The design of this (generic) board was done in KiCAD. The home-etched board contains the EC from the laptop, soldered out with a Hot Air gun, then soldered into the board. Since I didn't have an oldschool (EE)PROM programmer on hand, I quickly hacked together my own, the result of which can be seen in the picture at the beginning of this article - most of the jumper cables are address and data lines, some are just used to strap other pins to +5V and GND (a requirement from the chip datasheet). This means we can read out the code from the chip just by asserting a 15-bit address on a port and reading out 8 bits of data on another port. As it turns out, if you pull one of its' pins low, it can be treated as a generic PROM chip. ![]() And, thanks to that, it actually contains a programming and verification interface. Thankfully, our laptop shipped with the PH version, which is one-time programmable by the user. ![]() Usually, the CH48 model is a mask-ROM model. We quickly skimmed through some specs we found for the CPU core itself, decided that it's probably powerful enough to run password verification code, and started figuring out what to do next. Never heard of it? We neither.Īs it turns out, it's based off the “TLCS-870" architecture, which is kind of like-ish to a weird Z80. It's labeled as a TMP87PH48, which is a programmable version of the TMP87CH48. The controller is a generic microcontroller, with a bit of a twist - it's a pretty obscure one. We figured out that it's probably the EC/KBC (Embedded/Keyboard Controller) which we found earlier on the laptop mainboard. Redford did a whole lotta work reverse engineering the BIOS code and figured out that most of the interesting stuff (password check, challenge/response for lost password) is actually done by something off the main x86 processor. But yes, after making my STM read bytes from the EC reliably, we now have a flash dump of the EC. With the chip now running slowly, I was able to quickly discern the time difference when measuring the time-until-not-busy for each possible byte of the key:Īfter bruteforcing the rest of the bytes, one at a time, I was able to find out the key: 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0xFF, 0x00. I then disconnected the EC from its' 16MHz crystal to a signal generator, which I clocked down to a 666KHz square wave. To my surprise he was able to find an outlying byte - 0xFF!Īfter running the measurements a few more times, we were quite sure that the timing was indeed different when the first byte of the key is 0xFF. However, I sent over the data (50 measurements per first byte, iterating over 256 values) to Redford. Just looking at the data directly didn't make me optimistic, as all the results were jittery at first glance. I quickly made the STM32 measure the time between the last bit of the code sent and the time until the busy line got deasserted again (which takes quite a bunch of cycles after the last ID byte received, hmm). So, before having to redesign the makeshift probe into something more useful, I figured it might be easier to try a simpler timing attack first. I at first tried power trace side-channel analysis attack (since I had a ChipWhisperer laying around gathering dust) when the bootloader checks the password, but my makeshift shunt probe was just too noisy. To unlock the flash, the programmer sends 12 bytes: a command prefix (0xF5), the address of the ID code (?, 0x0FFFDF), the length of the ID code (?! 7) and 7 bytes of ID code.Īfter the programmer sends the ID code check function, another command (0x70) can be used to check whether the ID code verification succeeded. The clock comes from the programmer, and the EC exposes a Busy line used to synchronize whether its' ready to receive commands. If the programmer does not provide the code, no flash dump/write access is allowed. This code is used by the built-in bootrom to allow/deny access to the flash via the 'Standard Serial I/O' protocol for programming (selectable via M0/M1 straps). The EC has a 7-byte ID code that it keeps in flash. And finally, I added an oscilloscope to the voltage shunt and a logic analyzer to serial lines, for good measure.Īfter checking connectivity to the bootrom and that I was getting power traces, it was time to dive in. I also attached a ChipWhisperer with a shunt sensor board to the EC's power line. I've then attached an STM32F303RE on a Nucleo board as a general interface board to the EC's serial and reset. I've etched a new board that lets me access important pins (serial TX, RX, CLK, BUSY RST and power lines) without having to fiddle with the previous hacky breakout board. ![]() After another long hiatus, I've come back to this project.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |