Arno Nym
| reply to TheIndividual
Re: Analysis of the Alchemy 5.1 binaries
A backdoor or phone home function is still possible if it is in every firmware binary. I only checked for differences. I have yet to compile my own binary. Sifting through the whole source for trojan code would take a long time.
The squash filesystem has a magic number. Open the firmware image with a hexeditor and look for hsqs (0x68 0x73 0x71 0x73) or shsq (0x73 0x68 0x73 0x71). In the Alchemy 5.1 binaries, this signature is found at offset 0xB84A0. Copy everything from that point on into a new file. This file can be mounted on a system with a matching squashfs driver (mount -o loop -t squashfs image.sqfs /mnt). The squashfs 2.0 final driver does not recognize the filesystem images from Alchemy 5.1, but the squashfs source from the Alchemy source package can be compiled on an i386 as well. To create a new squashfs image, you would have to use the binary only mksquashfs from the Alchemy source package, concatenate the resulting image file with a header and a kernel and adjust the checksum in the header. This could be the point where the tag is created, so check the resulting filesystem image. You could also try using the newer mksquashfs directly from the author, but to avoid bricking your router, you should first verify that you can mount the filesystem image with a kernel which has been patched with the squashfs code from Alchemy.
It should be noted that the tagging need not be this obvious and it is absolutely possible to create tags in a way which permits exact identification of the group of files which has been compared in order to eliminate the tag. Detagging could thus get all subscribers kicked who offer their downloaded firmware for comparison. You would be better off sacrificing one subscription per release. |
|
TheIndividual
1 edit | reply to pandora
Arno Nym:
I have to admit that I am not that familiar with the firmware structure. Congratulations on your findings, I'm just curious how you did it. Did you strip the squashfs from the binary or did you actually upload it to your router and compare those files? I guess the former, so I would like to know how exactly one can do that and if it would be possible to re-compress a tag-free version?
Sveasoft obviously must be keeping all the different binaries available for possible later downloads, so they do know which file with which md5sum got transfered to who.
Anyways it's nice to know that there are no code differences in all versions, I never really believed in any backdoor and such on P2P versions. |
|
pandora
Premium
join:2001-06-01
Outland
 ·ooma
·Future Nine Corpor..
 ·Comcast
| reply to Arno Nym
said by Arno Nym:
Don't jump to conclusions. A tool with similar output could be written in a matter of hours with publically available crypto libraries.
Is the message encoded or just hidden, is decryption or exposure possible with a tool? Even if we could determine the size of the encryption we'd be able to guess what's stored... userid... date... time??
Can anyone who can download a binary indicate if they download 2 binaries on 2 days (of the same binary from Sveasoft) are they identical... this would help determine if there is a date/time stamp. If they're identical across time... then likely it's encrypting userid... someone with a copy may be able to test then by encrypting the userid into the "stripped" file to see if they get similar results. At least then the "mystery" of the checksum would be solved  |
|
Arno Nym
| reply to viper54g
Don't jump to conclusions. A tool with similar output could be written in a matter of hours with publically available crypto libraries. |
|
