0225/0401/0272 write protection beated by russian hackers !!!

[bluemimmos]

@glaze83  now its sure that the thing with winbound is with the timing, it may be worth a try to set the timing in the russian unlock program and try to drop the voltage low as equal to 1 on the winbound chipset.
can someone give a try.

[glaze83]

Not gonna happen without a realtime os, which is what the 12c508 or any other micro controller is.

the write protect setup time and write protect hold time are the same on both chips however the cs must be low on the winbond during setup time and high during hold time -- not something we can complete in 20ns and 100ns without help from another ic.

[Pacote-san]

Not gonna happen without a realtime os, which is what the 12c508 or any other micro controller is.

the write protect setup time and write protect hold time are the same on both chips however the cs must be low on the winbond during setup time and high during hold time -- not something we can complete in 20ns and 100ns without help from another ic.

They clearly state that there is no pic involved on the pcb
hmm

[glaze83]

well something has to control the #cs line

[bluemimmos]

yes @glaze83, but isnt the holding low and high done in the range of milliseconds rather than nanoseconds.
AFAIK, its 10 to 20 ms, so may be we can program the russian tool to do it for just that much time from one of the parallel port pin or serial port pin. this way we can control the #cs low for some time and high again for the next time. IS it feasible or i am just thinking on my own..

[glaze83]

its nanoseconds for that, and all commands sent in windows are delayed at least 15ms since they are not realtime, that's the consensus when looking up thread.sleep(x)

[bluemimmos]

so glaze83 i am somewhat sure thsat, the unlocking of winbound is not happening due to the timing , i mean we need to low the cs and high it again in few nanoseconds and thats where the task is difficult, if somone can find more detail, i may try to write code for a pic uc to do that. let us see where things goes.

[Pacote-san]

They will sell it for 8 bucks so it would be a really simple diagram, with very a very simple/cheap ic

Just waiting for the diy asap

[bluemimmos]

this is what i gathered. i think may help dig more



When the SRP pin is set to a1, the Write Status Register instruction is locked out while the /WP pin is low. When the /WP pin is
high the Write Status Register instruction is allowed.


The Write Enable instruction (Figure 4) sets the Write Enable Latch (WEL) bit in the Status Register to
a 1. The WEL bit must be set prior to every Page Program, Sector Erase, Chip Erase and Write Status
Register instruction. The Write Enable instruction is entered by driving /CS low, shifting the instruction
code “06h” into the Data Input (DI) pin on the rising edge of CLK, and then driving /CS high.


8.3 Power-up Timing and Write Inhibit Threshold

PARAMETER             SYMBOL              SPEC      UNIT
                               MIN    MAX

VCC (min) to /CS Low          tVSL(1)         10          μs
Time Delay Before Write Instruction tPUW(1)          1    10       ms
Write Inhibit Threshold Voltage    VWI(1)          1    2       V


Note:
1. These parameters are characterized only.
Figure 17.



Clock High, Low Time, for Fast Read (0Bh) and
all other instructions except Read Data (03h)   tCLH,tCLL(1)    11      ns

Write Protect Setup Time Before /CS Low    tWHSL(4)    20              ns
Write Protect Hold Time After /CS High       tSHWL(4)    100              ns
Write Status Register Cycle Time                   tW     10     15      ms


this may be the reason that the russian program has the delay of 10 ms since write status register cycle time is from 10 - 15 ms.

[glaze83]

epiphany!

It's a dual channel N type mosfet to control the 3.3v to 1v switching.

Doing it manually we can not get anywhere near 20ns to pull it low and 100ns to pull it high

[bluemimmos]

http://media.digikey.com/photos/Vishay%20Photos/ORNTA5-1T1.JPG


well as glaze83 said we cannot do it manually, but i think the new jf will integrate it on it, so it can do it within such short time, but as still, it need a real time os as windows etc cannot handle all this, short timings.

max1678 is a 4pin nchannel mosfet; may be tehy used it in sputnik.

