Should we discontinue EVMs?

Dileep · Post by **Dileep** » 08 Aug 2009 07:28

Raja Bose, I learned that with RM, it is futile to:

1. Ask to read, learn, figure out, or god forbid, SEARCH for information.
2. Ask to Think
3. Ask to make logical conclusions
4. Ask to consider the alternate.

The ONLY way to get into his thick skull is to provide details and logic that can convince my 2nd standard son.

There is no point in telling him about decapping, or providing any link. I gave him the datasheet of the ATMEL chip, and he is not able to find the information about the code verification feature. That figures. Imagine you are talking to a 5 year old and make your points.

Rahul Mehta · Post by **Rahul Mehta** » 08 Aug 2009 07:34

Raja Bose wrote:Assuming you go to the meeting, stand up and publicly ask tough questions about the chip manufacture and validation process, what do you expect the corrupt BEL engineers to do....fly away or vanish???

The EC has so far not answered many questions submitted by biggies under RTI. So it is waste of hopes to expect them to answer the question in meeting. Also, EC's stand has been

1. We wont give you EVM
2. We wont let you touch EVM
3. We wont give you source code
4. We wont give you empty chip

Now show us how you can rig EVM !!

Thats worse than asking a person to invert 300 * 300 Matrix without even paper pencil. forget calculator or PC.

The EVM rigging cant be outside job, but claims are that it can be inside job. And by inside I mean, person who has full knowledge of source code and has access to factories and chip maker. This method of rigging is not something one can give a demo in conference room.

If EC has ANY shame left, it should ask Talati's (Patwari) to allow citizens to register YES/NO on EVM issue for Rs 3 fee, put the YES/NO on website with their names. Now EC cant order Talaties legally, but EC can surely request PM to order Talaties to do so.If EC has any shame left, it should post the affidavits of anti-EVM people on EC's website and let citizens decide for themselves. Has EC done this? So whats the point in talking to such shameless officials. Besides, you know what a crook Chawala is. If juniors in EC had any sense of ethics, they would have went on 1 day strike against Chawala and asked PM to remove this crook. But so far, no junior in EC has even registered protest against open and corrupt action of Chawala. This alone speaks volumes about how ethical they are.

Rahul Mehta: Machine is rigged untill proven unrigged.

Raja Bose: How convenient and what impeccable logic to supports bogus claims. You are the one making allegations - the burden is upon You to back up your allegations.[/b] You want to have the luxury of making whatever allegations catch your fancy and expect other people to jump up and down to disprove them, while you don't even want to lift a finger. If that is not elitist thinking, I don't know what is, frankly.

Raja Bose,

1. "Innocent till proven guilty" is for humans ONLY. The laws, procedures, methods and machines are not humans. They dont have "innocent till proven guilty" rights.

2. And yeah, would you give 10 randomly chosen EVMs? NO. Would you give me an empty chip with datasheet? NO. Would you give me source code of existing EVMs? NO. And then you ask me to "prove" that EVMs are riggable !! Be logical before you resort to arguments

==============

If Indersen or whoever has actually used such a dubious way to conclude that EVM cannot be hacked, I would consider him equally ill-informed.

1. Indirsen's report does not say how many EVMs they ripped apart to see if EVMs had any radio antenna in PCB. As far as I think, they made no attempt to reverse engineer even one EVM

2. Indirsen made no attempt to analyze the chip and establish that chip does not have extra 2k ROM with some code inside it . At least report does not say so.

3. Did they compile the source code, took hash and compared the hash from the chip in existing EVM? I bet they did not.So they made no attempt to ensure that source code in EVM is same as what is promised. And did they made sure that chip did not have functionality to report a fake planted hash and not the real one?

So what all did "experts" do? They looked at presentation and demo. Surely, presentation and demo were not tempered !! Big deal !! And we have people who have faith in such "experts". Sometimes I laugh at commons who put faith in astrologers and assorted tantrik. But when I see educated people putting faith in "experts", I laugh twice of that.

----

Dileep,

Coming back to reverse engineering the chip. Chips do have some built in functions (like calculating hash). Some of these functions will go in microcode. But to implement some functions, manufacture may have to put some factory programmed ROM which has code to implement those functions.

Now say thee chip was supposed to have 64k OTP ROM and 16k of its factory programmed ROM to do its own functions. Say Hitachi sends you a chip with 64k OTP ROM and 18k of its factory programmed ROM, i.e. 2k extra.

Which tools and techniques exist to detect this extra 2k of ROM?

Lets confine to documented and KNOWN techniques currently used in India.

Rahul Mehta · Post by **Rahul Mehta** » 08 Aug 2009 07:36

Dileep wrote: I gave him the datasheet of the ATMEL chip, and he is not able to find the information about the code verification feature. That figures. Imagine you are talking to a 5 year old and make your points.

You did NOT give page, section numbers to get hash after lockbits are set.

And yes, I did not find time to read while data sheet.

Raja Bose · Post by **Raja Bose** » 08 Aug 2009 07:48

Dileep wrote:Imagine you are talking to a 5 year old and make your points.

I have had more intelligent conversations with my 5 year old niece so that may not do the trick, as suggested!

Raja Bose · Post by **Raja Bose** » 08 Aug 2009 08:07

Rahul Mehta wrote: The EC has so far not answered many questions submitted by biggies under RTI. So it is waste of hopes to expect them to answer the question in meeting.

There is a big difference between a faceless RTI and a face-to-face confrontation and talk with the people involved. You still have not answered my question: "What do you expect the BEL engineers to do if you ask them point-blank, face-to-face, in public, the questions you have been repeating here?". Please answer this question - how will someone try to evade a question asked to their face. If they try to BS or be evasive (like claiming it is all confidential etc.), it will be at their peril - don't forget the media is going to be there in full force.

Rahul Mehta wrote: 1. "Innocent till proven guilty" is for humans ONLY. The laws, procedures, methods and machines are not humans. They dont have "innocent till proven guilty" rights.

The question is not of rights. The question is of you backing up your allegations with proof otherwise they are simply empty words. Tomorrow morning I will claim that all SU-30MKI jets have their avionics rigged.....does that mean IAF needs to rush in and stop flying?? There has to be a sane scientific reason behind any allegation - something which you have time and again failed to provide on this thread. All I can see originating from you are fancy ideas based on half-baked assumptions, lack of knowledge about the science involved and a refusal to get educated.

Rahul Mehta wrote: And then you ask me to "prove" that EVMs are riggable !!

You make the allegations it is your responsibility to back them up, period. It is nobody else's responsibility to provide you everything on a platter before you condescend to back up your words with facts.

Rahul Mehta wrote: Be logical before you resort to arguments.

Coming from you, this statement is nothing less than hilarious.

Rahul Mehta wrote: Now say thee chip was supposed to have 64k OTP ROM and 16k of its factory programmed ROM to do its own functions. Say Hitachi sends you a chip with 64k OTP ROM and 18k of its factory programmed ROM, i.e. 2k extra.

Which tools and techniques exist to detect this extra 2k of ROM?

Lets confine to documented and KNOWN techniques currently used in India.

The techniques I listed in my previous post (Decapping, SEM, FIB) are well known and currently used all over the world. This is no exotic rocket science (it may seem that way to you but then you don't have any experience in this area) and the equipment cost is low enough even for individuals (leave alone any govt. lab and that too in a country like India). Just because this answer punctures your theory, as usual you are trying to willfully ignore it.

