You mean confronting person responsible for holding elections is a waste of time because he is corrupt and in the payroll of CIA ?Rahul Mehta wrote:Talking to EC is waste of time. I am better off translating the pdf in Gujarati and distributing copies locally.
EC is corrupt and his being CIA agent is very much possible. The roots of US are not quite deep, SeS being one explicit example. But his being corrupt is enough. I have enough experience in field to conclude that speaking to corrupt people is waste of time.pgbhat wrote:You mean confronting person responsible for holding elections is a waste of time because he is corrupt and in the payroll of CIA ?Rahul Mehta wrote:Talking to EC is waste of time. I am better off translating the pdf in Gujarati and distributing copies locally.
The BEL and ECIL people are TOLD to speak only certain things. Thats how it always goes in all "public" meeting. If BEL and ECIL chiefs had any shame, they would have publicly disclosed many information without asking such as who makes the chip, who are the owners of the chip, what precautions they followed to ensure that chip doesn't have extra ROM with shadowcode in it to do the manipulation etc. If a person in Govt is interested in establishing truth, he would give answers WITHOUT waiting for questions to come. And based on the information they have revealed so far, which is almost zero, it is clear that they have no intention to give any information.Dileep wrote:Rahul,
1. It is not just the EC. The representatives of BEL and ECILs will be present. They are required to explain the security measures against definitive attacks.
2. You can very well ask the following questions, without disclosing your out of the world scenarios
3. What are the security measures adopted to prevent the insertion of a trojan at the time of the software development? Was the software developed in-house, or subcontracted?
4. What are the security measures adopted to prevent the insertion of a corrupted binary in the production area?
5. Let us see whether the answer relies upon "Activation of trojan is impossible". If so, tell them that it is no security measure, and there should be systems independent of that aspect. There is no need to drill holes in the system then and there. Once you get enough information, leave that subject.
6. What are the security measures in place to make sure that the chips itself are not corrupted?
7. Ask them what they have to offer in this case, assuming the "seemingly impossible" task of replacing the chips somewhere in the chain". No need to go into details and argument there.
8. This way, you can get all the information you want, and you will be in a position to make a better informed campaign.
And be a nice guy, and share the experience here.
That is a lame argument. You can very well use their responses to bolster your campaign.Rahul Mehta wrote: EC is corrupt and his being CIA agent is very much possible. The roots of US are not quite deep, SeS being one explicit example. But his being corrupt is enough. I have enough experience in field to conclude that speaking to corrupt people is waste of time.
You wouldn't know until you ask. What are you going to loose by asking? You can use the answers to bolster your campaign as well!!The BEL and ECIL people are TOLD to speak only certain things. Thats how it always goes in all "public" meeting. If BEL and ECIL chiefs had any shame, they would have publicly disclosed many information without asking such as who makes the chip, who are the owners of the chip, what precautions they followed to ensure that chip doesn't have extra ROM with shadowcode in it to do the manipulation etc. If a person in Govt is interested in establishing truth, he would give answers WITHOUT waiting for questions to come. And based on the information they have revealed so far, which is almost zero, it is clear that they have no intention to give any information.
Well, moving to Java programming from ASIC design gives a very good impression on the competencies of those friends. I would br glad to debate them here on BR. Let them back up their claim.I am communicating with my friends who had worked on ASIC design in past (they are all Java programmers now). Their stand is that once the chip is out, not even God can say what is inside it. If the chip has some functions missing, the client side testing will prove that. But if the chip manufacturer has put some additional functionalities, then there is no way to find them out. So putting a small number of extra functions in an additional ROM inside chip is possible and undetectable. Once that is cleared out, the modulo-5 tempered code theory is complete.
That is totally OT for this thread, and I have no dog in that race. No discussion on those shall be permitted on this thread.I explained why I dont want to see EC. Can YOU now explain why you oppose letting us commons register YES/NO on Section 61A of PRAI (and all other laws for that matter) in Govt books? Why do you insist that citizens opinions on Section 61A, PRAI (or any law) must not be registered inside Govt?
RM ji, none of us live under a rock or were born outside India/never lived in India during their adult lives. All of us have a pretty good amount of so-called experience on how things in India work so please spare us this "I have been to public meetings and know what goes on BS". Despite BEL and ECIL people having being tutored to "Speak only certain things", exactly how do you think they will dodge tough questions in a public meeting for a controversy which has massive national implications. This is not some local police meeting either. And tutoring only works when the flow of information is uni-directional....it has no meaning when the audience is free to ask whatever they want in public. Moreover, if the corrupt officials do try to dodge tough questions, were you planning to sit quietly in a public meeting? (unless you are hand-in-glove with them or just doing it for cheap publicity).Rahul Mehta wrote: The BEL and ECIL people are TOLD to speak only certain things. Thats how it always goes in all "public" meeting. If BEL and ECIL chiefs had any shame, they would have publicly disclosed many information without asking such as who makes the chip, who are the owners of the chip, what precautions they followed to ensure that chip doesn't have extra ROM with shadowcode in it to do the manipulation etc. If a person in Govt is interested in establishing truth, he would give answers WITHOUT waiting for questions to come. And based on the information they have revealed so far, which is almost zero, it is clear that they have no intention to give any information.
Sure! We can take your word it for I guess, given your impeccable habit of providing solid proof for your allegations.The whole conference is farce.
