Pull Passwords Out of Silicon

[q3k] got tipped off to a very cool problem in the ongoing Pwn2Win capture-the-flag, and he blew it out of the water by decoding the metal interconnect layers that encode a password in a VLSI IC. And not one to rent someone else’s netlist extraction code, he did it by writing his own.

The problem in the Pwn2Win CTF came in the form of the design files for a hypothetical rocket launch code. The custom IC takes an ASCII string as input, and flips a pin high if it matches. Probably the simplest way to do this in logic is to implement a shift register that’s long enough for the code string’s bits, and then hard-wire some combinatorial logic that only reads true when all of the individual bits are correct.

(No, you don’t want to implement a password-checker this way — it means that you could simply brute-force the password far too easily — but such implementations have been seen in the wild.)

Anyway, back to our story. After reversing the netlist, [q3k] located 320 flip-flops in a chain, suggesting a 40-byte ASCII code string. Working backward in the circuit from the “unlocked” pin to the flip-flops, he found a network of NOR and NAND gates, which were converted into a logic notation and then tossed into Z3 to solve. Some cycles later, he had pulled the password straight out of the silicon!

This looks like a really fun challenge if you’re into logic design or hardware reverse engineering. You don’t have to write your own tools to do this, of course, but [q3k] would say that it was worth it.

Thanks [Victor] for the great tip!
Featured image by David Carron, via Wikipedia.

15 thoughts on “Pull Passwords Out of Silicon

      1. Yes, you buy one of those crossword books and there’s only about 300 unique clues total, by the time you’ve done the first 10 puzzles, the only thing stopping you filling them in faster is writers cramp.

    1. Im propably cutting corners here (not even read the source). But a shift register gets the key presses in sequence, puts em on a bus(databus) and apparently some nor and nand gates result into either no(low) or succesfull (high) trigger pin. Ttl login, 40xx or 74xxNN primers might give you an idea.put those yellybean parts in silicon and you got yourself a custom chip. Why use an arduino when a 555 timer and some 74ls?? Coild do it? Or even more crazy, just some transistors?

  1. > Probably the simplest way to do this in logic is to implement a shift register that’s long enough for the code string’s bits, and then hard-wire some combinatorial logic that only reads true when all of the individual bits are correct.

    That isn’t the simplest route. Have a 9b counter which counts through the sequence, and as each digit is entered, sets a buried flop to “mismatch” if bit N is wrong. Once the counter gets 320 bits, if the mismatch bit is not set, then output “match”. 10 flops total, instead of 320.

    The shift register is the easiest solution if your chip accepts a continuous string of bits and wants to output a signal if there is a matching substring anywhere in that sequence.

  2. I like the other post better about the guy who pulled a password a magneticly held password with a crt, when he plugged a hard drive into an old Pc and did a sector read and read the password off his screen

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.