double the number of people, the speed of the algorithm, or the time it will take (or a combination of each) 142 times to yield a full search through the brute force.

...but it's 256. Go on and run the numbers on that, and then when you're convinced the heat death of the universe won't occur between now and the solution, let me know how many people it will take.

Your whole "We'll remove patterns" theory is bunk. 4444 doesn't make a key invalid. We're talking about extremely large random numbers. With lots of digits. Your proposal makes about as much sense as finding a pattern in lotto numbers. Maybe you should do that, and then pay somebody at Logitech or Google for the private key. Because, and let me state this very clearly:

You. And your children. And their children. And their children. And their children. Will die. And the planet they live on will be eaten by the sun. And said sun will exhaust its fuel. All of these things will happen before (withholding a p != np discovery, huge breakthrough in quantum computing, or mathematical breakthrough in factorization of large numbers) you crack the bootloader.

IF you happen to make such a breakthrough, you would be better served NOT releasing such to the public. You could use it to break all sorts of things that would get you WAY more money than the value of being able to use a ROM on a $100 (or $300, depending on when you purchased) piece of x86 hardware.

A far better use of your time would be to go dig through Intel Architecture Manuals, and read some papers (Aleph 0ne's 'Smashing the Stack for Fun and Profit' is a START...and then there are thousands of other papers to read...and manuals to consume...), and then find a break in the software (instead of the crypto system underneath it).

But, please, keep suggesting these *awesome* ideas that have no regard for population of the planet or age of the universe.
webdude12 wrote: Because the loader is encrypted we can not get the exact routine the Revue uses to decrypt.

However I'm assuming that people have tested the public key and signature against other known bootloaders and it did not pass.

Reason I ask is this. Back in my days with the other hacking crowd, we discovered a 64 bit hex encryption key using a small group of and routine that could only do around 100 attempts per second and about 20 of us. Did we get lucky? Very much so.

Most brute force attempts start at 0000 and go to 9999 (to keep it simple). But first we noticed a few things. None of the known keys are in numeric order, i.e. 1234, 5678, etc. So we threw all those out. Second we noticed that none of the keys are all the same, i.e. 3333, 7777, etc. So we threw all those out. We then pre-calculated all the keys we had left in a database. We then randomly sorted the keys and divided them into groups of 1000000. Our script would then download a group at a time, test it, then when completed mark it as tested, and download the next untested group. This allowed us to start and stop the test as we pleased. In a lil under 3 weeks we had the key we needed.

Not saying we can def find the key this way. It could very well include some of the values we are throwing out. Plus we need to come up with the routine to test the key, the database etc, but if anyone has any ideas, I'm willing to play. :D

To give examples we can throw out keys like this (Because of the 4444):

3F2A 6126 AC2C 6975 594F 5B12 4DAA AD07
DCE1 2074 2C1B 9AEF 5E16 402B D69A 7DA8
27EF C31D E400 1B6B 0F84 243F C4B2 FB83
258A 5862 6767 5417 F781 5379 08B2 476D
68AF 2DDD CC27 B4DD 53A2 6337 5342 1312
F7B1 15D6 B14F 4444 170A EE56 C495 1A32
9783 459E 954F 2AAB C9A7 685F 2CE0 990D
0BFF 6DB3 DC77 C6F4 D1F6 962D AA8D EA7E
EE4D BBC4 880B 80C4 D8DC 5434 3E7E 59D6
D498 ED5C 8A37 21D4 C7CE 44EB 2AA3 5FE6
8D85 32F2 90DC A65D F286 6FF1 B160 D3EF
4A0E E7C8 9A57 37F3 F7FB EFE4 6E64 2DF0
2116 71F2 E39D 5707 699F 410E 38F1 60D6
81F0 B0E4 5A99 6106 F2CE E70B 0E61 E631
D7C2 EC1F 648D 6C92 2A2A BBFB 7B77 30E4
B2F6 DA5C 7456 CD07 584C FFA3 25C6 5369
webdude12
Android 1.0
Posts: 13
Joined: Sat Dec 03, 2011 9:09 pm
GTV Device Owned: Logitech Revue

Re: Speaking outloud, so slap me...

Post by webdude12 »

I think you missed my point of how we brute forced, and that's where I did say we got lucky. The idea is not to start at 0 and count up, but in turn methodically randomly pick keys and try them. After a key has been tested and fails, randomly pick another one.

Not saying it would get the key, but saying that people play the lottery every day with random numbers and every once in a while someone wins a million dollars. I personally have 4 computers at home that are on 24 hours a day, but used maybe 10 tops. So if I can make them process some tests with the off chance I might hit the lottery then why not.

That's my whole point. But without having the formula to test generated keys against, I can't even play. :-)
Discovered
2.2 Froyo
Posts: 232
Joined: Thu Dec 08, 2011 9:57 am
GTV Device Owned: Logitech Revue

Re: Speaking outloud, so slap me...

Post by Discovered »

See that is a good point.
LGVM670 - CM 9
IPhone 3GS - IOS 5.1.1
Revue - HC 3.2
Aspire 3000 - JoliOS