a111: Logged on 2018-08-07 16:39 asciilifeform: ^ maker of cr50, lel
asciilifeform: ^ maker of cr50, lel
a111: Logged on 2018-06-25 21:45 asciilifeform: (1) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_ro_sig.png (2) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_hitler_enforcer.png (3) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_hitler_enforcement_businessend.png (4) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_pinned_pubs.png
asciilifeform: even outside of coloism -- e.g. google kept the troo cr50 sores 'seekrit' ; didn't prevent http://btcbase.org/log/2018-06-25#1829533
asciilifeform: in other lulz, https://archive.li/mt8rj << google, just as i expected, working on using cr50 to abolish the 'at least can boot own linux' 'hole' entirely
asciilifeform: mircea_popescu: i did describe a theoretical 'bake pad-for-pad replacement for cr50' variant.
asciilifeform: phf: what plug hole. thing charges from the usbc jacks, cr50 actually drives the charger logic.
phf: asciilifeform: right, and as far as we know right now cr50 doesn't have a remote/wifi access component. if it can't be wholly removed, maybe it can be "cut" (not necessarily by literally cutting the wire, but the direction of closing the plug hole)
phf: tbh i assumed it was a lost cause around when cr50 was discovered. it's overall a worthwhile direction of exploration since i assume we're still gravitating towards an arm gentoo
asciilifeform: re: cr50, fwiw i have pretty much whole thing multiply massaged in ida, code/data mapped, got good % of the functions 'usefully' named. but so far no dice in finding a usable hole.
asciilifeform: mircea_popescu: last week i did a brief hand-cranked version of this experiment, with similar result ( e.g. cr50 , several other subjs dead to google, reliably finds asciilifeform's www )
asciilifeform: at least google fwiw didn't try to advertise cr50, similar 'feature'.
asciilifeform: they run on trooly vertically-integrated arse-mouth system, verily; asciilifeform to this day has not succeeded in building any of their 'open' sores of e.g. cr50
deedbot: http://www.dianacoman.com/2018/06/26/euloras-own-cr50/ << Ossasepia - Euloras Own CR50
mircea_popescu: it's a cr50!
asciilifeform: and meanwhile , ftr, all three cr50 pubkeyz withstood phuctoring
asciilifeform: this completes the set of extant (afaik) cr50 fritz keys , on phuctor .
asciilifeform: the runner-up prizes are #1 and #2, leakage of ~these~ would allow liberation of the existing cr50's, but the boojum of 'box in airport luggage can get reflashed via usb by enemy troops' would remain just as nao
asciilifeform: going in order: (1) is the sig header tested by the boot maskrom ( contents not known, but can be guessed at, it has 1 hard-wired pubkey ). this we will call cr50 hitler key #0 . it cannot be changed by fw updater.
asciilifeform: (1) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_ro_sig.png (2) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_hitler_enforcer.png (3) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_hitler_enforcement_businessend.png (4) http://www.loper-os.org/pub/c101pa/ida/cr50_fritz_pinned_pubs.png
lobbesbot: phf: Sent 2 hours and 54 minutes ago: <asciilifeform> other interesting observations: 1) loader is not the same as what appears in the src, in either 3.3 or 3.4 fw bin; not only key differs, but eggog strings, and possibly the rsa per se. 2) seems like : nowhere else in the fw is there any other routine which checksums/rsaverifies the cr50 fw , or references the rsa keyz at all other than to print keyid .
asciilifeform: !Q later tell phf other interesting observations: 1) loader is not the same as what appears in the src, in either 3.3 or 3.4 fw bin; not only key differs, but eggog strings, and possibly the rsa per se. 2) seems like : nowhere else in the fw is there any other routine which checksums/rsaverifies the cr50 fw , or references the rsa keyz at all other than to print keyid .
asciilifeform: phf: https://chromium.googlesource.com/chromiumos/platform/ec/+/cr50_v3.4/chip/g/build.mk#10 << see
asciilifeform: oh , for compleeetness, http://loper-os.org/pub/c101pa/cr50.bin.prod << the 0.3.4 cr50 fw currently installed in my box. ( the offsets above, are valid for it)
asciilifeform: 2) the RW key, corresponding to 'RW keyid: 0xde88588d(prod)' , appears , and is identical to what lives in https://chromium.googlesource.com/chromiumos/platform/ec/+/cr50_v3.4/util/signer/cr50_RW-prod.pem.pub
asciilifeform: 1) the pubs thrown earlier in phuctor ( seen in e.g. https://chromium.googlesource.com/chromiumos/platform/ec/+/cr50_v3.4/chip/g/loader/verify.c#17 ) dun appear anywhere in fw 3.4
asciilifeform: mircea_popescu: in other twists, not only is neither key in the cr50 fw image i have, but the verification routine does not correspond to the 'open' sores.
