CRP on other than LPC2292 please substantiate your "believe"

Started by lpc2100_fan March 19, 2007
Jaya,

while I would really like you to get a chip and board LPC2292 from
somebody and then publish that protected code, I wonder how you arrive
at the conclusion that the same CRP issues, if they exist, also exist
for other devices.
Quote from your posting:
"I BELIEVE this vulnerability that exists on LPC2292 is generic to
most, if not all, variants."
Do you consider such a statement, made without having investigated the
facts, to be scientific? You are working at a university; could you
publish any scientific report with an "I believe..." statement when you
have the opportunity to check whether or not your statement is correct?
You posted a few comments to the LPC2378. Could you please confirm
that you were (not?) able to do the same procedure you did for the
LPC2292?

So, to substantiate your claim that you can read out protected
customer code from other LPC2000 devices as well and as you have
obviously worked with the LPC2378, that would be an interesting
candidate.

Bob

--- In l..., "lpc2100_fan" wrote:
> Jaya,
>
> while I would really like you to get a chip and board LPC2292 from
> somebody and then publish that protected code,

Please organise one for me. Meanwhile it is best not to speculate and
get things wrong.

> I wonder how you arrive
> at the conclusion that the same CRP issues, if they exist, also exist
> for other devices.
> Quote from your posting:
> "I BELIEVE this vulnerability that exists on LPC2292 is generic to
> most, if not all, variants."

I was responding to a question as to my opinion. I was NOT making a
statement.

> Do you consider such a statement, made without having investigated the
> facts, to be scientific? You are working at a university; could you
> publish any scientific report with an "I believe..." statement when you
> have the opportunity to check whether or not your statement is correct?
> You posted a few comments to the LPC2378. Could you please confirm
> that you were (not?) able to do the same procedure you did for the
> LPC2292?

Your imputation is based on false premises.

Although I have looked into, and have copies of, Boot Loaders from the
2103, 2105, 2148, 2212, 2292, and 2378, ANYONE could have replaced the
Boot Loader on these parts before SILL was used to extract the images.

The ONLY Boot Loader that I am satisfied came direct from the
manufacturer is that on my LPC2292.

I DO NOT have any other part with me at the moment, with or without
validated Boot Loaders, on which to carry out experiments assuming I
have the time to do this.

For the above reasons, I restricted my claim to LPC2292/1.64 only.

> So, to substantiate your claim that you can read out protected
> customer code from other LPC2000 devices as well and as you have
> obviously worked with the LPC2378, that would be an interesting
> candidate.

I did not make the "claims" you attribute to me.

If NXP already knew of this vulnerability, and fixed it in subsequent
versions of the Boot Loader, it is quite obvious the method is not likely
to work on these "other" parts.

If NXP does not know of this vulnerability, what I was able to do on
my LPC2292 is likely to work on any of the "other" parts. It is quite
unlikely that a defect of this nature is accidentally fixed.

> Bob

Regards,

Jaya

PS: As to the insinuation by another poster that I was exploiting
the situation for commercial benefit, let me make two points:

1/ I do not run a business selling SILL that breaks CRP.

[The version of SILL that alerted me to this vulnerability has been
withdrawn, and the NDA/SLA renders its distribution, whatever the purpose,
unlawful.]

2/ No version of SILL that breaks CRP is available for sale.

Jaya,

personally I thought the original post wasn't too clear, but you then
cleared up what you meant in subsequent posts from what I can see. Some of
the assumptions various people have made seem a little off the wall; however,
the underlying issue still appears to remain. If you have managed to gain
access to the bootloader such that you can replace it without having to
erase the contents of flash, then all I want to know is: have you handed over
your findings to NXP, and have they acknowledged receipt of them? If so,
then I guess all we can do is wait to hear from them, either directly or via
yourself.

Assuming you have managed to get in contact with NXP and explain the process,
I would expect they have a much larger scope of parts to test out your
concerns than us trying to mail you a board in the post. Hopefully
we'll hear back soon.

Andy

-----Original Message-----
From: l... [mailto:l...]On Behalf Of
jayasooriah
Sent: 19 March 2007 05:54
To: l...
Subject: [lpc2000] Re: CRP on other than LPC2292 please substantiate your
"believe"
--- In l..., "Andrew Berney" wrote:
>
> Jaya,
>
> personally I thought the original post wasn't too clear, but you then
> cleared up what you meant in subsequent posts from what I can see. Some of
> the assumptions various people have made seem a little off the wall; however,
> the underlying issue still appears to remain. If you have managed to gain
> access to the bootloader such that you can replace it without having to
> erase the contents of flash, then all I want to know is: have you handed over
> your findings to NXP, and have they acknowledged receipt of them? If so,
> then I guess all we can do is wait to hear from them, either directly or via
> yourself.
>
> Assuming you have managed to get in contact with NXP and explain the process,
> I would expect they have a much larger scope of parts to test out your
> concerns than us trying to mail you a board in the post. Hopefully
> we'll hear back soon.
>
> Andy
>

Andy,

I'd very much agree with what you said. The idea I floated of sending
a unit to see if it could be done was just an idea to clarify the
original post.

Jaya has made many claims in the past, and to my mind the only way to
substantiate a claim "CRP is broken" is to prove you can do it. There
are two ways to prove something like this: (a) describe how it's done
so others can confirm, or (b) get someone to supply a protected unit
and tell them what's on it (the only way to do so being if CRP is
indeed broken). Clearly, the first option is a bad idea in this case:
it's in nobody's interest to see the details of how CRP might be
compromised published.

Having said that, I didn't actually think it necessary to go through
the procedure: just to get a simple yes/no answer to the question of
whether, if someone were to send a unit, it could be read. The answer
came back as "yes". I see no reason to doubt Jaya on this point. To do
otherwise would be to call him a liar or a fool, which I certainly
won't do. (As an aside, I'd ask others to back off on such abuse as
well: you know who you are.)

My experience of Philips/NXP is that they are very interested in
hearing about problems with their devices, will work closely with
outside parties in tracking down potential problems and are in
general both responsive and interested in resolving issues.

Although they monitor and occasionally contribute to this forum, it
is by no means an "official" support channel. For example, there's
no knowing whether anyone in NXP has even seen any of the recent
posts.

My own recommendation would be for Jaya to engage with Philips/NXP
directly using official support channels and both parties to report
back with findings.

Brendan.

Aye, in the past the issue was that Jaya had conjectured there were ways
that the CRP could be compromised but didn't appear to have physically done
so; this led to a rather unfortunate thread. It would appear now, however,
that he's found a different bug on the same theme that he's physically proved
to be a problem on his 2292 based board. That's a completely different
situation, and one that's rather concerning for those of us in markets where
our Korean competition takes great delight in ignoring such things as
patents and copyright...

I'd hope Jaya has managed to get in touch with NXP directly, as his findings
are definitely very sensitive, and I guess we'll just have to wait to hear
from either him or NXP themselves on the outcome. I'm pretty sure if this
isn't an isolated case then NXP will be very interested / concerned, so we
should hear from them. I'll certainly await any developments Jaya reports
with interest.

Andy

-----Original Message-----
From: l... [mailto:l...]On Behalf Of
Brendan Murphy
Sent: 19 March 2007 11:44
To: l...
Subject: [lpc2000] Re: CRP on other than LPC2292 please substantiate your
"believe"