As a comparison, I have a GPS that is quite old. We did have access to
the binary program as there were updates that we could apply. I don't
recall if we knew much about the format, but none of us had the
development tools, just this file. The problem was there was a constant
somewhere in the code that specified numbers for two WAAS satellites.
Those satellites had been taken offline permanently and now the WAAS
feature didn't work.
So we needed to figure out how to fix this.
How long do you think that took?
> 128kB target for a 64180 with 12 HW interrupts, some of them in the 10-
> 20kHz range. If you miss one IR, the programm will not run correct, so
> your results are nonsense.
>
> Yes, with header it's a little bit easier. In the described job of 1985,
> there where no headers in the target, so I can't find the word with the
> ADC constant by just searching for the name. I knew, that name and even
> know, that the constant change was the only mod of this word... but...
>
> I'm shure, you never tried reverse engineering of FORTH targets.
No, I have not reverse engineered a Forth program, but I don't see how
that is any harder than any other binary. It's just code. You have to
follow the execution and find the program structure, the data structure
and how the data is manipulated. It may be tedious, but it is never
impossible. Ask the NSA. What do you think it takes to write the code
that performs the crypto functions in portable equipment that might
become compromised? It is many orders of magnitude beyond what you are
describing.
> You have to single step and find out what and where NEXT is (assumed you
> know its a FORTH Target. Then you have to keep track of SP and RP
> (assumed, you know, it's FORTH) If you don't know, it's FORTH you are lost
> very soon. Especially if you don't realize, that it has 2 stacks.
>
> Then you can set a breakpoint to NEXT an trie to find out, what happened.
>
> That is not trivial on an embedded system with HW interrupts. Likely it
> won't work.
Don't ever fool yourself in thinking something is hard when you haven't
actually tried to crack it. Heck, I have seen so many things cracked
that were intentionally designed to be secure it's not funny. Why do
you think they passed the DMCA in the US? Because they simply *can't*
protect things by obscurity or even intentional encryption, so they made
breaking that encryption a felony... which is like locking your front
door, only keeps honest people honest.
>>>> Trade secrets are fine, but don't count on the simple security fuse. It
>>>> is not really a hard thing at all to get past those. Check on the web,
>>>> there are lots of examples of people opening chips and reverse
>>>> engineering if not outright reading the data inside or the chip design.
>
>>> But if you combine the security fuse with some words with a lot of stack
>>> juggling a flag ( DUP DROP ROT ROLL >R R@ R> pick -ROLL OVER DROP MUL DIV
>>> XOR MOD SHIFT -SHIFT 2* 2/ ... ) on the stack with nonsense data (I think
>>> 16 entries are terrible enough) and some seconds after starting the
>>> program, another stack juggling... you retrieve the flag and stop the
>>> program: "Checksum ERROR!"
>
>> I'm not sure what you are describing here. The security fuse is
>> supposed to stop you from being able to read the contents of the program
>> memory. But it only stops you from *reading* the program memory. There
>> are other ways of getting the contents if you want to spend some money.
>
> It's a scenario when someone break the fuse-bit and reads the content of
> the program memory...
I can't say I follow.
>>> I think that they need several days just to find out, that it is FORTH,
>>> especially if you don't have any hint to FORTH in your code and doc.
>
>> I'm not sure that is terribly relevant.
>
> If you don't know, it's FORTH you will be lost!
Hardly. It's just a bunch of either subroutine calls or jumps through
lists. I think someone would get the hang of that pretty quickly. It's
no rocket science.
>>> Another trick: put a serial number TO92 (DALLAS DSxxxx?) to the board and
>>> check this number, then you even couldn't clone the program.
>
>> Yeah, I've thought of that, but it is cumbersome and expensive to deal
>> with that in production.
>
> With the right strategy you can handle that in the final test of the
> system.
But it is extra time spent on every unit. Time is money and the DSxxxx
parts aren't as cheap as they should be. I've never seen one that is
under $0.50 at any quantity including the one that is barely more than a
serial number.
Besides, this is also not secure. If I have one of these boards, I can
find the key in the FPGA and set my own, or I can read the serial number
in the Dallas part and use my own MCU that outputs the same number in
the same way.
--
Rick C