<felix_>
whitequark: did you have time to look at the logic analyzer trace i sent you maybe half a week ago? it's not the sigrok file format, but the saleae one. when sampling with 16 MHz, some part of the signal showed with 8 MHz toggle rate, so i'm not very confident that the signal is good though :/
<Kamots>
tinyfpga: I'm messing with a TinyFPGA BX recently purchased from SparkFun. It seems like the diagram included with it doesn't properly match the schematic on GitHub. I'm trying to figure out if the MEMS oscillator is connected to any of the global buffer pins or if it is only B2. Can you help?
<tinyfpga>
Kamots: I don’t believe it is connected to a global buffer in the BX revision
<tinyfpga>
Kamots: what’s wrong with the diagram?
<tinyfpga>
Kamots: are you looking at the B2 or BX GitHub repo?
<Kamots>
BX, the filename is TinyFPGA-BX-Schematic.pdf
<Kamots>
I may just be reading it wrong, I'm trying to match up things to the iCEcube2 Package View screen
<Kamots>
this is the iCE40 LP8K CM81 right?
<Kamots>
pin27 on the bottom says it is connected to J4 and claims it is GBIN4 but the Package View doesn't show J4 as a GBIN pin
<tinyfpga>
Kamots: that’s the right part...hmmm...I’ll have to double check the schematic. I changed the names of the SPI interface pins from numbers to names
<tinyfpga>
Kamots: and I can’t remember if I updated the schematic to reflect the naming on the silkscreen
<Kamots>
the silkscreen and the included reference card seem to match
<Kamots>
with the SPI pins named instead of numbers
<Kamots>
tinyfpga: do you have a high resolution PNG or something of the board layout someplace? I can just follow the traces :)
<Kamots>
it seems like I could run a short jumper from the CLK pad on the bottom of the board to the 30 pad (E8) which is a global buffer input
<Kamots>
I just want to examine the board layout and make sure I'm not screwing up
<Kamots>
According to the schematic, G4 is connected to "81_GBIN5" but I can't find that anywhere else in the schematic. However, it would be the perfect pin to use for the clock input since the same IO block connects to the PLL.
<pie__>
sooo...people are talking about this being a ploy to get supermicro to crash and burn financially
<pie__>
maybe thats a ploy to get people to believe there isnt a backdoor! :P
<pie__>
well, anyway,
<azonenberg_work>
pie__: great time to deploy an actual bmc rootkit
<azonenberg_work>
nobody will believe you when you say you found one :p
<pie__>
azonenberg_work: yeah?
<pie__>
oh
<pie__>
azonenberg_work: well, if you can provide evidence i guess? :P
<prpplague>
pie__: i can't comment on it in detail, but i have personally seen a number of devices that were fake components. one was actually a uart level shifter that was an mcu programmed to sniff and insert commands to a serial console
<prpplague>
pie__: another was hidden as an EMI/ESD filter for USB interfaces
<pie__>
prpplague: huuuh.
<pie__>
wait im confused about how to parse what you said
<prpplague>
pie__: which part
<pie__>
so the uart level shifter was actually an mcu, right?
<prpplague>
pie__: yea
<pie__>
ah ok
<prpplague>
pie__: but it was marked and sold as a level shifter
<pie__>
hm
<pie__>
prpplague: i have a hard time figuring out how to think about this stuff
<pie__>
do i just need experience or is it something one is born with? :P
<prpplague>
pie__: try this one, we found a set of CPU chips where a GPIO was specifically routed next to a security register, so that when the gpio was toggled at a specific frequency, it caused the security bit to flip
<pie__>
awesome..
<pie__>
what kind of hardware is this?
<pie__>
and how do you even find that?
<tinyfpga>
prpplague: that’s awesome! What package are you using? Can you share any more details of your prototype?
<prpplague>
pie__: i can't comment on any details, but i am sure you can find my linkedin profile and make some educated guesses
<pie__>
prpplague: yeah i didnt mean with any real specificity but ok
<pie__>
prpplague: can you comment in some super vague way about how?
<pie__>
do you just...have a big list of bad things, or fuzz it, or...???
