
Originally Posted by
nikos_
To create 0201 cmd ...
To create the 0201 command you need to make it in this format. "020100" is a special instruction to gamma to receive an update string; the next two bytes tell gamma which 3DES key to use from the possible 16 keys. For example 02010003 tells gamma to use the fourth key. It's the fourth because it starts from 0. Example: 020100020048F4347C4D8FC5E3A29A67C67DD205 .... here gamma is told to use the third key because of 02010002 (it is 2 here; starting from zero, that is the 3rd key). Next is the length of the message. In this example it is 48 (hex bytes). Next is the 8-byte DES cipher-block-chained checksum (des-mac). This is like a digital signature. Next are 40 hex bytes of update message. Finally there is the single-byte CRC.
Re: To create 0201 cmd ...
Many people PM me about how to create gamma update commands. Here is the explanation I put together for PMs.
020100DKLNMMMMMMMMUSUL PAYLOAD CC
02 = Gamma update PDU
01 = CLA
00 = P1
DK = Index to 16-byte Gamma update 3DES Key.
LN = Length of Message
MM = 8 Byte DES MAC
US = Update Selector (what to update)
For GSMK US = 01
For PMSK US = 02
For IV_PAD US = 03
For GMASK US = 04
For PMASK US = 05
For KEK US = 06
For COCO US = 08
For HSN US = 09
For ExiKey US = 0B
For AxiKey US = 0C
For ProviderID US = 10
For GroupKey US = 12
For ProductKey US = 13
For OS Erase US = 20
For OS Update US = 21
UL = Length of Update (for example for HSN UL = 03, for GMSK UL = 10, etc...)
PAYLOAD is the Update
CC = Message CRC or Checksum. Simply XOR message with 0x3F
It is OK to have multiple updates in one command.
Example:
020100DKLNMMMMMMMM0903HNHNHN0803COCOCO1003PIPIPICC
This command will update HSN (HN), Coco (CO) and Provider ID (PI) in one go.
The DES MAC is calculated by prepending an 8-octet confounder to the plaintext, performing a DES CBC-mode encryption on the result using the key and an initialization vector of zero, taking the last block of the ciphertext, prepending the same confounder and encrypting the pair using DES in cipher-block-chaining (CBC) mode using a variant of the key, where the variant is computed by eXclusive-ORing the key
The message after LN is encrypted using Triple DES in CBC mode up to the CC, using the 16-byte key at index DK.
@xaniaras, snakie and the other experts, how can we calculate the DES MAC so that we can decrypt a line?
Or is this off topic here too??