Dileep · Post by **Dileep** » 08 Aug 2009 09:04

Rahul Mehta wrote: Coming back to reverse engineering the chip. Chips do have some built in functions (like calculating hash). Some of these functions will go in microcode. But to implement some functions, manufacture may have to put some factory programmed ROM which has code to implement those functions.

The microcode, and ROM are circuitry on the chip, and it readily shows up on it. I have explained time and again that the "microcode" is not really code executing like a program. It is a piece of circuitry that implements the sequential events.

Even ROM, which is sometimes made on chip, is realized using circuitry. There is no facility to "program" a bit in silicon manufacturing.

For the N th time,

Any piece of information that gets on a chip at the time of manufacturing, will be in the form of a circuit, which will be clearly visible on the chip. There is no technology to avoid this

Now say thee chip was supposed to have 64k OTP ROM and 16k of its factory programmed ROM to do its own functions. Say Hitachi sends you a chip with 64k OTP ROM and 18k of its factory programmed ROM, i.e. 2k extra.

Which tools and techniques exist to detect this extra 2k of ROM?

Lets confine to documented and KNOWN techniques currently used in India.

The 2K ROM will add 2K Gates in the circuit, and will be clearly visible.

My company have everything, except the de-cap machine for big ASICs. We don't use molded packages, so a mold decapper is not available. SCL will definitely have the full capability, because they are a fab.

Raju · Post by **Raju** » 08 Aug 2009 11:32

http://ibnlive.in.com/videos/98748/ec-u ... proof.html

EC under scanner, critics to show EVMs not foolproof

Prarthna Gahilote / CNN-IBN

Published on Fri, Aug 07, 2009 at 10:24, Updated on Fri, Aug 07, 2009 at 11:49 in Politics section

New Delhi: Under fire from political parties and NGOs over the credibility of electronic voting machines, the Election Commission on Friday will allow its critics to demonstrate that the EVMs can be tampered with.

The Commission will meet political; leaders and technical experts who claim they have developed software that can manipulate EVMs.

But the Commission is still cagey with information on the EVMs, refusing to answer many details asked for in an RTI application.

Former Bharatiya Janata Party MP Kirit Somaiya will represent political parties to provide proof for their claim.

"Neither Election Commission nor state authorities nor companies BEL and ECIL can check the chip whether it is hacked or not," Somaiya claims.

Then on Saturday, Omesh Saigal, a retired bureaucrat, who first spoke about how EVMs can be manipulated, will display his new software to the Election Commission.

Based on a source code like the EVM, Saigal claims that the software can ensure that EVMs can be manipulated even after the election is over and the machine locked.

"I can tell the EVM that I want the manipulation done in any fashion at the any stage - during mock poll and during actual polling, says software expert Anil Lall.

"We will prove this within the premises of Election Commission," adds Saigal.

While it may have agreed to meet, the Election Commission has refused to answer many questions that Saigal had put up to the Commission through an RTI application.

The Commission so far has been claiming that EVMs cannot be tampered without knowing the source code of the machine. Yet crucial questions about the source code and the assembling of the EVM are what it has decided to duck in the RTI.

What's unanswered includse:

Names of companies involved in assembly of EVMs?
Who prepared source code and when? Is it exclusive to the Election Commission?
Did they itself check the software including the programming code of the machines at the time of delivery?
How does the EC satisfy itself that the program was the same as the program in the source code?
Who are the manufacturers of the chip placed in the EVMs?
Name of the companies apart from Election Commission with whom the source code is available?
How is the source code burnt into the chip/printed circuit of the EVM and the company doing it?

"By withholding this information they are enabling me to raise my finger at them," says Saigal.

However, another critic VV Rao feels the Commission is dodging the issue. Rao who had filed a case against the EVMs in the Supreme Court is still waiting to meet the Commission. His technical team had made a dummy EVM to test the tamper software.

"It is the holding the country to ransom. They have to look into this," says Rao.

The demonstrations will be a a test of fire for the Election Commission and its much talked about EVMs.

While the Commission has said that it will videograph the demonstrations and make it public later but its reluctance to divulge details will only fuel rumours.

http://ibnlive.in.com/news/ec-under-sca ... 48-37.html

Dileep · Post by **Dileep** » 08 Aug 2009 11:47

Well, the meet was yesterday. Is there any report on that?

Raja Bose · Post by **Raja Bose** » 08 Aug 2009 12:09

Well if one goes by the article, hopefully some of these folks who are attending will ask the tough direct questions, which RM is scared of asking in public. I hope it gets uploaded on YouTube/NDTV etc. The question of whether EVMs are hackable or not can be decided after that, first basic facts must be known. What people like RM do OTOH is form a rigid judgement/claim and then try to find ways to twist and fit theories around it to justify their claims; whereas the proper way should be to collect facts, find evidence (not assumptions) and finally decide impartially.

Rahul M · Post by **Rahul M** » 08 Aug 2009 12:29

I'm not up to date with this rapidly moving thread.

did rahul mehta attend the EC meet ?

Dileep · Post by **Dileep** » 08 Aug 2009 12:37

Rahul M wrote:I'm not up to date with this rapidly moving thread.

did rahul mehta attend the EC meet ?

Rahul_the_nice,

Rahul_the_naughty didn't go. He knows that his arguments have no chance of surviving in an open forum, so he hid behind the contention that EC, BEL, ECIL and everyone else is corrupt.

He also claimed that he, being a commoner, would have to spend Rs 20,000 for the trip (while a real commoner can do it within 2,000.)

Raja Bose · Post by **Raja Bose** » 08 Aug 2009 12:38

^^^ Nah, he got cold feet and started making ridiculous excuses. From a high point of claiming he had a trojan to even refusing to ask direct questions at a public meet.....rapid downhill skiing it looks like

Dileep · Post by **Dileep** » 08 Aug 2009 12:42

Hmm, that reminds me. Where is the trojan code? He was supposed to post it here right?

Raja Bose · Post by **Raja Bose** » 08 Aug 2009 12:45

Dileep wrote:Hmm, that reminds me. Where is the trojan code? He was supposed to post it here right?

Aren't you the eternal optimist!

Dileep · Post by **Dileep** » 08 Aug 2009 13:00

Raja Bose wrote:
Dileep wrote:Hmm, that reminds me. Where is the trojan code? He was supposed to post it here right?
Aren't you the eternal optimist!

No, I am the eternal pain-in-the-ass.

I am not going to leave him till he posts SOMETHING.

Raja Bose · Post by **Raja Bose** » 08 Aug 2009 13:15

^^^ He will. He will post half-baked VB junk!

Rahul M · Post by **Rahul M** » 08 Aug 2009 13:45

IMHO with that decision mehta ji has lost whatever ground he had for his tirade against EVM.
in my eyes he no longer has *any* moral authority left on this issue.

so this would be a good time to lock and archive this thread ?

Dileep · Post by **Dileep** » 08 Aug 2009 13:52

Rahul M wrote:IMHO with that decision mehta ji has lost whatever ground he had for his tirade against EVM.
in my eyes he no longer has *any* moral authority left on this issue.

so this would be a good time to lock and archive this thread ?

When did he EVER have a moral ground on anything here on BR?

