log
asciilifeform: seems like erry summer asciilifeform does a jet-powered flight into brick wall. last time it was the cr50 thing.
asciilifeform recalls the ' cr50 bounty ' thrd. mircea_popescu made very persuasive arg re 'takes >= work to adjudicate contest as to do the actual job' .
asciilifeform: illustrative case where ~not~ found : 'cr50'
asciilifeform: to add to this already tall pile o'lulz, per crapple, epoxy aint enuff , power switch (deliberately flimsy) nao includes a cr50-style rsa ic, and not replaceable w/out Official Blessing from vendor (and for good measure, epoxied into the lump)
asciilifeform: serious $mil+ sem, even, not '80s museum piece. could just as easily photo e.g. cr50 as bolix.
diana_coman: ugh; I hate rats as it is, no need for bigger ones; that being said, I can already picture the euloran "stan's layr" complete with lumber-electronics a la http://ossasepia.com/2018/06/26/euloras-own-cr50/ and weird rats/trash pandas to fight for resources.
a111: Logged on 2018-12-03 10:39 spyked: http://btcbase.org/log/2018-11-29#1875947 <-- hm. so I'm seeing a few distinct problems here. 1. de-googlifying the bootloader (and getting rid of the cr50 mess); 2. using a non-googlistic kernel; and 3. replacing the rootfs with a cuntoo userspace. if I understood correctly, then 2 depends on googlistic signing software because of 1, but 3 should be doable either way (if anything, ave1's compiler is a more immediate requirement to get
spyked: http://btcbase.org/log/2018-11-29#1875947 <-- hm. so I'm seeing a few distinct problems here. 1. de-googlifying the bootloader (and getting rid of the cr50 mess); 2. using a non-googlistic kernel; and 3. replacing the rootfs with a cuntoo userspace. if I understood correctly, then 2 depends on googlistic signing software because of 1, but 3 should be doable either way (if anything, ave1's compiler is a more immediate requirement to get
a111: Logged on 2018-07-16 15:50 a111: Logged on 2018-06-25 21:45 asciilifeform: (1) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_ro_sig.png (2) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_hitler_enforcer.png (3) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_hitler_enforcement_businessend.png (4) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_pinned_pubs.png
asciilifeform: aah cr50 d00d
asciilifeform: other item, is that a main bootloader built for this thing, theoretically will also work on the c100pa, which has no cr50.
asciilifeform: ( for those who did not follow the orig c101pa threads : the box has ~three~ firmware turds: 1) main (8MB) bootloader 2) EC (little arm thingie, has own console , controls all of kbd but the power and reset lines, as well as various voltages, and battery charger) 3) cr50 -- controls power/reset lines, inits the charging brick, and 'god mode' debug over the other 2 chips, i.e. cpu and EC )
asciilifeform: what i have not found a way to do, is to neuter cr50 in the sense originally wanted , where it turns into simply battery controller and nobody can rewrite from snake.
asciilifeform: diana_coman: to be very specific, i did not properly break cr50. what i found instead was an apparently-Official (albeit undocumented) knob in the most recent fw release, which does equiv of rma unlock ( sets all of the permission bits for console ) and enables spi bus access, through which can r/w the main and ec fw turds.
a111: Logged on 2018-08-07 16:39 asciilifeform: ^ maker of cr50, lel
asciilifeform: ^ maker of cr50, lel
a111: Logged on 2018-06-25 21:45 asciilifeform: (1) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_ro_sig.png (2) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_hitler_enforcer.png (3) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_hitler_enforcement_businessend.png (4) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_pinned_pubs.png
asciilifeform: even outside of coloism -- e.g. google kept the troo cr50 sores 'seekrit' ; didn't prevent http://btcbase.org/log/2018-06-25#1829533
asciilifeform: in other lulz, https://archive.li/mt8rj << google, just as i expected, working on using cr50 to abolish the 'at least can boot own linux' 'hole' entirely
asciilifeform: mircea_popescu: i did describe a theoretical 'bake pad-for-pad replacement for cr50' variant.
