Few comments after reading Wiki

michael at michaelshiloh.com
Wed May 23 18:30:51 CEST 2007




On Wed, 23 May 2007, Werner Almesberger wrote:

> Simon Matthews wrote:
>> Could you tell me the make and model of the new MPU, and maybe some
>> links to datasheets.
>
> It's the Samsung 2442,
> http://www.samsung.com/Products/Semiconductor/MobileSoC/ApplicationProcessor/ARM9Series/SC32442/um_s3c2442b_rev12.pdf
>
>> I am intrigued to see how they implement the protection.
>
> Yeah, me too :-) Section 6 basically says that it works, but doesn't
> give any details on how. I'd try the following types of attack:
>
> - confuse the state machine:
>  disable the NAND controller block between sending command and address,
>  and see what happens.
>
> - combine operations:
>  start a write command, turn the NAND control lines to GPIO, send
>  the address, take the rejection, send a "harmless" command, switch
>  the GPIOs back to NAND control, and send the address.
>
> - completely bypass the NAND control block:
>  set the slowest memory timing, control the NAND signals through GPIO,
>  then do a memory write to put the right kind of data on the bus.
>
> A logic analyzer may be handy for this type of experiment. (There
> are some quite reasonably priced PC-based ones, alas none of them seem
> to play nice with Linux :-( Alas, building my own with a small FPGA
> is a bit too much work for a lunch break project.)

There are a couple of PC-based LAs that work with Linux. Look for the xoscope
project, I think it has links to a couple of such LAs.

Michael



