RSS
 
 

Archive for the ‘Reverse Engineering’ Category

Xyratex Autodesk Kit. 54XX

29 Nov

Seems there is STILL some interest in this kit & getting it working with non autodesk drives.
There is a multitude of “badge engineered” Xyratex products not just Autodesk , but it is all locked down in the software.
Other than that the underlying hardware is identical.

I’ve been asked “ Why don’t you post a firmware file to allow conversion”

An Anecdote:
Many moons ago I used to work at a very large company..
One day…
I was speaking to the owner and he asked me a question:

A: “Do you have any legal problems… personal… company?”
B: “No”
A: “Pity.. I employ a team of lawyers and they have nothing to do at the moment.. if anything comes to mind give me a call”
B: “Ok will do”
So there you go… If there’s potential for a lightning storm .. you don’t stand under a tree.

Where do I go from here
The first action is to get the SERIAL console connected on the back of the device, it is the USB type connection.
This is SERIAL to SERIAL, just someone stupidly decided it was a good idea to use a USB type connection….
you know….. so that people can shove the WRONG cable & release the magic smoke trapped inside.

Once you get your serial connection, the first thing to do it get the equipment version strings & firmware data.
If you don’t do this.. the chance of getting help is limited.

Generally (what I’ve seen so far)
1. ADnn firmware (this is Autodesk, and they have their own firmware which is based around Xyratex FW with extras.

Those extras include:
Hidden factory options
Special checksums for firmware, ensures only Autodesk firmware can be loaded.
Locked down Disk drives
Extra debugging features for their engineers… (thanks guys…)
Code to ensure you cannot get off the AD firmware track
Different software feature unlock keytable… for the controller FW & “Stone Direct”
The latest Autodesk monitor FW Is AD24

  • ‘nnnn’ firmware, this is Xyratex firmware, it has it’s own drive markers, but later versions also allow non branded drives to be used, note however there is a performance IMPACT to using non-banded drives.
    This is becasue the buffer and caching paramiters in the disk drive firmware have been optimized for the yxratex kit
  • The latest Xyratex monitor FW is 0025 (2.5.6)

    Getting all worked up
    There are some points to note before getting all worked up.

    1.On this older kit, it is HARDWARE FIXED at using drives that are 2TB or LESS
    This is NOT something you can hack or bypass and is due to the embedded silicon.
    LSI62042E1
    LSISASX12A which gets you 3GB/s tops

    (nope.. you cannot drop in new chips.. later chips are not pin compatible)

    2.If you use a drive >2TB the total capacity of the drive is NOT 2TB it is a logical ‘AND’ of the addressable space bits, so if you install a 3TB drive you will only get ~1TB.
    This limits your disk drive options unless you are prepared to use the disk drives embedded command codes to limit the drives reported address space( “logical drive capacity” ), before putting them into the storage system.

    1. There is zero support for this old kit & zero updates.
    2. If you use it in a production environment… then you are very very stupid and deserve EVERYTHING you get…. (see point above)
    3. Ensure there is NOTHING on the drives before you start working, each manufacturers product has different software options and the SOFTWARE KEYS ARE DIFFERENT!!!!!, if you do a conversion your licence keys are no longer valid and the options that worked before will stop working. So if you have advanced snapshot enabled, after a conversion you will loose that function & plus any data you had associated with it.

    Hahaha no way people write code this way….
    Both sets of Firmware (Xyratex/Autodesk) are full of bugs, this may be due to the fact that the Software is clearly Xyratex with patches on top.
    Layer upon layer upon layer of patches & fixes…. and more FLAGS than an American Ticker-tape parade…….

    Lot’s and lots of hard coded shit….
    Yep… why code things like dates ,firmware revisions & code check-sums in a separate Data section… just inline it all into the code…

    Since it was easier to flash the chips I never got round to decoding the checksum routine for the roms….
    so no I don’t have a direct up-loadable firmware file to take an AutoDesk->Xyratex.. I could make one. but it’s all about motivation.

