The Chipwhisperer adapter plugged into a ChipWhisperer, with the STM chip mentiuoned soldered on

ChipWhisperer Adapter Helps Reverse-Engineer A Controversial Game Cartridge

February 1, 2023 by Arya Voronova 7 Comments

The ChipWhisperer has been a breakthrough in hobbyist use of power analysis and glitching attacks on embedded hardware. If you own one, you surely have seen the IDC and SMA sockets on it – usable for connecting custom breakouts housing a chip you’re currently probing. Today, [MAVProxyUser] brings us a ChipWhisperer adapter for STM32F446ZEJx, which comes in a UFBGA144 package – and the adapter has quite a backstory to it.

In retro gaming world, a crowdfunding campaign for a game called PAPRIUM has seen a huge success getting funded in 2017. However, the campaign has grossly underdelivered throughout the last five years, and out of those rare cartridges delivered to backers, quite a few have faulty hardware. Getting replacements isn’t realistic at this point, so the repair attempts and game preservation efforts have been ongoing. Trouble is – there are protection mechanisms against dumping the cartridges, and one of the protection mechanisms is the built-in flash read protection of the aforementioned STM32 found on the cartridge. This board adapts the chip to a ChipWhisperer interface for protection bypass exploration, and has quite a few configuration jumpers anyone facing a similar chip is able to use – Eagle files are out there as well, in case your chip needs a slightly different approach.

With reverse-engineering underway, are we likely to see this cartridge’s defenses fall? Our assessment is ‘yes’ – it’s not like there’s a shortage of mechanisms for bypassing security ; from modchips to EMP attacks to blasting the die with a laser, hardware-reliant security is, still, quite bypassable. All in all, despite the drama around the project, this is one more reference design for the ChipWhisperer, and a fun journey to look forward to.

A modchip described in the article - a small PCB with an epoxy blob on it, soldered to the Cisco switch PCB using four thin wires

Counterfeit Cisco Hardware Bypasses Security Checks With Modchips

February 1, 2023 by Arya Voronova 32 Comments

Some pictures recently surfaced on social media, showing a small PCB tapped into four points on Cisco-branded boards. What is this about? A NSA backdoor so data can be exfiltrated to some third party? Well, that’s theoretically possible, but it’s actually used for bypassing hardware authenticity checks in Cisco hardware being cloned — a sizable industry. Of course, “can’t believe it’s not Cisco” hardware is only valuable insofar that it’s able to run the Cisco software, and that’s where the bodge boards play a major role.

A 2020 report by F-Secure details an investigation, comparing three switches marked as Cisco 2960X – one known genuine and two known counterfeits. The counterfeits had the aforementioned implants either soldered to the bottom of the PCB or added to the board as a separate component, and the paper goes into why they’re important for successful counterfeiting.

Apparently, these chips emulate or bypass an I2C EEPROM containing part of the code executed during the boot sequence, and Cisco depends on this EEPROM’s contents for authenticity verification. Cisco software reads the EEPROM twice — once for verification, and once again for actually running it. The microcontroller included on the mod board can return a genuine binary with a valid signature on the first read, and a binary with hardware checks patched out for subsequent reads.

The paper will tell you about way more than this — it’s thorough yet captivating. As you’d expect, it devotes quite a bit of time to comparing genuine and counterfeit boards, showing that the cloning process is pretty to-the-T, save for some part substitutions. For instance, check out the PDF page 12 to see how via locations are exactly copied between PCBs in a bizarre way, or the Cisco file format and authenticity check analysis closer to the end of the report. All in all, the 38 pages of the document make for a fun foray into what makes Cisco authentication mechanisms tick, and what helps clone hardware makers bypass them.

Are such chips ever used for adding backdoors and data exfiltration? There’s no evidence of that, as much as that’s not to be excluded — bypassing anti-cloning protections would make other hijinks more viable no doubt, that said, only hardware authentication bypass measures were found so far. This mechanism also breaks during software updates, and absolutely, leaves some to be desired when it comes to its stated functionality. That said, such fun insights can help us, say, enforce right-to-repair, enable hardware reuse, and thwart many predatory business practices in areas where laws fail us.

