Reading the Unreadable SROM: Inside the PSoC4

Wow. [Dmitry Grinberg] just broke into the SROM on Cypress’ PSoC 4 chips. The supervisory read-only memory (SROM) in question is a region of proprietary code that runs when the chip starts up, and in privileged mode. It’s exactly the kind of black box that’s a little bit creepy and a horribly useful target for hackers if the black box can be broken open. What’s inside? In the manual it says “The user has no access to read or modify the SROM code.” Nobody outside of Cypress knows. Until now.

This matters because the PSoC 4000 chips are among the cheapest ARM Cortex-M0 parts out there. Consequently they’re inside countless consumer devices. Among [Dmitry]’s other tricks, he’s figured out how to write into the SROM, which opens the door for creating an undetectable rootkit on the chip that runs out of each reset. That’s the scary part.

The cool parts are scattered throughout [Dmitry]’s long and detailed writeup. He also found that the chips that have 8 K of flash actually have 16 K, and access to the rest of the memory is enabled by setting a single bit. This works because flash is written using routines that live in SROM, rather than the usual hardware-level write-to-register-and-wait procedure that we’re accustomed to with other micros. Of course, because it’s all done in software, you can brick the flash too by writing the wrong checksums. [Dmitry] did that twice. Good thing the chips are inexpensive.

The nitty-gritty on the ROP (return-oriented programming) tricks that [Dmitry] had to pull, and a good look into the design of the system itself, are all up on [Dmitry]’s blog. We can’t wait to see what other buried treasure he’s going to find as he continues to play around with these chips. And in case you’re wondering what type of mad genius it takes to pull this off, consider that [Dmitry] runs Linux on AVRs, fools nRF24 chips into transmitting Bluetooth LE beacons, and re-writes his own airplane’s GPS.

[Main image is a PSoC4200 dev kit, and [Dmitry] has only been working with the 4000 and 4100 series. Just so you know.]

172 thoughts on “Reading the Unreadable SROM: Inside the PSoC4”

  1. While these hacks are impressive, I still think they push boundaries that should not be crossed. A locked door is NOT a standing invitation to break in regardless, and there are both moral and ethical bounds that should be respected. Masterful technique in and of itself cannot stand as justification for any act of this nature.

      1. Exactly!! Just think about those #*$(% three-letter-agencies… I am glad that people are working hard on ways to inspect “hidden” parts of µCs or baseband-systems on mobile phones and so on.

      2. In the most common security model – black listing – security has two states 1) Failure, 2) Potential failure.

        In this model security professionals are dependent on hackers transitioning the system from potential failure to failure and in so doing they identify the weakness so that security professionals can fix that one weakness and return the system to potential failure – awaiting the next hack.

        Given that security (in this model) is equally dependent on hackers performing their function – how can you attribute ‘bad’ to one actor and not the other?

    1. Isn’t that like saying it is immoral or unethical to open the back of your fridge if it’s marked “No User Serviceable Parts Inside”, or if something is held together with screw heads that require security bits?

      I think it’s less that this was someone else’s locked door, and more of a locked compartment inside of a cabinet he had bought and had sitting right there on his own workbench.

        1. I’m quite certain it’s the same. Modifying property you lawfully own is quite ethical.

          The analogy of this being like a locked door on a home is the one that I see as false.

          1. Given that the supervisory read-only memory in question is a region of proprietary code your analogy is demonstrably false. As a culture, given the directions we are going in, we have to get over this primitive point of view that physical possession is the only arbiter of property rights, or either we are going to limit development in any number of areas, or we are going to have relief (in the legal sense) rubbed in our faces in ways that are going to be unpleasant for everyone.

            Like it or not this is a matter that needs to be addressed with a better response than what I am seeing here.

          2. So why was it hidden in the first place? This is the whole point, and one that everyone seems to ignore – there is a difference between de facto and de jure, but in the end the effect is the same. This isn’t a ‘right of repair’ issue at all.

          3. @DV82XL:

            Why is it hidden? I do not know. Ask Cypress. I suspect because they did not want anyone messing with the super-low-level access to flash that is possible, damaging flash, and then asking for support from them. Or perhaps they wanted to hide their market segmentation registers, or perhaps they are like Qualcomm and think that any bit they produce is gold and needs protection. I do not know.

            I am, however, convinced that I did nothing wrong by exploring this. As for the laws like right-to-repair, they explicitly cover this case. In fact, if said law passes in Nebraska, Cypress might have to document this SROM. Take a read: http://nebraskalegislature.gov/FloorDocs/104/PDF/Intro/LB1072.pdf

          4. >” primitive point of view that physical possession is the only arbiter of property rights”

            You’re advocating the view that some person can own parts of the number Pi and arbitrarily restrict anyone from replicating, or even viewing the portion in question in any way. That is completely silly. It is a completely fictitious and false view that people can own “intellectual property” – essentially numbers or any arbitrary information.

            Your way ends up with the notion that people should be punished and fined for thinking certain thoughts, because that’s ultimately the same thing. That points out to the weakness of the argument: what are you going to do about it when they do?

            Indeed. What are you going to do about people cracking open things they have? Is any of what you advocate enforceable without sacrificing all the rest of our human rights?

          5. >”Like it or not this is a matter that needs to be addressed with a better response than what I am seeing here.”

            If intellectual property is a meaningful concept, then please hand over to me the hole of a donut – and I mean the hole alone. If you can own an idea, then you can own the hole of a donut, therefore you must be able to give one to me without the donut itself. After all, ownership should not be dependent on physical items.

          6. @Dmitry I know you don’t think you have done anything wrong – that largely is the point here. Ultimately it is impossible to defend against this sort of attack by any physical means but in the long run increasing dependence on these systems is going to raise concerns and the response will not likely be pleasant or easy to live with. No one I know likes DMCA and it was these sorts of acts, justified with the same flimsy excuses that brought that down on all of us. The fact is that all of the justifications about testing security, and presumed rights of possession stopped that from coming, and it is only going to get worse.

            @Dax – “Your way ends up with the notion that people should be punished and fined for thinking certain thoughts, because that’s ultimately the same thing. ”

            Rubbish. You cannot show that any argument I have made here leads to that. My concern is with actions, and the need for self control, in the understanding that continuing to break these systems is going to have consequences down the line that are potentially far greater than any short-term gains realized at the moment.

            Look, I know that I am pissing into the wind here, but the fact that no one from this side of the question wants to consider either the long-term impacts of their actions, or wants to engage in any serious discussion that doesn’t boil down to a justification by means (if I can do it, I should be allowed) but in the end these claims cannot be reduced to the authority or criteria that they appeal to. Again it is not a question of clashing opinion – which this discussion always seems to devolve into – but rather impact, which everyone here at least doesn’t want to address.

          7. @Dmitry – So your argument is that you carried this evolution out to repair a broken chip? That might work in court, but please, that is an insult to both of us. This bill, and others like it, really don’t address this issue as clearly as you seem to think they do and at any rate are going to be in legal tension with other intellectual property laws. That means that their applicability will have to be established on a case-by-case basis, and most likely will be interpreted in a far more restricted way than their sponsors hoped. At any rate you still having established how this is relevant to the broader question.

          8. It may seem like it when the replacement cost is so low. Is there an implicit or explicit agreement in the purchase? Check the box, agree to this or that. You don’t want to end up like Kyle. How about hacking your self driving car? Aside from voiding all insurance and manufacturer liability. To me it is like cracking the company safe, then saying you HAD to give the method and the combination to everyone, because they should all know it can be done. This basic Eric Cartman reasoning!

          9. “there is a difference between de facto and de jure”

            this is the concept of acquired rights. so Cypress (and presumably others) hid code in some SROM, and for a while no one knew how to read or write there, so they assumed no one can, so they assumed they had (acquired) the right to store their secrets there… except that after a while someone is able to read the SROM. So “in facto” there is apparently no de facto privacy in devices you ship all over the world.

