serpor
05/03/2008, 20:06
Hi, I am [l3x]. I used to work for TCNiSO (2 years ago); I am the author of SIGMA-X.
I wanted to join the forums so I can clear a few things up that people have written about me.
1) I coded sigma-x without DerEngel's help. DerEngel cannot code in asm; he only codes in VB.NET.
2) The only things I used that I did not code were Isabella's web server and Isabella's telnet server; the rest was coded by me in MIPS asm.
3) Yes, I still have the source code; no, DerEngel does not have the source code. That's why there were never any updates to sigma-x after I left in November 2005.
4) I also started the 5100 hacking. I found the EJTAG port and I coded the very first blackcat (before it was named blackcat); it was a Linux-only version. After I coded it and had a way to flash firmware, I started coding sigma-x.
5) I coded the 5100 bootloader.
6) Isabella made a smaller EJTAG interface; mine used 3 quad NAND gate ICs, Isabella did it with 1 IC.
7) Isabella started work on a Windows version of the software I coded to interface to EJTAG. She made it all except for the flash driver, which I coded. She named it blackcat because she has a black cat, heh.
8) DerEngel made a GUI in VB.NET which interfaced to Isabella's and my work (coded in C++).
9) I developed SIGMA-x in 3 months, I did write documentation for it but never released it.
10) The last version of sigma-x I released was sigma-x RC7, but DerEngel never released it because there was a bug which he wanted fixed before he released it.
11) The reason DerEngel can't modify sigma-x is because it's encrypted (a simple XOR encryption).
12) After sigma-x boots it erases its init functions from RAM, this includes the descriptor, so there is no way to reverse engineer it with a RAM dump. You would get the core functions with a RAM dump, but without the init functions it's impossible to work it out.
13) Once sigma-X loads it erases functions the modem uses when it boots and frees that ram for use (this was my magic memory management system as I was low on ram)
14) Sigma-x has no backdoor, but sigma 1.3, 1.4 and 1.5 do. I am sure sigma-x2 would have too, but I don't know about that one as I was long gone when DerEngel paid programmers to code sigma-x2.
15) Sigma-x2 was not coded by DerEngel, he paid a team of programmers to build it. (I am not sure if Isa helped)
16) Isa coded sigma 1.3, 1.4 and 1.5
17) Sigma-x is compressed using lzma
18) The encryption is simple.
There is a key; it's a string, say "blah".
To encrypt, when I compiled the firmware I would XOR parts of the uncompressed firmware against the key like this...
Say the key is blah; blah in hex is 0x62 0x6c 0x61 0x68.
byte 1 of the first encrypt block is XORed against 0x62 and the answer is written to byte 1
byte 2 of the first encrypt block is XORed against 0x6c and the answer is written to byte 2
byte 3 of the first encrypt block is XORed against 0x61 and the answer is written to byte 3
byte 4 of the first encrypt block is XORed against 0x68 and the answer is written to byte 4
byte 5 of the first encrypt block is XORed against 0x62 and the answer is written to byte 5
byte 6 of the first encrypt block is XORed against 0x6c and the answer is written to byte 6
byte 7 of the first encrypt block is XORed against 0x61 and the answer is written to byte 7
byte 8 of the first encrypt block is XORed against 0x68 and the answer is written to byte 8
As you can see, the firmware is just XORed against a rolling key, starting at byte 1 of the key and going over each byte until it loops back to the start of the key again.
All of the firmware is encrypted except a small init function which includes the decryptor; the decryptor works the same as the encryptor.
On boot the bootloader uncompresses the firmware from flash into RAM and then jumps to the init function.
The init function decrypts all the encrypted blocks and then executes the encrypted init functions.
The last thing it does is zero out the RAM where the decryptor and init functions are stored.
The firmware is then running in RAM, decrypted, with no entry point, making reverse engineering it impossible.
This is the first time I have talked about sigma-x since I left. I now work at Sony and do not do any hacking anymore; I have not hacked anything since the good old days at TCNiSO.
Excuse the spelling, I typed this out really quick.
Regards
L3x
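The rolling-key XOR scheme L3x describes in points 11 and 18 (byte i of each block XORed with key byte i mod keylen, the same routine serving as encryptor and decryptor), written out as an added example in C. This is editor-supplied illustration code, not L3x's code and not anything from SIGMA-X; the key "blah" (0x62 0x6c 0x61 0x68) comes from the post, and the 16-byte sample block, the function names and the known-plaintext recovery routine are constructed here to show the scheme's properties.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Rolling-key XOR as the post describes it: byte i of a block is XORed
 * with key[i % keylen], wrapping back to the start of the key. XOR is
 * its own inverse, so one routine is both the encryptor and decryptor. */
void rolling_xor(uint8_t *buf, size_t len, const uint8_t *key, size_t keylen)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % keylen];
}

/* Known-plaintext key recovery (assumed helper, not from the post): since
 * ct[i] = pt[i] ^ key[i % keylen], any keylen consecutive bytes of known
 * plaintext give the whole key. Returns 1 if one key of length keylen
 * explains every byte of the buffer, 0 otherwise. */
int recover_key(const uint8_t *ct, const uint8_t *pt, size_t len,
                size_t keylen, uint8_t *key_out)
{
    if (keylen == 0 || len < keylen)
        return 0;
    for (size_t i = 0; i < keylen; i++)
        key_out[i] = ct[i] ^ pt[i];
    for (size_t i = keylen; i < len; i++)
        if ((uint8_t)(ct[i] ^ pt[i]) != key_out[i % keylen])
            return 0;
    return 1;
}

/* Constructed stand-in for one 16-byte "encrypt block" (not real firmware):
 * eight bytes shaped like a MIPS function prologue, then eight zero bytes
 * standing in for a padding region. */
static const uint8_t SAMPLE_PLAIN[16] = {
    0x27, 0xbd, 0xff, 0xe0, 0xaf, 0xbf, 0x00, 0x1c,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
static const uint8_t KEY[4] = { 0x62, 0x6c, 0x61, 0x68 };   /* "blah" */

/* Encrypt the sample block with "blah" and return ciphertext byte i. */
uint8_t sample_cipher_byte(size_t i)
{
    uint8_t buf[16];
    memcpy(buf, SAMPLE_PLAIN, sizeof buf);
    rolling_xor(buf, sizeof buf, KEY, sizeof KEY);
    return buf[i % 16];
}

/* Encrypt, then run the identical call again; 1 if the plaintext came back. */
int roundtrip_ok(void)
{
    uint8_t buf[16];
    memcpy(buf, SAMPLE_PLAIN, sizeof buf);
    rolling_xor(buf, sizeof buf, KEY, sizeof KEY);
    if (memcmp(buf, SAMPLE_PLAIN, sizeof buf) == 0)
        return 0;                       /* nothing was transformed */
    rolling_xor(buf, sizeof buf, KEY, sizeof KEY);
    return memcmp(buf, SAMPLE_PLAIN, sizeof buf) == 0;
}

/* Try to explain the whole ciphertext block with a key of a guessed
 * length, given the full plaintext. Returns recover_key's verdict. */
int full_block_key_recovery(size_t keylen)
{
    uint8_t buf[16], key_out[16];
    memcpy(buf, SAMPLE_PLAIN, sizeof buf);
    rolling_xor(buf, sizeof buf, KEY, sizeof KEY);
    return recover_key(buf, SAMPLE_PLAIN, sizeof buf, keylen, key_out);
}

/* Use only the zero-filled tail (bytes 8..15, which start at key phase
 * 8 % 4 == 0): ciphertext there is the key itself. 1 if it equals "blah". */
int zero_tail_reveals_key(void)
{
    static const uint8_t zeros[8] = { 0 };
    uint8_t buf[16], key_out[4];
    memcpy(buf, SAMPLE_PLAIN, sizeof buf);
    rolling_xor(buf, sizeof buf, KEY, sizeof KEY);
    if (!recover_key(buf + 8, zeros, 8, 4, key_out))
        return 0;
    return memcmp(key_out, KEY, 4) == 0;
}

int main(void)
{
    printf("byte 1 of block: 0x%02x\n", sample_cipher_byte(0));
    printf("roundtrip: %s\n", roundtrip_ok() ? "ok" : "FAIL");
    printf("key from zero region: %s\n", zero_tail_reveals_key() ? "blah" : "no");
    return 0;
}
```

Two properties of the scheme fall out of the code. First, because the decryptor is the encryptor, whoever holds the key and the image can undo the transform in one pass. Second, a repeating key of length n is fully determined by any n bytes of known plaintext; a zero-filled region (padding, uninitialised data) hands over the key verbatim, and a key length guessed as a multiple of the true one (8 for "blah") still decrypts correctly, which is why `full_block_key_recovery(8)` succeeds while 2 or 3 fails. Taken together with the post's own description (the key is a string, the decryptor lives in the unencrypted init function in the flash image), both the key and the transform are available to anyone who can read the flash, so the XOR layer is obfuscation rather than confidentiality.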