The hack's author performing the operation described at his workdesk, with a separate camera window showing the acupuncture needles being used to touch the board points

Find SWD Points Quickly, No Extra Hardware Needed

January 31, 2023 by Arya Voronova 9 Comments

Say you’re tinkering with a smart device powered by a CPU that uses Serial Wire Debug (SWD), but doesn’t mark the testpoints. Finding SWD on a board — how hard could it be? With [Aaron Christophel]’s method, you can find the SWD interface on a PCB within a few minutes’ time. All you need is two needles, a known-to-be-ground connection, an SWD dongle of some kind, and a computer with an audio output. What’s best — you could easily transfer the gist of this method to other programming interface types!

The idea is simple: you wire the ground up, connect the needles to SWDIO and SWCLK, launch [Aaron]’s Python script, then start poking around all the unnamed test points. The script runs JLink software to probe for SWD devices attached to the probes — if an SWD interface isn’t found, it beeps idly, but as soon as the device is detected, your computer will start beeping at you in a lively manner. In this way, you don’t have to re-scan devices manually, solder to any test points except the GND one, or try and hold both probes on test points with one hand – the scanning process itself is hands-free.

Depending on how many points your board has and whether you try to optimize the process by probing points closest to the SWD pins on the CPU, you might hit the jackpot immediately, or you might have to poke around for a minute-two. That said, [Aaron]’s method seems to be the best you can do while remaining relatively extra-hardware-free, and if you want to make it a tinge more permanent, clothespins are there for you.

In case you don’t mind extra hardware – could we interest you in some 3D printed needle probe desks? There’s a wide variety of those, whether you’d like some tentacle-like ones, or ones that make your desk look like like an acupuncture table. Or, say, would you like a more automatic method of finding all kinds of debug interfaces? Then JTAGulator might be what you’re looking for.

Continue reading “Find SWD Points Quickly, No Extra Hardware Needed” →

Reverse-Engineering The Conditional Jump Circuitry In The 8086 Processor

January 27, 2023 by Maya Posch 13 Comments

The condition PLA evaluates microcode conditionals.

As simple as a processor’s instruction set may seem, especially in a 1978-era one like the Intel 8086, there is quite a bit going on to go from something like a conditional jump instruction to a set of operations that the processor can perform. For the CISC 8086 CPU this is detailed in a recent article by [Ken Shirriff], which covers exactly how the instructions with their parameters are broken down into micro-instructions using microcode, which allows the appropriate registers and flags to be updated.

Where the 8086 is interesting compared to modern x86 CPUs is how the microcode is implemented, using gate logic to reduce the complexity of the microcode by for example generic parameter testing when processing a jump instruction. Considering the limitations of 1970s VLSI manufacturing, this was very much a necessary step, and an acceptable trade-off.

Each jump instruction is broken down into a number of micro-instructions that test a range of flags and updates (temporary) registers as well as the program counter as needed. All in all a fascinating look at the efforts put in by Intel engineers over forty years ago on what would become one of the cornerstones of modern day computing.

Inside Globus, A Soviet-Era Analog Space Computer

January 23, 2023 by Dan Maloney 13 Comments

Whenever [Ken Shirriff] posts something, it ends up being a fascinating read. Usually it’s a piece of computer history, decapped and laid bare under his microscope where it undergoes reverse engineering and analysis to a degree that should be hard to follow, but he still somehow manages to make it understandable. And the same goes for this incredible Soviet analog flight computer, even though there’s barely any silicon inside.

The artifact in question was officially designated the “Индикатор Навигационный Космический,” which roughly translates to “space navigation indicator.” It mercifully earned the nickname “Globus” at some point, understandable given the prominent mechanized globe the device features. Globus wasn’t actually linked to any kind of inertial navigation inputs, but rather was intended to provide cosmonauts with a visual indication of where their spacecraft was relative to the surface of the Earth. As such it depended on inputs from the cosmonauts, like an initial position and orbital altitude. From there, a complicated and absolutely gorgeous gear train featuring multiple differential gears advanced the globe, showing where the spacecraft currently was.