My humble request is to let the thread continue, till either RM stops bringing any new twists (very unlikely) or moi and Raja Bose attain BRF Oldie tag (likely). I just need 500+ posts to that goal.

Seriously, it is not really about RM's lame arguments. We need to monitor how the issue develops and how EC fights back. We need to see the end of at least the current controversy. It can end only in two ways:

1. EC relents and go back to ballots (extremely unlikely)
2. After the current crowd of accusers sent back, EC will move the SC to give a positive verdict, so that the issue stays dead (likely)

Meanwhile, let us have some fun at the expense of RM.

Rahul M · Post by **Rahul M** » 08 Aug 2009 13:56

or moi and Raja Bose attain BRF Oldie tag (likely).

fine by me.

just a request to keep an eye open for non-RM anti/pro EVM news reports as well.

Rahul M · Post by **Rahul M** » 08 Aug 2009 20:12

The EVM controversy: old allegations revisited

by Ajai Shukla
Business Standard, 7th Aug 09

=================

nice summary of the history of EVMs and anti-EVM people in India.

On 15th October 1989, at a dramatic press conference in New Delhi, Janata Dal chief, Vishwanath Pratap Singh and George Fernandes produced a “computer consultant” to prove that EVMs could easily be rigged.

and he went on to become the PM. could this be the inspiration behind rahul mehta's jehad ?

Muppalla · Post by **Muppalla** » 09 Aug 2009 00:16

EVMs are tamper-proof, poll panel reiterates

NEW DELHI: The Election Commission on Saturday reasserted that electronic voting machines (EVMs) were impervious to tampering and said none of the political parties or others who had raised doubts about their reliability could prove they could be fudged.

The poll panel had this week called all those who had raised objections about the EVMs for a demonstration that ended Saturday. The meeting was called "to set at rest any misgiving" about the use of EVMs in general elections, a statement issued here said.

"The outcome of this exercise is that none of the persons, who were given the opportunity, could actually demonstrate any tamperability of the ECI-EVM, in any of the hundred machines put on display. They either failed or chose not to demonstrate," it said.

Those invited included political parties, petitioners before various courts and some individuals who had been writing to the commission on this issue.

L.K. Advani of the Bharatiya Janata Party (BJP) was the first to express doubt about EVMs after the May-April Lok Sabha elections. Taking a cue, other opposition leaders also voiced their doubts.

The poll panel said the demonstration was undertaken to ensure that not "even a small shade of doubt about any aspect of its operation" remained. "Today, the commission once again completely reaffirms its faith in the infallibility of the EVMs. These are fully tamper-proof, as ever," the statement added.

For the demonstration, 100 EVM samples were obtained on random basis from 10 states. These were kept at the commission's office here for scrutiny and for any application to establish its alleged fallibility. The demonstration was held in the presence of a technical expert group as well as engineers representing the EVM manufacturers.

"The Election Commission would like to underline that it always had a firm conviction and complete satisfaction that EVMs could not be tampered with.

"Its faith on the machine has never wavered through the conduct of elections in the last many years including the nationwide general elections in 2004 and 2009 and over 30 general elections in state assemblies during the last five years," the statement said. In the past, no one has been able to actually demonstrate that EVMs can be tampered with or manipulated, the commission said. "What has been demonstrated or claimed to have been demonstrated is on a privately assembled 'look-alike of ECI-EVMs' and not the actual ECI-EVM," it said.

Among those who attended the meet were Kirit Somaiya, vice-president of the BJP in Maharashtra. "He categorically stated that he was not opposed to the use of EVMs and he had never wanted to do any demonstration about the tamperability of EVMs," the commission said, adding that he had made some suggestions for the panel to consider.

The panel said Satinath Chaudhury, a petitioner in the Supreme Court in 2004 on this issue, came to the commission's headquarters Saturday. But after making some attempts, he failed to demonstrate that the EVM could be tampered with.

The panel also said that former bureaucrat Omesh Saigal, who was among those who had raised objections against it, refused to demonstrate the points he had raised.

It said others who had petitioned before the various other courts did not turn up.

"EVMs have served the country's elections well. These were introduced after long ranging political, technical and administrative consultations since 1979," the statement added.

It also said that these EVMs are not comparable with ones used abroad.

Muppalla · Post by **Muppalla** » 09 Aug 2009 00:20

Election Commission: Press Note - Subject- Electronic Voting Machines- regarding

The Election Commission had, in an extraordinary measure, invited those who have recently expressed reservations about the Electronic Voting Machine (EVM) to come and demonstrate the points made in their allegations from 3rd to 8th August 2009. Those invited included political parties, petitioners before various courts and some individuals who had been writing to the Commission on this issue. One hundred EVM samples were obtained on random basis from ten states namely, Andhra Pradesh, Delhi, Gujarat, Karnataka, Madhya Pradesh, Maharashtra, Punjab, Rajasthan, Tamil Nadu and Uttar Pradesh. These were kept at the Commission’s office in readiness for scrutiny and for any application to establish its alleged fallibility. The EVMs were offered for such demonstration in the presence of a technical experts group as well as engineers representing the EVM manufacturers, BEL and ECIL. These engineers were especially called from Hyderabad and Bangalore and stationed in ECI’s office for a whole week for this specific purpose. The outcome of this exercise is that none of the persons, who were given the opportunity, could actually demonstrate any tamperability of the ECI-EVM, in any of the hundred machines put on display. They either failed or chose not to demonstrate.

The Election Commission would like to underline that it always had a firm conviction and complete satisfaction that EVMs could not be tampered with. Its faith on the machine has never wavered through the conduct of elections in the last many years including the nation-wide general elections in 2004 and 2009 and over 30 general elections to state assemblies during the last five years. In the past, no one has been able to actually demonstrate that EVMs used by the Election Commission can be tampered with or manipulated. What has been demonstrated or claimed to have been demonstrated is on a privately assembled “look-alike of ECI-EVMs” and not the actual ECI-EVM. However, the aforesaid extraordinary measure was undertaken by the Election Commission in fulfillment of its responsibility not to allow even a small shade of doubt about any aspect of its operation and in order to set at rest any misgiving anywhere. Today, the Commission once again completely reaffirms its faith in the infallibility of the EVMs. These are fully tamper-proof, as ever.

Dr. Kirit Somaiya, Vice-President, BJP, Maharashtra, accompanied by some others, visited the Commission on 7 August 2009 responding to the Commission’s invitation. He categorically stated that he was not opposed to the use of EVMs and he had never wanted to do any demonstration about the tamperability of EVMs. He however made certain suggestions for consideration of the Commission in line with his earlier correspondence with ECI. Ms. Veena Singh, a candidate in recent Parliamentary election in Madhya Pradesh also visited the Commission and made certain general points regarding physical handling of EVMs. It was explained to her that there are sufficient safeguards to take care of such problems. Shri Satinath Chaudhury, a petitioner in the Supreme Court in 2004 on the EVM issue, came on 8th August 2009 and after making some attempts, failed to demonstrate that the EVM could be tampered with.

