Fediverse (Mastodon etc): @Sprite_tm@social.spritesmods.com
I decided to open up the stick: I wasn't planning on fiddling with the
software as long as it could fry my stick as soon as it decided it didn't like
me tinkering with it anymore. I still ran a risk: some high-security devices
self-destruct as soon as they notice their housing is damaged or missing, and
most devices have at least something like epoxy to keep people from tinkering
with signals on the PCB. To my surprise, the Secustick has none of these
measures: there's a screw and if you remove it, the PCB slides out of
its housing. It's as simple as that.

The PCB contains the usual USB-stick stuff: a flash controller (an NT2033) and a
piece of NAND flash (a Hynix HY27UU088G5M). The Internet didn't seem to have
a datasheet for either of the two chips, but I did find some important info:
first of all, the flash controller isn't specific to encryption or
password protection; it's just a cheap controller as you would find in many
other, non-secure, USB sticks. Secondly, while a datasheet of the flash chip
itself wasn't locatable, the Hynix site did contain a datasheet of a cousin, so
I could at least make an educated guess at the pinout.

While browsing the datasheet of the flash chip, it struck me the bugger had a
write-protect line. The stick itself has a write-protect switch too, but the
switch seemed to be connected to the controller while the line on the flash chip
was connected to a pull-up resistor, so the chip was continuously write-enabled.
Hmmm... I got an idea and soldered a wire
between the write-protect line and ground, so the chip couldn't be written
to anymore.

Plug in stick, run password program, enter random password:
'You have 6 tries left.' Enter another random password: 'You have 6 tries left.'
Nice: the stick couldn't write the number of tries remaining back to the flash,
so I could try passwords over and over again. If I wanted, I could script
some kind of brute force against the program and get my password that way. It
also meant the program most probably wasn't capable of frying my stick anymore
if I decided to do some tinkering with a debugger.
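
A simplified model of the failure described above, next to a fail-closed ordering that notices the dropped write (an added example, not code from the original post or from the Secustick). The structure, the function names, the counter value and the passwords are all constructed assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one flash cell for the tries-left counter plus the chip's
   write-protect pin. All names and values are hypothetical, and strcmp stands
   in for the real password check. */
#define MAX_TRIES 6
struct flash { int tries_left; bool wp_grounded; };
enum result { UNLOCKED, WRONG_PASSWORD, LOCKED_OUT, COUNTER_FAULT };

/* A write is silently dropped while the WP pin is held low. */
static void flash_write_tries(struct flash *f, int v) {
    if (!f->wp_grounded) f->tries_left = v;
}

/* Weak ordering: compare first, then try to record the failed attempt. */
enum result check_weak(struct flash *f, const char *guess, const char *secret) {
    if (f->tries_left <= 0) return LOCKED_OUT;
    if (strcmp(guess, secret) == 0) return UNLOCKED;
    flash_write_tries(f, f->tries_left - 1);   /* lost when WP is grounded */
    return WRONG_PASSWORD;
}

/* Fail-closed ordering: spend the try, read it back, only then compare. */
enum result check_hardened(struct flash *f, const char *guess, const char *secret) {
    int before = f->tries_left;
    if (before <= 0) return LOCKED_OUT;
    flash_write_tries(f, before - 1);
    if (f->tries_left != before - 1) return COUNTER_FAULT; /* write did not stick */
    if (strcmp(guess, secret) != 0) return WRONG_PASSWORD;
    flash_write_tries(f, MAX_TRIES);           /* restore budget on success */
    return UNLOCKED;
}

typedef enum result (*check_fn)(struct flash *, const char *, const char *);
/* How many of `attempts` wrong guesses actually reach the comparison. */
int guesses_compared(check_fn check, bool wp_grounded, int attempts) {
    struct flash f = { MAX_TRIES, wp_grounded };
    int compared = 0;
    for (int i = 0; i < attempts; i++)
        if (check(&f, "wrong", "s3cret") == WRONG_PASSWORD) compared++;
    return compared;
}

int main(void) {
    printf("weak, WP grounded:     %d\n", guesses_compared(check_weak, true, 100));
    printf("hardened, WP grounded: %d\n", guesses_compared(check_hardened, true, 100));
    return 0;
}
```

The read-back only helps if it runs somewhere it cannot be skipped, which in this model means on the device side rather than in a password program running on the host.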