Slow but steady progress on the #BSBACM this evening. Stumbled on two commands in the secure processor firmware which had the same handler code - $0A and $0B.
Turns out they're encryption and decryption functions for IPPV. A 56-bit key and 64-bit data block go in, a 64-bit data block falls out.

The neat bit is it revealed what the crypto hardware does: not the full encrypt/decrypt, but a non-linear function!

Which pad is which? #BSBACM edition.
First we trace out the power pads...

There are 52 bond pads and 48 pins, so 4 of those pads need to double up...

#ICRE #ICReverseEngineering #NakedDieFriday

Answer: it's either a ring oscillator or a pulse-shaping network. Probably a ring oscillator.
This is in the #BSBACM ASIC, between the secure processor and the cryptoprocessor and UART. Seems like glitching the cryptoprocessor is a non-starter then.
Sent off a couple of sets of BSB chips for decapping and delayering. Hopefully by the end of this I'll have a copy of most/all of the ACM secure ROM to poke at. #BSBACM

Tonight's been interesting. @infosecdj sent 20x chip shots of the #BSBACM ASIC and OSD chip. Turns out the ASIC contains two 65C02 cores!
Looks like one runs code from an internal ROM (which I'd love to dump and disassemble) and the other runs external code from ROM, and talks to the OSD.
One of the functional blocks is giving me strong vibes of possibly being a DES crypto engine.

Would love to get a discussion going!

ASIC: https://siliconpr0n.org/map/general-instrument/72523-1/infosecdj_mz_nikon20x/
OSD: https://siliconpr0n.org/map/general-instrument/72522-1/infosecdj_mz_nikon20x/
#ICRE
