Mar 31, 2008 at 6:34 PM
Ok, I put some code out in the Do Stuff button on click event that does encryption and decryption. So now I need to see if I can use this with the certs that are sent to see how the hostauthenticator and deviceauthenticator fit in. Anybody know what this would be used for? I assume it is something to determine if the cert is valid or not. So I think you use the host cert to encrypt stuff to send to it and the private key to decrypt stuff from the host that they use the device public cert to encrypt. I am sure this is over simplified.
Mar 31, 2008 at 7:24 PM
Another thing I found out is that the 6 bytes that are prepended to the cert before being base64 encoded have actual meaning. They seem to start with 0 0 1 0 3 count, where the count is something in the cert. I checked the client and host certs that I had, and the difference in the size of the certs was the difference in those two numbers. In the host cert the value was 98 and in the device cert the value was 216. Another thing to figure out.
Mar 31, 2008 at 9:26 PM
I agree. Since the whole point of this lame exercise (thanks, Microsoft) is to do a key exchange. On one hand the authenticator sent by the server could be random garbage that is just encrypted with the host cert then sent back.
Another thing I noticed when messing around with it is that the authenticators are usually 20 bytes, which could indicate that it's a hash value of something...
Apr 1, 2008 at 2:48 AM
Edited Apr 1, 2008 at 2:49 AM
Presently I am trying to find the original value of the hash....
I am trying to intercept the SHA function. I found another important piece of information about the SHA1 function: the function used by the message exchange uses a random salt number to obfuscate the real data. This is the explanation for why the hash isn't the same each time you re-pair the same MCX.

Apr 1, 2008 at 3:04 AM
Edited Apr 1, 2008 at 3:04 AM
I found this for more explanation about the salt in the SHA1 algorithm

Apr 1, 2008 at 3:23 PM
Well, I have verified that the authenticator is not a SHA1 hash of the certificate.
Apr 1, 2008 at 4:25 PM
Just a crazy idea: what if the hostconfirmauthenticator and deviceconfirmauthenticator are just random data that each (server and device) sends along when they send their certificate? Maybe that random data is used later when they try to validate each other's certificate..? In other words, the first server post and first device post (as shown by Sanmilie) are nothing more than a data exchange to start the process and don't mean anything at that point...
Apr 1, 2008 at 11:01 PM
For this data, the facts are:

1. hostconfirmauthenticator varies each time you pair the MCX.
2. hostconfirmauthenticator looks like a SHA1 hash.
3. If this value is altered, the device does not return a response.
4. The device can validate only known data.

Apr 3, 2008 at 3:43 PM

I moved your posts to the private discussion area.

Apr 5, 2008 at 3:50 PM
Material for creating the function for the authenticator is in the private discussion.
Apr 23, 2008 at 11:26 AM
Has this project died??? I'm interested in getting involved with development; my C# skills are very high. And I believe I can be a benefit to this project.

Apr 24, 2008 at 1:55 PM
Nope, hasn't died. Just progressing really slowly. I haven't had as much time lately to work on it and the stuff we are working on now I am not as familiar with. I will add you to the project. Welcome aboard.
May 12, 2008 at 4:29 PM
Edited May 12, 2008 at 4:30 PM
interesting discussion:
A SoftSled By Any Other Name

Ciao SunboX
May 28, 2008 at 11:09 AM
How do I get on board here? I have a lot of spare time coming up in a little over a month. I am a 3rd-year SE major at CalPoly, I know C and Java, and I am excellent with math. Let me know: jpthomas@calpoly.edu
May 28, 2008 at 12:17 PM
Well, if you want you can download the code and figure out how the confirm authenticators are generated. We need to generate one in order to send back to the host (Vista). If you look at the discussion by Sanmilie about the Linksys MCX information, it shows the communication back and forth. We have been able to decipher the host certificate and I think we can generate a client certificate back, but can't figure out how the deviceconfirmauthenticator is generated. Sanmilie has been creating pseudo C code based on assembly stuff he has found in some of the Media Center .dll's and .exe's to help us decipher how the authenticator is generated and some of the other inner workings. If you can look at his stuff and maybe create some Java code or, if you want to try, some C# code, that would be great. Welcome aboard.


Jun 18, 2008 at 3:11 PM
Has anyone made any progress? It's been a while since the most recent activity. I've finally finished all of my summer examinations so I should have more spare time to help out with the project.

What's the current status? Are we still working slowly with trying to create a C# representation of the pseudo C code?
Jun 19, 2008 at 5:10 PM
We are pretty much at a standstill right now. I was hoping for some other people to come on board and help out. I have run out of free time right now. I hope to pick this up in the future when things settle down for me.

Jun 20, 2008 at 2:04 AM
I've been watching this project with some interest.  I might be able to help (probably like many others, free time is the limiting factor).  Is the plan still to disassemble and reverse-engineer the relevant Vista MCE binaries?  Where is the best place to follow Sanmilie's work?

- Shanon
Jun 21, 2008 at 5:56 PM
Send jlambert a PM to make you a developer. I would, however I don't have the privileges. Relevant private threads exist which detail Sanmilie's previous findings.