
Saw ur last post in Dream OS thread
Sent at: Fri Feb 29, 2008 9:00 pm by da_doors1106
-----------------------------------------------------------------------------------------
looks like he disabled ur previous login, what was posted about him before?
-----------------------------------------------------------------------------------------
Re: Saw ur last post in Dream OS thread
Sent at: Sat Mar 01, 2008 1:40 am by bitemytaco2
-----------------------------------------------------------------------------------------
an email from l3x (the guy who really coded the original sigma for derengel) that he sent to my friend. we run http://www.surfboardhacker.net, the best modem hacking forum, we put tcniso to shame

Hi, I am [l3x]. I used to work for TCNiSO (2 years ago). I am the author of SIGMAX, I wanted to join the forums so I can clear a few things up that people have written about me.

1) I coded sigma-x without DerEngel's help, DerEngel cannot code in asm, he only codes in VB.NET
2) The only thing I used that I did not code was Isabella's web server and Isabella's telnet server, the rest was coded by me in mips asm.
3) Yes I still have the source code, no DerEngel does not have the source code, that's why there were never any updates to sigma-x since I left in November 2005.
4) I also started the 5100 hacking, I found the ejtag port, I coded the very first blackcat (before it was named blackcat), it was a linux only version, after I coded it and had a way to flash firmware I started coding sigma-x
5) I coded the 5100 bootloader.
6) Isabella made a smaller ejtag interface, mine used 3 quad nand gate ics, Isabella did it with 1 ic.
7) Isabella started work on a windows version of the software I coded to interface to ejtag, she made it all except for the flash driver which I coded. She named it blackcat because she has a Black Cat heh
8) DerEngel made a GUI in VB.net which interfaced to Isabella's and my work (coded in C++).
9) I developed SIGMA-x in 3 months, I did write documentation for it but never released it.
10) The last version of sigma-x I released was sigma-x RC7 but derengel never released it because there was a bug which he wanted fixed before he released it.
11) The reason DerEngel can't modify sigma-x is because it's encrypted (a simple xor encryption)
12) After sigma-x boots it erases its init functions from ram, this includes the descriptor, so there is no way to reverse engineer it with a ram dump. You would get the core functions with a ram dump but without the init functions it's impossible to work it out.
13) Once sigma-X loads it erases functions the modem uses when it boots and frees that ram for use (this was my magic memory management system as I was low on ram)
14) Sigma-x has no backdoor, but sigma 1.3, 1.4, 1.5 does. I am sure sigma-x2 would have too, but I don't know about that one as I was long gone when DerEngel paid programmers to code sigma-x2
15) Sigma-x2 was not coded by DerEngel, he paid a team of programmers to build it. (I am not sure if Isa helped)
16) Isa coded sigma 1.3, 1.4 and 1.5
17) Sigma-x is compressed using lzma
18) The encryption is simple. There is a key, it's a string, say blah. To encrypt, when I compiled the firmware I would xor parts of the uncompressed firmware against the key like this. Say the key is blah, blah in hex is 0x62 0x6c 0x61 0x68
byte 1 of the first encrypt block is xored against 0x62 and the answer is written to byte 1
byte 2 of the first encrypt block is xored against 0x6c and the answer is written to byte 2
byte 3 of the first encrypt block is xored against 0x61 and the answer is written to byte 3
byte 4 of the first encrypt block is xored against 0x68 and the answer is written to byte 4
byte 5 of the first encrypt block is xored against 0x62 and the answer is written to byte 5
byte 6 of the first encrypt block is xored against 0x6c and the answer is written to byte 6
byte 7 of the first encrypt block is xored against 0x61 and the answer is written to byte 7
byte 8 of the first encrypt block is xored against 0x68 and the answer is written to byte 8
as you can see, the firmware is just xored against a rolling key, starting at byte 1 of the key and going over each byte until it loops back to the start of the key again. All of the firmware is encrypted except a small init function which includes the decryptor, the decryptor works the same as the encryptor. On boot the bootloader uncompresses the firmware from flash into ram and then jumps to the init function. The init function decrypts all the encrypted blocks and then executes the encrypted init functions. The last thing it does is zero out the RAM that the decryptor and init functions are stored in. The firmware is then running in ram decrypted with no entry point, making reverse engineering it impossible.
This is the first time I have talked about sigma-x since I left, I now work at Sony and do not do any hacking anymore, I have not hacked anything since the good old days at TCNiSO. Excuse the spelling, I typed this out really quick. Regards, L3x
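The rolling-key xor in point 18 of the quoted email, worked through as an added C example. This is editor-written illustration code, not l3x's code and not anything taken from sigma-x: it applies the 4-byte key "blah" to a constructed stand-in block (the `FIRMWARE` string is made up), shows that the same routine decrypts, and adds one observation the email does not make, that a key which repeats every four bytes is recovered from any four bytes of ciphertext whose plaintext is known (`recover_key`). The names `rolling_xor`, `recover_key`, `encrypted_byte` and `selftest` are this example's own; the lzma decompression by the bootloader and the zeroing of the decryptor from RAM are not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The key from the email: "blah" = 0x62 0x6c 0x61 0x68. */
static const uint8_t KEY[] = { 0x62, 0x6c, 0x61, 0x68 };
#define KEYLEN (sizeof KEY)

/* Rolling-key XOR as the email describes it: byte i of the block is XORed with
 * key[i % keylen], wrapping back to the first key byte after the last one.
 * XOR is its own inverse, so one routine serves as build-time encryptor and
 * as the decryptor the init function runs at boot. */
static void rolling_xor(uint8_t *buf, size_t len, const uint8_t *key, size_t keylen)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % keylen];
}

/* One byte of the keystream applied to one plaintext byte, for spot checks. */
static uint8_t encrypted_byte(uint8_t plain, size_t index)
{
    return (uint8_t)(plain ^ KEY[index % KEYLEN]);
}

/* Known-plaintext key recovery (editor's addition, not discussed in the email):
 * because the key repeats every keylen bytes, keylen ciphertext bytes whose
 * plaintext is known at ANY offset give back the whole key. The offset only
 * rotates the key, so each recovered byte is stored at its position mod keylen. */
static void recover_key(const uint8_t *cipher, const uint8_t *known_plain,
                        size_t offset, size_t keylen, uint8_t *key_out)
{
    for (size_t i = 0; i < keylen; i++)
        key_out[(offset + i) % keylen] = cipher[offset + i] ^ known_plain[i];
}

/* Constructed stand-in for one uncompressed "encrypt block"; not real firmware. */
static const char FIRMWARE[] = "MIPS init: decrypt blocks, then jump to core.";

/* Encrypt, recover the key from four known plaintext bytes, decrypt with the
 * recovered key. Returns 0 on success or the number of the first failed step. */
static int selftest(void)
{
    uint8_t buf[sizeof FIRMWARE];
    uint8_t key[KEYLEN];

    memcpy(buf, FIRMWARE, sizeof buf);
    rolling_xor(buf, sizeof buf, KEY, KEYLEN);              /* build-time encrypt */

    /* bytes 1, 2 and 5 of the block, exactly as the email walks through them:
     * 0x62, 0x6c, then the key wraps and byte 5 sees 0x62 again */
    if (buf[0] != ('M' ^ 0x62) || buf[1] != ('I' ^ 0x6c) || buf[4] != (' ' ^ 0x62))
        return 1;

    /* attacker side: the word "init" is known to sit at offset 5 of this block */
    recover_key(buf, (const uint8_t *)"init", 5, KEYLEN, key);
    if (memcmp(key, KEY, KEYLEN) != 0)
        return 2;

    rolling_xor(buf, sizeof buf, key, KEYLEN);              /* decrypt with recovered key */
    if (memcmp(buf, FIRMWARE, sizeof buf) != 0)
        return 3;
    return 0;
}

int main(void)
{
    int rc = selftest();
    printf("rolling XOR round trip and key recovery: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

Compile with `cc -std=c99 -Wall rolling_xor.c && ./a.out`. The recovery step is the practical point: a MIPS image has plenty of predictable bytes (zero padding, NOPs, known library strings), so any one of them at a known offset yields the key, and from there the whole image can be decrypted without ever catching it in RAM.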
