SUPERCON 2022: Kuba Tyszko Cracks Encrypted Software

[Kuba Tyszko] like many of us, has been hacking things from a young age. An early attempt at hacking around with grandpa’s tractor might have been swiftly quashed by his father, but likely this was not the last such incident. With a more recent interest in cracking encrypted applications, [Kuba] gives us some insights into some of the tools at your disposal for reading out the encrypted secrets of applications that have something worth hiding.  (Slides here, PDF.)

There may be all sorts of reasons for such applications to have an encrypted portion, and that’s not really the focus. One such application that [Kuba] describes was a pre-trained machine-learning model written in the R scripting language. If you’re not familiar with R, it is commonly used for ‘data science’ type tasks and has a big fan base. It’s worth checking out. Anyway, the application binary took two command line arguments, one was the encrypted blob of the model, and the second was the path to the test data set for model verification.

The first thing [Kuba] suggests is to disable network access, just in case the application wants to ‘dial home.’ We don’t want that. The application was intended for Linux, so the first port of call was to see what libraries it was linked against using the ldd command. This indicated that it was linked against OpenSSL, so that was a likely candidate for encryption support. Next up, running objdump gave some clues as to the various components of the binary. It was determined that it was doing something with 256-bit AES encryption. Now after applying a little experience (or educated guesswork, if you prefer), the likely scenario is that the binary yanks the private key from somewhere within itself reads the encrypted blob file, and passes this over to libssl. Then the plaintext R script is passed off to the R runtime, the model executes against the test data, and results are collated.

[Kuba]’s first attack method was to grab the OpenSSL source code and drop in some strategic printf() function calls into the target functions. Next, using the LD_PRELOAD ‘trick’ the standard system OpenSSL library was substituted with the ‘fake’ version with the trojan printfs. The result of this was the decryption function gleefully sending the plaintext R script direct to the terminal. No need to even locate the private key!

Continue reading “SUPERCON 2022: Kuba Tyszko Cracks Encrypted Software”

New Product: The Raspberry Pi Debug Probe

It’s fair to say that among the new product launches we see all the time, anything new from the folks at Raspberry Pi claims our attention. It’s not that their signature Linux single-board computers (SBCs) are necessarily the best or the fastest hardware on paper, but that they’re the ones with meaningful decade-plus support. Add to that their RP2040 microcontroller and its associated Pico boards, and they’re the one to watch.

Today we’ve got news of a new Pi, not a general purpose computer, but useful nevertheless. The Raspberry Pi Debug Probe is a small RP2040-based board that provides a SWD interface for debugging any ARM microcontroller as well as a more generic USB to UART interface.

The article sums up nicely what this board does — it’s for bare metal ARM coders, and it uses ARM’s built-in debugging infrastructure. It’s something that away from Hackaday we’ve seen friends using the 2040 for as one of the few readily available chips in the shortage, and it’s thus extremely convenient to have readily available as a product.

So if you’re a high level programmer it’s not essential, but if you’re really getting down to the nuts-and-bolts of an ARM microcontroller then you’ll want one of these. Of course, it’s by no means the first SWD interface we’ve seen, here’s one using an ESP32.

Exploring The History Of EPROM In The Soviet Union

An article on the history of EPROMs in the Soviet Union by [Vladimir Yakovlev] over at The CPU Shack Museum caught our attention. It is part one of a series on the topic, and walks you through the earliest Soviet EPROMs families.

Early EPROM programmer using punched paper tape (Intel, Electronics Magazine 1971)

The first of which, from the 1970s, is the K505RR1 developed and manufactured in Kyiv, equivalent to the first-generation Intel 1702A. It could hold 2048 bits, organized as 256×8, and offered a whopping 20 reprogramming cycles and data retention of 5000 hours.

The narrative proceeds to introduce several subsequent generations, design facilities, manufacturing techniques, and representative chip examples. A few tidbits — unlike Western EPROMs, the Soviets managed to put quartz windows in plastic packages (see the KP573 family).

In addition to the common gray or white, they also used different terracotta colored ceramic packages. An odd ceramic flat-pack EPROM is shown, and also some EPROMs whose dies have been painted over and re-badged as OTP chips.

Intel began producing EPROMs in 1971 as reported by the inventor, Intel’s Dov Frohman-Bentchkowsky, in Electronics Magazine’s 10 May edition (pg 91). We learned, amongst other things, that the 1701 did not have a quartz window, but could still be erased by exposure to X-rays. A friendly word of warning — browsing electronics advertisements from 50 years ago can easily consume your entire morning.

Once the package is sealed, information can still be erased by exposing it to X radiation in excess of 5×104 rads, a dose which is easily attainable with commercial X-ray generators.

To dig deeper, check out the CPU Shack’s write-up on the history of EPROMs in general, and a piece we wrote in 2014 about the history of home computers behind the Iron Curtain.