--- In lpc2000@yahoogroups.com, Stuart Wallace <swallace@e...> wrote:
> I'm also interested, from a purely academic perspective, to learn
> more about the possible JTAG based attack (first three instruction
> cycles after boot). Someone really needs to try this kind of
> attack -- I'd do so, but I haven't got the equipment. It would be
> good to know either way whether this sort of thing can work. Based
> on the comments with respect to JTAG return-clock synchronisation
> posted earlier on in the thread, it sounds like it won't be
> possible but it would still be interesting to know whether the
> chip can become confused enough (at invalid clock rates) to allow
> CRP to be bypassed. I wonder whether such a test could be
> automated? It strikes me that the core's behaviour may not be
> deterministic at excessive clock rates -- maybe it won't even
> start up if the PLL can't synchronise to a clock input that's far
> too fast.

Oops!.... You've got some good points and could be right....
Actually, I still do not think/believe the CPU runs on the JTAG clock
during the time slot "after Reset and before the few instructions
disabling JTAG". It should be running on XTALIN.
=> If there is no JTAG clock (normal operation), which clock is the CPU
running on after reset??
If this is the case, opening out/widening the hacking window by clocking
the CPU at a much lower frequency (at XTALIN) should get the chip
hacked.
- Pull P1.20/P1.26 low to enable JTAG
- JTAG enabled by hardware by default (after reset)
- CPU gets out of reset (running on XTALIN)
- CPU tries to disable JTAG, but acts slower than the external JTAG and
  gets reset and controlled by the external JTAG device.
- CPU controlled by JTAG, forced into another reset by JTAG; CPU runs
  on JTAG clock now and is controlled by JTAG.
- NOTE: this will not work if chips need a higher frequency XTALIN
  clock to synchronise JTAG clock/signals. I do not have/use
  LPC2xxx tools and am not familiar with that JTAG interface.
Anyway, opening out the windows is NOT the only possible hacking...
The above description is NOT very important..
=======================================
LPC21xx looks "quite" defenseless to hacking (especially when all
operating parameters like voltages and clock speed are out of spec),
based on the observations:
- Problem is created by JTAG being enabled by default and needing CPU
  action to disable it. To hack the chip, just disable/hang up the CPU
  before it could disable the JTAG during normal operation.
- If JTAG is hardware enabled by default (if P1.20, P1.26 pulled
  low), and if there is no CPU action to disable JTAG, the JTAG
  should be left enabled for hacking.
- If Philips uses JTAG to program fresh chips (blank chips just
  manufactured and without any code inside), that would mean no code
  or initialization is needed to get JTAG working properly after the
  reset. To hack the chip, just create some "similar" condition...
  (Philips guys until now have never said that they use the same JTAG
  for factory programming => Still high hope of robust CRP...)
=> "Possible" ways of hacking on LPC2114 to LPC2194
i) Normal supply voltage, clock the CPU at very low freq, use JTAG
   to force in before the CPU could disable it.
ii) Normal supply voltage, clock the CPU at very high frequency,
   hang up or screw up flash memory read for the first few cycles.
   Change clock back to normal 10-20MHz and let JTAG break in.
iii) Power the CPU core at very low voltage (i.e. <1V),
   either mess up the flash memory or even the CPU core. Raise
   core voltage to normal 1.8V after that and let JTAG break in.
iv) Chip somehow requires a longer reset pulse immediately after power
   up, much shorter pulse after that (maybe internal flash is not
   running at 1.8V and needs some charge pump??). Powering up the
   chip without (or with a very short) reset pulse might have the CPU
   not running properly.
v) Normal supply voltage & clock freq, when chip is getting out of
   reset, inject a very strong electromagnetic pulse externally to
   hang up the CPU.
=> "Possible" way of hacking on LPC213x & LPC214x
Methods i, ii and v as above
=> "Possible" way of hacking LPC2103
Cannot think of ...
(JTAG is DISABLED by default after reset, right??)
CRP is much more robust here as JTAG is default as <<OFF>>.
Note:
- Hackers only need 0.001% chances of breaking in; all hacking can
  be automated.
- I made the assumption that the debug interface has lower chances
  of hanging up than the CPU core.
- I'm not familiar with LPC2xxx JTAG. I do not have/use JTAG tools.
- All are NOT proven hacking methods. Unable to prove chips are
  immune to those hackings either. I hope chips are immune to all
  those hackings, else I'll have the great pain of changing all designs.
- Sorry for throwing in a small bomb on LPC2xxx CRP... Hope it does
  not explode...
Regards

Re: Trashing bootloader [was: LPC2148 identifyed as a LPC2138 ?]
2006-01-10 by unity0724