On Aug 17, 2008, at 3:57 PM, Philip Pemberton wrote:
I live and
breathe 8051s...I was considering doing exactly that.
Heh, I used to do a lot of 8051 stuff. It was the second (or maybe
third?) MCU I used. Started when someone sent me a box of HTEC
"Kitty Card" 8032 CPU boards -- these were apparently the things
that controlled the old Argos "Premier Points" loyalty card tills.
They make great test rigs for 8052 code.
As a side effect of all this fiddling, I have four AT89S8252 chips
and a couple of Atmel ISP 8052s (AT89S52?). I've also got some
Dallas DS89C420 High Speed 8051 parts and the relevant ISP pods.
Cool stuff. I have lots and lots (and LOTS) of various mcs51
chips. My favorite are the current ones from Philips, the P89V66x
family. In older mcs51s, I have several tubes of the original DIP-40
8751s...I use those for lots of little projects. I also have an in-
circuit emulator for debugging.
4x Motorola SN74LS373P latches -- 8-bit tristate
latches. Pin 1 (/
OE) is wired to what appears to be a common enable.
The other important one will be pin 11 (/LE, latch enable).
1x 11.0592MHz crystal
Ahh, the right frequency for standard async serial baud rates on
the 8051.
I've also found a diode and some other stuff that
appears to drive
the /OE line on the latches somehow, and also links up to the
loopback switch?!
Ok, now that is odd.
I'm also looking into power-glitch attacks on the
MCU -- apparently
a few old 8051 chip revs were vulnerable to having Vcc rapidly
dropped to 0V and then restored quickly. This apparently cleared
the protection flip-flops and caused the chip to allow code
readback. It still doesn't solve the problem of the encryption
array, but if there's at least 64 bytes of 0xFF in the ROM, finding
the key won't be hard (64-byte sliding window scanner and a quick
"if top_half == bottom_half" check should find most of the
candidates). That's the problem with straight-XOR, it falls quickly
against a known-plaintext attack.
Ugh, that sounds like a lot of trouble...it'd probably be a lot
easier just to write new firmware and make it do whatever we want.
-Dave
--
Dave McGuire
Port Charlotte, FL