Those of you hoping for a complete teardown will be disappointed; the device, which bears evidence of coming from the time of the Apollo-Soyuz collaboration in 1975, is far too precious to be taken to bits, and certainly looks like it would put up a fight trying to get it back together. But [Ken] still manages to go into great depth, and reveals many of its secrets. Cool features include the geopolitically fixed orbital inclination; the ability to predict a landing point from a deorbit burn, also tinged with Cold War considerations; and the instrument’s limitations, like only supporting circular orbits, which prompted cosmonauts to call for its removal. But versions of Globus nonetheless appeared in pretty much everything the Soviets flew from 1961 to 2002. Talk about staying power!

Sure, the “glass cockpit” of modern space vehicles is more serviceable, but just for aesthetics alone, we think every crewed spacecraft should sport something like Globus. [Ken] did a great job reverse-engineering this, and we really appreciate the tour. And from the sound of it, [Curious Marc] had a hand in the effort, so maybe we’ll get a video too. Fingers crossed.

Thanks to [saintaardvark] for the tip.

Take A Deep Dive Into A Commodity Automotive Radar Chip

January 17, 2023 by Dan Maloney 24 Comments

When the automobile industry really began to take off in the 1930s, radar was barely in its infancy, and there was no reason to think something that complicated would ever make its way into the typical car. Yet here we stand less than 100 years later, and radar has been perfected and streamlined so much that an entire radar set can be built on a single chip, and commodity radar modules can be sprinkled all around the average vehicle.

Looking inside these modules is always fascinating, especially when your tour guide is [Shahriar Shahramian] of The Signal Path, as it is for this deep dive into an Infineon 24-GHz automotive radar module. The interesting bit here is the BGT24LTR11 Doppler radar ASIC that Infineon uses in the module, because, well, there’s really not much else on the board. The degree of integration is astonishing here, and [Shahriar]’s walk-through of the datasheet is excellent, as always.

Things get interesting once he gets the module under the microscope and into the X-ray machine, but really interesting once the RF ASIC is uncapped, at the 15:18 mark. The die shots of the silicon germanium chip are impressively clear, and the analysis of all the main circuit blocks — voltage-controlled oscillator, power amps, mixer, LNAs — is clear and understandable. For our money, though, the best part is the look at the VCO circuit, which appears to use a bank of fuses to tune the tank inductor and keep the radar within a tight 250-Mz bandwidth, for regulatory reasons. We’d love to know more about the process used in the factory to do that bit.

This isn’t [Shahriar]’s first foray into automotive radar, of course — he looked at a 77-GHz FMCW car radar a while back. That one was bizarrely complicated, though, so there’s something more approachable about a commodity product like this.

Continue reading “Take A Deep Dive Into A Commodity Automotive Radar Chip” →

It’s Not Easy Counting Transistors In The 8086 Processor

January 16, 2023 by Maya Posch 15 Comments

For any given processor it’s generally easy to find a statistic on the number of transistors used to construct it, with the famous Intel 8086 CPU generally said to contain 29,000 transistors. This is where [Ken Shirriff] ran into an issue when he sat down one day and started counting individual transistors in die shots of this processor. To his dismay, he came to a total of 19,618, meaning that 9,382 transistors are somehow unaccounted for. What is going on here?

The first point here is that the given number includes so-called ‘potential transistors’. Within a section of read-only memory (ROM), a ‘0’ would be a missing transistor, but depending on the programming of the mask ROM (e.g. for microcode as with a CISC x86 CPU), there can be a transistor there. When adding up the potential but vacant transistor locations in ROM and PLA (programmable logic array) sections, the final count came to 29,277 potential transistors. This is much closer to the no doubt nicely rounded number of 29,000 that is generally used.

[Ken] also notes that further complications here are features such as driver transistors that are commonly found near bond wire pads. In order to increase the current that can be provided or sunk by a pad, multiple transistors can be grouped together to form a singular driver as in the above image. Meanwhile yet other transistors are used as (input protection) diodes or even resistors. All of which makes the transistor count along with the process node used useful primarily as indication for the physical size and complexity of a processor.