Modchips of the State (trmm.net)
101 points by Adrock 13 days ago | hide | past | web | favorite | 18 comments

I think I found some flaws with this, now I think I am rather experienced but I haven't seen everything.

1) He didn't demonstrate it in real hardware without outside power and ground. While he says an ARM core is very small, capacitors are large unless you change the laws of physics. Also, I never saw a reliable clock generator the size of a 0402 (or even 1208, now that I think about it) passive. Like I said, I haven't seen everything; if there are answers to these I'd love to see them.

2) He faked in some addition to unprogrammed memory; he theorizes the change can only work one way (change a high to low), so an obvious countermeasure is to fill empty memory with random bit patterns.

3) IIRC he intercepts an SPI flash in series on the data (MISO) wire. Not only does this assume the SPI clock is regular, I think it's totally wrong because he says he turns high to low. Usually the quiescent state of a net like this is high, due to a pullup on one or both sides to Vdd (high state). The mark on the data wire is a short to ground against this pullup to get a low state. Now I haven't seen everything, nor have I looked at any datasheets of parts used in any real system; of course the pullup can be anywhere along the wire, or in one or many integrated circuits along the net, but it really strikes me as incomplete because he says he turns high to low and I didn't notice him mentioning anything about any pullup and how to deal with it.

So until I see something better than this talk I am writing this off as feeding the FUD.

1) One could feasibly wire to nearby power/ground, although that would certainly be more obvious. The clock for this is ~17 MHz (I believe), so one can certainly achieve 'good enough' with a microcontroller's internal clock.

2) While that is an obvious countermeasure, it's one nobody is currently taking (judging by the large block of 1's in the SPI flash chip he read from the server).

3) You're thinking of a protocol like I2C, not SPI. For SPI it's 1 input driving 1 output, and nothing is bi-directional, so a microcontroller or FPGA interposing itself on a data line can definitely modify the state (or pass it through unchanged) as it pleases.

Edit: It's worth pointing out that, given that the contents of the flash get predictably read out at boot time, you could probably let the device 'train' to calibrate its internal (poor) clock and any software-based adjustments to its timing guesses over multiple boot cycles, especially if you have access to identical hardware for initial lab testing.
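Two checks a defender could run over a BMC flash dump, added here as an example that is not from the writeup or from anyone in this thread: it measures how much of an image is still erased (the "large block of 1's" that makes a one-way 1-to-0 change feasible), reports whether a diff against a known-good dump is consistent with an in-line interposer that can only pull bits low, and applies the random-fill countermeasure proposed above. The image bytes are constructed.

```python
import random
from typing import List, Tuple

ERASED = 0xFF  # NOR flash erases to all ones; unprogrammed bytes read back as 0xFF


def erased_runs(image: bytes, min_len: int = 16) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of erased bytes at least min_len long."""
    runs: List[Tuple[int, int]] = []
    start = None
    for i, b in enumerate(image):
        if b == ERASED:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    if start is not None and len(image) - start >= min_len:
        runs.append((start, len(image) - start))
    return runs


def one_way_changes(reference: bytes, observed: bytes) -> Tuple[int, int]:
    """Compare a known-good dump against an observed dump of the same chip.

    Returns (bits_cleared, bits_set). An interposer that can only pull MISO low
    leaves bits_set == 0; any 0 -> 1 transition rules that model out.
    """
    if len(reference) != len(observed):
        raise ValueError("images differ in length")
    cleared = sum(bin(r & ~o & 0xFF).count("1") for r, o in zip(reference, observed))
    set_ = sum(bin(o & ~r & 0xFF).count("1") for r, o in zip(reference, observed))
    return cleared, set_


def fill_erased_runs(image: bytes, seed: int, min_len: int = 16) -> bytes:
    """Countermeasure from the thread: overwrite erased filler with reproducible random bytes."""
    rng = random.Random(seed)  # seed so the filled image can be regenerated and verified
    out = bytearray(image)
    for off, length in erased_runs(image, min_len):
        out[off:off + length] = bytes(rng.getrandbits(8) for _ in range(length))
    return bytes(out)


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed 256-byte image: 64 bytes of 'firmware', then erased filler."""
    good = bytes(range(64)) + bytes([ERASED]) * 192
    tampered = bytearray(good)
    tampered[100] = 0x3F  # constructed tamper: two bits pulled low in the erased region
    tampered[101] = 0xFE  # one more bit pulled low; nothing is ever set to 1
    return bytes(good), bytes(tampered)
```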

Okay, I am in the habit of using pulls, and even some micros have pulls that can be switched in. That may be pointless when there is only one slave on the SPI, as there probably is in the attacked system, since the /CE is probably strapped active so the device will never switch that pin to high Z.

He didn't demonstrate it in real hardware without outside power and ground

Are you sure about this? The writeup says (emphasis added):


My FPGA proof of concept implant is a little larger than the passive resistor component we would want to hide it in, although that is not a significant limitation. Thanks to Moore's Law, an entire ARM Cortex M0+ CPU could fit in the space used by two transistors on the 6502 CPU. The 1.2mm^2 of a 0603 is significantly larger than necessary to fit a fairly complex CPU and ASIC, along with some of the passive components necessary to make it work in the difficult environment of this implant.

Normally the SPI bus requires six connections to function, but the implant has only part of a single one. It doesn't connect to power or ground, so it must be parasitically powered by the current flowing from the SPI flash to the BMC during normal operation (similar to the RFID CPUs that have enough capacitance to run even when they are shorting the antenna coil).


I'd like to think that you are wrong, and that the implant was (as described) a hardware proof of concept without outside power and ground. But if you are correct, this would seem to make the writeup so intentionally misleading as to not be worth further consideration.

I think his demo POC had outside power and ground. He believes the actual implant was powered parasitically from the SPI's bus current.

That would be pretty cool to see demoed itself. As he states we have RFID CPUs that can work with fantastically small amounts of power only from their antennas.

I think his demo POC had outside power and ground.

I would hope this is not the case. If it was, I don't see how it can be legitimately called a hardware proof-of-concept. I agree, though, that the lack of outside power and ground doesn't seem to be explicitly stated in the writeup. The video comes a little closer, with one of the questions after the talk asking whether using more pins would make things easier: (from the automatic transcript of https://youtu.be/C7H3V7tkxeA?t=1868, punctuation added and some typos corrected):

"But do you see a way to actually get more power into your setup, maybe using other power sources other than the two pins?"

"So the question is about would there be some way to do more arbitrary changes through redesigning the implant? One of the goals was to fit with only those two pins so that a single piece on the motherboard could be replaced. You know, with a dual probe soldering iron you can pop it out and stick a new one down in a matter of seconds. So yes, if you have more pins where you can get more power from you can do much more interesting things, but that would require a different set of changes to the motherboard."

I'm pretty sure the author is claiming that their FPGA implant was working off of just two pins on the motherboard. If they are relying on some technicality (such as "all the other pins are from a source other than the motherboard") this would make me write off the entire article as untrustworthy. But until there is proof to the contrary, I'm inclined to believe that they used no outside power or ground, and that they indeed built a hardware POC.

Edit: I sent email to the author asking for clarification.

I don't think his proof of concept is trying to recreate the entire implant as it is seen in the wild. His POC is trying to answer "A) can I put something in the middle of this one wire on the SPI bus and twiddle it enough to exploit the BMC?", which his demo seems to prove.

Did he prove that B) he can do it in the footprint of a surface mount resistor? No. His information on how small uCs can be is supposed to support that.

Did he prove that C) the implant can do it _with only one wire_ going to it with no power and ground? No. He makes references to RFID CPUs to show that it should be possible to power it parasitically.

Does not doing B or C invalidate A and make the whole A, B, C implant impossible? I don't think so.

I would really like to see a POC for C though. That would be super interesting to me. That would be the next logical step for this or another researcher.

You can draw a small amount of current from the logic signal in the high state and store it in a small amount of capacitance; a low enough power device would be able to operate off of it. There is a class of sensors which use an interface called 1-Wire, which is ground and signal/power (2 pins).

You don't need a very accurate clock (quartz) for ~100 MHz SPI. A ring oscillator is just a chain of inverters. If you want to match the bus frequency accurately you can train a PLL against the signal clock.

Not sure what the point is about the pullup, to flip the bit you need only to overpower the output buffers of the other chip.

Cramming it all in a 0402 would be a stretch, but I could see it being possible with the right resources. Having only 2 pins would be pretty useless if you can't snoop the address, though. And modern NOR devices on a motherboard are almost certainly using the high speed 4 pin serial interface rather than standard SPI.

I'd love to have this verified but I don't think #3 is applicable because SPI is push-pull and not open collector.

If you think this writing is feeding FUD, do you believe the demo is fake?

The demo shown in the talk was in an emulator; I have no doubt that he actually added his script into the filesystem in the emulation.

For the demo it's in an emulator, but he says the real version works 1 in 8 or 1 in 80 times. Is he lying?

I don't think there is any deception with that, but if he said he did not have a power supply arranged for it then I missed it.

Not all chip functions are documented or even acknowledged by the OEM. The white paper doesn't document all the functions of the chip. Look around at various whitepapers and you will see voids in the documentation, or referrals to the user agreement and licensing to access info and use of proprietary tech. If you are into low level programming and IDE design you will see mnemonic instructions laid out in a table with gaps in the address mapping and an explanation that they are reserved, or unavailable; same with expected bit inputs or outputs: reserved, "unmapped" or "unused".

BMCs are "typically unsecure with no protection, no detection and no recovery"

What are the economic forces behind this, and would it be feasible to change this state of affairs?

Time to incorporate a supply chain verification/hardware security firm named SETEC ASTRONOMY and see who gets the reference.

Too many secrets!

Nitwits, Rubes, and Oafs

Awaits FBI rotundness?
