CHECKSUM CHALLENGE - (US$ 100)
Posted by Carlos Gomez on February 11th, 2004


CHECKSUM CHALLENGE

We're offering US$100 to have a checksum/CRC algorithm
reverse-engineered.

We have a microcontroller-based system that connects via modem to a
remote PC. The PC runs software that talks to the microcontroller,
sending and receiving data. The person that developed this system for
us is no longer available.
We have the protocol to control the system but we don't know the
checksum algorithm and therefore can't get the new data accepted by
the receiving machine.
Apparently the last two bytes of each data packet are Checksum/CRC.
The first byte is the number of bytes that follows in the packet (we
don't know if this byte is computed in the Checksum/CRC).

Examples of the data and resultant checksum are provided below.

If interested, please email me for further details. I will let you
know how many others have applied. The money goes to the first one who
returns a working algorithm preferably implemented in VB.

Thanks,

Carlos Gomez
carlos_gomez_73@hotmail.com

06 FF 01 FF 09 FF 46 FF 36 FF D8 FF F5
06 FF 01 FF 09 FF 0A FF 3C FF F1 FF 95
06 FF 01 FF 09 FF 7C FF 2A FF E0 FF A3
06 FF 01 FF 09 FF A6 FF 36 FF D8 FF C1
06 FF 01 FF 09 FF D6 FF 2A FF DE FF 5B
06 FF 01 FF 07 FF 06 FF 1E FF 7D FF D7
06 FF 01 FF 07 FF 24 FF F5 FF 23 FF 91
06 FF 01 FF 08 FF 80 FF 1E FF 22 FF 9D
06 FF 01 FF 08 FF 9E FF 42 FF 72 FF C1

Posted by Max Firmware on February 11th, 2004




"Carlos Gomez" <carlos_gomez_73@hotmail.com> wrote in message
news:9c8240fb.0402110845.74918022@posting.google.com...

And tossing in a bunch of FF's that aren't part of the packet doesn't help
either!!!!



Posted by Rene Tschaggelar on February 11th, 2004


Carlos Gomez wrote:

Did you try to look at a packet as :
06 01 09 46 36 D8 F5

Rene
--
Ing.Buero R.Tschaggelar - http://www.ibrtses.com
& commercial newsgroups - http://www.talkto.net

Posted by Anne & Lynn Wheeler on February 11th, 2004


"Max Firmware" <null@null.tw> writes:
i.e. possibly to maintain one bit density for various
transmission/sync'ing requirements.

there is the ancient (in)famous case at cornell university that tried
out new (RF) wireless technology for campus communication between
various mainframe operations. the mainframe communication controller
used standard crc for detecting transmission errors. however, the
wireless modem used similar polynomial for permuting transmission bits
(maintain one-bits transmission density?). the result was that
transmission errors tended to be permuted in such a way that they
weren't caught by the CRC.

ancient ref (nearly 20 years old)
overview:
http://vm.marist.edu/~vmshare/vmshscn1
detail
http://vm.marist.edu/~vmshare/read?f...ft=PROB&line=1
description
http://vm.marist.edu/~vmshare/read?f...=PROB&line=474

discussion of crc polynomial issues:
http://vm.marist.edu/~vmshare/read?f...=PROB&line=660
from a co-worker (at the time) ... purely random coincidence but he
happened to send me some email a couple weeks ago (after over ten years
lapse). in any case, in the above, he references an article on the
subject he wrote for april 1985 PC tech journal titled "high
performance crc generation".

above fragments as single article:
http://vm.marist.edu/~vmshare/browse...IL&ft=PROB#660


--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm

Posted by Mack on February 11th, 2004


On 11 Feb 2004 08:45:36 -0800, carlos_gomez_73@hotmail.com (Carlos
Gomez) wrote:

so using your first line as an example
the length is 06
the actual data is 01 09 46 36
and the checksum is d8 f5
is this correct?

If this is correct, do you know the endianness of the microcontroller?
This is not a lot of information to go on but it seems solvable.

Leslie 'Mack' McBride
remove text between _ marks to respond via e-mail

Posted by Arthur J. O'Dwyer on February 12th, 2004



[posted and mailed]

On Wed, 11 Feb 2004, Carlos Gomez wrote:
I don't suppose it would work to give your resident programmer(s)
a bonus to solve this problem as part of a *job* or anything... :-)

Do you have the source code of the software?
Do you have the executable code of the software?
Do you know any contact information for the person who developed
the software (name, place of residence, new employer)?
Do you have any programmers on payroll who can do this work for
you?

Where did you get these examples?
Can you use the software as an "oracle" to compute checksums on
arbitrary data?
If not, how many different example data sets do you have?
Are you sure that the examples you gave are absolutely correct
(i.e., no data corruption -- which is, after all, the point of having
a checksum)?
Are you only trying to get an algorithm to deal with 6-byte data,
or a general-purpose algorithm for any lengths of data?


If (1) you really cannot find the binary executable involved;
(2) you have no paid programmers on staff; (3) you have an oracle
for producing these packets; and (4) you are only interested in
a checksum formula that works for packets under, say, 100 bytes;
then if you post the URL where we can find about 10000 different
examples, I bet someone here will do it as an exercise.
Otherwise, you're probably better off (1) translating the binary
by hand; (2) paying your employees to do it; (3) beating your head
against a wall; or (4) beating your head against the other wall.

Remember, post a *URL* to a *web page* with lots of examples!
(If you have no web space, then I'll even post the data for you,
if you'll email me privately at the address above with the "nospam."
removed.)

HTH,
-Arthur

Posted by Ian Woods on February 12th, 2004


"Arthur J. O'Dwyer" <ajo@nospam.andrew.cmu.edu> wrote in
news:Pine.LNX.4.58-035.0402112212520.10604@unix40.andrew.cmu.edu:

<snip>

It might also help if said web page stated which data are the payload and
which data are the checksum. After all, if all you know is a pile of bits
they could mean anything at all.

Ian Woods

--
"I'm a paranoid schizophrenic sado-masochist.
My other half's out to get me and I can't wait."
Richard Heathfield

Posted by Paul Rubin on February 12th, 2004


"Arthur J. O'Dwyer" <ajo@nospam.andrew.cmu.edu> writes:
If it's a straightforward crc or checksum it can probably be solved
from the data provided, without needing to resort to more time
consuming traditional reverse engineering methods, but the "challenge"
angle makes me yawn.

Posted by onestone on February 12th, 2004


Why not just say "We've stuffed up and lost control over our own code,
now we are in trouble, our own staff can't solve the problem, and we
need an expert to do so, but we're only prepared to pay $100, so would
all monkeys please forward your solutions in the hope we will dish out
some peanuts."

This sort of 'challenge' insults the intelligence. Honesty would get you
further.

Al

Carlos Gomez wrote:
--
Please remove capitalised letters to reply
My apologies for the inconvenience
Blame it on the morons that spam the net


Posted by Spehro Pefhany on February 12th, 2004


On Thu, 12 Feb 2004 04:57:31 GMT, the renowned onestone
<onestoneXYZ@ABCbigpond.net.au> wrote:

Oooh ooh ohh ANNNH! ANNH! ANNH!

;-)
Best regards,
Spehro Pefhany
--
"it's the network..." "The Journey is the reward"
speff@interlog.com Info for manufacturers: http://www.trexon.com
Embedded software/hardware/analog Info for designers: http://www.speff.com

Posted by Ben Jackson on February 12th, 2004


In article <%IDWb.52516$Wa.39790@news-server.bigpond.net.au>,
onestone <onestoneXYZ@ABCbigpond.net.au> wrote:
It reminds me of the time someone in the window seat on a plane offered
to pay me $20 so they could have the aisle (he was tall but I am taller).
Now he was obviously uncomfortable and if he'd just asked for the seat
I might have given it to him, or traded off, but when he put a dollar
value on it it was darned easy to see I'd rather sit in the aisle than
have $20!

--
Ben Jackson
<ben@ben.com>
http://www.ben.com/

Posted by Frank Bemelman on February 12th, 2004


"onestone" <onestoneXYZ@ABCbigpond.net.au> wrote in message
news:%IDWb.52516$Wa.39790@news-server.bigpond.net.au...
Why not say 'we cracked it' and want more

--
Thanks, Frank.
(remove 'x' and 'invalid' when replying by email)




Posted by Noah Roberts on February 12th, 2004


Ben Jackson wrote:
realize they have something you want. On the other hand if you use some
other form of friendly bribery like, "I'll buy you lunch if you take me
to XXX," it often yields better results.

--
"I'm a war president. I make decisions here in the Oval Office
in foreign policy matters with war on my mind." - Bush


Posted by Mack on February 12th, 2004


On Thu, 12 Feb 2004 08:26:11 +0100, "Frank Bemelman"
<fbemelx@euronet.invalid.nl> wrote:


I spent about 15 minutes on the problem and have determined
that it probably isn't a standard crc. This problem comes up
quite a bit in embedded systems with custom programming.
Often a ready made solution is bought and then the company
goes out of business or no longer supports the item and
changes are needed.

More information on the problem would be helpful.
Leslie 'Mack' McBride
remove text between _ marks to respond via e-mail

Posted by Michael Brown on February 12th, 2004


Paul Rubin wrote:
It's not a normal CRC, as far as I can tell. I ran a program I made a while
ago to brute-force CRC polys against the data provided, and tried every
polynomial up to 16-bits. Also tried variations on flipping endians and
which parts of the packet were included, and no matches came up. So it's
almost certainly not a normal CRC.

--
Michael Brown
www.emboss.co.nz : OOS/RSI software and more
Add michael@ to emboss.co.nz - My inbox is always open
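
The kind of search Michael Brown describes, run over the packets as Rene and Mack read them (0xFF filler dropped), as an added example that is not any poster's program: it tries every 16-bit polynomial in both bit orders, with and without the length byte, and with both check-byte orders. The function names, the two initial values tried and the absence of a final XOR are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Thread samples, 0xFF filler removed: length, four data bytes, two check bytes. */
static uint8_t samples[9][7] = {
    {6,1,9,0x46,0x36,0xD8,0xF5}, {6,1,9,0x0A,0x3C,0xF1,0x95}, {6,1,9,0x7C,0x2A,0xE0,0xA3},
    {6,1,9,0xA6,0x36,0xD8,0xC1}, {6,1,9,0xD6,0x2A,0xDE,0x5B}, {6,1,7,0x06,0x1E,0x7D,0xD7},
    {6,1,7,0x24,0xF5,0x23,0x91}, {6,1,8,0x80,0x1E,0x22,0x9D}, {6,1,8,0x9E,0x42,0x72,0xC1},
};

/* Bitwise CRC-16 without final XOR (an assumption of this example).
   refl=0: MSB-first; refl=1: LSB-first with the polynomial bit-reversed. */
uint16_t crc16(const uint8_t *p, size_t n, uint16_t poly, uint16_t init, int refl) {
    uint16_t c = init;
    for (size_t i = 0; i < n; i++) {
        c ^= refl ? p[i] : (uint16_t)(p[i] << 8);
        for (int b = 0; b < 8; b++)
            c = refl ? (uint16_t)((c >> 1) ^ ((c & 1) ? poly : 0))
                     : (uint16_t)((c << 1) ^ ((c & 0x8000) ? poly : 0));
    }
    return c;
}

/* Returns 1 if one parameter set reproduces the check bytes of every packet.
   skip=1 leaves the length byte out; le=1 reads the check bytes low byte first. */
int matches(uint8_t pk[][7], size_t count, uint16_t poly, uint16_t init, int refl, int skip, int le) {
    for (size_t s = 0; s < count; s++) {
        uint16_t want = (uint16_t)(le ? pk[s][6] << 8 | pk[s][5] : pk[s][5] << 8 | pk[s][6]);
        if (crc16(pk[s] + skip, (size_t)(5 - skip), poly, init, refl) != want) return 0;
    }
    return 1;
}

/* Every polynomial x 16 variations: bit0 refl, bit1 skip, bit2 le, bit3 init FFFF. */
unsigned search(uint8_t pk[][7], size_t count) {
    unsigned hits = 0;
    for (uint32_t poly = 1; poly <= 0xFFFF; poly++)
        for (int v = 0; v < 16; v++)
            if (matches(pk, count, (uint16_t)poly, (v & 8) ? 0xFFFF : 0,
                        v & 1, (v >> 1) & 1, (v >> 2) & 1)) {
                printf("poly=%04X variation=%d\n", (unsigned)poly, v);
                hits++;
            }
    return hits;
}

int main(void) {
    printf("%u parameter sets fit all nine samples\n", search(samples, 9));
}
```

A useful sanity check before trusting a "no match" result is to stamp the same data bytes with a known CRC and confirm the search recovers it.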



Posted by budgie on February 12th, 2004


On Thu, 12 Feb 2004 23:50:37 +1300, "Michael Brown" <see@signature.below> wrote:

maybe it is a simple XOR-type checksum ...

Posted by Bill Godfrey on February 12th, 2004


carlos_gomez_73@hotmail.com (Carlos Gomez) wrote:
#include <stdio.h>
#include <string.h>

unsigned char samples[]={
    0x06, 0xFF, 0x01, 0xFF, 0x09, 0xFF, 0x46, 0xFF, 0x36, 0xFF, 0xD8, 0xFF,
    0xF5, 0x06, 0xFF, 0x01, 0xFF, 0x09, 0xFF, 0x0A, 0xFF, 0x3C, 0xFF, 0xF1,
    0xFF, 0x95, 0x06, 0xFF, 0x01, 0xFF, 0x09, 0xFF, 0x7C, 0xFF, 0x2A, 0xFF,
    0xE0, 0xFF, 0xA3, 0x06, 0xFF, 0x01, 0xFF, 0x09, 0xFF, 0xA6, 0xFF, 0x36,
    0xFF, 0xD8, 0xFF, 0xC1, 0x06, 0xFF, 0x01, 0xFF, 0x09, 0xFF, 0xD6, 0xFF,
    0x2A, 0xFF, 0xDE, 0xFF, 0x5B, 0x06, 0xFF, 0x01, 0xFF, 0x07, 0xFF, 0x06,
    0xFF, 0x1E, 0xFF, 0x7D, 0xFF, 0xD7, 0x06, 0xFF, 0x01, 0xFF, 0x07, 0xFF,
    0x24, 0xFF, 0xF5, 0xFF, 0x23, 0xFF, 0x91, 0x06, 0xFF, 0x01, 0xFF, 0x08,
    0xFF, 0x80, 0xFF, 0x1E, 0xFF, 0x22, 0xFF, 0x9D, 0x06, 0xFF, 0x01, 0xFF,
    0x08, 0xFF, 0x9E, 0xFF, 0x42, 0xFF, 0x72, 0xFF, 0xC1 };

unsigned char carlos(unsigned char *buf)
{
    size_t i;

    for (i=0; i<sizeof samples; i += 13)
    {
        if (memcmp(buf,samples+i,12) == 0) return *(samples+i+12);
    }
    return 0x58;
}

int main(void)
{
    unsigned char case_a[]={0x06, 0xFF, 0x01, 0xFF, 0x09, 0xFF,
                            0x7C, 0xFF, 0x2A, 0xFF, 0xE0, 0xFF}; /* 0xA3 */
    unsigned char case_b[]={0x06, 0xFF, 0x01, 0xFF, 0x08, 0xFF,
                            0x80, 0xFF, 0x1E, 0xFF, 0x22, 0xFF}; /* 0x9d */
    unsigned char case_c[]={'B', 'i', 'l', 'l', 'P', 'G',
                            '.', 'm', 'e', '.', 'u', 'k' }; /* 0x58 */

    printf("carlos(case_a) == 0x%02x (exp 0xA3)\n",carlos(case_a));
    printf("carlos(case_b) == 0x%02x (exp 0x9d)\n",carlos(case_b));
    printf("carlos(case_c) == 0x%02x (exp 0x58)\n",carlos(case_c));
}

Bill, send the cash to my Nochex account.

Posted by Ian Okey on February 12th, 2004


onestone <onestoneXYZ@ABCbigpond.net.au> wrote in message news:<%IDWb.52516$Wa.39790@news-server.bigpond.net.au>...
At the current rate of exchange $100 _IS_ a bag of peanuts :-)

Posted by Mood on February 12th, 2004


Ha ha ha. This is sad. Sorry buddy, but it costs a lot more than $100
for this kind of service, and I usually have a lot more information to
work with than some packet dump. Try adding a zero to your price and
doubling it.... Good luck

-J

carlos_gomez_73@hotmail.com (Carlos Gomez) wrote in message news:<9c8240fb.0402110845.74918022@posting.google.com>...

Posted by Lewin A.R.W. Edwards on February 12th, 2004


Coffee? Cocktail? Banana?

