XboxHacker BBS
Topic: 0225/0401/0272 write protection beaten by Russian hackers !!! (Read 30203 times)
Rogero (Master Hacker, Posts: 165)
« Reply #180 on: July 29, 2011, 05:49:05 PM »

Correct, there's no looping or brute forcing of commands in the Russian tool for MXIC. The write enable is sent, then the status register is cleared, and that's it. Simple, really :-|

However, once in vendor mode, I'm going to try sending these commands in a tight loop:
- write instruction
- read status

And repeatedly switch the resistor in and out to see if there's any glitch that causes the command to be accepted.
If it happens we'll see the WEL bit get set.

I have already checked the code to see if it has some kind of loop and found out, as you have mentioned, that the commands are sent only once per button click, so I have also created the brute force version (no delay) and have been testing it since last night. Here's how it works:
After you press the "Start Attack" button, the program will check if the drive is in Vendor Mode and in that case will keep checking the SPI status: if found locked (0x8C) it will keep sending the "unlock" commands followed by "read status" on each pass of the loop, and in case the drive kicks out of Vendor Mode, the attack will abort...

http://www.mediafire.com/?dixjltkia0jn7y6

And here are some quick test results:
- with a resistor > 2 ohm I could never get "0x00" SPI status after the switch is closed.
- every time the switch is closed with the attack running, you can see SPI status 0x00 achieved, but the drive will always kick out of Vendor Mode.

I think something on the hardware side of the formula is still missing, and I hope we will figure it out gradually...
Please let me know if anything else can be done on the software side for more testing.

Cheers
glaze83 (Xbox Hacker, Posts: 534)
« Reply #181 on: July 29, 2011, 08:28:47 PM »

As I mentioned earlier, it's not going to happen from the comp -- the minimum delay between commands is 15ms regardless of Thread.Sleep.

We'd have to slow down the drive's clock... any way to do this externally?
l_oliveira (Xbox Hacker, Posts: 1342)
« Reply #182 on: July 29, 2011, 08:45:48 PM »

If you tinker with the drive clock frequency you might lose the functionality of the SATA port PHY...

It's a Rough World
glaze83 (Xbox Hacker, Posts: 534)
« Reply #183 on: July 29, 2011, 09:37:15 PM »

Won't know until we try? How would we go about that anyways?

Or is there a microchip fast enough that we can have it running the commands in real time?
justmeee (Master Hacker, Posts: 122)
« Reply #184 on: July 30, 2011, 04:08:47 AM »

I tried changing the crystal a long time ago. I thought I could mess with the SPI this way. At 16/8 MHz the drive is still working (open/close) but SATA is dead.
justmeee (Master Hacker, Posts: 122)
« Reply #185 on: July 30, 2011, 04:19:45 AM »

I thought about using 1 MHz to "go out of the SPI specs". My idea was to use a PCI SATA card and put the same crystal on it, so the SATA clock from the drive and the SATA host should be in sync and working. If you get it unlocked this way, then switch back to 25 MHz (hotswap/switch) and use another SATA connection to write, or switch the host clock too. This I never tried. I think you have to choose a frequency where the drive is dead, because this indicates that the MTK can't read the SPI.
Vampirtc (Hacker, Posts: 66)
« Reply #186 on: July 30, 2011, 09:07:50 AM »

> And here are some quick test results:
> - with a resistor > 2 ohm I could never get "0x00" SPI status after the switch is closed.
> - every time the switch is closed with the attack running, you can see SPI status 0x00 achieved, but the drive will always kick out of Vendor Mode.
>
> I think something on the hardware side of the formula is still missing, and I hope we will figure it out gradually...
> Please let me know if anything else can be done on the software side for more testing.
>
> Cheers

My drive never kicks out of Vendor mode. Only after, say, every 5-10 min if I play too much (0 ohm back and forth).
I got 0x0 several times, but from what I understand you can only write if the voltage is within limits. So in theory you would have to drop the voltage for a millisecond or so at the exact time WP is being checked.
l_oliveira (Xbox Hacker, Posts: 1342)
« Reply #187 on: July 30, 2011, 11:37:15 AM »

> I tried changing the crystal a long time ago. I thought I could mess with the SPI this way. At 16/8 MHz the drive is still working (open/close) but SATA is dead.

See? That's what I meant when I said you'd lose the SATA PHY functionality.

It's a Rough World
Rogero (Master Hacker, Posts: 165)
« Reply #188 on: July 30, 2011, 01:45:09 PM »

> My drive never kicks out of Vendor mode. Only after, say, every 5-10 min if I play too much (0 ohm back and forth).
> I got 0x0 several times, but from what I understand you can only write if the voltage is within limits. So in theory you would have to drop the voltage for a millisecond or so at the exact time WP is being checked.

If you're looking at the JungleFlasher screen you won't notice that the drive has lost Vendor Mode, because JF is not probing the drive continuously while my version of the program is, and as soon as the switch is closed, 0x00 SPI status is detected and the drive will exit Vendor Mode right away (with JF always still showing the drive properties as if it were still in Vendor Mode).
Vampirtc (Hacker, Posts: 66)
« Reply #189 on: July 30, 2011, 02:02:11 PM »

>> My drive never kicks out of Vendor mode. Only after, say, every 5-10 min if I play too much (0 ohm back and forth).
>> I got 0x0 several times, but from what I understand you can only write if the voltage is within limits. So in theory you would have to drop the voltage for a millisecond or so at the exact time WP is being checked.
>
> If you're looking at the JungleFlasher screen you won't notice that the drive has lost Vendor Mode, because JF is not probing the drive continuously while my version of the program is, and as soon as the switch is closed, 0x00 SPI status is detected and the drive will exit Vendor Mode right away (with JF always still showing the drive properties as if it were still in Vendor Mode).

I am aware of that, but like I told you, I get out of Vendor mode only after 5-10 min. I used your application. Could you update your application so that it displays when you enter 0x0 (for example: 0x0 at 23:21), because after I get 0x0, it's quickly updated to say 0xFE. Or a 0x0 counter. Or create a log so we know what's going on.
CLaeR (Newbie, Posts: 8)
« Reply #190 on: July 30, 2011, 02:11:07 PM »

> If you're looking at the JungleFlasher screen you won't notice that the drive has lost Vendor Mode, because JF is not probing the drive continuously while my version of the program is, and as soon as the switch is closed, 0x00 SPI status is detected and the drive will exit Vendor Mode right away (with JF always still showing the drive properties as if it were still in Vendor Mode).

As I understand it, after power drops below ~1V the flash chip goes to a reset state and exits vendor mode.
What if we use some chip to lower the power at the right moment, send the SPI unlock, and raise the power back to normal before the flash goes into the reset state?

xbox 360 flash, modchips, game consoles
http://xbox360.vipfin.ru
glaze83 (Xbox Hacker, Posts: 534)
« Reply #191 on: July 30, 2011, 03:07:50 PM »

Would slowing the clock as we lower the voltage to 1V, then raising it back up to its normal clock speed and voltage, possibly still glitch it and mess with its registers without tripping the brownout detection?

Or, when running at a lower clock speed, could we have serial access to TX and RX?
CLaeR (Newbie, Posts: 8)
« Reply #192 on: July 30, 2011, 04:19:44 PM »

Power supply voltage fluctuations can shift the threshold level of the transistors. As a result some flip-flops will sample their input at a different time or the state of the security fuse will be read incorrectly. This is usually achieved by either increasing the power supply voltage or dropping it for a short period of time, normally from one to ten clock cycles. In general, it's harder to find and exploit than clock glitches because in addition to the timing parameters, the amplitude and rising/falling times are variables.

xbox 360 flash, modchips, game consoles
http://xbox360.vipfin.ru
glaze83 (Xbox Hacker, Posts: 534)
« Reply #193 on: July 31, 2011, 12:34:55 AM »

Another new thought of my many throughout this thread.

If the chip has low and high voltage detection, and incorrect values can be returned at low and high voltages, then is it not possible to have a fast switching MOSFET constantly switch between 1 volt and, say, 5 volts so as not to trigger low or high voltage detection, yet allow us to receive the status register values we need?
bonx (Member, Posts: 23)
« Reply #194 on: August 01, 2011, 02:22:09 AM »

Hi,
With acid, on an MT1335, I disconnected the WP wire from GND and wired it to VCC.
I was able to unlock the Winbond SPI and now I would like to relock it.
I'm wondering if it is possible to modify the Russian tool to send the lock CDB?
Regards
tingedace (Member, Posts: 27)
« Reply #195 on: August 01, 2011, 05:27:24 AM »

Really? That worked?

Here's a version of the Russian tool that can lock the SPI:
http://www.rigid360.co.uk/ccount/click.php?id=11

Note it sends 0x9C to the status register, but it should maybe be 0x8C.

Let me know if it works
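The thread quotes three status register values (0x8C as "locked", 0x9C as what the locking tool writes, 0x00 as "unlocked") without spelling out which bits differ. The decoder below is an added example, not code from the thread or from any of the tools it links; it assumes the bit layout of the common Winbond W25X-family status register (BUSY, WEL, BP0..BP2, TB, reserved, SRP), which should be confirmed against the datasheet of the exact part. It shows why 0x8C and 0x9C are both "locked" states (they differ only in BP2) and why the WP pin matters for the SRP bit.

```python
# Added example (not from the thread or the tools it discusses): decode a
# single-byte SPI flash status register. Bit layout is an ASSUMPTION taken
# from the common Winbond W25X-family register; verify against the datasheet.

STATUS_BITS = {
    0: "BUSY",  # erase/program in progress
    1: "WEL",   # Write Enable Latch: set by Write Enable, must be 1 before a write
    2: "BP0",   # Block Protect bits: non-zero means part of the array is read-only
    3: "BP1",
    4: "BP2",
    5: "TB",    # Top/Bottom: which end of the array the BP range covers
    6: "RSV",   # reserved on W25X parts (assumption)
    7: "SRP",   # Status Register Protect: with WP# low, the register is read-only
}


def decode_status(value: int) -> dict:
    """Return a name -> bool mapping for every bit of a status register byte."""
    if not 0 <= value <= 0xFF:
        raise ValueError(f"status register is a single byte, got {value:#x}")
    return {name: bool((value >> bit) & 1) for bit, name in STATUS_BITS.items()}


def block_protect_level(value: int) -> int:
    """BP2:BP0 as a number 0..7; 0 means no block protection at all."""
    return (value >> 2) & 0x7


def is_array_write_locked(value: int) -> bool:
    """True when any BP bit is set, i.e. some region of the flash is protected."""
    return block_protect_level(value) != 0


def status_register_is_hardware_protected(value: int, wp_pin_low: bool) -> bool:
    """SRP only makes the status register read-only while WP# is held low.
    With WP# high (e.g. tied to VCC) the SRP bit has no effect on W25X parts."""
    return bool(value & 0x80) and wp_pin_low


def changed_bits(before: int, after: int) -> list:
    """Names of the bits that differ between two status values, lowest bit first."""
    return [name for bit, name in STATUS_BITS.items() if ((before ^ after) >> bit) & 1]


def describe(value: int) -> str:
    """Human-readable summary, e.g. '0x8C: BP0, BP1, SRP'."""
    flags = [name for name, on in decode_status(value).items() if on]
    return f"0x{value:02X}: " + (", ".join(flags) if flags else "no bits set")


if __name__ == "__main__":
    # Constructed sample values taken from the thread's discussion.
    for v in (0x8C, 0x9C, 0x00, 0x02):
        print(describe(v), "| BP level", block_protect_level(v))
    print("0x8C -> 0x9C changes:", changed_bits(0x8C, 0x9C))
```

Reading 0x8C through this decoder gives BP0, BP1 and SRP set; 0x9C adds BP2, so both values keep the array protected and the difference is only how large the protected region is. A status of 0x00 has no protection bits and no WEL, which is why a write enable must precede any status register write.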
bluemimmos (Hacker, Posts: 70)
Its me, me, me and only me...... :D
« Reply #196 on: August 01, 2011, 05:59:06 AM »

> Hi,
> With acid, on an MT1335, I disconnected the WP wire from GND and wired it to VCC.
> I was able to unlock the Winbond SPI and now I would like to relock it.
> I'm wondering if it is possible to modify the Russian tool to send the lock CDB?
> Regards

Which acid did you use, and can you give a detailed picture of the WP wire that needs to be cut? If you can, please post high resolution pics and the acid that you used.

Would like to try this. And what can I use to secure the wires after decapping with acid? Is it OK to use hot glue to secure the pit that is opened with acid?
bonx (Member, Posts: 23)
« Reply #197 on: August 01, 2011, 07:19:06 AM »

> Really? That worked?
>
> Here's a version of the Russian tool that can lock the SPI:
> http://www.rigid360.co.uk/ccount/click.php?id=11
>
> Note it sends 0x9C to the status register, but it should maybe be 0x8C.
>
> Let me know if it works

Hi,
Thanks! I'll try it as soon as I'm back home.
bonx (Member, Posts: 23)
« Reply #198 on: August 01, 2011, 07:39:32 AM »

>> Hi,
>> With acid, on an MT1335, I disconnected the WP wire from GND and wired it to VCC.
>> I was able to unlock the Winbond SPI and now I would like to relock it.
>> I'm wondering if it is possible to modify the Russian tool to send the lock CDB?
>> Regards
>
> Which acid did you use, and can you give a detailed picture of the WP wire that needs to be cut? If you can, please post high resolution pics and the acid that you used.
>
> Would like to try this. And what can I use to secure the wires after decapping with acid? Is it OK to use hot glue to secure the pit that is opened with acid?

I don't remember if it is nitric or sulfuric; I'll have a look at the label.
For pictures, I'll do my best, but I only have a 20x magnifier.
The wire I disconnected is the longest one, which we can see in geremia's picture.
I glued a thin wire on the chip and soldered it to the WP wire.
Be careful, acid is highly dangerous and the soldering is very hard.
On another MT1335 chip, I disconnected WP from GND and tried the Russian tool with an adjustable resistor.
At 1.9 ohms, I was able to unlock the Winbond SPI.
What I did not understand is that when I flashed with LT firmware, it was locked again. Backups were working fine.
At that time, I thought that JF relocked the SPI, but with the chip unlocked by wiring WP to VCC, it is different.
Sadly, I do not have this drive anymore (used for flash).
asapreta (Hacker, Posts: 92)
« Reply #199 on: August 01, 2011, 09:27:47 AM »

> On another MT1335 chip, I disconnected WP from GND and tried the Russian tool with an adjustable resistor.
> At 1.9 ohms, I was able to unlock the Winbond SPI.

But was it decapped too?