log☇︎
253 entries in 0.627s
asciilifeform: seems like erry summer asciilifeform does a jet-powered flight into brick wall. last time it was the cr50 thing.
asciilifeform recalls the ' cr50 bounty ' thrd. mircea_popescu made very persuasive arg re 'takes >= work to adjudicate contest as to do the actual job' .
asciilifeform: illustrative case where ~not~ found : 'cr50'
asciilifeform: to add to this already tall pile o'lulz, per crapple, epoxy aint enuff , power switch (deliberately flimsy) nao includes a cr50-style rsa ic, and not replaceable w/out Official Blessing from vendor (and for good measure, epoxied into the lump)
asciilifeform: serious $mil+ sem, even, not '80s museum piece. could just as easily photo e.g. cr50 as bolix.
diana_coman: ugh; I hate rats as it is, no need for bigger ones; that being said, I can already picture the euloran "stan's layr" complete with lumber-electronics a la http://ossasepia.com/2018/06/26/euloras-own-cr50/ and weird rats/trash pandas to fight for resources.
a111: Logged on 2018-12-03 10:39 spyked: http://btcbase.org/log/2018-11-29#1875947 <-- hm. so I'm seeing a few distinct problems here. 1. de-googlifying the bootloader (and getting rid of the cr50 mess); 2. using a non-googlistic kernel; and 3. replacing the rootfs with a cuntoo userspace. if I understood correctly, then 2 depends on googlistic signing software because of 1, but 3 should be doable either way (if anything, ave1's compiler is a more immediate requirement to get
spyked: http://btcbase.org/log/2018-11-29#1875947 <-- hm. so I'm seeing a few distinct problems here. 1. de-googlifying the bootloader (and getting rid of the cr50 mess); 2. using a non-googlistic kernel; and 3. replacing the rootfs with a cuntoo userspace. if I understood correctly, then 2 depends on googlistic signing software because of 1, but 3 should be doable either way (if anything, ave1's compiler is a more immediate requirement to get ☝︎☟︎
a111: Logged on 2018-07-16 15:50 a111: Logged on 2018-06-25 21:45 asciilifeform: (1) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_ro_sig.png (2) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_hitler_enforcer.png (3) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_hitler_enforcement_businessend.png (4) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_pinned_pubs.png
asciilifeform: aah cr50 d00d
asciilifeform: other item, is that a main bootloader built for this thing, theoretically will also work on the c100pa, which has no cr50.
asciilifeform: ( for those who did not follow the orig c101pa threads : the box has ~three~ firmware turds: 1) main (8MB) bootloader 2) EC (little arm thingie, has own console , controls all of kbd but the power and reset lines, as well as various voltages, and battery charger) 3) cr50 -- controls power/reset lines, inits the charging brick, and 'god mode' debug over the other 2 chips, i.e. cpu and EC )
asciilifeform: what i have not found a way to do, is to neuter cr50 in the sense originally wanted , where it turns into simply battery controller and nobody can rewrite from snake.
asciilifeform: diana_coman: to be very specific, i did not properly break cr50. what i found instead was an apparently-Official (albeit undocumented) knob in the most recent fw release, which does equiv of rma unlock ( sets all of the permission bits for console ) and enables spi bus access, through which can r/w the main and ec fw turds.
a111: Logged on 2018-08-07 16:39 asciilifeform: ^ maker of cr50, lel
asciilifeform: ^ maker of cr50, lel ☟︎
a111: Logged on 2018-06-25 21:45 asciilifeform: (1) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_ro_sig.png (2) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_hitler_enforcer.png (3) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_hitler_enforcement_businessend.png (4) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_pinned_pubs.png ☟︎
asciilifeform: even outside of coloism -- e.g. google kept the troo cr50 sores 'seekrit' ; didn't prevent http://btcbase.org/log/2018-06-25#1829533 ☝︎
asciilifeform: in other lulz, https://archive.li/mt8rj << google, just as i expected, working on using cr50 to abolish the 'at least can boot own linux' 'hole' entirely
asciilifeform: mircea_popescu: i did describe a theoretical 'bake pad-for-pad replacement for cr50' variant.