I am sorry but the first sentence and what follows tells me a lot about your friends' competencies. If thats the kind of technical "expertise" you are relying on, I can imagine where all those fantastic theories of yours are coming from.I am communicating with my friends who had worked on ASIC design in past (they are all Java programmers now). Their stand is that once the chip is out, not even God can say what is inside it. If the chip has some functions missing, the client side testing will prove that. But if the chip manufacturer has put some additional functionalities, then there is no way to find them out. So putting a small number of extra functions in an additional ROM inside chip is possible and undetectable. Once that is cleared out, the modulo-5 tempered code theory is complete.
Your explanation for not going to the EC meeting simply proves that all you are interested in is making noise and getting some publicity. You are not serious about the EVM issue and are simply using it for your own benefits.I explained why I dont want to see EC.
[/quote]Can YOU now explain why you oppose letting us commons register YES/NO on Section 61A of PRAI (and all other laws for that matter) in Govt books? Why do you insist that citizens opinions on Section 61A, PRAI (or any law) must not be registered inside Govt?
Your habit of insulting is never ending. Many people who came in India in early 1990s did not find ASIC jobs in cities like Ahmedabad etc. And so they had no option but to change career paths. Many wanted their own business, and ASIC business is hard to start compared to webs designing and Java coding. For that matter, many in physics move to finance. You can go around insulting them (which seems to be your only specialty these days), but it is pure career, monetary etc reasons.Well, moving to Java programming from ASIC design gives a very good impression on the competencies of those friends. I would br glad to debate them here on BR. Let them back up their claim.
I have gone thru innumerable code reviews including many in Fortune-100 companies who follow best practices blah blah. Leaving unused function is accepted to reduce number of builds. There are many functions which have value in debugging and development, are harmless and can be put in final build even though never called. In code review, the main person is team lead and person is a peer of senior level appointed by some very senior executive like CTO or CEO. So unless function is shown harmful, the peer will not object if team lead insists on keeping this function. And even if the peer person minds, the decision will be finally taken by CTO and not the peer.Rahul Mehta: The corrupt PL can change the source code to remove unused functions, add function to favor ((n + k) mod 5 + 1) and recompile the code. But he would prefer to ensure that size and checksum is same, so that if there is a way to extract checksum from 6 months old EVM, it would give same checksum as unrigged binary.
Dileep: The unused functions will not survive a code review, but of course in RahulWorld, everyone, including the code reviewer is corrupt.
I could not find how checksum or hash is obtained AFTER code is entered and lockbits are set, It only shows how checksum is obtained while ROM is being written. Pls show me the section number or the exact checksum computing function.You have claimed that you can drill holes on the actual EVM chip, then why can't you try drilling this chip?
Errr... HowTH is this OST? The topic of this thread is "Should EVMs be discontinued" and the topic means "Should citizens of India use EVMs anymore". So methods to resolve this debate in citizenry are very much part of OT. You perhaps insist that words of BEL, ECIL and ECI should be taken as final words. I am not sure how many believe that.Rahul Mehta: I explained why I dont want to see EC. Can YOU now explain why you oppose letting us commons register YES/NO on Section 61A of PRAI (and all other laws for that matter) in Govt books? Why do you insist that citizens opinions on Section 61A, PRAI (or any law) must not be registered inside Govt?
Dileep: That is totally OT for this thread, and I have no dog in that race. No discussion on those shall be permitted on this thread.
Deal with it!Rahul Mehta wrote: Your habit of insulting is never ending.
Lame explanation like many of your others.Many people who came in India in early 1990s did not find ASIC jobs in cities like Ahmedabad etc. And so they had no option but to change career paths. Many wanted their own business, and ASIC business is hard to start compared to webs designing and Java coding.
Not in a security sensitive application. You better go to the EC meet anf find out what BEL does.I have gone thru innumerable code reviews including many in Fortune-100 companies who follow best practices blah blah. Leaving unused function is accepted to reduce number of builds. There are many functions which have value in debugging and development, are harmless and can be put in final build even though never called. In code review, the main person is team lead and person is a peer of senior level appointed by some very senior executive like CTO or CEO. So unless function is shown harmful, the peer will not object if team lead insists on keeping this function. And even if the peer person minds, the decision will be finally taken by CTO and not the peer.
You are trying to put YOUR strategies on me here. It is YOU who passing your fantasies as facts, not me.Essentially, you are passing YOUR BELIEFS as facts.
I never said that. The EVM chip will have a 'suitable means' of binary verification, like every OTP chip has. That is an industry standard.You believe that chip in EVM supports MD5 hash - you pass it as fact.
Your old strawman again. The point is, the fabs work in a production system, which is impossible to modify for one run. No one here has forgotten your allegation that CIA has created their own modified fab line. Is that a fact?You believe that Japanese will not alter the chip and keep same part number, and you pass it as fact.
A team lead selling out will not do anything, because of the system in place. If someone is disguising here, it is you.You believe that team lead will not sell out, and you pass it as fact. And to cover this disguise, you throw insults and sarcasm ("RahulWorld" etc) hoping that these sarcasm and insults will hide your attempts to pass beliefs as facts.
Sure. They would have also agreed that CIA have made own semiconductor fabrication lines. No one has forgotten your cock-a-mamie schemes, like applying a sticker to the finger to defeat the ink mark.The technical parts are pretty much over. Enough people I have spoken to believe that it is possible for BEL to put altered code in chip.
People in IT are your "Java Coder" friends?They see no logistic hurdle here. And enough believe that Japanese company for cash will alter the chip without changing part number etc. And such believer includes many IT people. And with these two practical assumptions, the modulo-5 code can go in. Now you are welcome to hold YOUR beliefs. And you are welcome to state them as FACT. But even people in IT field will NOT accept your arguments that CEO in BEL cant get an altered code in chip and that Japanese company will never send an altered chip with same part number.
