IBM LPFK reverse engineering
mcguire at neurotica.com
Sun Aug 17 20:58:02 CDT 2008
On Aug 17, 2008, at 3:57 PM, Philip Pemberton wrote:
>> I live and breathe 8051s...I was considering doing exactly that.
> Heh, I used to do a lot of 8051 stuff. It was the second (or maybe
> third?) MCU I used. Started when someone sent me a box of HTEC
> "Kitty Card" 8032 CPU boards -- these were apparently the things
> that controlled the old Argos "Premier Points" loyalty card tills.
> They make great test rigs for 8052 code.
> As a side effect of all this fiddling, I have four AT89S8252 chips
> and a couple of Atmel ISP 8052s (AT89S52?). I've also got some
> Dallas DS89C420 High Speed 8051 parts and the relevant ISP pods.
Cool stuff. I have lots and lots (and LOTS) of various mcs51
chips. My favorite are the current ones from Philips, the P89V66x
family. In older mcs51s, I have several tubes of the original DIP-40
8751s...I use those for lots of little projects. I also have an in-
circuit emulator for debugging.
> 4x Motorola SN74LS373P latches -- 8-bit tristate latches. Pin 1 (/
> OE) is wired to what appears to be a common enable.
The other important one will be pin 11 (/LE, latch enable).
> 1x 11.0592MHz crystal
Ahh, the right frequency for standard async serial baud rates on
> I've also found a diode and some other stuff that appears to drive
> the /OE line on the latches somehow, and also links up to the
> loopback switch?!
Ok, now that is odd.
> I'm also looking into power-glitch attacks on the MCU -- apparently
> a few old 8051 chip revs were vulnerable to having Vcc rapidly
> dropped to 0V and then restored quickly. This apparently cleared
> the protection flip-flops and caused the chip to allow code
> readback. It still doesn't solve the problem of the encryption
> array, but if there's at least 64 bytes of 0xFF in the ROM, finding
> the key won't be hard (64-byte sliding window scanner and a quick
> "if top_half == bottom_half" check should find most of the
> candidates). That's the problem with straight-XOR, it falls quickly
> against a known-plaintext attack.
Ugh, that sounds like a lot of trouble...it'd probably be a lot
easier just to write new firmware and make it do whatever we want.
Port Charlotte, FL
More information about the cctalk