            “Again it is not a question of clashing opinion – which this discussion always seems to devolve into – but rather impact, which everyone here at least doesn’t want to address.”

            So your argument is not one of normative ethics after all, but of positive (= currently considered possible, but by whom?) practical threats we face by some presumed authorities, about real politik, action-reaction patterns and focal points (Schelling points, credible boundary of feasibility).

            The river has an east bank and a west bank. People on the east bank are in conflict with those on the west bank, why?
            * because conflicts within the same bank were quickly fought out
            * because actions and reactions are harder to execute, if one first has to swim through the water to attack

            The river is considered (by both parties) a credible boundary for territory… until boats, and bridges … and microscopes, and NOP slides and …

            A tall guy has longer arms than a short guy, and he believes he can steal the wallet from the short guy.
            The short guy pulls a knife which he believes can cut through human tissue. The tall guy takes his gun from his pocket. The short guy loads his rocket launcher, … the tall guy launches a torpedo towards the sub of the short guy, the short guy launches his ICBM carrying nukes (or whatever we believe to be at the root of the tree of focal points…)

            If real politik is to be the guide of human actions (as you imply with impact as opposed to opinion) shouldn’t Cypress have known that their threat model was a bit simplistic?

            If real politik and focal points (which rely on credibility, on human belief systems) are to be the guide of human actions, and you warn us of some ominous “impact” we will suffer, then according to the rules of real politik the threat must be made clear and credible (like “you will be soaking wet, cold and tired after you slowly swam across the river, while we will be alarmed, ready, dry and prepared”). What “impact” are you referring to? Some kind of all-out cyber war 3 letter agencies and MegaCorps will wage against the rest of the world? Credible how? Using all the latent hidden powers located in our own devices?

    2. All of you can twist and prevaricate as much as you like, but breaking into a locked area is a criminal act. Point Final. The only reason you are attempting to justify this is because you think it is cool that he had the chops to do it – because the problem is hard and you’re impressed. But what he was doing is wrong in a fundamental sense and I doubt that anyone would be leaping to his defence if this act was carried out in any other domain. And that’s the question you need to ask yourselves: if this crack was not a major technical accomplishment, or if the perpetrator did some real damage, would you be so quick to defend it.

      1. >if the perpetrator did some real damage, would you be so quick to defend it.
        No, but he did NOT, so I don’t see your point. On the contrary, he showed that there is a security hole that could be used by criminals (including agencies of all flavors).
        Are you working for the NSA or the government or maybe Cypress?

        1. Oh for Christ’s sake… No. I am a retired chemist/metallurgist that worked in aviation. And your point is meaningless, for the same reason that the law separates the concepts of breaking, entering and theft rather than see them as the same.

          The attitudes that are being shown over antics like this demonstrate a disturbing degree of moral and ethical bankruptcy in this and the broader hacker community. The fact that none of you seem to be able to see this is even more depressing.

          1. It is distressing that you’re claiming people don’t own the property they paid for. You keep repeating how it is ethically and morally bankrupt to do this to your own property, but you keep skipping over the part where you explain why you would think this is anywhere near true.

          2. I think you’re misunderstanding the mindset of the maker. We have an inherent need to understand our devices and a locked door is like a moth to a flame.

            Also just because a door is locked doesn’t mean it should remain so nor should it have ever been locked in the first place. The whole locked door should remain locked mindset can and has been dangerous. For example the Trojan Horse

            “Cor, big horse innit”
            “Yeah, dunno how it got ‘ere. Woulda taken a lot of people to build it. Wonder where the ‘eck they are?”
            “It’s not like it coulda just got ‘ere on it’s own? Oi, what’s this ‘ere door?”
            *rattle* *rattle*
            “It’s locked, hmm, oh well obviously we aren’t meant to know whats in there ‘ay”
            “Oh well, bring ‘er inside, we’re only guards meant ta protect the city. Who are we to be so nosy ‘eh?”

          3. Well I don’t misunderstand the mindset of those who will react badly, if not to this instance, then to the general trend that it represents. Is this one hack going to have any far reaching impacts on its own? Oh more than likely not. Is it another stone in the pile? Yes, and that’s the problem. This sort of activity is going to have repercussions and these are not going to make things better or easier for anyone. This is playing a game that will eventually be lost because your opponent can make the rules, and the freedoms of action that we enjoy now will be restricted in the future.

          1. Never mind the law at this point. There is a general agreement across domains, and broadly accepted, that there is a distinction between physical ownership of something like a chip (or a book) and ownership of what is written. No one would make the claim that because you have paid to buy a book that you can treat the author’s work as if it was your own. It is the same thing here. You are not buying the code, you are buying what it does, and if you don’t agree with that fine, but do not expect those that made it to take the same view. They will take steps to deal with what they will properly see as a threat to their investment, and here is the key point: the restrictions that they created, or have written into law, (if what has already happened is any indication) will be far, far worse than any inconvenience that currently exists by having the code hidden.

            That’s where all this blather about your property rights falls down; they believe they have property rights too and when they exercise them all of us get hurt.

          2. You buying a book means you can treat the book as your own. You can cut out pages and reorganize them. You can even cut out parts of the book and make new products from them. This has been determined in court, time and time again. You can’t go and make new copies of the book, but this isn’t what the article is talking about.

        2. “Don’t you see Butters? I had to tell everyone! Once I broke in I had to tell everyone that your house is vulnerable. And I had to give them all the combination to your alarm system, and o all our friends. It is the only proof that I did in fact break in! All the houses are vulnerable. I did you a favor!” Eric Cartman.

      2. Don’t be such a Turd Sandwich dude… I bought it, and I can break it, or break into it as I see fit.. its mine .. remember,, I bought it… you and your Draconian attitude need to realize what property rights are.. and if I choose to tell my friends about it and how I did it, well that’s what freedom of speech/information is all about.. grow up Mr. DV82XL.. its the 21st century, and you seem to be stuck in the 1950’s….

        1. Grow up? Asshole I was a grownup before you were born, and you have no idea of how property rights work, what they mean, and how they came about. However I have a feeling that because of the sorts of attitudes I am seeing here, you are going to learn, and to yours, and everyone else’s detriment. Do any of you idiots think that a continued parade of these things are going to go unanswered? There is eventually going to be a response that is going to be very unpleasant for everyone, and if you think your degrees of freedom are being restricted now in this area, you have no idea. As we depend more and more on these systems, what little tolerance there is for those that set out to compromise them will vanish and this will be used to take draconian measures against those that do. When that happens the sorts of sophomoric arguments that I am seeing here just won’t cut it.

          1. “you have no idea of how property rights work”

            Maybe not. You could help by posting a link to the exact property right that’s being violated here.

          2. While you might have been a grownup before IMT was born, it’s highly unlikely that you were before I was born, unless you personally remember the Great Depression. And while IMT’s view of property rights might be a bit excessively bohemian, yours is very definitely excessively authoritarian. Note that the OP did not publish the code he found, only the method by which he found it, which is a thing anyone who owns one of these chips can duplicate. If that can be made illegal, so can breathing. Cypress can always block the pathway [Dmitry] used; he even suggests how they could easily do so. But criminalizing what [Dmitry] did only means the power [Dmitry] unlocked will only ever be available to criminals.

            It happens that I saw Zer0Days last night, the documentary about the StuxNet worm. Without people willing to do what [Dmitry] did, we will all be screwed.

          3. @localroger – I don’t have an authoritarian position on property rights, if you have been reading what I have written, I have a fear of provoking the creation of draconian intellectual property rights which I believe will be the consequence of these sorts of activities if they are disseminated. In that regard it matters little if he did not publish the code he found, only the method by which he found it.

