Thursday, May 29, 2008

Speaking at Defcon 16

After Black Hat, I'll be speaking at Defcon 16 regarding an entirely different subject. The abstract follows.

In 1990, a wire-bound book was published in Paris by the title of «Voyage au centre de la HP28 c/s». It presents a very thorough account of the inner workings of the Hewlett Packard 28 series of graphing calculators. Designed before the days of prepackaged microprocessors, the series uses the Saturn architecture, which HP designed in-house. This architecture is very different from today's homogeneous RISC chips, with registers of 1, 4, 12, 16, 20, and 64 bits in width. The fundamental unit of addressing is the nibble, rather than the byte. Floats are represented as binary-coded decimal, and a fundamental object in the operating system is an algebraic expression.

This architecture is still used, albeit in emulation, in the modern HP50g. With this talk, I intend to call attention to a fascinating, professional, and well-documented feat of reverse engineering. Using little more than their ingenuity and an Apple ][e, Paul Courbis and Sebastien Lalande reverse engineered a black box calculator into a real computer, one which became user-programmable in machine language as a result. More than that, they documented the hack in such exquisite detail that their book is not just a fascinating read, but also veritable holy scripture for anyone trying to write custom software for this machine.

Expect a thorough review, in English, of the contents of the book. This is not a sales pitch; electronic copies of both the translation and the original are free to all interested readers. Topics include the datatypes of the computer algebra system, hacking an upgrade into the memory bus, bootstrapping an assembler, writing in machine language by tables, and adding an I/O port for software backups.


If you'd like a copy of the book in advance, grab the original French from the site of Paul Courbis or email me for a rough draft of the English translation.

--Travis Goodspeed
<travis at utk.edu>

Sunday, May 18, 2008

Repurposing the TI EZ430U, Part 1

by Travis Goodspeed <travis at utk.edu>
at the Extreme Measurement Communications Center
of the Oak Ridge National Laboratory

JTAG port

Lately I've been playing with the EZ430U, which is the adapter that ships with the TI EZ430 kits. The kits are an amazing deal, $20 gets you a spy-bi-wire MSP430 FET, while $50 gets you a similar FET with two wireless sensor nodes. Page 13 of SLAU227 contains the schematic diagram for Rev 2.0 of the MSP430U board, which ships packages as both the classic EZ430f2013 and the new EZ430rf2500; the only hardware difference is the color of the board, being green or red respectively.

The software differences, however, aren't so forgiving. While the classic kit readily creates a USB->serial device under Linux, the RF kit is as yet unusable in Linux as the interface was altered to support a second serial line, one to target board.

Each kit is composed of two types of boards, a programmer (EZ430U) and a target (RF2500T or T2012). While the target boards are a lot of fun, an email I received after my initial release of msp430static introduced me to something just as fun. Namely, the JTAG fuse of the EZ430U board is left unblown. The following diagram shows pin connections from the row of 5 testpoints on the side of the board.

The lack of a common ground is no problem, as ground and power both come from the same computer through USB. You'll need a proper JTAG FET; another EZ430 won't do. (The EZ430 programmer only supports spy-bi-wire; it cannot program traditional JTAG boards.)

Having ripped the firmware from both the RF kit and the 2013 kit, I thought it might be interesting to compare the two. For a brief visual comparison, consider the following memory maps. The first is of an EZ430U from a classic 2013 kit, the second is of the EZ430U from an RF kit.
ez430u memmap ez430urf memmap
Taking the difference of the two images yields
ez430u memmap diff
The lowest bands of the image, being ram and I/O, ought to be ignored. Still, higher memory makes it visually clear that the firmware images are different. Comparing library checksums confirms this: few functions are identical between the two revisions.

The RF firmware reports itself to the USB controller as "0451:f432" while the classic board reports itself as "0451:f430". The identification appears must reside in the ROM of the 3410 chip, as the RF variant identifies itself as f432 even when loaded with the classic variant's firmware.

The second installment of this series continues with details of the TUSB3410 firmware, which resides on an EEPROM.

Friday, May 16, 2008

Speaking at Black Hat USA 2008

I'll be speaking at BlackHat USA 2008 in Vegas this August. My abstract follows:

The Texas Instruments MSP430 low-power microcontroller is used in many medical, industrial, and consumer devices. It may be programmed by JTAG, Spy-Bi-Wire, or a serial BootStrap Loader (BSL) which resides in masked ROM.

By design, JTAG may be disabled by blowing a fuse. The BSL may be disabled by setting a value in flash memory. When enabled, the BSL is protected by a 32-byte password. If these access controls are circumvented, a device's firmware may be extracted or replaced.

After a thorough introduction, this talk will discuss in excruciating detail the results of an effort to reverse engineer the BSL code. Once the BSL's function has been covered, a timing attack will be discussed which might be used to guess the password without brute force under certain conditions.


Cheers,
Travis Goodspeed
<travis at utk.edu>

Thursday, May 15, 2008

Syringe Logic Probe

I hope my faithful readers will forgive a quick detour into electronic arts-n-crafts. Rest assured, I won't abandon assembly language to make toilet-paper covers and tea cozies. Instead I intend to demonstrate how a diabetic MacGyver would tap a difficult pin on a circuit board.

After building Sump's Logic Analyzer out of a spare Spartan 3 board, I needed a logic probe with a sharp tip. What's sharp enough to grab a pin on a QFP device or those microscopic columns of solder that are exposed around the perimeter of a QFN device? An insulin syringe, of course!
syringe probe
The tip is razer sharp, easily digging far enough into a pin to hold its place. A finger's weight on the plunger keeps the probe in place; it has never once slipped to short two pins, as my multimeter's probe is wont to do.
closeup of syringe tip
I haven't yet tested the probe's electrical properties at high frequencies, but it works well enough for sniffing AES keys from an SPI bus.


Cheers,
--Travis Goodspeed
<travis at utk.edu>