[Ifor1]

Quote:

Originally Posted by tweety

Bah. Thats almost all garbage.

- The core runs at 3v not 5v.

The rsm runs at 3vdc. you can't get atr at 3vdc.

Quote:

Originally Posted by tweety

- The circuit that "turns on the core" is significantly more complicated than a "FET and a Cap"

The GD is external to the rsm and "does" have the ability to disconnect the cores power supply.

Quote:

Originally Posted by tweety

- The GD triggers much much higher than 1.7v
- The GD does not shut down power to the core

The BOD triggers at a higher level. The GD (in my tests) has a threshold around 1.7vdc.
But I would accept any proof to the contrary with open arms...

[tweety]

Quote:

Originally Posted by Smallfry

Remember also that BOD's reset the core, and GD's will usally disconnect the core or halt it.

I disagree - they both reset

[tweety]

Quote:

Originally Posted by Ifor1

The rsm runs at 3vdc. you can't get atr at 3vdc.

The reason you cant get ATR at 3v has nothing to do with hardware.

Quote:

Originally Posted by Ifor1

The GD is external to the rsm and "does" have the ability to disconnect the cores power supply.

BOD is also external to RSM I'd say. I've seen plenty of circumstances that you are reporting about apparant power supply disconnect. But no concrete proof that it is GD.

Quote:

Originally Posted by Ifor1

The BOD triggers at a higher level. The GD (in my tests) has a threshold around 1.7vdc.
But I would accept any proof to the contrary with open arms...

What then causes the fairly hard floor at 3v? Not the BOD certainly - the BOD gives you well over 300ns before it complains.

And I also see no proof of so called dv/dt detection. You can come down to 3v as fast as you want with no complaint, but try to slip under 3v and it gets real real tricky. So if you suggest that GD is dv/dt then I respond that it must start in the 3v range (although I think dv/dt is not so simple an explanation). Regardless, If it were only 1.7, then most would have dumped the cam already with unmodded loaders.

[Smallfry]

Tweety,

Once again let me add that this is not specific to any one secure core. This is more a general idea of how to get around things. You are specifically targetting one manufacture so your results might not be in line with the secure core IFOR1 is testing. So please keep that in mind. If you would like to get provider specific please go start your own thread.

Now depending on the BOD it can detect as fast as 80ns a dip in voltage. This is the fastest I have seen. Also the BOD needs a reference voltage, so if the core startup voltage is say 4.5v than your BOD would detect -.5v below it's standard.

Keep the ideas coming, good work guys.

[Ifor1]

Quote:

Originally Posted by tweety

Regardless, If it were only 1.7, then most would have dumped the cam already with unmodded loaders.

The placement of the cap that drives the GD, has it being depleted prior to any other internal capacitance.

The core has several means of harvesting current that you would have to address in-order to get down to the fault range (which would be lower than the logic level of the GD's mux...they aren't that stupid)

The 3vdc floor you are referring to can actually be brought down to 2.2'ish vdc quite easily.

The BOD reacts one hell of alot faster than 300nS. It takes around 540nS for it to complete its reset and hang activation, but only takes several clocks to be triggered via dt/dv or a flag.

The reason you don't see an atr at 3vdc is because the rsm won't allow bootup until certain conditions are met. It is just speculation why the rsm won't allow the handshake until >4.x vdc but once you achieve handshake and the core fires up, you can then lower your values quite a bit.

[cornfounded]

I'm not sure what the "RSM" or what it does...if someone would care to explain, I would be appreciative.

If it works the way I'm reading here, you should be able to power up the card at a normal 5V, get through the start up process until the "RSM checks" pass, then lower Vcc to something.

Then, based on the first post in this thread, step down the voltage (I'm using the same 1V/nS example from the original post...is that accurate?)...then step it back up.

Code:

        4.5 ---------------                      --------------------
                           |                    |
        3.5                |--                --| 
                              |              |
        2.5                   |--          --|
                                 |        |
        1.5                      |--------|

                           |  |  |  |  |  |  |  |
                           0  10 20 30 40 50 60 70ns  

The entire glitch is under the 80nS BOD limit and passes the theoretical "1V/nS" GD rule.

Surely I am missing something...

[tweety]

Ah well, this will be my last try - purely for the benefit of others I expect:

Quote:

Originally Posted by Ifor1

The placement of the cap that drives the GD, has it being depleted prior to any other internal capacitance.

