Dave McGuire wrote:
> I live and breathe 8051s...I was considering doing
> exactly that.
Heh, I used to do a lot of 8051 stuff. It was the second (or maybe third?) MCU
I used. Started when someone sent me a box of HTEC "Kitty Card" 8032 CPU
boards -- these were apparently the things that controlled the old Argos
"Premier Points" loyalty card tills. They make great test rigs for 8052 code.
As a side effect of all this fiddling, I have four AT89S8252 chips and a
couple of Atmel ISP 8052s (AT89S52?). I've also got some Dallas DS89C420 High
Speed 8051 parts and the relevant ISP pods.
> How complex is the board? (I've not yet opened
> mine)
Not very - it consists of:
4x Motorola SN74LS373P latches -- 8-bit tristate latches. Pin 1 (/OE) is
wired to what appears to be a common enable.
32x HP QLMP-2541 LEDs
32x membrane keyswitches (6x sets of rubber membranes with matching PCB pads
-- 2x 1x4 and 4x 1x6)
1x 74LS00
1x MAX232CPE
1x Intel P80C51BM
1x 11.0592MHz crystal
... and a bunch of passive components
Disassembly is easy. Six screws on the bottom, plus one inside holding the
ground tag to the metalwork, then the PCB lifts up and out. Reassembly is just
as easy.
Most chip datecodes are around 1996. LEDs appear to be wired common-anode. A
resistor is wired between each LED anode and +5V, and the LS373s drive the
cathodes (Qn outputs). I'm guessing the input lines (Dn inputs) are wired
common on all the 373s, either D0=>D0 or munged (D0=>Dx, D1=>Dy, ...)
The keys appear to be wired into a 4x8 matrix -- for a total of 32 keys. There
are eight pull up resistors and four diodes on the matrix. Fair guess that
said parts will make it somewhat easier to trace the matrix back to the 8051
pads with a multimeter. I've also found a diode and some other stuff that
appears to drive the /OE line on the latches somehow, and also links up to the
loopback switch?!
Buzzing out the key matrix shouldn't take more than a few minutes. Possibly
4-bit scan output from the MCU via the diodes, and 8-bit scan return, which
will be what the PURs are for. I'm still not sure about the wiring around the
line driver and LS00, that's still a mystery and will probably involve some
component removal and track-tracing to unravel.
I'm also looking into power-glitch attacks on the MCU -- apparently a few old
8051 chip revs were vulnerable to having Vcc rapidly dropped to 0V and then
restored quickly. This apparently cleared the protection flip-flops and caused
the chip to allow code readback. It still doesn't solve the problem of the
encryption array, but if there's at least 64 bytes of 0xFF in the ROM, finding
the key won't be hard (64-byte sliding window scanner and a quick "if top_half
== bottom_half" check should find most of the candidates). That's the problem
with straight-XOR, it falls quickly against a known-plaintext attack.
That still leaves the problem of getting the code in the first place. Reverse
engineering the board and rewriting the firmware may well be easier. Though
not easier from the POV that an LPFK will require modification before it's of
any use. It's entirely possible to reverse the modification (hint: fit a
turned-pin IC socket, and use desoldering wick to remove the old chip!) but
I'd still rather not modify it if it's possible to figure out the IBM protocol.
Thanks,
--
Phil.
classiccmp at philpem.me.uk
http://www.philpem.me.uk/