I think I found some flaws with this, now I think I am rather experienced but I haven't seen everything.<p>1) He didn't demonstrate it in real hardware without outside power and ground, while he says an arm core is very small, capacitors are large unless you change the laws of physics. Also I never saw a reliable clock generator the size of a 0402 (or even 1208 now that I think about it) passive. Like I said I haven't seen everything, if there are answers to these I'd love to see them.<p>2) He faked in some addition to unprogrammed memory, he theorizes the change can only work one way (change a high to low) so an obvious countermeasure is to fill empty memory with random bit patterns.<p>3) IIRC he intercepts an spi flash in series on the data (MISO) wire. Not only does this assume the spi clock is regular, I think it's totally wrong because he says he turns high to low. Usually the quiescent state of a net like this is high, due to pullup on one or both sides to Vdd (high state.) The mark on the data wire is a short to ground against this pullup to get a low state. Now I haven't seen everything, nor have I looked at any datasheets of parts used in any real system, of course the pullup can be anywhere along the wire, or in one or many integrated circuits along the net, but it really strikes me as incomplete because he says he turns high to low and I didn't notice him mentioning anything about any pullup and how to deal with it.<p>So until I see something better than this talk I am writing this off as feeding the FUD.
not all chip functions are documented or even acknoledged by the OEM.
white paper doesnt document all the functions of the chip.
look around at various whitepapers and you will see voids in the documentation, or referals so the user agreement and lisencing to access info and use of proprietary tech.
If you are into low level programming and IDE design you will see mnemonic instructions laid out ina table with gaps in the address mapping and an explanation that they are reserved, or unavailable, same with expected bit inputs or outputs- reserved "unmaped" or "unused"
BMCs are <i>"typically unsecure with no protection, no detection and no recovery"</i><p>What are the economic forces behind this, and would it be feasible to change this state of affairs?