Shri Omesh Saigal, who visited the Commission on the same day, accompanied by some others, refused to demonstrate the points earlier raised by him, using any of the 100 actual ECI-EVMs, he was offered to choose from. In a letter, addressed to the Chief Election Commissioner and handed over to EC officials, he in turn wanted certain arrangements for him and his team of hardware and software professionals from a private company before coming to demonstrate about the tamperability of the EVM. He also offered to show what he claimed as possibility of tampering using his personal computer and a ‘look alike’ of the ECI-EVM, that was privately manufactured, and is also seen on several TV channels. It was pointed out to Shri Saigal that the ECI-EVM was not at all comparable with what he had brought. Based on this, the EC officials declined to deal with, what appeared to be an imitation machine, so as to avoid creating any confusion in public mind. Shri Saigal made also a request to the Commission to consider pre-poll audit of the EVMs.

The Supreme Court of India, while disposing of a petition filed by Shri V. V. Rao and three others belonging to the Jan Chaitanya Vedika, raising questions about use of Electronic Voting Machines in the elections, on 27 July 2009 observed that the petitioners could approach the Election Commission in the matter. Similar petitions were filed before three High Courts in the country. These are the Madras High Court, the Bombay High Court and the High Court of Madhya Pradesh (Jabalpur bench). These petitions also raise allegations about the possibility of tampering with the EVMs. The Mumbai High Court has since dismissed the petition asking the petitioner to approach the Election Commission. The Election Commission has invited all these petitioners to come and demonstrate their points before the Commission. But none of them turned up for making a demonstration from 3rd August 2009 to 8th August 2009. {chickened out}

EVMs have served the country’s elections well. These were introduced after long ranging political, technical and administrative consultations since 1979. The use of machines has helped prevent several electoral malpractices and resulted in more efficient conduct of elections. Judgments from various courts have upheld the use of EVMs and technical experts have endorsed the machines from time to time. In fact, the Karnataka High Court has hailed the EVM as ‘a national pride’. Similarly, the Madras High Court, after elaborate consideration of the issue in a batch of petitions in 2001, rejected allegations that the EVMs could be tampered. The issues recently raised by petitioners in the Courts and by some others, broadly allege the possibility of tampering with the machine during the manufacturing process or while operating the machine. The following facts about ECI-EVMs conclusively rule out any such possibility.

Facts about EVMs used by ECI

i. ECI-EVMs are manufactured only by Electronics Corporation of India Limited (Department of Atomic Energy) and Bharat Electronics Limited (Ministry of Defence), both Central Public Sector Undertakings, which are entrusted with development of very high security product/equipment development.
ii. The ECI-EVMs cannot be reprogrammed.
iii. The software for this chip is developed in-house by a select group of engineers in the two PSUs independently from each other. A select software development group of 2-3 engineers designs the source code and this work is not sub-contracted.
iv. The source code is so designed that it allows a voter to cast the vote only once. The next vote can be recorded only after the Presiding Officer enables the ballot on the Control Unit. In between the machine becomes dead to any signal from outside (except from the Control Unit).
v. After completion of software design, testing and evaluation of the software is carried out by an independent testing group as per the software requirements specifications (SRS). This ensures that the software has really been written as per the requirements laid down for its intended use only.
vi. After successful completion of such evaluation, machine code of the source programme code known as hex-code (not the source code itself) is given to the micro controller manufacturer for fusing in the micro controllers. From this machine code, the source code cannot be read. Source code is never handed over to anyone outside the software group.
vii. Micro controller manufacturer initially provides engineering samples for evaluation. These samples are assembled into the EVM, evaluated and verified for functionality at great length. Bulk production clearance is given to micro controller manufacturer only after successful completion of this verification.
viii. The source code for the EVM is stored under controlled conditions at all times. Checks and balances are in place to ensure that it is accessible to authorized personnel only.
ix. During production, functional testing is done by production group as per the laid down quality plan and performance test procedures.
x. Samples of EVMs from production batches are regularly checked for functionality by Quality Assurance Group, which is an independent group within the organizations.
xi. Certain additional features were introduced in 2006 in ECI-EVMs such as dynamic coding between Ballot Unit and Control Unit, installation of real time clock, installation of full display system and date and time stamping of every key pressing in EVM. It is important to note that there was no modification of any type done at this stage in the basic functions of the machine. {what are these and does people with expertise (Dileep et al) explain in lay-man terms regarding the use of these new features}

Not comparable with EVMs Abroad

The Commission has come across some comparisons between ECI-EVM and EVMs used by foreign countries. Such comparisons are both misplaced and misguided. Most of the systems used in other countries are PC based and running on operating Systems. Hence, these could be vulnerable to hacking. The EVM in India on the other hand is a fully standalone machine without being part of any network and with no provision for any input. As already stated, the software in the EVM chip is one time programmable and is burnt into the chip at the time of manufacture. Nothing can be written on the chip after manufacture. Thus the ECI-EVMs are fundamentally different from the voting machines and processes adopted in various foreign countries. Any surmise based on foreign studies or operating system based EVMs used elsewhere would be completely erroneous. The ECI-EVMs cannot be compared with those EVMs.

Complete Procedural Security

The Commission has in place elaborate administrative measures and procedural checks-and-balances aimed at prevention of any possible misuse or procedural lapses. These measures include rigorous pre-election test and inspection of each EVM by the technicians, two level randomization with the involvement of candidates and their agents, for the random allotment of the EVMs to various constituencies and their subsequent dispatch to various polling stations. Preparation of the EVMs for elections is done in the presence of the candidates/their agents and sealing of the prepared EVMs is also done in candidate’s or their agent’s presence. Thread seal are fixed on the EVM where again, the candidates or their representatives put their own signature and seals. Paper seals guards against any unauthorized access to the EVMs after preparation. EVMs are then kept in sealed strong rooms with provision for the candidates to put their individual seals on the strong rooms. The EVMs are randomized twice over. The list of EVMs going to individual polling stations is given to the candidates for them to check, on the poll day the actual machine, that is used in that polling station. Furthermore a mock poll is conducted in the presence of polling agents, when the polling agents can verify, inter-alia, the EVM numbers. A mock poll certificate is taken before the commencement of poll. After the mock poll the machine is set back to zero and green paper seal printed at Government Security Press is put in, where once again every polling agent is allowed to put his/her signature. After the polls, the EVM are also sealed in such a manner that there is no physical access to any of the buttons on the EVMs. Indeed there is no access to the EVMs itself since the carrying case is sealed completely. The machines are put in the strong room again in presence of the candidates, observer of the commission under video camera surveillance. The strong room is allowed to be guarded by the supporters of the candidates besides the police protection provided to strong rooms. At every step, the EVM is very well protected and elaborate arrangements are in place for the same.

Raja Bose · Post by **Raja Bose** » 09 Aug 2009 05:31

Rahul M wrote:IMHO with that decision mehta ji has lost whatever ground he had for his tirade against EVM.
in my eyes he no longer has *any* moral authority left on this issue.

so this would be a good time to lock and archive this thread ?

What?!

May your rossogollas have ants in them for the next 20 days, for suggesting such a thing! This is our chance to become BRF Oldies - no way I am giving up that chance, jee nahin!

BTW how many posts (exact number) makes one a BRF oldie??

Chinmayanand · Post by **Chinmayanand** » 09 Aug 2009 05:39

BJP team fails to prove its point on EVMs

Raja Bose · Post by **Raja Bose** » 09 Aug 2009 05:48

Muppalla wrote:Election Commission: Press Note - Subject- Electronic Voting Machines- regarding

Dr. Kirit Somaiya, Vice-President, BJP, Maharashtra, accompanied by some others, visited the Commission on 7 August 2009 responding to the Commission’s invitation. He categorically stated that he was not opposed to the use of EVMs and he had never wanted to do any demonstration about the tamperability of EVMs.