asciilifeform: phf: what plug hole. thing charges from the usbc jacks, cr50 actually drives the charger logic.
phf: asciilifeform: right, and as far as we know right now cr50 doesn't have a remote/wifi access component. if it can't be wholly removed, maybe it can be "cut" (not necessarily by literally cutting the wire, but the direction of closing the plug hole)
phf: tbh i assumed it was a lost cause around when cr50 was discovered. it's overall a worthwhile direction of exploration since i assume we're still gravitating towards an arm gentoo
asciilifeform: re: cr50, fwiw i have pretty much whole thing multiply massaged in ida, code/data mapped, got good % of the functions 'usefully' named. but so far no dice in finding a usable hole.
asciilifeform: mircea_popescu: last week i did a brief hand-cranked version of this experiment, with similar result ( e.g. cr50 , several other subjs dead to google, reliably finds asciilifeform's www )
asciilifeform: at least google fwiw didn't try to advertise cr50, similar 'feature'.
asciilifeform: they run on trooly vertically-integrated arse-mouth system, verily; asciilifeform to this day has not succeeded in building any of their 'open' sores of e.g. cr50
deedbot: http://www.dianacoman.com/2018/06/26/euloras-own-cr50/ << Ossasepia - Euloras Own CR50
mircea_popescu: it's a cr50!
asciilifeform: and meanwhile , ftr, all three cr50 pubkeyz withstood phuctoring
asciilifeform: this completes the set of extant (afaik) cr50 fritz keys , on phuctor .
asciilifeform: the runner-up prizes are #1 and #2, leakage of ~these~ would allow liberation of the existing cr50's, but the boojum of 'box in airport luggage can get reflashed via usb by enemy troops' would remain just as nao
asciilifeform: going in order: (1) is the sig header tested by the boot maskrom ( contents not known, but can be guessed at, it has 1 hard-wired pubkey ). this we will call cr50 hitler key #0 . it cannot be changed by fw updater.
asciilifeform: (1) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_ro_sig.png (2) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_hitler_enforcer.png (3) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_hitler_enforcement_businessend.png (4) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_pinned_pubs.png
lobbesbot: phf: Sent 2 hours and 54 minutes ago: <asciilifeform> other interesting observations: 1) loader is not the same as what appears in the src, in either 3.3 or 3.4 fw bin; not only key differs, but eggog strings, and possibly the rsa per se. 2) seems like : nowhere else in the fw is there any other routine which checksums/rsaverifies the cr50 fw , or references the rsa keyz at all other than to print keyid .
asciilifeform: !Q later tell phf other interesting observations: 1) loader is not the same as what appears in the src, in either 3.3 or 3.4 fw bin; not only key differs, but eggog strings, and possibly the rsa per se. 2) seems like : nowhere else in the fw is there any other routine which checksums/rsaverifies the cr50 fw , or references the rsa keyz at all other than to print keyid .
asciilifeform: phf: https://chromium.googlesource.com/chromiumos/platform/ec/+/cr50_v3.4/chip/g/build.mk#10 << see
asciilifeform: oh , for compleeetness, http://loper-os.org/pub/c101pa/cr50.bin.prod << the 0.3.4 cr50 fw currently installed in my box. ( the offsets above, are valid for it)
asciilifeform: 2) the RW key, corresponding to 'RW keyid: 0xde88588d(prod)' , appears , and is identical to what lives in https://chromium.googlesource.com/chromiumos/platform/ec/+/cr50_v3.4/util/signer/cr50_RW-prod.pem.pub
asciilifeform: 1) the pubs thrown earlier in phuctor ( seen in e.g. https://chromium.googlesource.com/chromiumos/platform/ec/+/cr50_v3.4/chip/g/loader/verify.c#17 ) dun appear anywhere in fw 3.4
asciilifeform: mircea_popescu: in other twists, not only is neither key in the cr50 fw image i have, but the verification routine does not correspond to the 'open' sores.