asciilifeform: phf: what plug hole. thing charges from the usbc jacks, cr50 actually drives the charger logic.
phf: asciilifeform: right, and as far as we know right now cr50 doesn't have a remote/wifi access component. if it can't be wholly removed, maybe it can be "cut" (not necessarily by literally cutting the wire, but the direction of closing the plug hole)
phf: tbh i assumed it was a lost cause around when cr50 was discovered. it's overall a worthwhile direction of exploration since i assume we're still gravitating towards an arm gentoo
asciilifeform: re: cr50, fwiw i have pretty much whole thing multiply massaged in ida, code/data mapped, got good % of the functions 'usefully' named. but so far no dice in finding a usable hole.
asciilifeform: mircea_popescu: last week i did a brief hand-cranked version of this experiment, with similar result ( e.g. cr50 , several other subjs dead to google, reliably finds asciilifeform's www )
asciilifeform: at least google fwiw didn't try to advertise cr50, similar 'feature'.
asciilifeform: they run on trooly vertically-integrated arse-mouth system, verily; asciilifeform to this day has not succeeded in building any of their 'open' sores of e.g. cr50
deedbot: http://www.dianacoman.com/2018/06/26/euloras-own-cr50/ << Ossasepia - Euloras Own CR50
mircea_popescu: it's a cr50!
asciilifeform: and meanwhile , ftr, all three cr50 pubkeyz withstood phuctoring
asciilifeform: this completes the set of extant (afaik) cr50 fritz keys , on phuctor .
asciilifeform: the runner-up prizes are #1 and #2, leakage of ~these~ would allow liberation of the existing cr50's, but the boojum of 'box in airport luggage can get reflashed via usb by enemy troops' would remain just as nao
asciilifeform: going in order: (1) is the sig header tested by the boot maskrom ( contents not known, but can be guessed at, it has 1 hard-wired pubkey ). this we will call cr50 hitler key #0 . it cannot be changed by fw updater.
asciilifeform: (1) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_ro_sig.png (2) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_hitler_enforcer.png (3) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_hitler_enforcement_businessend.png (4) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_pinned_pubs.png ☟︎
lobbesbot: phf: Sent 2 hours and 54 minutes ago: <asciilifeform> other interesting observations: 1) loader is not the same as what appears in the src, in either 3.3 or 3.4 fw bin; not only key differs, but eggog strings, and possibly the rsa per se. 2) seems like : nowhere else in the fw is there any other routine which checksums/rsaverifies the cr50 fw , or references the rsa keyz at all other than to print keyid .
asciilifeform: !Q later tell phf other interesting observations: 1) loader is not the same as what appears in the src, in either 3.3 or 3.4 fw bin; not only key differs, but eggog strings, and possibly the rsa per se. 2) seems like : nowhere else in the fw is there any other routine which checksums/rsaverifies the cr50 fw , or references the rsa keyz at all other than to print keyid .
asciilifeform: phf: https://chromium.googlesource.com/chromiumos/platform/ec/+/cr50_v3.4/chip/g/build.mk#10 << see
asciilifeform: oh , for compleeetness, http://loper-os.org/pub/c101pa/cr50.bin.prod << the 0.3.4 cr50 fw currently installed in my box. ( the offsets above, are valid for it)
asciilifeform: 2) the RW key, corresponding to 'RW keyid: 0xde88588d(prod)' , appears , and is identical to what lives in https://chromium.googlesource.com/chromiumos/platform/ec/+/cr50_v3.4/util/signer/cr50_RW-prod.pem.pub
asciilifeform: 1) the pubs thrown earlier in phuctor ( seen in e.g. https://chromium.googlesource.com/chromiumos/platform/ec/+/cr50_v3.4/chip/g/loader/verify.c#17 ) dun appear anywhere in fw 3.4
asciilifeform: mircea_popescu: in other twists, not only is neither key in the cr50 fw image i have, but the verification routine does not correspond to the 'open' sores.
