Breaking encryption the easy way

Yesterday, I successfully obtained images from my Microsoft fingerprint reader. After cleaning up the driver a little, I decided to try my other device.

A little background:

There are 3 ranges of devices which we believe are all very similar:

  1. Digital Persona UareU 4000
  2. Digital Persona UareU 4000B
  3. Microsoft fingerprint reader (and products containing them)

The 4000B is basically a USB2 version of the 4000, and we think the Microsoft devices include ‘repackaged’ 4000B devices. My driver will hopefully support all 3. I own #1 and #3 and have sniffed logs from all 3 device types in my possession.

I plugged in my UareU 4000, and it sprang into life with my driver. I scanned a fingerprint and it gave me this:

Hmm. The data is very jumbled and is probably encrypted. I checked my logs, and sure enough – the data that comes from the 4000 and 4000B devices is jumbled and doesn’t show the same neat structure in comparison to the MS device.

A while ago, I had compared the 4000B firmware with the firmware for the MS devices. There is just one single bit difference between the two, suggesting that the devices are actually identical, yet the 4000B is sending encrypted data and the MS device is not?

I uploaded the 4000B firmware to my MS device, and sure enough, it then started sending encrypted images too. In other words, we have found the single bit in the firmware which turns encryption on and off.

This still leaves the problem that my 4000 device is still sending encrypted images. The firmware is quite different from the 4000B, but by looking at patterns in the byte data, I made an educated guess where the “encryption bit” would be in the UareU 4000 firmware. I uploaded the modified version to my device, and sure enough, it now sends unencrypted images.
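The two steps described above, diffing two firmware builds to find the single differing bit and then guessing where the same bit lives in a third build by matching the surrounding byte pattern, are easy to automate. The script below is an added example and is not code from the original post or from the dpfp driver; the three "firmware" images in it are constructed sample data, not real firmware, and the offsets and radius are arbitrary. It generalises the post's comparison: it reports every differing bit, classifies the relationship between two images, and searches a third image for the byte neighbourhood around a differing bit. The hashes in the summary are the defender's side of the same observation: a feature flag in an unsigned firmware blob is only as trustworthy as the integrity check on the file the driver loads, so comparing the image against a known-good hash is the check worth keeping.

```python
"""Locate and classify the bits at which two firmware images differ.

Added example, not code from the original post or the dpfp project.
The images FW_A, FW_B and FW_C below are constructed sample data.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample images (64 bytes each). FW_B equals FW_A except for
# bit 5 of the byte at offset 0x2A; FW_C is an unrelated layout that
# happens to contain the same 9-byte neighbourhood at a different offset.
FW_A = bytes(range(64))
_b = bytearray(FW_A)
_b[0x2A] ^= 1 << 5
FW_B = bytes(_b)
FW_C = b"\xff" * 20 + FW_A[0x26:0x2F] + b"\x00" * 35


def diff_bits(a: bytes, b: bytes) -> List[Tuple[int, int, int, int]]:
    """Return (offset, bit, a_bit, b_bit) for every bit where a and b differ.

    Only the common prefix is compared; a length mismatch is reported by
    summarize() and is itself a strong hint the images are not one build.
    """
    diffs = []
    for offset, (x, y) in enumerate(zip(a, b)):
        delta = x ^ y
        if not delta:
            continue
        for bit in range(8):
            if delta & (1 << bit):
                diffs.append((offset, bit, (x >> bit) & 1, (y >> bit) & 1))
    return diffs


def summarize(a: bytes, b: bytes) -> Dict[str, object]:
    """Classify two images as identical, single-bit variants, or different."""
    diffs = diff_bits(a, b)
    length_delta = abs(len(a) - len(b))
    if length_delta or len(diffs) > 1:
        kind = "different"
    elif len(diffs) == 1:
        kind = "single-bit"
    else:
        kind = "identical"
    return {
        "kind": kind,
        "differing_bits": diffs,
        "length_delta": length_delta,
        # Known-good hashes are what a loader should check before trusting
        # either image; they are included here so a report can be compared.
        "sha256_a": hashlib.sha256(a).hexdigest(),
        "sha256_b": hashlib.sha256(b).hexdigest(),
    }


def neighbourhood(img: bytes, offset: int, radius: int) -> Tuple[bytes, int]:
    """Bytes around `offset` and the index of `offset` within that slice."""
    lo = max(0, offset - radius)
    return img[lo:offset + radius + 1], offset - lo


def locate_neighbourhood(src: bytes, offset: int, target: bytes,
                         radius: int = 4) -> List[int]:
    """Offsets in `target` whose surrounding bytes match those around
    `offset` in `src`; the post's "educated guess" made mechanical."""
    pattern, center = neighbourhood(src, offset, radius)
    hits, start = [], 0
    while True:
        i = target.find(pattern, start)
        if i < 0:
            return hits
        hits.append(i + center)
        start = i + 1


if __name__ == "__main__":
    report = summarize(FW_A, FW_B)
    print(report["kind"], report["differing_bits"])
    if report["kind"] == "single-bit":
        offset = report["differing_bits"][0][0]
        print("candidate offsets in FW_C:",
              [hex(o) for o in locate_neighbourhood(FW_A, offset, FW_C)])
```

Run as a script, it reports the single differing bit between FW_A and FW_B and the one offset in FW_C where the same neighbourhood recurs. With real images the radius is the knob to tune: too small and the pattern matches in many places, too large and a rebuilt firmware will not match at all.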

I’m glad it turned out to be so easy.

31 thoughts on “Breaking encryption the easy way”

  1. Maik

    So I guess there’s no point in trying to crack the “encryption”, which can be done as easily as flipping that bit?

  2. dsd Post author

    Indeed. Breaking encryption would be a very extreme challenge – it is much more sensible to try and work around it, or find weaknesses in the encryption. However, it would have been more enjoyable if they had made it just a little bit harder… :)

  3. Josiah Ritchie

    Nice Work! Sounds like it was very useful to have several versions of the device and firmware around.

    TheMatt, your comment made me chuckle. :-)

  4. Sander Souza

    It sounds good! Soon I can use this to put BioAPI to work with my servers! Great WORK man!

  5. joaquin

    nice work, then… can you convert a MS fingerprint in a 4000b, changing the firmware???

  6. dsd Post author

    At this time we have no reason to believe that the MS devices are any different from the UareU 4000B devices, other than:

    – The USB product/vendor ID numbers
    – The products they come bundled in
    – The drivers (and firmware) which come with them

    So, yes, you can “convert” one to the other just by sending the other firmware, as long as you ignore the USB IDs.

  7. joaquin

    Sorry, my level of Linux development is very bad. I have installed Ubuntu, I have the Linux kernel source code, I try to compile the driver to test it, but I have problems. My question is: is the idea to run dpfp.c, or to put dpfp.c in the kernel of my Linux and recompile the kernel with dpfp inside? I read all the website before making this stupid question. Sorry again.

  8. dsd Post author

    There is no documentation and this isn’t yet intended for end-users, but here are brief details which should get you going (maybe you could add them to the DriverDownload page of the wiki?)

    Cut the firmware using dpfp-firmware-cutter (should be self explanatory), and put the output file in the hotplug firmware directory.

    Make sure /usr/src/linux points at the compiled sources of your running kernel, and from the dpfp/driver directory, run:
    # make
    # insmod dpfp.ko

    To capture a print, use “cat /dev/dpfp0 > image.pgm”

  9. joaquin

    Dear Friends,

    I had a lot of problems, because I couldn’t compile the driver. Finally I found that I need a kernel version greater than 2.6.14, because the function kzalloc is in this version or greater. Finally I tested the driver with a uru4000, uru4000b and MS, and it works fine all the time. Good job.

  10. Pingback: dsd’s weblog » Blog Archive » More fun with fingerprints

  11. Alan

    Congratulations on your work so far!
    I’m currently trying to implement a security solution using either Microsoft’s or DigitalPersona’s device and find most of the SDKs available (except Griaule’s) are targeted towards the UareU and lack support for Microsoft’s. However, I’m able to get Microsoft’s device at a third of the price of a UareU device.

    Do you know if it’s possible to re-flash Microsoft’s device so it can work as the UareU device, under Windows? My Linux knowledge is scarce, if any, so I feel more comfortable working under Windows.


  12. Riky

    I have one U are U 4000 sensor. First I had the installation CD, but now the CD is broken because of my stupid brother. Please help me.

    Model No. : URU4S-U1
    Part No. : 50006-001
    Rev. : 101
    Serial No. : 46811985

    Please help me, I need software for my device, to graduate from my university in Indonesia.
    Please help me……

  13. chirly

    How do I upload the firmware (U.are.U 4000)? And where can I get the tools to upload the firmware? Please help me!! Thanks very much!!

  14. Kiran Alamgir

    Please I need a way to upload the firmware of digital persona to MS

    I am using windows currently

  15. Adzni

    May I know if the U are U 4000 can be converted to serial? Is there such a converter?

  16. Adzni

    May I know if the U are U 4000 can be converted to serial? Is there such a converter?
    Actually, my project is to make the U are U 4000 a stand-alone sensor by adding a Bluetooth feature to it. However, stand-alone Bluetooth only supports serial. Your suggestions are highly appreciated.

  17. nathan

    To change the firmware in Windows…

    If starting from scratch:
    1 – unzip MS software (DP_PM_xxxxx, available from Microsoft).
    2 – in *driver*, modify the *dpD0Bx01.dll* file (should be around 80kb) in a hex editor.
    3 – modify bit at 0xE9B7 from a 0 to a 1. Save it.
    4 – plug your MSFR in, and it should ask for drivers. Point it to the stuff you unzipped/modified.

    If you already have it installed:
    1 – unplug your MSFP.
    2 – go to windows/system32/
    3 – modify the *dpD0Bx01.dll* file (should be around 80kb) in a hex editor.
    4 – modify bit at 0xE9B7 from a 0 to a 1. Save it.
    5 – plug the MSFP back in.

    NOTE: Once you flip that one bit, the MS software will NOT work anymore. You can use GrFinger to verify that the image from the fingerprint reader is now encrypted. (before – fingerprint is visible; after – fingerprint is “noise”)

  18. Pingback: dsd’s weblog » Blog Archive » libdpfp 0.2.0 released

  19. Pingback: dsd’s weblog » Blog Archive » Fingerprinting

  20. joseph

    Hi, I’m implementing a fingerprint enhancement algorithm using partial derivatives, just as the VeriFinger algorithm does; the idea is to continue the fvs project and it is my MS final work. I’m working in Windows with the C++ Builder. I’m about to purchase the UrU4000 but Digital Persona’s people told me that to obtain an image I also have to purchase their damn SDK. Does anyone know how to interact with the driver without purchasing their SDK???

  21. Galerio

    Well… is there any software that is not Digital Persona that we can use with our MS fingerprint reader? Any better software… Maybe freeware…
    And after having changed the firmware (in the windows dll), can we use software like DigitalPersona PRO?


  22. -zer0-

    I encountered a problem between the Digital Persona 4000 and 4000B. I developed a program where I used the DP 4000 device. I successfully finished this with the GrFinger driver (fingercap). The next thing, my company bought a DP 4000B device; I tried to use this as a device for my program but it was not the same as the DP 4000. The image output was jumbled, or encrypted I think, like dsd said.
    The question is, what can I do to make the output of the DP 4000B the same as the DP 4000? I can’t really understand the way dsd did it in his explanation. I hope you can give me the specific way to do it. Thanks in advance.

  23. Antonio Calo'

    Do you have the latest version of Grfinger.dll compatible with the Digital Persona 4000B?

    i have the same problem (Breaking encryption the easy way)

    I have written software using grfinger.dll and the effect or problem is the same as in that figure.

    Please Contact or help me

    Best regards
    Antonio Calo’
