CompactFlash, SD, MMC, USB flash storage. Anything that does not have moving parts inside.

Re: why flash manufacturers encrypt chips?

November 18th, 2022, 3:25

The XOR key is the output of an LFSR in most cases, with params chosen so that it has a large period.
It would be nice to write code to find out the parameters of the LFSR for an actual pattern; then we could generate it without the need to recover the whole pattern from the target device. Probably a small part would be sufficient...

pepe
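
The parameter search described in the post above is what the Berlekamp-Massey algorithm does for a plain (linear) LFSR. The sketch below is an added example, not code from any poster; the taps, seed and register width are constructed sample values, and it assumes the pattern is the raw bit output of a single LFSR.

```python
def lfsr_bits(taps, seed_bits, n):
    """Fibonacci LFSR over GF(2): s[i] = XOR of s[i - t] for t in taps."""
    s = list(seed_bits)
    while len(s) < n:
        bit = 0
        for t in taps:
            bit ^= s[-t]
        s.append(bit)
    return s[:n]


def berlekamp_massey(s):
    """Return (L, taps) of the shortest LFSR that reproduces the bit list s."""
    n = len(s)
    c = [1] + [0] * n   # current connection polynomial, c[j] = 1 means tap j
    b = [1] + [0] * n   # polynomial saved at the last length change
    L, m = 0, -1
    for i in range(n):
        d = s[i]        # discrepancy: observed bit vs. what c predicts
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            prev = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, prev
    return L, [j for j in range(1, L + 1) if c[j]]


def recover_and_extend(sample_bits, n):
    """Fit an LFSR to a short sample, then regenerate n bits of the pattern."""
    L, taps = berlekamp_massey(sample_bits)
    return L, taps, lfsr_bits(taps, sample_bits[:L], n)


# Constructed sample, not from a real device: 16-bit register, made-up taps/seed.
TAPS = [11, 13, 14, 16]
SEED = [(0xACE1 >> k) & 1 for k in range(16)]
FULL = lfsr_bits(TAPS, SEED, 4096)      # stands in for the whole XOR pattern
SAMPLE = FULL[:48]                      # the "small part" we pretend to have

if __name__ == "__main__":
    L, taps, rebuilt = recover_and_extend(SAMPLE, len(FULL))
    print("length", L, "taps", taps, "matches full pattern:", rebuilt == FULL)
```

A register of length L is pinned down by 2L consecutive output bits, so 32 bits are enough for this 16-bit sample. A pattern built from several combined registers or a nonlinear step would come out with a much larger L.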

Re: why flash manufacturers encrypt chips?

November 20th, 2022, 17:09

pepe wrote: The XOR key is the output of an LFSR in most cases, with params chosen so that it has a large period.
It would be nice to write code to find out the parameters of the LFSR for an actual pattern; then we could generate it without the need to recover the whole pattern from the target device. Probably a small part would be sufficient...
I understand that a "seed" for an LFSR takes much less space than the actual pattern, but anyway, if there are unique "seeds" per sector, they themselves will consume a lot of flash space (in total). How many unique patterns are used per example disk? I am assuming they are reused; can anyone share an example pattern of key reuse?

Re: why flash manufacturers encrypt chips?

November 20th, 2022, 20:12

Yes these sorts of 'tricks' are often used in small devices, as you can have a very simple algo to create blocks of XOR... which takes up minimal firmware memory, or CPU instructions. I would have thought the algo could be figured out if you have the XOR block to reverse, but with my limited knowledge I couldn't find a way to generate the patterns.

I spent a while trying to decompile firmware to attempt to figure out this exact thing, plus others but did not have much success. The main problem in flash is the sheer number of different devices, each with their own way of doing things.

Best Practices? Manuals? Public Documentation? Core CPU support in IDA? Good IC Quality? Similarity between Vendors? Return on investment of research? NOPE, forget all that.

Re: why flash manufacturers encrypt chips?

November 21st, 2022, 2:09

it might be done in hw...

Re: why flash manufacturers encrypt chips?

November 26th, 2022, 22:38

I agree, it is definitely done in hardware; doing the LFSR/XOR in firmware would be far too slow and wasteful.

Re: why flash manufacturers encrypt chips?

November 27th, 2022, 18:49

Would it make sense to use the LBA as the seed? Then you wouldn't need to store it.

Re: why flash manufacturers encrypt chips?

November 28th, 2022, 11:58

fzabkar wrote:Would it make sense to use the LBA as the seed? Then you wouldn't need to store it.


Wouldn't that result in different XOR for each LBA?

Re: why flash manufacturers encrypt chips?

November 28th, 2022, 13:17

Arch Stanton wrote:
fzabkar wrote:Would it make sense to use the LBA as the seed? Then you wouldn't need to store it.


Wouldn't that result in different XOR for each LBA?

I was addressing "okton's" point about unique seeds for each LBA. I have no idea whether this is really the case, or why it would be necessary.

BTW, a hardware implementation of an LFSR is surprisingly trivial. For a 16-bit implementation, you just need a 16-bit shift register (4 x 4-bit) plus a quad XOR gate.

https://en.wikipedia.org/wiki/LSFR

https://upload.wikimedia.org/wikipedia/commons/a/a8/31_bit_Fibonacci_linear_feedback_shift_register.webm

Re: why flash manufacturers encrypt chips?

November 28th, 2022, 15:11

fzabkar wrote:
Arch Stanton wrote:
fzabkar wrote:Would it make sense to use the LBA as the seed? Then you wouldn't need to store it.


Wouldn't that result in different XOR for each LBA?

I was addressing "okton's" point about unique seeds for each LBA. I have no idea whether this is really the case, or why it would be necessary.

BTW, a hardware implementation of an LFSR is surprisingly trivial. For a 16-bit implementation, you just need a 16-bit shift register (4 x 4-bit) plus a quad XOR gate.

https://en.wikipedia.org/wiki/LSFR

https://upload.wikimedia.org/wikipedia/commons/a/a8/31_bit_Fibonacci_linear_feedback_shift_register.webm


Thanks Franc, that makes a nice idea for a X-mas decoration ;)

Re: why flash manufacturers encrypt chips?

August 20th, 2023, 12:57

Arch Stanton wrote:
rec wrote:
Arch Stanton wrote:Maybe for same reason hard drive manufacturers do this.

Also I have been wondering if encryption accomplishes the same as XOR scrambling.. XOR scrambling serves a purpose, say increase of entropy. Could encryption do the same?


I don't understand why a XOR operation increases entropy. Could you explain?

As for your encryption question the answer is yes if you use the right mode, see here:
https://github.com/pakesson/diy-ecb-penguin


Maybe I should have avoided that word, but if we XOR a block of zeros with a XOR key or block, do we not increase entropy? AIUI storing very similar data close together is more prone to corruption, and to avoid this XOR is applied to introduce noise and avoid worst-case patterns. I assumed this increase in noise level translates to high Shannon entropy. But I am no expert on the matter, it's what I read everywhere (NAND Flash Data Recovery Cook Book and other places / documents). If we look at a typical XOR-ed block of repeating bytes in VNR we see

xor-block.png


Which seems to me higher entropy data than a repeating pattern. If the same is already accomplished by some form of encryption XOR scrambling seems like an un-needed extra step. So maybe reasoning is, encryption gives us required noise AND we can position/market encryption as a feature. I do not know, I am simply guessing, thinking out loud.


In answer to my own question, it now seems to me the advantage of encryption is two-fold:

1. Encryption
2. Scrambling

So with encryption the requirement for 'scrambling' or 'whitening' is met as it is. Cells in modern flash memory are so small that there is crosstalk between them. Because of this, if too many adjacent bits are set the same way, it can cause more bit errors than if the bits were more random. Because of this, 'scrambling' or 'whitening' techniques are used to balance the number of 1s and 0s. This could be done with a simple linear feedback shift register (XOR). Or it could be done with an algorithm like AES that effectively scrambles the bits while also providing some nice security and fast secure erase benefits.

For reference see for example:

https://www.jstage.jst.go.jp/article/el ... 5/_article
http://soc.yonsei.ac.kr/Abstract/Intern ... evices.pdf
https://patents.google.com/patent/US8261159
https://patents.google.com/patent/US8713330
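
The whitening effect discussed in the post above can be measured directly. The following is an added example, not code from any poster: it XORs a constructed all-zero page with the output of a 16-bit LFSR (taps and seed are sample values) and compares the balance of 1s and 0s, the longest run of identical bits and the byte-histogram Shannon entropy before and after.

```python
import math
from collections import Counter
from itertools import groupby


def lfsr_keystream(n, state=0xACE1):
    """n bytes from a 16-bit Fibonacci LFSR (taps 16, 14, 13, 11; constructed)."""
    out = bytearray()
    for _ in range(n):
        byte = 0
        for _ in range(8):
            bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
            state = (state >> 1) | (bit << 15)
            byte = (byte << 1) | (state & 1)
        out.append(byte)
    return bytes(out)


def xor_bytes(data, key):
    """XOR two equal-length byte strings; the same call scrambles and descrambles."""
    return bytes(d ^ k for d, k in zip(data, key))


def whitening_metrics(data):
    """Ones ratio, longest run of equal bits, byte-histogram entropy (bits/byte)."""
    bits = "".join(f"{b:08b}" for b in data)
    total = len(data)
    entropy = -sum(c / total * math.log2(c / total) for c in Counter(data).values())
    return {
        "ones_ratio": bits.count("1") / len(bits),
        "longest_run": max(len(list(g)) for _, g in groupby(bits)),
        "byte_entropy": entropy,
    }


# Constructed input: one 4096-byte page of zeros, the worst case for the cells.
PAGE = bytes(4096)
KEY = lfsr_keystream(len(PAGE))
SCRAMBLED = xor_bytes(PAGE, KEY)

if __name__ == "__main__":
    print("plain    ", whitening_metrics(PAGE))
    print("scrambled", whitening_metrics(SCRAMBLED))
    print("round trip ok:", xor_bytes(SCRAMBLED, KEY) == PAGE)
```

The histogram entropy measures how evenly byte values are spread on the page, which is what the cells need; the scrambled page is still fully determined by the 16-bit register state, so the measurement says nothing about confidentiality.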

Re: why flash manufacturers encrypt chips?

August 20th, 2023, 15:34

It looks like HDD encoding at intervals of 1T, 1.5T, 2T.
There are also no consecutive zeros and ones on the plates.
And there are also preliminary distortions up to 0.25T.
Also from averaging...

Re: why flash manufacturers encrypt chips?

August 20th, 2023, 17:43

SWM, if you say so.