Re: CRC reverse engineering

There are many CRC-16 bit primes, 1 is used the most (called CRC-16), then 1
other, but there are a lot more.
CRC is usally used on longer message lengths, 4 bytes seems a little short.
Could be a home brew, LRC with some more stuff like the credit cards.

"mvrpfswe" <mvrpfswe@xxxxxxxxx> wrote in message
news:1178122600.529857.86340@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

I have a CRC reverse engineering problem that I have not been able to
solve. I am currently running out of ideas of how to approach the
problem, please help.

Here is a description of what I have done so far.

The application of this is to read out serial numbers from electronic
markers these are all hard coded and can not be altered. The data
below has been read out of unique electronic markers (The guts of the
markers consists of one Zarlink 15076CKG and some support components,
I don't have the data*** for the part it seams to be a custom IC).

Each line represents one marker and the byte mapping is:
4 bytes of a binary serial number MSB first (this I have verified
since the markers are tagged with the matching number)
2 bytes of ??? probably a type field (all markers are of the same
type)
2 bytes of something that looks like a CRC.
The data is read from the marker at register address 0x60 through
0x67.

To make any use of the makers I need to figure out the algorithm to
compute the last 2 bytes so I can verify that the correct serial has
been read out. I have considered reading the data multiple times and
have a voting scheme to determine if the correct data has been read,
but I think it's a very ugly and crude solution around a (simple??)
problem.

Here is what I have done so far (many of the ideas taken from postings
in this group, many thanks to you all).

According to other postings here it states that the xor between two
CRC with only a single bit change is the same.
- This is true for all.

I also found that if
A^B = D
A^C = E
Then the crc polynomial is (2*D)^E if A, B and C is a factor of 2 (bit
shift by 1) from each other (somewhere in the data stream).
There are 2 sections in the data that has the property S/N low byte
0x80 and 0xA0 the computation of this gives polynomial 0xE507.

I have tried all possible (brute force) CRC(16bit) start bytes with
all possible final xor combinations and come up short.
Also tried to append all combinations of 1 or 2 bytes to the dataset
in the end without success.

I tried to use a 32-bit CRC only using the lower 2 bytes as the result
value.
-There is one polynomial 0xCA18E507 that with 0 or all F:s as start
with an xor value at the end generates a combination that matches S/N
0x80 through 0x83 but none of the others.
Also tried to vary the start CRC state with all combinations (using
the 0xCA... polynomial) without any success.

I used a modified version of the crc16wierd.c algorithm posted by
xmath. It does return values with the same properties as the data in
the markers just not the same.

Marker data:
0x00, 0x03, 0xB4, 0x7E, 0x40, 0x44, 0xA8, 0x5A,
0x00, 0x03, 0xB4, 0x80, 0x40, 0x44, 0xB0, 0xDA,
0x00, 0x03, 0xB4, 0x81, 0x40, 0x44, 0xEF, 0x0C,
0x00, 0x03, 0xB4, 0x82, 0x40, 0x44, 0xEA, 0x71,
0x00, 0x03, 0xB4, 0x83, 0x40, 0x44, 0xB5, 0xA7,
0x00, 0x03, 0xB4, 0x85, 0x40, 0x44, 0xB6, 0x5D,
0x00, 0x03, 0xB4, 0x86, 0x40, 0x44, 0xB3, 0x20,
0x00, 0x03, 0xB4, 0x88, 0x40, 0x44, 0xEF, 0x78,
0x00, 0x03, 0xB4, 0x89, 0x40, 0x44, 0xB0, 0xAE,
0x00, 0x03, 0xB4, 0x8C, 0x40, 0x44, 0xB6, 0x29,
0x00, 0x03, 0xB4, 0x8F, 0x40, 0x44, 0xB3, 0x54,
0x00, 0x03, 0xB4, 0x90, 0x40, 0x44, 0xEA, 0x99,
0x00, 0x03, 0xB4, 0x93, 0x40, 0x44, 0xEF, 0xE4,
0x00, 0x03, 0xB4, 0x9C, 0x40, 0x44, 0xEC, 0x6A,
0x00, 0x03, 0xB4, 0x9E, 0x40, 0x44, 0xB6, 0xC1,
0x00, 0x03, 0xB4, 0xA0, 0x40, 0x44, 0xEA, 0x5C,
0x00, 0x03, 0xB4, 0xA1, 0x40, 0x44, 0xB5, 0x8A,
0x00, 0x03, 0xB4, 0xA2, 0x40, 0x44, 0xB0, 0xF7,
0x00, 0x03, 0xB4, 0xA5, 0x40, 0x44, 0xEC, 0xDB,
0x00, 0x03, 0xB4, 0xA6, 0x40, 0x44, 0xE9, 0xA6,
0x00, 0x03, 0xB4, 0xA8, 0x40, 0x44, 0xB5, 0xFE,
0x00, 0x03, 0xB4, 0xAB, 0x40, 0x44, 0xB0, 0x83,
0x00, 0x03, 0xB4, 0xAC, 0x40, 0x44, 0xEC, 0xAF,
0x00, 0x03, 0xB4, 0xAD, 0x40, 0x44, 0xB3, 0x79,
0x00, 0x03, 0xB4, 0xB3, 0x40, 0x44, 0xB5, 0x62,
0x00, 0x03, 0xB4, 0xB4, 0x40, 0x44, 0xE9, 0x4E,
0x00, 0x03, 0xB4, 0xB5, 0x40, 0x44, 0xB6, 0x98,
0x00, 0x03, 0xB4, 0xB6, 0x40, 0x44, 0xB3, 0xE5,

There must be a more elegant way of figuring this out rather then a
brute force, if anyone has any Idea on how to approach this problem
please let me know.

Thanks
Johan



.

Loading