XboxHacker BBS
May 19, 2013, 06:47:25 PM


Topic: 0225/0401/0272 write protection beaten by russian hackers !!!
Vampirtc
« Reply #160 on: July 28, 2011, 07:28:21 AM »


Here is a better explanation of write protection:
http://notes-application.abcelectronique.com/005/5-10897.pdf
glaze83
« Reply #161 on: July 28, 2011, 07:37:09 AM »

no mention of the mxic voltage with a 5ohm resistor?

And the commands work because of the low power state it would seem, essentially brute forcing and checking if the commands were successful, hence the loops.
tingedace
« Reply #162 on: July 28, 2011, 07:38:56 AM »

do you have an mxic and a winbond board handy? Check the voltage at #cs when a 5ohm resistor is pulling the 3.3v point (with the cut) on the underside of the board down -- it would be expected that #cs remains high on the mxic and low on the winbond. If not, then that pin is not used for #cs with the internal flash. You'd then need to hunt around the chip for a pin which is high on the mxic and low on the winbond. That would theoretically be the #cs pin and we'd have to pull it high on the winbond.
From what I can gather from the data sheet, I don't think that #cs changes during brown out because you can still read the status, so chip must still be selected.
glaze83
« Reply #163 on: July 28, 2011, 07:46:21 AM »

not from what I recall, the intro brings up an spi status of 0xff whereas the mxic brings up either 0x00 or 0x8c

This is of course with a 5ohm resistor seeing as a 10ohm resistor is not enough to put the winbond into vendor mode.
Usuario-X
« Reply #164 on: July 28, 2011, 03:07:49 PM »

Did you try to put a potentiometer in the 5V line, the master line of the drive? Because the 3.3V line is not used by the drive, only 5 and 12V.

Maybe it works.

In MX maybe you don't need to cut the trace.
xstationbr2
« Reply #165 on: July 28, 2011, 03:23:49 PM »

Yes, with MX it is not necessary to cut traces.
glaze83
« Reply #166 on: July 28, 2011, 05:19:29 PM »

New thought, since pulling CS low externally doesn't seem like it's going to happen:

any switch / relay that will open and close with a speed greater than 0.01ms ?

This would defeat the brownout detection? And have the voltage 1volt every 0.01ms or sooner.
CLaeR
« Reply #167 on: July 28, 2011, 05:28:32 PM »

Quote
New thought, since pulling CS low externally doesn't seem like it's going to happen:
any switch / relay that will open and close with a speed greater than 0.01ms ?
This would defeat the brownout detection? And have the voltage 1volt every 0.01ms or sooner.

can we use something like this for it?
http://www.national.com/ds/LM/LM555.pdf
tingedace
« Reply #168 on: July 28, 2011, 08:56:35 PM »

Quote
not from what I recall, the intro brings up an spi status of 0xff whereas the mxic brings up either 0x00 or 0x8c
This is of course with a 5ohm resistor seeing as a 10ohm resistor is not enough to put the winbond into vendor mode.

OK, maybe you're right I'd need to check to be sure. Since the brownout threshold is Vwi (write inhibit) I thought it still allowed reads.
Anyhow, it doesn't look like there will be a software-only solution to this.

One more thing I must confess I don't understand exactly is... what is the voltage pull down actually doing? Initially I thought it was tricking the SPI into thinking that #WP was pulled high but I don't see how that would be. Thanks and let's keep at it!
glaze83
« Reply #169 on: July 28, 2011, 09:02:50 PM »

I believe the low voltage still allows the device to operate but with such little power status registers can glitch and return incorrect values, and I believe the russian program brute forces commands until it receives the right response back then alters the bits once it has access.
« Last Edit: July 29, 2011, 01:13:37 AM by glaze83 »
bluemimmos
« Reply #170 on: July 29, 2011, 01:07:46 AM »

Quote
The Write Status Register instruction also allows the Status Register Protect bit (SRP) to be set. This bit is used in conjunction with the Write Protect (/WP) pin to disable writes to the status register. When the SRP bit is set to a 0 state (factory default) the /WP pin has no control over the status register. When the SRP pin is set to a 1, the Write Status Register instruction is locked out while the /WP pin is low. When the /WP pin is high the Write Status Register instruction is allowed.

Well, the problem is how to set the WP pin high; how is the WP pin tied internally? If it's internally tied to ground, then I think there is no possible way to make it high without disconnecting it from GND. But if there's a pull-down resistor from the WP pin to ground then I think there might be a chance to set the WP pin high. But I am not an EE, so please don't fully rely on me.

And to quote geremia:
Quote
You have 2 possibilities for a not proper way.
- lift some pin and try some random vcc attack, but consider the spi is wired to vcc and gnd shared with other internal components
- bruteforce spi cmds and parameters to hopefully find out a (plausible?!?) undocumented custom spi cmds (mx and winbond specific) which overrules the WP pin.


And as per the implementation detail provided, it is referred that the WP pin must be tied to GND by a resistor so that applying VCC on the WP pin can later disable the write protect. So basically, one needs to decap that mt1335WE and see how the pins are connected on the SPI, how the WP pin is routed to the outer connections. I think geremia has done it already, and I hope he can elaborate clearly how the WP pin is routed inside the chip.

« Last Edit: July 29, 2011, 01:23:23 AM by bluemimmos »
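As an added illustration (not code from the thread or from any tool it mentions), the following Python models the status register protection logic in the datasheet passage quoted above: WREN sets WEL, and WRSR is ignored when WEL is clear or when SRP=1 with /WP low. The bit layout is assumed from the common Winbond W25X-series register (MXIC parts name bit 7 SRWD with the same role); the 0x00 and 0x8c values are the ones quoted earlier in the thread.

```python
# Added example, not from the thread: a model of the status register
# protection logic quoted above.  Bit positions are an assumption based on
# the common Winbond W25X-series layout (MXIC calls bit 7 SRWD, same role).
from dataclasses import dataclass, replace

BIT_WIP, BIT_WEL, BIT_BP0, BIT_TB, BIT_SRP = 0, 1, 2, 5, 7   # assumed positions

@dataclass(frozen=True)
class Status:
    wip: bool   # write in progress
    wel: bool   # write enable latch, set by the Write Enable instruction
    bp: int     # block protect bits BP2..BP0 as one 3-bit value
    tb: bool    # top/bottom protect
    srp: bool   # status register protect

def decode_status(value: int) -> Status:
    """Split one status-register byte into its named fields."""
    if not 0 <= value <= 0xFF:
        raise ValueError("status register is a single byte")
    bit = lambda n: bool((value >> n) & 1)
    return Status(bit(BIT_WIP), bit(BIT_WEL), (value >> BIT_BP0) & 0b111,
                  bit(BIT_TB), bit(BIT_SRP))

def write_enable(status: Status) -> Status:
    """Write Enable (WREN) only sets the latch."""
    return replace(status, wel=True)

def write_status(status: Status, new_value: int, wp_pin_high: bool) -> Status:
    """Write Status Register (WRSR) as the quoted datasheet text describes it.

    Ignored when WEL is clear.  With SRP=0 the /WP pin is irrelevant; with
    SRP=1 the instruction is locked out while /WP is low.  On success the
    register takes the new value and WEL is cleared.
    """
    if not status.wel or (status.srp and not wp_pin_high):
        return status                      # instruction silently ignored
    return replace(decode_status(new_value), wel=False)

if __name__ == "__main__":
    # /WP is reported in the thread as tied to ground after decapping,
    # so wp_pin_high=False throughout.  WEL still set means WRSR was ignored.
    for raw in (0x00, 0x8c):
        before = write_enable(decode_status(raw))
        after = write_status(before, 0x00, wp_pin_high=False)
        print(f"0x{raw:02x}: SRP={int(before.srp)} BP={before.bp:03b} "
              f"-> clear accepted: {not after.wel}")
```

With SRP=0 (the 0x00 case) the WREN-then-WRSR sequence clears the register; with 0x8c (SRP=1, BP=011) and /WP grounded the same sequence is ignored.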
glaze83
« Reply #171 on: July 29, 2011, 01:27:44 AM »

geremia had it decapped -- wp is tied to ground
bluemimmos
« Reply #172 on: July 29, 2011, 01:57:26 AM »

Then the only way is to try a random VCC attack and see, but what are we trying to do then, if it is known that WP is tied to ground? Is there some backdoor to bypass the write protection? Can you please explain how the hack is working on the MXIC chipset then? Well, I need to see some info on how the hack is working.
That will make it clear to us.
misterfly
« Reply #173 on: July 29, 2011, 02:02:17 AM »

Quote
geremia had it decapped -- wp is tied to ground

Solution to leave from ground now is possible
bluemimmos
« Reply #174 on: July 29, 2011, 02:06:18 AM »

Quote
geremia had it decapped -- wp is tied to ground
Solution to leave from ground now is possible

What does that mean? What's the solution? Can you shed some light on what you are talking about?
Vampirtc
« Reply #175 on: July 29, 2011, 02:43:02 AM »

Quote
geremia had it decapped -- wp is tied to ground
Solution to leave from ground now is possible
What does that mean? What's the solution? Can you shed some light on what you are talking about?

Ignore him, read his previous comments and you'll see why.

Quote
I believe the low voltage still allows the device to operate but with such little power status registers can glitch and return incorrect values, and I believe the russian program brute forces commands until it receives the right response back then alters the bits once it has access.

I cannot see a loop in the source code posted here.
« Last Edit: July 29, 2011, 05:28:48 AM by Vampirtc »
glaze83
« Reply #176 on: July 29, 2011, 06:50:13 AM »

The !if statements aren't?
modguru
« Reply #177 on: July 29, 2011, 06:58:22 AM »

it is party time again
tingedace
« Reply #178 on: July 29, 2011, 07:07:57 AM »

Correct, there's no looping or brute forcing of commands in the russian tool for MXIC. The write enable is sent, then the status register is cleared and that's it. Simple, really :-|

However, once in vendor mode, I'm going to try sending these commands in a tight loop:
-write instruction
-read status

And repeatedly switch the resistor in and out to see if there's any glitch that causes the command to be accepted.
If it happens we'll see the WEL bit get set.
Vampirtc
« Reply #179 on: July 29, 2011, 12:16:14 PM »

Quote
Correct, there's no looping or brute forcing of commands in the russian tool for MXIC. The write enable is sent, then the status register is cleared and that's it. Simple, really :-|
However, once in vendor mode, I'm going to try sending these commands in a tight loop:
-write instruction
-read status
And repeatedly switch the resistor in and out to see if there's any glitch that causes the command to be accepted.
If it happens we'll see the WEL bit get set.

I think it would be smarter if you would first create timing schematics and calculate your chances. If it's even possible, it's possible you need to hit the exact ns.
I was told the chances are the same as winning the lottery five times in a row.

And let's put things into perspective. People have been trying to solve this for months (possibly a year), even decapped, and it's obvious those with the know-how and experience haven't shared anything relevant.
« Last Edit: July 29, 2011, 12:21:07 PM by Vampirtc »