Howdy y'all, I've been doing a bit of work with the BSL, mostly Version 2.12 which I dumped from an MSP430FG4618, disassembled, and annotated.
--The BSL password isn't beneath the IVT, it *is* the IVT.

--There is an unprotected command, Mass Erase, which erases all of memory. The idea is that you should be able to replace the firmware, but not to extract the firmware, as you could always replace the whole chip on any board. Once memory is erased, every bit of the IVT--and thus the password--becomes 1.

--In very recent versions of the BSL, you can set a flag in flash to password-protect the Mass Erase command.

--Versions 1.60 and 1.61 are the best candidates for brute-forcing, as they have an unprotected command, Change Baud Rate, for writing directly to the clock registers. Earlier versions have no such command, while later versions require the password to be sent before the baud rate is changed. Supposing only 40 bits of the password are random and you are attacking a chip which is clocked to 16 MHz, it will still take 32 years to guarantee a break. It can be made a bit faster, but not so much as to make brute forcing practical.

Gotchas:

--Version 2.12 is vulnerable to a side-channel timing attack. 2.01 and earlier are not.

--If you are blowing JTAG and expect the BSL to protect cryptographic keys, realize that the key is not part of the IVT and therefore it is not part of the password.

--rand_int.pl, attached, will randomize the interrupts by making them point to branch instructions that direct back to the real address.

For more details on BSL brute forcing, see http://travisgoodspeed.blogspot.com/2008/06/msp430-bsl-passwords-brute-force.html

For the official docco, http://www.google.com/search?q=slaa089

Cheers,
--Travis Goodspeed

Gunther Lemm wrote:
> There was a discussion about the security fuses and some enhancements of
> the BSL password protection on the MSP430 day 2008 in Berlin. I only
> remember some basic info:
>
> - you can only blow the JTAG security fuse once because it's a physical
> fuse. so there's no way to reset these fuses.
>
> - the BSL password is stored at a memory address just before the
> interrupt vector table (take a look at the device specific datasheets
> because the location depends on 32/64 byte vector table size)
>
> - AFAIR there is some brute force password cracking protection in
> msp430f2xxx devices
>
> - there is a way to reset the BSL password, but this also deletes the
> complete flash contents (don't ask me how to do it)
>
[Attachment: rand_int.pl (Perl program)]
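The two hardening points in the post above (the IVT is the password, so a Mass Erase turns it into all ones, and rand_int.pl adds entropy by pointing every vector at a branch trampoline) as an added Python example; this is not Travis's rand_int.pl and is not part of the original message. It assumes a 32-byte vector table at 0xFFE0 (as on the MSP430FG4618), the documented "BR #addr" encoding (opcode word 0x4030 followed by the target), and an assumed free flash range 0x4000..0x4FFF for the trampolines; the handler addresses in EXAMPLE_VECTORS are constructed, and on a real build the free range comes from the linker map.

```python
import math
import random
import struct

# 32-byte IVT: 16 word vectors at 0xFFE0..0xFFFE, the last one is the reset
# vector.  These 32 bytes are exactly what the BSL compares as the password.
IVT_BASE = 0xFFE0
IVT_WORDS = 16
ERASED_WORD = 0xFFFF   # what every vector reads after a Mass Erase
BR_OPCODE = 0x4030     # "BR #addr" == "MOV #addr, PC": opcode word, then target word

# Constructed example table (not from any real firmware): three used vectors,
# the rest unused.  Index 15 is the reset vector.
EXAMPLE_VECTORS = [ERASED_WORD] * IVT_WORDS
EXAMPLE_VECTORS[0] = 0x3200
EXAMPLE_VECTORS[8] = 0x3280
EXAMPLE_VECTORS[15] = 0x3100

# Assumed free flash region for the trampolines (placeholder; use the linker map).
FREE_START, FREE_END = 0x4000, 0x5000


def randomize_ivt(vectors, free_start=FREE_START, free_end=FREE_END, seed=None):
    """Return (new_vectors, trampolines).

    Every used vector is redirected to a 4-byte "BR #handler" placed at a random
    word-aligned address in [free_start, free_end).  Unused vectors (0xFFFF) are
    left alone so they do not acquire a bogus handler.  trampolines maps each
    trampoline address to its 4 little-endian code bytes, ready to be written
    into the image.  seed=None uses the OS entropy source; a seed is for tests."""
    if len(vectors) != IVT_WORDS:
        raise ValueError("expected %d vectors" % IVT_WORDS)
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    used = [v for v in vectors if v != ERASED_WORD]
    slots = list(range(free_start, free_end - 3, 4))   # 4-byte, word-aligned slots
    if len(slots) < len(used):
        raise ValueError("not enough free flash for %d trampolines" % len(used))
    chosen = iter(rng.sample(slots, len(used)))         # without replacement: no collisions
    new_vectors, trampolines = [], {}
    for handler in vectors:
        if handler == ERASED_WORD:
            new_vectors.append(handler)
            continue
        addr = next(chosen)
        trampolines[addr] = struct.pack("<HH", BR_OPCODE, handler)   # BR #handler
        new_vectors.append(addr)
    return new_vectors, trampolines


def password_bytes(vectors):
    """The 32 bytes at 0xFFE0..0xFFFF as little-endian words: the BSL password."""
    return b"".join(struct.pack("<H", v) for v in vectors)


def is_erased(password):
    """True if the table reads as all ones, i.e. the post-Mass-Erase password."""
    return all(b == 0xFF for b in password)


def password_entropy_bits(n_slots, n_used):
    """log2 of the number of distinct trampoline placements, i.e. how many bits of
    the password an attacker would have to guess (sampling without replacement)."""
    return sum(math.log2(n_slots - i) for i in range(n_used))


if __name__ == "__main__":
    before = password_bytes(EXAMPLE_VECTORS)
    new_vectors, trampolines = randomize_ivt(EXAMPLE_VECTORS)
    after = password_bytes(new_vectors)
    print("password before:", before.hex(), "erased:", is_erased(before))
    print("password after: ", after.hex(), "erased:", is_erased(after))
    for addr, code in sorted(trampolines.items()):
        print("trampoline at 0x%04X: %s" % (addr, code.hex()))
    n_slots = (FREE_END - FREE_START) // 4
    print("entropy with %d used vectors: %.1f bits" %
          (len(trampolines), password_entropy_bits(n_slots, len(trampolines))))
```

With only three used vectors the table gains about 30 bits over a 4 KB free region; a fully populated 16-entry table over the same region is around 160 bits, well beyond the 40-bit figure the post uses for its 32-year estimate. Note that randomizing the reset vector too is what keeps the last word of the password from being a fixed, easily guessed value.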
