[linux-dvb] @Sky Pilot, Neotion Pilot, Checksum hacking

Juergen Urban JuergenUrban at gmx.de
Sun Jun 21 20:02:55 CEST 2009


Hello,

I didn't find a DVB-S driver for the Neotion Pilot (aka @Sky Pilot with 
@SkyChip, USB v1.0), so I decided to write it on my own. In my german blog 
http://satfreak.blog.de/ I write something about the reverse engineering 
process. Now I've a problem with the 1-byte-checksum calculation. Each message 
which I send to the device has a checksum (last byte). I don't know how to 
calculate the checksum.
Did someone know how to reverse engineer a 1-byte-checksum?
Did someone see these type of messages before?
Did someone detect any algorithm in the checksum values?

Here are examples:

static unsigned char ep03_msg109[] = {
	0x81, 0x05, 0x01, 0x00, 0x02, 0x01, 0x06, 0x00,
	0x01, 0xd0, 0x1e, 0x01, 0x00,
	0xca /* Checksum */
};

static unsigned char ep03_msg110[] = {
	0x81, 0x05, 0x01, 0x00, 0x02, 0x01, 0x06, 0x00,
	0x01, 0xd0, 0x1f, 0x01, 0x00,
	0xcb /* Checksum */
};

In the above example the checksum is incremented by one and there is also one 
byte incremented by one in the payload (0x1e -> 0x1f and 0xca -> 0xcb). this 
seems to be a simple addition.

static unsigned char ep03_msg111[] = {
	0x81, 0x05, 0x01, 0x00, 0x02, 0x01, 0x06, 0x00,
	0x01, 0xd0, 0x20, 0x01, 0x00,
	0xf4 /* Checksum */
};

In the next example the byte is further incremented, but the checksum changes 
much more (0x1f -> 0x20 and 0xcb -> 0xf4).

The device doesn't respond to a message with the wrong checksum. I used this 
to try all values until I found the correct one, but this needs some seconds. 
This behaviour will not be acceptable within a DVB driver.

Much more examples are in my test code which currently uses libusb-1.0:
http://www.pastie.org/519407

Best regards
Juergen Urban



More information about the linux-dvb mailing list