Exetools - Reversing embedded systems

Exetools (https://forum.exetools.com/index.php)

- Electric Section (https://forum.exetools.com/forumdisplay.php?f=53)

- - Reversing embedded systems (https://forum.exetools.com/showthread.php?t=20739)

Reversing embedded systems

Hi, this is a little bit off topic/forum, but I didn't know exactly to post this.

Does anybody know any good reversing forums specialized in hacking/reverse engineering embedded systems.

Reason for asking is that I have a controller board, containing an Atmega 1280 MCU, which is bricked. I would like to extract the firmware from the MCU flash, but the LB1 or LB2 lock-bits are set, which prevents programming/reading/verifying flash & EEPROM contents.
Apparently the only way to reset the lock-bits is to completely erase the chip, which of course is not a viable option for me. Would be interesting to see if somebody managed to rest the 2 bits without erasing the flash & EEPROM

I cannot help you on this specific situation; unfortunately!

What about the famous "chip-off" way? Is it possible for you?

Quote:

Originally Posted by blue_devil (Post 129092)

I cannot help you on this specific situation; unfortunately!

What about the famous "chip-off" way? Is it possible for you?

Unfortunately that is not possible, because I don't own the million dollar equipment required to perform this type of operations

Quote:

Originally Posted by rcer (Post 129099)

Unfortunately that is not possible, because I don't own the million dollar equipment required to perform this type of operations

I feel you bro :( Don't you have any debug or JTAG pins to move on?

Yes the board has a 6pin SPI header & 10 pin JTAG header, and I can read the chip with SPI, but JTAG access, debugging, and verifying memory contents has been disabled, and the the LB1 and LB2 lock-bits have been set, so its not possible anymore to change any fuse settings, unless you completly erase the chip first. Reading the flash & eeprom contents with the current settings returns garbage (i.e FFFF FFFF )for the complete memory contents

Introduction to Embedded Systems Security and Reverse Engineering (Chinese)

Quote:

hxxps://zhuanlan.zhihu.com/p/49831082

O.K. I will check this out

This is generally a very, very interesting topic!
But the page hxxps://zhuanlan.zhihu.com/p/49831082 is a bit too *Chinese" for me (purely linguistically).
Can someone translate it into English?
(I have problems with the translation and probably not only me)
Would be worth a new entry in the "General" category of Exetools ?
Example: "Reversing embedded systems" (Little hint for the admins)
Would surely enrich the forum ?
(Maybe we could vote on it, if the topic would be desired)

Quote:

Originally Posted by Trit0n (Post 129108)

I have the same problem with translation, also without registering it seems that you cannot query anything.

I know that exetools is the lead forum for software hacking/reversing, and in general not geared towards hardware hacking/reversing, but it would be nice if this could be added/implemented, because there are a lot of very knowledgeable members on this forum who could assist/help less skilled members

Quote:

Originally Posted by Trit0n (Post 129108)

to be honest, I am thinking about this too, but we need to know how many people are interest in this topic so we can open it.

Interesting article on a real world example:

Quote:

https://www.wired.com/story/unciphered-ironkey-password-cracking-bitcoin/

Quote:

To fully reverse engineer the device, Unciphered scanned an IronKey with a CT scanner, then began the elaborate surgery necessary to deconstruct it. Using a precise laser cutting tool, they carved out the Atmel chip that serves as the USB stick's “secure enclave” holding its cryptographic secrets. They bathed that chip in nitric acid to “decap” it, removing the layers of epoxy designed to prevent tampering. They then began to polish down the chip, layer by layer, with an abrasive silica solution and a tiny spinning felt pad, removing a fraction of a micron of material from its surface at a time, taking photos of each layer with either optical microscopes or scanning electron microscopes, and repeating the process until they could build a full 3D model of the processor.

Because the chip's read-only memory, or ROM, is built into the layout of its physical wiring for better efficiency, Unciphered's visual model gave it a head start toward deciphering much of the logic of the IronKey's cryptographic algorithm. But the team went much further, attaching tenth-of-a-millimeter gauge wires to the secure element’s connections to “wiretap” the communications going into and out of it. They even tracked down engineers who had worked on the Atmel chip and another microcontroller in the IronKey that dated back to the 1990s to quiz them for details about the hardware. ...

That cracking process culminated in July, when Unciphered's team gathered at an Airbnb in San Francisco. They describe standing around a table covered with millions of dollars’ worth of lab equipment when a member of the team read out the contents of a decrypted IronKey for the first time.

i guess, maybe the most recent tech i know is decap. there is also glitch based exploit, but that is very rare information.

Quote:

Originally Posted by Trit0n (Post 129108)

But the page hxxps://zhuanlan.zhihu.com/p/49831082 is a bit too *Chinese" for me (purely linguistically).
Can someone translate it into English?

Attached you can find an english-translated version (google).
Hope this helps.

P.S. Apologies if you weren't meaning you need a translated page.

Quote:

Originally Posted by tonyweb (Post 129169)

Attached you can find an english-translated version (google).
Hope this helps.

P.S. Apologies if you weren't meaning you need a translated page.

pdf converted in case...

I do not have download permissions, so I cannot know what was already posted as the translated version. Maybe my version is worse than the posted one.
But this is my humble contribution of the PDF translated version to the forum.
Hope this helps someone.