Cold Boot

Newbie post here.
techno
Junior Member
Posts: 36
Joined: Wed Mar 05, 2008 10:12 pm
Location: Washington

Cold Boot

Post by techno »

It's been a few days and I've gotten no response. I guess it's safe to assume nobody has logged a Cold Boot yet.

Just figured that there should be all kinds of juicy info being moved to the box. Not saying that we would be able to understand what was actually taking place though.

Techno
krunkcraig
Junior Member
Posts: 164
Joined: Sun May 06, 2007 10:24 am
Location: Everythings bigger in Texas

Post by krunkcraig »

I'm sure somebody has, but how will you log what's happening?
techno
Junior Member
Posts: 36
Joined: Wed Mar 05, 2008 10:12 pm
Location: Washington

Post by techno »

Using SPILog.

From what I understand, if you change the UID of a unit to match that of another good unit, you should be able to log everything sent to the original unit without the unit you're using to log the data resetting.

Please correct me if I'm wrong...
usbbdm
Junior Member
Posts: 8962
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

You are right, if you faked a good UID, you can log SPI to that box. But the XC chip will reject the auth command.
techno
Junior Member
Posts: 36
Joined: Wed Mar 05, 2008 10:12 pm
Location: Washington

Post by techno »

That's fine...

Once the cold boot is logged I should be able to step through one command at a time, logging the response from XC. I would of course have to reload SPI back into RAM after the initial reset though. Then continue one at a time. This taking place on the original unit of course.

I do wonder if the unit with the fake id would at least reset with a cold boot start though. There are obviously commands that can be sent to any unit regardless of their id.
drknebula
Junior Member
Posts: 108
Joined: Thu Feb 01, 2007 6:13 pm
Location: Orion constellation

Post by drknebula »

That's a cool idea...I would think one would have to code a program to log the responses from the XC that runs in RAM unless the data exchanges can be observed from a memory range or by looking at certain registers at the end of each step. Perhaps Usbbdm already has some assembly code somewhere that logs XC chip output...?
krunkcraig
Junior Member
Posts: 164
Joined: Sun May 06, 2007 10:24 am
Location: Everythings bigger in Texas

Post by krunkcraig »

He probably doesn't, so let's make one and deliver data through RS232/serial port. USB could probably provide us with the code for the serial port since spi and it probably won't take more than 100 lines. Possibly a better research project, but isn't there some sort of hardware that watches for copying of this data?
drknebula
Junior Member
Posts: 108
Joined: Thu Feb 01, 2007 6:13 pm
Location: Orion constellation

Post by drknebula »

Hmm...I will be surprised if the box has security features to prevent access to the XC <-> CPU data exchanges. If there is a direct link between the chips, I would think any data exchange would result in that data going straight into CPU registers or an address range in memory. Usbbdm, do you have any insight into this? Is it possible to do what we are talking about?
techno
Junior Member
Posts: 36
Joined: Wed Mar 05, 2008 10:12 pm
Location: Washington

Post by techno »

I believe this could probably be done easily with XC Mangler...
duffy
Junior Member
Posts: 101
Joined: Fri Mar 31, 2006 12:15 pm

Post by duffy »

Not sure if XC Mangler is firmware related? Cold fire may help us to understand how it works and, if that's the case, on which model and firmware rev it can work?
duffy
Junior Member
Posts: 101
Joined: Fri Mar 31, 2006 12:15 pm

Post by duffy »

krunkcraig wrote: He probably doesn't, so let's make one and deliver data through RS232/serial port. USB could probably provide us with the code for the serial port since spi and it probably won't take more than 100 lines. Possibly a better research project, but isn't there some sort of hardware that watches for copying of this data?

Yes krunkcraig, there is a thread somewhere in this forum that mentions this kind of external device, but I don't remember if a user can open the com coming and going from the XC to reply any boot in real time to the MCU?
haute
Junior Member
Posts: 80
Joined: Mon Jan 09, 2006 9:31 am

Post by haute »

Hi, if we can modify the function DViCAInitCCPPAddrFilter and not add any UA filter, we can receive all auth commands of other UAs, to study them.
Is it possible?
Thx
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago
Contact:

Post by tester5 »

It might be an interesting point... but I believe the XC chip is hardware and not software (settings are built into it). It has one way to do things and that is with the proper key....

I wasted a lot of time trying all kinds of stuff....
techno
Junior Member
Posts: 36
Joined: Wed Mar 05, 2008 10:12 pm
Location: Washington

Post by techno »

Those keys had to be written after the XC and battery were installed. If the keys were not in ram there would be no reason for a battery and you wouldn't get E-11 if the battery fails.

You may not be able to read the keys but there has to at least be a way to write them.
krunkcraig
Junior Member
Posts: 164
Joined: Sun May 06, 2007 10:24 am
Location: Everythings bigger in Texas

Post by krunkcraig »

So each chip has four checksums. Each box is programmed after the battery is installed. UID is coded in the XC chip. Maybe we could disable the security catch, isn't there a supervisor mode? Then we have the ability to copy the data from the RAM. I know people have studied the way the XC talks to the Broadcom.