It is very much there in the data sheet. See if your "IT Friends" can read and understand it.I could not find how checksum or hash is obtained AFTER code is entered and lockbits are set, It only shows how checksum is obtained while ROM is being written. Pls show me the section number or the exact checksum computing function.
You want to bring your pet themes anywhere. I have no interest in debating that. The question in front of me is "Can the EVMs be corrupted". The answer is NO.Errr... HowTH is this OST? The topic of this thread is "Should EVMs be discontinued" and the topic means "Should citizens of India use EVMs anymore". So methods to resolve this debate in citizenry are very much part of OT. You perhaps insist that words of BEL, ECIL and ECI should be taken as final words. I am not sure how many believe that.
Add a hit counter to the page, so that anyone can see the counts.You asked me how people visit my blog. I dont know, and I couldn't care less at this time. But I searched on google on "Rahul Mehta"
http://www.google.co.in/search?hl=en&q= ... =&aq=f&oq=
I am not sure if google will show you URLs in same order as it showed to me. But this query showed my webpages on top.
And following query was for on "Rahul Mehta EVM"
http://www.google.co.in/search?hl=en&q= ... =&aq=f&oq=
Take it for whatever it is worth.
Btw, I am ONLY replying YOUR question. I do not put any value on all this. I believe that commons in India are wise and smart enough to separate wheat from chaff, and distinguish between lie and truth. I am only replying the question you asked.
Yes, I used the word "CIA". And whether it is CIA or US Military or NSA, it does not matter. Basically, US Gov owns enough manufacturing facilities where they will do whatever known technology allows to make a tempered or an altered chip if they want to and falls within say Rs 5000 cr of budget. You can try throwing your jargons ("production system") and process related tales. We will see how many believe your claim that CIA etc are simply incapable of making an altered version of chip such as 8051. Because people have officially made 100-200 mutants of 8051 like chips and thus anyone can make another mutant. As per putting same part number, that is some human decision somewhere in chain. If the fab-owner directly instructs technicians to alter it, they would alter it. All in all, we will see how many people accept your claim that "no one can make altered chips with same part number".The point is, the fabs work in a production system, which is impossible to modify for one run. No one here has forgotten your allegation that CIA has created their own modified fab line. Is that a fact?
Everyone does not know everything about the system. It is possible that only 2-4 persons in BEL have access to final build of the binary. Now if chip has MD5, then altering binary is difficult. But if the chip is only supporting ordinary checksum, then chip tempering is must. In case, chip tempering will be sufficient to install a tempered code in EVMsA team lead selling out will not do anything, because of the system in place.
They did not accept "sticker on finger". They also did not accept that passkeys based trojan can work because number of people needed would be too high. But they do believe that altered version of chip with same part number can be made. But they do believe that one can make "receive only" radio-enabled EVMs by adding a small antenna in PCB which will not be noticeable by naked eyes.Sure. They would have also agreed that CIA have made own semiconductor fabrication lines. No one has forgotten your cock-a-mamie schemes, like applying a sticker to the finger to defeat the ink mark.
Which section, page? I looked only at section 9.3 you had shown. That shows how checksums comes during ROM burning, not after lockbits are set.It is very much there in the data sheet. See if your "IT Friends" can read and understand it.
Did you tell them about the five different versions?Rahul Mehta wrote: Yes, I used the word "CIA".
<anip>
It is also highly probable that the systems (like the one I suggested) are in place at BEL. The only way to resolve that is to go to the EC meet. Why don't you do that?Everyone does not know everything about the system. It is possible that only 2-4 persons in BEL have access to final build of the binary. Now if chip has MD5, then altering binary is difficult. But if the chip is only supporting ordinary checksum, then chip tempering is must. In case, chip tempering will be sufficient to install a tempered code in EVMs
Who are THEY? What are their credentials? Bring them on here tpo present their arguments.They did not accept "sticker on finger". They also did not accept that passkeys based trojan can work because number of people needed would be too high. But they do believe that altered version of chip with same part number can be made. But they do believe that one can make "receive only" radio-enabled EVMs by adding a small antenna in PCB which will not be noticeable by naked eyes.
Which section, page? I looked only at section 9.3 you had shown. That shows how checksums comes during ROM burning, not after lockbits are set.It is very much there in the data sheet. See if your "IT Friends" can read and understand it.
The validation of technical parts may be over in your mind, but not as per any scientific norms used in the real world. And as usual you are back to your vague statements. Who are these so-called "enough people"? How many are they? Who are these so-called "IT people" - are they qualified to assess an embedded system or are they simply another bunch of Java coders?Rahul Mehta wrote: The technical parts are pretty much over. Enough people I have spoken to believe that it is possible for BEL to put altered code in chip. They see no logistic hurdle here. And enough believe that Japanese company for cash will alter the chip without changing part number etc. And such believer includes many IT people.
I also believe that there are martians hiding in my cupboard - that does not make it true! In science beliefs don't make something true, proofs do! But then, that is exactly what you want to conveniently avoid providing and therefore, keep resorting to evasive statements and vague insinuations.Rahul Mehta wrote: They did not accept "sticker on finger". They also did not accept that passkeys based trojan can work because number of people needed would be too high. But they do believe that altered version of chip with same part number can be made. But they do believe that one can make "receive only" radio-enabled EVMs by adding a small antenna in PCB which will not be noticeable by naked eyes.
