-
PI Camera Driver Makes Deal With The Devil
02/12/2017 at 01:16 • 0 commentsSo I have confirmed the nefarious purpose of the ATSHA204A. When you switch sensors between camera boards they continue to function. But when you remove the ATSHA204A the board stops working. Which means it is meant to make sure the Pi Camera Drivers will not work with cloned boards unless they have a ATSHA204A with the correct secrets programmed in! As if it wasn't bad enough we had to deal with a close sourced blob for the video core!
I have a PiCamera I thought the sensor was broken on, but it turns out the ATSHA204A was borked, the sensor works on another board and now there is no way for me to use that sensor because I don't have a matching crypto chip for the driver!!!
I have also confirmed my schematic and PCB layout are good, transferred over all the components to my OSH Park boards and the sensors function.
-
I2C Logic Analyzer Trace
01/28/2017 at 04:02 • 0 commentsI just uploaded a file PI2_I2C_Test_1.txt which contains the I2C decode from running a logic analyzer on the PI Cameras I2C bus while running Raspi Still. Based on the messages it looks like the I2C device is a ATSHA204A. Why on earth do they need a crypto IC on the raspberry PI camera I wonder. Does the sensor require some special keys to communicate with it? I'm a bit short on time lately so if someone wants to dig into it and figure out whats going on that would be awesome, if not I'll get around to it eventually.
You can see this bytes being read from the device which match the sequence on page 24 of the datasheet of the ATSHA204A.
0.516076750000000,5,d (0x64),'4' (0x04),Read,NAK
0.516295000000000,6,d (0x64),'17' (0x11),Read,ACK
0.516385000000000,6,d (0x64),3 (0x33),Read,ACK
0.516475000000000,6,d (0x64),C (0x43),Read,NAK
I also found a forum post mentioning this device with address 0x64. The camera sensor is at I2C address 0x10 it would appear. Oddly enough running a eeprom dump on the camera sensor did produce information, not sure if its anything valid but it was consistent.
Getting some boards from OSH park tommorow so hopefully I'll be able to let you know if I successfuly transfer a camera sensor to them or not. Looks like I may have to use the same U4 from the old board if that crypto IC is used in any meaningfull way.
Update:
Turns out I'm a liar and I did have time to figure out what the I2C data was. It gets the devices serial number. Then it gets a Nonce and HMAC digest from it. Not sure what it does with it though:
Command Length: 0x07 Opcode: 0x02 Read 4 bytes from device Param 1: Zone Config 4 Bytes Param 2: Address 0x0000 Serial Number [0:3] Checksum: 0x2D1E Response Length: 0x07 Data: SN[0:3] 01230B59 Checksum: 0x413F Command Length: 0x07 Opcode: 0x02 Read 4 bytes from device Param 1: Zone Config 4 Bytes Param 2: Address 0x0002 Serial Number [4:7] Checksum: 0xAD18 Response Length: 0x07 Data: SN[4:7] 8C196D83 Checksum: 0xC465 Command Length: 0x07 Opcode: 0x02 Read 4 bytes from device Param 1: Zone Config 4 Bytes Param 2: Address 0x0003 SN[8] Res I2CEN Res Checksum: 0x112D Response Length: 0x07 Data: SN[8] 0xEE Res 0x13 I2CON 0x01 Res 0x00 Command Length: 0x1B Command: 0x16 Generate a 32-byte random number and an internally stored nonce Param 1: Mode combine the new random number with NumIn, store in TempKey. Automatically update EEPROM seed only if necessary prior to random number generation Param 2: ZEROS Input Value: 5805F3C898C3133154498E082F2E703516F2DBD1 Checksum: 0x2C82 Response Length: 0x23 Nonce Response: B66B48272C80EA2D2E778162FD300728E2E7E8F04CB0C645BFD0206CC0E7E772 Checksum: 0x4574 Command Length: 0x07 Opcode: 0x11 Calculate response from key and other internal data using HMAC/SHA-256 Param 1: Mode include the 48 bits SN[2:3] and SN[4:7] in the message Param 2: SlotID 0 Checksum: 0x8D14 Resonse Length: 0x23 HMAC Digest: 283AE84222422456DEB86CA33D2DFB3A9443E59F2828ABFA71037E34AAA27B2D Checksum: 0x445B
-
Board Overview
01/17/2017 at 06:43 • 0 commentsJust a quick video about the board showing off the interactive viewers on my website. If you know what the I2C chip is or if the dual indcutors are more than they seem let me know in the comments.