Breaking encryption the easy way
Yesterday, I successfully obtained images from my Microsoft fingerprint reader. After cleaning up the driver a little, I decided to try my other device.
A little background:
There are 3 ranges of devices which we believe are all very similar:
- Digital Persona UareU 4000
- Digital Persona UareU 4000B
- Microsoft fingerprint reader (and products containing them)
The 4000B is basically a USB2 version of the 4000, and we think the Microsoft devices include ‘repackaged’ 4000B devices. My driver will hopefully support all 3. I own #1 and #3 and have sniffed logs from all 3 device types in my possession.
I plugged in my UareU 4000, and it sprang into life with my driver. I scanned a fingerprint and it gave me this:

Hmm. The data is very jumbled and is probably encrypted. I checked my logs, and sure enough - the data that comes from the 4000 and 4000B devices is jumbled and doesn’t show the neat structure seen with the MS device.
A while ago, I had compared the 4000B firmware with the firmware for the MS devices. There is just one single bit difference between the two, suggesting that the devices are actually identical, yet the 4000B is sending encrypted data and the MS device is not?
I uploaded the 4000B firmware to my MS device, and sure enough, it then started sending encrypted images too. In other words, we have found the single bit in the firmware which turns encryption on and off.
This still leaves the problem that my 4000 device is still sending encrypted images. Its firmware is quite different from the 4000B’s, but by looking at patterns in the byte data, I made an educated guess where the “encryption bit” would be in the UareU 4000 firmware. I uploaded the modified version to my device, and sure enough, it now sends unencrypted images.
I’m glad it turned out to be so easy.
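The two steps the post describes, comparing two firmware images to find the bit they differ in and judging whether a captured frame is “jumbled”, as an added example that is not part of the original post or the dpfp driver. All byte data in it is constructed; the offset, firmware blobs and frames are made-up placeholders, not real DigitalPersona or Microsoft data.

```python
"""Locate the differing bit(s) between two firmware images and score whether a
captured frame is spatially smooth (plaintext image) or noise-like (encrypted).
Everything here is constructed sample data (assumption: 64-byte blobs, 1024-byte
frames); no real device firmware is included."""
import random


def bit_diffs(fw_a: bytes, fw_b: bytes):
    """Return [(byte_offset, bit_index), ...] for every bit that differs."""
    if len(fw_a) != len(fw_b):
        raise ValueError("firmware images differ in length")
    diffs = []
    for off, (a, b) in enumerate(zip(fw_a, fw_b)):
        x = a ^ b
        while x:                      # peel off set bits, lowest first
            low = x & -x
            diffs.append((off, low.bit_length() - 1))
            x ^= low
    return diffs


def flip_bit(fw: bytes, off: int, bit: int) -> bytes:
    """Return a copy of fw with exactly one bit toggled."""
    out = bytearray(fw)
    out[off] ^= 1 << bit
    return bytes(out)


def mean_neighbour_delta(frame: bytes) -> float:
    """Mean |pixel[i] - pixel[i-1]|: small for a smooth image, ~85 for 8-bit noise."""
    total = sum(abs(frame[i] - frame[i - 1]) for i in range(1, len(frame)))
    return total / (len(frame) - 1)


def looks_encrypted(frame: bytes, threshold: float = 32.0) -> bool:
    """Heuristic for the post's observation that encrypted frames look jumbled."""
    return mean_neighbour_delta(frame) > threshold


# Constructed sample firmware: two 64-byte blobs that differ in one bit (offset 0x2A, bit 3).
FW_MS = bytes(range(64))
FW_4000B = flip_bit(FW_MS, 0x2A, 3)

# Constructed frames: a gentle ramp (image-like) vs seeded pseudo-random noise.
PLAIN_FRAME = bytes((i // 4) & 0xFF for i in range(1024))
_rng = random.Random(1)
NOISE_FRAME = bytes(_rng.getrandbits(8) for _ in range(1024))

if __name__ == "__main__":
    print("differing bits:", bit_diffs(FW_MS, FW_4000B))
    print("plain frame encrypted?", looks_encrypted(PLAIN_FRAME))
    print("noise frame encrypted?", looks_encrypted(NOISE_FRAME))
```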
January 30th, 2006 at 7:20 pm
So I guess there’s no point in trying to crack the “encryption”, which can be done as easily as flipping that bit?
January 30th, 2006 at 7:44 pm
Indeed. Breaking encryption would be a very extreme challenge - it is much more sensible to try and work around it, or find weaknesses in the encryption. However, it would have been more enjoyable if they had made it just a little bit harder… :)
January 30th, 2006 at 8:24 pm
I got it! I’m supposed to see a unicorn, right? Oh…
January 31st, 2006 at 2:45 pm
Nice Work! Sounds like it was very useful to have several versions of the device and firmware around.
TheMatt, your comment made me chuckle. :-)
February 1st, 2006 at 2:43 pm
It sounds good! Soon I can use this to put BioAPI to work with my servers! Great WORK man!
February 1st, 2006 at 11:05 pm
nice work, then… can you convert an MS fingerprint into a 4000B by changing the firmware???
February 1st, 2006 at 11:25 pm
At this time we have no reason to believe that the MS devices are any different from the UareU 4000B devices, other than:
- The USB product/vendor ID numbers
- The products they come bundled in
- The drivers (and firmware) which come with them
So, yes, you can “convert” one to the other just by sending the other firmware, as long as you ignore the USB IDs.
February 2nd, 2006 at 9:30 pm
Sorry, my level of Linux development is very bad. I have installed Ubuntu, I have the Linux kernel source code, and I try to compile the driver to test it, but I have problems. My question is: is the idea to run dpfp.c, or to put dpfp.c in my Linux kernel and recompile the kernel with dpfp inside? I read the whole website before asking this stupid question. Sorry again.
February 3rd, 2006 at 7:54 pm
There is no documentation and this isn’t yet intended for end-users, but here are brief details which should get you going (maybe you could add them to the DriverDownload page of the wiki?)
Cut the firmware using dpfp-firmware-cutter (should be self explanatory), and put the output file in the hotplug firmware directory.
Make sure /usr/src/linux points at the compiled sources of your running kernel, and from the dpfp/driver directory, run:
# make
# insmod dpfp.ko
To capture a print, use “cat /dev/dpfp0 > image.pgm”
February 5th, 2006 at 10:14 pm
Dear Friends,
I had a lot of problems because I couldn’t compile the driver. Finally I found that I need a kernel version greater than 2.6.14, because the function zkalloc is in this version or greater. Finally I tested the driver with a uru4000, uru4000b and ms, and it works fine all the time. Good job.
February 24th, 2006 at 2:43 pm
Where can I download “dpfp-firmware-cutter”? Thanks!
February 24th, 2006 at 6:14 pm
In SVN, see http://dpfp.berlios.de/wikka.php?wakka=DriverDownload
Note that the current driver in svn is not usable.
February 27th, 2006 at 7:57 pm
Congratulations on your work so far !
I’m currently trying to implement a security solution using either Microsoft’s or DigitalPersona’s device, and I find most of the SDKs available (except Griaule’s) are targeted towards the UareU and lack support for Microsoft’s. However, I’m able to get Microsoft’s device at a third of the price of a UareU device.
Do you know if it’s possible to re-flash Microsoft’s device so it can work as the UareU device under Windows? My Linux knowledge is scarce, if any, so I feel more comfortable working under Windows.
Regards,
Alan.
March 9th, 2006 at 4:28 am
I have one U are U 4000 sensor. At first I had the installation CD, but now the CD is broken because of my stupid brother. Please help me.
Model No. : URU4S-U1
Part No. : 50006-001
Rev. : 101
Serial No. : 46811985
Please help me, I need software for my device to graduate from same university in Indonesia.
Please help me……
March 15th, 2006 at 12:03 pm
How do I upload the firmware (u.are.u4000)? And where can I get the tools to upload the firmware? Please help me!! Thanks very much!!
March 15th, 2006 at 1:49 pm
Riky, chirly:
See the homepage, http://dpfp.berlios.de
March 15th, 2006 at 3:12 pm
dsd:
Nice Work! but where can I find “hotplug firmware directory”?
March 15th, 2006 at 3:17 pm
And how do I re-flash the EEPROM, if it can be changed?
March 16th, 2006 at 1:24 pm
dsd:
help me please!
March 20th, 2006 at 5:35 pm
Please I need a way to upload the firmware of digital persona to MS
I am using windows currently
April 7th, 2006 at 10:30 pm
Nice project
I am from Thailand. I sell fingerprint products and am interested in developing fingerprint support in Linux. Now I have the EDK of the A5 fingerprint product from http://www.zksoftware.com
April 20th, 2006 at 10:26 am
May I know if the U are U 4000 can be converted to serial? Is there such a converter?
Actually, my project is to make the U are U 4000 a stand-alone sensor by adding a Bluetooth feature to it. However, stand-alone Bluetooth only supports serial. Your suggestions are highly appreciated.
May 17th, 2006 at 6:32 pm
To change the firmware in Windows…
If starting from scratch:
1 - unzip the MS software (DP_PM_xxxxx, available from Microsoft).
2 - in *driver*, modify the *dpD0Bx01.dll* file (should be around 80kb) in a hex editor.
3 - modify the bit at 0xE9B7 from a 0 to a 1. Save it.
4 - plug your MSFR in, and it should ask for drivers. Point it to the stuff you unzipped/modified.
If you already have it installed:
1 - unplug your MSFP.
2 - go to windows/system32/
3 - modify the *dpD0Bx01.dll* file (should be around 80kb) in a hex editor.
4 - modify the bit at 0xE9B7 from a 0 to a 1. Save it.
5 - plug the MSFP back in.
NOTE: Once you flip that one bit, the MS software will NOT work anymore. You can use GrFinger to verify that the image from the fingerprint reader is now encrypted. (before - fingerprint is visible; after - fingerprint is “noise”)
August 16th, 2006 at 5:25 pm
[...] Not requiring firmware avoids the potential distribution issues we had: we don’t have the rights to distribute their firmware. It is now not required because the device stores it, and even brand new devices seem to ship with the firmware already saved on the device. One reason we might need the firmware again is to disable encryption, but I’m reasonably confident we can do that without a firmware image — just waiting for someone who has a device which is encrypting images to come along so that I can test a theory. [...]
October 26th, 2006 at 6:42 am
Hi, I’m implementing a fingerprint enhancement algorithm using partial derivatives, just like the VeriFinger algorithm. The idea is to continue the FVS project, and it is my MSc final work. I’m working in Windows with C++ Builder. I’m about to purchase the UrU4000, but Digital Persona’s people told me that to obtain an image I also have to purchase their damn SDK. Does anyone know how to interact with the driver without purchasing their SDK??? guido.pusiol@gmail.com
Thanks
September 13th, 2007 at 9:11 pm
Well… is there any software that is not from Digital Persona that we can use with our MS fingerprint reader? Any better software… maybe freeware…
And after having changed the firmware (in the Windows DLL), can we use software like DigitalPersona PRO?
Thanks