Hi Travis,

thanks for the detailed info on the BSL key. For all the other guys here who didn't follow your link to SLAA089:

"The password itself consists of the 16 interrupt vectors located at addresses FFE0h to FFFFh (256 bits), starting with the first byte at address FFE0h. After mass erase and with unprogrammed devices, all password bits are logical high (1)."

The note in the MSP430F248 datasheet (below the interrupt vector table assignment) is somewhat misleading:

"The address 0xFFDE is used as bootstrap loader security key (BSLSKEY).
A 0xAA55 at this location disables the BSL completely.
A zero disables the erasure of the flash if an invalid password is supplied."

This seems to be the register that's not always located at the same address. MSP430FG461x devices have their DMA interrupt vector at 0xFFDE.

Do you know anything about that flash erasure on invalid passwords? I guess not, because otherwise you would have seen it while disassembling the BSL code. So what does TI mean by that note?

Gunther

Travis Goodspeed wrote:
Howdy y'all,

I've been doing a bit of work with the BSL, mostly Version 2.12 which I
dumped from an MSP430FG4618, disassembled, and annotated.

--The BSL password isn't beneath the IVT, it *is* the IVT.

--There is an unprotected command, Mass Erase, which erases all of
memory.  The idea is that you should be able to replace the firmware,
but not to extract the firmware, as you could always replace the whole
chip on any board.  Once memory is erased, every bit of the IVT--and
thus the password--becomes 1.

--In very recent versions of the BSL, you can set a flag in flash to
password-protect the Mass Erase command.

--Versions 1.60 and 1.61 are the best candidates for brute-forcing, as
they have an unprotected command, Change Baud Rate, for writing directly
to the clock registers.  Earlier versions have no such command, while
later versions require the password to be sent before the baud rate is
changed.  Supposing only 40 bits of the password are random and you are
attacking a chip which is clocked to 16 MHz, it will still take 32 years
to guarantee a break.  It can be made a bit faster, but not so much as
to make brute forcing practical.

Gotchas:
--Version 2.12 is vulnerable to a side-channel timing attack.  2.01 and
earlier are not.
--If you are blowing JTAG and expect the BSL to protect cryptographic
keys, realize that the key is not part of the IVT and therefore it is
not part of the password.

--rand_int.pl, attached, will randomize the interrupts by making them
point to branch instructions that direct back to the real address.

For more details on BSL brute forcing, see
http://travisgoodspeed.blogspot.com/2008/06/msp430-bsl-passwords-brute-force.html
For the official docco,
http://www.google.com/search?q=slaa089

Cheers,
--Travis Goodspeed

Gunther Lemm wrote:
There was a discussion about the security fuses and some enhancements of the BSL password protection at MSP430 Day 2008 in Berlin. I only remember some basic info:

- you can only blow the JTAG security fuse once because it's a physical fuse, so there's no way to reset these fuses.

- the BSL password is stored at a memory address just before the interrupt vector table (take a look at the device specific datasheets because the location depends on 32/64 byte vector table size)

- AFAIR there is some brute force password cracking protection in msp430f2xxx devices

- there is a way to reset the BSL password, but this also deletes the complete flash contents (don't ask me how to do it)

_______________________________________________
Mspgcc-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/mspgcc-users


--
***************************
Dipl.Ing. (FH) Gunther Lemm

Daqtix GbR
-+- Robert Dallmann
 +- Gunther Lemm
 +- Oliver Niekrenz
Alte Dorfstraße 16
D-29588 Oetzen (OT Süttorf)
Germany

Tel: +49 5805 979 5 797
Fax: +49 5805 9 795 795
***************************
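As an added example (not code from this thread, from SLAA089 or from Travis's rand_int.pl), the following Python reads the BSL password out of a firmware image exactly as SLAA089 defines it, reports how little of the 256 bits is actually unpredictable, and applies the trampoline idea from Travis's note by pointing each programmed vector at a `BR #handler` stub placed in a random, distinct slot of a free flash window. The flat 64 KiB image layout, the sample handlers, the free-window address and the entropy estimate are assumptions made for the example.

```python
import math
import random
import struct

IVT_BASE, IVT_END, RESET_VEC, BSLSKEY = 0xFFE0, 0x10000, 0xFFFE, 0xFFDE
BR_OPCODE = 0x4030  # MSP430 "BR #addr" is MOV #addr,PC: opcode 0x4030 followed by the 16-bit target

def bsl_password(image: bytes) -> bytes:
    """The BSL password is the 32 IVT bytes, address 0xFFE0 first (SLAA089)."""
    return bytes(image[IVT_BASE:IVT_END])

def vectors(image: bytes) -> list:
    return [struct.unpack_from("<H", image, a)[0] for a in range(IVT_BASE, IVT_END, 2)]

def password_report(image: bytes, flash_start: int) -> dict:
    """Rough upper bound on password entropy (assumption): each distinct programmed
    vector is an even flash address, so it carries at most log2(flash words) bits."""
    vecs = vectors(image)
    programmed = {v for v in vecs if v != 0xFFFF}
    bits_per_vector = math.log2((IVT_BASE - flash_start) // 2)
    return {
        "bsl_disabled": struct.unpack_from("<H", image, BSLSKEY)[0] == 0xAA55,
        "unprogrammed": vecs.count(0xFFFF),
        "distinct": len(programmed),
        "max_entropy_bits": round(len(programmed) * bits_per_vector),
    }

def randomize_ivt(image: bytes, tramp_base: int, tramp_len: int, rng=None) -> bytearray:
    """Point every programmed vector except RESET at a 4-byte BR trampoline placed in a
    randomly chosen, distinct slot of the free flash window [tramp_base, tramp_base+tramp_len)."""
    out = bytearray(image)
    live = [a for a in range(IVT_BASE, IVT_END, 2)
            if a != RESET_VEC and struct.unpack_from("<H", out, a)[0] != 0xFFFF]
    slots = (rng or random.SystemRandom()).sample(range(tramp_base, tramp_base + tramp_len - 3, 4), len(live))
    for addr, slot in zip(live, slots):
        target = struct.unpack_from("<H", out, addr)[0]
        struct.pack_into("<HH", out, slot, BR_OPCODE, target)  # BR #target at the slot
        struct.pack_into("<H", out, addr, slot)                # vector now names the slot
    return out

def trampoline_target(image: bytes, addr: int):  # handler a BR stub at addr branches to, else None
    opcode, target = struct.unpack_from("<HH", image, addr)
    return target if opcode == BR_OPCODE else None

def sample_image() -> bytearray:
    """Constructed 64 KiB image, not a real firmware: flash from 0x8000, three handlers."""
    img = bytearray(b"\xff" * 0x10000)
    for vec, handler in {0xFFFE: 0x8000, 0xFFFC: 0x8100, 0xFFEA: 0x8200, 0xFFE0: 0x8200}.items():
        struct.pack_into("<H", img, vec, handler)
    return img
```

On the constructed image the report shows 12 of 16 vectors still erased and only three distinct handler addresses, which is why the real entropy is closer to the 40 bits Travis assumes than to 256; after randomization every live vector names a different stub while the handlers themselves are untouched.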
