Michael B. Brutman wrote:
> I'm kind of glad that somebody else has replicated my frustration, but
> now what? (I've spent many hours on this, but I don't know the 8051 at
> all .. I've been debugging with a light box.)
The problem is that the 8051 on the LPFK is copy-protected -- the 8051 has two
layers of this:
- Encryption table: this is a 32-byte table that is XNOR'd with data as it
is read out of the chip. Obviously, this table is write-only...
- Lock Bit 1 -- disables further program memory writes.
- Lock Bit 2 -- same as LB1, also disables reading from program memory.
It looks like LB1 and LB2 have been programmed on the LPFK's 8051. The only
ways I can think of to get around this would be to decap it and reset the lock
bits, or try various power glitching attacks to try and bypass the protection
circuitry. I've no doubt that the latter has been done, just I don't know what
magic parameters to use...
> Are we just missing the magic bytes to send to it to get it talking when
> in 'active' mode?
Pretty much. It seems to expect an init sequence. If I send it the string
"SFFFFFFFF" with an LF terminator (as mentioned on the codeninja page), then
all the LEDs blink briefly. Nothing after that though, and changing the FFs
for 00s has no effect on the LED pattern.
At this point, an RS/6000 with the LPFK connection kit would be really useful,
but from what I gather they aren't exactly common... All you really need to do
is rig a pair of serial ports on e.g. a PC to monitor the RXD and TXD lines on
the LPFK, then dump whatever the RS6k sends to the LPFK and how it responds.
This is needle-in-a-haystack stuff.
Or as my friend just pointed out, the "brute force method" would be to remove
the 8051 in the LPFK and replace it with an 8051 derivative running different
software. That would involve buzzing out the entire circuit of the LPFK and
writing an alternative firmware that *does* accept the Codeninja command set.
But is it worth it? You'd still need to swap the 8051 chip... I'd much rather
make the original LPFK work with as few modifications as possible.
Thanks,
--
Phil.
classiccmp at philpem.me.uk
http://www.philpem.me.uk/
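As an added illustration of the monitoring setup Phil sketches (not code from the original post or from anyone on the list): once two PC serial ports are tapped onto the LPFK's RXD and TXD lines, the raw reads still need to be framed into messages before the exchange is readable. The helper below assumes the capture arrives as (seconds, direction, bytes) tuples from whatever reads the two ports, and assumes LF-terminated messages, as the "SFFFFFFFF" + LF init string suggests; the sample capture is constructed, not recorded from real hardware.

```python
# Added example: turn a two-direction serial capture into a transcript.
# Input events are (timestamp_seconds, "HOST" or "LPFK", raw bytes); the
# message terminator is assumed to be LF, matching the init string in the post.
from typing import Dict, Iterable, Iterator, List, Tuple

Event = Tuple[float, str, bytes]

def _render(frame: bytes) -> str:
    """Hex dump followed by a printable-ASCII view; control bytes become '.'."""
    hexpart = " ".join(f"{b:02X}" for b in frame)
    asciipart = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in frame)
    return f"{hexpart}  |{asciipart}|"

def frame_capture(events: Iterable[Event], terminator: bytes = b"\n") -> Iterator[str]:
    """Yield one transcript line per complete message in each direction.

    Bytes are buffered per direction, so a message split across two reads is
    reassembled, and it is stamped with the time its first byte arrived.
    Anything left unterminated at the end is reported as incomplete.
    """
    buffers: Dict[str, Tuple[float, bytes]] = {}  # direction -> (start, pending)
    for ts, direction, data in events:
        start, pending = buffers.get(direction, (ts, b""))
        if not pending:            # new message starts with this read
            start = ts
        pending += data
        while terminator in pending:
            frame, pending = pending.split(terminator, 1)
            yield f"{start:9.3f} {direction:<4} {_render(frame + terminator)}"
            start = ts             # any remainder began in this read
        buffers[direction] = (start, pending)
    for direction, (start, pending) in sorted(buffers.items()):
        if pending:
            yield f"{start:9.3f} {direction:<4} (incomplete) {_render(pending)}"

# Constructed sample: the init string from the post sent by the host in two
# chunks, no reply from the LPFK (as observed), then a host message cut off
# before its LF so the incomplete-frame path is exercised.
SAMPLE: List[Event] = [
    (0.000, "HOST", b"SFFFF"),
    (0.012, "HOST", b"FFFF\n"),
    (0.300, "HOST", b"S0000"),
]

def transcript(events: Iterable[Event] = SAMPLE) -> List[str]:
    return list(frame_capture(events))

if __name__ == "__main__":
    print("\n".join(transcript()))
```

Feeding it the real two-port dump instead of SAMPLE gives the side-by-side host/LPFK exchange that the RS/6000 session would reveal.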