Great post! I find the quote from Bunnie in the blog pretty relevant:
“The JTAG boundary scan approach was rejected on the grounds that the TRST# pin, used to hold the JTAG chain in reset, was tied active in a manner that was difficult to modify without removing the processor.”
Gives me flashbacks to simpler times where disk-based systems lacked any real form of DRM because of the assumption that a consumer wouldn't be able to afford to press their own CD-ROMs.
Maybe still not as easy as burning a CD-R, but BGA rework stations have come down in price and utility enough that they are practical for the semi-serious tinkerer. Most modern designs account for this, but I wonder if other techniques, maybe like decapping or some future unknown, will start to open new, simple vectors of attacks on our hardware today.
I don't really have a point to make here I guess, just that most assumptions made today tend to not quite work out as expected, and that's kinda neat.
Decapping is well within the realm of hobbyists. I have thought about putting together an open source equivalent of the JetEtch, which can sometimes be found on eBay for fairly cheap. My main concern is that the chemicals used are really dangerous.
Things like laser glitching are feasible in the $thousands range and power or RF glitching is in the $hundreds range.
With low cost fiber laser cutters and etchers, lots of techniques can be applied. I imagine with the high resolution X-ray stuff starting to come onto the used market, lots of things for hardware hacking will become extremely affordable.
Yes. Decapping and laser glitching are all exploited today in amateur settings. Here are dudes working on old arcade machines: http://caps0ff.blogspot.com. In fact, the most recent post is about laser glitching :)
It's not the cost of BGA rework hardware alone that was the main barrier back then, it was knowledge and experience. BGA was seen as something very difficult to the point of not being worth even attempting. In early 2000 even basic SMD was an insurmountable barrier to most amateurs; today it's trivial despite using the same equipment. OP author Markus Gaasedelen identifies himself as a software researcher by trade, but casually replaces BGA CPUs on the side :) all thanks to easier access to information. Merely knowing something is possible pushes humans forward, and thousands of available tutorial pages/videos help too :)
It is a wild coincidence to read this today. This past week, I got my OG 1.6 modded Xbox out, my friend sent me a rip of an "Ultimate Halo" disk I made in high school, and I read a deep dive on the evolution of Xbox soft mods.
Fascinating read, thank you so much for doing it, documenting it and sharing it!