asciilifeform: ( erry cr50 fw upgrade bin has no fewer than 2 such sigs )
a111: Logged on 2018-06-22 18:03 asciilifeform: in other lulz, nobody noticed this puzzler, so i'ma put it in the l0gz : https://archive.li/i7BRf << cr50 magic rsa keys; the montgomery multiplier etc uses hardcoded constant, 96 word ( i.e. 3072 bit ) for the mults, but the keyblobs are 97 , for some strange reason, in size...
asciilifeform: in other lulz, nobody noticed this puzzler, so i'ma put it in the l0gz : https://archive.li/i7BRf << cr50 magic rsa keys; the montgomery multiplier etc uses hardcoded constant, 96 word ( i.e. 3072 bit ) for the mults, but the keyblobs are 97 , for some strange reason, in size... ☟︎
asciilifeform: same thrust as the fritz/cr50/etc nonsense.
a111: Logged on 2018-06-18 17:51 asciilifeform: in re cr50 -- if anybody's puzzled re why they put this level of effort into locking down what is essentially a less-popular, bulkier ipnoje -- it's a beta test for bleeding edge of their pc fritz ( the latter, reportedly already in service in google-built serverz in datacentres )
a111: Logged on 2018-06-13 16:48 asciilifeform: and i'm still curious what an elephant-killing dose of gamma would do to the cr50.
asciilifeform: in re cr50 -- if anybody's puzzled re why they put this level of effort into locking down what is essentially a less-popular, bulkier ipnoje -- it's a beta test for bleeding edge of their pc fritz ( the latter, reportedly already in service in google-built serverz in datacentres ) ☟︎
asciilifeform: BingoBoingo: long prior to cr50
BingoBoingo: Wikipedia before alf published his cr50 expose had an article on Fritzchips. Now it doesn't
asciilifeform: i find it interesting that google's approach to building cr50 ( 'hardcopy fpga' ) is actually ~moar~ diddleable, via this method, than if they had shipped ordinary fpga
asciilifeform: this worked in the past, but cr50 seems to include boobytrap for voltage glitching
deedbot: loper_os_cr50 voiced for 30 minutes.
mod6: !!up loper_os_cr50
a111: Logged on 2018-06-15 14:52 asciilifeform: once i get another coupla cr50 boards , will try above method with a small twist ( spoiler : chinese pulse welder as the current source! new!111 original!11 )
asciilifeform: for cr50 in particular, a continuous (e.g. xray) rather than intermittent (emp shooter) glitcher might be preferable, as the thing has a convenient unlock command that you can fire via the uart continuously, then , theoretically, irradiate until it happens to skip the right instruction
asciilifeform: once i get another coupla cr50 boards , will try above method with a small twist ( spoiler : chinese pulse welder as the current source! new!111 original!11 ) ☟︎
asciilifeform: can also glitch by manipulating clock, but it is not presently known whether cr50 has external clocking ( my current understanding is that it does not, but has internal oscillator )
asciilifeform: dun in the literature last night re chip 'glitching' . for some reason everybody, to date, focuses on glitching ~specific~ instruction, rather than scrambling sram bluntly. ( to be fair, the blunt approach is only of any conceivable use if you can pre-emplace the nop slide, as is apparently possible on cr50 ) ; state of the open lit art seems to be the 'xbox 360' pill demonstrated in 2015
asciilifeform: guestop: are you working on breaking cr50 yourself ?
asciilifeform: ( and i suspect that there won't be much said re cr50 for a while, currently it is in dead waters )
a111: 190 results for "cr50", http://btcbase.org/log-search?q=cr50
asciilifeform: !#s cr50
asciilifeform: re tpmism : i predict many great lulz of the fyootoor , when google et al roll 'bitcoin' support into cr50 etc
deedbot: loper_os_cr50 voiced for 30 minutes.