            If you truly remember the Great Depression, that would put you well into your nineties, more than many alive, you should be acutely aware of how little it takes to bring things down around our ears, and that one of the surest provocations is to ignore matters that others take seriously. If not then very recent history is poised to teach everyone that lesson again.

          4. DV8, if you cannot practice freedom because of your fear that you will lose that freedom, then you have already lost that freedom. Also, you might read more closely; I do not remember the Great Depression, I said that if you were an adult when I was born, then you probably do. You are practicing exactly that kind of sloppiness in your interpretation of IP law. The fact is multiple supreme court decisions have upheld the right to tinker and explore. It’s true they don’t uphold the right to change behaviors of things like car exhaust or radio transmitters, or to publish what was hidden. But it’s not illegal, and as a practical matter in anything calling itself a free society can’t be illegal, to investigate what you’ve bought and supposedly own yourself to learn how it works.

          5. Investigating yes, publishing howtos? Yes, publishing howtos. Before the Internet was a thing you could legally buy books which were legally published on how to grow pot, make methamphetamine, kill people, commit suicide, and execute a terrorist campaign in an occupied country. It’s still legal to publish and own those books, although you might now be held culpable if someone follows your advice on how to kill people and actually kills someone. The OP doesn’t really go anywhere near that gap though.

            You are singing a very fearful and oppressive tune. You ought to try to get it out of your head.

          6. @localroger – You’re missing the point here. Anyway I remember when every issue of a certain magazine was recalled and pulled off the shelves of every library that had a copy due to an overly detailed description of phone phreaking techniques – also a pre internet event. Apparently freedom of the press and all that wasn’t enough to stop that from coming down. There are repercussions for disseminating information, you have to ask if the cost is worth it.

          7. Well yes, there are repercussions for disseminating information, THAT IS WHY WE DISSEMINATE INFORMATION. You have to decide whether the repercussions are worse than the alternative. I guess we have settled our sides here on that matter, eh?

          8. Well yes that is the point here, but rather than discuss it all I’ve seen is sturm und drang about freedom and rights and precious little on answering my concerns over repressions. Even your statement is somewhat confusing given you haven’t really staked out your position clearly on that aspect

          9. It’s unfortunate that the hackaday post system is so primitive. I wanted to reply to a more deeply nested comment of yours but the system prevents me from doing so. This is perhaps the next best comment of yours to reply to.

            At first I thought your concern was an ethical one in breaking the lock that Cypress put in place to hide the SROM (and by extension their apparent means of product differentiation). This is a ridiculous claim as others have pointed out, but then I caught wind of what I think is the actual point: Cypress locked away the contents of their SROM, code which is proprietary. It’s not the lock mechanism that is the issue, but rather the fact that Cypress has given us software which they do not wish to share the secrets to.

            To that end, I feel that placing blind faith in a product is a poor idea for any number of reasons. Many of those reasons were already discussed in previous comments and threads so I won’t repeat them again. You say that you’re a chemist/metallurgist by trade so perhaps there are no similar analogues in your line of work, but in the hardware (and software, including firmware and HDL) industry this is a rather large faux pas. There is no good solution to this problem, but claiming some kind of moral or ethical stance is reason enough to “leave the lock untested” is a very poor idea indeed.

            Unscrutinized protection mechanisms (in electronics or physical security) are not provably strong; Given how rampant systems-level exploits are it would seem it is ethical and moral to attack these systems with as much vigor as possible to ensure they are secure. This post exposes a flaw in the lock; would you not prefer this to be corrected and new/better hardware to be created, or are you happy to turn a blind eye, stick your fingers in your ears and say “lalalalala we shouldn’t be doing this, we should trust the vendors” while TLAs and the black hat community are free to exploit our devices? Would you think this is an acceptable approach for physical security?

      3. > “but breaking into a locked area is a criminal act. Point Final. ”

        So if I lock my door with the keys inside and have to break the door to my house, I’m a criminal?

        Or if I buy a locked chest, prying it open should put me in jail?

        Now elaborate why, if I purchase an encrypted document, the act of breaking the encryption should be a criminal act?

          1. Well I didn’t expect to be agreed with, but I did hope for a meaningful examination of the subject, and in that I’m certainly disappointed by many of the responses

      4. “breaking into a locked area is a criminal act” On what basis? I can understand using the information might be a crime, but it’s hard to see any basis for the assertion that reading undocumented sections of the device is criminal.

        In many cases, the entire reason for claiming proprietary rights is to conceal a crime, for example, the VW emissions test code. My understanding is that the main reason that chip makers make all the NDA demands is to make it harder for competitors to sue them for infringements.

        Would it be illegal for a competitor who suspects theft of intellectual property to examine the hidden code for evidence of the theft? If so, why should the law protect the thief? If not, then the assertion that reading the SROM is a crime is false.

      5. No it is not wrong. Despite your claims to the contrary it cannot be immoral to study or modify something which you own.

        Something I find interesting about your arguments is that you jump between claims of law and claims of morality as if the two are one and the same. This is a mental flaw that I have mostly seen in lawyers. I suspect that years of law school brainwashes one into no longer being able to see the difference. Are you a lawyer? There is some relation between law and morality however there is also some relation between an onion and a fish. They are about as closely related.

        Your other claim of immorality regarding ‘hacking’ seems to involve security. Do you think the world is less secure when someone reverse engineers a chip such as this? The world is less secure when designers rely on obscurity to secure their products.

        Think of it like this. There are two factors which determine the likelihood that any form of security will ever be broken. The first is difficulty. The second is motivation. How motivated are people to break that security? Well.. how motivated are they to break the security when it is only for the challenge of doing so, or to get more use out of some cheap chip on a hobbyist level or to get cred on HaD? Now, how motivated are they when their goal is to actually steal something with real financial benefit to themselves. Or how about crazy terrorists that want to cause real mayhem?

        Quite a bit more huh?

        I would propose that anything broken by a hobbyist, if it was ever important at all has likely been broken by someone with far worse intentions already. This kind of event should be a wake up call that security in locked, binary blobs is no security at all. If anything it is a service.

        But that’s just a response to the effect of ‘hacking’ that you seem to wet your pants about. What other effects are there?

        I remember when hobbyist electronics was supposedly dying because of the moves first from discrete components to ICs. Why build something when all you are doing is hooking your speaker, switches, etc.. to a black box IC? It’s still just a black box? Then there was the move to SMD that almost seemed to finish it off.

        It took a generation to get over that. Now we finally have people realizing that technological improvement did not have to be the death of hobbyist electronics, it was a whole slew of new opportunities! Too bad we lost a generation of kids that might have become engineers. Too bad we lost a generation of hobbyist inventiveness.

        More and more functionality in binary blobs and locked ROMs could be the next ‘death’ of the hobbyist. This is the last thing we need. It slows down progress. In the long run it isn’t just some company that loses out. It’s the whole human race.

        But is it even just the human race? No it’s the planet. Locked ROMs mean trash. One use devices that cannot be modified into anything else when their original use is over. More crap in a landfill. That’s what you are arguing for.

        If that’s what you want… go get your own planet asshole!

      6. “but breaking into a locked area is a criminal act” – true in a literal sense that you are trying to present. But why allow this to governments, while denying it to the people? Half of those on the top should be in jail for much, much bigger crimes. Crimes like hundreds of thousands of dead people, for example. As someone said above, I’m glad that capable people like Dmitry are doing this type of work, to make sure there are no backdoors used to spy on/exploit common folk like me, who cannot pull this off. Well done Dmitry.

