Path: utzoo!attcan!uunet!cs.utexas.edu!sdd.hp.com!uakari.primate.wisc.edu!dogie.macc.wisc.edu!uwvax!tank!shamash!mpe
From: mpe@shamash.cdc.com (2375)
Newsgroups: comp.lsi
Subject: Re: A Truly Secure (tm) ROM access
Message-ID: <21908@shamash.cdc.com>
Date: 30 May 90 15:13:01 GMT
References: <39144@mips.mips.COM>
Reply-To: mpe@shamash.cdc.com
Organization: Control Data Corporation, Arden Hills, MN
Lines: 16

The simplest method to by-pass security shells on any computer (or in
this case an EPROM) would be to allow the target computer to present
itself to the EPROM at power-up and receive the necessary validation and 
later access the EPROM from the run-time evironment.  Some OS kernels will
even assist the process by copying the slower EPROM into faster SRAMS.

Another fact which an attaching user can use to gain access to the EPROM
would be the non-protected startup code which must contain the algorithm
to authorize the users.  The password and transformation functions must
be contained in a machine (and unfortunately user) readable area of the
machine (usually a ROM/PROM/PLA/EPROM etc).

All the new Intel chip family has done to protect the ROM code is to 
break the job of duplicating the code a two part task.  First hack the
password signature and transform function, than apply it to the protected
EPROM and read the contents into a temp buffer.