
Arno Nym

@unknown


reply to Sveasoft6

Analysis of the Alchemy 5.1 binaries

FYI:

I have analyzed the three binaries of Alchemy 5.1 which I have obtained from three different sources.

The kernel is identical in all three firmware binaries.

The filesystem image (squashfs) is different in each version. In each filesystem, all files have the same creation timestamp, but different timestamps across firmware binaries. Each filesystem contains 500 files. 498 of these files are identical across all three binaries. The same two files are different in each version: hmanagement.asp and ui_cisco.gif.

A couple of lines in hmanagement.asp have superfluous whitespace before the end-of-line. Each of the binaries has a different combination of spaces and tabs in this file.

The gif is visually identical across all three firmware binaries, but uses a differently permuted color map in each binary.

The source code which has been made available by one subscriber contains a fourth variation of these files. The asp file in the source package contains almost no superfluous whitespace before the end-of-lines. The gif in the Alchemy 5.1 source package is identical to the one in the publicly released Satori 4.0 source package but different from the files in each of the three Alchemy 5.1 binaries.

The mksquashfs program (GPL software by Phillip Lougher) which the build process uses to pack the filesystem before it is attached to the kernel is distributed as binary-only. Its source is absent in both the Alchemy 5.1 and the Satori 4.0 source package.

Make your own mind up about these findings.
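The post above describes per-copy tags hidden in trailing spaces and tabs of hmanagement.asp. The following is an added example, not code from the thread: it maps the trailing whitespace of two copies, checks whether they differ only in that whitespace, and extracts the whitespace as a bit string under an assumed Snow-style layout (each tab closes a group, the 0-7 spaces before it carry 3 bits); the two inputs are constructed samples.

```python
import re

# Constructed samples: one ASP fragment in two "downloads" that differ only
# in end-of-line spaces/tabs, as described for hmanagement.asp in the thread.
COPY_A = "<html>\n<body>  \t\n<p>hi</p>\t\n</body> \t\n</html>\n"
COPY_B = "<html>\n<body>\t\n<p>hi</p>   \t\n</body>\t\n</html>\n"

TRAILING = re.compile(r"[ \t]+$")

def trailing_whitespace_map(text):
    """Map line number -> trailing run of spaces/tabs, for lines that have one."""
    out = {}
    for num, line in enumerate(text.split("\n"), start=1):
        m = TRAILING.search(line)
        if m:
            out[num] = m.group()
    return out

def strip_trailing_whitespace(text):
    """Normalise: what the file looks like with the suspected tag removed."""
    return "\n".join(line.rstrip(" \t") for line in text.split("\n"))

def differ_only_in_trailing_ws(a, b):
    """True when two copies are identical apart from end-of-line whitespace."""
    return a != b and strip_trailing_whitespace(a) == strip_trailing_whitespace(b)

def decode_snow_like(text):
    """Assumed Snow-style layout (an assumption, not verified against Snow):
    each tab closes a group and the number of spaces before it (0-7) is 3 bits.
    Returns the raw bit string; spaces after the last tab are ignored."""
    bits = []
    for run in trailing_whitespace_map(text).values():
        spaces = 0
        for ch in run:
            if ch == " ":
                spaces += 1
            else:                      # a tab ends the current group
                bits.append(format(min(spaces, 7), "03b"))
                spaces = 0
    return "".join(bits)

if __name__ == "__main__":
    print(differ_only_in_trailing_ws(COPY_A, COPY_B))   # True
    print(decode_snow_like(COPY_A), decode_snow_like(COPY_B))
```

Comparing the extracted bit strings across several downloads (rather than the raw files) shows whether the tag is per-copy or per-release without needing to know the encoding.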


Arno Nym

@unknown
Further inspection of the superfluous whitespace indicates that www.darkside.com.au/snow/ has been used to create it. If this is correct, then the encryption feature of Snow has been used before embedding the hidden information.

tdb

join:2002-05-30
Concord, NC
said by Arno Nym:
Further inspection of the superfluous whitespace indicates that www.darkside.com.au/snow/ has been used to create it. If this is correct, then the encryption feature of Snow has been used before embedding the hidden information.

Somebody might want to notify the author of snow, since it appears that it is not free for commercial use.
--
Linux, it's what's for dinner.


TLS2000
Crazy Canuck
join:2004-02-24
Mississauga, ON

reply to Arno Nym
After talking with one of the mods here I feel I must retract part of one of my previous posts.

In a previous post, I accused the mods, or Sveasoft, of editing my post to remove an MD5 checksum.

It has been proven to me that it was not possible for either the mods, or Sveasoft to have edited my post. While I will not take back anything else I have said in this thread, I feel like I made an accusation without basis in fact. I apologise to both the Mods on this forum, as well as Sveasoft for that action in particular.

I am hosting the firmware, and will soon be hosting the source for Alchemy 5.1. I will also be hosting any future versions of the source and binaries that I get a hold of. This direct action is being taken because Sveasoft has revoked my subscription. It was revoked not because I redistributed, but because I had the nerve to post an MD5 checksum of my copy of the binary obtained from Sveasoft's download site.

I will not post links on this board for it, due to a public statement by the moderators on this board.

In order to keep this post alive, we should all try to refrain from making unfounded accusations. We should also try to avoid a flame war.

Again, Sveasoft6, sortofageek, I apologise.
--
Tom Murdoch

viper54g

join:2004-07-16

reply to Arno Nym
said by Arno Nym:
Further inspection of the superfluous whitespace indicates that www.darkside.com.au/snow/ has been used to create it. If this is correct, then the encryption feature of Snow has been used before embedding the hidden information.

"The snow source code and the algorithms contained within it are free for non-commercial use"

I'm wondering if James has paid a license for this...


Arno Nym

@unknown
Don't jump to conclusions. A tool with similar output could be written in a matter of hours with publicly available crypto libraries.

pandora
join:2001-06-01
Outland
said by Arno Nym:
Don't jump to conclusions. A tool with similar output could be written in a matter of hours with publicly available crypto libraries.

Is the message encoded or just hidden, is decryption or exposure possible with a tool? Even if we could determine the size of the encryption we'd be able to guess what's stored... userid... date... time??

Can anyone who can download a binary indicate if they download 2 binaries on 2 days (of the same binary from Sveasoft) are they identical... this would help determine if there is a date/time stamp. If they're identical across time... then likely it's encrypting userid... someone with a copy may be able to test then by encrypting the userid into the "stripped" file to see if they get similar results. At least then the "mystery" of the checksum would be solved


TheIndividual

@anonymizationservice

Arno Nym:
I have to admit that I am not that familiar with the firmware structure. Congratulations on your findings, I'm just curious how you did it. Did you strip the squashfs from the binary or did you actually upload it to your router and compare those files? I guess the former, so I would like to know how exactly one can do that and if it would be possible to re-compress a tag-free version?
Sveasoft obviously must be keeping all the different binaries available for possible later downloads, so they do know which file with which md5sum got transferred to whom.

Anyways it's nice to know that there are no code differences in all versions, I never really believed in any backdoor and such on P2P versions.


Arno Nym

@unknown
A backdoor or phone home function is still possible if it is in every firmware binary. I only checked for differences. I have yet to compile my own binary. Sifting through the whole source for trojan code would take a long time.

The squashfs filesystem has a magic number. Open the firmware image with a hex editor and look for hsqs (0x68 0x73 0x71 0x73) or shsq (0x73 0x68 0x73 0x71). In the Alchemy 5.1 binaries, this signature is found at offset 0xB84A0. Copy everything from that point on into a new file. This file can be mounted on a system with a matching squashfs driver (mount -o loop -t squashfs image.sqfs /mnt). The squashfs 2.0 final driver does not recognize the filesystem images from Alchemy 5.1, but the squashfs source from the Alchemy source package can be compiled on an i386 as well. To create a new squashfs image, you would have to use the binary-only mksquashfs from the Alchemy source package, concatenate the resulting image file with a header and a kernel and adjust the checksum in the header. This could be the point where the tag is created, so check the resulting filesystem image. You could also try using the newer mksquashfs directly from the author, but to avoid bricking your router, you should first verify that you can mount the filesystem image with a kernel which has been patched with the squashfs code from Alchemy.

It should be noted that the tagging need not be this obvious and it is absolutely possible to create tags in a way which permits exact identification of the group of files which has been compared in order to eliminate the tag. Detagging could thus get all subscribers kicked who offer their downloaded firmware for comparison. You would be better off sacrificing one subscription per release.
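The carving step described in the post above (locate the hsqs/shsq magic, copy everything from that offset into a separate file) as an added example, not code from the thread. It scans an image for both byte orders of the squashfs magic, carves from each hit, and hashes the carved region so several downloads can be compared after the kernel and header are set aside; the input is a constructed byte string with the magic at 0x40 rather than a real image, where the post puts it at 0xB84A0.

```python
import hashlib

# Squashfs superblock magic in both byte orders, as given in the post.
MAGICS = {b"hsqs": "little-endian", b"shsq": "big-endian"}

# Constructed sample: a fake 64-byte header+kernel region, then a squashfs
# magic followed by stand-in root filesystem bytes (not a real image).
SAMPLE = b"HDR\x00" + b"\x00" * 60 + b"hsqs" + b"rootfs-bytes"

def find_squashfs(image):
    """Return sorted (offset, endianness) pairs for every magic found in image."""
    hits = []
    for magic, endian in MAGICS.items():
        start = 0
        while True:
            pos = image.find(magic, start)
            if pos < 0:
                break
            hits.append((pos, endian))
            start = pos + 1
    return sorted(hits)

def carve(image, offset):
    """Everything from the magic onward: the squashfs image that gets mounted."""
    return image[offset:]

def fingerprint(data):
    """SHA-256 of a carved region, for comparing copies from different sources."""
    return hashlib.sha256(data).hexdigest()

def carve_all(image):
    """Carve every candidate filesystem and fingerprint it."""
    return [(off, endian, fingerprint(carve(image, off)))
            for off, endian in find_squashfs(image)]

if __name__ == "__main__":
    for off, endian, digest in carve_all(SAMPLE):
        print(f"squashfs ({endian}) at 0x{off:X}, sha256 {digest[:16]}...")
```

With real firmware, read the file with `open(path, "rb").read()`, write `carve(image, off)` to a new file, and mount it as the post describes; identical fingerprints across downloads would rule out a per-copy tag inside the filesystem image.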