逆向工程 - RF数据包中的校验和/CRC算法是什么？ - 吾爱随笔录

RF数据包中的校验和/CRC算法是什么？

逆向工程协议 CRC 联网

2021-06-13 08:42:28

我正在努力找出射频设备的校验和，这似乎很简单，但到目前为止还没有运气......

前 3 个字节是 SyncWord，然后 9 个字节是有效载荷，最后一个字节可能是校验和。

          +-------+-------+-------+-------+ ... +--------+--------+
          | byte0 | byte1 | byte2 | byte3 | ... | byte11 | byte12 |
          +-------+-------+-------+-------+ ... +--------+--------+
          <---- SyncWord (3) ----> <--- Payload (9) ----> <- CRC ->

这似乎是某种线性函数，但我无法弄清楚。

任何帮助将不胜感激！

一些有序的输出

0xE1,0xC0,0x0A,0x0E,0xAA,0x70,0x30,0x30,0x96,0x84,0x27,0x13,0xF6
0xE1,0xC0,0x0A,0x0E,0xAA,0x60,0x30,0x30,0x96,0x84,0x27,0x13,0xE6
0xE1,0xC0,0x0A,0x4E,0x8A,0x60,0x38,0x34,0x94,0x84,0x27,0x13,0x10
0xE1,0xC0,0x0A,0x4E,0x8A,0x70,0x38,0x34,0x94,0x84,0x27,0x13,0x20
0xE1,0xC0,0x0A,0x4E,0xAA,0x60,0x30,0x34,0x94,0x84,0x27,0x13,0x28
0xE1,0xC0,0x0A,0x4E,0xAA,0x60,0x38,0x34,0x94,0x84,0x27,0x13,0x30
0xE1,0xC0,0x0A,0x4E,0xAA,0x70,0x30,0x34,0x94,0x84,0x27,0x13,0x38

0xE1,0xC0,0x0A,0x4F,0x8A,0x70,0x30,0x14,0x9C,0x81,0x25,0x12,0xFB
0xE1,0xC0,0x0A,0x4F,0xAA,0x70,0x30,0x14,0x9C,0x81,0x25,0x12,0x1B
0xE1,0xC0,0x0A,0x0E,0xAA,0x70,0x30,0x34,0x94,0x85,0x27,0x13,0xF9
0xE1,0xC0,0x0A,0x0E,0x8A,0x60,0x38,0x34,0x94,0x85,0x27,0x13,0xD1

样品

0xE1,0xC0,0x0A,0x5F,0x8E,0x74,0x39,0x15,0x9C,0x89,0x03,0x33,0x24
0xE1,0xC0,0x0A,0x1F,0xAE,0x74,0x39,0x15,0x9C,0x89,0x03,0x33,0x04
0xE1,0xC0,0x0A,0x5F,0xAE,0x74,0x39,0x15,0x9C,0x89,0x03,0x33,0x44
0xE1,0xC0,0x0A,0x5F,0xAE,0x64,0x31,0x11,0x9E,0x89,0x03,0x33,0x2A
0xE1,0xC0,0x0A,0x1F,0x8E,0x74,0x31,0x11,0x9E,0x89,0x03,0x33,0xDA
0xE1,0xC0,0x0A,0x5F,0x8E,0x74,0x31,0x11,0x9E,0x89,0x03,0x33,0x1A
0xE1,0xC0,0x0A,0x5F,0x8E,0x64,0x39,0x11,0x9E,0x89,0x03,0x33,0x12
0xE1,0xC0,0x0A,0x1F,0xAE,0x64,0x39,0x11,0x9E,0x89,0x03,0x33,0xF2
0xE1,0xC0,0x0A,0x5F,0xAE,0x64,0x39,0x11,0x9E,0x89,0x03,0x33,0x32
0xE1,0xC0,0x0A,0x5F,0xAE,0x74,0x39,0x11,0x9E,0x89,0x03,0x33,0x42
0xE1,0xC0,0x0A,0x1F,0x8E,0x64,0x31,0x15,0x9E,0x89,0x03,0x33,0xCE
0xE1,0xC0,0x0A,0x5F,0x8E,0x64,0x31,0x15,0x9E,0x89,0x03,0x33,0x0E
0xE1,0xC0,0x0A,0x5F,0x8E,0x74,0x31,0x15,0x9E,0x89,0x03,0x33,0x1E
0xE1,0xC0,0x0A,0x1F,0xAE,0x74,0x31,0x15,0x9E,0x89,0x03,0x33,0xFE
0xE1,0xC0,0x0A,0x5F,0xAE,0x74,0x31,0x15,0x9E,0x89,0x03,0x33,0x3E
0xE1,0xC0,0x0A,0x5F,0xAE,0x64,0x39,0x15,0x9E,0x89,0x03,0x33,0x36
0xE1,0xC0,0x0A,0x1F,0x8E,0x74,0x39,0x15,0x9E,0x89,0x03,0x33,0xE6
0xE1,0xC0,0x0A,0x5F,0x8E,0x74,0x39,0x15,0x9E,0x89,0x03,0x33,0x26
0xE1,0xC0,0x0A,0x5F,0x8E,0x64,0x31,0x11,0x9C,0x88,0x03,0xB3,0x87
0xE1,0xC0,0x0A,0x1F,0xAE,0x64,0x31,0x11,0x9C,0x88,0x03,0xB3,0x67
0xE1,0xC0,0x0A,0x5F,0xAE,0x64,0x31,0x11,0x9C,0x88,0x03,0xB3,0xA7
0xE1,0xC0,0x0A,0x5F,0xAE,0x74,0x31,0x11,0x9C,0x88,0x03,0xB3,0xB7
0xE1,0xC0,0x0A,0x1F,0x8E,0x64,0x39,0x11,0x9C,0x88,0x03,0xB3,0x4F
0xE1,0xC0,0x0A,0x5F,0x8E,0x64,0x39,0x11,0x9C,0x88,0x03,0xB3,0x8F