ALL FOURTEEN of them!!!Perhaps B-R admins need to move this EVM thread to the B-R Strat forum so that the commons (via Google bot) can also read what their self-proclaimed "dear leader" is propagating in the name of science and common sense!
There need not be five altered codes and five altered chips. eg The BEL chief can ask chip manufacture to follow a strict ChipUniqueID convention going from 1,000,001 to 1,100,000 . And deliver them in order so that chip in 1st lot have serial number 1,000,001 to 1,020,000, second lot as 1,020,001 to 1,040,000 etc. So the chip's number determine the type. OR there are too many read only registers in a chip for identification of chip, serial number, mask, vendor etc. One can create one more "hidden" register to put the type.Dileep wrote:Did you tell them about the five different versions?
YOU claim that EC, BEL etc are interested in revealing the truth. I dismiss this as naive assumption. If they wanted to disclose, they would have FIRST put names of chip manufacturer, chip details etc.It is also highly probable that the systems (like the one I suggested) are in place at BEL. The only way to resolve that is to go to the EC meet. Why don't you do that?
Will try, but due to lack of time, I can read whole manual. If you give me page number or section number, that would help. Basically, some code inside chip goes thru ROM and calculates checksum. So person who is writing this code inside chip has to write a different code, which instead of calculating real hash would calculate planted hash. I can tell more after I get how hash is extracted AFTER lockbits are set.If you know how to read english, you can find it in the data sheet. The entire security feature is explained there.
It is not clear, but it appears that ROM is burned in Japan itself. BEL, in the name of cost cutting has out-sourced code burning to Japan. We have many RTI-lovers here (and I am not one of them). Can an RTI-lover rise and ask BEL whether OTP-ROM is burned in their premises or burned in Japan?The Control unit contains a Micro-controller Integrated Circuit with the main program codes permanently fused into the device, which is manufactured as a proprietary item for
BEL and a Non Volatile Memory that stores the polled data. ....
.....
Micro-controller has a One Time Programmable Read Only Memory (OTPROM). Program codes are fused in this OTPROM permanently. Program codes once written and fused in this OTPROM cannot be read back or altered by anyone including the manufacturer. Thus, it is 100% code protected from either altering or decoding the contents.
Well, Why don't YOU go to the EC meet and ask that?Rahul Mehta wrote:It is not clear, but it appears that ROM is burned in Japan itself. BEL, in the name of cost cutting has out-sourced code burning to Japan. We have many RTI-lovers here (and I am not one of them). Can an RTI-lover rise and ask BEL whether OTP-ROM is burned in their premises or burned in Japan?
Because RM is scared that if he asks point blank which company makes the chips etc., the Tutored Corrupt BEL engineers at the EC meet will grow horns and gore him to death!Dileep wrote:Well, Why don't YOU go to the EC meet and ask that?Rahul Mehta wrote:It is not clear, but it appears that ROM is burned in Japan itself. BEL, in the name of cost cutting has out-sourced code burning to Japan. We have many RTI-lovers here (and I am not one of them). Can an RTI-lover rise and ask BEL whether OTP-ROM is burned in their premises or burned in Japan?
You can not fabricate a serial number on a chip. The chip is just a circuit crated by a sequence of mask/etch operations, so any information you store on that will be the same for the whole lot.Rahul Mehta wrote: There need not be five altered codes and five altered chips. eg The BEL chief can ask chip manufacture to follow a strict ChipUniqueID convention going from 1,000,001 to 1,100,000 . And deliver them in order so that chip in 1st lot have serial number 1,000,001 to 1,020,000, second lot as 1,020,001 to 1,040,000 etc. So the chip's number determine the type. OR there are too many read only registers in a chip for identification of chip, serial number, mask, vendor etc. One can create one more "hidden" register to put the type.
And you assume that they will not, even in a public hearing. I think that is not naive, but malicious.YOU claim that EC, BEL etc are interested in revealing the truth. I dismiss this as naive assumption. If they wanted to disclose, they would have FIRST put names of chip manufacturer, chip details etc.
The mechanism is explained in the datasheet, and it is NOT code execution.Will try, but due to lack of time, I can read whole manual. If you give me page number or section number, that would help. Basically, some code inside chip goes thru ROM and calculates checksum. So person who is writing this code inside chip has to write a different code, which instead of calculating real hash would calculate planted hash. I can tell more after I get how hash is extracted AFTER lockbits are set.
Where does it say it is done in Japan. You are expert in reading what is not there. What it says is that the OTP ROM can't be modified even by the manufacturer. That is true. Once it is programmed, it can't be modified. Where does "programming in Japan" comes in there?Following is worth a read. Straight from BEL
http://www.bel-india.com/BELWebsite/ima ... atures.pdf
It is not clear, but it appears that ROM is burned in Japan itself. BEL, in the name of cost cutting has out-sourced code burning to Japan. We have many RTI-lovers here (and I am not one of them). Can an RTI-lover rise and ask BEL whether OTP-ROM is burned in their premises or burned in Japan?The Control unit contains a Micro-controller Integrated Circuit with the main program codes permanently fused into the device, which is manufactured as a proprietary item for
BEL and a Non Volatile Memory that stores the polled data. ....
.....
Micro-controller has a One Time Programmable Read Only Memory (OTPROM). Program codes are fused in this OTPROM permanently. Program codes once written and fused in this OTPROM cannot be read back or altered by anyone including the manufacturer. Thus, it is 100% code protected from either altering or decoding the contents.
