drfuh5.htm: treatment on the hardware side of accessing eeproms

Treatment on the hardware side of accessing eeproms
by Dr Fuhrball
5 February 1998
Courtesy of Fravia's page of reverse engineering
			Back to Dr Fuhrball's
Back to project 3			Marx Crypto Box the most Secure device ever made
Fravia+ has asked for a treatment on the hardware side of
accessing eeproms. Here it is.

I believe that although this belongs in the dongle section it
also belongs in a new section on cracking hardware. 
The HCU need to expand their horizons to include cracking chips
that include (among others ) pic16xx, dallas 5000, atmel 89c52.
(yes they are all crackable without an ic foundry)


First a small parallel port primer

(quoting from the IBM technical reference 1984)

The parallel printer port consists of an 8 bit output port
(later turned into bi-directional) and a number of handshake
lines. 4 output handshake lines (strobe, auto feed, init, and
select) are all open collector with 4.7k pull up resistors to
+5 volts. There are also 4 input handshake lines (slct, busy,
pe, and ack) The last of which ack is pulled up with two
4.7k resistors in parallel (2.35k).

There exists no power line as such. So dongle designers have
to be creative. Small amounts of power can be pulled off of the
lines with the pull up resistors. The result is that chips used
in dongles must be extremely low power. Therefore cmos chips are
highly desired (cd4000 series, 74c series). In addition many
keys that use storage, have to use the ultra low power eeproms
that are available.

It is also true that pass thru dongles must not adversely affect
the printer which is also attached. This leads to further creativity.


Various timing diagrams for these devices can be found at
microchips web site. (http://www.microchip.com)

here is a copy of the schematic for the software sentinel c plus
(an older version part of which is inside the sentinel pro)
The software sentinel pro is the only key i know of that REALLY
uses a custom designed integrated circuit for the job. All other
keys i have seen use standard chips. (Marx dongles included, 
reguardless of what they say)

I apologize in advance for the poor quality of these schematics.
I no longer (temporarily) have the ability to translate hpgl directly
into gif files. And my scanner and i are not getting along.
download the original Dr Fuhrball's gif1.gif (drfugif1.gif = 70418 bytes) 
shiftclicking here, since, unfortunately, this 
gif seems to cause problems inside some version of Netscape, you may 
alternatively see on-line this RESIZED version of it

Here is a copy of the schematic for the microphar and protec
keys. A much more simplified version, but quite real none the less.
download the original Dr Fuhrball's gif2.gif (drfugif2.gif = 35315 bytes) 
shiftclicking here, since, unfortunately, this 
gif seems to cause problems inside some version of Netscape, you may 
alternatively see on-line this RESIZED version of it


And here is a copy of some keys I built for various purposes.
download the original Dr Fuhrball's gif3.gif (drfugif3.gif = 43675 bytes) 
shiftclicking here, since, unfortunately, this 
gif seems to cause problems inside some version of Netscape, you may 
alternatively see on-line this RESIZED version of it


Notice that all these devices have some things in common.
they all steal power from the strobe line, and they all put data
back on one of the input lines.

here is an example of some really trashy dos basic stuff
to talk to these devices.

5 REM Software Sentinel C plus rev B
6 REM change 18 to rbit=abit for rev A
7 REM change 540 to abit for rev A
8 REM change 560 to <> for rev A
10 port = &H378
11 sport = &H379
12 cport = &H37A
13 ibit = &H4
14 sbit = &H1
15 bbit = &H80
16 abit = &H40
17 sbith = &HFE
18 rbit = bbit
19 DIM resp(64)
20 GOTO 2000
50 FOR k = 0 TO 63
100 a = INP(cport)
110 OUT cport, (a OR ibit) AND sbith
120 GOSUB 6000
130 FOR j = 1 TO 8
140 GOSUB 7000
160 NEXT
170 GOSUB 6000
180 GOSUB 8000
200 GOSUB 7000
300 index = &H20
310 IF (k AND index) = 0 THEN 400
320 GOSUB 8000
350 GOTO 420
400 GOSUB 7000
420 index = index \ 2
430 IF index <> 0 THEN 310
450 response = 0
500 FOR index = 0 TO 15
510 GOSUB 7000
530 response = response * 2
540 status = (INP(sport) AND rbit)
560 IF status = 0 THEN 600
570 response = response + 1
600 NEXT
604 resp(k) = response
610 NEXT
620 FOR k = 0 TO 63
625 PRINT CHR$(resp(k) - ((resp(k) \ 256) * 256));
630 PRINT CHR$(resp(k) \ 256);
660 NEXT
670 PRINT
700 RETURN
1000 a = INP(cport)
1010 OUT cport, (a OR ibit) AND sbith
1020 GOSUB 6000
1030 GOSUB 7000
1050 GOSUB 7000
1070 GOSUB 8000
1090 GOSUB 8000
1110 FOR j = 1 TO 15
1120 GOSUB 7000
1140 NEXT
1200 FOR k = 0 TO 63
1210 GOSUB 6000
1220 GOSUB 7000
1240 GOSUB 8000
1260 index = &H20
1270 IF (k AND index) = 0 THEN 1310
1280 GOSUB 8000
1300 GOTO 1330
1310 GOSUB 7000
1330 index = index \ 2
1340 IF index <> 0 THEN 1270
1350 index = 32768
1360 IF (resp(k) AND index) = 0 THEN 1400
1370 GOSUB 8000
1390 GOTO 1430
1400 GOSUB 7000
1430 index = index \ 2
1440 IF index <> 0 THEN 1360
1450 OUT port, &HFF
1460 SLEEP 1
1470 NEXT
1500 RETURN
2000 PRINT "Bust a dongel options"
2010 PRINT "read  = 0"
2020 PRINT "write = 1"
2025 PRINT "stop  = 2"
2030 INPUT a
2040 IF a = 0 THEN 2100
2050 IF a = 1 THEN 2200
2060 IF a = 2 THEN 2300
2070 GOTO 2000
2100 GOSUB 50
2110 GOTO 2000
2200 GOSUB 1000
2210 GOTO 2000
2300 STOP
6000 OUT port, &HFF 'clock high data high select off
6010 OUT port, &HFC 'clock low data low select off
6020 OUT port, &H5C 'select on
6030 OUT port, &H5D 'clock high data low
6040 OUT port, &H5E 'clock low data high
6050 OUT port, &H5F 'clock high data high
6060 RETURN
7000 OUT port, &H5C 'clock low data low
7010 OUT port, &H5D 'clock high data low
7020 RETURN
8000 OUT port, &H5E 'clock low data high
8010 OUT port, &H5F 'clock high data high
8020 RETURN
Back to project 3
Back to Dr Fuhrball's
Marx Crypto Box, the most Secure device ever made
links
Is reverse engineering legal?