Yann’s Blog

January 14, 2010

MSP430 BSL Attacks, new F5xxx series, musings

Filed under: EVE-Central, Hardware, Software, StackFoundry — Yann @ 11:41 pm

I thought I’d do a small interlude into the embedded hardware and firmware space (which is generally my main area of work) from the normal EVE-Central heavy side of this blog. I have been musing about the code security protections of the MSP430 micro-controller, specifically the Boot Strap Loader (BSL), which remains enabled at all times, even if the JTAG interface is disabled (via a fuse on most MSP430s).

The BSL disallows memory reads and writes until a “password” has been transmitted over the serial interface. The password is actually a copy of the interrupt vectors (32 bytes) used by the micro-controller, which limits the available entropy by a significant margin: addresses are all even-aligned, the reset vector is generally the start of flash, many interrupt vectors will be identical, and in the general case all interrupt vectors are located in flash. The only defense against this low-entropy brute-force attack is the rate limit of the BSL: some versions of the BSL prevent you from changing from 9600 baud until after the password has been verified. However, on devices with small amounts of flash (say, 8 KiB), there are only about 61,000 passwords generally in use, which reduces the search time tremendously.
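To check how guessable the BSL password of your own firmware image is, here is a small audit of a vector table against the patterns listed above. This is an added example, not code from TI or from the paper; the function names and both sample tables are constructed for illustration, and the estimate is rough because it assumes a guesser already knows which vector slots share a handler.

```python
import math
import struct

def audit_bsl_password(table: bytes, flash_start: int, flash_size: int) -> dict:
    """Estimate how guessable a BSL password (the 32-byte vector table) is."""
    if len(table) != 32:
        raise ValueError("expected the 32-byte interrupt vector table")
    words = struct.unpack("<16H", table)       # 16 little-endian vectors
    handlers, reset = words[:15], words[15]    # reset vector is the last word
    flash_end = flash_start + flash_size
    aligned_bits = math.log2(flash_size // 2)  # even addresses inside flash

    def cost(addr: int) -> float:
        # A vector matching the post's pattern (even, in flash) costs a guesser
        # at most aligned_bits; anything else is counted as a free 16-bit word.
        typical = addr % 2 == 0 and flash_start <= addr < flash_end
        return aligned_bits if typical else 16.0

    distinct = sorted(set(handlers))
    bits = sum(cost(a) for a in distinct)
    findings = []
    if reset == flash_start:
        findings.append("reset vector is start of flash")
    else:
        bits += cost(reset)
    if len(distinct) < len(handlers):
        findings.append(f"{len(handlers) - len(distinct)} duplicate vectors")
    return {"distinct_handlers": len(distinct), "estimate_bits": bits,
            "findings": findings}

def make_table(handlers, reset):
    """Pack 15 handler addresses plus the reset vector into 32 bytes."""
    return struct.pack("<16H", *handlers, reset)

# Constructed sample: 8 KiB part (flash 0xE000-0xFFFF), two real ISRs,
# thirteen unused vectors sharing one default handler.
SPARSE = make_table([0xE1A2] * 13 + [0xE200, 0xE24C], reset=0xE000)
# Constructed sample: every vector has its own handler, 4 bytes apart.
DENSE = make_table([0xE100 + 4 * i for i in range(15)], reset=0xE000)

if __name__ == "__main__":
    for name, table in (("sparse", SPARSE), ("dense", DENSE)):
        print(name, audit_bsl_password(table, 0xE000, 0x2000))
```

A table that looks like the sparse sample is the case described above: most of the 32 bytes add nothing to the password.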

Some BSL versions are also susceptible to side-channel attacks, as discussed in this paper:
Practical Attacks against the MSP430 BSL

Texas Instruments has improved code security on the new F5xxx series devices in a drastic way: an invalid password will cause a complete device erase. Note that the flash memory also differs from the previous generation devices by being rated to erase and program as low as 1.8V (where the core voltage normally sits – the 5 series has an integrated LDO).

I can see two possible attack vectors – undervoltage to the entire processor (I have a ‘5438A running as low as 1.5V, however the BSL is not yet tested down here), or “glitching” the processor (in this case, complete power down) if the start bit of the acknowledgement packet is not transmitted within an allowable window. The second scenario can be defended against in the BSL firmware (delay the acknowledge by a large value).

I have not tried either of these attacks on the 5xxx series yet (specifically, the 5438 and 5438A). Generally, there are easier ways to attack processors to capture embedded code, or simply replicate external functionality based on observed behavior (code security is not on most programmers’ minds). If small-memory variants of the 5xxx series become available (to allow the brute-force searching of the keyspace), the flash memory erase issue would have to be overcome.

In the meantime, you can use some chip disassembly techniques from Flylogic.

On another note, I will be announcing a security-related, open source hardware project shortly. It’s been keeping me distracted from EVE-Central (trade route tool version 2, specifically), Contribtastic, and working on the EVE-Metrics/EVE-Central unified uploader.

November 29, 2009

qsgen 0.2 available

Filed under: Python, Software — Yann @ 12:15 am

qsgen is now at version 0.2. There aren’t any new features, but some critical issues preventing installation with newer versions of setuptools have been fixed.

qsgen is a Python static website generator which uses Mako and Pygments. It’s used to build the web content for the main StackFoundry page, along with TropicSSL and EntropyKing. It’s “perfect” in that it does its job without fuss and configuration :)

November 9, 2009

E-mail: When will it end? (Fixed!)

Filed under: EVE-Central, Software — Yann @ 9:44 am

Looks like Yahoo and Hotmail/Live/Microsoft have synced up their e-mail blacklists. The server eve-central.com uses for outbound messages has been blacklisted by both of these entities. I am trying to get this resolved, but in the meantime, if you need a password reset, please e-mail us directly. We’ll use an alternate outbound mail method to get your password to you.

Edit: It looks like the group of IP addresses at my co-location facility has been listed in the SBL. http://www.spamhaus.org/sbl/sbl.lasso?query=SBL80992. Now I am also working with the hosting provider to help clean up this mess. Joy.

Edit 2: Things are in motion to help clean up this mess.

Edit 3: SBL entry closed up, we will see when Yahoo/Hotmail/etc pick this up.

November 1, 2009

Yahoo! Mail deliveries not working

Filed under: EVE-Central, Software — Yann @ 11:32 pm

Edit: We should be back up – watch your spam folders though

Yahoo! mail is currently not being accepted from the EVE-Central.com and StackFoundry.com servers (38.113.114.184, 38.113.114.187). We are doing the correct customer support contact magic in order to re-enable delivery with Yahoo!, but cannot give definite timelines.

We would like to remind all EVE-Central.com mail feed users that you should NOT sign up webmail accounts or externally hosted accounts, including rebranded accounts (such as Yahoo or Google for your domain). The mail feed is for live processing on your server, not for batch downloading from another server. The daily CSV dumps are available for this reason.

October 16, 2009

The WikiReader: Cool device, future hackability

Filed under: Hardware, Software — Yann @ 10:27 pm

So, I got a WikiReader. The first thing I would like to say is that this device is very very hard to open (and yes I did remove the two screws in the battery compartment :) ). I haven’t attempted a full disassembly yet as I actually like the main functionality, and didn’t want to completely obliterate the case just yet.

Here is the WikiReader, unpacked. I wasn’t expecting a nice box and manual (even the iPhone doesn’t come with that), but was very pleasantly surprised.

Apologies for the very poor picture quality – these are simply iPhone snaps – I didn’t take the time to break out the 5D.
wikireader_slick

The two main complaints I have so far are the scrolling of text and the keyboard. The scrolling makes the text largely unreadable – there are some different display techniques here which could improve the display. The keyboard could also take a few cues from Apple, such as the magnified key presses, which would go a long way to improving usability. There are some other bugs in the contents (such as the lack of full UTF-8 support), but those are minor at this point.

Aside from those complaints, this device is actually quite slick. The performance is EXCELLENT. Random takes no more than a second to load the next article, search automatically filters based on your entry very quickly, and the history feature even remembers where you were in an article. The device is light and portable, and the whimsical asymmetric design is a nice touch and not over-done.

But enough with the quick mini review, what technical fun toys are there for you to play with?

Well, the WikiReader has a built in calculator – while powering up the device, hold the center (History) button.
wikireader-calc

There is also a factory test mode available – while powering up the device, hold either the Search or Random button:
wikireader-debug

As you likely (can’t) see in the image, the bulk of the functionality is a set of Forth applications, including the aforementioned calculator. They’re largely there for factory test, but at least one of them lets you draw pretty pictures.

Not drawn using the draw application, but another LCD test app – you don’t want to see my artwork
wikireader-picture

The WikiReader also contains a thermistor, which appears to be there for maintaining LCD contrast automatically:
wikireader-temp

Last but not least, there is a Console, which probably is exposed in the hidden programming/debug port available in the battery compartment (peel off the big white rectangular sticker – not the FCC/CE/Regulatory sticker).

October 12, 2009

What’s new at beta.eve-central.com

Filed under: EVE-Central, Software — Yann @ 9:20 am

Our open-source beta-site has been getting some updates recently:

  1. New alpha trade-finder, which can do route combining and removes some superfluous garbage which can’t be traded.
  2. Streamlining some of the layout code to remove IGB dependence (to help us get a better design for the new in-game browser)
  3. New upload methods to work with Contribtastic
  4. Small cleanups across the board

There is still work pending on the continuously updated statistics engine (with caching), replacing our very aging market reports system. The exact implementation direction is not yet determined.

If you want to poke at the code, it is also available under the AGPL 3.0 license.

October 9, 2009

AutoBand: Play Rock Band 2 using OpenCV

Filed under: EVE-Central, Hardware, Software — Yann @ 10:59 am

I took some time to learn a bit about computer vision, using OpenCV. The end goal here is to produce a Rock Band playing “robot”, using nothing but a specially modified controller (an AT90USB + bunch of FETs) and a computer with a video capture input.

Below is a video of my first attempt at using OpenCV. It applies several filters to isolate the keys on the racetrack approximately 2 frames ahead of the goal position. The primary heuristic right now is a threshold detect filter after all of the isolation steps. If you watch closely, you can see missed or over-pressed keys, especially when the whole racetrack lights up.

Note that the video output has an overlay color square which announces the software has detected a keypress. The actual gameplay is from another YouTube video – there is no closed loop control yet.

This will take some more tuning to iron out differences, possibly preserving some state from frame to frame. Right now color information is not used, but a separate classifier pipeline and some scoring mechanic might produce better results.

I will publish the git repository with the very-alpha implementation soon.

September 23, 2009

libevecache 0.1.2 binary and filename globbing

Filed under: EVE-Central, Software — Yann @ 11:20 pm

I have built a new binary of libevecache 0.1.2 for Windows. Included are several important fixes to the CSV export file.

Note that filename globbing (such as using *.cache) is NOT working under cmd.exe in Windows (PowerShell not tested), since Windows does not do filename globbing for commands. As a temporary workaround, use bash ;)

September 7, 2009

libevecache 0.1 and 0.1.1

Filed under: EVE-Central, Software — Yann @ 4:59 pm

libevecache just gained two releases this weekend. Version 0.1 was a functional release, capable of single-shot cache file to .CSV file conversion, but had huge memory leak and pointer ownership issues, which made Contribtastic! very unstable and generally unusable.

After spending some quality time with Valgrind, all of the remaining issues are now resolved, and version 0.1.1 is available for mass consumption. Look for Contribtastic early betas soon. One new feature of libevecache in version 0.1.1 is that the dumper is capable of digesting a whole CachedMethodCalls folder in one shot (just pass it the list of files on the command line). When you run dumper with the --market flag, you can safely redirect stdout to the file of your choice.

August 30, 2009

libevecache: New features and example market cache file to CSV file converter!

Filed under: EVE-Central, Software — Yann @ 8:53 pm

Success!

Thanks to some community contributions, libevecache has grown quite a bit this weekend!

New features include:

  1. Shared object support (will give an object reference in place of the previous holder type)
  2. DBRow decoding (needs more string identifiers for columns in other cache file formats)
  3. The dumper utility now learned about --market, which lets it produce market CSV files from a cache file.
    atrus@atp (master) :~/Marketlogs/marketreader$ util/dumper --market tests/Lonetrek-Armageddon-2009.07.30\ 062647.cache > o
    atrus@atp (master) :~/Marketlogs/marketreader$ cat o
    Cache File Dumper
    File: tests/Lonetrek-Armageddon-2009.07.30 062647.cache
    price,volRemaining,typeID,range,orderID,volEntered,minVolume,bid,issued,duration,stationID,regionID,solarSystemID,jumps,
    54000000.0,1,643,32767,1185915256,5,1,False,2009-07-04 09:01:17.000,90,60004012,10000016,30001363,5
    54000000.0,5,643,32767,1187317153,8,1,False,2009-07-06 18:13:31.000,90,60002419,10000016,30001363,5
    55499999.0,1,643,32767,1217266843,1,1,False,2009-07-26 17:58:17.000,90,60000838,10000016,30001367,1
    ...
    52749999.0,1,643,32767,1221169229,1,1,False,2009-07-29 18:25:11.000,30,60003838,10000016,30001377,0
    57999999.88,1,643,32767,1221534269,2,1,False,2009-07-29 23:31:51.000,90,60002326,10000016,30001429,0
    57999999.88,2,643,32767,1221581224,2,1,False,2009-07-30 00:22:49.000,90,60003874,10000016,30001401,0
    45720000.0,5,643,40,1173825903,5,1,True,2009-07-05 16:35:12.000,90,60004027,10000016,30001368,0
    53999.99,1,643,32767,1190937468,1,1,True,2009-07-06 05:58:44.000,90,60004291,10000016,30001368,0
    46956001.5,1,643,3,1212303440,1,1,True,2009-07-22 23:37:54.000,90,60003841,10000016,30001376,0
    53784.31,1,643,32767,1131184395,1,1,True,2009-05-21 14:34:50.000,90,60003889,10000016,30001405,0
    

Update your clones today!

I am going to buckle down and produce an EVE-Central uploader which uses libevecache in the next week. Look for a beta version sometime by Friday.