And it is also established that lockbits are set and hence code cant be read back. So now if the tempered chip supports planting fake hash and reporting fake hash, then we have NO way to know what code actually was sitting inside EVMs used in May-2009 elections.
I will skip general arguments.Rahul Mehta: The technical parts are pretty much over.[/b] Enough people I have spoken to believe that it is possible for BEL to put altered code in chip. They see no logistic hurdle here. And enough believe that Japanese company for cash will alter the chip without changing part number etc. And such believer includes many IT people.
Raja Bose : The validation of technical parts may be over in your mind, but not as per any scientific norms used in the real world. And as usual you are back to your vague statements. Who are these so-called "enough people"? How many are they? Who are these so-called "IT people" - are they qualified to assess an embedded system or are they simply another bunch of Java coders?
Once again you are back to twisting words and taking them out of context. The tech barrier is NOT in making mutants rather the barrier is in the practicality of the whole process and the impossibility of getting away with such subterfuge on a massive scale with nary a peep. In your mind you can keep creating all sorts of delusional strawman arguments but that doesn't mean that the question of tech barriers is solved. BTW IC design and fabrication is not your Java and VB programming that you can modify and mutate at will - Dileep has pointed that out to you numerous times but ofcourse since you consider everything trivial I guess practicality of the whole hair brained scheme is not your concern. Perhaps that is why you prefer not to publicly confront BEL or EC face-to-face in front of a knowledgable audience since you are afraid that your strawman arguments will get blown away in ridicule - maybe that is why you are so eager to run to the "commons" knowing fully well that they are not qualified to get the detailed nuances and will believe whatever you are peddling as an "Engineer".Rahul Mehta wrote: You claim that there are some tech barriers which will stop him. Now if you claim that there are some factors that PHYSICALLY stop manufacturer from doing so, pls mention them.
Ever heard of: Decapping, SEM and FIB? - These are standard tools used by hardware hackers. Maybe you can ask your Java programming friends.Rahul Mehta wrote: Btw, lets say you asked for ASIC with 64 kb OTP-ROM and manufacture gave ASIC with say 64 kb OTP-ROM and extra 1kb of factory programed ROM with trojan code in that factory programed ROM. Which tech exists to scan the chip and say that the chip is different from what you asked?
WRONG!! People have taken the published architecture of 8051 and made their own implementation of that architecture. You are implying that someone took the 'source code' and did some cut&paste job. That doesn't work in IC design. From a fab point of view, each type is a different build.Rahul Mehta wrote: Consider chip like 8051. There are many mutations - probably more than 100-200. IOW, people have officially altered 8051 chip and added functions, ROM, RAM, Flash memory etc as they pleased.
Absolutely not. You can not take an existing IC design and do a cut&paste job on it. If you want to add even a single register, you have to go to the source level code, do the modification, go through the entire process of simulation, place&route, verification and tape out. And the end result will be a chip that is entirely different from the one you begun with.IOW, alteration of chips is beyond dispute.
First of all, you don't order chips like you order a pizza. You provide the CAM files to the fab. Those files don't have any design information. They provide silicon and interconnect geometries of the chip. So, someone delivering something else is impossible.Now question is using different part number. eg say you asked for a chip A which is (8051 with 128 k ROM) and manufacturer gave you a chip-B with 256 k ROM but had part number, mask id etc of Chip-A .
No. Someone needs to get hold of the original design files, make the modification and pass through the full design cycle to get new CAM data, and of course that will be under a different mask set, hence a different mask id.Can manufacture make such a chip with different part number etc in its read only registers?
That claim is incorrect, and from your side, remains unsubstantiated. Bring your experts and debate it here if you can.I claim that manufacture can do so, if he wants.
That is incorrect. Nothing can be WRITTEN into the logic at fab stage. The mask id is assigned at the fab for handling and tracking in the production line, and they MUST be unique within the fab system.None My claim is because the read only registers which store chip ID, mask ID etc are "written" in fab and they can put any value they like.
Read above. The CAM data is generated from the design files, and the fabrication runs from the CAM data. The data is just silicon geometry information, and can not be modified in that form. That is the technical barrier.You claim that there are some tech barriers which will stop him. Now if you claim that there are some factors that PHYSICALLY stop manufacturer from doing so, pls mention them.
You need at least some basic idea on IC design and manufacturing flow even to imagine things.Btw, lets say you asked for ASIC with 64 kb OTP-ROM and manufacture gave ASIC with say 64 kb OTP-ROM and extra 1kb of factory programed ROM with trojan code in that factory programed ROM. Which tech exists to scan the chip and say that the chip is different from what you asked?
Professor S Sampath of the Defence R&D Organisation headed the committee, which included Dr P V Indiresan of IIT Delhi, and Dr C Rao Kasarabada, Director Electronic Research and Development Center, Trivandrum.
Dr Indiresan gathered four of his brightest research students and gave them five days to subvert the EVM's source code. Their only restriction: there should be no external damage to the EVM.
Colonel Shankar says that BEL gave Dr Indiresan's team all the EVM circuit diagrams and design drawings; only the encryption-coded software was withheld. "After five days of struggling, they admitted that the EVM was tamper-proof."
At the core of the EVM is a micro-controller chip, built by Hitachi of Japan, called an OTP-ROM (one-time programmable read-only memory).
Onto this, the Indian EVM contractors -- BEL and Electronics Corporation of India (ECIL) -- "burn" the algorithm that makes it record votes. The microprocessor's "non-volatile" memory ensures that, once the algorithm is written, it can
Yes, that is proof positive that EVMs are wrong... we should take DSK's family's word over anything....Exemplifying his argument, DSK said, “A total of 43 family members, including two of my bosom-friends, cast their votes at Sant Namdeo School. But the EVM showed that I received only 18 votes. And there are more such examples.”
