Few comments after reading Wiki
Werner Almesberger
werner at openmoko.org
Wed May 23 18:17:29 CEST 2007
Simon Matthews wrote:
> Could you tell me the make and model of the new MPU, and maybe some
> links to datasheets.
It's the Samsung 2442,
http://www.samsung.com/Products/Semiconductor/MobileSoC/ApplicationProcessor/ARM9Series/SC32442/um_s3c2442b_rev12.pdf
> I am intrigued to see how they implement the protection.
Yeah, me too :-) Section 6 basically says that it works, but doesn't
give any details on how. I'd try the following types of attack:
- confuse the state machine:
disable the NAND controller block between sending command and address,
and see what happens.
- combine operations:
start a write command, turn the NAND control lines to GPIO, send
the address, take the rejection, send a "harmless" command, switch
the GPIOs back to NAND control, and send the address.
- completely bypass the NAND control block:
set the slowest memory timing, control the NAND signals through GPIO,
then do a memory write to put the right kind of data on the bus.
A logic analyzer may be handy for this type of experiments. (There
are some quite resonably priced PC-based ones, alas none of them seem
to play nice with Linux :-( Alas, building my own with a small FPGA
is a bit too much work for a lunch break project.)
- Werner
--
_________________________________________________________________________
/ Werner Almesberger, Buenos Aires, Argentina werner at almesberger.net /
/_http://www.almesberger.net/____________________________________________/
More information about the community
mailing list