A modchip described in the article - a small PCB with an epoxy blob on it, soldered to the Cisco switch PCB using four thin wires

Counterfeit Cisco Hardware Bypasses Security Checks With Modchips

Some pictures recently surfaced on social media, showing a small PCB tapped into four points on Cisco-branded boards. What is this about? An NSA backdoor so data can be exfiltrated to some third party? Well, that’s theoretically possible, but it’s actually used for bypassing hardware authenticity checks in Cisco hardware being cloned — a sizable industry. Of course, “can’t believe it’s not Cisco” hardware is only valuable insofar as it’s able to run the Cisco software, and that’s where the bodge boards play a major role.

An unidentified IC on a different counterfeit Cisco board, with markings soldered off

A 2020 report by F-Secure details an investigation, comparing three switches marked as Cisco 2960X – one known genuine and two known counterfeits. The counterfeits had the aforementioned implants either soldered to the bottom of the PCB or added to the board as a separate component, and the paper goes into why they’re important for successful counterfeiting.

Apparently, these chips emulate or bypass an I2C EEPROM containing part of the code executed during the boot sequence, and Cisco depends on this EEPROM’s contents for authenticity verification. Cisco software reads the EEPROM twice — once for verification, and once again for actually running it. The microcontroller included on the mod board can return a genuine binary with a valid signature on the first read, and a binary with hardware checks patched out for subsequent reads.
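The double-read weakness described above, modelled as an added example (not code from the F-Secure report or from Cisco): a simulated EEPROM whose answers change after the first fetch, a boot flow that verifies one read and runs another, and the fix of verifying and running the same RAM copy. The blobs, the FNV-1a stand-in for signature verification and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMG_LEN 8
/* Constructed sample blobs: the signed original and a copy with one byte altered. */
static const uint8_t GENUINE[IMG_LEN] = {0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80};
static const uint8_t PATCHED[IMG_LEN] = {0x10,0x20,0x30,0x00,0x50,0x60,0x70,0x80};
static int genuine_reads_left;  /* interposer state: reads still answered with GENUINE */

/* Simulated bus read with a device sitting between the CPU and the EEPROM. */
static void eeprom_read(uint8_t *dst) {
    const uint8_t *src = (genuine_reads_left > 0) ? GENUINE : PATCHED;
    if (genuine_reads_left > 0) genuine_reads_left--;
    memcpy(dst, src, IMG_LEN);
}

/* FNV-1a digest; not cryptographic, only a placeholder for a real signature check. */
static uint32_t digest(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
static int verify(const uint8_t *img) {
    return digest(img, IMG_LEN) == digest(GENUINE, IMG_LEN);
}

/* Flawed flow: check one read, fetch again to execute.
   Returns -1 = boot refused, 1 = ran verified bytes, 0 = ran bytes never verified. */
int boot_double_fetch(int genuine_reads) {
    uint8_t buf[IMG_LEN];
    genuine_reads_left = genuine_reads;
    eeprom_read(buf);
    if (!verify(buf)) return -1;
    eeprom_read(buf);            /* time of use: not the bytes that were checked */
    return verify(buf) ? 1 : 0;
}

/* Hardened flow: one fetch into RAM; the copy that was checked is the copy that runs. */
int boot_single_fetch(int genuine_reads) {
    uint8_t buf[IMG_LEN];
    genuine_reads_left = genuine_reads;
    eeprom_read(buf);
    return verify(buf) ? 1 : -1;
}

int main(void) {
    printf("double fetch: %d\n", boot_double_fetch(1));
    printf("single fetch: %d\n", boot_single_fetch(1));
    return 0;
}
```

With a single fetch the interposer has only two outcomes: serve the genuine blob and have it run unmodified, or serve the altered blob and have boot refused.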

The paper will tell you about way more than this — it’s thorough yet captivating. As you’d expect, it devotes quite a bit of time to comparing genuine and counterfeit boards, showing that the cloning process is pretty to-the-T, save for some part substitutions. For instance, check out page 12 of the PDF to see how via locations are exactly copied between PCBs in a bizarre way, or the Cisco file format and authenticity check analysis closer to the end of the report. All in all, the 38 pages of the document make for a fun foray into what makes Cisco authentication mechanisms tick, and what helps clone hardware makers bypass them.

Are such chips ever used for adding backdoors and data exfiltration? There’s no evidence of that, though it can’t be excluded: bypassing anti-cloning protections would no doubt make other hijinks more viable. That said, only hardware authentication bypass measures have been found so far. This mechanism also breaks during software updates, and it absolutely leaves something to be desired when it comes to its stated functionality. That said, such fun insights can help us, say, enforce right-to-repair, enable hardware reuse, and thwart many predatory business practices in areas where laws fail us.

Perhaps It’s Time To Talk About All Those Fakes And Clones

A while back, I bought a cheap spectrum analyser via AliExpress. I come from the age when a spectrum analyser was an extremely expensive item with a built-in CRT display, so there’s still a minor thrill to buying one for a few tens of dollars even if it’s obvious to all and sundry that the march of technology has brought within reach the previously unattainable. My AliExpress spectrum analyser is a clone of a design that first appeared in a German amateur radio magazine, and in my review at the time I found it to be worth the small outlay but a bit deaf and wide compared to its more expensive brethren.

Is Your Device Actually USB 3.0, Or Is The Connector Just Blue?

Discount (or even grey market) electronics can be economical ways to get a job done, but one usually pays in other ways. [Majenko] ran into this when a need to capture some HDMI video output ended up with rather less than was expected.

Faced with two similar choices of discount HDMI capture device, [Majenko] opted for the fancier-looking USB 3.0 version over the cheaper USB 2.0 version, reasoning that the higher bandwidth available to a USB 3.0 version would avoid the kind of compression necessary to shove high resolution HDMI video over a more limited USB 2.0 connection.

The device worked fine, but [Majenko] quickly noticed compression artifacts, and interrogating the “USB 3.0” device with lsusb -t revealed it was not running at the expected speeds. A peek at the connector itself revealed a sad truth: the device wasn’t USB 3.0 at all — it didn’t even have the right number of pins!

A normal USB 3.0 connector is blue inside, and has both sets of pins for backward compatibility (five in the rear, four in the front) like the one shown here.

A USB 3.0 connection requires five conductors, and the connectors are blue in color. Backward compatibility is typically provided by including four additional conductors, as shown in the image here. The connector on [Majenko]’s “USB 3.0” HDMI capture device clearly shows it is not USB 3.0, it’s just colored blue.

Most of us are willing to deal with the occasional glitch or dud in exchange for low prices, but when something isn’t (and never could be) what it is sold as, that’s something else. [Majenko] certainly knows that as well as anyone, having picked apart a defective power bank module to uncover a pretty serious flaw.

Unmasking The Identity Of An Unusual Nintendo DS

The Nintendo DS family encompasses a dizzying array of portable game systems released over a span of 17 years. The original DS received several refreshes and special editions, and when the next generation 3DS came along, it spawned a whole new collection of spin-offs. But even among all those machines there’s a name that even Mario himself would never have heard of: the Nintendo DS ML.

In a recent video, [The Retro Future] says he discovered this oddball system selling for around $25 USD on Chinese shopping site Taobao and bought one so he could get a closer look at it. Externally the system looks quite a bit like the refreshed DS Lite, but it’s notably larger and the screens look quite dated. That was already a strong hint to its true identity, as was the placement of its various buttons and controls.

Note the conspicuous absence of Nintendo’s name.

But it wasn’t until [The Retro Future] cracked the system open that he could truly confirm what he had on his hands. This was an original Nintendo DS, potentially a new old stock unit that had never been distributed, which was transplanted into a custom enclosure designed to look like one of the later upgraded models. As for what this seller meant by calling this chimera the DS ML is anyone’s guess, though one of the commenters on the video thought “Maybe Legal” had a nice ring to it.

Now assuming these really are brand new systems that were simply installed in fresh cases, $25 is arguably a good deal. So long as you aren’t concerned with playing the latest titles, anyway. But at the same time it’s a reminder that you get what you pay for when dealing with shady overseas sellers. It’s just as likely, perhaps even more so, that these were used systems that got spruced up to make a quick buck.

Fake components are everywhere. In fact there’s an excellent chance most of the people reading this site have received some fake parts over the years, even if they didn’t realize it at the time. When there are fly-by-night companies willing to refurbish a nearly 20 year old Nintendo handheld for $25, what are the chances that Bosch actually made that $2 temperature sensor you just ordered on eBay?


STM32 Clones: The Good, The Bad And The Ugly

Whenever a product becomes popular, it’s only a matter of time before other companies start feeling the urge to hitch a ride on this popularity. This phenomenon is the primary reason why so many terrible toys and video games have been produced over the years. Yet it also drives the world of electronics. Hence it should come as no surprise that ST’s highly successful ARM-based series of microcontrollers (MCUs) has seen its share of imitations, clones and outright fakes.

The fakes are probably the most problematic, as those chips pretend to be genuine STM32 parts down to the markings on the IC package, while compatibility with the part they are pretending to be can differ wildly. For the imitations and clones that carry their own markings, things are a bit more fuzzy, as one could reasonably pretend that those companies just so happened to have designed MCUs that purely by coincidence happen to be fully pin- and register compatible with those highly popular competing MCU designs. That would be the sincerest form of flattery.

Let’s take a look at which fakes and imitations are around, and what it means if you end up with one.

Deep-Sleep Problems Lead To Forensic Investigation Of Troublesome Chip

When you buy a chip, how can you be sure you’re getting what you paid for? After all, it’s just a black fleck of plastic with some leads sticking out of it, and a few laser-etched markings on it that attest to what lies within. All of that’s straightforward to fake, of course, and it’s pretty easy to tell if you’ve got a defective chip once you try it out in a circuit.

But what about off-brand chips? Those chips might be functionally similar, but still off-spec in some critical way. That was the case for [Kevin Darrah], which led to his forensic analysis of potentially counterfeit MCU chips. [Kevin] noticed that one of his ATMega328 projects was consuming way too much power in deep sleep mode — about two orders of magnitude too much. The first video below shows his initial investigation and characterization of the problem, including removal of the questionable chip from the dev board it was on and putting it onto a breakout board that should draw less than a microamp in deep sleep. Showing that it drew 100 μA instead sealed the deal — something was up with the chip.

[Kevin] then sent the potentially bogus chip off to a lab for a full forensic analysis, because of course there are companies that do this for a living. The second video below shows the external inspection, which revealed nothing conclusive, followed by an X-ray analysis. That revealed enough weirdness to warrant destructive testing, which showed the sorry truth — the die in the suspect unit was vastly different from the Atmel chip’s die.

It’s hard to say that this chip is a counterfeit; after all, Atmel may have some sort of contract with another foundry to produce MCUs. But it’s clearly an issue to keep in mind when buying bargain-basement chips, especially ones that test functionally almost-sorta in-spec. Caveat emptor.

Counterfeit parts are depressingly common, and are a subject we’ve touched on many times before. If you’d like to know more, start with a guide.


X-Ray Sleuthing Unveils The Fake In Your Adaptors

Let’s face it, the knock-off varieties of our favourite adaptors, cables and accessories are becoming increasingly challenging to spot. We would be the first to admit to having, at some point, been stumped by a carefully crafted counterfeit, failing to spot the tell-tale yet elusive indicators such as the misplaced font face, the strategically misspelled logo or perhaps the less polished than expected plastic moulding and packaging. When you finally come around to using it, if you are lucky the item is still more or less functionally adequate; otherwise, by now the inferior performance (if not the initial cost!) will have made it pretty obvious that what you have is in fact a counterfeit.

[Oliver] recently found himself in a similar situation, after acquiring a seemingly original Lightning to Headphone Adaptor. Rather than dismay, [Oliver] decided to channel this energy into an excellent forensic investigation to uncover just what exactly made this imitation so deceptive. He began by comparing the packaging, printed typeface and the plastic moulding, all of which gave very little away. [Oliver] concluded that at least superficially, the clone was rather good and the only way to settle this was to bring out the X-ray, of course!

The resulting images of the innards make it blatantly obvious as to why the adaptor is indeed very fake. For a start, compared to the original adaptor, the clone has a far lower BOM count! If you are really serious about getting some training to better spot counterfeits, check out a post we featured earlier on the subject!