I see no evidence of this cap - if it were situated as you "guess" then it would be discernable from the outside. My suggestion to you is to try ANY glitch you can imagine on both the S0x and then the 24x. I assure you that you will see IDENTICAL scope signatures in all cases. There is no additional capacitance. We are merely dealing with improved detection circuits - period.

Quote:

Originally Posted by Ifor1

The core has several means of harvesting current that you would have to address

easily done

Quote:

Originally Posted by Ifor1

The BOD reacts one hell of alot faster than 300nS. It takes around 540nS for it to complete its reset and hang activation, but only takes several clocks to be triggered via dt/dv or a flag.

This is the crux of your disillusionment. I suggest you try a very very simple test. Why dont you simply float Vcc for awhile and watch it. It will of course, exhibit a drain as the CAM's capacitance discharges (identical drain as the S01 i might add - again) While you are at it, why dont you see how long it takes your BOD to decide to reset with Vcc floating? I promise you it is longer than 300ns. Next, dial down your "impedance matching" resistor as far as it will let you without triggering a reset during the Vcc float. Watch the scope. You now have a perfect view of the parameters of the BOD and the upper boundaries of the GD - which kicks in at 3v (depending on some other factors - but for purposes of this discussion should suffice)

Quote:

Originally Posted by Ifor1

The reason you don't see an atr at 3vdc is because the rsm won't allow bootup until certain conditions are met. It is just speculation why the rsm won't allow the handshake until >4.x vdc but once you achieve handshake and the core fires up, you can then lower your values quite a bit.

I am not going to explain this one to you. But you are absolutely incorrect. I suggest you consider for a moment that your need for "specualtion" suggests that you may not completely understand something invovled here.


Happy testing.

[Ifor1]

Quote:

Originally Posted by tweety

This is the crux of your disillusionment. I suggest you try a very very simple test. Why dont you simply float Vcc for awhile and watch it. It will of course, exhibit a drain as the CAM's capacitance discharges (identical drain as the S01 i might add - again) While you are at it, why dont you see how long it takes your BOD to decide to reset with Vcc floating? I promise you it is longer than 300ns. Next, dial down your "impedance matching" resistor as far as it will let you without triggering a reset during the Vcc float. Watch the scope. You now have a perfect view of the parameters of the BOD and the upper boundaries of the GD - which kicks in at 3v (depending on some other factors - but for purposes of this discussion should suffice)

Happy testing.

This "method" of detecting the BOD's threshold, will only trigger the BOD once the sample vcc level drops below the pre-set parameters, which then sets an interrupt flag, which gets checked every few clocks, then the BOD fires. The reason it takes >300nS, is the (T)ime it takes to drain the current.

The captures I have of the GD firing are unique to the rom 24x.

Quote:

Originally Posted by tweety

I am not going to explain this one to you. But you are absolutely incorrect. I suggest you consider for a moment that your need for "specualtion" suggests that you may not completely understand something invovled here.
Happy testing.

You won't...or can't?
Either way, it doesn't matter to me. And, you are correct! I am 99% sure I don't know whats going on with the rsm, at this point! But I will figure it out eventually...
P.S.
REMOVED!!

[ed12]

i have been watching this with a egal eye
so take it from there

atr can olny happen under 2 conditions
1=full ground
2=full vcc ie 3.2/3.5/3.7 to 5vdc
so-x will fault out at 3.5

glitch away

ed

[tweety]

Quote:

Originally Posted by Ifor1

This "method" of detecting the BOD's threshold, will only trigger the BOD once the sample vcc level drops below the pre-set parameters,

Correct

Quote:

Originally Posted by Ifor1

which then sets an interrupt flag,

Incorrect - BOD does not fire an interupt

Quote:

Originally Posted by Ifor1

which gets checked every few clocks,

Incorrect - superfulous, but incorrect regardless - interupts by definition do not get checked every few cycles

Quote:

Originally Posted by Ifor1

The reason it takes >300nS, is the (T)ime it takes to drain the current.

Watch it on the scope instead of assuming you know what you will find. I promise it will be worth your while.

Quote:

Originally Posted by Ifor1

The captures I have of the GD firing are unique to the rom 24x.

I absolutely believe you and agree - my comments regarding "scope signatures" were regarding capacitance. There is no argument that the GD on the 24x behaves differently than the S0x.