-1

I am all the time trying to determine how to reverse engineer this checksum. It should be a simple one, it is just a checksum for a firmware version of a device. Here are 5 hex-strings:

01854000ff1029050600323132393031303830364d45373738304230373541303436ffffffffffffffffffffffffffffffffffffffffffffffffffffff30303132313239303036333133303031485534355f4543455f4456445f535f4e00443520302e3120ff7beff9fff36fff7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffaa87
01854000ff1029050600323034393031323230334d45353135304238303830333132ffffffffffffffffffffffffffffffffffffffffffffffffffffff30303232303439303035393038303031485534355f4543455f4456445f535f4e00443520302e3120ff7beff9fff36fff7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff9e6a
01854000ff1301050600323436393031343430344d45373435304430373132313239ffffffffffffffffffffffffffffffffffffffffffffffffffffff30303132343639303031333133303031485534355f4543455f4456445f535f4e00443520302e3120ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeb57

It looks like the last 2 bytes (4 hex-letters) are the checksum. I marked the differences in black.

Is anyone able to find out the algorithm, how the checksum is created? I tried already many things to find it out, but either I did it wrong or it didn't work.

user16556
  • checksum of what? some packet or what? – nayana Jul 20 '16 at 09:55
  • a simple checksum of a firmware-version of a device, I just added this information to the post, thanks :-) – user16556 Jul 20 '16 at 09:56
  • now, I want you to think about the words "checksum" and "reverse engineering" for a bit ... – specializt Jul 20 '16 at 10:16
  • @specializt s/he wants to know the algorithm not the data.. – nayana Jul 20 '16 at 11:03
  • and you too - just lean back, take a deep breath and think about it. What you're trying to achieve / solve is mathematically (and logically) impossible and you need to learn why before you continue your ongoing quest for knowledge ... it's quite important, trust me on this one. – specializt Jul 20 '16 at 11:21
  • @specializt I agree that _'reverse engineering a checksum algorithm'_ is an inappropriate title that doesn't make sense. However, I think it's legitimate to say that the OP is in fact reverse-engineering the format used by some firmware which implied to 1) guess where the checksum was encoded (as s/he did) and 2) guess what checksum algorithm was used, assuming it's a simple one (as I did: see my answer below) – Arnauld Jul 20 '16 at 12:12
  • I don't know what you people are talking about. Reverse engineering a checksum makes perfect sense and is not impossible. You are given a set of inputs and outputs of an initially unknown function, and you want to determine that function. There is in fact software _called_ ["RevEng"](http://reveng.sourceforge.net/) for exactly this purpose, to deduce the CRC algorithm given a set of inputs and outputs. – Mark Adler Jul 20 '16 at 15:36
  • To nail this down, you would need to provide some messages with a length other than 1024. – Mark Adler Jul 20 '16 at 20:28
  • no, it doesn't make sense - checksums are one-way calculations, there is not a single method in existence which tells you the original dataset or the used algorithm since an infinite amount of algorithms can produce your desired output, most of which aren't even checksum algorithms **but** you can guess a lot, compare patterns and output **probabilities** - which is exactly what RevEng does - it is impossible to "reverse engineer" something which is lost forever but if you have got vast knowledge about "something" you might make educated guesses ... which *might* even lead to the correct result – specializt Jul 21 '16 at 08:16
  • QuickBMS has a [nifty little script](http://zenhax.com/viewtopic.php?t=137) that will brute force every possible permutation of CRC and various other checksums to figure out the algorithm in use. You'd be surprised the number of ways crc varies, from switching the bit operation order, to of course different polynomials. – Andon M. Coleman Aug 05 '16 at 09:25

2 Answers

1

My guess:

checksum(data) = CRC16-CCITT(data) XOR 0x6155

(which may be equivalent to another standard CRC16, I don't know)

See here for an online demo

Arnauld
  • And just as an aside: could it be related to a firmware update of the Nokia **6155**, or is it a pure coincidence? – Arnauld Jul 21 '16 at 13:26
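
Added example (not part of the original answers or comments): it applies the approach of the answer above, guessing a CRC-16 with polynomial 0x1021 and checking whether every stored checksum differs from it by one constant, and shows why the comment asking for messages of a length other than 1024 matters. The records are constructed, and the "hidden" initial value 0x1D0F and all function names are assumptions for illustration, not values recovered from the firmware.

```python
POLY = 0x1021  # generator polynomial shared by the CRC-16-CCITT family

def crc16(data: bytes, init: int = 0x0000, xorout: int = 0x0000) -> int:
    """Bitwise MSB-first CRC-16, poly 0x1021 (init 0 = XMODEM, 0xFFFF = CCITT-FALSE)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ POLY) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc ^ xorout

def split_record(record_hex: str):
    """Split a hex record into (payload, checksum); checksum = last 2 bytes, big-endian."""
    raw = bytes.fromhex(record_hex)
    return raw[:-2], int.from_bytes(raw[-2:], "big")

def residual_constants(records, init: int = 0x0000):
    """Set of (stored checksum XOR candidate CRC) over all records.
    One element means 'candidate CRC XOR constant' explains every sample."""
    return {stored ^ crc16(payload, init)
            for payload, stored in map(split_record, records)}

def make_record(payload: bytes) -> str:
    """Constructed stand-in for the device: poly 0x1021, init 0x1D0F (assumed), no final XOR."""
    return (payload + crc16(payload, init=0x1D0F).to_bytes(2, "big")).hex()

# Constructed sample records (not the firmware strings from the question).
same_len = [make_record(bytes([i]) * 3 + b"\xff" * 29) for i in range(1, 6)]
mixed_len = same_len + [make_record(b"\x01\x85\x40\x00" + b"\xff" * n) for n in (5, 12)]

if __name__ == "__main__":
    # Equal lengths: a wrong init still fits, because it looks like a final XOR constant.
    print("equal-length residuals:", [hex(c) for c in residual_constants(same_len)])
    # Mixed lengths: the "constant" changes with length, so the wrong init is exposed.
    print("mixed-length residuals:", sorted(hex(c) for c in residual_constants(mixed_len)))
    # With the right init the residual is 0 for every record, whatever its length.
    print("init 0x1D0F residuals :", [hex(c) for c in residual_constants(mixed_len, 0x1D0F)])
```

On equal-length records the residual set has a single element for any guessed init, so a final XOR and a different initial value cannot be told apart; records of other lengths separate the two.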
0

Well it can be just about anything.. there are multiple implementations of crc, check for example these, I would apply those crcs on the data and compare their outputs to what you have ..

nayana