Breaking encryption the easy way

Yesterday, I successfully obtained images from my Microsoft fingerprint reader. After cleaning up the driver a little, I decided to try my other device.

A little background:

There are 3 ranges of devices which we believe are all very similar:

  1. Digital Persona UareU 4000
  2. Digital Persona UareU 4000B
  3. Microsoft fingerprint reader (and products containing them)

The 4000B is basically a USB2 version of the 4000, and we think the Microsoft devices include ‘repackaged’ 4000B devices. My driver will hopefully support all 3. I own #1 and #3 and have sniffed logs from all 3 device types in my possession.

I plugged in my UareU 4000, and it sprang into life with my driver. I scanned a fingerprint and it gave me this:

Hmm. The data is very jumbled and is probably encrypted. I checked my logs, and sure enough – the data that comes from the 4000 and 4000B devices is jumbled and doesn’t show the same neat structure in comparison to the MS device.

A while ago, I had compared the 4000B firmware with the firmware for the MS devices. There is just one single bit difference between the two, suggesting that the devices are actually identical, yet the 4000B is sending encrypted data and the MS device is not?

I uploaded the 4000B firmware to my MS device, and sure enough, it then started sending encrypted images too. In other words, we have found the single bit in the firmware which turns encryption on and off.

This still leaves the problem that my 4000 device is still sending encrypted images. The firmware is quite different from the 4000B, but by looking at patterns in the byte data, I made an educated guess where the “encryption bit” would be in the UareU 4000 firmware. I uploaded the modified version to my device, and sure enough, it now sends unencrypted images.
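The firmware comparison described above, as an added example that is not part of the original post or of the dpfp project: it reports every bit that differs between two same-size images, says whether the difference is exactly one bit, and toggles a bit at a chosen offset so the patched image can be compared back against the other one. The two images below are constructed sample data; the real firmware, the offset of the flag and its bit position are not reproduced here.

```python
"""Added example (not the post's or the dpfp project's code): find the bit(s) that
differ between two firmware images and toggle one of them.

The method in the post is: diff one firmware image against the other, observe
that exactly one bit differs, and flip that bit. The images here are made-up
sample bytes, not the real DigitalPersona/Microsoft firmware."""

from typing import List, Optional, Tuple

# Constructed sample "firmware" images: identical except for one bit in the
# second-to-last byte. Real images would be read with open(path, "rb").read().
FIRMWARE_A = bytes.fromhex("55aa0102030405060708090a0b0c0d0e0f10")
_b = bytearray(FIRMWARE_A)
_b[-2] ^= 0x08                      # toggle bit 3 of the byte at offset len-2
FIRMWARE_B = bytes(_b)


def bit_differences(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return (byte_offset, bit_index) for every bit that differs between a and b.

    Images of different sizes are not "the same firmware with a flag flipped",
    so a length mismatch is rejected instead of silently truncating.
    """
    if len(a) != len(b):
        raise ValueError(f"length mismatch: {len(a)} vs {len(b)} bytes")
    diffs: List[Tuple[int, int]] = []
    for offset, (x, y) in enumerate(zip(a, b)):
        delta = x ^ y                                  # set bits = positions that differ
        while delta:
            bit = (delta & -delta).bit_length() - 1    # index of the lowest set bit
            diffs.append((offset, bit))
            delta &= delta - 1                         # clear that bit and keep going
    return diffs


def single_bit_delta(a: bytes, b: bytes) -> Optional[Tuple[int, int]]:
    """If a and b differ in exactly one bit, return its (offset, bit); else None."""
    diffs = bit_differences(a, b)
    return diffs[0] if len(diffs) == 1 else None


def flip_bit(image: bytes, offset: int, bit: int) -> bytes:
    """Return a copy of image with one bit toggled (the image itself is untouched)."""
    if not 0 <= bit < 8:
        raise ValueError("bit index must be 0..7")
    if not 0 <= offset < len(image):
        raise ValueError("offset outside image")
    patched = bytearray(image)
    patched[offset] ^= 1 << bit
    return bytes(patched)


if __name__ == "__main__":
    print("differing bits:", bit_differences(FIRMWARE_A, FIRMWARE_B))
    delta = single_bit_delta(FIRMWARE_A, FIRMWARE_B)
    if delta is None:
        print("not a single-bit difference; these are not the same firmware with one flag changed")
    else:
        off, bit = delta
        print(f"single-bit difference at offset 0x{off:x}, bit {bit}")
        # Toggling that bit in A reproduces B exactly, which is the check worth
        # making before writing a patched image to a device.
        assert flip_bit(FIRMWARE_A, off, bit) == FIRMWARE_B
```

On real files the two constants are replaced by the bytes read from disk. The useful property is the round trip: if `flip_bit` applied at the reported position does not reproduce the other image byte-for-byte, the two files differ by more than one flag and the "single bit" explanation does not hold for them.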

I’m glad it turned out to be so easy.

39 Responses to “Breaking encryption the easy way”

  1. Maik Says:

    So I guess there’s no point in trying to crack the “encryption”, which can be done as easily as flipping that bit?

  2. dsd Says:

    Indeed. Breaking encryption would be a very extreme challenge – it is much more sensible to try and work around it, or find weaknesses in the encryption. However, it would have been more enjoyable if they had made it just a little bit harder… :)

  3. TheMatt Says:

    I got it! I’m supposed to see a unicorn, right? Oh…

  4. Josiah Ritchie Says:

    Nice Work! Sounds like it was very useful to have several versions of the device and firmware around.

    TheMatt, your comment made me chuckle. :-)

  5. Sander Souza Says:

    It sounds good! Soon I can use this to put BioAPI to work with my servers! Great WORK man!

  6. joaquin Says:

    Nice work, then… can you convert an MS fingerprint reader into a 4000B by changing the firmware???

  7. dsd Says:

    At this time we have no reason to believe that the MS devices are any different from the UareU 4000B devices, other than:

    - The USB product/vendor ID numbers
    - The products they come bundled in
    - The drivers (and firmware) which come with them

    So, yes, you can “convert” one to the other just by sending the other firmware, as long as you ignore the USB IDs.

  8. joaquin Says:

    Sorry, my level of Linux development is very bad. I have installed Ubuntu, I have the Linux kernel source code, I try to compile the driver to test it, but I have problems. My question is: is the idea to run dpfp.c, or to put dpfp.c in the kernel of my Linux and recompile the kernel with dpfp inside? I read all the website before asking this stupid question. Sorry again.

  9. dsd Says:

    There is no documentation and this isn’t yet intended for end-users, but here are brief details which should get you going (maybe you could add them to the DriverDownload page of the wiki?)

    Cut the firmware using dpfp-firmware-cutter (should be self explanatory), and put the output file in the hotplug firmware directory.

    Make sure /usr/src/linux points at the compiled sources of your running kernel, and from the dpfp/driver directory, run:
    # make
    # insmod dpfp.ko

    To capture a print, use “cat /dev/dpfp0 > image.pgm”

  10. joaquin Says:

    Dear Friends,

    I had a lot of problems, because I couldn’t compile the driver. Finally I found that I need a kernel version greater than 2.6.14, because the function zkalloc is in this version or greater. Finally I tested the driver with a uru4000, uru4000b and MS, and it works fine all the time. Good job.

  12. Anonymous Says:

    Where can I download “dpfp-firmware-cutter”? Thanks!

  13. dsd Says:

    In SVN, see http://dpfp.berlios.de/wikka.php?wakka=DriverDownload
    Note that the current driver in svn is not usable.

  14. Alan Says:

    Congratulations on your work so far!
    I’m currently trying to implement a security solution using either Microsoft’s or DigitalPersona’s device and find most of the SDKs available (except Griaule’s) are targeted towards the UareU and lack support for Microsoft’s. However, I’m able to get Microsoft’s device at a third of the price of a UareU device.

    Do you know if it’s possible to re-flash Microsoft’s device so it can work as the UareU device, under Windows? My Linux knowledge is scarce, if any, so I feel more comfortable working under Windows.

    Regards,
    Alan.

  15. Riky Says:

    I have one U are U 4000 sensor. First I had the installation CD, but now the CD is broken because of my stupid brother. Please help me.

    Model No. : URU4S-U1
    Part No. : 50006-001
    Rev. : 101
    Serial No. : 46811985

    Please help me, I need software for my device, to graduate from same university in Indonesia.
    Please help me……

  16. chirly Says:

    How do I upload the firmware (U.are.U 4000)? And where can I get the tools to upload the firmware? Please help me!! Thanks very much!!

  17. dsd Says:

    Riky, chirly:
    See the homepage, http://dpfp.berlios.de

  18. chirly Says:

    dsd:
    Nice work! But where can I find the “hotplug firmware directory”?

  19. chirly Says:

    And how do I re-flash the EEPROM, if it can be changed?

  20. chirly Says:

    dsd:
    help me please!

  21. Kiran Alamgir Says:

    Please, I need a way to upload the firmware of Digital Persona to MS.

    I am using windows currently

  22. Godzilla41 Says:

    Nice project.
    I am from Thailand. I sell fingerprint products and am interested in developing fingerprint support in Linux. Now I have the EDK of the A5 fingerprint product from http://www.zksoftware.com

  23. Adzni Says:

    May I know if U are U 4000 can be converted to serial? Is there such a converter?

  24. Adzni Says:

    May I know if U are U 4000 can be converted to serial? Is there such a converter?
    Actually, my project is to make U are U 4000 a stand-alone sensor by adding a Bluetooth feature to it. However, stand-alone Bluetooth only supports serial. Your suggestions are highly appreciated.

  25. nathan Says:

    To change the firmware in Windows…

    If starting from scratch:
    1 – unzip the MS software (DP_PM_xxxxx, available from Microsoft).
    2 – in *driver*, modify the *dpD0Bx01.dll* file (should be around 80kb) in a hex editor.
    3 – modify the bit at 0xE9B7 from a 0 to a 1. Save it.
    4 – plug your MSFR in, and it should ask for drivers. Point it to the stuff you unzipped/modified.

    If you already have it installed:
    1 – unplug your MSFP.
    2 – go to windows/system32/
    3 – modify the *dpD0Bx01.dll* file (should be around 80kb) in a hex editor.
    4 – modify the bit at 0xE9B7 from a 0 to a 1. Save it.
    5 – plug the MSFP back in.

    NOTE: Once you flip that one bit, the MS software will NOT work anymore. You can use GrFinger to verify that the image from the fingerprint reader is now encrypted. (before – fingerprint is visible; after – fingerprint is “noise”)

  26. dsd’s weblog » Blog Archive » libdpfp 0.2.0 released Says:

    [...] Not requiring firmware avoids the potential distribution issues we had: we don’t have the rights to distribute their firmware. It is now not required because the device stores it, and even brand new devices seem to ship with the firmware already saved on the device. One reason we might need the firmware again is to disable encryption, but I’m reasonably confident we can do that without a firmware image — just waiting for someone who has a device which is encrypting images to come along so that I can test a theory. [...]

  28. joseph Says:

    Hi, I’m implementing a fingerprint enhancement algorithm using partial derivatives, just like the VeriFinger algorithm. The idea is to continue the fvs project, and it is my MSc final work. I’m working in Windows with C++ Builder. I’m about to purchase the UrU4000, but Digital Persona’s people told me that to obtain an image I also have to purchase their damn SDK. Does anyone know how to interact with the driver without purchasing their SDK??? guido.pusiol@gmail.com
    thnx

  29. Galerio Says:

    Well… is there any software that is not Digital Persona that we can use with our MS fingerprint reader? Any better software… maybe freeware…
    And after having changed the firmware (in the Windows DLL), can we use software like DigitalPersona PRO?

    Thanks

  30. -zer0- Says:

    I encountered a problem between the Digital Persona 4000 and 4000B. I developed a program where I used the DP 4000 device. I successfully finished this with the GrFinger driver (fingercap). The next thing, my company bought a DP 4000B device. I tried to use this as a device for my program, but it was not the same as the DP 4000: the image output was jumbled, or encrypted I think, like dsd said.
    The question is, what can I do to make the output of the DP 4000B the same as the DP 4000? I can’t really understand the way dsd did it in his explanation. I hope you can give me the specific way to do it. Thanks in advance.

  31. Antonio Calo' Says:

    Do you have the latest version of Grfinger.dll compatible with the Digital Persona 4000B?

    I have the same problem (Breaking encryption the easy way).

    I have written software using grfinger.dll, and the effect or problem is the same as in that figure.

    Please Contact or help me

    Best regards
    Antonio Calo’
