Fujitsu iRMC S4, S5, S6 License

@qwertykolea

FoL:

  • Firmware, in our case: FTS_TX2540M1D3099iRMCKronos4FirmwareUpdatef_TX2540M10969Fsdr0336_1265146.BIN
  • 7Zip
  • Python or PyCharm, I'll use Python
  • Ghidra
  • Serial number
  • PoC script (Links #3)

Body:

  • Extract libfts_license.so.1.12.1 from the firmware with 7Zip
    /usr/local/lib/libfts_license.so.1.12.1
  • Obtain the values for HMAC_KEY, HMAC_MSG, and AES_IV in Ghidra
    Run CodeBrowser
    Select libfts_license.so.1.12.1 to import
    Select Bytes: ...
    AES_IV = 0d 0e 0a 0d 0b 0e 0e 0f 00 01 02 03 09 08 07 06
    HMAC_KEY = 01 02 03 04 01 02 03 04 01 02 03 04 01 02 03 04
    HMAC_MSG = 46 75 6a 69 74 73 75 21 01 01 80 28 00 00 ff ff
  • Convert the values for HMAC_KEY, HMAC_MSG, and AES_IV to Python byte-string literals with hex escapes

    HMAC_KEY = b"\x01\x02\x03\x04\x01\x02\x03\x04\x01\x02\x03\x04\x01\x02\x03\x04"

    HMAC_MSG = b"\x46\x75\x6a\x69\x74\x73\x75\x21\x01\x01\x80\x28\x00\x00\xff\xff" * 4

    AES_IV = b"\x0d\x0e\x0a\x0d\x0b\x0e\x0e\x0f\x00\x01\x02\x03\x09\x08\x07\x06"

  • Put HMAC_KEY, HMAC_MSG, and AES_IV into the PoC script (Links #3)
    iRMC.py
  • Run the script
    Edit with IDLE
    Run... Customized
  • Type in your serial number
    Serial number
    Licence key

Links:

  1. https://support.ts.fujitsu.com
  2. https://watchmysys.com/blog/2023/01/fujitsu-irmc-s4-license/
  3. https://gist.github.com/halmartin/28e013a9034be04777073bccc918cb95
  4. https://gist.github.com/bjornbouetsmith/a9a46931fa2741aee62b79a67b3edd53
  5. https://notepad-plus-plus.org/downloads/
  6. https://www.7-zip.org/
  7. https://www.python.org/downloads/
  8. https://github.com/NationalSecurityAgency/ghidra