0xE1,0xC0,0x0A,0x5E,0x0F,0x24,0x91,0x01,0x86,0x81,0x01,0x30,0x75
0xE1,0xC0,0x0A,0x1E,0x2F,0x24,0x91,0x01,0x86,0x81,0x01,0x30,0x55
0xE1,0xC0,0x0A,0x1E,0x2F,0x34,0x91,0x01,0x86,0x81,0x01,0x30,0x65
0xE1,0xC0,0x0A,0x5E,0x2F,0x34,0x91,0x01,0x86,0x81,0x01,0x30,0xA5
0xE1,0xC0,0x0A,0x1E,0x0F,0x24,0x99,0x01,0x86,0x81,0x01,0x30,0x3D
0xE1,0xC0,0x0A,0x1E,0x0F,0x34,0x99,0x01,0x86,0x81,0x01,0x30,0x4D
0xE1,0xC0,0x0A,0x5E,0x0F,0x34,0x99,0x01,0x86,0x81,0x01,0x30,0x8D
0xE1,0xC0,0x0A,0x1E,0x2F,0x34,0x99,0x01,0x86,0x81,0x01,0x30,0x6D
0xE1,0xC0,0x0A,0x1E,0x2F,0x24,0x91,0x05,0x86,0x81,0x01,0x30,0x59
0xE1,0xC0,0x0A,0x5E,0x2F,0x24,0x91,0x05,0x86,0x81,0x01,0x30,0x99
0xE1,0xC0,0x0A,0x1E,0x0F,0x34,0x91,0x05,0x86,0x81,0x01,0x30,0x49
0xE1,0xC0,0x0A,0x1E,0x0F,0x24,0x99,0x05,0x86,0x81,0x01,0x30,0x41
0xE1,0xC0,0x0A,0x5E,0x0F,0x24,0x99,0x05,0x86,0x81,0x01,0x30,0x81
0xE1,0xC0,0x0A,0x1E,0x2F,0x24,0x99,0x05,0x86,0x81,0x01,0x30,0x61
0xE1,0xC0,0x0A,0x1E,0x2F,0x34,0x99,0x05,0x86,0x81,0x01,0x30,0x71
0xE1,0xC0,0x0A,0x5E,0x2F,0x34,0x99,0x05,0x86,0x81,0x01,0x30,0xB1
0xE1,0xC0,0x0A,0x1E,0x0F,0x24,0x91,0x01,0x84,0x80,0x01,0xB0,0xB2
0xE1,0xC0,0x0A,0x1E,0x0F,0x34,0x91,0x01,0x84,0x80,0x01,0xB0,0xC2
0xE1,0xC0,0x0A,0x5E,0x0F,0x34,0x91,0x01,0x84,0x80,0x01,0xB0,0x02
0xE1,0xC0,0x0A,0x1E,0x2F,0x34,0x91,0x01,0x84,0x80,0x01,0xB0,0xE2
0xE1,0xC0,0x0A,0x1E,0x2F,0x24,0x99,0x01,0x84,0x80,0x01,0xB0,0xDA

