HaD Remoticon 2021: Buddha Flower Chip
Sprite_tm
Note: This is a 2d presentation. Use left and right to move between chapters, use up and down to go to the next slide in a chapter. Space forwards linearily through all slides and chapters.
Intro
The Question
Flash dump is available... can we replace the songs?
Getting Wiser
buddha.bin (2097152 bytes)
file
binwalk
strings
Yer Olde Eyeball Mark I
Yer Olde Eyeball Mark I
Yer Olde Eyeball Mark I
What's that smell?
What's that smell?
What's that smell?
What's that smell?
Shitty Encryption
Levels Of Encryption
Levels Of Encryption
Levels Of Encryption
- 1. Take it down
- 2. Flip it
- 3. Reverse it
'Hello' -> 47 64 6c 6b 6e -> b8 9b 93 94 91 -> 91 94 93 9b b8
Levels Of Encryption
Isthay ouldway beay anyay exampleyay ofyay obfuscationyay.
Shitty encryption
Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that they themselves can’t break.
Bruce Schneier
XOR encryption
hello, remoticon people
SUPERSECRETKEYMATERIALS
;0<)=e17(;?,:"/t57&1 6
hello, hackaday people
SUPERSECRETKEYMATERIALS
;0<)=e+3&?*!84at57&1 6
Data = 00 00 00 00 00 00 00 00 00 00
Key = 19 28 38 45 91 73 AB 6E 43 F0
Res = 19 28 38 45 91 73 AB 6E 43 F0
TL;DR
- Data XOR key = gibberish
- gibberish XOR key = data
- Both data and key 'leak' into gibberish
- If data is clear, you can see the key
Hmm...
Hmmmmm...
Hmmmmmmmmmm...
The Keystream
0xEF, 0xFF, 0xDF, 0x9F, 0x1F, 0x3E, 0x7C, 0xF8, 0xF0, 0xC1, 0xA3, 0x67, 0xEF, 0xFF, 0xDF, 0x9F, 0x3E, 0x7C, 0xF8, 0xF0, 0xE0, 0xE1, 0xE3, 0xE7, 0xEF, 0xFF, 0xDF, 0xBE, 0x7C, 0xF8, 0xF0, 0xC1, ...
0xEF 0xFF 0xDF 0x9F 0x1F 0x3E 0x7C 0xF8 0xF0 0xC1 0xA3 0x67 0xEF 0xFF 0xDF 0x9F 0x3E 0x7C 0xF8 0xF0 0xE0 0xE1 0xE3 0xE7 0xEF 0xFF 0xDF 0xBE 0x7C 0xF8 0xF0 0xC1
- 0xEF -> 0xFF
- 0x9F -> 0x1F OR 0x3E
- 0xF0 -> 0xC1 OR 0xE0
- x -> (x<<1) OR ((x<<1)^0x21)
0xEF 0xFF 0xDF 0x9F 0x1F 0x3E 0x7C 0xF8 0xF0 0xC1 0xA3 0x67 0xEF 0xFF 0xDF 0x9F 0x3E 0x7C 0xF8 0xF0 0xE0 0xE1 0xE3 0xE7 0xEF 0xFF 0xDF 0xBE 0x7C 0xF8 0xF0 0xC1
carry = (xorval & 0x80); xorval_next = xorval << 1; if (carry ^ some_generated_bit()) \ xorval_next = xorval_next ^ 0x21
Some_generated_bit() = 110011011000001000000101100011100010110000001100...
110011011000001000000101100011100010110000001100...
- Must be generated
- Pseudo-random number generator?
- LFSR!
uint16_t state=0x1234;
int lfsr() {
int carry=(state&1);
state=state>>1;
if (carry) state=state ^ 0x8408;
return carry;
}
LFSR: Unknowns
- Length of the LFSR
- Position of the taps
- Initial state
LFSR specs
- 16 bit
- 2^16 possible tap positions
- 2^16 possible start states
- 2^32, or 4,294,967,296 options
- 5-year-old laptop, unoptimized code: 60 seconds
- Side-effect: Buddha chip encryption bruteforcer!
Fully cracked!
Flash contents
- code.app
- overlay 0 <- Machine code!
- overlay 1
- overlay 2
- ....
- n01.f1a<- Audio?
- n02.f1a
- ...
And the CPU...
About that CPU...
The rest of the code
Not all in flash...
- code.app: 9K of actual code
- What loads code.app?
- Code.app has calls/jumps to ROM?
How to get data out?
- No UART detected...
- Button GPIO is input
- SPI?
Read all the memory!
- Unpack flash
- Replace overlay with dumper
- Repack flash
- Program & resolder flash, attach LA
- Power on!
- Dump SPI traffic, convert to .bin
- Profit!
Reading the secret ROM
GBA: Read-protected BIOS
GBA: Read-protected BIOS
GBA: Read-protected BIOS
GBA: Read-protected BIOS
How did the GBA do it?
int MidiKey2Freq(WaveData *d, u8 mk, u8 fp);
Need to find similar fn in secret ROM!
Hope they don't check ptr...
Maybe this function?
Yes! Side-effect: acc=mem[dptr+3]
Function actually does: memcpy(ptr, dst, 4);
(facepalming_buddha.jpg)
'Secret' routines
Chip is still unknown...
No Appotech, no GeneralPlus, no Winchip, no...
Another PCB pops up!
"JL AB20CM9K17.1"
JieLie, located in Zhuhai, China
Known from: Cheapo BT audio
It's one of our chips!
'AB20CM9K17' Googled...
Hunt for the AC1082D SDK...
SDK: The Good
- Some code matches binary
- Hardware register definitions
- Some peripheral drivers
- Some hardware docs
SDK: The Bad
- Proprietary Keil 8051 compiler
- Most logic in binary libs
- Audio HW undocumented
SDK: The ugly
- No .f1a mention
- Some peripheral regs inaccurate?
- No banking / encryption info
- Peripherals don't match our chip
We can replace songs!
Now What?
We have:
- En/decryptor
- Some SoC info
- .f1a info
Open-source encoder?
- WMA is proprietary
- No FOSS low-BR WMA encoder
- F1A not 100% understood
- Can't be arsed.
Open-source SDK?
- Arch is meh
- Needs way more RE'ing
- Chip is unobtainium
- Can't be arsed.
Buddha chip hackers
AlexGuo1998, Piet Skiet, Prehistoricman, bsekisser, ThreeMetreJim, Malvineous, hjalfi, ruben_balea, neil555, uzlonewolf, bsekisser, me
Thanks for listening!
Jeroen Domburg / Sprite_tm
jeroen@spritesmods.com
https://spritesmods.com