    There is a way to modify a Xyratex FW file so that it can be loaded over an AD firmware, bu if anything goes wrong you end up with dead kit and need to flash the onboard chips, it is non software recoverable…….

    How to get an upgrade?
    1. Own a chip programmer
    2. get the info from the monitor
    3. get a picture INSIDE the controller (yep.. there are different versions)
    4. Read out the Binary image on the chip
    5. zip it up
    6. send it to me to take a look

     

    Xyratex Autodesk branded RS-1200 5412E hard drives (Using most drives)

    07 Feb

    Well we picked up a “few” Xyratex RS-1220-F4-5412E Autodesk systems a few years ago, you know the ones with the AD22 firmware that is locked.
    Total cost was $40usd for 4 including a shed load of spare controllers & drive sleds
    The controllers are generally marked:
    RS-LRC-F4-5412E-1024-ADSK 08 Mar-31 (happy decade!!)
    RS-LRC-F4-5402E-1024-ADSK 06 21 (almost a teenager)

    Unfortunately no drives were included.

    Had a quick look on the internet to see if we could find anything on “non Autodesk” drives, mostly just people saying that the devices were locked to drives with a special FW AD02 or AD03
    Others were saying there was a magic firmware AD20 or something…….

    Breakthrough
    I had a few hours to throw at it the other day, since I was waiting for some new PCB’s to assist in a hack of the new Seagate F3 drives with locked down firmware.
    We burnt some drives with a drive sig of XR36 & XR38 inserted them into the array but nothing was showing up , other than the drives were “unsupported”

    I cannae change the laws of physics Captain
    But it’s in here some place

    Read the rest of this entry »

     

    Allwinner (SUNXI) A20 getting two CPU up

    30 Dec

    In my real work, I need a pre-boxed computer at a throwaway price, something I can walk into a server-room covertly stick inside a server cabinet, power-up and then use as a secured ‘base’ from where I can find out ‘what the hell is going on’ (all with the approval of ‘upper management’)

    I have been playing about with the various versions of the TV box ‘construct’, what I need is a cheap secure (relatively speaking)
    throwaway computer that contains in-bulit WIFI/Ethernet/Bluetooth USB and in a nice sealed case I can fill with epoxy……

    Currently I use two units
    840A (A20 – dualcore) & 809 III (3188-quadcore)

    Enter the 840A TV box

    Looking about on the internet you will see the A20 being hacked all over the place ( even at wrt), however when you look a little bit closer you will see that in many of the Kernel startup logs that ONLY ONE CPU is actually enabled and active.

    Indeed if you use the ‘released’ SUN-XI code… guess what…. yep only one CPU comes up or you have to start using their ‘closed binary blobs’ for the functionality.(Having worked with some Chinese software developers… I would NEVER allow any Chinese built closed source on my network).

    What happened

    The Result
    Whilst this is still a work in progress we have gotten this far.

    [ 0.000000] Booting Linux on physical CPU 0x0
    [ 0.000000] Linux version 3.19.0-rc1-00011-g53262d1-dirty (bob@my-virtual-machine) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #14 SMP Sat Dec 27 13:53:26 HKT 2014
    ..........
    [ 0.000000] CPU: ARMv7 Processor [410fc074] revision 4 (ARMv7), cr=10c5387d
    [ 0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
    [ 0.000000] Machine model: I12 / Q5 / QT840A A20 tvbox
    ...........
    ......
    [ 0.001489] CPU: Testing write buffer coherency: ok
    [ 0.001836] CPU0: update cpu_capacity 1024
    [ 0.001853] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
    [ 0.001928] Setting up static identity map for 0x403d4b80 - 0x403d4bd8
    [ 0.003335] CPU1: update cpu_capacity 1024
    [ 0.003341] CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
    [ 0.003428] Brought up 2 CPUs
    [ 0.003449] CPU: All CPU(s) started in HYP mode.
    [ 0.003455] CPU: Virtualization extensions available.

