Toshiba challenge response code generator download
So, before having to redesign the makeshift probe into something more useful, I figured it might be easier to try a simpler timing attack first. I at first tried a power trace side-channel analysis attack (since I had a ChipWhisperer lying around gathering dust) when the bootloader checks the password, but my makeshift shunt probe was just too noisy. To unlock the flash, the programmer sends 12 bytes: a command prefix (0xF5), the address of the ID code (?, 0x0FFFDF), the length of the ID code (?! 7) and 7 bytes of ID code. After the programmer sends the ID code check function, another command (0x70) can be used to check whether the ID code verification succeeded. The clock comes from the programmer, and the EC exposes a Busy line used to synchronize whether it's ready to receive commands. If the programmer does not provide the code, no flash dump/write access is allowed.
This code is used by the built-in bootrom to allow/deny access to the flash via the 'Standard Serial I/O' protocol for programming (selectable via M0/M1 straps). The EC has a 7-byte ID code that it keeps in flash.
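An added example, not code from the original write-up or from the bootrom: a device-side view of the ID check described above. It validates the 12-byte frame and contrasts an early-exit comparison, whose work depends on how many leading bytes match, with a constant-time one. The sample ID, all function names, the low-byte-first address order and the idea that the check compares byte by byte are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ID_LEN    7
#define FRAME_LEN 12 /* 1 prefix + 3 address + 1 length + 7 ID bytes */

/* Constructed sample values, not a real ID code. */
static const uint8_t stored_id[ID_LEN] = {0x11,0x22,0x33,0x44,0x55,0x66,0x77};
static const uint8_t frame_ok[FRAME_LEN] =
    {0xF5, 0xDF,0xFF,0x0F, 0x07, 0x11,0x22,0x33,0x44,0x55,0x66,0x77};
static const uint8_t frame_bad4[FRAME_LEN] = /* first mismatch at ID byte 4 */
    {0xF5, 0xDF,0xFF,0x0F, 0x07, 0x11,0x22,0x33,0x00,0x55,0x66,0x77};

/* Validate the frame. Assumption: address 0x0FFFDF travels low byte first. */
int parse_id_frame(const uint8_t *f, size_t n, const uint8_t **id) {
    if (n != FRAME_LEN || f[0] != 0xF5 || f[4] != ID_LEN) return -1;
    if (f[1] != 0xDF || f[2] != 0xFF || f[3] != 0x0F) return -1;
    *id = f + 5;
    return 0;
}

/* Early-exit compare: bytes examined (a stand-in for time) depend on the data. */
int id_equal_leaky(const uint8_t *a, const uint8_t *b, int *steps) {
    for (int i = 0; i < ID_LEN; i++) { *steps = i + 1; if (a[i] != b[i]) return 0; }
    return 1;
}

/* Constant-time compare: always examines all 7 bytes, then decides once. */
int id_equal_ct(const uint8_t *a, const uint8_t *b, int *steps) {
    uint8_t diff = 0;
    for (int i = 0; i < ID_LEN; i++) { diff |= a[i] ^ b[i]; *steps = i + 1; }
    return diff == 0;
}

/* Bytes examined for one frame by either routine; -1 if the frame is malformed. */
int steps_for(const uint8_t *frame, size_t n, int constant_time) {
    const uint8_t *id; int steps = 0;
    if (parse_id_frame(frame, n, &id) != 0) return -1;
    (constant_time ? id_equal_ct : id_equal_leaky)(stored_id, id, &steps);
    return steps;
}

int main(void) {
    printf("leaky: %d, %d  constant-time: %d, %d\n",
           steps_for(frame_bad4, FRAME_LEN, 0), steps_for(frame_ok, FRAME_LEN, 0),
           steps_for(frame_bad4, FRAME_LEN, 1), steps_for(frame_ok, FRAME_LEN, 1));
    return 0;
}
```

The step count stands in for execution time: the early-exit routine's count tracks the position of the first wrong byte, while the constant-time routine's count is the same for every input.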
![toshiba challenge response code generator download](https://cdn.hackaday.io/images/2929461523531869398.png)
And finally, I added an oscilloscope to the voltage shunt and a logic analyzer to serial lines, for good measure. After checking connectivity to the bootrom and that I was getting power traces, it was time to dive in. I also attached a ChipWhisperer with a shunt sensor board to the EC's power line.
![toshiba challenge response code generator download](http://www.whatsmypass.com/wp-content/uploads/2009/04/dongle1.jpg)
I've then attached an STM32F303RE on a Nucleo board as a general interface board to the EC's serial and reset. I've etched a new board that lets me access important pins (serial TX, RX, CLK, BUSY, RST and power lines) without having to fiddle with the previous hacky breakout board. After another long hiatus, I've come back to this project.