Should we discontinue EVMs?

ArmenT
BR Mainsite Crew
Posts: 4239
Joined: 10 Sep 2007 05:57
Location: Loud, Proud, Ugly American

Re: Should we discontinue EVMs?

Post by ArmenT »

Rahul Mehta wrote: ArmenT,

Pls read the Atmel chip manual Dilip posted. The manual mentions that some cheaper models don't have lockbits. So if a manufacturer wants to save costs and is not worried about protecting code, he would use such chips and so you may read the code. Also, very initial chips may not have had such lockbits.
Yes I know perfectly well that certain low-end chips may not have lockbits and stuff. I don't care about those at all. I posted how to extract stuff from the ROM even when the chips have lock bits.
Rahul Mehta wrote:
-----

Raja Bose,

The hacking tools give a "guess" of what possibly goes in ROM. There is no tool to read ROM. Or else, if I send you a ROM, can you read it? If yes, pls post the list of the equipment used with URLs. And pls mention the names of people in India who have this equipment. Pls mention exact process steps, not just mention the names of some hackers and pass the buck to them.
I have a feeling you haven't read my post at all. Your claim that there is no tool to read ROM is total hogwash. I mentioned the EXACT STEP-BY-STEP process used to figure out what is in the ROM, including companies that offer this service, in case you don't feel like doing the steps yourself. Before you start going off on a tangent about them all being CIA fronts, one is Canadian/Chinese, one is British, one is American. There are quite a few other companies all around the world that offer this service as well -- I just happened to mention three of them. If you don't trust any of them, you can do the whole job yourself or hire someone to do it for you. If you go to those URLs that I mentioned, you'll even see the equipment that the companies use to do this, so feel free to get your hands on some test equipment.

I'll answer for Raja Bose and say, "Yes I can read what is in the ROM" using the process I outlined above. EVERY BIT of memory if you want.
ArmenT
BR Mainsite Crew
Posts: 4239
Joined: 10 Sep 2007 05:57
Location: Loud, Proud, Ugly American

Re: Should we discontinue EVMs?

Post by ArmenT »

Rahul Mehta wrote:
Step 3. Put the chip in a probing station and check the charge on the memory cells. The lock bits usually sit outside the main area of the ROM storage, so they can be easily located since they're the only ones with a charge. This tells you where chips of this type store their lock bits.
This step can be subverted by implementing lockbits as "multiple lockbits" and combining locking code with Chip ID.

Now chipID will be unique. And corresponding to each chipID, I will have a different lockbit combination for unlocking. So you will never be able to guess the unlocking combination for a given chipID, unless you know the exact function.
For a chip that is mass produced??? You must be out of your mind. First, I'm not aware of any chips that do what you claim. Also, what makes you think that BEL has indeed selected such a chip for their design?

Even if someone were to use such a chip, the game would be up the moment someone decided to examine 2 chips. It would ruin the company that designed such a backdoor immediately, as no one else in the world would ever buy anything they manufactured ever again. There's a big factor in business called TRUST.
Rahul Mehta wrote: ----

ArmenT,

Unless you have a tool to DIRECTLY read EVERY bit separately at every given memory address, you have a case. Otherwise, you can assume that Hitachi has implemented cure to every known hacking tool and technique.

In any case, you can ask BEL to give a demo of how they read the binaries when chips came from Hitachi. Otherwise, you can't say that EVM chips have the same binary as the one claimed.
Well I'm not in possession of such a tool personally, but I know people who do and yes they can DIRECTLY read EVERY bit, so I do have a case. Besides, why should I ask BEL for a demo, when (1) I have no personal interest in Indian elections whatsoever (I'm an American citizen, old pal) and (2) you're the one making the accusations, so you do it and prove that the EVM chips indeed don't have the binary that is claimed.
Raja Bose
BRF Oldie
Posts: 19477
Joined: 18 Oct 2005 01:38

Re: Should we discontinue EVMs?

Post by Raja Bose »

ArmenT wrote: (2) you're the one making the accusations, so you do it and prove that the EVM chips indeed don't have the binary that is claimed.
aaah....you will soon learn that Mehta ji only believes in making accusations and spinning tales - he feels that it is other people's responsibility to prove that his accusations are false - God forbid if he will lift a finger to prove his own accusations or even educate himself about what he is talking about! :mrgreen:

Added Later: BTW ArmenT, Welcome to the BRF Oldie-in-the-making Party! :D
Last edited by Raja Bose on 09 Aug 2009 11:52, edited 1 time in total.
Raja Bose
BRF Oldie
Posts: 19477
Joined: 18 Oct 2005 01:38

Re: Should we discontinue EVMs?

Post by Raja Bose »

Rahul Mehta wrote:
Dileep wrote: But the hash can still be read to verify the integrity of the program.
I have dealt with hash part before, how chip maker can rig it. As per reading ROM, it is impossible these days as per Dileep.
OK time for some re-education for RM ji: What Dileep refers to above is reading of the hash through external pins of the MCU. What I am talking about is literally taking off the package from the chip and scanning it (That's where SEM and FIB come in). They are two totally different things - the 1st one is non-destructive testing, the 2nd one is destructive testing (due to the decapping) and done on randomly chosen units coming off the line.

Once again your questions expose 2 glaring facts:

(1) Unqualified people cannot judge the nuances.
(2) You are least bothered about trying to learn. Instead you believe more in rumour mongering.
Rahul Mehta wrote: Pls read following para
BEL's website: Micro-controller has a One Time Programmable Read Only Memory (OTPROM). Program codes are fused in this OTPROM permanently. Program codes once written and fused in this OTPROM cannot be read back or altered by anyone including the manufacturer. Thus, it is 100% code protected from either altering or decoding the contents.
Once again, they are referring to reading the ROM without destroying the MCU.
Rahul Mehta wrote: The hacking tools give a "guess" of what possibly goes in ROM.
Wow! You really outdid yourself on this one. What is this "guess" can you please elaborate? We are talking digital electronics - 0 and 1 - discrete states. Please explain to me what is this guess - is it some probability, are we talking about some PDF here. Answer this question - Don't run away. It seems you just invented a whole new era of computing (clearly boolean algebra will be replaced by Rahul algebra)! 8) And BTW these tools don't give a "guess" of what goes in the ROM - they literally read the bits OFF the ROM after it has been burnt (just in case you think they mean the same thing).
Remember I said that half-baked knowledge is a dangerous thing - as is evident from your statements, it is.
Rahul Mehta wrote: There is no tool to read ROM.

Or else, if I send you a ROM, can you read it? If yes, pls post the list of the equipment used with URLs. And pls mention the names of people in India who have this equipment. Pls mention exact process steps, not just mention the names of some hackers and pass the buck to them.
I already posted the tools used: Decapping, SEM, FIB (this is the 4th time I am posting it, so either you don't read or you are unable to understand what they are). If you are really interested to educate yourself and want someone's live account on how ROM is read and decoy code detected, go buy this book: (click) and learn. I am not going to spoon-feed you especially since you seem to be at least a decade older than me. Any semi-conductor company/hardware security consultancy will have this equipment - heck Electronics Niketan in Delhi used to have it when I was a student. And as for mentioning hackers' names, the simple aim is to get it into your head that these tools are in widespread use even by individuals. Of course you would rather put your head in the sand and claim they don't exist but that is your delusion. Go read the book I suggested (I even dug out the link for you) and then come back and tell us if "there is no tool to read a ROM and the best labs in the world can't do it". A mere PhD student single-handedly used them to hack the XBox and even detected decoy code which MSFT had put in.

Like I said, for you as well as for most people whose exposure to computers is high-level software (so-called ITvity), they have no idea that there is a whole science and associated engineering for the silicon that the fat software stacks run on. The least you can do is get educated. I am not going to spoon feed you. If you are interested, use Google, search those terms and spend time learning. But do not claim that you know something when you don't even have the faintest idea about basic fundamentals. This is not some BS-based neta giri, this is hardcore science and engineering. Frankly, I am surprised you are so ignorant (and so lazy to do research) given your IIT background, that too in CSE.
Rahul M
Forum Moderator
Posts: 17167
Joined: 17 Aug 2005 21:09
Location: Skies over BRFATA

Re: Should we discontinue EVMs?

Post by Rahul M »

Added Later: BTW ArmenT, Welcome to the BRF Oldie-in-the-making Party! :D
don't give him false hopes, he has a loooooong way to go ! :D

the number is 2k btw. :wink:
Pranav
BRF Oldie
Posts: 5280
Joined: 06 Apr 2009 13:23

Re: Should we discontinue EVMs?

Post by Pranav »

From a previous post, this is a description of the kind of testing the EC does:
ix. During production, functional testing is done by production group as per the laid down quality plan and performance test procedures.
x. Samples of EVMs from production batches are regularly checked for functionality by Quality Assurance Group, which is an independent group within the organizations.
It's only functional testing. No scanning electron microscopes or focussed ion beams or lasers or anything fancy.
Raja Bose
BRF Oldie
Posts: 19477
Joined: 18 Oct 2005 01:38

Re: Should we discontinue EVMs?

Post by Raja Bose »

Rahul M wrote: the number is 2k btw. :wink:
Ah! Insh'allah RM (gujarat wale) will stick around....only 700 more to go for me!! 8)
negi
BRF Oldie
Posts: 13112
Joined: 27 Jul 2006 17:51
Location: Ban se dar nahin lagta , chootiyon se lagta hai .

Re: Should we discontinue EVMs?

Post by negi »

^ We have to be careful and pepper more dhagas with bakwaas :mrgreen: as Nukkad and now EVM are prone to WMD testing by admins .
Raja Bose
BRF Oldie
Posts: 19477
Joined: 18 Oct 2005 01:38

Re: Should we discontinue EVMs?

Post by Raja Bose »

Pranav wrote:From a previous post, this is a description of the kind of testing the EC does:
ix. During production, functional testing is done by production group as per the laid down quality plan and performance test procedures.
x. Samples of EVMs from production batches are regularly checked for functionality by Quality Assurance Group, which is an independent group within the organizations.
It's only functional testing. No scanning electron microscopes or focussed ion beams or lasers or anything fancy.
Well then go and suggest to the EC to have such testing done on random samples pulled off the EVM line - the ways and means are already there in India to do it. Many people have made suggestions to EC during past week even if they failed to show a live hack.

My issue is not with whether EC follows a certain process or not or even whether EVM is hackable or not - in fact, I believe all systems (electronic and otherwise) are hackable, it is the practicality which differs. My issue is when someone like RM comes and makes ridiculous claims and spins spurious tales based on half-baked knowledge and totally unscientific thoughts and then proceeds to portray them as well established facts.

Just to clarify, there is nothing fancy - these equipment have been used for ages and it is pretty standard fare. It only looks like rocket science to people who don't work in embedded systems - it is just painstaking science, nothing more.
Dileep
BRF Oldie
Posts: 5891
Joined: 04 Apr 2005 08:17
Location: Dera Mahab Ali धरा महाबलिस्याः درا مهاب الي

Re: Should we discontinue EVMs?

Post by Dileep »

I am away from a fast internet right now. I will respond to the new developments in the evening when I get back home.

(The reliance data card SUCKS at this location, and I am just outside the city :(( )
Last edited by Dileep on 09 Aug 2009 12:27, edited 1 time in total.
Raja Bose
BRF Oldie
Posts: 19477
Joined: 18 Oct 2005 01:38

Re: Should we discontinue EVMs?

Post by Raja Bose »

Rahul M (bangal-wale),

A humble request. Can this EVM thread be at least put in the Technology and Economic Forum? I know it was moved here from the Strat forum but given the large amount of very relevant information on this thread and debunking of numerous technical "scenarios", it might be useful for the general public to come across this info (via the services of Google/etc. bots). It is useful to have analysis of technical allegations such as those made by people like RM, publicly available so that people realize what's true and what's not. Right now if one searches, one only comes across allegations made by all and sundry and no analysis of those allegations (as has been done here). Right now all the info on this thread is locked from outside view and it helps no one.
Dileep
BRF Oldie
Posts: 5891
Joined: 04 Apr 2005 08:17
Location: Dera Mahab Ali धरा महाबलिस्याः درا مهاب الي

Re: Should we discontinue EVMs?

Post by Dileep »

OK, I am back to DSL world.

The disclosure by the EC that the hex file is given to Hitachi does in fact IMPROVE the security. I will explain why.

What the fab provides is the MASK ROM service, not a programming service. See this link for details about this service from Hitachi (the business is spun off and is now named Renesas). This is the common practice for large volume products.

The ROM bits are formed by making fixed metal connections along with the other interconnections being made on the chip at the time of silicon fabrication. These interconnections are clearly visible on the chip. So, a mask ROM can be easily read and compared visually.

OTOH, an OTP ROM, i.e. ROM programmed in the factory, depends upon charges stored in the device. These can not be read visually. You need probing to read the bits.

See this link for some actual projects: http://guru.mameworld.info/decap/index.html

When a MASK ROM device is shipped from the factory, its lockbits are never set. The customer is expected to verify the ROM integrity by reading the stored binary image, and comparing with a master. The lockbits are then set as part of the manufacturing process.

After the lockbits are set, it is not possible to read the binary image using a reader equipment. You need to decap the chip to do the reading.

So, let me summarize:

1. The ROM contents created by the MASK operation is verified at BEL.
2. Decapping and inspection can recover 100% of the ROM data.

The MASK ROM eliminates a lot of security steps in production, hence it is more secure. It also permits better forensic analysis, as you can visually read the ROM, unlike the programmed ROM.

Now, let me clarify that it is NOT possible to place serial numbers on the chip. ALL the devices made using one mask set will be IDENTICAL. There is no technology available to put per device information on integrated circuits.

So, this disclosure by EC buries the argument of Rigged Chip sixteen feet under.
Dileep
BRF Oldie
Posts: 5891
Joined: 04 Apr 2005 08:17
Location: Dera Mahab Ali धरा महाबलिस्याः درا مهاب الي

Re: Should we discontinue EVMs?

Post by Dileep »

Rahul Mehta wrote: Pro-EVM folks are rejoicing and they cant even notice that things have blown on their faces.
In fact this disclosure improves the security by an order of magnitude!! Read my post above.
The code was burned into the chip by Hitachi, not by BEL technicians. And the chip was made by Hitachi and so they can do every minor change that is technologically possible and undetectable post-facto. So it is factory-programmed ROM for all practical purposes, different from OTP ROM wherein the equipment maker puts the code in on his premises.
It is MASK ROM, which could be easily read by decapping. Also, any additional circuitry to the rest of the chip could be found by decapping as well.
So if a mole in BEL (top 3-4 guys) gives out the source code to someone, that someone can add the modulo-5 logic to the code and get a new binary. And then Hitachi can put the tampered binary in the chip instead of the real one. And to hide it for good, Hitachi has to change the "GetHashCode" function in the chip so that it gives the hashcode of the untampered code instead of the hashcode of the tampered code sitting in the ROM.
BEL production verifies the image on the received chips. Also, at any time in the coming years, someone can do a forensic evaluation on the chips by decapping, and find it all out.
So my theory that you can tamper with 100000 EVMs with 10-12 people by putting modulo-5 logic in EVM code got better. You need co-operation from only the top 3 guys in BEL. You don't need co-operation of any software coder, any QE guy, any QI guy etc of BEL. You do need co-operation of the Hitachi CEO, but given the financial trouble Hitachi is facing, a phone call from Sonia with a promise of buying $100 million worth of Hitachi shares will convince him. And if that is not enough, another phone call from a senior USG official will suffice. Hitachi won't risk losing US business for stupid 100,000 EVM chips' integrity. So any changes which can't be post-facto detected will be welcome.
All can be done, but everything blown out of the sky by a simple forensic analysis on the chip anytime in the coming decades.
So attn All pro-EVM folks,
1. Say you got a chip from Hitachi with some code in its ROM and lockbits set
2. Pls give exact steps you will follow to ensure that the code in ROM is not tampered code, but the promised code.
The lockbits are NOT set from the factory, but that notwithstanding,

You need EXACT steps? Try this:

1. Use a small grinder to remove bulk of the chip package
2. Use nitric acid, sodium hydroxide and acetone to expose the chip
3. Take magnified photographs of the chip. I would use the facility at my workplace.
4. Mark 1's and 0's on the photograph, and form them into bytes.
5. Copy the bytes into an ordered array.
6. Type it into the computer and convert into binary

You got the binary file.

If you see a discrepancy, you can go back to that particular bit on the photos and check. If you have doubt, you can use further magnification to take a decision.
There is no tech to read the code of the ROM. Perhaps microscopic examination will reveal that it has a few more gates. But even X-ray analysis won't tell you whether a bit at a given address in ROM is 0 or 1. So you can't read the ROM. Now you are dependent on the hashcode that the processor gave you. So if Hitachi has modified the chip to give the hashcode of the promised code, then getting the hashcode is useless and a waste of time.
A simple microscope can do it. In fact I got an 800X microscope at home. It has very small FOV, but in a crunch, even that can be used!
I will write more after self-certified experts tell me how to verify ROM contents (and throw more insults, sarcasms, comments on incompetence and other assorted nonsense they have been throwing in the past 30 pages).
Oh, I am not self certified. I made my living dealing with bare silicon and GaAs chips and their packaging for a few years in the last decade. Right now I make my living by design and programming of microcontroller based systems. I sit above a plant that produces thousands of products using bare silicon and GaAs chips in a day.

I would claim that you deserve every insult, merit every sarcasm, and every comment about your incompetence is glaringly true.

And I guarantee to dish more of them out as and when you show a need for it.
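Steps 4 to 6 of the procedure above (forming the marked bits into bytes and checking them against the master) in working form, so that a discrepancy points back at an exact row and column on the photograph. This is an added example and not Dileep's code, nor anything from BEL or the EC. It assumes the master is an Intel HEX file (the thread only says "hex file"), that each transcribed row holds one byte with the most significant bit on the left, and that row number equals address; the hex records and the transcribed rows are constructed for the example, with one bit deliberately mis-read so that the report has something to show.

```python
"""Turn bits marked on a mask-ROM die photograph into a binary image and diff
it against the master hex file.  Added example, not code from the thread.
Assumptions (not in the original post): Intel HEX master file; one byte per
transcribed row, MSB on the left; row r corresponds to address r."""


def parse_intel_hex(text):
    """Parse Intel HEX records into {address: byte}.

    Handles data (00), EOF (01) and extended segment/linear address (02/04)
    records.  Every record's checksum is verified: the sum of all bytes in a
    record, including the checksum byte, must be 0 mod 256.
    """
    image, base = {}, 0
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        line = line.strip()
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: not an Intel HEX record")
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF:
            raise ValueError(f"line {lineno}: record checksum mismatch")
        count, addr, rtype = raw[0], (raw[1] << 8) | raw[2], raw[3]
        data = raw[4:4 + count]
        if len(data) != count:
            raise ValueError(f"line {lineno}: short record")
        if rtype == 0x00:
            for i, b in enumerate(data):
                image[base + addr + i] = b
        elif rtype == 0x01:
            break
        elif rtype == 0x02:
            base = ((data[0] << 8) | data[1]) << 4
        elif rtype == 0x04:
            base = ((data[0] << 8) | data[1]) << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    return image


def rows_to_bytes(rows, msb_first=True):
    """Assemble 8-character '0'/'1' rows (one per byte, as marked on the
    photo) into bytes.  Bit order is an assumption of this example; on a real
    die it has to be established from a region whose value is already known."""
    out = bytearray()
    for r, row in enumerate(rows):
        if len(row) != 8 or set(row) - {"0", "1"}:
            raise ValueError(f"row {r}: expected 8 bits, got {row!r}")
        out.append(int(row if msb_first else row[::-1], 2))
    return bytes(out)


def compare(master, transcribed, msb_first=True):
    """Return every disagreeing bit as (address, column_on_photo, master_bit,
    seen_bit) so the analyst can go back to that exact spot on the photograph.
    An address present on only one side is reported with column None."""
    findings = []
    for addr in range(len(transcribed)):
        if addr not in master:
            findings.append((addr, None, None, transcribed[addr]))
            continue
        diff = master[addr] ^ transcribed[addr]
        for bit in range(8):
            if diff & (1 << bit):
                col = 7 - bit if msb_first else bit
                findings.append((addr, col, (master[addr] >> bit) & 1,
                                 (transcribed[addr] >> bit) & 1))
    for addr in sorted(master):
        if addr >= len(transcribed):
            findings.append((addr, None, master[addr], None))
    return findings


# Constructed sample master: eight bytes at address 0, then an EOF record.
SAMPLE_HEX = """
:080000003E01320020C30000A4
:00000001FF
"""

# Constructed transcription of the same eight bytes from the "photograph";
# address 5 has one bit deliberately mis-read (0xC1 instead of 0xC3).
SAMPLE_ROWS = [
    "00111110",  # 0x3E
    "00000001",  # 0x01
    "00110010",  # 0x32
    "00000000",  # 0x00
    "00100000",  # 0x20
    "11000001",  # should be 11000011 (0xC3)
    "00000000",  # 0x00
    "00000000",  # 0x00
]

if __name__ == "__main__":
    master = parse_intel_hex(SAMPLE_HEX)
    seen = rows_to_bytes(SAMPLE_ROWS)
    for addr, col, want, got in compare(master, seen):
        print(f"address {addr:#06x}, photo column {col}: master={want} photo={got}")
```

Run as-is it reports one finding, address 5 column 6, which is the bit to re-check at higher magnification as the post suggests. The bit-order and row-to-address mapping are the parts that differ from one ROM layout to another; both must be pinned down on a known region before the comparison means anything.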
Dileep
BRF Oldie
Posts: 5891
Joined: 04 Apr 2005 08:17
Location: Dera Mahab Ali धरा महाबलिस्याः درا مهاب الي

Re: Should we discontinue EVMs?

Post by Dileep »

ArmenT wrote:My first post on this thread (no plans of becoming an oldie yet!)
Muppalla wrote:Election Commission: Press Note - Subject- Electronic Voting Machines- regarding

vi. After successful completion of such evaluation, machine code of the source programme code known as hex-code (not the source code itself) is given to the micro controller manufacturer for fusing in the micro controllers. From this machine code, the source code cannot be read. Source code is never handed over to anyone outside the software group.
Please excuse if this is a dumb question, but why not publish the source code outside the software group. That way, doubting thomases can compile the code for themselves and verify that the binaries are indeed built from the sources.
ArmenT, there are two reasons for that.

1. We are a paranoiac society where the "official secrets act" ruled for a very long time.
2. If you publish the source, the next second, a thousand Rahul Mehtas will jump up and down saying that the EC "sold the country off. Now anyone can hack the EVM, since they have the source."

The source code control, as far as I could gather from the EC disclosure, is that two small teams write it, independently at BEL and ECIL, and another team does the review and verification. That is good enough security IMO.
Dileep
BRF Oldie
Posts: 5891
Joined: 04 Apr 2005 08:17
Location: Dera Mahab Ali धरा महाबलिस्याः درا مهاب الي

Re: Should we discontinue EVMs?

Post by Dileep »

Rahul Mehta wrote: The details of my "tampered code in EVM" theory are on http://rahulmehta.com/evm1.pdf
You have conveniently ignored a number of gaping holes in your argument. That's all.
And they were written some 4 days ago, and things just got better after ECI had to admit that the code was burned by Hitachi (or whosoever makes the chip in Japan or US) and not by BEL people. IOW, putting tampered code in the chip is EASIER than I said.
No. It became tougher by an order of magnitude!! Tough luck there.
I request you to go through the posts of pro-EVM people like Tanaji, Dileep and Raja Bose. For every 1 line of content, they have 9 lines of insults, sarcasms and general philosophical comments and declarations of their victories.
PROVE that ratio. 9 lines of insult for one line of content please.

If you got insult, that is because you insult the human intelligence and logic.
Why? Because they have run out of content, and as usual, are using insults etc to cover it up. This does give an impression that "anti-EVM people have lost the debate". But each one is scared to death of allowing citizens to register YES/NO on whether EVMs should continue. Why? You can ask them, but this alone is proof that they have nothing to show that EVMs can't be tampered with at the manufacturing stage.
Take your "register with talati" argument somewhere else. It doesn't belong here.

Your argument of rigged chip is buried sixteen feet under, by the disclosure of the EC.
The way media is covering this story, it is clear that someone is paying mediamen huge buck to project EVM as good and anti-EVM people as bad. That someone needs to be found and guessed. Because why is he paying to mediamen to support EVMs?
OK, now you got it on the media too. Who else left I wonder!!
Dileep
BRF Oldie
Posts: 5891
Joined: 04 Apr 2005 08:17
Location: Dera Mahab Ali धरा महाबलिस्याः درا مهاب الي

Re: Should we discontinue EVMs?

Post by Dileep »

Rahul Mehta wrote: Once the code is inside ROM and lockbits are set, there is NO technology in world to read that binary. So if I give one EVM to the best lab in world, and give them two binary codes A and B, they cannot tell whether chip's ROM has A or B.
WRONG. You don't need the best lab. I myself can read the mask ROM.
At best, one can get hashcode of contents inside ROM. But if the chip manufacturer has rigged the GetHashCode function to report hashcode(A), then even if ROM has code B, the chip would report hashcode(A).
This is no longer relevant, but still, reporting a wrong hashcode is not possible, as repeatedly shown in the past.
Further, if this hashcode is some function like a simple checksum (add the numbers, ignore overflow), then getting hashcode(A) is a waste of time. Because anyone who has written B will be smart enough to write it in a way that checksum(A) and checksum(B) are the same. If the chip is reporting an MD5 hash, then also there is no point, as the chip maker can rig the chip to report a wrong MD5 hash.
The simple technique used by ATMEL defeats the whole premise of hash faking.

In any case, it doesn't apply anymore. The EC disclosure makes it unnecessary. A simple decapping and inspection can retrieve the ROM code.
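The checksum point in the quoted post, worked through: an additive checksum can be matched by a tampered image with a one-byte fix-up, while the same trick against a cryptographic hash gets nowhere. This is an added example, not code from the thread or from any EVM vendor; the genuine and tampered images are constructed, the patched bytes stand in for whatever logic an attacker inserts, and the "free" byte is assumed to be an unused fill location that the attacker controls.

```python
"""Why an additive checksum cannot authenticate a ROM image but a
cryptographic hash can.  Added example, not from the thread.  The images,
the patched bytes and the 'free' fill byte are constructed assumptions."""

import hashlib


def add8_checksum(image):
    """The 'simple checksum' from the thread: add all bytes, ignore overflow."""
    return sum(image) & 0xFF


def forge_add8(tampered, target, free_offset):
    """Make the tampered image's additive checksum equal target by rewriting
    one byte the attacker controls (assumed to be unused fill).  Succeeds for
    every target because the checksum is linear in the bytes."""
    img = bytearray(tampered)
    others = (sum(img) - img[free_offset]) & 0xFF
    img[free_offset] = (target - others) & 0xFF
    return bytes(img)


def sha256_hex(image):
    """A real hash of the image, the thing the checksum is standing in for."""
    return hashlib.sha256(image).hexdigest()


def forge_sha256_one_byte(tampered, target_hex, free_offset):
    """The same fix-up attempted against SHA-256: try all 256 values of the
    free byte and return the matching image, or None.  One byte gives 256
    candidates against a 2**256 space, so no value matches."""
    img = bytearray(tampered)
    for v in range(256):
        img[free_offset] = v
        if sha256_hex(img) == target_hex:
            return bytes(img)
    return None


# Constructed genuine image: 24 'code' bytes followed by 8 bytes of 0xFF fill.
GENUINE = bytes(range(0x10, 0x28)) + b"\xFF" * 8
FREE_OFFSET = len(GENUINE) - 1  # last fill byte, assumed unused by the code

# Constructed tampered image: four 'code' bytes replaced (stand-in for any
# inserted logic), nothing else changed yet.
TAMPERED = GENUINE[:4] + b"\xDE\xAD\xBE\xEF" + GENUINE[8:]

if __name__ == "__main__":
    forged = forge_add8(TAMPERED, add8_checksum(GENUINE), FREE_OFFSET)
    print("additive checksum genuine:", hex(add8_checksum(GENUINE)))
    print("additive checksum forged: ", hex(add8_checksum(forged)))
    print("sha256 genuine:", sha256_hex(GENUINE))
    print("sha256 forged: ", sha256_hex(forged))
    print("sha256 one-byte forgery:", forge_sha256_one_byte(
        TAMPERED, sha256_hex(GENUINE), FREE_OFFSET))
```

A CRC is no better than the additive sum for this purpose: it is linear over GF(2), so with as many free bytes as the CRC is wide the fix-up is always possible, only the arithmetic is less trivial. The hash helps only if it is read out by equipment the chip does not control, which is the other half of the argument in the post above.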
Dileep
BRF Oldie
Posts: 5891
Joined: 04 Apr 2005 08:17
Location: Dera Mahab Ali धरा महाबलिस्याः درا مهاب الي

Re: Should we discontinue EVMs?

Post by Dileep »

Pranav wrote:What kind of lunacy is this? EC refuses to provide an unprogrammed machine and then claims that the machine cannot be tampered with. I guess what this means is that once the trojan has been installed, nobody can tamper with it!
What kind of lunacy is your argument? We are discussing the security measures that prevent someone from putting compromised code in the EVM in the first place. Giving a blank EVM nullifies that whole mechanism.

I can write code that displays "Pranav is the WINNER" on the EVM's screen. What does that prove?
Note that none of the security measures outlined below can guard against the attack vector I have described in previous posts:
Jog our collective memories. Please outline your attack vector again, and I will be glad to tear them down again. Thanks.
Dileep
BRF Oldie
Posts: 5891
Joined: 04 Apr 2005 08:17
Location: Dera Mahab Ali धरा महाबलिस्याः درا مهاب الي

Re: Should we discontinue EVMs?

Post by Dileep »

Pranav wrote:
Raja Bose wrote:
Pranav, please read mine and Dileep's posts regarding how such things can be detected even after chip is packaged and sealed. RM ji just wants to ignore any such uncomfortable facts since they don't jive with his theories.
Here is some technical information on lock bits (source: http://korea.maxim-ic.com/appnotes.cfm/an_pk/2033):
Some implementations use one or more internal lock bits, set as a final step at the end of programming. When set, these bits prevent the microcontroller from revealing its contents if unsoldered from the PC board and placed in a device programmer, such as the widely used BP Microsystems Model BP-1700 Universal Engineering Programmer. In practice, the only way to erase the lock bits is by erasing all memory, which allows the device to be reprogrammed but destroys the program memory contents in the process.
Also, as per EC, the only testing that is done on the microcontroller chips is functional testing. So that would not detect a trojan, even if there were a way to access the code after the lock bits were set.
It is standard procedure NOT to set lockbits upon shipment, and for the customer to verify the programmed code on every lot that is shipped.
Dileep
BRF Oldie
Posts: 5891
Joined: 04 Apr 2005 08:17
Location: Dera Mahab Ali धरा महाबलिस्याः درا مهاب الي

Re: Should we discontinue EVMs?

Post by Dileep »

Rahul Mehta wrote: I have dealt with hash part before, how chip maker can rig it. As per reading ROM, it is impossible these days as per Dileep.

Also, BEL's own website also says that ROM can only be accessed and executed but not read.

http://www.bel-india.com/BELWebsite/ima ... atures.pdf

Pls read following para
BEL's website: Micro-controller has a One Time Programmable Read Only Memory (OTPROM). Program codes are fused in this OTPROM permanently. Program codes once written and fused in this OTPROM cannot be read back or altered by anyone including the manufacturer. Thus, it is 100% code protected from either altering or decoding the contents.
The ROM can not be read by the normal reader, once the lockbits are set. In the case of an OTP ROM, it needs specialized equipment (a chip prober) to read the programmed data. In the case of MASK ROM, all you need is a microscope.
Pls read the Atmel chip manual Dilip posted. The manual mentions that some cheaper models don't have lockbits. So if a manufacturer wants to save costs and is not worried about protecting code, he would use such chips and so you may read the code. Also, very initial chips may not have had such lockbits.
There are chips without lockbits, and there are chips with them. There are also chips with permanent lockbits, like the ones used in video games. Still, the MASK ROMs can be read visually.
The hacking tools give a "guess" of what possibly goes in ROM. There is no tool to read ROM. Or else, if I send you a ROM, can you read it? If yes, pls post the list of the equipment used with URLs. And pls mention the names of people in India who have this equipment. Pls mention exact process steps, not just mention the names of some hackers and pass the buck to them.
The MASK ROM can be accurately read visually. Yes, if you send me a ROM, I can read it. The only equipment I need is a mini grinder, a microscope, and some chemicals.

My company has the equipment, right downstairs of my office. The chemicals I can buy from the lab store in the city.

Clarification: Reading mask ROM is visual, so it is OK to damage the functionality of the chip. Hence the decapping can be done using aggressive chemicals. If you want to keep functionality, and avoid damage, then you need a decapper machine, which we don't have at my company. For that we may have to approach SCL.
Many moons ago, you gave me a process listing with team lead, QI, QE blah blah and asked me how would I subvert it if I were BEL CEO? Do you have the answer now, how your beloved process can be subverted? If I were BEL CEO, I would just outsource ROM burning to Hitachi or any other CIA outfit. Now tell me, which "process" would you use to stop me? So much for "processes".
Of course I have the answer. That process does not exist, because the chips are MASK ROM. That process was for OTP ROM. The EC have kindly disclosed that the chips are MASK ROM.
Dileep
BRF Oldie
Posts: 5891
Joined: 04 Apr 2005 08:17
Location: Dera Mahab Ali धरा महाबलिस्याः درا مهاب الي

Re: Should we discontinue EVMs?

Post by Dileep »

Rahul Mehta wrote: This step can be subverted by implementing lockbits as "multiple lockbits" and combining locking code with Chip ID.

Now chipID will be unique. And corresponding to each chipID, I will have a different lockbit combination for unlocking. So you will never be able to guess the unlocking combination for a given chipID, unless you know the exact function.
The lockbits don't matter anymore, but.

The lockbits are a published feature, and the programmer uses the published feature to lock the bits. How can the algorithm be changed for rigging purposes then?
Unless you have a tool to DIRECTLY read EVERY bit separately at every given memory address, you have a case. Otherwise, you can assume that Hitachi has implemented cure to every known hacking tool and technique.

In any case, you can ask BEL to give a demo of how they read the binaries when chips came from Hitachi. Otherwise, you cant say that EVM chips have same binary as one claimed.
The tool to READ is Eyeball Mk1. It just needs a magnifier device (aka microscope) to assist, that is all.
Dileep
BRF Oldie
Posts: 5891
Joined: 04 Apr 2005 08:17
Location: Dera Mahab Ali धरा महाबलिस्याः درا مهاب الي

Re: Should we discontinue EVMs?

Post by Dileep »

ArmenT wrote: For a chip that is mass produced??? You must be out of your mind.
Oh, Armen!! isn't that obvious!!
Dileep
BRF Oldie
Posts: 5891
Joined: 04 Apr 2005 08:17
Location: Dera Mahab Ali धरा महाबलिस्याः درا مهاب الي

Re: Should we discontinue EVMs?

Post by Dileep »

And finally, folks, it is a 'strategically brilliant' move to reply to every post of EVM haters. No point goes unanswered, and the quest for 'oldie'ship proceeds 'ka-ching, ka-ching'. "Two b**bs in one grope onlee"*

*That is a parallel to the master parody of Arun_S. "One b**b in hand is better than two in the b*a"
ArmenT
BR Mainsite Crew
Posts: 4239
Joined: 10 Sep 2007 05:57
Location: Loud, Proud, Ugly American

Re: Should we discontinue EVMs?

Post by ArmenT »

Point of note: Since the EC has disclosed who they send the Mask ROM to, it is very likely that the EVMs are using SuperH chips, not Atmel. So that should end at least one bit of speculation.
Raja Bose
BRF Oldie
Posts: 19477
Joined: 18 Oct 2005 01:38

Re: Should we discontinue EVMs?

Post by Raja Bose »

This disproving of RM's herbs-laden theories about EVMs is frankly getting boring (it may have been more exciting if cut-and-paste had not been invented). Maybe I should slip into the role of RM avatar #2 and do what RM is doing to EVM, except my target will be RM #1's video camera+stamping machine idea....might mean an even faster increase in our post count towards oldie-dom. :twisted:

I, for example, want to start with how the firmware of the videocamera/webcam can be subverted since only a handful of large scale manufacturers make them in China/Taiwan/S.Korea and obviously they are infiltrated and subverted by CIA. Hence, it is trivial with the help of 5-10 people at the top to simply replace the camera firmware with one which just synthesizes fake images (by composing fake components with real images - pretty well known in special effects and computer vision/augmented reality) instead of reading only from the CCD. In fact, I say that there is NO tool in the world which can tell you for sure if the image is fake since there is no real image to compare it with - even the best labs in the world won't be able to do it and if they were, they are already subverted by CIA/Mossad (JPL is usually the best at this video processing stuff). RM ji, what do you think of that? :mrgreen:
ArmenT
BR Mainsite Crew
Posts: 4239
Joined: 10 Sep 2007 05:57
Location: Loud, Proud, Ugly American

Re: Should we discontinue EVMs?

Post by ArmenT »

BTW I second the vote that we should move this to the Technology forum.
Raja Bose
BRF Oldie
Posts: 19477
Joined: 18 Oct 2005 01:38

Re: Should we discontinue EVMs?

Post by Raja Bose »

^^^ In fact if adminullahs in all their wisdom decide to move this thread to Tech forum, I will abandon any plans of becoming RM avatar #2 and will post serious posts onlee. :twisted:
Dileep
BRF Oldie
Posts: 5891
Joined: 04 Apr 2005 08:17
Location: Dera Mahab Ali धरा महाबलिस्याः درا مهاب الي

Re: Should we discontinue EVMs?

Post by Dileep »

ArmenT wrote:Point of note: Since the EC has disclosed who they send the Mask ROM to, it is very likely that the EVMs are using SuperH chips, not Atmel. So that should end at least one bit of speculation.
Armen, originally, no one had a clue which family the EVM chip belonged to. I know ATMEL very well, so I chose one from their offerings to serve as an example. Yes, that is no longer relevant.

I am not exactly sure about the SuperH family. This chip was selected a long time ago, so we need to consider that as well. Maybe I should take a comparative study and find possible candidates.
Raja Bose
BRF Oldie
Posts: 19477
Joined: 18 Oct 2005 01:38

Re: Should we discontinue EVMs?

Post by Raja Bose »

^^ SuperH cores seem to be too TFTA for the use in something like the EVM. Sounds more like something one can use as an application processor in smartphones.

Edited: There seem to be some which might get used such as the SH/Tiny and some of the SH 74xx series. For reference, list is here: http://www.renesas.com/fmwk.jsp?cnt=sup ... erh_family
Pranav
BRF Oldie
Posts: 5280
Joined: 06 Apr 2009 13:23

Re: Should we discontinue EVMs?

Post by Pranav »

Dileep wrote:
Pranav wrote:What kind of lunacy is this? EC refuses to provide an unprogrammed machine and then claims that the machine cannot be tampered with. I guess what this means is that once the trojan has been installed, nobody can tamper with it!
What kind of lunacy is your argument? We are discussing the security measures that prevent someone from putting compromised code in the EVM in the first place. Giving a blank EVM nullifies that whole mechanism.

I can write code that displays "Pranav is the WINNER" on the EVM's screen. What does that prove?
Read the post I was responding to to understand what was being talked about.
Dileep wrote:
Note that none of the security measures outlined below can guard against the attack vector I have described in previous posts:
Jog our collective memories. Please outline your attack vector again, and I will be glad to tear them down again. Thanks.
Tear them down again? You have not torn it down even for the first time.
Pranav
BRF Oldie
Posts: 5280
Joined: 06 Apr 2009 13:23

Re: Should we discontinue EVMs?

Post by Pranav »

Dileep wrote: BEL production verifies the image on the received chips. Also, at any time in the coming years, someone can do a forensic evaluation on the chips by decapping, and find it all out.
BEL does nothing of the sort. It does only functional testing. The compromised binary could be created either at BEL or at the foreign company. EC will provide sample machines for the kind of tamasha they staged recently, but obviously such "random" samples would not include any compromised machines.

If BEL starts doing real testing, then we could discuss the integrity of the testing personnel. But for now such issues do not arise.
Last edited by Pranav on 10 Aug 2009 07:05, edited 2 times in total.
Muppalla
BRF Oldie
Posts: 7115
Joined: 12 Jun 1999 11:31

Re: Should we discontinue EVMs?

Post by Muppalla »

Raja Bose wrote:^^^ In fact if adminullahs in all their wisdom decide to move this thread to Tech forum, I will abandon any plans of becoming RM avatar #2 and will post serious posts onlee. :twisted:
Irrespective of the Admins' decision, please post seriously. It was a great learning experience from you guys. This thread is real material for the archive when it concludes, though it was a little acrimonious. Maybe the first from this new forum.

That the EC has to be more transparent is very apparent from the dialogue since the elections.
Raju

Re: Should we discontinue EVMs?

Post by Raju »

ArmenT wrote:(1) I have no personal interest in Indian elections whatsoever (I'm an American citizen, old pal) and (2)
Yes sir, we are the fools here.
Raja Bose
BRF Oldie
Posts: 19477
Joined: 18 Oct 2005 01:38

Re: Should we discontinue EVMs?

Post by Raja Bose »

Muppalla wrote: Irrespective of Admins decision, please post seriously. It was a great learning experience from you guys. This thread is real material for archieve when it concludes, though it was little acrimonious. May be the first from this new forum.
Well even if I become RM avatar #2, I will post seriously only, except that the seriousness would be in RM-mode. Unless of course you are somehow implying that RM #1 was not being serious! :wink:
Muppalla wrote: EC has to be more transparent is very apparent from the dialouge since elections.
EC has to be transparent, no doubt..they really don't do any favours by not revealing non-confidential details though the present meeting has revealed some hitherto unknown facts about the EVMs. However, one does have to keep in mind that transparency doesn't deter conspiracy theorists - if you give them 1 machine to test, they will claim that the remaining 999,999 have been compromised; if you give them all 100,000 machines to test, they will claim that all those machines will be mysteriously replaced before elections and re-replaced after elections, so on it goes.
Raja Bose
BRF Oldie
Posts: 19477
Joined: 18 Oct 2005 01:38

Re: Should we discontinue EVMs?

Post by Raja Bose »

Raju wrote:
ArmenT wrote:(1) I have no personal interest in Indian elections whatsoever (I'm an American citizen, old pal) and (2)
Yes sir, we are the fools here.
My brother, what does ArmenT's US citizenship have to do with whether you are a fool or a wise man? :roll:
Raja Bose
BRF Oldie
Posts: 19477
Joined: 18 Oct 2005 01:38

Re: Should we discontinue EVMs?

Post by Raja Bose »

Pranav wrote:
Note that none of the security measures outlined below can guard against the attack vector I have described in previous posts:
Tear them down again? You have not torn it down even for the first time.
Then please post again since the thread has grown pretty long. Thanks.

Added: Hooray! 1300 complete, only 701 to go for Oldie status!! :mrgreen:
Dileep
BRF Oldie
Posts: 5891
Joined: 04 Apr 2005 08:17
Location: Dera Mahab Ali धरा महाबलिस्याः درا مهاب الي

Re: Should we discontinue EVMs?

Post by Dileep »

Pranav wrote: Read the post I was responding to to understand what was being talked about.
I always read the posts fully before replying.

Let me make it clear. There is no question that you can do whatever you want (activation notwithstanding) with the EVM once the rigged code gets into the machine. I agree with that. I don't think there is anyone who would not.

The contention I am making is that it is impossible to get a rigged program into the EVM. We can debate that to whatever extent you want.

But, giving a blank EVM totally and completely nullifies that whole argument. That action proves only the first point that I have already agreed. Why bother to prove it when it is already agreed?

Then what is your problem?

Let me guess. If the EC gives a blank EVM, and it is shown to be riggable, you can make an RMesq level dishonest victory dance, and fool the people. You can very cleverly hide the real argument (that it is impossible to get the code in) and vanquish the strawman.

That is excellent strategy, but it ain't going to fly in this forum.
Dileep wrote:
Note that none of the security measures outlined below can guard against the attack vector I have described in previous posts:
Jog our collective memories. Please outline your attack vector again, and I will be glad to tear them down again. Thanks.
Tear them down again? You have not torn it down even for the first time.

OK, do me a favour. Please present it here once again. If you believe that it was not torn down already, you should be happy to prove that once again won't you.

And that is post # 1500.
Dileep
BRF Oldie
Posts: 5891
Joined: 04 Apr 2005 08:17
Location: Dera Mahab Ali धरा महाबलिस्याः درا مهاب الي

Re: Should we discontinue EVMs?

Post by Dileep »

Pranav wrote:
Dileep wrote: BEL production verifies the image on the received chips. Also, at any time in the coming years, someone can do a forensic evaluation on the chips by decapping, and find it all out.
BEL does nothing of the sort. It does only functional testing.
How do you know? It is standard procedure to verify the binary on mask ROMs. There will be first article approval by full testing, and then there will be sample testing from EVERY lot.
The compromised binary could be created either at BEL or at the foreign company. EC will provide sample machines for the kind of tamasha they staged recently, but obviously such "random" samples would not include any compromised machines.

If BEL starts doing real testing, then we could discuss the integrity of the testing personnel. But for now such issues do not arise.
If compromised binary was ever inserted, that will be with the help of a large number of people from BEL and ECIL. There is no question of the foreign company doing it without operator level involvement from BEL. If you have that kind of involvement from BEL, then you can make the binary in BEL itself, without involving the foreign company.

So, right now, the ONLY weak link in the chain is BEL and ECIL, and their system. The chip maker can be eliminated from the equation.

The silver bullet in this case is, the code can be recovered at any point in the future. Would anyone dare to do something when you very well know that?
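Dileep's post rests on two checks: a received chip's image is compared byte for byte with the approved binary (first article, then samples from every lot), and anyone can repeat that comparison later from a decapped chip. The added example below, which is not BEL's, ECIL's or the thread's own code, shows what the comparison looks like and, using the exact hypergeometric probability, how many chips must be dumped per lot to catch tampering with a stated confidence. The lot size, tampered count and confidence used are assumptions.

```python
"""Incoming-inspection checks for a lot of mask ROM chips.

Added example, not code from the thread or from BEL/ECIL. Shows (a) comparing
a dump read off a received chip against the approved reference image, and
(b) how many chips from a lot must be dumped to catch tampering with a given
confidence. All sizes and numbers used below are assumptions.
"""
import hashlib
from fractions import Fraction


def verify_image(reference: bytes, dumped: bytes, max_report: int = 16) -> dict:
    """Byte-exact comparison of a dumped ROM image with the reference.

    A hash alone gives pass/fail; the mismatch offsets tell whether a failure
    looks like a read error (a few scattered bytes) or a substituted code
    region (a contiguous run)."""
    result = {
        "ok": False,
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
        "dumped_sha256": hashlib.sha256(dumped).hexdigest(),
        "mismatch_count": 0,
        "first_mismatches": [],
    }
    if len(reference) != len(dumped):
        result["reason"] = f"size mismatch: {len(reference)} vs {len(dumped)}"
        return result
    mismatches = [i for i, (a, b) in enumerate(zip(reference, dumped)) if a != b]
    result["mismatch_count"] = len(mismatches)
    result["first_mismatches"] = mismatches[:max_report]
    result["ok"] = not mismatches
    if mismatches:
        result["reason"] = "content differs"
    return result


def miss_probability(lot_size: int, tampered: int, n: int) -> Fraction:
    """Exact probability that n chips drawn at random without replacement from
    a lot containing `tampered` bad chips are all good (hypergeometric)."""
    if not 0 <= tampered <= lot_size or not 0 <= n <= lot_size:
        raise ValueError("bad arguments")
    good = lot_size - tampered
    p = Fraction(1)
    for i in range(n):
        if good - i <= 0:
            return Fraction(0)
        p *= Fraction(good - i, lot_size - i)
    return p


def lot_sample_size(lot_size: int, tampered: int, confidence: float) -> int:
    """Smallest n such that at least one tampered chip is found with
    probability >= confidence, assuming `tampered` bad chips in the lot."""
    if tampered <= 0:
        raise ValueError("assume at least one tampered chip, else there is nothing to find")
    target = 1 - Fraction(str(confidence))  # allowed probability of missing them all
    for n in range(1, lot_size + 1):
        if miss_probability(lot_size, tampered, n) <= target:
            return n
    return lot_size


if __name__ == "__main__":
    # Constructed sample: a 256-byte "reference" and a dump with 4 bytes replaced.
    reference = bytes(range(256))
    dumped = bytearray(reference)
    dumped[0x40:0x44] = b"\xde\xad\xbe\xef"
    print(verify_image(reference, bytes(dumped)))
    # Assumed lot of 1000 chips, 10 of them tampered, 95% confidence of catching one.
    print(lot_sample_size(1000, 10, 0.95))
```

The second function is the caveat a practitioner would add to "sample testing from EVERY lot": the sample only catches tampering if it is drawn at random by the inspecting side and is large relative to the tampered fraction. With the assumed numbers (1% of a 1000-chip lot tampered) the function returns a sample in the high two hundreds, and a tamperer who alters fewer chips per lot pushes the required sample higher still; full first-article verification does not substitute for this, because it checks a chip the supplier chose to present.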
Raja Bose
BRF Oldie
Posts: 19477
Joined: 18 Oct 2005 01:38

Re: Should we discontinue EVMs?

Post by Raja Bose »

Dileep wrote:The silver bullet in this case is, the code can be recovered at any point in the future. Would anyone dare to do something when you very well know that?
You bet they would. You see the CIA has subverted those people who are supposed to recover the code and compare its authenticity (I think they are CTO level people close to Chawla).
ArmenT
BR Mainsite Crew
Posts: 4239
Joined: 10 Sep 2007 05:57
Location: Loud, Proud, Ugly American

Re: Should we discontinue EVMs?

Post by ArmenT »

Raju wrote:
ArmenT wrote:(1) I have no personal interest in Indian elections whatsoever (I'm an American citizen, old pal) and (2)
Yes sir, we are the fools here.
That was in response to RM (El-Gujarati) who very cunningly suggested that I should ask BEL for a demo about how they read the binaries from the chips coming back from Hitachi. Note that he's the one that is claiming shenanigans, so why he suggests that I should do the querying is beyond me.
Dileep
BRF Oldie
Posts: 5891
Joined: 04 Apr 2005 08:17
Location: Dera Mahab Ali धरा महाबलिस्याः درا مهاب الي

Re: Should we discontinue EVMs?

Post by Dileep »

Hmm, it won't be difficult to get one specimen of the chip. There will be failed chips in the plant, and if you have a trusted operator inside, he can get a few smuggled out.

Why don't the anti-EVM crowd try that? That will be the biggest scoop ever!!