      7. If I lock myself out of my car or my house and I break the lock to get inside, am I breaking the law? Of course not! You’re using terms like “breaking and entering” in a totally incorrect manner. The legal definition of breaking and entering is when I break into someone else’s clearly established property. It is NOT clearly established that the memory space of a chip is the property of the company that made that chip or part. Now, the copyright on whatever code may reside there might be. However that deals with copyright issues. Copyright infringement is NOT stealing. That’s a misapplication of the word. More importantly, simply examining something is not even copyright infringement. If someone took the code they found in that memory space and passed it off as their own and distributed it, that might be copyright infringement. However, simply examining it and finding its flaws is not! Anyway, it’s definitely not stealing nor is it breaking and entering.

      8. Breaking into a locked area (a safe) a physical safe that I own is NOT illegal. I may not know WHY the previous owner locked that safe but I have the RIGHT to open it. As for its actual contents such as stock certificates or certificates of deposit in someone else’s name I may or may not have the right to use/claim them.

        or…

        I purchased a physical safe. I have the right to use that safe, but do I have the right to get a torch and take it apart to see how it was made? Yes, I do. Do I have the right to make my own safes and sell them through my own safe company based on the pattern that was in that safe? Well.. if it was patented then I would NOT have the right to sell them. But then I would not have to torch and disassemble the safe because I could look at the patent on file with the patent office and see the details of how it was put together among other things.

    3. Just as I should be able to soup up a lawnmower that I lawfully own, I can also modify the firmware of electronics that I lawfully own. Hopefully that solves the ethical quandary for you. Also, copyright law, patent law and DMCA do not apply here if that is your concern.

      1. The fact is you cannot lawfully run a modified lawnmower in many jurisdictions – run one without a muffler, for example and you can find yourself ticketed for violating noise bylaws. Indeed it is not the act of removing it that is the offence, but the use of it, nevertheless there are restrictions.

        1. A muffler is a noise ordinance issue, a matter of local government. Other issues are things like EPA and CARB requirements. They are not requirements from the manufacturer, but laws on the books. I can definitely replace my carburetor or paint it John Deere green without getting permission.

          If the PSoC controlled a radio, and modifying it caused me to violate FCC rules, that would of course not be allowed.

          Again I think your analogies are broken.

          1. No, no, the lawnmower is YOUR analogy, not mine. But the fact remains that there are legitimate restrictions on what you can do with one, mandated by law, your property or not, which is the point here.

          2. >”mandated by law”

            The law is not a reason unto itself. You’re making the fallacy of arguing that something is morally and ethically so because it’s the law, when the relationship between moral and legal is a one way street: what is right should be the law, but what the law is does not say what is right.

          3. @Dax – Again no, that is not the argument I am making.

            Look, property rights are ultimately a social construct between people wherein it is agreed that some rights of action over an item can be exercised by some but not others. If that agreement isn’t broad then the owner can either appeal to the community in general to enforce these rights by the projection of collective might, (the law) or restrict access to the item (via a lock). If the latter is effectively compromised the only recourse is to the former. The problem there is that restrictions in law simply cannot be tuned as finely as those of a lock and the splatter hits everyone.

            This being the case, I believe it would be better not to violate locks without a really good reason (and “to see if I can do it” isn’t one) rather than suffer under bad laws that restrict users that had no intention of cracking anything.

        2. So it’s fine to look inside the mower, work out how to change the muffler, and tell others how to, and any weaknesses you found.

          Which is what Dmitry has done. Everybody’s happy. Good.

          1. No he didn’t, he took apart a portion of device that was sealed off by the manufacturer for an ego trip and bragging rights. This is no different than dissecting the code that controls the EFI in a car.

            In terms of what a programmer sees and does with the chip it changes nothing.

          2. @zerg:

            now this is blatantly false. A programmer can now:
            – protect against rootkits on such a chip or detect them
            – write flash in different ways (using low level access)
            – explore privileged registers to find other useful things (like an extra timer i found)
            – unlock extra flash
            – add their own syscalls if they desire for their application case

      1. Then you shouldn’t buy graphics cards. They all do it. Sometimes for market segment reasons, but often due to binning. It costs more to test more of the chip, or rather if you test and it doesn’t pass you have to throw it away or bin it into a lower class version. (fewer shaders enabled, lower max frequency, etc)
        What gets a little shady is even if the manufacturing defects are reduced to the point that more higher performing units would pass they won’t drop the lower performance tier or drop the price on the higher performance parts.

        1. Can confirm. I’ve worked at one of the big CPU manufacturers in diagnostics. Once yield started to improve on a new product, cores and cache were fused off to meet low cost market demand when there were too few low bin parts. ATE and burn-in test time is very expensive.

    4. you’re on hackaday.com, where everything used to be lowercase and people broke into stuff. sorry this doesn’t use an arduino experimenter’s kit to turn on an led when someone presses a button.

      1. Which is exactly why these issues need to be brought up here, and with this community. If there is ever going to be any rational accommodation between all of the stakeholders, it is going to have to start with some rational discussion – which is why I bring it up every time. Apparently however no one here wants to look beyond being impressed by some feat of technical legerdemain (which I freely admit this is) and some rather simplistic concepts of ownership to the impacts that this will have on a rapidly changing landscape.

        I’m not looking to change any minds here, because you are right in that most here won’t choose to consider these aspects – but I believe everyone here needs to, regardless if they are comfortable with them or not.

        1. It would help your argument if you would actually provide your argument, rather than just insisting we’re wrong/unethical/amoral/etc.

          Courts have repeatedly enshrined the right to repair/modify your own property at will, with no interference of the manufacturer. There are other laws which may apply, like emissions/noise/etc., but that is a different issue.

          1. If it comes down to you thinking the law defines what is ethical/moral, then you’re simply wrong.

            If it comes down to you thinking the manufacturers will act to further limit our rights, then… well, the only reaction is to push back against those efforts. If we back away from defending our rights, then we give up those rights… without any fight at all.

            I’m trying to think of other motivations you might have, but I’m having a hard time with it.

          2. Those of you that are invoking Right of Repair have no idea just how deep that rabbit hole is. Aviation, where I spent my career on the maintenance and manufacturing side, started struggling with third-party components and repairs long before anyone outside the industry even thought about it. No the courts have not enshrined anything and the few consumer laws out there haven’t been tested fully. It is complicated because there are real liability issues, on one hand everyone wants manufacturers to take responsibility for what they produce, but when you start to introduce third party parts and service into this the legal issues start to get complex fast and is not something that makes underwriters sleep well at night. For most consumer items this may not be a big deal, but as the complexity increases it does become an issue. Furthermore you cannot demand that the OEM provide unlimited support for old and discontinued products without seeing that reflected in the cost to the user.

            We simply can’t run demanding that an item is my property once I bought it and I can do whatever I want with or to it, and turn around and demand that the OEM assume any degree of responsibility for anything bad that occurs, yet this is exactly what has been happening. There are no absolutes here – it is a question of balance. You all really need to wrap your minds around the fact that property rights are formed via a social contract and that you are not the only party to that contract, nor are you in a position to dictate its terms. If you are not willing to see that on your own, it will be shoved down our necks, like it or not.

    5. I find opinions like yours to be highly disturbing.

      What makes you think that a corporation should somehow be the arbiter of how you use a product that they sold you, lock, stock, and barrel? Had Dmitry signed a contract with Cypress, that would be different — he would be willingly and knowingly agreeing not to poke his nose in — but AFAIK he didn’t. He bought the unit. Period.

      If I buy something, the company that sold it to me no longer owns it in any way, shape, or form. They have no right — legally, ethically, or morally — to tell me what I can or cannot do with my own property. And once I buy it, it IS my own property! If they don’t want me poking my nose in, then they shouldn’t sell it to me!

      He didn’t rent the chip. He bought it outright, and that means everything IN the chip, too. Including the code. No clickwrap EULA here. Preventing the copying and redistribution of that code is one thing — there’s an ethical sense to that from a lot of perspectives. But not even being able to look at it, analyze it, and talk about it?

      That’s just plain ridiculous.

