Small ROM at 0x40000000

The Netgear NAS forum
Post Reply
hno
Posts: 39
Joined: Tue Sep 09, 2008 9:56 am
Contact:

Small ROM at 0x40000000

Post by hno » Tue Sep 16, 2008 10:10 pm

There is a 1024 bytes ROM area at 0x40000000.

The full purpose of this area is not yet known, but it's called from the DES3 crypto.

hno
Posts: 39
Joined: Tue Sep 09, 2008 9:56 am
Contact:

Re: Small ROM at 0x40000000

Post by hno » Tue Sep 16, 2008 10:38 pm

The DES3 crypto uses two entry points in this area, which returns blobs in %i0 - %i5

0x400003f0:

0x696c6c47
0x6f49504f
0x496e6672
0x616e7457
0x54727573
0x74474f44

0x400003f8:

0x9635112a
0x7ce09060
0xbed817f7
0x27b728d2
0x91a8468a
0x94b92e42

hno
Posts: 39
Joined: Tue Sep 09, 2008 9:56 am
Contact:

Re: Small ROM at 0x40000000

Post by hno » Tue Sep 16, 2008 10:43 pm

The layout of the 0x40000000 are is

1. initial bootstrap, loading the first stage bootloader at 0x30000000 from somewhere..

2. Then the crypto related blobs mentioned earlier.

3. A 256 bytes blob of unknown data at 0x40000280 - 0x4000037F

4. The signature "IT3107 ROM1.0" ac 0x400003E0

5. The entry points for the crypto blobs

[end]

hno
Posts: 39
Joined: Tue Sep 09, 2008 9:56 am
Contact:

Re: Small ROM at 0x40000000

Post by hno » Thu Sep 18, 2008 6:57 pm

The first key if read in "bottom up" (the way it's used during encryption) reads in ASCII:

"TrustGODInfrantWillGoIPO"

Post Reply