Hacking a code-protected hard disk

Our friend [Sprite_TM] took a look at the security of a code-protected hard disk. The iStorage diskGenie is an encrypted USB hard drive with a keypad for passcode entry. After cracking it open he found that the chip handling the keypad is a PIC 16F883 microcontroller. He poked and prodded at the internals and found some interesting stuff, like an onboard LED that blinks differently depending on the code entered: one pattern for the right code, another for a wrong code with the right number of digits, and a third for a wrong code with the wrong number of digits. That signal could be tapped for a brute-force attack, but there's a faster way. The microcontroller checks the code one digit at a time, so the response time changes as soon as the leading digit is correct. By timing each attempt an attacker can confirm the code digit by digit instead of guessing it whole, which cuts the search from every possible code to ten tries per digit.

There is brute-force protection that counts incorrect passwords, but [Sprite_TM] found a way around that too. He attached an AVR to monitor the PIC's response time; if an attempt takes longer than a correct password would, the AVR resets the PIC before it can record the failed attempt in its EEPROM. This can be a slow process, but he concluded it should work. We had fun watching the Flash_Destroyer hammer away, and we'd like to see a setup that actually acquires the code from this device.
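To make the digit-by-digit leak concrete, here is an added simulation in C. It is not Sprite_TM's code and not the diskGenie's firmware (which is not available); it assumes a hypothetical check_code_early_exit() that stops at the first wrong digit, a constructed secret of 7319, and a loop counter standing in for the stopwatch on the PIC's response. recover_code() runs the attack described above: ten guesses per position, keep the slowest. Against the early-exit check it recovers a four-digit code in 40 guesses instead of up to 10,000; against a constant-time compare, shown alongside as the fix, every guess costs the same and the attack gets no signal.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define CODE_LEN 4

/* Constructed secret for the simulation; the real code is whatever the
 * owner set, and the device's firmware is not public. */
static const uint8_t secret_code[CODE_LEN] = {7, 3, 1, 9};

/* Stand-in for timing the PIC: each loop iteration of a check costs one
 * unit, as a compare-and-branch would on the chip. */
static unsigned long g_work;

typedef int (*code_check_fn)(const uint8_t *guess, size_t len);

/* Hypothetical vulnerable check: digit by digit, returning at the first
 * mismatch, so the time taken reveals how many leading digits were right. */
int check_code_early_exit(const uint8_t *guess, size_t len)
{
    g_work = 0;
    for (size_t i = 0; i < len; i++) {
        g_work++;
        if (guess[i] != secret_code[i])
            return 0;
    }
    return 1;
}

/* Hardened check: OR the differences together and decide only at the end,
 * so every guess of the right length costs the same number of iterations. */
int check_code_constant_time(const uint8_t *guess, size_t len)
{
    uint8_t diff = 0;
    g_work = 0;
    for (size_t i = 0; i < len; i++) {
        g_work++;
        diff |= (uint8_t)(guess[i] ^ secret_code[i]);
    }
    return diff == 0;
}

/* Attacker's side: per position, try all ten digits and keep the one whose
 * check ran longest. A correct digit pushes the comparison on to the next
 * position (at least one extra unit); a wrong one stops right there.
 * Returns 1 and fills out[] on success, 0 when the timing gives no signal. */
int recover_code(code_check_fn check, uint8_t out[CODE_LEN], unsigned *attempts)
{
    uint8_t guess[CODE_LEN] = {0};
    *attempts = 0;
    for (size_t pos = 0; pos < CODE_LEN; pos++) {
        unsigned long longest = 0;
        int best_digit = -1, ties = 0;
        for (int d = 0; d < 10; d++) {
            guess[pos] = (uint8_t)d;
            (*attempts)++;
            if (check(guess, CODE_LEN)) {        /* whole code accepted */
                memcpy(out, guess, CODE_LEN);
                return 1;
            }
            if (g_work > longest) {
                longest = g_work;
                best_digit = d;
                ties = 0;
            } else if (g_work == longest) {
                ties++;
            }
        }
        if (ties > 0)                            /* no unique slowest digit */
            return 0;
        guess[pos] = (uint8_t)best_digit;
    }
    return 0;
}

/* Demo wrappers: the recovered code as an integer (-1 on failure) and the
 * number of guesses the attack spent against a given check. */
int recovered_code_value(code_check_fn check)
{
    uint8_t code[CODE_LEN];
    unsigned n;
    int v = 0;
    if (!recover_code(check, code, &n))
        return -1;
    for (size_t i = 0; i < CODE_LEN; i++)
        v = v * 10 + code[i];
    return v;
}

unsigned attempts_used(code_check_fn check)
{
    uint8_t code[CODE_LEN];
    unsigned n;
    recover_code(check, code, &n);
    return n;
}

int main(void)
{
    printf("early-exit check:     code %d in %u guesses\n",
           recovered_code_value(check_code_early_exit),
           attempts_used(check_code_early_exit));
    printf("constant-time check:  code %d, gave up after %u guesses\n",
           recovered_code_value(check_code_constant_time),
           attempts_used(check_code_constant_time));
    return 0;
}
```

On the real device the "stopwatch" is the AVR measuring the PIC's response, and the failure counter in EEPROM is what the reset trick defeats; the simulation only models the comparison itself. The constant-time version is the firmware fix: a fixed-length loop that never branches on the secret, so the response time carries no information about how many digits matched.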

Comments

  1. goldscott says:

    AVRs attacking PICs?! Noooo!!!

  2. Zem says:

    God I love articles/blogs like this. I can literally read stuff like this for hours and never get bored!

  3. sp00nix says:

    Crafty sir. Crafty.

  4. Necromant says:

    Hm… I really wonder how it actually locks the data. If it doesn’t transparently encrypt that – it’s useless. You can:
    1. Replace a controller board with the one from the same, but unprotected drive
    2. Are we able to dump the firmware/eeprom?
    3. Is there a signal from pic that actually tells the other circuitry that a correct password has been entered? If so the crack will be ‘solder a wire from Vcc to pass_ok_pad’

  5. Hmm, if I remember correctly, there is a way to reset the internal code protection fuses and just read back the code. Involves etching away the packaging and using a UV light at the correct angle to hit the fuses. Anyone remember the article that went over this?

  6. nave.notnilc says:

    @necromant
    did you read the writeup? :P

    anyway, great stuff as always from Sprite_TM

  7. Ruud says:

    It’s a great article. For all the Dutch folks there’s a translated version at http://tweakers.net/reviews/1764/de-diskgenie-op-de-pijnbank-gelegd.html (Sprite_tm is also a moderator on the forums over there).

  8. uC says:

    @Roman

    The fuse resetting trick was Bunnie from Xbox hacking fame.

    http://www.bunniestudios.com/blog/?page_id=40

  9. Just me says:

    “When you want to unlock the disk, you get 50 tries. After that, you have to enter a special code (described in the manual) and then you can try for another 50 times. After that, the disk locks up and you can only reset it, erasing all the data on the disk.”

    So, after 99 tries just swap the disk to something not-so-important and then the device erases it. You get 100 new tries?

  10. Necromant says:

    @nave.notnilc
    Looks like I've missed the AES part. I guess I'll open up my Silicon Power Armor and have a closer look at what it does to store the passwd…

  11. blue carbuncle says:

    Nicely done Sprite_TM :) Not that I have ever seen one of these, but good stuff to know. Kudos on the due diligence as always :)

  12. Brennan says:

    As a side note, I just love it when the guy doing the PCB layout rotates the ICs (specifically the microcontroller) 45 degrees. It looks so cool.

  13. mjrippe says:

    Excellent write-up! I love articles like this!

  14. Fragged says:

    Just change your password to 9999. NO PROBLEMO.

  15. asimilator says:

    @Just me

    He doesn’t go into details about the reset when you reach the max tries (100), but I would bet that it just erases the key from the PIC rather than actually doing anything to the HDD.

    So swapping HDDs wouldn’t do anything.

  16. Shadyman says:

    @goldscott: Don’t worry, it’s almost time for Episode III: Revenge of the PIC

  17. Tim says:

    Awesome, this is very similar to the "timing attack" which was used a while back on older Xbox 360s (before the JTAG exploit) to downgrade the console to the base 1888 kernel. It worked by attaching a microcontroller to the 360's motherboard to monitor the POST codes, and bruteforcing one of the bootloader's authorization keys (which the 360 checked one byte at a time) by measuring the time it took to get a "fail" code. MS soon fixed that with an update of course.

  18. hans says:

    Why do I always associate PICs with amateurism?

  19. Stranger says:

    Hi, I was going to purchase one of these. I admit I do not know what most of you are talking about, have you hacked into this unit or are you saying it is possible? There is a difference.
    Thx

  20. cde says:

    @JustMe, it was explained in the article. The PIC generates a lockkey based on a new password/HD. It sends that lockkey to the encryption micro, which generates an encryption key based on that to encrypt everything on the HD. Once a password has been rendered useless by the 100 tries, the PIC and encryption micro generate new lock keys.

    If you switch the hard drive out when the 100 tries are up and then put it back in, even with the new, correct password, the key the encryption micro is trying to decode the hard drive data with would be different.

    TL;DR version, it won’t work, Sprite TM has tried it.

  21. @hans PICs are just another tool; not all problems are nails, and not all tools are hammers. So yeah, if your problem calls for a legacy microcontroller that only executes an instruction every fourth clock cycle (or less), and has fewer features than all of its competitors… or maybe you just need to pound in a few nails… PIC is definitely your tool.

  22. therian says:

    @Atomic Dirt Bike
    "has fewer features than all of its competitors…"
    now give some examples in detail…
    It's just funny to watch how people refer to something they haven't touched, and the information is so outdated. Stop comparing the oldest chip family to modern ones; why don't you compare 18F instead of 16F? It's PIC's strong advantage that they are so diverse, and yes, there are very low-level device variations too. Also, Microchip usually doesn't discontinue its oldest chips.

  23. Mincer says:

    Did anyone crack it or not??

  24. Mincer says:

    Did anyone crack it? How did you manage it?
