[fprint] AES1660

Vasily Khoruzhick anarsoul at gmail.com
Wed Nov 14 02:51:53 PST 2012


On Wed, Nov 14, 2012 at 1:05 PM, Andreas <krawatten at andreas-loos.com> wrote:
> Dear friends of AES1660,
>
>
> here you find my analysis of what is happening in the usb traffic between
> win driver and AES1660:
>
> http://www.andreas-loos.com/AES1660.zip
>
> The zip contains virtually anything I know so far. Vasily asked for usb logs
> with complete traffic that can be compared. For this, take for instance log
> 2 (my favorite reference), log 5 and log 8.
>
> The good news is that many commands seem to be not encrypted like in AES2550
> (or was it AES2850?). To be CORRECT in detail: There *are* in fact lots of
> encrypted commands, as Vasily remarks, but for them encryption is obviously
> the same in each run. So I think, these parts can be easily reproduced as
> black box.
>
> The bad news is that we still cannot switch the thing into raw mode or know
> anything about the encryption. (Thanks for your helpful comments, Vasily!
> You are probably right, keys are probably not transferred unencrypted and
> the 583 byte thing is surely not a single long key.)
>
> Any ideas how to proceed?
>
> Best,
> andreas

Look at the log you've sent to me,
seq no 277, it's definitely non-encrypted data from sensor!
0x49, 0x44, 0x02 - envelope?
0x0d, 0x00, 0x00 - some multibyte command, no payload
0xe0, 0x22, 0x02 - E-data from sensor, 4 bits per pixel. Exact data
starts from 0x22 byte, and looks like it's some 31-byte pattern:

2501 4892 a46d 93ec ff37 816c db7e 5b5a 1280 2449 da36 c9fe 7f13 c8b6 edb7 a5

Then after 0x222 bytes:
0xde, 0x10, 0x00 - histogram data
After 0x10 bytes:
0xdf, 0x06, 0x00 - authentication message

Regards
Vasily
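
Added example, not part of the original message or of libfprint: a record walker for the layout the reply describes, assuming each record is one type byte followed by a 16-bit little-endian payload length. Under that assumption the envelope length 0x0244 (580) equals the sum of the four inner records, and 580 plus the 3-byte header gives the 583 bytes mentioned in the quoted mail. Record names are the reply's guesses, and the payload bytes are constructed zero filler.

```python
import struct

# Record names are the guesses made in the message above, not confirmed semantics.
NAMES = {0x49: "envelope?", 0x0D: "command", 0xE0: "E-data (4 bpp)",
         0xDE: "histogram", 0xDF: "authentication"}


def parse_records(buf, base=0):
    """Split buf into (offset, type, payload) records.

    Assumed framing: 1 type byte + 16-bit little-endian payload length.
    Raises ValueError on a truncated header or payload, so a wrong framing
    guess is detected instead of silently producing garbage.
    """
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 3:
            raise ValueError(f"truncated header at {base + pos:#x}")
        rtype, length = struct.unpack_from("<BH", buf, pos)
        payload = buf[pos + 3:pos + 3 + length]
        if len(payload) != length:
            raise ValueError(f"record {rtype:#04x} at {base + pos:#x} wants "
                             f"{length:#x} bytes, {len(payload):#x} left")
        out.append((base + pos, rtype, payload))
        pos += 3 + length
    return out


def parse_transfer(buf):
    """Parse the outer record, then the records nested inside it."""
    outer = parse_records(buf)
    if len(outer) != 1:
        raise ValueError("expected exactly one outer record")
    off, rtype, payload = outer[0]
    return rtype, parse_records(payload, base=off + 3)


def build_sample():
    """Constructed transfer: headers from the message, zero-filled payloads."""
    inner = (bytes([0x0D, 0x00, 0x00])
             + bytes([0xE0, 0x22, 0x02]) + bytes(0x222)
             + bytes([0xDE, 0x10, 0x00]) + bytes(0x10)
             + bytes([0xDF, 0x06, 0x00]) + bytes(6))
    return bytes([0x49, 0x44, 0x02]) + inner


if __name__ == "__main__":
    rtype, records = parse_transfer(build_sample())
    print(f"{NAMES[rtype]}: {len(records)} inner records")
    for off, t, p in records:
        print(f"  {off:#05x} {t:#04x} {NAMES.get(t, '?'):<16} len={len(p):#x}")
```

Running the same walker over a real capture and getting a ValueError means the framing assumption does not hold for that transfer.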