No. What I meant was that many people made 8051 mutants from scratch and if the maskid, chipid and vendorid registers are made to have same data that intel 8051 had, then no one can distinguish between the too. By "altered chip" what I mean is that a chip with a different design which is superset of given chip.Dileep wrote:People have taken the published architecture of 8051 and made their own implementation of that architecture. You are implying that someone took the 'source code' and did some cut&paste job. That doesn't work in IC design. From a fab point of view, each type is a different build.
Yes, I know that small change in chip means re-design. And thats also often the case with PCB -- small change a new gurber file and too many changes. What I meant is that people have made 100-200 different types of 8051. The chip in EVM is similar to 8051 and so if someone wants to make chip with same pin layout, same size but additional functionalities (like accepting planted hash and reporting planted hash), it is do-able.You can not take an existing IC design and do a cut&paste job on it. If you want to add even a single register, you have to go to the source level code, do the modification, go through the entire process of simulation, place&route, verification and tape out. And the end result will be a chip that is entirely different from the one you begun with.
So the Japanese company makes the chip and they have the original design files. So for them making a chip which has same pin structure, same size, all same functions, PLUS 1-4 additional functions is piece of cake. eg if someone can make 8051 which calculates hash of ROM, they can also make 8051 which gives wrong hash of the ROM. No commercial value, but useful for EVM tempering.First of all, you don't order chips like you order a pizza. You provide the CAM files to the fab. Those files don't have any design information. They provide silicon and interconnect geometries of the chip. So, someone delivering something else is impossible.
.... No. Someone needs to get hold of the original design files, make the modification and pass through the full design cycle to get new CAM data, and of course that will be under a different mask set, hence a different mask id.
The chips come with values in these read only registers. So at some point, they are written. My point is : if a chip can have 5 read only registers, there is no tech barrier in putting one more register to support tempering type. There is no tech barrier in putting any value in any of these read only registers.Nothing can be WRITTEN into the logic at fab stage. The mask id is assigned at the fab for handling and tracking in the production line, and they MUST be unique within the fab system.
Why dont YOU answer the question? Say manufacture supplied you a chip which has 2 k of extra ROM with some hidden codes. What PHYSICAL tests now you have to say that chip has extra functionality? Would you do X-analysis? Would that reveal a proof that chip has 2k more ROM that it is supposed to have? Would that reveal that chip has some functions extrac which it is not supposed to have?Rahul Mehta: Btw, lets say you asked for ASIC with 64 kb OTP-ROM and manufacture gave ASIC with say 64 kb OTP-ROM and extra 1kb of factory programed ROM with trojan code in that factory programed ROM. Which tech exists to scan the chip and say that the chip is different from what you asked?
Dileep: You need at least some basic idea on IC design and manufacturing flow even to imagine things.
No. You have merely assumed that source code in EVM is same as what BEL claims to be.Dileep wrote:We have assumed that EVERY piece of design is stolen, no less. Still, we have shown that it is impossible to corrupt the program.
Sire there is a misunderstanding, it was you right from the start who had brought about the theory of soldering some chipRahul Mehta wrote:
in the fab system.
----
Tanaji,
What DRDO and Dr Indirsen have done is of now value. My point is that code was tempered at point of ROM burning or chip manufacturing. I never claimed that EVMs once made can be altered. YouNow burden of proof that chip does NOT have code I mentioned is on you. better find a technology to read the code in ROM with lockbits. Or else, you have NO proof that my proposed modulo-5 code is not inside the chip. And hash value is no good, as the chip maker could have made chip which reports planted hash and not real hash of the ROM code.
Can you, Dileep, Raja Bose, Indirsen etc prove that chip does not have function to report planted hash? Can you people prove that code is what BEL says and not what I say? Machine is rigged untill proven unrigged.
5 students cant rig the machine in 5 days and hence EVM is untemperable at factory level !! With logic like this, I can prove that over 99%L traffic constables in India are honest.
ajay pratap wrote:Sire there is a misunderstanding, it was you right from the start who had brought about the theory of soldering some chip tampering or hacking and re soldering it it some remote warehouse and then activating some code on election day all this by a measly 20 CIA agents. Sire what ever you may call it in politikal speak, "Al-Commons" call it lying.
Of course, it is possible to make an exact functional alternate. But the electrical and timing parameters are going to be different.Rahul Mehta wrote: No. What I meant was that many people made 8051 mutants from scratch and if the maskid, chipid and vendorid registers are made to have same data that intel 8051 had, then no one can distinguish between the too. By "altered chip" what I mean is that a chip with a different design which is superset of given chip.
Of course it is doable. Doing it without a chance of finding out is what is impossible.Yes, I know that small change in chip means re-design. And thats also often the case with PCB -- small change a new gurber file and too many changes. What I meant is that people have made 100-200 different types of 8051. The chip in EVM is similar to 8051 and so if someone wants to make chip with same pin layout, same size but additional functionalities (like accepting planted hash and reporting planted hash), it is do-able.
No. They don't. They only have the CAM output files.So the Japanese company makes the chip and they have the original design files.
It is not a piece of cake, because they don't have the original design.So for them making a chip which has same pin structure, same size, all same functions, PLUS 1-4 additional functions is piece of cake.
I told you time and again that you can't fake the hash.eg if someone can make 8051 which calculates hash of ROM, they can also make 8051 which gives wrong hash of the ROM. No commercial value, but useful for EVM tempering.