Wasn't this Somaiya quoted as saying he has proof that EVMs were actually tampered with? Why this sudden downhill skiing??

Shri Satinath Chaudhury, a petitioner in the Supreme Court in 2004 on the EVM issue, came on 8th August 2009 and after making some attempts, failed to demonstrate that the EVM could be tampered with.

My feeling is that most of these people who came to "demonstrate" are amateurs - If they do have the funds they can invite some of the security folks who regularly attend BlackHat and Defcon to come and try out attacks (or our very own Dileep

) - it will be costly but is also an independent review from people who do this for a living (and some who used to do it for kicks before getting caught).

Shri Omesh Saigal, who visited the Commission on the same day, accompanied by some others, refused to demonstrate the points earlier raised by him, using any of the 100 actual ECI-EVMs, he was offered to choose from. In a letter, addressed to the Chief Election Commissioner and handed over to EC officials, he in turn wanted certain arrangements for him and his team of hardware and software professionals from a private company before coming to demonstrate about the tamperability of the EVM. He also offered to show what he claimed as possibility of tampering using his personal computer and a ‘look alike’ of the ECI-EVM, that was privately manufactured, and is also seen on several TV channels. It was pointed out to Shri Saigal that the ECI-EVM was not at all comparable with what he had brought.

I was hoping for something useful from Omesh Saigal but unfortunately he seems to have borrowed RM's elitist attitude before condescending to prove his claims. However, Mr. Saigal can still help a lot by revealing the design of his mock-EVM, its BOM and what are the assumptions he made for making it simulate the EC EVM?? Ofcourse if he just had a VB program with push buttons and claimed it was an EVM 'look alike' then he falls into the pinhead category too. Does he have a blog or e-mail, I have no problems asking him. RM (gujrat-wale not bangal-wale), do you have his contact?

In fact, the Karnataka High Court has hailed the EVM as ‘a national pride’.

The question is EVMs are tamperable or not...not whether they are a national pride or not - it is useless BS like this which creates even more trouble in the minds of the public.

Rahul Mehta · Post by **Rahul Mehta** » 09 Aug 2009 06:31

.... vi. After successful completion of such evaluation, machine code of the source programme code known as hex-code (not the source code itself) is given to the micro controller manufacturer for fusing in the micro controllers. From this machine code, the source code cannot be read. Source code is never handed over to anyone outside the software group. ....

OMG.

Pro-EVM folks are rejoicing and they cant even notice that things have blown on their faces.

The code was burned into chip by Hitachi, not by BEL technicians. . And chip was made by Hitachi and so they can do every minor changes that are technologically possible and undetectable post-facto. So it it is factory programmed ROM for all practical purposes, different from OTP ROM where in equipment maker puts the code in his premises.

So if a mole in BEL (top 3-4 guys) give out the source code to someone, that someone can add the modulo-5 logic to the code and get a new binary. And then Hitachi can put the tempered binary in chip instead of real one. And to hide it for good, Hitachi has to change the "GetHashCode" function in the chip so that it gives the hashcode of untempered code instead of hashcode of the tempered code sitting in the ROM.

So my theory that you can temper 100000 EVMs with 10-12 people by putting module-5 logic in EVM code got better. You need co-operation from only top 3 guys in BEL. You dont need co-operation of any software coder, any QE guy, any QI guy etc of BEL. You do need co-operation of Hitachi CEO , but given the financial trouble Hitachi is facing, a phone call from Sonia with promise of buying $100 million worth of Hitachi share will convince him. And if that is not enough, another phone call from senior USG official will suffice. Hitachi wont risk losing US business for stupid 100,000 EVM chips' integrity.So any changes which cant be post-facto detected will be welcome.

---

So attn All pro-EVM folks,

1. Say you got a chip from Hitachi with some code in its ROM and lockbits set

2. Pls give exact steps you will follow to ensure that code in ROM is not tempered code, but promised code.

There is no tech to read code of the ROM. Perhaps microscopic examination will reveal that it has few more gates. But even X-ray analysis wont tell you whether a bit at given address in ROM is 0 or 1. So you cant read the ROM. Now you are dependent on hashcode that processor gave you. So if Hitachi has modified the chip to give hashcode of promised code, then getting hashcode is useless and waste of time.

----

I will write more after self-certified experts tell me how to verify ROM contents (and throw more insults, sarcasms, comments on incompetence and other assorted nonsenses they have been throwing in past 30 pages).

ArmenT · Post by **ArmenT** » 09 Aug 2009 06:37

My first post on this thread (no plans of becoming an oldie yet!)

Muppalla wrote:Election Commission: Press Note - Subject- Electronic Voting Machines- regarding

vi. After successful completion of such evaluation, machine code of the source programme code known as hex-code (not the source code itself) is given to the micro controller manufacturer for fusing in the micro controllers. From this machine code, the source code cannot be read. Source code is never handed over to anyone outside the software group.

Please excuse if this is a dumb question, but why not publish the source code outside the software group. That way, doubting thomases can compile the code for themselves and verify that the binaries are indeed built from the sources.

Rahul Mehta · Post by **Rahul Mehta** » 09 Aug 2009 06:42

Rahul M wrote:IMHO with that decision mehta ji has lost whatever ground he had for his tirade against EVM.
in my eyes he no longer has *any* moral authority left on this issue.

so this would be a good time to lock and archive this thread ?

Rahul M,

The details of my "tempered code in EVM" theory are on http://rahulmehta.com/evm1.pdf

And they were written some 4 days ago, and things just got better after ECI had to admit that code was burned by Hitachi (or who-soever who makes the chip in Japan or US) and not by BEL people. IOW, putting tempered code in chip is EASIER than I said.

I request you to go thru posts of pro-EVM people like Tanaji, Dileep and Raja Bose. For every 1 line of contents, they have 9 lines of insults, sarcasms and general philosophical comments and declaration of their victories. Why? Because they have run out of contents, and as usual, are using insults etc to cover it up. This does give an impression that "anti-EVM people have lost the debate". But each one is scared to death in allowing citizens to register YES/NO if EVMs should continue. Why? You can ask them, but this alone is proof that they have nothing to show that EVMs cant be tempered at manufacturing stage.

================

Aside,

The way media is covering this story, it is clear that someone is paying mediamen huge buck to project EVM as good and anti-EVM people as bad. That someone needs to be found and guessed. Because why is he paying to mediamen to support EVMs?

Rahul Mehta · Post by **Rahul Mehta** » 09 Aug 2009 06:51

ArmenT wrote:Please excuse if this is a dumb question, but why not publish the source code outside the software group. That way, doubting thomases can compile the code for themselves and verify that the binaries are indeed built from the sources.

ArmenT,

Once the code is inside ROM and lockbits are set, there is NO technology in world to read that binary. So if I give one EVM to the best lab in world, and give them two binary codes A and B, they cannot tell whether chip's ROM has A or B.

At best, one can get hashcode of contents inside ROM. But if the chip manufacturer has rigged the GetHashCode function to report hashcode(A), then even if ROM has code B, the chip would report hashcode(A).

