Neil Hopcroft

A digital misfit

Unwrapping the Chrysalis

“We used the commercial tool IDA (the Interactive DisAssembler) [4] to reverse-engineer the binary. About 300KiB of the binary was 32-bit ARM code, 500KiB high-entropy data with some fairly regular structure visible, and the remainder was blank.”


4 comments

    • And having considered a similar process with a module from another manufacturer, it's interesting to see what is possible. Seems crazy to not do any obfuscation of either chip core or ROM address lines.

      • Depends. I thought that the FIPS 140 certification (which I believe Chrysalis has) requires the manufacturer to make it hard to get anything out of the exposed lines on the board within a certain attack timescale. Obfuscating would appear to serve that purpose, though one can alternatively “pot” the relevant innards of the module in epoxy to make it hard to get probes there. (A certain manufacturer close to here pots their high-security boards.)

        • Potting isn't too much of a trial if you've got the right solvents… I'd've expected at least a bit of track switching too, perhaps programmatically controlled, then you can't just drop the ROM into a socket and disassemble the whole lot. I hear there are some which have a light sensitivity to them too, which self-destruct if you manage to get the epoxy off. Not sure how comprehensive that destruction is though; if it's just blowing a fuse or two then that should be easy enough to reverse.
