Few comments after reading Wiki

Werner Almesberger werner at openmoko.org
Thu May 17 14:00:23 CEST 2007


Marcin Wiacek wrote:
> So, the scenario can be: specifying area by "virus" and getting device to
> reset to have full control...

At which time your (still protected) firmware sets the protection
again, and executes the regular code. But yes, if you add an
easily changeable vector before that point, you lose :-)

The bypass I'm thinking of is a little harder, either by messing
up the NAND state machine in the MCU (so it doesn't notice we're
about to write), or, if they've been really careful, by toggling
the bits through GPIO and carefully timed memory accesses.

Something your virus author may still do, of course. And that's
when the second chip kicks in.

- Werner

-- 
  _________________________________________________________________________
 / Werner Almesberger, Buenos Aires, Argentina     werner at almesberger.net /
/_http://www.almesberger.net/____________________________________________/
