How to bypass the crypto chip in my raspberry pi camera (v2)


5 posts
by titusece » Tue Mar 21, 2017 5:31 am
Hello,
I want to bypass the crypto chip stuff in my raspberry pi camera (v2) as that crypto chip is burned.
I removed that chip from my board and now the camera board has stopped working.
It seems that the crypto chip has camera information stored (brightness, gain, etc.); I want to bypass it, where/how can I do this?
Any firmware or driver changes needed ?

Also is it possible if I buy new chip and mount it, will it work ?
How can I program that chip if I do this ?

Thanks for reading this post and much appreciate for your help.
I'm new to this camera stuff and crypto chip.

Regards,
Titus S.
Posts: 8
Joined: Sat Sep 10, 2016 3:24 pm
by jamesh » Tue Mar 21, 2017 6:47 am
The chip is required to make the camera work so you are out of luck, you have to have the chip there.

How did you burn it or are you really just trying to get round the security? As far as I know breaking the chip is practically impossible.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Please direct all questions to the forum, I do not do support via PM.
Raspberry Pi Engineer & Forum Moderator
Posts: 17092
Joined: Sat Jul 30, 2011 7:41 pm
by titusece » Fri Mar 24, 2017 12:55 pm
Not sure how it's gone; I was continuously capturing and did some kind of torture testing with the camera for my project.
And it stopped working. I checked with the HW guy, and he said that the crypto chip is not functioning....
1) How can I unbrick the board ? :(
If anything change the code or firmware so that I can bypass the crypto functionality...

2) If I mount the new crypto chip, anything I need to do with SW like programming that chip etc.,

Any help to get out of this security crypto check ?

Thanks for the help.
Posts: 8
Joined: Sat Sep 10, 2016 3:24 pm
by jamesh » Fri Mar 24, 2017 1:20 pm
You need to buy a new camera. If the crypto chip is dead (and I still cannot see how that can possibly happen) then the board is useless.

No amount of torture testing is likely to break either the camera or the crypto chip.

Also asking how to bypass the crypto chip, on the official Raspberry Pi forums, isn't likely to get a lot of helpful responses.

However, since it is very unlikely to be the crypto chip, we are more than happy to try and diagnose the problem which is almost certainly elsewhere.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Please direct all questions to the forum, I do not do support via PM.
Raspberry Pi Engineer & Forum Moderator
Posts: 17092
Joined: Sat Jul 30, 2011 7:41 pm
by RareHare » Sat Mar 25, 2017 1:22 am
titusece wrote: I removed that chip from my board and now the camera board has stopped working.
From what I have read in this forum, the purpose of the crypto chip is to prevent other vendors from making V2 cameras that will work with the RPi. If that is the purpose, then, naturally, if you remove it, you can expect that the camera will cease to work. :o Otherwise, it would not be a very effective block-out mechanism, as another vendor could simply copy the design, minus the crypto chip, and sell that. That said, one might infer that the mechanism that is being employed is one where the RPi, at time of camera usage, queries the crypto chip, first, to determine if the chip is one that is authorized by RPT (given that anyone can buy the chip on the open-market), before interacting with the IMX219. Given that chips, themselves, are commodities, and the crypto chip, in this case, is being sold by Atmel, one realizes that authorize implies that the chip was somehow touched at time of camera-module manufacture, and touched means written.

There are numerous cryptographic algorithms for determining authenticity of an integrated circuit, and this particular chip apparently uses SHA-256. This chip also has the ability to store sixteen 256-bit cryptographic keys. Knowing this, a possibility of operation might be as follows:
  1. When camera module is manufactured, crypto chip is written with a master secret 256-bit key known only to RPT.
  2. By design, such keys are write-only, and cannot be read by a chip-sniffer.
  3. User attempts to use camera module.
  4. RPi code computes a random string.
  5. RPi code knows of master secret key that it wrote to all manufactured camera modules' crypto chips.
  6. RPi code computes message digest of random string using the doled-out master secret key as SHA-256 key.
  7. RPi code challenges crypto chip, over its I2C interface, with random string.
  8. Crypto chip computes message digest of random string using its internalized secret key as SHA-256 key.
  9. Crypto chip responds to RPi code with message digest.
  10. RPi code compares its own computed message digest with message digest received from crypto chip.
  11. If the two message digests match, proceed to interact with IMX219. If not, do nothing and error-out.
This algorithm would work because it would be exceptionally unlikely that a non-RPT camera module is able to generate the correct message digest from the random string using a bogus SHA-256 master key. If you are wondering just how long it would take to circumvent this block-out mechanism, consider: If someone were to buy a dummy chip from Atmel, write it with different bogus master SHA-256 keys, over and over (if that is even possible), and have a script on the RPi try to use the camera, each time, hoping to get lucky on choice of master secret key, you're looking at several billion trillion quadrillion times the age of the Universe, at least.

But this explanation is probably wrong, so please do not conclude that this is what is happening!
Posts: 82
Joined: Thu Jun 20, 2013 7:17 pm
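The challenge-response flow RareHare sketches above, written out as an added Python simulation (it is not Raspberry Pi firmware or the chip's real command set; the "SHA-256 key" step is assumed to mean HMAC-SHA256, and every key value below is constructed for the demo):

```python
import hashlib
import hmac
import os

# Constructed keys for the simulation only; they are not Raspberry Pi or Atmel values.
RPT_MASTER_KEY = hashlib.sha256(b"constructed RPT master key (demo)").digest()
BOGUS_KEY = hashlib.sha256(b"constructed bogus key (demo)").digest()


class CryptoChip:
    """Stands in for the camera's authentication chip (steps 1, 2 and 8).

    The key is written once at 'manufacture' and no method ever returns it,
    mirroring the write-only keys the post describes.
    """

    def __init__(self, secret_key: bytes) -> None:
        self._key = secret_key  # write-only: no accessor exposes it

    def respond(self, challenge: bytes) -> bytes:
        # Keyed SHA-256 over the challenge, modelled as HMAC-SHA256 (assumption).
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class MissingChip:
    """The board from the first post: chip removed, so no digest comes back."""

    def respond(self, challenge: bytes) -> bytes:
        return b""


class HostFirmware:
    """Stands in for the RPi-side code (steps 4 to 11)."""

    def __init__(self, master_key: bytes, rng=os.urandom) -> None:
        self._master = master_key
        self._rng = rng  # injectable so a test can pin the challenge

    def authenticate(self, chip) -> bool:
        challenge = self._rng(32)  # step 4: fresh random string per attempt
        expected = hmac.new(self._master, challenge, hashlib.sha256).digest()  # step 6
        response = chip.respond(challenge)  # steps 7-9 (over I2C in the real design)
        # step 10: constant-time compare so timing does not leak digest bytes
        return hmac.compare_digest(expected, response)


def run_checks() -> tuple:
    """Outcome for a genuine chip, a chip with a bogus key, and no chip at all."""
    host = HostFirmware(RPT_MASTER_KEY)
    return (host.authenticate(CryptoChip(RPT_MASTER_KEY)),
            host.authenticate(CryptoChip(BOGUS_KEY)),
            host.authenticate(MissingChip()))
```

Only the genuine chip passes; the bogus-key chip and the chipless board both fail step 11, which is the "board stopped working" behaviour the thread describes.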