ansaurus

Question

Determining CRC algorithm from data + CRC - embedded application.

Answer 1

+3 A:

The code you posted from loc_34FA6 down is basically the following:

unsigned short
crc16_update(unsigned short crc, unsigned char nextByte)
{
    crc ^= nextByte;

    for (int i = 0; i < 8; ++i) {
        if (crc & 1)
            crc = (crc >> 1) ^ 0xA001;
        else
            crc = (crc >> 1);
    }

    return crc;
}

This is a CRC-16 with a 0xA001 polynomial. Once you find out the range of data for which the CRC-16 applies, you initialize CRC to 0xFFFF and the call this function for each byte in the sequence. Store the return value and pass it back in the next time through. The value returned at the end is your final CRC.

I'm not sure what the prologue is doing...

Judge Maygarden 2008-12-30 21:46:03

Thank you very much! I am trying combinations of ranges now. I'll refocus on the disassembly also, since you've told me that piece is what I thought it was. I believe the first section of the code that I posted is moving the DPP0 (data page pointer) to the beginning of the checksummed range.

mattbarn 2008-12-30 22:18:43

Maybe I'm missing something, but it looks like this section only processes one byte. The return (rets) occurs after iterating over 8 bits in one byte.

Judge Maygarden 2008-12-30 22:33:37

It definitely looks like you're right. I'll need to move up the xref chain from here to see how this function gets called.

mattbarn 2008-12-30 22:56:41

The prologue sets up the data page pointer (DPP0) in order to access that initial byte. r13/r12 are used to pass a 30-bit pointer, which probably means that this particular byte is located in another device (an external EEPROM would make sense) within the controller

e.James 2008-12-30 23:14:47

Thank you, James. This particular CPU does not have any internal ROM so it's loading all of this data and code off of the flash chip.

mattbarn 2008-12-30 23:26:38

Answer 2

+1 A:

More generally, part of the concept of CRC is that the when you compute the CRC of some data file, and then append the CRC on the end, you get a file who's CRC is some value that depends on the length of the file, but not it's contents. (For some CRC algorithms, it doesn't even depend on the file length.)

So, if you suspect the app you're trying to reverse-engineer is using say CRC16, and you have a program that computes CRC16, and you have multiple samples of the same length, just compute the CRC16 of those data files (which include the checksum). If it comes back with the same checksum data every time (for files of the same length), then they must contain a CRC checksum using the same width and polynomial.

For example, I once had to reverse engineer some files where the developer thought he was being clever by changing the CRC32 algorithm by changing two constants. I didn't have to find the object code that verified the checksum, disassemble it and then figure it out the hard way. This simple test nailed it.

Die in Sente 2009-01-07 19:23:22

ansaurus

tags:

views:

answers:

Determining CRC algorithm from data + CRC - embedded application.

related questions