Good point. You are right that they could have changed something else along with the flash, and removing the need to program the flash could have opened up an avenue that didn't exist before. As far as any security scheme goes, it's less a matter of whether it can be circumvented than how much effort it takes. At the very least the human factor limits how secure any mechanism is. And I agree there has yet to be any demonstrated exploit of the LPC2000 protection. It's not clear how much effort has gone into trying to find one, though.

At 08:15 PM 4/23/2006 +0000, Danish Ali wrote:

>But I think ROM/FLASH might make a difference.
>Because Philips must somehow get the bootloader into FLASH.
> - It might be that the JTAG is enabled at reset and the bootloader _must_
>turn off protection before a JTAG attack can take place.
>And a blank flash bootloader does not do this.

That appears to be a high probability given the reverse engineering published so far.

> - It might be that Philips put in an extra probing pad (not bonded out)
>that controls whether the JTAG is enabled or disabled at reset (and it
>is merely a matter of belt-and-braces as to why the bootloader
>explicitly re-disables it).

From an earlier Philips post:

>3) How is Bootloader programmed for the first time?
>
>Via JTAG on a tester. JTAG is accessible in virgin devices. Once
>bootloader is programmed and CRP is enabled the tester can't access
>the JTAG.

That suggests to me that there isn't an extra bond pad, and suggests that the test at this stage might even be in package. Note that this fits very nicely with the reverse engineering published so far.

The disagreement between antagonists comes from whether it is possible to hijack the JTAG control of the CPU before the CPU can be turned off. So far, AFAIK, no one has demonstrated the possibility. I'm not sure anyone has even tried.

Robert

" 'Freedom' has no meaning of itself. There are always restrictions, be they legal, genetic, or physical.
If you don't believe me, try to chew a radio signal. " -- Kelvin Throop, III
http://www.aeolusdevelopment.com/
Re: [lpc2000] Re: CRP (Code Read Protection) investigation by stepping through the boot loader
2006-04-24 by Robert Adsett
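The CRP mechanism the thread is arguing about, as an added example that is not part of Robert Adsett's message, the lpc2000 list or any Philips material: a small Python tool that builds a constructed LPC2000 flash image and reports whether it requests Code Read Protection. It assumes two facts taken from the Philips LPC2000 user manuals of the period rather than from this page: CRP is requested by the word 0x87654321 stored at flash offset 0x1FC, and the on-chip bootloader treats flash as valid user code only when the eight exception-vector words at 0x00..0x1C sum to zero, with the reserved vector at 0x14 holding the correction. Both checks are made by the bootloader when it runs at reset, which is why the window before the bootloader has executed is the one the thread cares about; the tool only tells you what the image asks for, not what the silicon does in that window. Later parts added further CRP levels with other magic values; those are outside this example.

```python
"""
Inspect or build a minimal LPC2000 flash image with respect to Code Read
Protection (CRP).  Added example; not code from the lpc2000 list thread.

Assumptions (Philips LPC2000 user manual, not this page):
  * CRP is requested by the word 0x87654321 at flash offset 0x1FC.
  * The bootloader accepts the image as valid user code only if the eight
    exception-vector words at 0x00..0x1C sum to zero (mod 2^32); the
    reserved vector at 0x14 carries the correction value.
Both are evaluated by the bootloader at reset, i.e. after the part has
already come out of reset with whatever JTAG state the silicon gives it.
"""
import struct

CRP_OFFSET = 0x1FC
CRP_MAGIC = 0x87654321
CHECKSUM_OFFSET = 0x14
VECTOR_WORDS = 8
ARM_BRANCH_SELF = 0xEAFFFFFE   # ARM 'B .' so the constructed vectors are real code
MASK32 = 0xFFFFFFFF


def read_word(image: bytes, offset: int) -> int:
    """Little-endian 32-bit read, as the ARM7TDMI core sees flash."""
    return struct.unpack_from("<I", image, offset)[0]


def write_word(image: bytearray, offset: int, value: int) -> None:
    struct.pack_into("<I", image, offset, value & MASK32)


def vector_checksum(image: bytes) -> int:
    """Sum of the eight vector words mod 2^32; the bootloader wants zero."""
    return sum(read_word(image, 4 * i) for i in range(VECTOR_WORDS)) & MASK32


def fix_vector_checksum(image: bytearray) -> bytearray:
    """Recompute the reserved vector at 0x14 so that the sum becomes zero."""
    write_word(image, CHECKSUM_OFFSET, 0)
    partial = vector_checksum(image)
    write_word(image, CHECKSUM_OFFSET, (-partial) & MASK32)
    return image


def is_valid_user_code(image: bytes) -> bool:
    """What the bootloader decides before it will jump to user code."""
    return len(image) >= 4 * VECTOR_WORDS and vector_checksum(image) == 0


def is_crp_enabled(image: bytes) -> bool:
    """True only for the exact magic word; anything else leaves JTAG/ISP open."""
    return len(image) >= CRP_OFFSET + 4 and read_word(image, CRP_OFFSET) == CRP_MAGIC


def set_crp(image: bytearray, enabled: bool) -> bytearray:
    # 0xFFFFFFFF is erased flash, i.e. no CRP request.
    write_word(image, CRP_OFFSET, CRP_MAGIC if enabled else 0xFFFFFFFF)
    return image


def build_image(crp: bool, size: int = 0x200) -> bytearray:
    """Constructed sample: a vector table of 'B .' on otherwise erased flash."""
    image = bytearray(b"\xFF" * size)
    for i in range(VECTOR_WORDS):
        write_word(image, 4 * i, ARM_BRANCH_SELF)
    fix_vector_checksum(image)
    return set_crp(image, crp)


def describe(image: bytes) -> dict:
    """Summary a programmer would want before committing an image to flash."""
    crp_word = read_word(image, CRP_OFFSET) if len(image) >= CRP_OFFSET + 4 else None
    return {
        "valid_user_code": is_valid_user_code(image),
        "crp_requested": is_crp_enabled(image),
        "crp_word": crp_word,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(describe(build_image(flag)))
```

The two checks are deliberately separate: an image can carry a perfectly good CRP word and still be rejected by the bootloader because its vector checksum is wrong, in which case the part sits in ISP mode with protection never having been engaged.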