asciilifeform: ( erry cr50 fw upgrade bin has no fewer than 2 such sigs )
a111: Logged on 2018-06-22 18:03 asciilifeform: in other lulz, nobody noticed this puzzler, so i'ma put it in the l0gz : https://archive.li/i7BRf << cr50 magic rsa keys; the montgomery multiplier etc uses hardcoded constant, 96 word ( i.e. 3072 bit ) for the mults, but the keyblobs are 97 , for some strange reason, in size...
asciilifeform: in other lulz, nobody noticed this puzzler, so i'ma put it in the l0gz : https://archive.li/i7BRf << cr50 magic rsa keys; the montgomery multiplier etc uses hardcoded constant, 96 word ( i.e. 3072 bit ) for the mults, but the keyblobs are 97 , for some strange reason, in size...
asciilifeform: same thrust as the fritz/cr50/etc nonsense.
a111: Logged on 2018-06-18 17:51 asciilifeform: in re cr50 -- if anybody's puzzled re why they put this level of effort into locking down what is essentially a less-popular, bulkier ipnoje -- it's a beta test for bleeding edge of their pc fritz ( the latter, reportedly already in service in google-built serverz in datacentres )
a111: Logged on 2018-06-13 16:48 asciilifeform: and i'm still curious what an elephant-killing dose of gamma would do to the cr50.
asciilifeform: in re cr50 -- if anybody's puzzled re why they put this level of effort into locking down what is essentially a less-popular, bulkier ipnoje -- it's a beta test for bleeding edge of their pc fritz ( the latter, reportedly already in service in google-built serverz in datacentres )
asciilifeform: BingoBoingo: long prior to cr50
BingoBoingo: Wikipedia before alf published his cr50 expose had an article on Fritzchips. Now it doesn't
asciilifeform: i find it interesting that google's approach to building cr50 ( 'hardcopy fpga' ) is actually ~moar~ diddleable, via this method, than if they had shipped ordinary fpga
asciilifeform: this worked in the past, but cr50 seems to include boobytrap for voltage glitching
deedbot: loper_os_cr50 voiced for 30 minutes.
mod6: !!up loper_os_cr50
a111: Logged on 2018-06-15 14:52 asciilifeform: once i get another coupla cr50 boards , will try above method with a small twist ( spoiler : chinese pulse welder as the current source! new!111 original!11 )
asciilifeform: for cr50 in particular, a continuous (e.g. xray) rather than intermittent (emp shooter) glitcher might be preferable, as the thing has a convenient unlock command that you can fire via the uart continuously, then , theoretically, irradiate until it happens to skip the right instruction
asciilifeform: once i get another coupla cr50 boards , will try above method with a small twist ( spoiler : chinese pulse welder as the current source! new!111 original!11 )
asciilifeform: can also glitch by manipulating clock, but it is not presently known whether cr50 has external clocking ( my current understanding is that it does not, but has internal oscillator )
asciilifeform: dun in the literature last night re chip 'glitching' . for some reason everybody, to date, focuses on glitching ~specific~ instruction, rather than scrambling sram bluntly. ( to be fair, the blunt approach is only of any conceivable use if you can pre-emplace the nop slide, as is apparently possible on cr50 ) ; state of the open lit art seems to be the 'xbox 360' pill demonstrated in 2015
asciilifeform: guestop: are you working on breaking cr50 yourself ?
asciilifeform: ( and i suspect that there won't be much said re cr50 for a while, currently it is in dead waters )
a111: 190 results for "cr50", http://btcbase.org/log-search?q=cr50
asciilifeform: !#s cr50
asciilifeform: re tpmism : i predict many great lulz of the fyootoor , when google et al roll 'bitcoin' support into cr50 etc
deedbot: loper_os_cr50 voiced for 30 minutes.
mircea_popescu: !!up loper_os_cr50
asciilifeform: but would need at least 1 actually popped cr50 chip, to tune the probe.
asciilifeform: and i'm still curious what an elephant-killing dose of gamma would do to the cr50.
a111: Logged on 2018-06-13 15:15 asciilifeform: meanwhile , in sad noose, cr50 apparently would be a 1st-class bitch to fully replace, it ( among errything else ) also does the power brick negotiation thing
asciilifeform: meanwhile , in sad noose, cr50 apparently would be a 1st-class bitch to fully replace, it ( among errything else ) also does the power brick negotiation thing
asciilifeform: loper_os_cr50_: hello ?
deedbot: loper_os_cr50_ voiced for 30 minutes.
