Author Topic: Heavy duty procrastination  (Read 9829 times)


TerraHertz (topic starter)
Heavy duty procrastination
« on: September 22, 2013, 03:02:21 pm »
Recently I bought a 2nd hand Tektronix TLA 614 logic analyzer. As mentioned in https://www.eevblog.com/forum/testgear/new-toy-tek-tla614-logic-analyzer/ it works BUT... it's one of those things where Tek made one acquisition board with all the options, and you pay money (lots of it) for a software key that unlocks options above the base model.
Skipping over the morals of that behavior, it appears that they implemented the 'key holder' data store in a Dallas DS1225AD nonvolatile SRAM aka 'RAM-in-a-box'.

So what? Well those contain a small battery. The Dallas data sheet says '10 year lifetime'. It's been about 10 years since this TLA 614 was made. And so since mine is an 'option 1S' ie not base model, and the software keys are no longer available from Tektronix even if by some bizarre twist I'd actually go along with that extortionist scam... it's kind of urgent to get the DS1225 out of the PCB and back up the data.

But there's a problem. For one thing, it's soldered in, not socketed. Second, I have some background in both designing and cracking 'secure' systems like this, and have seen (and used) a few nasty tricks. The general idea when you're implementing electronics that's supposed to keep expensive secret data secret, is to lay traps that destroy the data when anyone tries to get at it. Seriously, I can tell some funny tales about that. But another time.

The point is, I'm feeling a great amount of unease in going up against whatever Tek may have done with this NVRAM. Maybe nothing. Maybe... I can think of at least one bastard of a thing I would definitely have done if I was them.

When faced with such a challenge, there's only one thing to do. Procrastinate.

Another issue with the TLA 614 is where to put it. I've run out of test bench space. Time to do some rearrangement. As part of this change I recently bought (cheap) another second hand 19" rack. But it's too deep for where I want to put it. Which makes for a perfect Procrastination Project. Something to do when you're avoiding doing something else.

How do you shrink a 19" rack? Simple! you cut it in half (removing some of it) then weld it back together. Which is where my weekend went. Pics below.

Yeah I know, it's not electronics. But it's going to _hold_ a lot of electronics. Close enough?


« Last Edit: September 22, 2013, 03:08:39 pm by TerraHertz »
Collecting old scopes, logic analyzers, and unfinished projects. http://everist.org
 

Bertho
Re: Heavy duty procrastination
« Reply #1 on: September 22, 2013, 03:31:22 pm »
Quote
But there's a problem. For one thing, it's soldered in, not socketed. Second, I have some background in both designing and cracking 'secure' systems like this, and have seen (and used) a few nasty tricks. The general idea when you're implementing electronics that's supposed to keep expensive secret data secret, is to lay traps that destroy the data when anyone tries to get at it. Seriously, I can tell some funny tales about that. But another time.
Sniff the data from the hardware while being read by the system?

Use the logic analyzer to analyze the data on the chip...
 

TerraHertz (topic starter)
Re: Heavy duty procrastination
« Reply #2 on: September 22, 2013, 03:58:30 pm »
I do have _another_ logic analyzer....  ;)

For a while I worked at a company that made smart card readers. I wasn't working with those, but was on the same floor as people who were. The documentation on the encryption algorithm used was kept in a huge walk-in safe, with ridiculous security. One of those 'always two people, never one person alone with the data', dual keys, etc scenes.
In the readers, the module that contained the critical code was a potted block, that contained bare chips in ways that would break and lose the data if anyone tried to open it up.

In a video gambling game I did once, which used an FPGA to decrypt the program code on the fly as the CPU fetched it, the FPGA also contained logic that could detect whether there was a CPU emulator being used in place of the standard CPU. If there was, the FPGA deliberately immolated itself - large numbers of tristate buffers would try to fight each other, frying the chip in milliseconds.

I'm pretty sure that NVRAM will contain at least part of the option key data. There may be other parts in a flash memory also on the board. One way to prevent successful removal would be to bump-mount a bare chip to the PCB _under_ the Dallas RAM-in-a-box, and also glue it to the underside of the Dallas thing. Desolder and remove the NVRAM, break the bare chip underneath. Board no longer works.
That's the kind of thing people who really care about data security actually do.
Whether Tek was like that around 2001 remains to be seen.

The 'hardware read-captures' method is typically countered by including staged-frequency-of-occurrence reads. Some data gets read all the time, some every few hours, some every few days, some every few months, etc. The aim is to _eventually_ try reading some data that the cracker never saw being read. If you find that the commonly read data is correct but the 'rare' data is bad, then you know you have an attempted crack. What you do then depends on what the lawyers will allow. If there are any.

And of course, in all anti-crack security systems, you make sure the entire system is 'busy', with huge amounts of camouflage (ie pointless, but _looks_ important) data flow. Filling up any watching LA buffers with junk.


I wonder if Tek mentioned when selling logic analyzers, that there's a critical part soldered in, that has only a 10 year lifetime? And will probably completely cripple the instrument when the potted-in battery dies.
Bet it's in the fine print somewhere, so no one can sue them.
« Last Edit: September 22, 2013, 10:25:47 pm by TerraHertz »
 

SeanB
Re: Heavy duty procrastination
« Reply #3 on: September 22, 2013, 04:09:40 pm »
Don't think they will have done anything about protecting the data, just get a hot air station and toast the board while pulling the chip out. For easy holding epoxy a handle onto the chip to get it out fast while heating, then solder in a socket for the new one after reading the chip out, after doing the battery surgery or buying a new one. It is only a simple battery backed clock chip in any case, no special protection just a few dozen bytes of battery backed RAM and a few clock registers.

BTW, nice work on the rack shrink, you definitely have done reduction of a big rack there....;) Made it into a petite one.
 

grumpydoc
Re: Heavy duty procrastination
« Reply #4 on: September 22, 2013, 04:21:47 pm »
Like SeanB I doubt there's much protection - you might even find that the key is checked once and then just sets a bit in the NVRAM to show the option is enabled.

The difference is most of the people using a logic analyser will be honest and not try to crack the system, even if they could do so fairly easily.
 

mrflibble
Re: Heavy duty procrastination
« Reply #5 on: September 22, 2013, 05:18:45 pm »
Quote
BTW, nice work on the rack shrink, you definitely have done reduction of a big rack there....;) Made it into a petite one.

Yeah, that's a nice rack you got there.  ;D
 

Bertho
Re: Heavy duty procrastination
« Reply #6 on: September 22, 2013, 05:25:13 pm »
The DS1225 is a non-encrypted NVRAM. So, seeing the data in there should be enough for a replay-attack. It may also include (often rewritten) data for "run-time hours" and such stuff. Probably rather easy to see when the system runs.

I seriously doubt that the system is too much obfuscated. You can verify easily by capturing the access to the NVRAM. With 8kByte data, it is not too much to skim through.

However, you may need to get the data out sooner than later because there may be calibration values in there as well.
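The bus-capture approach Bertho suggests (reply #1 and this post), and the 'staged-frequency' reads and decoy traffic TerraHertz describes in reply #2 as the standard counter to it, come down to one question: after watching the bus for a while, which of the 8192 bytes has the CPU actually been seen to read? The script below is an added example, not code from this thread, from Tektronix or from any TLA tool. It takes a constructed text capture of a DS1225-style parallel bus (13 address lines, 8 data lines, /CE, /OE, /WE; the one-sample-per-line `addr=.. data=.. nCE=.. nOE=.. nWE=..` format is an assumption about how a trace would be exported), rebuilds the image, counts reads per address so rarely-read bytes stand out, and refuses to continue if the same byte reads back with two different values, which is also what a cell on a dying battery looks like.

```python
"""Rebuild an 8K x 8 NVRAM image from a logic-analyzer capture of its bus and
report which bytes were never seen being read.  Added example; the capture
format (one sample per line, 'addr=.. data=.. nCE=.. nOE=.. nWE=..') is an
assumption about how a trace would be exported, not a TLA or Tek format."""
from collections import Counter

NVRAM_SIZE = 8192   # DS1225AD: 8K x 8, A0..A12 / DQ0..DQ7 / nCE nOE nWE

# Constructed capture, not a real TLA 614 trace.  A few reads near the start
# of the array, one rarely-touched byte near the end, one write followed by a
# read-back, and one cycle where the chip is not selected at all.
CAPTURE = """
# addr data nCE nOE nWE
addr=0x0000 data=0x54 nCE=0 nOE=0 nWE=1
addr=0x0001 data=0x4B nCE=0 nOE=0 nWE=1
addr=0x0000 data=0x54 nCE=0 nOE=0 nWE=1
addr=0x1FF0 data=0x12 nCE=0 nOE=0 nWE=1
addr=0x0010 data=0x07 nCE=0 nOE=1 nWE=0
addr=0x0010 data=0x07 nCE=0 nOE=0 nWE=1
addr=0x0020 data=0xAA nCE=1 nOE=0 nWE=1
"""


def parse_capture(text):
    """Return a list of (addr, data, nce, noe, nwe) tuples, skipping comments."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = dict(tok.split("=", 1) for tok in line.split())
        samples.append((int(f["addr"], 16), int(f["data"], 16),
                        int(f["nCE"]), int(f["nOE"]), int(f["nWE"])))
    return samples


def reconstruct(samples):
    """Replay the captured cycles.  Read cycle: nCE=0, nOE=0, nWE=1 (chip
    drives data).  Write cycle: nCE=0, nWE=0 (CPU drives data, chip latches
    it).  Returns (image, read_counts, write_counts); unseen bytes are None."""
    image = [None] * NVRAM_SIZE
    reads, writes = Counter(), Counter()
    for addr, data, nce, noe, nwe in samples:
        if nce != 0:
            continue                      # some other device on the bus
        if not 0 <= addr < NVRAM_SIZE:
            raise ValueError(f"address {addr:#06x} outside the 8K array")
        if nwe == 0:
            image[addr] = data
            writes[addr] += 1
        elif noe == 0:
            if image[addr] is not None and image[addr] != data:
                # Same byte read twice with different values and no write in
                # between: a capture glitch, or a cell already losing its data.
                raise ValueError(f"inconsistent read at {addr:#06x}: "
                                 f"{image[addr]:#04x} then {data:#04x}")
            image[addr] = data
            reads[addr] += 1
    return image, reads, writes


def coverage(image):
    """(bytes observed, bytes never observed); the second number is the gap a
    'staged frequency' scheme relies on."""
    seen = sum(b is not None for b in image)
    return seen, NVRAM_SIZE - seen


def hot_and_cold(reads, top=3):
    """Most-read addresses (live counters, camouflage traffic) versus those
    seen exactly once; the once-only set is where rarely checked data hides."""
    return reads.most_common(top), sorted(a for a, n in reads.items() if n == 1)


def to_bytes(image, fill=0xFF):
    """Binary image for a hex editor; unseen bytes get `fill` so holes show."""
    return bytes(fill if b is None else b for b in image)


if __name__ == "__main__":
    img, rd, wr = reconstruct(parse_capture(CAPTURE))
    seen, unseen = coverage(img)
    print(f"observed {seen} bytes, never seen {unseen}")
    hot, cold = hot_and_cold(rd)
    print("hottest:", [(f"{a:#06x}", n) for a, n in hot])
    print("read once:", [f"{a:#06x}" for a in cold])
    print(f"image size: {len(to_bytes(img))} bytes")
```

Run it on a second capture taken hours later and diff the coverage: anything the firmware only reads on a rare event is missing from the short capture, so an image rebuilt from the bus is only as complete as `coverage()` says it is. Pulling the chip and reading it in a programmer gets all 8 KiB regardless, which is the trade-off the thread is circling around.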
 

Lurch (guest)
Re: Heavy duty procrastination
« Reply #7 on: September 22, 2013, 06:17:08 pm »
Quote
For a while I worked at a company that made smart card readers. I wasn't working with those, but was on the same floor as people who were. The documentation on the encryption algorithm used was kept in a huge walk-in safe, with ridiculous security. One of those 'always two people, never one person alone with the data', dual keys, etc scenes.
In the readers, the module that contained the critical code was a potted block, that contained bare chips in ways that would break and lose the data if anyone tried to open it up.

On Mikes YouTube channel there's a recent video of a chip and pin machine teardown, quite a few levels of security IIRC. I think the gist was it would be unlikely the data would be of any use by the time you got the potted block anyway by the looks of it.
 

SeanB
Re: Heavy duty procrastination
« Reply #8 on: September 22, 2013, 06:32:35 pm »
Like this one?


underside by SeanB_ZA, on Flickr

Batteries went flat a few years ago, and there is one on each board, even the printer and the modem had some NVRAM on them.
 

Lurch (guest)
Re: Heavy duty procrastination
« Reply #9 on: September 22, 2013, 06:54:15 pm »
Quote
Like this one?

Essentially yes. This one was a reasonably modern GSM terminal, although I doubt there is much difference inside.
 

free_electron
Re: Heavy duty procrastination
« Reply #10 on: September 22, 2013, 07:21:52 pm »
Not a problem with the Tek machine, if it is like their CSA scopes:

The NVRAM only holds the serial number. Option keys are stored on the hard disk (and printed on a label on the back of the machine).
Swap the battery, hook up GPIB and send the command to set the serial number. The command is listed in the maintenance manual.

Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed , induced or compensated by my employer(s).
 

robrenz
Re: Heavy duty procrastination
« Reply #11 on: September 22, 2013, 10:13:42 pm »
Very nice technique and execution on the rack compression :-+

TerraHertz (topic starter)
Re: Heavy duty procrastination
« Reply #12 on: September 22, 2013, 10:47:54 pm »
Quote
Like SeanB I doubt there's much protection - you might even find that the key is checked once and then just sets a bit in the NVRAM to show the option is enabled.

I'm not bothering to speculate much on how the option protection was done. I'll find out when I start looking. My only concern is to avoid losing potentially critical data - which is why I took three different forms of hard disk image, including raw binaries of the MBR (all of track 0) and partition boot sectors. That's another place options data may have been hidden.

Quote
The difference is most of the people using a logic analyser will be honest and not try to crack the system, even if they could do so fairly easily.

Please explain to me how doing whatever I like with a piece of 2nd hand 10 year old test gear I bought on ebay, including attempting to back up data that's required for the machine to work, is dishonest? I have no contractual agreement with Tektronix. Especially since 'Tektronix' as far as I'm concerned is these days a kind of zombie parody of the old Tektronix I used to admire.

Also, in my opinion the act of selling a system that has all the hardware for the full option set, but crippling it in software and requiring buyers to pay more to get the extra options uncrippled - that's dishonest.

If I do happen to be able to figure out how to uncripple it in an unofficial way, I'll consider that to be an act of liberation - freeing nice hardware from stupid restrictions imposed by marketdroids and bean counters. Exactly the same kind of 'there there, you're free now' warm feeling I get when removing layers of asset tags from equipment I've bought.
 

Monkeh
Re: Heavy duty procrastination
« Reply #13 on: September 22, 2013, 11:09:44 pm »
Quote
The difference is most of the people using a logic analyser will be honest and not try to crack the system, even if they could do so fairly easily.

Please explain to me how doing whatever I like with a piece of 2nd hand 10 year old test gear I bought on ebay, including attempting to back up data that's required for the machine to work, is dishonest? I have no contractual agreement with Tektronix.

He meant that the vast majority of customers buying a product like this new would simply buy the options rather than try and hack them, not that you're being dishonest.
 

KerryW
Re: Heavy duty procrastination
« Reply #14 on: September 23, 2013, 12:37:03 am »
As far as I know, the internal battery only holds the contents when Vcc drops below the battery voltage.  You should be able to cut the Vcc line and add 2 diodes and an external battery of your own choosing.  Just make sure that the unit is powered on when you change the external battery (10 years from now).

Kerry
One accurate measurement is worth a thousand expert opinions
- Adm. Grace Hopper
 

grumpydoc
Re: Heavy duty procrastination
« Reply #15 on: September 23, 2013, 07:46:59 am »
Quote
The difference is most of the people using a logic analyser will be honest and not try to crack the system, even if they could do so fairly easily.

Please explain to me how doing whatever I like with a piece of 2nd hand 10 year old test gear I bought on ebay, including attempting to back up data that's required for the machine to work, is dishonest? I have no contractual agreement with Tektronix.

He meant that the vast majority of customers buying a product like this new would simply buy the options rather than try and hack them, not that you're being dishonest.
Yes, exactly - I did not mean to imply that you are being dishonest at all, just that - for this type of equipment - the threat perceived by the manufacturer will be low so esoteric protection probably won't have been high on their list of priorities.

The systems that you also described - smart card readers destined to go into POS terminals, for instance, live in an environment where the threats are much higher and so do need extra protection - hence my feeling that I wouldn't particularly expect the data in the NVRAM to be encrypted.
« Last Edit: September 23, 2013, 07:50:15 am by grumpydoc »
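grumpydoc's guess in reply #4 that the key might be checked once and then recorded as a bit in the NVRAM, and Bertho's point in reply #6 that an unencrypted NVRAM image invites a replay attack, are two sides of the same design question: what does the firmware actually re-verify at boot? The script below is an added example and hypothetical throughout: the NVRAM layout, offsets, option names and vendor secret are all assumptions, and none of it is Tektronix's scheme or code from this thread. It models both designs against one image and shows that copying the image into a unit with a different serial carries the flag bit across, while a key stored in full and re-checked against the serial on every boot does not.

```python
"""Two hypothetical ways an instrument could record an enabled option in its
NVRAM, to show what a copied image does and does not carry across.  Added
example: layout, offsets, option names and VENDOR_SECRET are assumptions,
not Tektronix's scheme."""
import hashlib
import hmac

NVRAM_SIZE = 8192                    # DS1225: 8K x 8
SERIAL_OFF, SERIAL_LEN = 0x000, 8    # assumed: unit serial number, ASCII
FLAGS_OFF = 0x010                    # assumed: scheme A option bits
KEYS_OFF, KEY_LEN = 0x020, 8         # assumed: scheme B key slots
OPTIONS = {"1S": 0, "2S": 1}         # option name -> bit index / key slot
VENDOR_SECRET = b"hypothetical vendor secret"   # would have to live in firmware


def blank_nvram(serial: bytes) -> bytearray:
    """Fresh image: everything 0xFF except the serial and a cleared flag byte."""
    nv = bytearray([0xFF]) * NVRAM_SIZE
    nv[SERIAL_OFF:SERIAL_OFF + SERIAL_LEN] = serial.ljust(SERIAL_LEN, b"\0")
    nv[FLAGS_OFF] = 0
    return nv


def make_key(serial: bytes, option: str) -> bytes:
    """What a vendor key generator would hand out: a MAC over serial + option,
    so the key is only valid for that one unit."""
    msg = serial.ljust(SERIAL_LEN, b"\0") + option.encode()
    return hmac.new(VENDOR_SECRET, msg, hashlib.sha256).digest()[:KEY_LEN]


def key_valid(nv, option: str, key: bytes) -> bool:
    serial = bytes(nv[SERIAL_OFF:SERIAL_OFF + SERIAL_LEN])
    return hmac.compare_digest(key, make_key(serial, option))


# Scheme A: verify the key once at entry, remember only the result as a bit.
def install_flag(nv, option: str, key: bytes) -> bool:
    if not key_valid(nv, option, key):
        return False
    nv[FLAGS_OFF] |= 1 << OPTIONS[option]
    return True


def flag_enabled(nv, option: str) -> bool:
    return bool(nv[FLAGS_OFF] & (1 << OPTIONS[option]))


# Scheme B: keep the key itself and re-verify it against the serial every boot.
def install_key(nv, option: str, key: bytes) -> bool:
    if not key_valid(nv, option, key):
        return False
    slot = KEYS_OFF + OPTIONS[option] * KEY_LEN
    nv[slot:slot + KEY_LEN] = key
    return True


def key_enabled(nv, option: str) -> bool:
    slot = KEYS_OFF + OPTIONS[option] * KEY_LEN
    return key_valid(nv, option, bytes(nv[slot:slot + KEY_LEN]))


def clone_into(nv_src, serial_dst: bytes) -> bytearray:
    """The replay attack from the thread: drop one unit's image into another
    unit, which keeps its own serial."""
    nv = bytearray(nv_src)
    nv[SERIAL_OFF:SERIAL_OFF + SERIAL_LEN] = serial_dst.ljust(SERIAL_LEN, b"\0")
    return nv


def demo() -> dict:
    unit_a, unit_b = b"B010101", b"B020202"      # constructed serials
    nv = blank_nvram(unit_a)
    key = make_key(unit_a, "1S")
    assert install_flag(nv, "1S", key) and install_key(nv, "1S", key)
    cloned = clone_into(nv, unit_b)
    return {
        "same_unit_flag": flag_enabled(nv, "1S"),      # True
        "same_unit_key": key_enabled(nv, "1S"),        # True
        "cloned_flag": flag_enabled(cloned, "1S"),     # True: the bit copies
        "cloned_key": key_enabled(cloned, "1S"),       # False: bound to unit_a
        "key_for_wrong_unit": install_flag(blank_nvram(unit_b), "1S", key),  # False
        "option_never_bought": key_enabled(nv, "2S"),  # False: slot still 0xFF
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats that follow from the thread itself. Scheme B only helps if the serial is anchored somewhere the attacker cannot also copy; free_electron notes that on the CSA scopes the serial lives in the NVRAM and is set over GPIB, so a cloned image could simply be matched by re-entering the original serial. And since `VENDOR_SECRET` has to be inside the firmware for the check to run at all, anyone with a firmware image can mint keys. Either way this is a speed bump against casual copying, not the potted, tamper-responding hardware described earlier in the thread, which is grumpydoc's point about the threat model. For the backup use case that started the thread, both schemes behave the same: once the image is saved and written back into a fresh chip, the same unit sees the same bits.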
 

alxnik
Re: Heavy duty procrastination
« Reply #16 on: September 23, 2013, 03:51:00 pm »
Although I cannot comment on this specific machine, having worked with chip & pin, keep in mind that we are talking about a whole other level of security.

These machines have a cryptoprocessor which holds the crypto keys in internal RAM, which are erased if a tampering attempt is detected or the battery is removed. But these cryptoprocessors, although they are ARM based, are purpose built. Also there are many, many false positives, and the maintenance cost is high enough that you really have to require that level of security in order to implement it.

Smartcards generally can hold symmetric & public keys and can execute crypto functions with these. In the chip & pin (EMV) case, they are used to encrypt sensitive data and sign them. However, even in this case, the communication itself is not encrypted because these cards are pretty slow.

Long story short: yes, this can be done. The probability that this scheme is implemented on non-banking/cryptographic machines is close to nil.
 

TerraHertz (topic starter)
Re: Heavy duty procrastination
« Reply #17 on: September 24, 2013, 06:41:43 pm »
Some more rack-procrastination. The roller base for the rack is now finished. See: http://everist.org/tales/20130924_rack_roller_base.htm

The pic below is a test fitting, before painting.
« Last Edit: September 24, 2013, 06:44:26 pm by TerraHertz »
 

Stonent
Re: Heavy duty procrastination
« Reply #18 on: September 24, 2013, 06:55:13 pm »
Older Sun Workstations used to store their MAC in a Dallas chip. If it went flat it would boot up with a MAC of FF:FF:FF:FF:FF:FF.
You could create a MAC at the boot monitor that would hold until the unit was power cycled. But yes those Dallas chips go bad after a while.

There are some guides where you can file away the edge of the chip and expose the battery pads and solder a coin cell to it.

http://www.tns-soft.com/nvram_redux.html

« Last Edit: September 24, 2013, 06:57:44 pm by Stonent »
The larger the government, the smaller the citizen.
 

SeanB
Re: Heavy duty procrastination
« Reply #19 on: September 24, 2013, 07:15:22 pm »
Neat welding there, makes my chicken scratchings look very bad.
 

TerraHertz (topic starter)
Re: Heavy duty procrastination
« Reply #20 on: September 25, 2013, 07:42:20 am »
I liked that rack (and the price) so much that today I bought another one from the same guy.
Turns out they have a contract to remove _many_ of these racks from some Sydney infrastructure, and so there are more for sale if anyone wants. Price is $45, and they come with sides, front and back doors, top, and a fan unit in the top. Except the fans are 48V DC, which will tell you what kind of infrastructure they are from. They are all identical, with dimensions 600 W x 900 deep x 1880 H.

The seller's email address (with permission to post here) is: rumeyj@yahoo.com

It's pick up only, in Kingsgrove, Sth Sydney.
Otherwise they get sent to scrap.
