Which is close to one we already saw:
- We've been able to develop attacks against similar chips fairly reliably
- A replacement chip (board) would be about $60
Given this, we decided to try to develop the attack on the actual target without practicing first. We located the structure used in the previous article and found that shining a laser on it gave a stable readout! We probed around a little more, though, and got a second binary that was also stable. There should only be one correct binary coming out. So how did we get two distinct binaries?
Often we run binaries through checker scripts that look for common errors such as stuck address or data lines. When we ran these two binaries through, the scripts flagged some issues:
- Binary 1 has bits 7 and 8 stuck high
- Binary 2 has bit 8 stuck high
Now with all bits toggling and strings visible we have a plausible dump! One early concern was a relatively unusual reset vector, but analysis shows it's fine.
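A sketch of the kind of checker script described above, added here as an example and not the script the authors actually used. The 16-bit little-endian word format, the function names and the sample dumps are all assumptions made for illustration; the samples are constructed so that they reproduce the two stuck-bit reports.

```python
import struct

def load_words(blob, fmt="<H"):
    """Split a raw dump into words (16-bit little-endian is an assumption)."""
    size = struct.calcsize(fmt)
    usable = len(blob) - len(blob) % size
    return [w for (w,) in struct.iter_unpack(fmt, blob[:usable])]

def stuck_data_bits(words, width=16):
    """Return (stuck_high, stuck_low): bit positions that never toggle."""
    all_and, all_or = (1 << width) - 1, 0
    for w in words:
        all_and &= w
        all_or |= w
    high = [b for b in range(width) if (all_and >> b) & 1]
    low = [b for b in range(width) if not (all_or >> b) & 1]
    return high, low

def stuck_address_lines(words):
    """Return address bits that never change the data read back.

    If flipping address bit a always yields the same word, the dump is
    mirrored across that line, which is what a stuck address line produces.
    """
    stuck, a = [], 0
    while (1 << a) < len(words):
        pairs = ((i, i ^ (1 << a)) for i in range(len(words)))
        if all(words[i] == words[j] for i, j in pairs if j < len(words)):
            stuck.append(a)
        a += 1
    return stuck

# Constructed sample data: 256 distinct words, not taken from any real chip.
CLEAN = [(i * 0x9E37 + 0x1234) & 0xFFFF for i in range(256)]
DUMP_1 = struct.pack("<256H", *(w | 0x0180 for w in CLEAN))  # bits 7, 8 high
DUMP_2 = struct.pack("<256H", *(w | 0x0100 for w in CLEAN))  # bit 8 high
MIRRORED = [CLEAN[i & ~0x08] for i in range(256)]            # address bit 3 dead

if __name__ == "__main__":
    for name, blob in (("dump 1", DUMP_1), ("dump 2", DUMP_2)):
        high, low = stuck_data_bits(load_words(blob))
        print(f"{name}: stuck high {high}, stuck low {low}")
    print("mirrored: stuck address lines", stuck_address_lines(MIRRORED))
```

A bit that is legitimately constant across a whole image (for example unused upper bits in a narrow instruction word) will also be reported, so a flag is a prompt to inspect the dump rather than proof of a bad read.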