0xE1,0xC0,0x0A,0x0F,0xAA,0x60,0x30,0x14,0x9C,0x88,0x23,0x13,0xD1
0xE1,0xC0,0x0A,0x0F,0xAA,0x70,0x30,0x14,0x9C,0x88,0x23,0x13,0xE1
0xE1,0xC0,0x0A,0x0F,0x8A,0x70,0x30,0x14,0x9C,0x88,0x23,0x13,0xC1
0xE1,0xC0,0x0A,0x0F,0x8A,0x60,0x38,0x14,0x9C,0x88,0x23,0x13,0xB9
0xE1,0xC0,0x0A,0x0F,0xAA,0x60,0x38,0x14,0x9C,0x88,0x23,0x13,0xD9
0xE1,0xC0,0x0A,0x0F,0x8A,0x70,0x38,0x14,0x9C,0x88,0x23,0x13,0xC9
0xE1,0xC0,0x0A,0x0F,0x8A,0x60,0x30,0x10,0x9E,0x88,0x23,0x13,0xAF
0xE1,0xC0,0x0A,0x4F,0xAA,0x60,0x30,0x10,0x9E,0x88,0x23,0x13,0x0F
0xE1,0xC0,0x0A,0x4F,0x8A,0x70,0x30,0x10,0x9E,0x88,0x23,0x13,0xFF
0xE1,0xC0,0x0A,0x4E,0xAA,0x60,0x30,0x34,0x94,0x84,0x27,0x13,0x28
0xE1,0xC0,0x0A,0x4E,0x8A,0x70,0x30,0x34,0x94,0x84,0x27,0x13,0x18
0xE1,0xC0,0x0A,0x4E,0xAA,0x70,0x30,0x34,0x94,0x84,0x27,0x13,0x38
0xE1,0xC0,0x0A,0x4E,0x8A,0x60,0x38,0x34,0x94,0x84,0x27,0x13,0x10
0xE1,0xC0,0x0A,0x4E,0xAA,0x60,0x38,0x34,0x94,0x84,0x27,0x13,0x30
0xE1,0xC0,0x0A,0x4E,0x8A,0x70,0x38,0x34,0x94,0x84,0x27,0x13,0x20
0xE1,0xC0,0x0A,0x4E,0x8A,0x60,0x30,0x30,0x96,0x84,0x27,0x13,0x06
0xE1,0xC0,0x0A,0x0E,0xAA,0x60,0x30,0x30,0x96,0x84,0x27,0x13,0xE6
0xE1,0xC0,0x0A,0x0E,0x8A,0x70,0x30,0x30,0x96,0x84,0x27,0x13,0xD6
0xE1,0xC0,0x0A,0x0E,0xAA,0x70,0x30,0x30,0x96,0x84,0x27,0x13,0xF6

1个回答

校验和算法确实很简单。它添加所有有效载荷字节模 0xFF，然后添加 26。

我写了一个脚本来测试它：

#!/usr/bin/python

import binascii

def checksum(data):
    payload = data[3:-1]
    checksum = 26
    for c in payload:
        checksum += c
    checksum &= 0xFF
    return checksum

with open("input.txt","r") as f:
    for line in f:
        line = line.strip()
        if line == "":
            continue
        line = line.replace(",","")
        line = line.replace("0x","")

        data = binascii.unhexlify(line)

        if checksum(data) == data[-1]:
            print("pass")
        else:
            print("fail")

我把你上面的样本复制到了input.txt，他们都通过了。

至于我是如何发现的，我在谷歌上搜索了同步词（不知道那是什么），1 字节校验和和其他一些帖子提到了简单的加法。我还测试了多个 CRC8 变体，但没有一个有效。我还发现它表明校验和似乎反映了输入的变化，例如：

0xE1,0xC0,0x0A,0x4E,0x8A,0x60,0x38,0x34,0x94,0x84,0x27,0x13,0x10
0xE1,0xC0,0x0A,0x4E,0x8A,0x70,0x38,0x34,0x94,0x84,0x27,0x13,0x20

将0x60改为0x70所以没有通过校验增加0x10它-我认为-不那么明显的结直肠癌。

其它你可能感兴趣的问题

上一篇从二进制代码解析操作码下一篇如何在 x64dbg 中添加插件？