The read only data is put in at the design time, in the design source. They are never WRITTEN.The chips come with values in these read only registers. So at some point, they are written. My point is : if a chip can have 5 read only registers, there is no tech barrier in putting one more register to support tempering type. There is no tech barrier in putting any value in any of these read only registers.
OK, I will take it as a hypothetical question.Why dont YOU answer the question? Say manufacture supplied you a chip which has 2 k of extra ROM with some hidden codes. What PHYSICAL tests now you have to say that chip has extra functionality? Would you do X-analysis? Would that reveal a proof that chip has 2k more ROM that it is supposed to have? Would that reveal that chip has some functions extrac which it is not supposed to have?
You have lost the arguments, so you are calling names now. I can understand your desperation.Rahul Mehta wrote: You guys start looking for some PHYSICAL tests (X ray analysis or whatever) by which code inside chip and ROM can be read. Otherwise, you have NO proof that chip you have doesnt have a pro-Congress code. Your Hitachi-bhakti and process-bhakti will not get many followers in commons.
I am waiting for him to accuse ME of a CIA agent.Tanaji wrote:In RahulWorld the CIA owns
Anything else
- Sonia
- MMS
- Home Minister
- CM
- EC
- Hitachi fabs
- TV companies in India
- Miscellaneous BEL/ECIL elements
To rig EVM, you need a few people at EVM storing warehouse and support of CEC. Something that can be managed.
To rig even 5% of 700,000 booths i.e. 35000 booths, you need 3 criminals per booth i.e. 100,000 criminals at least. Not as easy as CEC bribing.
So paper ballot with camera at polling booths are safer than EVMs
TThe people who rigged EVMs are smart enough that they would have replaced the software now.
So audit will be buy NOTHING.
he EVM setup has two parts - EVM with 16 ballot buttons and Control unit. Control units are 1 per booths, where as EVMs can be 1-2 and rarely 3 per booth. There are about 11,00,000 EVMs and 800,000 control units.
With support of Chawla, CIA is capable of putting rigged 700,000 control units in warehouses before elections, and then replacing them by right non-rigged EVMs after counting is over and EVMs come back to warehouse.
So if EVMs were rigged, now they are all replaced by non-rigged EVMs.
they would just replace all unrigged Control Units with rigged ones before shipping from warehouse to District Collector, and then when CUs come back to warehouse after counting is over, they will replace it it original ones.
The units are randomized before agents ONLY at district level. When EVMs are sent from EC warehouse to district, there is no randomization. And randomization does not give any guarantee against following way of rigging : The CU is rigged to subtract 5% votes of all candidates and add them to say candidate no. 2 after 100 votes are cast.
Now EVMs arrive AFTER candidate number are assigned. So lets say in Gandhinagar Constituency, Congress candidate is no 2. Some 1500 EVMs were shipped from EC warehouse to Gandhinagar after candidate number was given. So before shipping EVMs, the EC guy replace the 1500 real Control Units with 1500 Control Units given agency which supplies rigged Control Units. And the Control Unit is rigged to give 5% more votes to No. 2 guy and 5% less votes to rest. And once counting is over and CUs come back to warehouse, they will replace back with original unrigged control units.
a person has pre-fabricated rigged CUs, with support of Chawala, he can replace actual 1500 CUs with rigged ones within few hours. EVMs dispatching is centralized --- everything in from CEC warehouse and everything under CEC Chawala, who is well known for his corruption. While in paper ballot, EVERYTHING is 100% decentralized -- printing is done at district level, boxes are made at Tahsil level, etc.
So Dileep, you say that I want paper ballots so that I can rig them at booth level.
And I say that you want EVMs so that CIA can rig them at warehouse level.
In the rigging mechanism I suggested, the EVMs are replaced BEFORE polling, right before they are dispatched to the Constituency.
Let me tell you the exact steps how EVMs are shipped today
1. Say polling in a Constituency is on April-30.
2. Then District Collector gives serial number to candidates on April-15th
3. Some 1500 EVMs and Control Units are shipped from warehouse to District Collector on April-18th, i.e. after candidate numbers are given. Say Congress is no. 4
So my claim is : at the warehouse, on 16th April CIA guys will replace 1500 good EVMs with 1500 pre-rigged EVMs which favor candidate no. 4.
Now in most cases, Congress candidate will be no. 1 to no 4, not below that. The reason is that recognized parties get top ranking spots. So CIA will keep say 100,000 EVMs which favor candidate no. 1, some 100,000 EVMs which favor no. 2 and so forth.
Now say poll is on April-30 and so EVM shipping date is 18th. Say 1500 EVMs are to go to constituency-A where Congress is no.2 . Then CIA guy, who has support of Chawala, will replace these 1500 EVMs with EVMs that favor candidate no. 2. And say 1500 EVMs are to go to constituency-B where Congress is no. 3. The CIA will replace these 1500 with EVMs that favor candidate no. 3.
Say one carton has 20 EVMs. So to replace 1500 EVMs, CIA guy needs to replace some 75 carton. How much time does it take to replace 75 cartons of real EVMs with 75 cartons of EVMs rigged in favor of candidate no. 2? Not even 1 hour, assuming that top IAS in CEC are co-operating with the CIA guys at the warehouse.
----
So please note - in the replacement scheme I suggest,
1. the EVMs are replaced by rigged EVMs somewhere between date when candidate numbers are decided and EVMs are shipped.