Further, if this hashcode is some function like simple checksum (add the numbers, ignore overflow), then getting hashcode(A) is waste of time. Because anyone who has written B will be smart enough to write it in a way that checksum(A) and checksum(B) are same. If chip is reporting MD5 hash, then also, it is not point as chip maker can rig the chip to report wrong MD5 Hash

Pranav · Post by **Pranav** » 09 Aug 2009 06:59

What kind of lunacy is this? EC refuses to provide an unprogrammed machine and then claims that the machine cannot be tampered with. I guess what this means is that once the trojan has been installed, nobody can tamper with it!

Muppalla wrote:Election Commission: Press Note - Subject- Electronic Voting Machines- regarding

The Election Commission had, in an extraordinary measure, invited those who have recently expressed reservations about the Electronic Voting Machine (EVM) to come and demonstrate the points made in their allegations from 3rd to 8th August 2009. Those invited included political parties, petitioners before various courts and some individuals who had been writing to the Commission on this issue. One hundred EVM samples were obtained on random basis from ten states namely, Andhra Pradesh, Delhi, Gujarat, Karnataka, Madhya Pradesh, Maharashtra, Punjab, Rajasthan, Tamil Nadu and Uttar Pradesh. These were kept at the Commission’s office in readiness for scrutiny and for any application to establish its alleged fallibility. The EVMs were offered for such demonstration in the presence of a technical experts group as well as engineers representing the EVM manufacturers, BEL and ECIL. These engineers were especially called from Hyderabad and Bangalore and stationed in ECI’s office for a whole week for this specific purpose. The outcome of this exercise is that none of the persons, who were given the opportunity, could actually demonstrate any tamperability of the ECI-EVM, in any of the hundred machines put on display. They either failed or chose not to demonstrate.

The Election Commission would like to underline that it always had a firm conviction and complete satisfaction that EVMs could not be tampered with. Its faith on the machine has never wavered through the conduct of elections in the last many years including the nation-wide general elections in 2004 and 2009 and over 30 general elections to state assemblies during the last five years. In the past, no one has been able to actually demonstrate that EVMs used by the Election Commission can be tampered with or manipulated. What has been demonstrated or claimed to have been demonstrated is on a privately assembled “look-alike of ECI-EVMs” and not the actual ECI-EVM. However, the aforesaid extraordinary measure was undertaken by the Election Commission in fulfillment of its responsibility not to allow even a small shade of doubt about any aspect of its operation and in order to set at rest any misgiving anywhere. Today, the Commission once again completely reaffirms its faith in the infallibility of the EVMs. These are fully tamper-proof, as ever.

Dr. Kirit Somaiya, Vice-President, BJP, Maharashtra, accompanied by some others, visited the Commission on 7 August 2009 responding to the Commission’s invitation. He categorically stated that he was not opposed to the use of EVMs and he had never wanted to do any demonstration about the tamperability of EVMs. He however made certain suggestions for consideration of the Commission in line with his earlier correspondence with ECI. Ms. Veena Singh, a candidate in recent Parliamentary election in Madhya Pradesh also visited the Commission and made certain general points regarding physical handling of EVMs. It was explained to her that there are sufficient safeguards to take care of such problems. Shri Satinath Chaudhury, a petitioner in the Supreme Court in 2004 on the EVM issue, came on 8th August 2009 and after making some attempts, failed to demonstrate that the EVM could be tampered with.

Shri Omesh Saigal, who visited the Commission on the same day, accompanied by some others, refused to demonstrate the points earlier raised by him, using any of the 100 actual ECI-EVMs, he was offered to choose from. In a letter, addressed to the Chief Election Commissioner and handed over to EC officials, he in turn wanted certain arrangements for him and his team of hardware and software professionals from a private company before coming to demonstrate about the tamperability of the EVM. He also offered to show what he claimed as possibility of tampering using his personal computer and a ‘look alike’ of the ECI-EVM, that was privately manufactured, and is also seen on several TV channels. It was pointed out to Shri Saigal that the ECI-EVM was not at all comparable with what he had brought. Based on this, the EC officials declined to deal with, what appeared to be an imitation machine, so as to avoid creating any confusion in public mind. Shri Saigal made also a request to the Commission to consider pre-poll audit of the EVMs.

The Supreme Court of India, while disposing of a petition filed by Shri V. V. Rao and three others belonging to the Jan Chaitanya Vedika, raising questions about use of Electronic Voting Machines in the elections, on 27 July 2009 observed that the petitioners could approach the Election Commission in the matter. Similar petitions were filed before three High Courts in the country. These are the Madras High Court, the Bombay High Court and the High Court of Madhya Pradesh (Jabalpur bench). These petitions also raise allegations about the possibility of tampering with the EVMs. The Mumbai High Court has since dismissed the petition asking the petitioner to approach the Election Commission. The Election Commission has invited all these petitioners to come and demonstrate their points before the Commission. But none of them turned up for making a demonstration from 3rd August 2009 to 8th August 2009. {chickened out}

EVMs have served the country’s elections well. These were introduced after long ranging political, technical and administrative consultations since 1979. The use of machines has helped prevent several electoral malpractices and resulted in more efficient conduct of elections. Judgments from various courts have upheld the use of EVMs and technical experts have endorsed the machines from time to time. In fact, the Karnataka High Court has hailed the EVM as ‘a national pride’. Similarly, the Madras High Court, after elaborate consideration of the issue in a batch of petitions in 2001, rejected allegations that the EVMs could be tampered. The issues recently raised by petitioners in the Courts and by some others, broadly allege the possibility of tampering with the machine during the manufacturing process or while operating the machine. The following facts about ECI-EVMs conclusively rule out any such possibility.

Note that none of the security measures outined below can guard against the attack vector I have described in previous posts:

Facts about EVMs used by ECI

i. ECI-EVMs are manufactured only by Electronics Corporation of India Limited (Department of Atomic Energy) and Bharat Electronics Limited (Ministry of Defence), both Central Public Sector Undertakings, which are entrusted with development of very high security product/equipment development.
ii. The ECI-EVMs cannot be reprogrammed.
iii. The software for this chip is developed in-house by a select group of engineers in the two PSUs independently from each other. A select software development group of 2-3 engineers designs the source code and this work is not sub-contracted.
iv. The source code is so designed that it allows a voter to cast the vote only once. The next vote can be recorded only after the Presiding Officer enables the ballot on the Control Unit. In between the machine becomes dead to any signal from outside (except from the Control Unit).
v. After completion of software design, testing and evaluation of the software is carried out by an independent testing group as per the software requirements specifications (SRS). This ensures that the software has really been written as per the requirements laid down for its intended use only.
vi. After successful completion of such evaluation, machine code of the source programme code known as hex-code (not the source code itself) is given to the micro controller manufacturer for fusing in the micro controllers. From this machine code, the source code cannot be read. Source code is never handed over to anyone outside the software group.
vii. Micro controller manufacturer initially provides engineering samples for evaluation. These samples are assembled into the EVM, evaluated and verified for functionality at great length. Bulk production clearance is given to micro controller manufacturer only after successful completion of this verification.
viii. The source code for the EVM is stored under controlled conditions at all times. Checks and balances are in place to ensure that it is accessible to authorized personnel only.
ix. During production, functional testing is done by production group as per the laid down quality plan and performance test procedures.
x. Samples of EVMs from production batches are regularly checked for functionality by Quality Assurance Group, which is an independent group within the organizations.
xi. Certain additional features were introduced in 2006 in ECI-EVMs such as dynamic coding between Ballot Unit and Control Unit, installation of real time clock, installation of full display system and date and time stamping of every key pressing in EVM. It is important to note that there was no modification of any type done at this stage in the basic functions of the machine. {what are these and does people with expertise (Dileep et al) explain in lay-man terms regarding the use of these new features}