      Somewhere down below you posited that hacks like this are why the DMCA exists. Newsflash: that’s false. Whether you agree with the law or not, the DMCA exists because content providers (RIAA, MPAA, etc.) lobbied the lawmakers for a law that gives their business model another advantage. End of story. It didn’t appear out of some moral obligation on the part of the lawmakers or businesses behind it.

      The current trend in intellectual property has placed our society on a path where, taken to its logical conclusion, nobody will ever again be able to own anything at all. You will rent everything. There will be restrictions on things as stupid as whether or not you can replace the carpet in your new house.

      That’s not a society I want to live in, and if you do, then I would posit that you need to take a step back and look at it from the point of view of the little guy. This is about power and control; I, for one, will not cede my power or control to big companies. Power corrupts; absolute Power corrupts absolutely; and big companies have a lot of money, which equates to Power.

      I don’t want them deciding what’s “ethical” and “moral” — because, from their skewed viewpoint, the only things “ethical” and “moral” are the things that make them more money. They don’t care if they screw everyone else.

      1. You don’t want others deciding what is moral and ethical, but it was actions such as this that set in motion the very process that brought about the restrictions you are whining about. Nevertheless, if you don’t like the way things are, guaranteed continuing to provoke money and power isn’t likely to beget any change you will be happy with. There are other paths, not easy ones, but they are still there, the tragic thing is that actions like this are going to see those restricted or closed without producing one solid gain for what you believe in. That’s where this becomes an ethical issue, when it becomes fuel for bringing down something worse, and for what?

        1. Let’s see here… You don’t address the validity of anything I’ve said, and your overall message can be summarized as “don’t exercise your rights, or they might take more of them away!”

          That’s just… wow.

          I think I’m done here. You can lead a horse to water…

      2. Thank you!

        btw, i spend my evening analyzing disassembled ARM-code (which btw is a major PITA with all these indirect jumps…), am i a terrorist now? Uh i’m scared of myself!!!

    6. I’m sorry but if you paid for it you own it. I don’t care what the EULA, DMCA, etc says. There is no moral or ethical boundary to cross or respect. If they don’t want people to know what is inside their chips then they can keep their little precious in their own damn warehouse or cave and never sell them.

  2. @DV82XL
    Security is everybody’s business.
    Any kind of criminal may have discovered this and might take advantage of this new information.
    We as engineers can now be better prepared to understand where a security issue can exist.
    Or Cypress can pull their heads out and tell their customers that this problem exists. ( They may have already known …….)
    Not everyone has the same moral compass.

  3. By the way, if you are interested in these things maybe you should make a local copy of the linked article, just in case… This guy lives in the US and there is this “nice little thing” called “DMCA”…

  4. If a chip has more physical flash/RAM than advertised, odds are the unused bits didn’t pass the manufacturer’s testing. I.e. use at your own peril. In rare cases fully working, higher-capacity parts are gimped to satisfy demand for a cheaper part, but there’s no way of knowing.

    1. I am convinced that in this case it is market segmentation because:

      the register that says amount of flash says 16K (I filed a bug with Cypress about this because this is an 8k part and the register is documented)

      the hidden register that limits flash says “hide 1/2”

      given the first fact, I suspect this is a perfectly good 16K part.

      FWIW all of my tests show that the second 8K is no worse than first
      but yes, you could be right

  5. You can prob. still get the modules for $4 on mouser. The RS232 converter part is worth the $4 bucks alone. Beats anything out of China for performance. Ch340G is not a good performer. Be sure to get the better one. There are two types on mouser both are $4 bucks.

    I would love to see an Arduino bootloader and gui on this chip. This chip has an insane number of i/o’s. Beats out the 2560 for performance too.

    1. Everyone says it but it works fine in my Arduino Uno clone. No mysterious crashes or lockups, as it happens with other usb-serial contraptions sometimes. Is that some noobs who happen to have old Windows (8 detects it automatically) and can’t install drivers by themselves?

      1. The ch340g is just a rs232 device. Nothing more nothing less. The cy7C6521 from cypress can do the rs232 stuff and so much more. It’s just a matter of configuration. I trust cypress more than any other place in China. Remember the fake FTDI devices, it started in China.

        I am not saying its true, for all I know the ch340g chips are just a redone fake China FTDI device. I have not seen anything to prove it. It would not take much to re-function/redo the fake chips.

        I don’t hate the ch340g parts, I just think the cypress parts are better.

      1. Correction:
        The PSoC 4 prototyping kits have a USB to serial bridge
        The PSoC 5 prototyping kits have a USB to JTAG bridge

        I have had one each PSoC 4100 and PSoC 4200 sitting around after the software didn’t work a year ago so I just downloaded the latest version and I will see how that goes.

      1. That one seems to be an entirely different architecture. I haven’t played with it at all yet. Even the 4, I stumbled on by accident due to it being cheap and the manual saying it cannot be read. I’m still documenting PSoC4 registers. I’ll be publishing a manual on hidden registers in there soon.

  6. Cypress are not unique in having hidden, un-debuggable ROMs, but the ones I’ve seen are only used for bootloaders. Some Luminary/TI Cortex-Ms had the firmware libraries in ROM, but those were not hidden, and seemed to be implemented as actual ROM.

    1. This one is actual ROM too. The HaD article is slightly wrong here (perhaps my write-up wasn’t clear).

      The persistent rootkit I propose lives in flash not SROM. If you mark an area of flash as “reserved for supervisor,” the “Whole chip erase” command does not erase it, and user cannot read, write, or erase it normally either – like it doesn’t exist, so the rootkit can live there easily. In a chip that has a whole 8k of hidden flash, this is plenty of room for a rather large chunk of code. On a chip with no hidden flash (like some 4100-series chips), the user might notice having 32512 bytes of flash instead of 32768. Or perhaps not (rootkit can intercept those write api and pretend to read and write).

  7. Considered ‘uncool’ within industry circles. What’s more important, your urge to prove extreme cleverness, or the livelihoods of the countless individuals placed at risk?

    1. False choice and, frankly, emotional blackmail.

      Tinkering like this no more puts the livelihoods of countless individuals at risk any more than mom and pop repair shops put car dealerships out of business.

    1. You’ve missed that opportunity, denis.

      Wait until you go commercial with 6-months worth of ‘secured’ firmware, and see how you feel when several Chinese knock-offs turn up on Alibaba.

      Go Away, yourself!

      1. In the day and age we live in this is inevitable, if you didn’t have the foresight to see that coming and put measures in place to prevent it either by marketing or some technical means you’re the problem. China isn’t going anywhere and has to be factored into the business model. And chastising folk on here most certainly isn’t going to affect China’s ability to clone your product. Moreover such full disclosure allows a business to defend against this attack vector in a product which Chinese engineers are likely already aware of.

  8. Data sheet: “SROM cannot be read.”
    Home hacker: “Really, says who?”

    Red rag to a bull in my opinion, and I’m happy that Dmitry has prevailed, because some day, when Cypress have gone out of business, someone will have one of these chips and a requirement to investigate some odd behaviour, and now the documentation is “out there” for that someone to do so.

    We have too many proprietary black boxes these days, and the secrecy ultimately only serves to hurt people in the end. Having it programmable means that had someone with more nefarious goals in mind stumbled on this first, you could have deliberately rootkitted ARM controllers in the wild doing who knows what. The fact also remains that humans made the SROM code in the first place, and while it ought to be of a reasonably high standard, bugs can sometimes creep in.

    This opens the door to someone going in and restoring things back to intended operation.

    1. Another hollow attempt at justification. We all know that just about everything using this chip is going to be landfill by then even if there are mission critical assemblies that are using it in the first place and it would be both necessary and cost effective to doing any repair at that level. And even assuming that someone will know it can be done.

      Hypotheticals like this break down completely as soon as you look at them in any practical way.

