The side image shows the location of the TI chip on the Lightning connector. Once we stripped away the cable housing (easier said than done), and took the die out of the package, we found die markings of "BQ2025". However, TI does have published datasheets on the BQ2022, BQ2023, BQ2024, and BQ2026. These four chips are cataloged on TI's website as battery fuel gauges, but they are not identical, with three of them being serial EPROMs and one of them being a battery monitor IC. However, all four do have some common characteristics. All use a single-wire SDQ interface (TI's proprietary serial communications protocol). So, it is certainly likely that the BQ2025 does have some security implemented on it. It would also seem likely that it includes an SDQ interface.

We continued our lab work on the BQ2025 and now have a lower metal sample to view (and purchase in the TechInsights store). On this sample, we have been able to see some further details of this chip. There is a digital logic block occupying the top left portion of the chip. This block includes about 5K gates of logic. Also on the chip is the EPROM, with likely 64 or 128 bits of storage (visual inspection only, full RE not completed). There are also some large driver transistors, quite a bit of analog circuitry, and a fair amount of capacitance. This is certainly all consistent with a serial communication chip including some simple security features.

Part of the magic going on is that the Lightning connector features fewer direct connections than the prior generation connector. This means that Apple needs to apply some intelligence to which wire is sending and receiving the signals, because there are fewer connections but just as much data. Additionally, Apple has a number of patents related to authentication and security between devices. This has useful application by allowing "handshake" access to only certain functions necessary for the functioning of a peripheral (such as a speaker docking station) without allowing access to the full functionality of the phone. It has additional application in smart battery applications. Both Apple and Texas Instruments (separately) have documented this security technology in a number of related patents (applied and issued) wherein they describe the passing of information from the host through to the accessory.

It is actually very interesting that we may have found a chip with (likely) some modest security in this cable. In this case it is not only related to securing their revenue stream for cables or ensuring reliable, high-quality (licensed) peripherals, but also to delivering useful product features that are not necessarily at the top of the consumer's mind. We are planning a full systems analysis on this device to further understand what exactly is going on. Previously, we have analyzed security devices regarding medical printer media (armbands), printer cartridges, flash drive memory, batteries, and smart cards, but this is the first secure cable we have seen.