Re: Fluke Signatures....

From: <zonn_at_zonn.com>
Date: Mon Oct 14 2002 - 01:41:17 EDT

I brute forced every possible mask and every possible CRC seed value for 16 bit
CRC, using the standard polynomial feedback, and nothing worked.

I was able to find matches for 2 different values but never a third:

For instance, using 0x4080 as the polynomial feedback, and an initial value of
0x3513, and then inverting the CRC results I could get:

93D0 - FF 00
9351 - FF 01

but,

92D2 - FF 03

I could find matches for every pair I tried (I didn't try them all), but could
not find anything that allowed a third match.

FWIW: Any of these 16 bit CRCs can be cracked with a 32meg lookup table (not
really that undoable given today's computers; this is, after all, only the size
of a small Compact Flash card.)

Starting with any 16 bit CRC, and any 8 bit value:

Given the same starting 16 bit value and the same 8 bit value, the results will
always be the same 16 bit results.

So given 65536 lookup tables, with 256 (word) entries per table, any 16 bit CRC
can be cracked.

The trick would be to write some type of Fluke program that can dump all
possible, 16 million, values to a hard drive (and let it run for a while).

You would need some type of program that would give you:

Start|Byte| Results
--------------------
0000 00 = ????
0000 01 = ????
.
.
.
0000 FF = ????
0001 00 = ????
.
.
.
etc.

Note that the program would not have to dump them in sequential order.

The software after that would be a breeze.

FWIW: If it is possible to calculate these CRCs 1 bit at a time (like the way
*real* CRCs work), the lookup table would only need to be 256k. (65536 lookup
tables with only two word entries for each table, one entry for 0, the other for
1.)

The Fluke program would have to dump:

Start|Bit| Results
--------------------
0000 0 = ????
0000 1 = ????
0001 0 = ????
0001 1 = ????
.
.
.
etc.

Finding the right algorithm is obviously a better solution, but the above would
crack *any* 16 bit CRC. Just something to think about...

-Zonn

On Sun, 13 Oct 2002 20:11:19 -0700, John Robertson <jrr@flippers.com> wrote:

>
>I have found a nice CRC web site that allows one to change many of the
>settings of the CRC to try out various polynomials.
>
>http://www.gpfn.sk.ca/~rhg/csc8550s02/crc.html
>
>I've been tossing in a few numbers at random to see if I can see what
>variation of the CRC-16 polynomial it is. I believe that Fluke used the
>standard CRC-16 formula with a preset CRC value as there is mention in the
>docs about dividing the data into a fixed number. Now to figure out the
>number... I'm just using an old posting of mine where I tried some two byte
>data chunks on the Fluke ROM Signature generator...but I'm not getting very
>far yet.
>
>I don't know how to solve hexadecimal polynomial problems...considering
>that we pretty much know the formula X^16 + X^15 + X^2 + 1, and the data and
>the result, but the mystery "binary number" is the tricky bit ... I'm way
>too rusty (like 30 years since I last did this) to figure this one out
>without a bit of help...
>
>Sig. - DATA (two bytes)
>93D0 - FF 00
>9351 - FF 01
>9390 - FF 02
>9311 - FF 03
>.....
>93AF - FF FE
>932E - FF FF
>
>John :-#)#
>
>At 10:45 PM 12/10/2002 -0700, John Robertson wrote:
>
>>Seed file? I used the Pacman 6E as I recall. Just ran the calculator
>>utility included with Hexedit (http://www.expertcomsoft.com/) a nice
>>windows file editor - search and replace etc...
>>
>>There was mention that the signature was created using "The ROM signature
>>is obtained by successively dividing the data in ROM by a binary number"
>>in the manual as you may recall...what order would the data be divided?
>>Would this matter?
>>
>>John :-#)#
>>
>>At 11:38 PM 12/10/2002 -0400, Kev wrote:
>>
>>>Ah yes but what are you using for a seed file for the CRC 16 /32
>>>calculators?
>>>
>>>I believe the Fluke version is possibly based on some of the original
>>>articles that were in BYTE circa 1983. I'll need to research that a bit
>>>more.
>>>
>>>Kev
>>>
>>>
>>>
>>> >Still looking for this one - what is the algorithm used to generate the ROM
>>> >Signature in the 9100/9010s? Have tried almost all the CRC programs I could
>>> >download, none were correct. It's not CRC-16, CRC-32, CCITT, CHECKSUM....
>>> >
>>> >Anyone get any further?
>>> >
>>> >Attached is the file that I used to try and identify the signature and
>>> >these are the results:
>>> >
>>> >CRC-16 =58B8
>>> >CRC-32 =C1E6AB10
>>> >CCITT =E63C
>>> >
>>> >(the "Correct" Fluke signature is = 8B1A)
>>> >
>>> >The file is from a video game, it's a 4K size chunk of the main program...
>>> >
>>> >John :-#)#
>>> >
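As an added example, not code from anyone in the thread, here is a small Python model of the brute force Zonn describes above: a bit-serial CRC-16 parameterised by polynomial, seed, bit reflection and final XOR, a search that accepts a candidate only if it reproduces every one of John's posted (data, signature) pairs rather than just two of them, and a GF(2) linearity check that any CRC or LFSR style signature must pass before a parameter sweep is even worth running. The function and parameter names are mine, and the refin/refout/xorout parameter model is the common way of describing CRC variants, not anything the Fluke manual states.

```python
from itertools import product

def reflect(value: int, width: int) -> int:
    """Reverse the low `width` bits of `value`."""
    return sum(((value >> i) & 1) << (width - 1 - i) for i in range(width))

def crc16(data: bytes, poly: int, init: int, refin: bool = False,
          refout: bool = False, xorout: int = 0) -> int:
    """Bit-serial CRC-16 in the usual poly/init/refin/refout/xorout model."""
    crc = init & 0xFFFF
    for byte in data:
        crc ^= (reflect(byte, 8) if refin else byte) << 8  # byte enters the register's top
        for _ in range(8):                                 # shift 8 times with feedback
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return (reflect(crc, 16) if refout else crc) ^ xorout

# John's posted table (values from the thread): two data bytes -> Fluke signature.
JOHN_PAIRS = {b"\xff\x00": 0x93D0, b"\xff\x01": 0x9351, b"\xff\x02": 0x9390,
              b"\xff\x03": 0x9311, b"\xff\xfe": 0x93AF, b"\xff\xff": 0x932E}

def affine_consistent(pairs: dict) -> bool:
    """Every CRC/LFSR signature is affine over GF(2) for equal-length inputs:
    sig(a^b^c) == sig(a)^sig(b)^sig(c), whatever the polynomial or seed.
    A table that fails this cannot come from any CRC-16, so test it first."""
    for a, b, c in product(pairs, repeat=3):
        if len(a) == len(b) == len(c):
            d = bytes(x ^ y ^ z for x, y, z in zip(a, b, c))
            if d in pairs and pairs[d] != pairs[a] ^ pairs[b] ^ pairs[c]:
                return False
    return True

def search(pairs: dict, polys, inits, refs=((False, False), (True, True)),
           xorouts=(0x0000, 0xFFFF)) -> list:
    """Return every (poly, init, refin, refout, xorout) reproducing ALL pairs.
    A candidate that fits two pairs but not a third (Zonn's 0x4080/0x3513
    case) is rejected. Zonn's full sweep is polys=inits=range(0x10000)."""
    return [(poly, init, ri, ro, xo)
            for poly, init, (ri, ro), xo in product(polys, inits, refs, xorouts)
            if all(crc16(m, poly, init, ri, ro, xo) == s for m, s in pairs.items())]

if __name__ == "__main__":
    print("John's table is GF(2)-affine:", affine_consistent(JOHN_PAIRS))
    print(search(JOHN_PAIRS, polys=(0x8005, 0x1021, 0x4080), inits=(0x0000, 0xFFFF, 0x3513)))
```

John's six entries do pass the linearity check (for example 93D0 ^ 9351 ^ 9390 == 9311), so the data are consistent with some 16-bit linear feedback scheme; the full 65536 x 65536 sweep is far too slow in Python and would want the C or table-driven approach Zonn has in mind.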
Received on Sun Oct 13 23:01:47 2002

This archive was generated by hypermail 2.1.8 : Tue Dec 02 2003 - 18:40:48 EST