Cracking a SAM7XC cryptographic coprocessor


[Adam Laurie] spent time tearing into the security of the SAM7XC chip produced by Atmel. Even if he hadn’t found some glaring security holes, just reading about his methodology would be worth it.

The chip is used in a secure RFID system. The chip is added to the mix to do the heavy lifting required when using encryption. [Adam] grabbed a couple of open source libraries to put it to the test. The firmware is locked down pretty tight, but his explorations into the content of the RAM yield a treasure trove of bits. After investigating the sample code for the chip he’s shocked to learn that it uses RAM to store the keys at one point. The rest of his journey has him dumping the data and sifting through it until he gets to the “Master Diversification Key”. That’s the big daddy which will let him decrypt any of the tags used.

He reported his findings to Atmel in September of 2011. Their response is that they have no way of protecting RAM from exploit. [Adam] asserts that the problem is that the sample software wasn’t designed with the vulnerability of RAM in mind. The keys should never be stored there, specifically because RAM is vulnerable to being dumped from a running system.

AVR programmer made without a programmer

[blueHash] uses this cheap development board as an AVR programmer. What’s interesting to us is that it solves the chicken-or-egg problem that is usually encountered when bootstrapping a programmer. We’ve written about this issue before. Most programmers use microcontrollers, which first need to be flashed using a programmer. But it turns out the chip on this dev board has a DFU mode which gets around that conundrum.

He grabbed a uSD dev board for about $6. It’s got a crystal, an ATmega32u4 chip, and on the other side there’s a MicroSD card slot. We looked around and found an Atmel Datasheet (PDF) which describes the Device Firmware Upgrade mechanism. The AVR devices which support DFU are factory configured to use it. This dev board is designed to use DFU, so all [blueHash] needed to do was find and configure an ISP firmware package that worked with this chip.

Programming the XMEGA with an ISP

Atmel’s XMEGA series of microcontrollers are neat little pieces of hardware; with a very fast clock, a ton of IO, USB, and up to 8 UART ports, these neat little chips serve as a nice bridge between AVRs and PICs and the very powerful ARM chips coming out on the market. Unfortunately, the XMEGAs don’t use the extremely common ISP programming header found on just about every AVR dev board, making them a bear to program. [Szu] over in Poland came up with a very easy way to program these chips, all while using the programming hardware you already have on hand.

[Szu]’s build uses a few resistors and diodes to break out a USBASP connection to the XMEGA’s PDI interface. On the software side of things, [Szu] wrote an update to the USBASP firmware to allow it to program PDI devices, and also has a patch for AVRdude to allow uploading firmware from the command line.

A very cool build, and one that allows for very, very powerful devices that build on the AVR code you’ve already written.

Defense Against the Dog Arts

It’s possible that it was [Matt Meerian]’s awesome pun that won us over, not his ultrasonic bicycle dog defense system, but that would be silly. [Matt] wanted an elegant solution to a common problem when riding a bicycle: dogs. While obscenities, ammonia, water, pepper spray, and others were suggested, they all had cons that just didn’t appeal to [Matt]. He liked the idea of using CO2-powered high-pressure sound waves to chase the dogs away, but decided to choose a more electronic approach. He used an Atmel ATmega644 as the MCU, four 25kHz transmitters, and two 40kHz transmitters. When the rider sees a dog he simply flips a switch and it activates the transducers (along with, cleverly, a human-audible horn so he doesn’t have to look down to know it’s working). So far [Matt] has not had a dog chase him in order to test its efficacy, but his cat clearly seems unaffected by the device as you can see after the break.

Dell Streak screen repair yields a few welcome surprises


[Rupert’s] friend cracked the screen on his beloved Dell Streak 5 phone and handed it off to see if [Rupert] could repair it. He says that the glass replacement was a relatively straightforward affair – a process he documented in thorough detail worthy of iFixit.

He did come across a few interesting tidbits along the way, including an Atmel Mega168P hanging out on the broken screen’s digitizer board, which now resides in his parts bin. The most intriguing thing [Rupert] discovered however was that the phone’s on-board memory chip wasn’t soldered in as he would have expected. Instead, he found a standard microSD slot with a 2GB card in tow. He didn’t happen to have a larger card on hand, but after researching a bit he did find out that swapping the card is a relatively simple process.

If you happen to have one of these phones sitting around, or come across a damaged unit at any point, it definitely seems worth it to resurrect it and change the factory card out for something along the lines of a 32GB model. We certainly wouldn’t complain if we had a rooted 32GB Streak kicking around!

Half Keyboard, Half Guitar, Totally Radical, the Tabstrummer!

While tablature-based music probably annoys “properly” trained musicians to no end, it has given many musicians and musical hobbyists their first introduction to the world of guitar. The [Tabstrummer] takes this to a whole new level, allowing chords to be programmed into this instrument and played back. Once a pre-programmed chord is set, the “conductor-strings” are strummed to allow the chord to play.

This device is based around an Atmel microcontroller and features a MIDI output as well as an audio-out jack. Besides the interesting electrical hardware, the housing seems to be quite well-built, featuring what appears to be an acrylic or polycarbonate body. Although not quite the same thing, possibly some influence was gained from the [Keytar]. Its heyday may be past, but not forgotten.

Check out the video below for a Christmas-themed jam played on the [Tabstrummer] or check out their video page for several more songs. This “hack” is being considered as a commercial product, so the inventors would love to hear your feedback!

A study in AVR power saving techniques


[Scott] found the iCufflinks from Adafruit Industries pretty interesting, but he thought that the stated run time of 24 hours was a bit short. He figured he could improve the product’s power consumption at least a little bit, to improve the overall battery life.

From their schematics, he placed an order for parts and built two identical iCufflink mock-ups side by side – one running their code and one running his. He took baseline current draw measurements, then got busy slimming down the cufflinks’ software. It had been 20 years since he touched assembly, and he has never written it for an AVR, but judging by his work he’s not rusty in the least.

He slowed the ATtiny’s clock down and tweaked a few other settings for a savings of 53μA, but the real improvements came via a fairly simple fix. The original code called for the processor to institute a counting loop to sleep, which he found to be very wasteful. Instead, he chose to put the processor in an idle state, using the chip’s watchdog timer to wake it when it was time to pulse the LED. The power savings from this change alone was a whopping 261μA!

When all was said and done, the changes save about 315μA of current draw, and should allow the cufflinks to run for up to 38 hours without swapping batteries. In [Scott’s] opinion, a nearly 60% improvement in battery life is pretty good for a day’s work, and we’re inclined to agree.
