[linux-dvb] @Sky Pilot, Neotion Pilot, Checksum hacking

Juergen Urban JuergenUrban at gmx.de
Mon Jun 22 23:58:57 CEST 2009


On Monday 22 June 2009 07:13:49 Andreas Oberritter wrote:
> Juergen Urban wrote:
> > Now I've a problem with the 1-byte-checksum calculation. Each message
> > which I send to the device has a checksum (last byte). I don't know how
> > to calculate the checksum.
> > Did someone know how to reverse engineer a 1-byte-checksum?
> > Did someone see these type of messages before?
> > Did someone detect any algorithm in the checksum values?
> >
> > Here are examples:
> >
> > static unsigned char ep03_msg109[] = {
> > 	0x81, 0x05, 0x01, 0x00, 0x02, 0x01, 0x06, 0x00,
> > 	0x01, 0xd0, 0x1e, 0x01, 0x00,
> > 	0xca /* Checksum */
> > };
> >
> > static unsigned char ep03_msg110[] = {
> > 	0x81, 0x05, 0x01, 0x00, 0x02, 0x01, 0x06, 0x00,
> > 	0x01, 0xd0, 0x1f, 0x01, 0x00,
> > 	0xcb /* Checksum */
> > };
> >
> > In the above example the checksum is incremented by one and there is also
> > one byte incremented by one in the payload (0x1e -> 0x1f and 0xca ->
> > 0xcb). this seems to be a simple addition.
> >
> > static unsigned char ep03_msg111[] = {
> > 	0x81, 0x05, 0x01, 0x00, 0x02, 0x01, 0x06, 0x00,
> > 	0x01, 0xd0, 0x20, 0x01, 0x00,
> > 	0xf4 /* Checksum */
> > };
>
> It's a simple XOR of all bytes with an initial value of 0x84.
>
> unsigned int calc_cs(const unsigned char *buf, unsigned int n)
> {
>         unsigned int i, cs = 0x84;
>
>         for (i = 0; i < n; i++)
>                 cs ^= buf[i];
>
>         return cs;
> }
>
> Regards,
> Andreas
>

Thanks. I didn't thought that a simple XOR has this effect. Now I see that the 
initial value of 0x84 is same as 0x81 ^ 0x05, so the first 2 bytes are not part 
of the message. I got it working in my test application.

Best regards
Juergen Urban




More information about the linux-dvb mailing list