Monday, August 9, 2010

Atmel ATMEGA2560 Analysis (Blackhat follow-up)

At this years Blackhat USA briefings, the ATMEGA2560 was shown as an example of an unsecure vs. secure device.  We have received a few requests for more information on this research so here it goes...

The device did not even need to be stripped down because of designer lazyness back at Atmel HQ.  All we did was look for the metal plates we detailed back in our ATMEGA88 teardown last year and quickly deduced which outputs were the proper outputs in under 20 minutes.

Atmel likes to cover the AVR 'important' fuses with metal plating.  We assume to prevent the floating gate from getting hit with UV however the debunk to this theory is that UV will SET the fuses not clear them!

Image above shows you the location of the plates and two small red marks inside smaller, higher mag'd image.

For those who must absolutely know how to unlock the device, just click on the, "Money Shot!"

Sunday, August 8, 2010

Saturday, August 7, 2010

Parallax Propeller P8X32A Quick Teardown

Parallax has a really neat 8 core 32 bit CPU called the 'Propeller'.  It's been out for a few years but it is gaining popularity.  There is no security with the device as it boots insecurely via a UART or I2C EEPROM.  None the less, we thought it was interesting to see an 8 core CPU decapsulated!

The image above is the Propeller optically imaged 50x magnification.  One can clearly see 8 columns that appear almost symmetric (except in the middle region).  The upper 8 squares are each 'cogs' 512 * 32 SRAMs as described in the manual.  The middle left 4 and right 4 squares are the ROM's Parallax describes.  The 8 rectangular objects are the 32KB SRAM as described.  The 8 cores are basically the 8 columns above the middle ROM's to include the 512 * 32 SRAMs because they describe each cog as having it's own 512 * 32 SRAM :).

After removing the top metal (consisted mainly of routing tracks), we can see the 8 cores a little more clearly.  The metal over the 4 left ROMs has begun to remove as well in the image.

Above is a single COG rotated 90 degrees clockwise.  There are 8 of these objects in the upper half of the die.

Last but not least is the logo by Parallax.  Nice job Parallax on this beast!  We have one favor-  implement some flash on the next generation with a security bit ;).

Friday, August 6, 2010

Echostar v NDS appellate court ruling update

Normally, I would not mix non-technical with the blog however I thought this deserved a little more attention that it has received.

The ruling which states that NDS has won the lawsuit, vindicates myself and puts Echostar owing NDS almost 18,000,000.00 USD has come down as of 2 days ago.  You can download ruling in PDF form here.

As well I thought it nice to mention that neither Flylogic nor myself works for/or with Echostar, Nagra, NDS or any other conditional access company in any way or form.

I wish all persons whom this lawsuit effects the best (yes even you Charlie),

Christopher Tarnovsky