We are reverse engineering the BIOS and EC firmware of an old laptop in order to create a keygen for their password recovery mechanism.
slides-recon-2018.pdf (Adobe Portable Document Format, 5.28 MB, 04/12/2018 at 11:15)
Earlier this year at the Recon conference in Brussels, Redford and I gave a talk about this project. While a full writeup is still pending, the slides of the presentation are freely available here.
After another long hiatus, I've come back to this project. Let's break this thing!
I've etched a new board that lets me access the important pins (serial TX, RX, CLK, BUSY; RST and the power lines) without having to fiddle with the previous hacky breakout board.
I then attached an STM32F303RE on a Nucleo board as a general interface board to the EC's serial and reset lines. I also attached a ChipWhisperer with a shunt sensor board to the EC's power line. And finally, I added an oscilloscope to the voltage shunt and a logic analyzer to the serial lines, for good measure.
After checking connectivity to the bootrom and that I was getting power traces, it was time to dive in.
The EC has a 7-byte ID code that it keeps in flash. This code is used by the built-in bootrom to allow/deny access to the flash via the 'Standard Serial I/O' protocol for programming (selectable via M0/M1 straps). If the programmer does not provide the code, no flash dump/write access is allowed.
The serial protocol is synchronous. The clock comes from the programmer, and the EC exposes a Busy line used to signal whether it's ready to receive commands.
To unlock the flash, the programmer sends 12 bytes: a command prefix (0xF5), the address of the ID code (?, 0x0FFFDF), the length of the ID code (?! 7) and the 7 bytes of the ID code.
After the programmer sends the ID code check function, another command (0x70) can be used to check whether the ID code verification succeeded.
At first I tried a power-trace side-channel attack on the moment the bootloader checks the password (since I had a ChipWhisperer lying around gathering dust), but my makeshift shunt probe was just too noisy.
So, before having to redesign the makeshift probe into something more useful, I figured it might be easier to try a simpler timing attack first. I quickly made the STM32 measure the time between the last bit of the code being sent and the busy line being deasserted again (which takes quite a bunch of cycles after the last ID byte is received, hmm). Just looking at the data directly didn't make me optimistic, as all the results were jittery at first glance. However, I sent the data over (50 measurements per first byte, iterating over all 256 values) to Redford. To my surprise, he was able to find an outlying byte - 0xFF!
After running the measurements a few more times, we were quite sure that the timing was indeed different when the first byte of the key is 0xFF. I then disconnected the EC from its 16MHz crystal and hooked it up to a signal generator, which I clocked down to a 666KHz square wave. With the chip now running slowly, I was able to quickly discern the time difference when measuring the time-until-not-busy for each possible byte of the key:
After bruteforcing the rest of the bytes, one at a time, I was able to find out the key: 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0xFF, 0x00.
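The leak behind the measurements above, as an added example that is not the EC's bootrom code or the project's tooling: an early-exit ID-code compare beside a constant-time one, with the median-per-candidate outlier test run over constructed noisy "time until BUSY deasserts" readings. The cycle costs, the noise level, the zero padding for untested bytes and DEMO_CODE are all assumptions made for the model.

```python
import random
import statistics

CODE_LEN = 7
SAMPLES = 50              # measurements per candidate value, as in the log
JITTER = 2.0              # std-dev of constructed measurement noise, in cycles
STEP = 6                  # constructed cost of one load/compare/branch step
DEMO_CODE = bytes([0xA5, 0x00, 0xFF, 0x3C, 0x00, 0x7E, 0x81])  # constructed, not the real ID code
random.seed(2018)         # fixed seed so the constructed noise is reproducible

def early_exit_check(candidate, secret):
    """Check that bails on the first mismatch: cycles depend on how many bytes matched.
    A full match also pays one more STEP to record the 'accepted' flag."""
    cycles = 0
    for a, b in zip(candidate, secret):
        cycles += STEP
        if a != b:
            return False, cycles
    return True, cycles + STEP

def constant_time_check(candidate, secret):
    """Same decision, but every byte and the flag write are always processed."""
    diff = 0
    for a, b in zip(candidate, secret):
        diff |= a ^ b
    return diff == 0, STEP * (len(secret) + 1)

def measure(check, candidate, secret):
    """One noisy 'time until BUSY deasserts' reading for a candidate code."""
    return check(candidate, secret)[1] + random.gauss(0, JITTER)

def outlier_byte(check, secret, known, threshold=STEP / 2):
    """Try all 256 values at position len(known), padding the rest with zeros, and
    return the value whose median timing stands apart, or None if timing is flat."""
    pos = len(known)
    medians = {}
    for v in range(256):
        cand = known + bytes([v]) + bytes(CODE_LEN - pos - 1)
        medians[v] = statistics.median(measure(check, cand, secret) for _ in range(SAMPLES))
    baseline = statistics.median(medians.values())
    v, t = max(medians.items(), key=lambda kv: abs(kv[1] - baseline))
    return v if abs(t - baseline) > threshold else None

def recover(check, secret):
    """Byte-at-a-time walk as in the log; returns only what the timing gave away."""
    known = b""
    while len(known) < CODE_LEN:
        v = outlier_byte(check, secret, known)
        if v is None:
            break
        known += bytes([v])
    return known
```

`recover(early_exit_check, DEMO_CODE)` returns the whole code, while `recover(constant_time_check, DEMO_CODE)` returns nothing, because with the constant-time compare no candidate's median timing stands out from the others.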
How anticlimactic. But yes, after making my STM read bytes from the EC reliably, we now have a flash dump of the EC.
That was easy. Now, onto reverse-engineering M16C code.
In the meantime, a photo of the poor Embedded Controller on the torture^Whealing bench.
Yes, it's still alive :).
Some progress has been made the past few days on the actual Renesas EC chip. A detailed log will probably follow in the upcoming few days, once I get the chance to take a few pictures and screenshots.
In 2014 I etched a PCB to mount the EC on after desoldering it from the mobo. I know this, because it says 'q3k delineavit 2014'. It is now 2016, and I finally managed to hook it up to a Bus Pirate and issue it a few Standard Serial I/O commands. As predicted, though, it is locked. However, the next step is to use my shiny new ChipWhisperer to snap a few power traces while we feed it data.
First things first, I will have to figure out how to make the ChipWhisperer talk the weird synchronous-UART protocol that the EC bootrom uses.
By the way, the chip is a Renesas M306K9FCLRP.
Still alive! Quick update!
Well, it turned out this TLCS-870 was probably only the power management controller, and a very nice red herring. Whoops.
However, we have some suspicion about a Renesas chip on the board, also a uC, which might be the real embedded controller. We still need to start messing around with it, but we're both out of time, as usual. However, do expect some differential power analysis side channel attack stuff soon. Very soon.
Redford did a whole lotta work reverse engineering the BIOS code and figured out that most of the interesting stuff (password check, challenge/response for lost password) is actually done by something off the main x86 processor. We figured out that it's probably the EC/KBC (Embedded/Keyboard Controller) which we found earlier on the laptop mainboard.
The controller is a generic microcontroller, with a bit of a twist: it's a pretty obscure one. It's labeled as a TMP87PH48, which is a programmable version of the TMP87CH48. Never heard of it? Neither had we.
As it turns out, it's based off the "TLCS-870" architecture, which is somewhat like a weird Z80. We quickly skimmed through some specs we found for the CPU core itself, decided that it's probably powerful enough to run password verification code, and started figuring out what to do next.
Usually, the CH48 model is a mask-ROM model. Thankfully, our laptop shipped with the PH version, which is one-time programmable by the user. And, thanks to that, it actually contains a programming and verification interface. As it turns out, if you pull one of its pins low, it can be treated as a generic PROM chip. This means we can read out the code from the chip just by asserting a 15-bit address on a port and reading out 8 bits of data on another port. Easy!
Since I didn't have an oldschool (EE)PROM programmer on hand, I quickly hacked together my own, the result of which can be seen in the picture at the beginning of this article - most of the jumper cables are address and data lines, some are just used to strap other pins to +5V and GND (a requirement from the chip datasheet). The home-etched board contains the EC from the laptop, soldered out with a Hot Air gun, then soldered into the board. The design of this (generic) board was done in KiCAD.
The programmer/reader interface is very basic - just a Spartan6 FPGA with a bit of Verilog to receive an address (one byte, then multiplied by 0xFF) over UART from a PC, then reply with 256 bytes of data read from the EC starting from the requested address. The code is available at https://code.hackerspace.pl/q3k/ec-prom-dump/. A quick and dirty Python script dumped all 32kbytes of memory a few times to check for read errors.
The code could easily have been written for a microcontroller with a lot of I/O pins (or with an I/O multiplexer) - I just had an FPGA on me, so that's what I chose. And, of course, a cheap EEPROM programmer would also do the job.
And then, after all of this, we saw dumps. Bit-flipped, but statistical analysis will help us with this. As far as I know, Redford has already combined 16 read passes into one file, which shows a high likelihood of 100% accuracy.
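Combining several bit-flipped read passes into one image, as done above with the 16 passes, as an added example that is not the project's own script: a per-bit majority vote that also reports which bytes were contested, so the reader can judge how trustworthy the result is. The 256-byte ROM, the flip rate and the seed in `demo` are constructed.

```python
import random

def majority_vote(dumps):
    """Merge equal-length dumps of the same ROM by per-bit majority.
    Returns (image, contested): contested lists (offset, bitmask) for every bit
    that was not unanimous across passes. Ties (even pass count) resolve to 0."""
    if not dumps:
        raise ValueError("need at least one dump")
    size = len(dumps[0])
    if any(len(d) != size for d in dumps):
        raise ValueError("all dumps must be the same length")
    n = len(dumps)
    image = bytearray(size)
    contested = []
    for off in range(size):
        ones = [0] * 8                      # how many passes saw a 1 in each bit
        for d in dumps:
            for bit in range(8):
                ones[bit] += (d[off] >> bit) & 1
        byte = disputed = 0
        for bit in range(8):
            if ones[bit] * 2 > n:           # strict majority says 1
                byte |= 1 << bit
            if 0 < ones[bit] < n:           # at least one pass disagreed
                disputed |= 1 << bit
        image[off] = byte
        if disputed:
            contested.append((off, disputed))
    return bytes(image), contested

def flip_random_bits(data, count, rng):
    """Constructed read noise: flip `count` random bits in a copy of `data`."""
    out = bytearray(data)
    for _ in range(count):
        out[rng.randrange(len(out))] ^= 1 << rng.randrange(8)
    return bytes(out)

def demo(passes=16, flips_per_pass=6, seed=2014):
    """Construct a 256-byte ROM, dump it `passes` times with bit flips, and vote.
    Returns (recovered_exactly, number_of_contested_bytes)."""
    rng = random.Random(seed)
    rom = bytes(rng.randrange(256) for _ in range(256))
    dumps = [flip_random_bits(rom, flips_per_pass, rng) for _ in range(passes)]
    image, contested = majority_vote(dumps)
    return image == rom, len(contested)
```

With 16 passes and a handful of flips per pass, the vote recovers the image exactly while still flagging every byte that any pass read differently; a contested byte whose vote is close to a tie is the one to re-read.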
Now for more reverse engineering. We still don't know where the actual password is stored - this uC does not have any nonvolatile memory...
Toshiba Satellite Pro U200
PC serial no: 66866181G
Challenge code: ML9KF-6M7WJ-W5W5N-9TK0P-76EAP
Response code: ???????
Can you help me?
Hi, I don't know if this thread is alive, but I need help.
My laptop is a Tecra Z50-A-18M.
Serial is 1F031654H.
Challenge: VGR1A-D68RQ-QEJTJ-CDVLT-ULM7A
I am also restarting the laptop to see if I can get the same challenge as some of you have, so that I can give a response. If you see this, please reply so that I know this is still active.
#Unlock #Toshiba #Tecra, #Satellite , #Portege , #Satellite, #Qosmio #Bios #Password
With #Challenge Code and #Response Code
1. Switch on the notebook; when the boot logo appears, press [F2]. "Password=" will be displayed.
2. Press keys in the order [CTRL], [TAB], [CTRL] and [ENTER]. The serial number and challenge code will be displayed.
Please note: for some reason it can happen that no PC Serial No. and Challenge Code are displayed and "Not Certified" appears instead. In this case remove the AC adapter and the battery for a short time and try again.
3. Please make the payment below or contact me. My Skype: haisung4344
VERY IMPORTANT: Do not power off the computer once you provide us with a Response code. There is a unique Response code. Don't turn off your notebook, don't restart it, don't enter anything except the generated Response code.
4. You will receive the "Response code".
Hey guys. Nice job!
Did you really write Python code to generate the response code?
I have a Tecra R840 and it is not working because of a password protection.
Can you help?
Thanks, and great job!
Thanks for all the info in this post.
I also have an old Portege R100 with bios password. Can you please provide a response code for it? The Challenge code is 03C5R-VV2K7-QYQTP-5UTXY-U38A9.
Thanks for this awesome post, and I am really happy to be here on this post.
Visit us to read and learn how to take a screenshot on a Toshiba laptop:
http://www.toshibasupportphonenumber.com/blog/how-to-take-a-screenshot-on-a-toshiba-laptop/
Can you help me? Challenge code: 5pgw5-1kwt1-61rhm-ujv5e-qe0bl
When will you release the generator to the public? I want to unlock my old Toshiba.
challenge Code : UDEFF-PJ6D3-ERE62-7NB7H-WAF2M
response: JH0QK-TRAK3-L559Q-WH6GR-ANJ5Y
challenge Code : J899H-GNL8Y-YW028-5PCXJ-HHDF1
response: 08P2J-EB08M-WT5B1-CKTXA-8CH7L
Challenge Code : 754BM-VWJRT-XR1CL-67EL2-GJE20
response: HWJ81-JEC7N-TNRW8-D63NY-L8NRJ
Challenge Code : EM9F2-GBLKE-8WAG9-7GJ45-XMNRU
response: U60LG-XTG21-LEBG5-E29TU-9HJJA
New challenge code: 06D2L-DV5MX-492G3-BMTE6-BEFJM
Response code: DWWYL-CR5T9-1XJTQ-0FKJL-NB8FG
New challenge code: 745BM-VWJRT-XR1CL-67EL2-GJE20
Response code: HWJ81-JEC7N-TNRW8-D63NY-L8NRJ
Could you guys shed some light over here?
I have an old Tecra A9 which is locked, have tried a couple of things without success.
PC Serial No. = 87076886H
Challenge Code = 24DEB-W85N4-N3AGD-NCU3U-XHG0C
Response Code = ??
Picture with Challenge: https://ibb.co/iqbhYx
I appreciate any help, computer is powered on.
Thanks,
AAAC
UPDATE: Had to shut it off after 36+ hours.
Google cannot find any information about the response code for Toshiba.
Hi friend,
I need to remove a password.
Thanks in advance.
PC serial no = 16032907H
Challenge code = 2VX0P-1QJ85-Q89PK-WKQBB-XHWLW
Response code = ????
Note: the character in the challenge code is a zero, not an O.