      1. Give up… seriously… just give up… we’ve heard you iterate the same points before, and no just picking another challenger for the reprise is not going to improve your chances.

        Opinions are like arseholes… everybody’s got one… and we’ve seen yours flashed around much too often in this thread.

        1. good summary, he should just give up – but that is unlikely as do you notice that people with the most unreasonable position are the ones who stick to it the most in the light of other views?

          I agree that their code is proprietary – what that means is that you can’t copy it and sell it to other people, and not copy it and use it in another device you own.. Nobody in this post suggested that…
          However, if you buy it you should be able to do what you want with it, the same way that if I buy a novel I can burn it, put the pages in a different order, or read it upside down. Or write a review of it..

          Dmitry is doing a great job. And hopefully the type of work he does sends a message to places like Cypress – telling them that if they continue building things like this that can be transparently taken over and used against their customers – that one day they might be sued out of existence. ie if you build things knowing they have the massive security flaws that even a single (very competent) person can find, you are eventually going to be found liable..

          1. Secrecy on these sorts of matters ultimately has never helped anyone. Ultimately, the secret will get out. You cannot put the genie back in the bottle once it’s out.

            Now, do we want it shared openly, levelling the playing field? Or do we want it shared in secret, possibly between people with bad intentions? A good example of the latter would be these IoT dolls… Hello Barbie let’s go Stasi indeed! Those sorts of vulnerabilities need to be documented publicly for the greater good. Cypress SROM? Who knows what secrets are lurking? Unlikely to be something so nasty, this code should be well vetted and tested, but then again, we’re dealing with the bottom-of-the-range chips here.

            As for Cypress’ rights, copyright adequately covers distribution of the SROM firmware. The SROM will be licensed to users of the Cypress SoCs, the code won’t be validly licensed anywhere else. The code is useless on an LPC810, so why the secrecy? “Look but don’t touch” is fine … document it, point out that messing with this stuff will void warranty, and move on.

            Reading above, I see mention that it is an actual ROM… not flash, so reprogramming it could be difficult… but the fact we can get at it does mean it is open to peer review… which is usually a good thing. Sure it can take some time (e.g. Shellshock took decades to find), and the clean-up can be messy (e.g. Heartbleed), but in order to start the process, we first must identify the problem, and we can’t do that unless people actively investigate it.

            That said, some will blindly argue for intellectual property rights … which are a flawed concept in many ways because you cannot be forced to leave the relevant neurons at the door (by reasonable means) when you leave a company, you can only promise to not consciously use that information in future work. Most will honour that promise, some will unwittingly slip up and the odd few will disregard any such agreement and spill the beans anyway.

            IP laws are helpful to individual inventors just starting out, if and only if they can afford to defend their patents, many cannot. If the foe is big enough, they’ll just ignore you anyway. A good example being the development of wideband FM: https://en.wikipedia.org/wiki/Edwin_Howard_Armstrong#Wide-band_FM_radio

        2. I have no intention, you don’t like what I am writing? Too damned bad. If I have to live with the eventual fallout from these actions I’ll air my opinions over them.

          1. At the end of the day, if I buy something, it’s mine. I’ll do whatever the hell I feel like with it in spite of any laws people attempt to pass to limit my rights. The *ONLY* case where people could have a legit right to bitch is when I try to sell or distribute modified code that didn’t belong to me.

            Am I saying I’m willing to disregard imaginary property legislation, the DMCA, license agreements, and hurt feelings from the OEM? You betcha. And I’ll sleep just fine no matter how much you decide to whine about it.

            What was performed here is no worse than a firmware patch for your car. Can the manufacturer refuse to support it and void my warranty? Sure. Can they try to have me arrested for modifying my own car? No, they can go f**k themselves. Chances are, if you care about voiding your warranty…. you’re on the wrong site.

          2. For a bunch of folks that seem smart it just doesn’t sink in for some reason. No it’s not illegal (in most cases) to do a firmware patch for your car. Screw with the emissions settings in some jurisdictions, and it is. But the end game is that if enough people do start to do this sort of thing, or more likely have it done by a third party, and it will and the locks will get tighter and the sanctions will get harsher. Worse the utility of the device will get compromised or limited, and we know this will happen because it already has in some instances. This is what you want?

          3. Hey Idiot American. Your government and corporations can suck my d$#k. Fuck USA telling people what they have the “right” to do and not do. Thoughts aren’t property.

          4. And you DV82XL do not seem to get, that if they want to make sanctions harsher, it does not matter if someone has tampered with whatever example scenario you want to apply it to. Besides, I bet Cypress has already done things differently in newer families, making it harder to hack, so they already made the locks tighter.

            I have a better example here for you: Would you like your online banking to have a hole in it and no one telling you that?

            Right now DV82XL, you are being a spambot, we heard you, we don’t agree with you.

          5. @ jii – “Right now DV82XL, you are being a spambot, we heard you, we don’t agree with you.”

            Right. I love how those that take an ascendent tone on freedom of actions are so quick to demand that those that do not share their opinions stop objecting. That is usually the sign of some hypocrite that doesn’t want to look too closely at their own beliefs, and is uncomfortably aware how weak their rationalizations are.

          6. “Don’t try to open the door, because if you do, they’ll lock it harder and you won’t be able to open the door!” Do you even read what you’re writing? Your brain has turned into ROM I’m afraid.

          7. No, don’t run off at the mouth and show others or they will lock the door harder or worse make it difficult for those with legitimate keys to get in.

          8. @Dmitry – Rereading the first paragraph I can see how it could be interpreted that way. I understood it as presenting an opportunity for doing exactly what you eventually did. In my defence, you hardly emphasized the security aspect.

          9. @some guy – Even if, and this aspect was hardly emphasized, it still doesn’t make my stated concerns less valid, in fact it elevates them in some instances.

          10. DV82XL
            You are the only one here spamming your opinion, so maybe re-evaluate your own weak rationalizations. Take a look how many posts here are yours and replies to you. I guess you just can’t accept that people don’t agree with you and you just can’t let one or few posts speak for themselves, but you keep posting over and over and over again.

            It’s fine that we don’t agree and you can keep your opinion, but the spamming is way out of line already.

            And nice way to not reply to what I said, but just attack me personally. Way to go dude.

      2. I’m not sure you should dismiss the security argument so easily. In general, we consider the white hat hackers necessary to prevent the black hats from running roughshod over all our systems. Whether this particular system is mission-critical is not relevant to the broad importance of identifying and disclosing vulnerabilities. Security researchers should be allowed to probe the weaknesses of any system when the purpose is to improve the security of that system. While it is true that a lock is not an invitation to break in, a bad lock should be identified and replaced. Otherwise we get security theater instead of actual security.

  9. Great Job Dmitry, don’t pay attention to the one person making the comments a chore to read. I prefer to know if there are security holes in my devices, and there is never a good argument against obtaining that information. Besides, problems can only be fixed if they are known. Keep up the good work.

  10. I do wonder VK4MSL just how understanding you would be if the amateur radio frequencies were overrun with unlicenced activity by people exercising rights that they arrogated to themselves by whim.

    1. It’s different because that would do harm to the usability of amateur frequencies. Breaking firmware security only the bad people that felt something had to be hidden in the first place. We need to break more firmware security to show companies that they cannot create restrictions on our freedoms in support of their private profit.

      1. @ Redhatter (VK4MSL) – So am I to assume you are happy about this state of affairs on the bands, and are leaping to the defence of those doing such things? Don’t bother to answer, it’s a rhetorical question

        1. The difference being… the end user does not own the radio bands. They can do what they like inside a Faraday cage, they can even share the results of what they did in that Faraday cage. They own the equipment … they can do what they like with it.

