Entropy

https://github.com/TorgoTorgo/ghidra-findcrypt

Basically, most cryptographic algorithms rely on some kind of constants to perform various types of operations: for example initialization vectors, seeds, base points, S-boxes, etc.

When a cryptographic algorithm is implemented in a programming language, those constants are embedded in the program as data and (in our case) compiled into the binary. So it’s possible to search for where such constants appear, track the functions that use them, and recognize what’s going on and which algorithms are in use, even if the binary is stripped.

For this operation we used ghidra-findcrypt on the bootloader binary.

![[Untitled 88.png|https://www.shielder.com/blog/2022/03/reversing-embedded-device-bootloader-u-boot-p.1/]]

NOTE: ghidra-findcrypt also detected a BLAKE2 IV, but this is a false positive, since the BLAKE2b IV is the same as the SHA-512 IV and the BLAKE2s IV is the same as the SHA-256 IV.
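As an added example (not code from the page or from ghidra-findcrypt), a minimal constant scanner in the spirit of findcrypt: it packs the public IV tables in both byte orders, searches a binary for them, and reports every algorithm that shares each constant, so a hit on the SHA-256 words is reported as "SHA-256 or BLAKE2s" instead of being attributed to one of them. The sample blob standing in for a stripped bootloader is constructed.

```python
import struct

# Public constants of the algorithms. Each entry lists every algorithm that
# shares the constant, so the report carries the ambiguity instead of hiding it.
WORD_CONSTANTS = {
    "SHA-1 IV": ("I", [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0], ["SHA-1"]),
    "SHA-256 / BLAKE2s IV": ("I", [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
                                   0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19],
                             ["SHA-256", "BLAKE2s"]),
    "SHA-512 / BLAKE2b IV": ("Q", [0x6A09E667F3BCC908, 0xBB67AE8584CAA73B, 0x3C6EF372FE94F82B,
                                   0xA54FF53A5F1D36F1, 0x510E527FADE682D1, 0x9B05688C2B3E6C1F,
                                   0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179],
                             ["SHA-512", "BLAKE2b"]),
}
# First row of the AES S-box, stored as bytes, so endianness does not apply.
BYTE_CONSTANTS = {"AES S-box": (bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"), ["AES"])}

def build_signatures():
    """Expand each word table into big- and little-endian byte patterns."""
    sigs = []
    for name, (fmt, words, algos) in WORD_CONSTANTS.items():
        for endian, label in ((">", "big"), ("<", "little")):
            sigs.append((name, label, struct.pack(f"{endian}{len(words)}{fmt}", *words), algos))
    for name, (pattern, algos) in BYTE_CONSTANTS.items():
        sigs.append((name, "n/a", pattern, algos))
    return sigs

def scan(blob, signatures=None):
    """Return every occurrence of a known constant in blob, sorted by offset."""
    hits = []
    for name, endian, pattern, algos in (signatures if signatures is not None else build_signatures()):
        pos = blob.find(pattern)
        while pos != -1:
            hits.append({"offset": pos, "name": name, "endian": endian, "algorithms": algos})
            pos = blob.find(pattern, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])

# Constructed stand-in for a stripped bootloader: padding, a little-endian
# SHA-256 table at offset 16, filler, then a big-endian SHA-1 table at offset 56.
SAMPLE_BLOB = (
    b"\x00" * 16
    + struct.pack("<8I", *WORD_CONSTANTS["SHA-256 / BLAKE2s IV"][1])
    + b"\xff" * 8
    + struct.pack(">5I", *WORD_CONSTANTS["SHA-1 IV"][1])
)

if __name__ == "__main__":
    for hit in scan(SAMPLE_BLOB):
        print(f"0x{hit['offset']:08x} {hit['name']} ({hit['endian']}-endian): "
              f"one of {', '.join(hit['algorithms'])}")
```

In a real binary the hit offset is the address to cross-reference in Ghidra; the function that reads the table is the one to inspect to tell SHA-256 from BLAKE2s.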