     

    Turning USB peripherals BadUSB (A confession……)

    08 Aug

    There is currently a ‘stink’ about this article:

    Turning USB peripherals into BadUSB

    These guys appear to have put a quite an amount of research into this subject and attack vector.
    However I’m disappointed about how little research and citations of prior work they seem to have included, even if it is not based around USB devices it is still relevant.
    Then there is the ‘case’ of the 3rd party publicly available code to reprogram the SAME USB device released BEFORE their presentation.

    For Example:
    On Hacking MicroSD Cards

    Read the rest of this entry »

     

    USB Storage devices – embedded Trojan analysis/implementation (USB Nand-Flash)

    04 Aug

    How we can build powerful analysis tools from Ebay crap….

    There is lots of cool scrap available on Ebay, specifically items from video processing companies/telecom companies that sold their scrap to clowns who were supposed to ‘destroy it’ ( you know the ones, who advertise ‘secure destruction’ of equipment).
    All you need is a JTAG pod, frequency generator (NE555), multi-tester and a little bit of time.

    Background
    Back In Jan I threw together a library for reading Nand-flash chips on the Arduino, part of the reason for this was to try to throw together a simple and highly cost-effective way to read Nand-flash chips.

    Unfortunately it was a failure due to the read speeds…. BUT….
    Read the rest of this entry »

     

    USB miners and the Dipo Electronic 19 port 20A USB Hub

    20 Nov

    This is a 19 port hub with an integral power supply that is capable of reliably supplying MORE than 700mA per port without overheating or becoming a fire hazard.

    Dipo  hub , with engineering modifications for reliability

    Dipo hub , with engineering modifications for reliability

    Some of the Basic specifications:

    – Fully 480mb/s at each port
    – 16 Front facing Standard A USB ports
    – 3 Side facing Standard A
    – 1 Master hub connection Standard B for connection to Computing Equipment or other hubs
    – Fully fused internally via multiple poly-fuse resettable fuses both on each individual port and on the main power feed to the Ports.
    – UK/European standard 3 pin power plug
    – Hub runs COOL

    Unlike cheaper USB ports that only implement links at USB 1.0 standard (12mb/s speeds but state they are ‘compatible’ with USB 2.0) this is a professional FULL 480 Mb/s port that complies and implements the full 2.0 USB standard. It may also be used to connect to generic USB 1.0 equipment.

    The good thing about these hubs is that you can load them up with 19 Bi-Fury miners (around 76 gh/s) and the miners would STILL run as intended.

    The supplier is a Chinese company we have been working with, each hub we sell is inspected both at the electrical and electronic levels to ensure the correct functionality of the product.

    It can be purchased here:
    Razorfishsolutions.com.hk

     
    Comments Off on USB miners and the Dipo Electronic 19 port 20A USB Hub

    Posted in Android, Arduino, BITCOIN, forensics, FPGA, Linux, PCB Design, Reverse Engineering

     

    Bit coin miner from Ebay scrap The Solar debateVIII)

    13 Jul

    It was not until the start of this year (2013) that there has been such a long run of exponential increases in the bitcoin difficulty.
    Current difficulty is 26162876 with a PPS share rate of 0.00000092 BTC (actually it is lower once you consider fees etc)

    After mining for a few years using various systems- CPU, GPU, FPGA.. The time has now come to reconsider the situation….
    B.F.L have continually failed to deliver what they promised they were experts in…. Power consumption does not match,shipping does not match, quality does not match.
    Back in January, they were saying delivery would be in Two months, they are still claiming that all back orders would be cleared before end of September 2013, personally I find this unlikely since they STILL have not shipped any of my orders, and for them to clear the backlog, they should at least have my orders in ‘production'(I’m in the top quarter of their estimated order book).
    Plus the number of people who have had new ASIC kit only for it to fail abysmally is rapidly increasing..
    I have decided to give them until the middle of August and then I’m pulling the plug on the orders.

    Read the rest of this entry »