sts-init


LeeGibling
06-29-2006, 04:15 PM
Recently I dug out 2 papers from Infineon shedding a little bit more
light on the issue, but of course no complete P4 h@ck yet :)

Right after reset, the card gets into the STS Init routine, from where it can
branch into 3 ways. Here is a possible scenario of a boot sequence:
STS CIM (fka ATR_DM)
STS TM (most likely disabled after factory tests passed)
STS UM --> RMS --> CardOS M4 --> Vid***uard).
It has to be mentioned that, unlike for the H, the equivalent of the former CMS
(STS + RMS) is located in 2 different ROM areas:
STS(Init + UM) in an 8 KB protected test ROM.
RMS in a reserved area within the 64 KB user ROM


The entire firmware of the IC consists of routines for EEPROM programming,
RNG tamper testing (Resource Management System, RMS). The RMS routines
are stored in a reserved area of the normal user ROM whereas the STS routines
are in the especially protected test ROM. The STS firmware is divided into:
routines for the chip initialisation after reset (STS Init Mode, STS-Init)
routines setting up the normal operation mode (STS User Mode, STS-UM)
routines used for chip identification (STS Chip Identification Mode, STS-CI) and
routines only used for the protected production testing (Test Mode, STS-TM)

In operation three operating modes are classified: TestMode (TM), UserMode (UM)
and Chip Identification Mode (CI). The entry in the different modes is controlled by
an initialization mode (STS-Init) as well as by a combination of different hardware
and software flags being under control of the STS firmware.

1one
06-29-2006, 04:22 PM
Lee,
I saw your post at id. This looks like an improvement.