Yahoo Groups archive

Lpc2000

Index last updated: 2026-04-28 23:31 UTC

Message

Re: Bootloader / CRP summary update

2006-01-06 by unity0724

Ummm... hello, not that I'm not interested in it. <<<The question is whether somebody can please show me some proven way of hacking the chip and document the process properly (I would be very interested in that)!!>>> If you want to crack the chip, just crack it. Philips is not going to tell us the chip is "CRACK-able".
The thread has been going on for 2 weeks without any solid findings. All are just "PURE SPECULATIONS".

I've already listed a possible way of cracking the chip. Can somebody please try it out:
=> I think the ARM7 core is much more robust than the flash memory; cracking along that path might be successful..
- Enable the CRP on a CRP-capable device (LPC2124 or LPC2214).
- Clock the chip at >100MHz for the first few instructions, to try to screw up the bootloader attempting to disable the JTAG (first few instructions only).
- The ARM7 CPU core seems capable of running up to around 200MHz, but I do not think the flash+ECC circuit can take it. Especially the ECC.
- The chip is cracked if the ARM7 skips the first few instructions (whatever the few instructions will be mis-interpreted as: logical and, or, mov, shift commands). The chip can be cracked as long as the instruction pointer/program counter moves by just 3-5 instruction counts and PINSEL2 is not written properly.
- After that you might have enough clock cycles to force in your JTAG control (before any bootloader tries to disable it again after reading the 0x87654321 from 0x1fc).
- If you cannot get it to work the first few times, try with higher/lower frequencies.
- Or on those first few instruction cycles, drive the core voltage at 0.9V to 1.2V where the flash might not even work. Power back to the normal 1.8V after those few instructions. You have full control of the clock pulses and voltage.
- Again, this is just purely speculation. 50% of LPC2124s even have about 3-5% chances of reset failures when I drive them at 50MHz. (Hee, actually the chip does not even meet the 50MHz datasheet clock input spec. I do not know if the XTALI pin could take >100MHz; maybe you need to power the core at 2.1V to run the ARM7 at >100MHz.)
- Powering the core at a very low voltage might have a much better success rate. I believe the ARM core might still work if you power it at 1V and a few MHz. But can that flash work at 1V?? (Come to think of that, maybe I'd better switch my LPC2124 to the LPC2136 with LDO and brown-out detect.) Guys with JTAG tools... please try powering the chip at a much lower voltage and crack it...

If you cannot get that working (meaning the chip is cracked), I can always think of more ideas for you.... We can try another 10-20 methods....
But I have one big question: What do we get if the LPC2xxx chip is proven crackable?? Crack it and read back our own code?? (We are supposed to be the victims.) Or make $$$ from some class action suit?? :) :)

If anybody is not comfortable with the Philips CRP then better switch to Atmel. But I can assure you there would be many more Atmel hackers (than Philips) in China and Taiwan as that's Atmel's big market.
Those chip hackers are REAL hackers and I'm NOT a chip hacker.

Happy new year to everybody... I still do not want my new year mood vaporized due to "CRP too fragile"...
Regards

--- In lpc2000@yahoogroups.com, "jayasooriah" <jayasooriah@y...> 
wrote:
>
> I don't know why you are so eager to quench this discussion just because
> you have no (or very simplistic) requirements in relation to code
> security. It is perfectly alright for you to be not interested.
> 
> There are many people here, including myself, who are concerned (to
> say the least) as to how safe IP that is loaded onto on-chip flash is
> when the part is in the hands of those who know what they are doing.
> 
> The ball is now in Philips' court. Give them time to respond
> credibly, or not at all as they see fit. We all know how to make
> inferences.
> 
> --- In lpc2000@yahoogroups.com, "unity0724" <unity0724@y...> wrote:
> > Many thanks to the summary and conclusion, and clarifications
> > showing "no simple way of cracking the read protection."
> > ...
> > Somebody please provide some proven way of cracking the chip 
> > else this thread should be concluded.
>
