\myheading{Getting CRC polynomial and other CRC generator parameters} \renewcommand{\CURPATH}{CRC/cracker} Sometimes CRC implementations are incompatible with each other: polynomial and other parameters can be different. Aside of polynomial, initial state can be either 0 or -1, final value can be inverted or not, bits of the final value can be reflected (reversed) or not. Input byte can be reflected/reversed before processing as well. Trying all these parameters by hand to match with someone's else implementation can be a real pain. Also, you can bruteforce 32-bit polynomial, but 64-bit polynomials is too much. Deducing all these parameters is surprisingly simple using Z3, just get two values for 01 byte and 02, or any other bytes. \lstinputlisting[style=custompy]{\CURPATH/CRC_cracker.py} This is for CRC-16 (Modbus): \begin{lstlisting} poly=0xa001, init=0xffff, ReflectIn=True, XORout=0, ReflectOut=True \end{lstlisting} Sometimes, we have no enough information, but still can get something. This is for CRC-16: \begin{lstlisting} poly=0x96bc, init=0x0, ReflectIn=True, XORout=-1, ReflectOut=True poly=0x7cfc, init=0x0, ReflectIn=False, XORout=-1, ReflectOut=False poly=0x5814, init=0x0, ReflectIn=True, XORout=-1, ReflectOut=True poly=0x6182, init=0x0, ReflectIn=True, XORout=-1, ReflectOut=True poly=0xa287, init=0x0, ReflectIn=True, XORout=-1, ReflectOut=True poly=0x726b, init=0x0, ReflectIn=True, XORout=-1, ReflectOut=True poly=0x41c1, init=0x0, ReflectIn=True, XORout=-1, ReflectOut=True poly=0xe83d, init=0x0, ReflectIn=True, XORout=-1, ReflectOut=True poly=0xa001, init=0x0, ReflectIn=True, XORout=0, ReflectOut=True total results 9 \end{lstlisting} One of these results is correct (last). We can get something even if we have only one result for one input byte: \begin{lstlisting}[style=custompy] # recipe-259177-1.py, CRC-64-ISO # many solutions! width=64 samples=["\x01"] must_be=[0x01B0000000000000] sample_len=1 \end{lstlisting} \begin{lstlisting} poly=0xd800000000000000, init=0x0, ReflectIn=True, XORout=0, ReflectOut=True poly=0xfe4fffffffffffff, init=0x0, ReflectIn=False, XORout=-1, ReflectOut=True poly=0xfffffffffffff27f, init=0x0, ReflectIn=False, XORout=-1, ReflectOut=False poly=0xd80, init=0x0, ReflectIn=False, XORout==0, ReflectOut=False poly=0x1b0000000000000, init=0x0, ReflectIn=False, XORout=0, ReflectOut=True poly=0xa7ffffffffffffbf, init=0xffffffffffffffff, ReflectIn=False, XORout=0, ReflectOut=True poly=0x6c000, init=0x0, ReflectIn=True, XORout==0, ReflectOut=False poly=0xb40b40b40b4816, init=0xffffffffffffffff, ReflectIn=True, XORout==0, ReflectOut=False poly=0xe73cf3cf3cf3cf3c, init=0xffffffffffffffff, ReflectIn=False, XORout=-1, ReflectOut=True poly=0x53ffffffffffffff, init=0xffffffffffffffff, ReflectIn=True, XORout=0, ReflectOut=True poly=0x7ffffffffff93fbf, init=0xffffffffffffffff, ReflectIn=False, XORout==0, ReflectOut=False poly=0xcc2055dc9e9bc60f, init=0xffffffffffffffff, ReflectIn=False, XORout=-1, ReflectOut=True poly=0x3ffffffffffc9fff, init=0xffffffffffffffff, ReflectIn=True, XORout==0, ReflectOut=False poly=0x9fd82e25acc7fcf3, init=0xffffffffffffffff, ReflectIn=False, XORout=-1, ReflectOut=False poly=0x367a57106cf7678, init=0xffffffffffffffff, ReflectIn=False, XORout==0, ReflectOut=False poly=0x92492492492e924, init=0xffffffffffffffff, ReflectIn=True, XORout==0, ReflectOut=False poly=0x1d24924924924924, init=0xffffffffffffffff, ReflectIn=True, XORout=0, ReflectOut=True poly=0x31ba, init=0x0, ReflectIn=True, XORout==0, ReflectOut=False poly=0x153225b1d0d61af, init=0xffffffffffffffff, ReflectIn=False, XORout==0, ReflectOut=False poly=0x461861861861861, init=0xffffffffffffffff, ReflectIn=True, XORout=0, ReflectOut=True poly=0x30c30c30c30f861, init=0xffffffffffffffff, ReflectIn=True, XORout==0, ReflectOut=False total results 21 \end{lstlisting} (The first result is correct.) The files: \url{\RepoURL/\CURPATH}. The shortcoming: longer samples slows down everything significantly. I had luck with samples up to 4 bytes, but not larger. Further reading I've found interesting/helpful: \begin{itemize} \item \url{http://www.cosc.canterbury.ac.nz/greg.ewing/essays/CRC-Reverse-Engineering.html} \item \url{http://reveng.sourceforge.net/crc-catalogue/1-15.htm} \item \url{http://reveng.sourceforge.net/crc-catalogue/16.htm} \item \url{http://reveng.sourceforge.net/crc-catalogue/17plus.htm} \end{itemize}