Few comments after reading Wiki

Werner Almesberger werner at openmoko.org
Wed May 23 18:17:29 CEST 2007


Simon Matthews wrote:
> Could you tell me the make and model of the new MPU, and maybe some
> links to datasheets.

It's the Samsung 2442,
http://www.samsung.com/Products/Semiconductor/MobileSoC/ApplicationProcessor/ARM9Series/SC32442/um_s3c2442b_rev12.pdf

> I am intrigued to see how they implement the protection.

Yeah, me too :-) Section 6 basically says that it works, but doesn't
give any details on how. I'd try the following types of attack:

- confuse the state machine:
  disable the NAND controller block between sending command and address,
  and see what happens.

- combine operations:
  start a write command, turn the NAND control lines to GPIO, send
  the address, take the rejection, send a "harmless" command, switch
  the GPIOs back to NAND control, and send the address.

- completely bypass the NAND control block:
  set the slowest memory timing, control the NAND signals through GPIO,
  then do a memory write to put the right kind of data on the bus.

A logic analyzer may be handy for this type of experiment. (There
are some quite reasonably priced PC-based ones, alas none of them seem
to play nice with Linux :-( Alas, building my own with a small FPGA
is a bit too much work for a lunch break project.)

- Werner

-- 
  _________________________________________________________________________
 / Werner Almesberger, Buenos Aires, Argentina     werner at almesberger.net /
/_http://www.almesberger.net/____________________________________________/