<prpplague>
tinyfpga: 81 ball bga
<prpplague>
pie__: well we weren't specifically looking for the issue, i was doing some work on a 3D lcd panel that required us to have the GPIO configured as a PWM
<prpplague>
pie__: but i kept getting some warning from the kernel that the security status had changed
<pie__>
oh lol huh
<prpplague>
pie__: so i reported it to some of the silicon developers
<prpplague>
pie__: they started looking into it
<prpplague>
pie__: and sure enough the layout was different than what it was supposed to be
<pie__>
huh.
<pie__>
feels weird, because stuff like that was always considered tinfoilhattery
<pie__>
id love to talk about this stuff more but i need to force myself to sleep, got a bad cold :(
<prpplague>
pie__: no worries
<prpplague>
tinyfpga: i kind of want to go with the 121 package
<tinyfpga>
prpplague: is that the same pitch, or larger?
<tinyfpga>
prpplague: I don’t think I looked at that package
<prpplague>
tinyfpga: yea it's the same 0.4mm spacing
<prpplague>
tinyfpga: it doesn't have as much I/O
<prpplague>
tinyfpga: the 81 ball version
<prpplague>
tinyfpga: of course
<prpplague>
tinyfpga: i think after we get the design solid, we probably can drop down to the ICE40LP1K
<prpplague>
tinyfpga: maybe go to the qfn package
<azonenberg_work>
prpplague: out of curiosity, were the fakes you found in authorized distribution channels?
<azonenberg_work>
i.e. was the actual chip being made wrong?
<azonenberg_work>
or were these totally fake chips that just were remarked to look like the legit one
<prpplague>
azonenberg_work: no they never made it outside the company, as we were in the process of chip bring-up and validation
<prpplague>
azonenberg_work: they were actual production chips where a third party contractor had made modifications to the actual silicon layout
<azonenberg_work>
So this was actually an edit to the mask somewhere in A0 silicon
<prpplague>
azonenberg_work: yea
<azonenberg_work>
That would have shipped if not caught
<prpplague>
yea
<azonenberg_work>
Wow
<azonenberg_work>
And the level shifters? were those outright fakes?
<azonenberg_work>
not pwned real chips?
<qu1j0t3>
that's all pretty impressive
<prpplague>
azonenberg_work: those were a little more conspiracy type deal
<prpplague>
azonenberg_work: apparently the "supplier" found out what they were going to be used for and specifically sent these to a specific company to be assembled in a specific motherboard
<prpplague>
azonenberg_work: so it was highly targeted
<azonenberg_work>
So a (presumably) intelligence agency sent a reel of pin compatible MCUs
<azonenberg_work>
labeled like your level shifter
<azonenberg_work>
to your contract manufacturer?
<azonenberg_work>
who had no idea?
<azonenberg_work>
Or did the CM tip off the agency that your board was being made and then coordinate the implant?
<mithro>
Does anyone have a footprint or know what it's called when you set up a set of resistors which let you swap the connections when you screw up MISO/MOSI on your board?
<prpplague>
azonenberg_work: sorry back, phone
<prpplague>
azonenberg_work: yea, so the CM let it slip to the supplier who the customer was
<azonenberg_work>
Ah, i see
<azonenberg_work>
Then the supplier did the swap
<prpplague>
azonenberg_work: yea
<prpplague>
azonenberg_work: but the thing is, these were custom designed, they had to have had these waiting for a "customer"
<prpplague>
azonenberg_work: so they must have known that the customer was planning to use them
<azonenberg_work>
was the level shifter a bog-standard part?
<prpplague>
azonenberg_work: which starts to go down the rabbit hole
<azonenberg_work>
they may have done this for a lot of people
<prpplague>
azonenberg_work: yea, it was basically a clone of the max2232
<azonenberg_work>
Yeah that sounds like something they premade and had a little mcu they could program to screw with $TARGET's console
<azonenberg_work>
Then when they knew the target they just flashed the exploit and boom
<azonenberg_work>
How did you find them?
<prpplague>
azonenberg_work: i wasn't part of that discovery, so i am not sure how they found them, i was just "in the loop" for what to look for in the future
<azonenberg_work>
Ah, i see
<prpplague>
the other one i have seen is an EMI/ESD filter that was actually an MCU that would wake up every so often, enumerate itself on the USB port as a HID device, open up a terminal window, issue a few commands and close the terminal