          They have the responsibility to use that equipment in accordance to the relevant legal restrictions. Me swinging my fists isn’t a crime. Me letting one of my fists make airborne contact with your nose is — we call that assault. So long as my fists and your nose are sufficiently separated… I can swing them around all day long.

          As it happens, unscrupulous vendors market low-end “commercial” two-way radios as “CB radios”, and they fall into the hands of unlicensed bargain hunters. Usually, we help such people get foundation licenses, and the problem then evaporates. It’s not like those sets can do much damage anyway. That or they get bored with the fact that they can’t get to their “CB mates” on those bands… and disappear of their own accord.

          If they occupy a small simplex frequency in some locality, and not cause problems, is this an issue? I’m not a radio inspector. The law states that I as a licensed operator may not make contact with an unlicensed station unless for emergency purposes. If they do it regularly enough or cause problems, we can make a complaint to the ACMA. If they don’t cause problems, then why bother?

          Sometimes, people see XYZ wireless widget, and decide to import them, then we find them smack bang in the middle of one of our bands. 433MHz being a favourite: people think it’s an ISM band — it isn’t. People think it’s “unlicensed”, it isn’t. However, such devices were imported whilst the ACMA was asleep at the wheel, and so now we put up with them. Not a problem that CTCSS can’t fix.

          Not a great situation… but not a lot we can do about it either. In general though, it is rare that someone like this causes true problems. Unlicensed car drivers cause more issues.

          Similarly, these parts… people buy them, they can do what they like with them. Yes, there’s a responsibility to ensure that what they are doing does not do harm to others. The probability of such research causing life-threatening damage is small, as the ROM in question is not writeable. Flipping a bit is not going to turn a $5 dev board into a bomb that blows up a large city. Changing that ROM (if it were possible) or exploiting it to change firmware within the chip is not illegal if the person owns the device — but in doing so, they assume responsibility for what may occur. No different to if they de-solder the chip and put on a fresh one with their own firmware. Even if Cypress’ firmware protections were perfect … they can not prevent a chip from being replaced.

          Tinkering with these hidden parts is also liable to void any warranty Cypress may have in supporting those that do. Commercial enterprise is unlikely to do this for the simple matter that such warranties are generally considered worth having.

          The warning here is to people who rely on Cypress’ firmware to keep their code safe. The point being: it won’t. This is something their customers need to know, and while it’d be nice if Cypress had a fix out in new batches before this flaw had been revealed… it is at least out in the open. They’ll likely work on exactly how this is exploited, develop a fix, release it in the next production run. Everyone benefits.

    2. Oh, there is a major difference here. Radio frequencies are a form of common good, where amateurs tend to be very conscious about each other’s equality of rights to aether. There is no profit (financial or otherwise) to be made by deliberately being an a*hole on RF. Whereas this hack is an example of power user versus a corporation, where the user wants full control of his possession, and the corporation just wants to protect the revenue stream. How do you like the world with chipped filament cartridges, consoles that suddenly become incapable of running Linux, laptops with whitelisted hardware? You argue that bragging too much about successful hacks tends to entice the big guys to tighten control. But how about if the market would simply control itself? Endless zero-day vulnerabilities disclosed by white hats contribute to overall safety. If you had a defective lock in your house that has been discovered to be very easy to pick, would you rather ask the discoverer to keep the mouth shut or have the lock improved?

    1. The fact that you guys can’t see the difference, or that you’re obstreperously ignoring it, is telling in itself. The right to read that code was not part of the purchase, nor was it implied. If it was it would not have been hidden.

      1. It would be illegal for him to modify the code, and then pass the chip off as original. It has been shown time and time again that IP rights do NOT apply to property that is for your own use. This has gone to the Supreme Court no less than 7 times, and each time it was the same. IP rights stop for personal use, continue for reselling.

        1. Do you grasp the argument I am making at all? Yes it would be actionable under law if he sold this information, but that does not mean he is granted a right to read the code simply by purchasing the chip.

      2. I would have no problem writing over it. Cypress has already stated that they have a need “to protect their IP”, and have not released any portable or open tools for their chips with a PLC area. If this reverse engineering work brings me closer to programming these boards via other means, I am all for it. Grats on burning your Saturday down, “grandpa”.

    1. Seriously I’m not trying to troll this thread, and for sure I am not making an effort here for laughs. But it’s clear that no one here wants to address this issue with anything more substantial than flimsy justifications, focus on the hack, never mind the implications. That is until they show up to bite you in the ass.

      1. Yes……. 7 Supreme Court rulings against your argument sure is “flimsy”. What kind of lawyer are you again? One that doesn’t know how to read the law of the United States of America?

        1. DV82 is not American. He is from The True North, living in an igloo and hunting polar bears for fun, just like me. Occasionally we get tired of shoveling snow and we are back to Hackaday, while fighting rabid beavers with our other hand. We get very boneheaded from the cold sometimes, so please excuse us. Au revoir, the snow is piling up again.

      2. Well for someone who isn’t trying to do a thing you are doing a _hell_ of a job of doing that thing. It’s not that nobody wants to address the issue, it’s that they have addressed the issue over and over again and they keep coming to a conclusion that you don’t like. You yourself have offered nothing more substantial than flimsy justifications for your own corporatist view (except let’s not forget “if you use those rights you think you have they’ll get taken away”).

        I am not a zealot on this but frankly if someone sells me a black box with a window covered by a piece of tape and a label that says DO NOT LOOK THROUGH WINDOW, I am the kind of contrarian old coot who will look through the fucking window just to spite the asshole who made the label. What [Dmitry] did was both awesome and legal. It might have been over the edge if he’d published the hidden code, but all he published was the method by which he unhid it. If you make that illegal, you can make breathing illegal. There has to be a limit to the power the law can claim. Otherwise there is no such thing as freedom at all.

        1. “I am not a zealot on this but frankly if someone sells me a black box with a window covered by a piece of tape and a label that says DO NOT LOOK THROUGH WINDOW, I am the kind of contrarian old coot who will look through the fucking window just to spite the asshole who made the label”

          Well that says it all doesn’t it? The fact that the bulk of those here will agree with you just shows as I stated at the beginning, this is moral and ethical bankruptcy of breathtaking proportions. It doesn’t matter, this is not a fight you’re going to win in the end because I’m not the one you’re going to be fighting.

          1. So looking at something is a “moral and ethical failing of breathtaking proportions?” You need to take a chill pill and try for a sense of perspective. [Dmitry] showed us that it was possible to make rootkits for a device nobody thought that would be possible for. That is an extremely valuable thing to know. He didn’t publish either his rootkit code or the code he uncovered, only the fact that it _could_ be uncovered and a general description of what he found and what it made possible. If you make that illegal, then pretty much nothing is legal. You have consistently failed to address this criticism of your own point of view. If we cannot exercise freedoms because we fear losing them, then we have already lost or never had those freedoms.

          2. No, no, and no again. It is not the act of looking that is at issue here, it is (quite frankly) bragging about it and showing others how that is. You can’t reframe these aspects as some exercise of rights and freedoms as they will cause repercussions that will have a deleterious impact on everyone else. And again, it is not just this one single instance that will be the proximate cause when it hits the fan, but the sum of them. Given that already we have seen the utility of some devices to legitimate users reduced or the annoyance of using them go up by DRM that was inflicted on us largely due to abuse by others of these sorts of hacks, or the assumed threat they represent, I think I have a valid concern.

          3. What some of us are trying to convey is we don’t view it as unethical to look through the window. Just because someone tells you to do something, doesn’t mean it’s a reasonable request.
            In this case, the label/window hides some information about the box from me, information that could be important to me as the user of the box. It might even obscure something about the box that could make it dangerous (a backdoor) or reveal that I was defrauded by the manufacturer (VW scandal).
            Therefore I see the individual right of control over one’s belongings as more important than the right of businesses to obscure elements of the objects they sell me to protect their intellectual property.
            So I hope you’ll remember before calling people ethically bankrupt that some of us have strong ethical beliefs, they just differ from yours.

