IBM LPFK reverse engineering

Dave McGuire mcguire at
Sun Aug 17 20:58:02 CDT 2008

On Aug 17, 2008, at 3:57 PM, Philip Pemberton wrote:
>>   I live and breathe 8051s...I was considering doing exactly that.
> Heh, I used to do a lot of 8051 stuff. It was the second (or maybe  
> third?) MCU I used. Started when someone sent me a box of HTEC  
> "Kitty Card" 8032 CPU boards -- these were apparently the things  
> that controlled the old Argos "Premier Points" loyalty card tills.  
> They make great test rigs for 8052 code.
> As a side effect of all this fiddling, I have four AT89S8252 chips  
> and a couple of Atmel ISP 8052s (AT89S52?). I've also got some  
> Dallas DS89C420 High Speed 8051 parts and the relevant ISP pods.

   Cool stuff.  I have lots and lots (and LOTS) of various mcs51  
chips.  My favorite are the current ones from Philips, the P89V66x  
family.  In older mcs51s, I have several tubes of the original DIP-40  
8751s...I use those for lots of little projects.  I also have an in- 
circuit emulator for debugging.

>   4x Motorola SN74LS373P latches -- 8-bit tristate latches. Pin 1 (/ 
> OE) is wired to what appears to be a common enable.

   The other important one will be pin 11 (/LE, latch enable).

>   1x 11.0592MHz crystal

   Ahh, the right frequency for standard async serial baud rates on  
the 8051.

> I've also found a diode and some other stuff that appears to drive  
> the /OE line on the latches somehow, and also links up to the  
> loopback switch?!

   Ok, now that is odd.

> I'm also looking into power-glitch attacks on the MCU -- apparently  
> a few old 8051 chip revs were vulnerable to having Vcc rapidly  
> dropped to 0V and then restored quickly. This apparently cleared  
> the protection flip-flops and caused the chip to allow code  
> readback. It still doesn't solve the problem of the encryption  
> array, but if there's at least 64 bytes of 0xFF in the ROM, finding  
> the key won't be hard (64-byte sliding window scanner and a quick  
> "if top_half == bottom_half" check should find most of the  
> candidates). That's the problem with straight-XOR, it falls quickly  
> against a known-plaintext attack.

   Ugh, that sounds like a lot of'd probably be a lot  
easier just to write new firmware and make it do whatever we want.


Dave McGuire
Port Charlotte, FL

More information about the cctalk mailing list