Enter the Dragon(Book), Pt 2
Nobody has been able to find this backdoor to date (one reason I’m talking about it). While the C specification defines many requirements, it also permits a considerable amount of implementation-defined behavior (even though it later struck me as odd that many compilers could be coerced into generating this backdoor in an identical way). From the C specification; Environmental Considerations, Section 5.2—in particular section 5.2.4.1 (Translation limits)—seems to offer the most relevant discussion on the topic. Here’s a concise/complete example: typedef struct _copper { char field1[0x7fffffff];…
Atmel AT90SC3232CS Smartcard Destruction
Having heard that Atmel actually produced three variants of the AT90SC3232 device, we did some digging and found some of this previously never-seen-by-Flylogic AT90SC3232CS. We had already several AT90SC3232 and AT90SC3232C. We assumed that the CS was just a 3232C with an extra IO pad. Well, one should never ass-u-me anything! The AT90SC3232CS is a completely new design based on the larger AT90SC6464C device. Decapsulation revealed that Atmel actually did place an active shielding over the surface of the device. A 350nm, 4 metal process was used on the AT90SC3232CS…
Common Coding Mistakes – Wide Character Arrays
This post contains a few of my thoughts on common coding mistakes we see during code reviews when developers deal with wide character arrays. Manipulating wide character strings is reasonably easy to get right, but there are plenty of “gotchas” still popping up. Coders should make sure they take care because a few things can slip your mind when dealing with these strings and result in mistakes. A little bit of background: The term wide character generally refers to character data types with a width larger than a…
Windows Vulnerability Paradox
For those who read just the first few lines, this is not a critical vulnerability. It is low impact but interesting, so keep reading. This post describes the Windows vulnerability I showed during my Black Hat USA 2011 workshop “Easy and Quick Vulnerability Hunting in Windows”. The Windows security update for Visual C++ 2005 SP1 Redistributable Package (MS11-025) is a security patch for a binary planting vulnerability. This kind of vulnerability occurs when someone opens or executes a file and this file (or the application used to…
Atmel AT91SAM7S Overview
Atmel produces a number of ARM based devices in their portfolio of products. We had one laying around the lab so here we go as usual… The device was a 48 pin QFP type package. We also purchased a sample of the other members of the family although the initial analysis was done on the AT91SAM7S32 part shown above. All pictures will relate to this specific part even though there is not a signifigant difference between the other members of this line except memory sizes. After decapsulating the die from…
ATMEGA88 Teardown
An 8k FLASH, 512 bytes EEPROM, 512 bytes SRAM CPU operating 1:1 with the external world unlike those Microchip PIC’s we love to write up about :). It’s a 350 nanometer (nm), 3 metal layer device fabricated in a CMOS process. It’s beautiful to say the least; We’ve torn it down and thought we’d blog about it! The process Atmel uses on their .35 micrometer (um) technology is awesome. Using a little HydroFluoric Acid (HF) and we partially removed the top metal layer (M3). Everything is now clearly visible for our…
ST201: ST16601 Smartcard Teardown
ST SmartCards 201 – Introduction to the ST16601 Secure MCU This piece is going to be split into two articles- The first being this article is actually a primer on all of the ST16XYZ series smartcards using this type of Mesh technology. They have overgone a few generations. We consider this device to be a 3rd generation. In a seperate article yet to come, we are going to apply what you have read here to a smartcard used by Sun Microsystems, Inc. called Payflex. From what we have gathered on the internet, they are used to control access to…
Infineon SLE4442
The SLE4442 has been around for a long time. Spanning a little more than 10 years in the field, it has only now began to be replaced by the newer SLE5542 (We have analyzed this device too and will write up an article soon). It is basically a 256 byte 8 bit wide EEPROM with special write protection. In order to successfully write to the device, you need to know a 3 byte password called the Programmable Security Code (PSC). The code is locked tightly inside the memory area of the device and if you…
Safenet iKey 1000 In-depth Look Inside
We received a lot of attention from our previous article regarding the iKey 2032. We present to you a teardown of a lesser, weaker Safenet, Inc. iKey 1000 series USB token. We had two purple iKey 1000 tokens on hand that we took apart-Cypress 24 pin CY7C63001/101 type USB controller is a likely candidate underneath the epoxy above Cypress’ USB controllers run from a 6 Mhz oscillator and an 8 pin SOIC EEPROM might be beneath this smaller epoxy area Once we took our initial images…
In retrospect – A quick peek at the Intel 80286
We thought we would mix the blog up a little and take you back in time. To a time when the fastest PC’s ran at a mere 12 Mhz. The time was 1982. Some of us were busy trying to beat Zork or one of the Ultima series role-playing games. You were lucky to have a color monitor on your PC back then. We happen to have a 1982 era Siemens 80286 If anyone is interested in donating any old devices such as an i4004 or i8008,…