2. All this needs just a few guys at warehouse which is under Chawala and few top IAS of CEC.
To make EXACT copy of 1400,000 EVMs and 700,000 CUs is child's play for CIA. They will make it in US and ship it to India at CEC warehouse just 2-3 days before dispatch from warehouse to Collector's office were to happen. Of course, I am assuming that top CEC officials are on CIA payroll. Without them, it cant happen.
Let me restate.Dileep wrote:Of course, it is possible to make an exact functional alternate. But the electrical and timing parameters are going to be different.
No one will bother Hitachi in Japan. Now tell us how do you find that out in India?Rahul Mehta: Yes, I know that small change in chip means re-design. And thats also often the case with PCB -- small change a new gurber file and too many changes. What I meant is that people have made 100-200 different types of 8051. The chip in EVM is similar to 8051 and so if someone wants to make chip with same pin layout, same size but additional functionalities (like accepting planted hash and reporting planted hash), it is do-able.
Dileep: Of course it is doable. Doing it without a chance of finding out is what is impossible.
Big deal. Then some mole will leak them the design files. Now is design file some un-steable secret? Somebody in BEL has the original design file for the chip. And we have assume dthat top 3-4 guys in BEL has colluded. So getting this design file is now trivial.No. They don't. They only have the CAM output files.
I will show you how hash can be faked AFTER you tell me how hash is obtained after lockbits are set.I told you time and again that you can't fake the hash.
Rahul Mehta: Say manufacture supplied you a chip which has 2 k of extra ROM with some hidden codes. What PHYSICAL tests now you have to say that chip has extra functionality? Would you do X-analysis? Would that reveal a proof that chip has 2k more ROM that it is supposed to have? Would that reveal that chip has some functions extrac which it is not supposed to have?
Dileep: OK, I will take it as a hypothetical question.
1. The electrical characteristics will be different. The added circuitry (it is not CODE. It is circuits on the chip) drains power, and it readily shows up in testing.
2. As part of failure analysis, chips are routinely de-packaged and the silicon visually inspected. ONE LOOK under a regular microscope (or most probably under naked eye) will show the difference in the circuit. Adding ONE BIT will show up on the chip, because that bit involve several transistors.
You say this because you have no clue about the circuits involved.Rahul Mehta wrote:1. If the chip has even twice the ROM, power consumption increase will be unnoticeable. The testing will be acceptance testing, and as long as it is within the range as per the contract and usability, BEL CEO will not raise any objection. And we have assumed that BEL CEO is mole in the game.
Get some background information on IC design and fabrication first.2. There are millions of transistors on a chip. No naked eye analysis or even examination under microscope will reveal anything. Poeple are making chips which microscope can barely see. And you claim that one can see the "internals" of chip under microscope. This is pure bluff. But in any case, show me URLs which claim that you can sniff additions in chips by examination under microscope with human eyes.
What is your definition of unnoticeable?? Do you have any idea how precisely voltages and signals are measured on ICs? - If not, please stop making ignorant statements. This is precisely one of the issues I have - people don't care to learn in-depth about a topic and consider themselves qualified to judge based on some casual internet browsing and wikipedia reading. Half-baked knowledge is dangerous indeed.Rahul Mehta wrote: 1. If the chip has even twice the ROM, power consumption increase will be unnoticeable. The testing will be acceptance testing, and as long as it is within the range as per the contract and usability, BEL CEO will not raise any objection. And we have assumed that BEL CEO is mole in the game.
I have already posted previously what equipment is used for such physical verification of ICs after it has been fabricated and packaged. Science has progressed enough to move away from eyeballing circuitry and claiming that "only God can unravel an IC's content after it has been sealed". For your benefit I will re-quote my original post:Rahul Mehta wrote: Say manufacture supplied you a chip which has 2 k of extra ROM with some hidden codes. What PHYSICAL tests now you have to say that chip has extra functionality? Would you do X-analysis? Would that reveal a proof that chip has 2k more ROM that it is supposed to have? Would that reveal that chip has some functions extrac which it is not supposed to have?
2. There are millions of transistors on a chip. No naked eye analysis or even examination under microscope will reveal anything. Poeple are making chips which microscope can barely see. And you claim that one can see the "internals" of chip under microscope. This is pure bluff. But in any case, show me URLs which claim that you can sniff additions in chips by examination under microscope with human eyes.
Perhaps before acting as a know-it-all you might want to take the pains to learn about existing methods. These tools have been available for a long time and are now used even by individual hobbyists and hackers. If you want a truly layman's introduction, read any of the well-know hardware hacking books - they cover all the aspects you are questioning (in fact if I remember correctly Andrew Huang's original hack of the XBox included reading off the console's OTP ROM and detection of decoy code).Ever heard of: Decapping, SEM and FIB? - These are standard tools used by hardware hackers.
Please answer the above question.Assuming you go to the meeting, stand up and publicly ask tough questions about the chip manufacture and validation process, what do you expect the corrupt BEL engineers to do....fly away or vanish???
How convenient and what impeccable logic to supports bogus claims. You are the one making allegations - the burden is upon You to back up your allegations. You want to have the luxury of making whatever allegations catch your fancy and expect other people to jump up and down to disprove them, while you don't even want to lift a finger. If that is not elitist thinking, I don't know what is, frankly.Rahul Mehta wrote:Machine is rigged untill proven unrigged.
If Indersen or whoever has actually used such a dubious way to conclude that EVM cannot be hacked, I would consider him equally ill-informed.Rahul Mehta wrote: 5 students cant rig the machine in 5 days and hence EVM is untemperable at factory level !!