Not comparable with EVMs Abroad

The Commission has come across some comparisons between ECI-EVM and EVMs used by foreign countries. Such comparisons are both misplaced and misguided. Most of the systems used in other countries are PC based and running on operating Systems. Hence, these could be vulnerable to hacking. The EVM in India on the other hand is a fully standalone machine without being part of any network and with no provision for any input. As already stated, the software in the EVM chip is one time programmable and is burnt into the chip at the time of manufacture. Nothing can be written on the chip after manufacture. Thus the ECI-EVMs are fundamentally different from the voting machines and processes adopted in various foreign countries. Any surmise based on foreign studies or operating system based EVMs used elsewhere would be completely erroneous. The ECI-EVMs cannot be compared with those EVMs.

Complete Procedural Security

The Commission has in place elaborate administrative measures and procedural checks-and-balances aimed at prevention of any possible misuse or procedural lapses. These measures include rigorous pre-election test and inspection of each EVM by the technicians, two level randomization with the involvement of candidates and their agents, for the random allotment of the EVMs to various constituencies and their subsequent dispatch to various polling stations. Preparation of the EVMs for elections is done in the presence of the candidates/their agents and sealing of the prepared EVMs is also done in candidate’s or their agent’s presence. Thread seal are fixed on the EVM where again, the candidates or their representatives put their own signature and seals. Paper seals guards against any unauthorized access to the EVMs after preparation. EVMs are then kept in sealed strong rooms with provision for the candidates to put their individual seals on the strong rooms. The EVMs are randomized twice over. The list of EVMs going to individual polling stations is given to the candidates for them to check, on the poll day the actual machine, that is used in that polling station. Furthermore a mock poll is conducted in the presence of polling agents, when the polling agents can verify, inter-alia, the EVM numbers. A mock poll certificate is taken before the commencement of poll. After the mock poll the machine is set back to zero and green paper seal printed at Government Security Press is put in, where once again every polling agent is allowed to put his/her signature. After the polls, the EVM are also sealed in such a manner that there is no physical access to any of the buttons on the EVMs. Indeed there is no access to the EVMs itself since the carrying case is sealed completely. The machines are put in the strong room again in presence of the candidates, observer of the commission under video camera surveillance. The strong room is allowed to be guarded by the supporters of the candidates besides the police protection provided to strong rooms. At every step, the EVM is very well protected and elaborate arrangements are in place for the same.

ArmenT · Post by **ArmenT** » 09 Aug 2009 07:20

Rahul Mehta wrote: So attn All pro-EVM folks,

1. Say you got a chip from Hitachi with some code in its ROM and lockbits set

2. Pls give exact steps you will follow to ensure that code in ROM is not tempered code, but promised code.

There is no tech to read code of the ROM. Perhaps microscopic examination will reveal that it has few more gates. But even X-ray analysis wont tell you whether a bit at given address in ROM is 0 or 1. So you cant read the ROM. Now you are dependent on hashcode that processor gave you. So if Hitachi has modified the chip to give hashcode of promised code, then getting hashcode is useless and waste of time.

Not an electronics engineer myself, but I can convincingly play one on TV. First, you're wrong about there being no tech to read code of the ROM.

Assuming an Atmel chip (like Dileep? mentioned a while ago) --- On older Atmel chips (8051, 8052 etc.), it is possible to hook the chip to external ROM and have a program in the external ROM that reads the internal ROM's contents and spits it out. Heard that some other manufacturer chips have this same feature as well. On newer chips, the process is different but it is easy enough to do as well.
Step 1. Obtain a new chip and put it in the programmer
Step 2. Completely erase any program (i.e.) set it to all 0s and ONLY set the lock bit(s)
Step 3. Put the chip in a probing station and check the charge on the memory cells. The lock bits usually sit outside the main area of the ROM storage, so they can be easily located since they're the only ones with a charge. This tells you where chips of this type store their lock bits.
Step 4. Now that you know where the lock bits are located, take the chip that you suspect is tampered with, decap it and then use a laser to reset the lock gate and discharge it.
If you're not sure about how to do this, you might want to talk to chaps like these guys, who'll do it for you for a small fee: http://www.rawscience.co.uk/, http://www.semiconductor.com/ or even my favourite geek Bunnie Studios run by Andrew "Bunnie" Huang!
Step 5: Now that the lock gates are turned off, you can stick your suspect chip into a normal programmer and read its ROM easily.
Step 6: Once you've got its ROM contents, you can either compare it with the hex codes that were sent to the manufacturer, or you can run your own hash algorithms on both and compare one to the other. BTW who in the world uses a modulo 5 algorithm for hashing anyway?? MD5 and/or SHA1 are much more likely and way more reliable -- better still, use both.

Raja Bose · Post by **Raja Bose** » 09 Aug 2009 07:24

Rahul Mehta wrote: Once the code is inside ROM and lockbits are set, there is NO technology in world to read that binary. So if I give one EVM to the best lab in world, and give them two binary codes A and B, they cannot tell whether chip's ROM has A or B.

In response to this post of yours let me re-re-post my response after you keep conveniently ignoring it since it gives answers which are uncomfortable to you. Mehta ji, I am sure you are smart but I doubt you are that smart to claim that techniques (listed below in my quote) which routinely get used to inspect circuitry and read contents off packaged ICs. simply don't exist! What do you think companies like FIB International do,...make samosas and jalebis??

My answer Re-Re-Posted verbatim here after being conveniently ignored by Shri Rahul Mehta; This is what I wrote:The techniques I listed in my previous post (Decapping, SEM, FIB) are well known and currently used all over the world. This is no exotic rocket science (it may seem that way to you but then you don't have any experience in this area) and the equipment cost is low enough even for individuals (leave alone any govt. lab and that too in a country like India). Just because this answer punctures your theory, as usual you are trying to willfully ignore it.

I have already suggested you books to read (which have sufficiently laymen description of hardware hacking) including Andrew Huang's account of how he hacked the XBox by reading its sealed OTP ROM - something you claim cannot be even done (I bet Andrew who is a PhD in ECE is just making it all up and taking everybody for a ride, right?). If this was the 1st time you had claimed it cannot be done, I would put in down to lack to knowledge but what you are indulging in is plain subterfuge - you don't even want to learn what is out there before haughtily claiming that even the best lab in the world cannot do it! At least take the pains to learn about the subject before claiming "expertise".

Pranav wrote:What kind of lunacy is this? EC refuses to provide an unprogrammed machine and then claims that the machine cannot be tampered with. I guess what this means is that once the trojan has been installed, nobody can tamper with it!

Pranav, please read mine and Dileep's posts regarding how such things can be detected even after chip is packaged and sealed. RM ji just wants to ignore any such uncomfortable facts since they don't jive with his theories.