asciilifeform: ( erry cr50 fw upgrade bin has no fewer than 2 such sigs )
a111: Logged on 2018-06-22 18:03 asciilifeform: in other lulz, nobody noticed this puzzler, so i'ma put it in the l0gz : https://archive.li/i7BRf << cr50 magic rsa keys; the montgomery multiplier etc uses hardcoded constant, 96 word ( i.e. 3072 bit ) for the mults, but the keyblobs are 97 , for some strange reason, in size...
asciilifeform: in other lulz, nobody noticed this puzzler, so i'ma put it in the l0gz : https://archive.li/i7BRf << cr50 magic rsa keys; the montgomery multiplier etc uses hardcoded constant, 96 word ( i.e. 3072 bit ) for the mults, but the keyblobs are 97 , for some strange reason, in size...
asciilifeform: same thrust as the fritz/cr50/etc nonsense.
a111: Logged on 2018-06-18 17:51 asciilifeform: in re cr50 -- if anybody's puzzled re why they put this level of effort into locking down what is essentially a less-popular, bulkier ipnoje -- it's a beta test for bleeding edge of their pc fritz ( the latter, reportedly already in service in google-built serverz in datacentres )
a111: Logged on 2018-06-13 16:48 asciilifeform: and i'm still curious what an elephant-killing dose of gamma would do to the cr50.
asciilifeform: in re cr50 -- if anybody's puzzled re why they put this level of effort into locking down what is essentially a less-popular, bulkier ipnoje -- it's a beta test for bleeding edge of their pc fritz ( the latter, reportedly already in service in google-built serverz in datacentres )
asciilifeform: BingoBoingo: long prior to cr50
BingoBoingo: Wikipedia before alf published his cr50 expose had an article on Fritzchips. Now it doesn't
asciilifeform: i find it interesting that google's approach to building cr50 ( 'hardcopy fpga' ) is actually ~moar~ diddleable, via this method, than if they had shipped ordinary fpga
asciilifeform: this worked in the past, but cr50 seems to include boobytrap for voltage glitching
deedbot: loper_os_cr50 voiced for 30 minutes.
mod6: !!up loper_os_cr50
a111: Logged on 2018-06-15 14:52 asciilifeform: once i get another coupla cr50 boards , will try above method with a small twist ( spoiler : chinese pulse welder as the current source! new!111 original!11 )
asciilifeform: for cr50 in particular, a continuous (e.g. xray) rather than intermittent (emp shooter) glitcher might be preferable, as the thing has a convenient unlock command that you can fire via the uart continuously, then , theoretically, irradiate until it happens to skip the right instruction
asciilifeform: once i get another coupla cr50 boards , will try above method with a small twist ( spoiler : chinese pulse welder as the current source! new!111 original!11 )
asciilifeform: can also glitch by manipulating clock, but it is not presently known whether cr50 has external clocking ( my current understanding is that it does not, but has internal oscillator )
asciilifeform: dun in the literature last night re chip 'glitching' . for some reason everybody, to date, focuses on glitching ~specific~ instruction, rather than scrambling sram bluntly. ( to be fair, the blunt approach is only of any conceivable use if you can pre-emplace the nop slide, as is apparently possible on cr50 ) ; state of the open lit art seems to be the 'xbox 360' pill demonstrated in 2015
asciilifeform: guestop: are you working on breaking cr50 yourself ?
asciilifeform: ( and i suspect that there won't be much said re cr50 for a while, currently it is in dead waters )
a111: 190 results for "cr50", http://btcbase.org/log-search?q=cr50
asciilifeform: !#s cr50
asciilifeform: re tpmism : i predict many great lulz of the fyootoor , when google et al roll 'bitcoin' support into cr50 etc
deedbot: loper_os_cr50 voiced for 30 minutes.