          4. So you think it’s just peachy that when someone who isn’t as ethical as Dmitry roots the keypad controller in your phone to turn it into a key logger, that none of us will even know it’s possible because people like Dmitry were circumspect enough not to brag about the weaknesses they found?

            As I said upthread I happened to watch Zer0Days last night. We need people like Dmitry, and we need them to feel empowered to explore the devices we depend on. Because without them we are all hosed.

          5. @localroger – we have long been hosed in that regard anyway now, we don’t leak data about ourselves anymore – we hemorrhage it. That horse bolted the barn long ago. At this juncture all I want is not having to use devices and services that assume that I am a potential criminal. In the end you are playing right into the hands of those you are fighting and every win like this is a small precursor to a greater loss and the tragedy is that few of you see it.

          6. @DV8, it’s not that we don’t see what you “see.” It’s that we see PAST it. Hiding in fear is never the correct answer. Knowledge is always better than ignorance. Resistance is always better than passive acceptance. If there is a thing in your hand you supposedly own with a label that says DO NOT REMOVE, there is never a good reason not to remove the goddamn label, because more than half the time it’s there to hide the fact that the damn thing is poisoning you.

          7. @localroger – That is pure unadulterated sophistry and I am pretty sure you know it is. Look, this is not an issue of freedom any more than it is an issue of rights or civil disobedience against repression, and it is ludicrous to frame it as such as a justification. Indeed it is what you previously wrote: peeping behind a closed curtain because it is there and someone has made it clear they do not want you to look. That’s all it is here, and little else. Is there, as the OP claims, a security vulnerability being exposed? Perhaps, but this was certainly not emphasised to the degree I have seen elsewhere when this was the primary motivation. But I’ll let that go because it hardly matters as in the end this is just as hollow a justification in this instance as yours are because I don’t believe that was the reason he mounted the attack.

          8. @DV8: Indeed it is what you previously wrote: peeping behind a closed curtain because it is there and someone has made it clear they do not want you to look. That’s all it is here, and little else.

            And what else is necessary? If you put a lock on a door, people will tug on it. If that lock is defective people will go through the door. That is what happened here. Is tugging on the lock criminal? Laws and laws and laws say no. It certainly would be criminal to steal stuff from beyond the door. Might even be bad to make duplicates of the key should you be able to. But to say “Hey, there’s a place with a lock that just gives when you tug on it?” We cannot make it illegal to say that, because then it will be pretty much illegal to say anything at all. If you’re afraid of losing a freedom because you used it, you do not have that freedom anyway.

  11. OK this is my final word on the matter, nothing I write is going to change minds here anyway. Like it or not there is and always has been a moral and ethical ambivalence surrounding this kind of hacking even when it is technically within the letter of the law. It has been my observation that at least among those that code, that their perspective on this matter has always been a reflection of what end of the stick they find themselves on at any given time. Absolutes are in very short supply it would seem.

    Regardless, in this and similar matters it is necessary to look beyond the moment and consider the repercussions of any act, and not only the immediate impacts of the act itself but how it fits into a larger picture. The bald fact is that things are far worse now in the domain of intellectual property than they were when code began to be a consumer product, and a very large part of that reason was the conflict that developed from small individual acts like this. Justifications abounded then as they do now, but the bottom line is that the user’s experience has only worsened in many small and large ways, and several of their rights and freedoms in this domain have been restricted.

    Furthermore the trend towards data mining as a business model in exchange for information services is a direct result of any other revenue stream having been rendered unusable due to the actions of those that would use the cracks and hacks (done of course with the highest moral and ethical motivations) to get something without paying for it.

    We reap what we sow. This is a conversation this community needs to have – seriously considering what impacts your behavior is going to have down the line, not just in terms of harsh laws, but in terms of the broader culture that your actions are creating. I don’t have the answers, but I think there is value in considering the questions.

    DV8 2XL

    1. We reap what we sow. This is a conversation this community needs to have

      Well, I think we have actually had that conversation, and your problem is that we have pretty much come down on a conclusion you don’t like. Data mining isn’t a problem because hackers stole the keys to the bit torrent. It’s a problem because corporate actors are evil and they will do it anyway if they can. And they are evil for a reason; their corporate charter REQUIRES them to be evil, to literally put their shareholders’ stock prices above any other interest such as life, health, or ethics.

      And of course those evil corporate actors don’t like the stuff people like [Dmitry] do. Well I say to them, eat socks. We mortals only find out what the ratfuckers are doing to us thanks to people like [Dmitry]. Did I mention that I saw Zer0Days yesterday? We need these hackers. Yeah we might already be hosed, but without them we wouldn’t even know that we ARE hosed.

    2. Based on proprietary information that has been shared with me as part of my employment over the years, the data mining increases margins, not “recovers them when others are rendered unusable”. Companies with perfectly good incomes are adding data mining to increase their cut of the pie, and good deeds and instruction following persuade them they should be trying to get away with more, not less. If a player never gets a foul, they are considered too timid and get replaced. The “fouls” are how they find the boundaries of their freedoms, and honestly, they expect us to do the same. That reciprocality is both a significant basis for their claims to need protections, and the claims that (some of them) make that they are not impinging upon our freedoms.

      Of course, now that they have found how far they can go with that, we’re starting to see a new generation that do not even attempt to justify the moral aspect, and state boldly that it is simply more profitable. The most horrifying examples thereof are in pharmaceuticals, however, and not in consumer devices.

  12. @DV82XL You keep saying that people have a flimsy justification. No one has to justify anything. No laws were broken, no morals were broken. People have the right to look at the code that runs on their devices. Your false assumption that they don’t is what is wrong here.

    The company didn’t even say to users please don’t look in this box, they assumed that it was too hard to look into and now it isn’t. This doesn’t expose that Dmitry was wrong to figure out and tell people how to open that box, it exposes that Cypress were wrong to assume that it couldn’t be looked into, and possibly not protecting their customers enough.

  13. I once discovered a way to turn on the hidden FM radio in most phones including the N*k*a 110.
    It’s even possible with a malformed SMS, to “toggle” the radio for 0.1 seconds as the sensor for the headphones is in software so it “blips”. If anyone wants to know more please PM me.

  14. I wonder about all this binned hardware. How much electricity do those parts that aren’t even enabled consume? How much money does that cost the end users? Probably not much individually but add it all up for everyone… I’m guessing a lot. How much CO2 is released to produce that electricity? On our warming planet! How much non-renewable fuel is consumed making that electricity?

    Just so some corporations can make a higher profit? How is that moral?

  15. Dmitry. Thanks for sharing your research!!! It’ll make awesome reading on the train tomorrow. Oh, and I love the reference to aleph one. ;-)
    HaD. It’s gems like this that make my day! Thanks for posting!! :-)

  16. Elephant in the room! This is about politics. Corporations and individuals are part of the state. The state is a tool to negotiate (sometimes very violently) rights of both sides. The locked SROM as well as what [Dmitry] has done is part of the conflict between the capital and the labor.

  17. Dear HaD, It would be swell to have a voting system in the reply section that people or better yet, the author could mark comments as relevant to the article. That way the reader could filter for useful information and not be clouded by a flame/moral/troll war.

  18. This seems like such an uncontroversial topic that would have only attracted a handful of comments any other day. I suppose it’s down to being both quite technical and such a well done article that it’s hard to contribute much signal beyond “Good job, Dmitry!”, which allowed the noise to so dominate the comments.

    Still, even if I can’t contribute much signal: Good job, Dmitry! It was a terrific write-up of some terrific work, and you should be proud of it. I really enjoyed reading it, and learned some concepts and approaches that I think will be genuinely useful to me in the future.
