Putting the video in a modal window that disappears and resets playtime when you click anywhere has got to be the worst UX decision ever. Can't even resize the tiny little viewport.
Just "Inspected" the page with Chrome Developer Tools (built into Chrome). If you haven't tried it before, you can do a lot of fun stuff with it, on any site!
Like another commenter said, I found that the video is contained in an <iframe> so I grabbed its URL and found it works nicely to watch the video in a separate window or browser tab. :)
I searched around to see if the video host ("Wistia") displays videos in some more YouTube-like layout, but it seems not.
I hate this and the trend of videos that stop when you scroll down or change tabs and then restart from the beginning when you go back. What are they even thinking? Fraudulently inflating the view count?
The idea is that you can reset just the config bits. So the bits that keep the JTAG/SWD/ICSP from reading out the flash.
So imagine your flash is over here, and your SRAM is over here, and over on this other side is the SFRs and inside those are bits that once set disable the debug interface. Reset just those and you can dump the firmware.
Interesting. I did not realize that you could still erase such chips using UV light, and that this would also wipe out the 'fuses' used to protect readout. I always figured that blowing those fuses actually physically destroyed a conductor in the chip. But once you have things opened up to this degree even that could probably be repaired using a pantograph and a very steady hand.
In the old days, EPROM parts and OTP (one-time-programmable) parts were often the exact same die. The only difference was the window in the package. Hardware security measures are never absolute; but no one who has thought more than briefly about it would use a UV-erasable bit to protect an important secret.
"Direct" tampering with hardware is always possible, but for a recent design it will be extraordinarily expensive--electron microscopes, FIB, and so on. The interesting exploits are usually mistakes in the logic, the power supply sequencing, etc., not direct attacks on the memory cell. There's maybe some analogy with software security, where practical attacks on a (well-known) crypto algorithm are incredibly rare, and practical attacks on everything around it are incredibly common.
The fuses I have experience with are indeed "blown" -- actual metal traces are physically opened with a large current -- and can't be intentionally reset.
Often you blow fuses in multiples and take a vote, because the fuses can occasionally re-connect or have awkward leakage due to how the metal bits behaved during the over-current, and that's embarrassing for a fuse controlling a security feature.
I know what EPROM is. I just did not realize that under the hood these devices were still UV erasable, especially not for those particular bits. This makes me wonder if you could not apply the same techniques against a large number of ECUs from that era. I'd be very interested in rooting around in those.
The flash in new devices is still erasable with UV (sometimes) but you’ll notice every single chip shown in the video is a DIP package, quite old school.
More modern chips just have metal layers over the flash. You can decap and have a layer of transistors or a layer of metal or some other impediment to the UV light.
Well this guy may have figured out another way to decap chips, this is not a (great) way to hack chips anymore.
I saw an article about some guy that was able to UV erase the metal covered fuses by masking the flash area and lighting the chip at an angle, that allegedly creates a reflection in the metal cover enough to erase them.
Edit: I found it, http://www.bunniestudios.com/blog/?page_id=40, it's done on a PIC18F1320 which is DIP, it would be interesting to see if there are any changes in the design to mitigate this method.
Believe me, or not. Inside the carding scene, mass decapping is now a thing. That includes decapping of chips that were specifically designed to be decapping-proof. I remember that began at around 2010-2011, when the first mass wave of chip and pin cards began to hit carding networks.
Chip cards have some private key burned into them that makes them unique, depending on the chip they may just use this to witness a transaction (so the issuer knows this card was used) or something more involved so that the issuer can verify the card was really told the correct PIN and transaction amount.
In principle you can uncap the chip and get that key back out. You could then clone it, or bypass any restrictions built into the chip like "I won't authorise more than £200 total spend without going online". I'm not sure how that would be worth doing unless it's surprisingly easy and quick.
Unlike with cloning magstripe cards though this would trash the original, take substantially more than a couple of minutes and be readily detectable by the issuing bank if they are paying attention. So it seems crazy to me and my default position would be to believe it's not actually being done, certainly on an "industrial" scale.
How the prime majority of such cards get to carders is through bought post workers that steal replacement credit cards sent by post.
So, even when a card does not arrive, most people will assume that the post simply lost it, and call for another replacement.
As I understand, a great lot of banks still ship fully active cards that require no "activation" by phone or online, assuming that nobody can recover the pin.
Is the actual pin on the chip though? I would have assumed only a hash of it was stored, enough that it can verify the right pin has been supplied without having to store the actual code?
Whereas I don't have criminal contacts who'd know whether anybody actually is stealing chip cards and de-capping them, I do know plenty about algorithms and data structures.
Rainbow tables make no sense here, the rainbow table is a clever optimisation of the normal time-space tradeoff where we don't want to pay the full space cost, and will accept a time penalty (and usually in practice an accuracy penalty) to avoid using so much space.
For a four digit PIN there is no concern about space, storing and indexing 10 000 possible hashes is trivial (whereas storing and indexing say three trillion password hashes is kind of a pain so that's why you have rainbow tables).
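The space argument in the comment above, worked through as an added example that is not part of the original thread: a complete digest-to-PIN table for the four-digit space, with its size compared to a three-trillion-entry table. The storage scheme (SHA-256 over salt plus PIN) and the sample PIN are assumptions made for illustration; the thread does not say how any card stores its PIN.

```python
import hashlib
from typing import Dict, Optional

PIN_SPACE = 10_000  # every four-digit PIN, 0000..9999


def pin_hash(pin: str, salt: bytes = b"") -> str:
    # Assumed storage scheme for illustration only: SHA-256(salt || PIN).
    return hashlib.sha256(salt + pin.encode("ascii")).hexdigest()


def build_table(salt: bytes = b"") -> Dict[str, str]:
    # Full digest -> PIN index: no chains and no reduction functions,
    # because the whole table fits in memory.
    pins = (f"{n:04d}" for n in range(PIN_SPACE))
    return {pin_hash(p, salt): p for p in pins}


def recover(stored: str, salt: bytes = b"") -> Optional[str]:
    # A per-card salt only forces the table to be rebuilt, which costs
    # 10,000 hash calls.
    return build_table(salt).get(stored)


def table_bytes(entries: int, digest_len: int = 32, plaintext_len: int = 4) -> int:
    # Raw size of a complete table, ignoring index overhead. The 4-byte
    # plaintext is an assumption; real password entries would be longer.
    return entries * (digest_len + plaintext_len)


if __name__ == "__main__":
    stored = pin_hash("4821")          # constructed sample value
    print(recover(stored))             # PIN recovered by plain lookup
    print(table_bytes(PIN_SPACE))      # bytes for the full PIN table
    print(table_bytes(3 * 10**12))     # bytes for three trillion entries
```

The full PIN table is a few hundred kilobytes, while the same record layout at three trillion entries runs past a hundred terabytes, which is the gap rainbow tables exist to close.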
In case you are wondering, this technique probably doesn't work against security-hardened chips. But others might, like what nation-states can afford.
"More security-focused microcontrollers like the ones used in hardware security modules (HSM) to store encryption keys, trusted platform modules (TPM), and SIM-cards have hardened chipsets to make these invasive attacks more challenging, Davidov said. They have countermeasures such as protective shielding and an active mesh layer to detect when a trace has been cut. Light sensors, when tripped, could automatically destroy all stored secrets if the chip powered on after the molding component was removed. While there are ways to bypass these features, they require extremely specialized equipment and 'significant investment.'"[1]
The problem with that is, there are fewer people capable of attacking their countermeasures and so they don't get a strong test before being deployed. I'll always remember Christopher Tarnovsky's talks at DEFCON.