[glaze83]

Or is it an ic delay line..... 555timer ....

http://www.doctronics.co.uk/555.htm

this is where my deductive powers end and those that have any EE skills figure this out... if indeed I'm right haha

[CasioNo15]

well something has to control the #cs line

Just to clarify, I also don´t know how this hack really works, but I think you are forgetting one thing. You are not communicating directly with the spi, it´s all going through sata to the drive controller, so I am not really sure if you have to deal with the timings of the cs line and the rest of the spi protocol. I think the drive controller just gets the commands and makes the rest. It´s the same when you flash the spi. You have to send the "Write Enable" instruction before the "Page Program" and you are also not dealing with any timings of the protocol or the cs line there.
I found this image at logic-sunrise and it looks correct. We are not pulling cs to ground, it´s the 3.3V line.
I´m not telling you are wrong, just some thoughts I had when reading this, what do you think.

Hope it´s allowed to post it directly. Pin 1 on the pcb is at the top right corner.


Source: http://www.logic-sunrise.com/news-320046-unlock-russian-tool-enfin-le-flash-des-0225-et-0272-sans-materiel-maj3.html

[glaze83]

ok another interesting thought

Can someone make a pop up box appear that says "remove resistor, replace resistor, then press ok" at each thread.sleep in the send_ser_write commands

Code:

private bool send_ser_set_write_enable_9504(ushort port, byte drive_pos, byte status)
        {
         Thread.Sleep(20);
            if (!this.send_ser_ata_68(port, drive_pos, status, 0, 0x88, 6))
            {
                return false;
            }
            Thread.Sleep(20);
            if (!this.send_ser_ata_1b(port, drive_pos, status, 1, 0, 0, 0, 0))
            {
                return false;
            }
            return true;
        }

        private bool send_ser_write_status_reg_9504(ushort port, byte drive_pos, byte status, byte bits)
        {
         Thread.Sleep(20);
            if (!this.send_ser_ata_68(port, drive_pos, status, 0, 0, 1))
            {
                return false;
            }
            Thread.Sleep(20);
            if (!this.send_ser_ata_1b(port, drive_pos, status, 1, 0, 0, 0, 0))
            {
                return false;
            }
            Thread.Sleep(20);
            if (!this.send_ser_ata_68(port, drive_pos, status, 0, 0, 1))
            {
                return false;
            }
            Thread.Sleep(20);
            if (!this.send_ser_ata_68(port, drive_pos, status, 1, 0, bits))
            {
                return false;
            }
            Thread.Sleep(20);
            if (!this.send_ser_ata_1b(port, drive_pos, status, 2, 0, 0, 0, 0))
            {
                return false;
            }
            return true;
        }

I believe vcc has to rise and fall after each command. At least thats what the datasheet has lead me to believe since it explicitly states that and nothing is mentioned in the mxic

[bluemimmos]

that is what i am thinking too....; but implementing it on the 555 timer, we need to use good combination of r1, r2 and c1. i think going in nf or pf with c1 will allow us to go on the nanosecond range..

[Pacote-san]

If anyone need can test later (even build the ne555n board, just give me the details on parts and diagram)

[Tiros]

Just to clarify, I also don´t know how this hack really works, but I think you are forgetting one thing. You are not communicating directly with the spi, it´s all going through sata to the drive controller, so I am not really sure if you have to deal with the timings of the cs line and the rest of the spi protocol.....
I found this image at logic-sunrise and it looks correct. We are not pulling cs to ground, it´s the 3.3V line.

I agree, the MTK chip handles all that.
The issue is the Winbond has "brownout" protection, to disable writing during a low VCC condition. The MX does not.
The "pulldown" lowers vcc, enough to trick the MX, but not enough to screw the MTK sata. The Winbond detects the vcc drop and disables writing. The "timing" issue, is with regard to the vcc, trying to get past the brownout protection "feature" of the Winbond.

[CLaeR]

Uploaded with ImageShack.us
its from old mt 1319 controller, i think it can be usable for our controller

[Vampirtc]

We connected logic analyzer to SPI, and recorded while commands were sent to MT1335WE through SATA. Nothing...not even in vendor mode.
Could it be that the switch device that TX is using with their chip raplacement could give as a clue: http://i8.photobucket.com/albums/a20/Tonyintn/photo-3.jpg
It is connected on SPI...

[glaze83]

that's the external spi to a mt1339e chip -- not the mt1335we

you measured the external spi which does nothing natively