mircea_popescu: !!up loper_os_cr50
asciilifeform: but would need at least 1 actually popped cr50 chip, to tune the probe.
asciilifeform: and i'm still curious what an elephant-killing dose of gamma would do to the cr50.
a111: Logged on 2018-06-13 15:15 asciilifeform: meanwhile , in sad noose, cr50 apparently would be a 1st-class bitch to fully replace, it ( among errything else ) also does the power brick negotiation thing
asciilifeform: meanwhile , in sad noose, cr50 apparently would be a 1st-class bitch to fully replace, it ( among errything else ) also does the power brick negotiation thing
asciilifeform: loper_os_cr50_: hello ?
deedbot: loper_os_cr50_ voiced for 30 minutes.
asciilifeform: !!up loper_os_cr50_
mircea_popescu: aand who might you be, loper_os_cr50
deedbot: loper_os_cr50 voiced for 30 minutes.
mircea_popescu: !!up loper_os_cr50
a111: Logged on 2018-06-13 01:49 asciilifeform: revisiting upstack : i categorically refuse to pay for any cr50 related work that does not produce a working and practically applicable pill. because there is no way to ensure that 'paid to advance art' rather than 'paid 10 derps' mortgages and student loans'
asciilifeform: revisiting upstack : i categorically refuse to pay for any cr50 related work that does not produce a working and practically applicable pill. because there is no way to ensure that 'paid to advance art' rather than 'paid 10 derps' mortgages and student loans'
phf: also contest starts around the time that ascii publishes articles on subj, conceivable that someone else decides to look at the cr50, white hats a vulnerability to google.
asciilifeform: meaningful. i either get a pile of c101pa with rewritable cr50 256kB firmwares, or not.
asciilifeform: loper_os_cr50: hey
deedbot: loper_os_cr50 voiced for 30 minutes.
deedbot: loper_os_cr50 voiced for 30 minutes.
mircea_popescu: !!up loper_os_cr50
asciilifeform: !!up loper_os_cr50
a111: Logged on 2018-06-12 23:39 asciilifeform: phf: you will test using your c101pa. and so you will need the debug snake, i will need to put the output of sysinfo , ver , brd , etc cr50 console commands into the statement.
asciilifeform: phf: you will test using your c101pa. and so you will need the debug snake, i will need to put the output of sysinfo , ver , brd , etc cr50 console commands into the statement.
asciilifeform: phf: the way i'm thinking of doing it: i'ma write up and sign a statement describing the competition; you will create a special-occasion key, e.g. 'cr50contest', rate it e.g. +1 cr50 , and i will drop a coin into it.
douchebag: My friend was also wondering who has access to cr50's
douchebag: I didn't even know what a cr50 was 10 minutes ago
asciilifeform: i put the spi bootrom in the pic, to make clear the fact that it is connected ~through~ cr50
asciilifeform: i'd junk google's crapola fw regardless, even if we break cr50
mircea_popescu: douchebag, cr50 is, by all appearances, an arm cortex fpga
asciilifeform: well currently i'm out of ideas in re cr50; thought i'd try the 1 tool in the box i haven't unsheathed.
asciilifeform: understand, a die photo would do me ~0 good re cr50.
asciilifeform: cnomad: interestingly, 0 discussion on ru net of cr50.
asciilifeform: ( i can dpa right here, dun need help even. but it isn't particularly useful for cr50. )
a111: Logged on 2018-06-12 18:48 asciilifeform considers idea of proclaiming a 1 btc prize for a working break of cr50 . any l1 folk interested in contributing to the prize chest , and/or overseeing the refereeing ?
asciilifeform: cnomad: main form of glitch hardening in cr50, going by the src, is the tactic of repeating the various crypto checks N times
asciilifeform: the expense of decapping ~each~ cr50 in each box, is prohibitive, and makes whole proposition uninteresting