A83: Flash Mem
Here's a small synthetic article on everything known on flash mem:
Unlocking flash mem requires sending a "1" to port 14h and a bit of preliminary code, but the Z80 will cause an exception if a "1" is sent to 14h from outside pages 1Ch, 1Dh and 1Fh.
Also, TI has protected its code very well: the unlocking sequence is not a ret-terminated routine but is included before every different type of flash use, i.e. spoofing code is surely going to be hard. After each unlocking sequence, there's also a call to 01A9h, a routine that checks the ROM page, the stack, interrupts...
For the moment I'm not sure whether the "NOP" code following the out to 14h is needed or not. If not, one could search for nice pieces of code such as OUT (C),A / RET... But if that code is needed, we're nearly out of luck. Nearly, since page 1Fh, alias boot code (and thus unchangeable, I think), contains many, many segments of unlocking code; one just has to find the right one. Otherwise, spoofing is the last chance.
Then again, serious cryptology like RSA requires really LARGE numbers. With 99 numbers you get ln(10^99)/ln(2)=99ln(10)/ln(2)=328 bit encryption, which is quite strong, but I'm talking about a 99 number key; with the exponents, you need to handle quite larger numbers, even though there is a modulo. Wanting to be serious, I reinstalled my base code (also because I wrecked it trying to send a modified .hex file) and I timed the validation sequence: it took 10.58 seconds for validating a 512kb stamp certificate. I can't really believe that TI used RSA. I think that they're closer to something like CRC, and that the strength of their system lies in the hardware limitation on reading page 1Eh.