mircea_popescu: !!up loper_os_cr50
asciilifeform: but would need at least 1 actually popped cr50 chip, to tune the probe.
asciilifeform: and i'm still curious what an elephant-killing dose of gamma would do to the cr50. ☟︎
a111: Logged on 2018-06-13 15:15 asciilifeform: meanwhile , in sad noose, cr50 apparently would be a 1st-class bitch to fully replace, it ( among errything else ) also does the power brick negotiation thing
asciilifeform: meanwhile , in sad noose, cr50 apparently would be a 1st-class bitch to fully replace, it ( among errything else ) also does the power brick negotiation thing ☟︎
asciilifeform: loper_os_cr50_: hello ?
deedbot: loper_os_cr50_ voiced for 30 minutes.
asciilifeform: !!up loper_os_cr50_
mircea_popescu: aand who might you be, loper_os_cr50
deedbot: loper_os_cr50 voiced for 30 minutes.
mircea_popescu: !!up loper_os_cr50
a111: Logged on 2018-06-13 01:49 asciilifeform: revisiting upstack : i categorically refuse to pay for any cr50 related work that does not produce a working and practically applicable pill. because there is no way to ensure that 'paid to advance art' rather than 'paid 10 derps' mortgages and student loans'
asciilifeform: revisiting upstack : i categorically refuse to pay for any cr50 related work that does not produce a working and practically applicable pill. because there is no way to ensure that 'paid to advance art' rather than 'paid 10 derps' mortgages and student loans' ☟︎
phf: also contest starts around the time that ascii publishes articles on subj, conceivable that someone else decides to look at the cr50, white hats a vulnerability to google.
asciilifeform: meaningful. i either get a pile of c101pa with rewritable cr50 256kB firmwares, or not.
asciilifeform: loper_os_cr50: hey
deedbot: loper_os_cr50 voiced for 30 minutes.
deedbot: loper_os_cr50 voiced for 30 minutes.
mircea_popescu: !!up loper_os_cr50
asciilifeform: !!up loper_os_cr50
a111: Logged on 2018-06-12 23:39 asciilifeform: phf: you will test using your c101pa. and so you will need the debug snake, i will need to put the output of sysinfo , ver , brd , etc cr50 console commands into the statement.
asciilifeform: phf: you will test using your c101pa. and so you will need the debug snake, i will need to put the output of sysinfo , ver , brd , etc cr50 console commands into the statement. ☟︎
asciilifeform: phf: the way i'm thinking of doing it: i'ma write up and sign a statement describing the competition; you will create a special-occasion key, e.g. 'cr50contest', rate it e.g. +1 cr50 , and i will drop a coin into it.
douchebag: My friend was also wondering who has access to cr50's
douchebag: I didn't even know what a cr50 was 10 minutes ago
asciilifeform: i put the spi bootrom in the pic, to make clear the fact that it is connected ~through~ cr50
asciilifeform: i'd junk google's crapola fw regardless, even if we break cr50
mircea_popescu: douchebag, cr50 is, by all appearances, an arm cortex fpga
asciilifeform: well currently i'm out of ideas in re cr50; thought i'd try the 1 tool in the box i haven't unsheathed.
asciilifeform: understand, a die photo would do me ~0 good re cr50.
asciilifeform: cnomad: interestingly, 0 discussion on ru net of cr50.
asciilifeform: ( i can dpa right here, dun need help even. but it isn't particularly useful for cr50. )
a111: Logged on 2018-06-12 18:48 asciilifeform considers idea of proclaiming a 1 btc prize for a working break of cr50 . any l1 folk interested in contributing to the prize chest , and/or overseeing the refereeing ?
asciilifeform: cnomad: main form of glitch hardening in cr50, going by the src, is the tactic of repeating the various crypto checks N times
asciilifeform: the expense of decapping ~each~ cr50 in each box, is prohibitive, and makes whole proposition uninteresting