Raja Bose · Post by **Raja Bose** » 09 Aug 2009 07:30

ArmenT wrote: Step 4. Now that you know where the lock bits are located, take the chip that you suspect is tampered with, decap it and then use a laser to reset the lock gate and discharge it.
If you're not sure about how to do this, you might want to talk to chaps like these guys, who'll do it for you for a small fee: http://www.rawscience.co.uk/, http://www.semiconductor.com/ or even my favourite geek Bunnie Studios run by Andrew "Bunnie" Huang!
Step 5: Now that the lock gates are turned off, you can stick your suspect chip into a normal programmer and read its ROM easily.
Step 6: Once you've got its ROM contents, you can either compare it with the hex codes that were sent to the manufacturer, or you can run your own hash algorithms on both and compare one to the other. BTW who in the world uses a modulo 5 algorithm for hashing anyway?? MD5 and/or SHA1 are much more likely and way more reliable -- better still, use both.

ArmenT, I have informed Mehta ji about all the above stuff "n" times already but Mehta ji true to his form just wants conveniently ignore any inconvenient truths which puncture his theory. He is just hoping that we will get tired of repeating the same thing and go away - then he can claim he is right and go fool his beloved "commons". And God forbid if you ask him to educate himself about the topic at hand!

ArmenT · Post by **ArmenT** » 09 Aug 2009 07:37

Raja Bose wrote: I have already suggested you books to read (which have sufficiently laymen description of hardware hacking) including Andrew Huang's account of how he hacked the XBox by reading its sealed OTP ROM - something you claim cannot be even done (I bet Andrew who is a PhD in ECE is just making it all up and taking everybody for a ride, right?).

Bunnie's the man! Had the privilege to meet him a couple of years ago.

Raja Bose · Post by **Raja Bose** » 09 Aug 2009 07:41

^^^ Yeah he is a master. IIRC he is settled in China now? Saw the pic of some unknown PCB on his blog the other day (part of his Identify-the-PCB game) - looked like some lab equipment stuff (with four large hollowed out squares to hold the PCB in place inside the enclosure).

ArmenT · Post by **ArmenT** » 09 Aug 2009 07:47

Raja Bose wrote:^^^ Yeah he is a master. IIRC he is settled in China now? Saw the pic of some unknown PCB on his blog the other day (part of his Identify-the-PCB game) - looked like some lab equipment stuff (with four large hollowed out squares to hold the PCB in place inside the enclosure).

Bunnie is still located state-side AFAIK. His company does manufacturing in China though, so he does go there before full fledged manufacturing takes place, to make sure that stuff is being built to his design. He has a blog on dealing with Chinese manufacturers from a first-hand perspective. I don't think Bunnie could live in China for too long. For one thing, he himself says that his spoken Chinese isn't the best.

Raja Bose · Post by **Raja Bose** » 09 Aug 2009 07:53

^^ You mean the Chumby stuff? Yeah Chini manufacturers are sneaky - they can turn a BOM into a Bill Of Misery, I have had 1st hand experience of it in another life. Luckily we learnt quick and for the low-volume high-value stuff, we even got the PCBs manufactured here esp. the RF stuff. For the high volume stuff, one person had to go to the factory where board assembly was done, every month or so to do quality checks on parts and assembly.

Pranav · Post by **Pranav** » 09 Aug 2009 08:43

Raja Bose wrote:
Pranav, please read mine and Dileep's posts regarding how such things can be detected even after chip is packaged and sealed. RM ji just wants to ignore any such uncomfortable facts since they don't jive with his theories.

Here is some technical information on lock bits (source: http://korea.maxim-ic.com/appnotes.cfm/an_pk/2033):

Some implementations use one or more internal lock bits, set as a final step at the end of programming. When set, these bits prevent the microcontroller from revealing its contents if unsoldered from the PC board and placed in a device programmer, such as the widely used BP Microsystems Model BP-1700 Universal Engineering Programmer. In practice, the only way to erase the lock bits is by erasing all memory, which allows the device to be reprogrammed but destroys the program memory contents in the process.

Also, as per EC, the only testing that is done on the microcontroller chips is functional testing. So that would not detect a trojan, even if there were a way to access the code after the lock bits were set.

Rahul Mehta · Post by **Rahul Mehta** » 09 Aug 2009 08:56

Raja Bose, ArmenT etc,

Here is what Dileep says

Dileep wrote:Rahul,

Programming, reading and verification are activities done on a daily basis by people like me who work on embedded systems. EVERY programmer reads the programmed bytes and verifies the programming. It is a fundamentally known fact, that you may not get URLs for that.

See this link to one of the Data-Io device programmer manual. The examples are given for PROMs, but exactly the same works for microcontrollers.

See this link to an ATMEL device that offers OTP ROM. The technical details of programming and verification is given in the datasheet.

Yes, there is a security bit to prevent reading. If that is 'set' you can no longer read the full content.

But the hash can still be read to verify the integrity of the program.

I have dealt with hash part before, how chip maker can rig it. As per reading ROM, it is impossible these days as per Dileep.

Also, BEL's own website also says that ROM can only be accessed and executed but not read.

http://www.bel-india.com/BELWebsite/ima ... atures.pdf

Pls read following para

BEL's websire: Micro-controller has a One Time Programmable Read Only Memory (OTPROM). Program codes are fused in this OTPROM permanently. Program codes once written and fused in this OTPROM cannot be read back or altered by anyone including the manufacturer. Thus, it is 100% code protected from either altering or decoding the contents.

-----

ArmenT,

Pls read the Atmel chip manual Dilip posted. The manual mentions that some cheaper models dont have lockbits. So if a manufacturer wants to save costs and is no worried about protecting code, he would use such chips and so you may read the code. Also, very initial chips may not have had such lockbits.

-----

Raja Bose,

The hacking tools give a "guess" of what possibly goes in ROM. There is no tool to read ROM. Or else, if I send you a ROM, can you read it? If yes, pls post the list the equipment used with URLs. And pls mention name of people in India who have these equipment. Pls mention exact process steps, not mention some name of hackers and pass the buck to them.

----

Dileep,

Many moons ago, you gave me a process listing with team lead, QI, QE blah blah and asked me how would I subvert it if I were BEL CEO? Do you have the answer now, how your beloved process can be subverted? If I were BEL CEO, I would just outsource ROM burning to Hitachi or any other CIA outfit. Now tell me, which "process" would you use to stop me? So much for "processes".

Rahul Mehta · Post by **Rahul Mehta** » 09 Aug 2009 09:29

Step 3. Put the chip in a probing station and check the charge on the memory cells. The lock bits usually sit outside the main area of the ROM storage, so they can be easily located since they're the only ones with a charge. This tells you where chips of this type store their lock bits.

This step can be subverted by implementing lockbits as "multiple lockbits" and combining locking code with Chip ID.

Now chipID will be unique. And corresponding to each chipID, I will have a different lockbit combination for unlocking. So you will never be able to guess the unlocking combination for a given chipID, unless you know the exact function.

----

ArmenT,

Unless you have a tool to DIRECTLY read EVERY bit separately at every given memory address, you have a case. Otherwise, you can assume that Hitachi has implemented cure to every known hacking tool and technique.

In any case, you can ask BEL to give a demo of how they read the binaries when chips came from Hitachi. Otherwise, you cant say that EVM chips have same binary as one claimed.