asciilifeform: !!up loper_os_cr50_
mircea_popescu: aand who might you be, loper_os_cr50
deedbot: loper_os_cr50 voiced for 30 minutes.
mircea_popescu: !!up loper_os_cr50
a111: Logged on 2018-06-13 01:49 asciilifeform: revisiting upstack : i categorically refuse to pay for any cr50 related work that does not produce a working and practically applicable pill. because there is no way to ensure that 'paid to advance art' rather than 'paid 10 derps' mortgages and student loans'
asciilifeform: revisiting upstack : i categorically refuse to pay for any cr50 related work that does not produce a working and practically applicable pill. because there is no way to ensure that 'paid to advance art' rather than 'paid 10 derps' mortgages and student loans'
phf: also contest starts around the time that ascii publishes articles on subj, conceivable that someone else decides to look at the cr50, white hats a vulnerability to google.
asciilifeform: meaningful. i either get a pile of c101pa with rewritable cr50 256kB firmwares, or not.
asciilifeform: loper_os_cr50: hey
deedbot: loper_os_cr50 voiced for 30 minutes.
deedbot: loper_os_cr50 voiced for 30 minutes.
mircea_popescu: !!up loper_os_cr50
asciilifeform: !!up loper_os_cr50
a111: Logged on 2018-06-12 23:39 asciilifeform: phf: you will test using your c101pa. and so you will need the debug snake, i will need to put the output of sysinfo , ver , brd , etc cr50 console commands into the statement.
asciilifeform: phf: you will test using your c101pa. and so you will need the debug snake, i will need to put the output of sysinfo , ver , brd , etc cr50 console commands into the statement.
asciilifeform: phf: the way i'm thinking of doing it: i'ma write up and sign a statement describing the competition; you will create a special-occasion key, e.g. 'cr50contest', rate it e.g. +1 cr50 , and i will drop a coin into it.
douchebag: My friend was also wondering who has access to cr50's
douchebag: I didn't even know what a cr50 was 10 minutes ago
asciilifeform: i put the spi bootrom in the pic, to make clear the fact that it is connected ~through~ cr50
asciilifeform: i'd junk google's crapola fw regardless, even if we break cr50
mircea_popescu: douchebag, cr50 is, by all appearances, an arm cortex fpga
asciilifeform: well currently i'm out of ideas in re cr50; thought i'd try the 1 tool in the box i haven't unsheathed.
asciilifeform: understand, a die photo would do me ~0 good re cr50.
asciilifeform: cnomad: interestingly, 0 discussion on ru net of cr50.
asciilifeform: ( i can dpa right here, dun need help even. but it isn't particularly useful for cr50. )
a111: Logged on 2018-06-12 18:48 asciilifeform considers idea of proclaiming a 1 btc prize for a working break of cr50 . any l1 folk interested in contributing to the prize chest , and/or overseeing the refereeing ?
asciilifeform: cnomad: main form of glitch hardening in cr50, going by the src, is the tactic of repeating the various crypto checks N times
asciilifeform: the expense of decapping ~each~ cr50 in each box, is prohibitive, and makes whole proposition uninteresting
asciilifeform: re 'weeks of nonstop work', understand that the break must be mass-applicable, it is not useful to flip the bits with electron beam in ~one~ particular cr50
asciilifeform: into all currently available cr50 boards, but in particular the c101pa.
cnomad: how much are you offering for liberating a cr50? fyi, it'll be a _hard_ target
asciilifeform: so, for example, i am considering declaring a btc bounty for cr50 break. but it will only be available to folks in the wot, for the very obvious reason .
asciilifeform: are you interested in / familiar with cr50 in particular ? or heard of it for 1st time from the article
asciilifeform considers idea of proclaiming a 1 btc prize for a working break of cr50 . any l1 folk interested in contributing to the prize chest , and/or overseeing the refereeing ?
asciilifeform: in other negative results, small ra-226 isotope capsule had no measurable effect on cr50 .
ave1: as an aside, I've been reading the google code for the cr50 but I also did not find any obvious holes so far
asciilifeform: meanwhile, in the cr50 swine pits, https://archive.li/fftWm
asciilifeform: in re cr50 -- if we find which fpga was the basis, it may be possible to craft pad-for-pad replacement for the fritz.
mircea_popescu: and who might you be, 12th loper_os_cr50 ?
deedbot: loper_os_cr50 voiced for 30 minutes.
mircea_popescu: !!up loper_os_cr50
asciilifeform: revisiting upstack -- currently asciilifeform has 0 useful leads whatsoever on cr50 ( finished archaeological dig through the published src, found no obvious hole , yet )