| Wireless Boundary Scan: The Perfect T... |
|
| Author |
Message |
   
Tom Borawski Voting Rights Forum Participant Username: Tomb
Post Number: 4 Registered: 5-2008
Best of Black Box?  Votes: 1 (A keeper?) | | Posted on Friday, May 23, 2008 - 7:05 pm: |
|
Boundary Scan technology allows a microprocessor pin to be manipulated outside of the actual program loaded in the processor itself. It is commonly used to program processor memory. Boundary Scan usually works through an electrical connection to the processor. The IEEE paper cited below discusses Wireless Boundary Scan. A covert Wireless Boundary Scan interface would be an undetectable tool for DRE Vote Fraud. Since the majority of microprocessors are imported into the United States, it is not beyond imagination that a foreign government would seek to implement a proprietary wireless boundary scan interface to processors known to be used in voting equipment. In short, with Wireless Boundary Scan, Benedict Arnold's crooked hardware can overwrite Boss Tweed's crooked software.

----------- IEEE Citation Follows ----------

A Boundary-Scan Solution for Remote System Monitoring, Testing and Configuration Via Inherent Secure Wired or Wireless Communication Protocols
Sparks, A.; van Houcke, M.; Ilkka Reis
Systems Readiness Technology Conference, IEEE Volume , Issue , Sept. 2006 Page(s):704 - 712
Digital Object Identifier 10.1109/AUTEST.2006.283752

Summary: The IEEE 1149.1 Boundary-Scan standard has become an invaluable tool for testing today's complex, high density digital designs. Although typically used to detect structural faults at board level test, access to the Boundary-Scan infrastructure at the system level enables such capabilities as system monitoring, system test after final assembly and system reconfiguration. To exploit these capabilities, one must have access to the internal Boundary-Scan infrastructure, which is becoming increasingly difficult with the miniaturization of products, shielding requirements and security concerns that prevent external access via the edge connector to the necessary test signals. Subsequently, it has become imperative that an alternative solution be found to gain access to the internal Boundary-Scan infrastructure. This paper will describe a solution to overcome these obstacles by providing remote access to a target system's internal Boundary-Scan infrastructure utilizing the existing, secure, wired or wireless communication protocol. |
   
Catherine Ansbro Frequent Voting Rights Forum Participant Username: Catherine_a
Post Number: 5042 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Saturday, May 24, 2008 - 3:50 am: |
|
Interesting. Thanks for the summary of the paper. |
   
Tom Borawski Voting Rights Forum Participant Username: Tomb
Post Number: 5 Registered: 5-2008
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Saturday, May 24, 2008 - 8:35 am: |
|
Here is a very useful FAQ regarding Boundary Scan. It has many links to the many boundary scan tools used to debug, load and manipulate electronic hardware. JTAG capability is built into many chips-- a lovely convenience for officials engaged in vote rigging. Here's the link: http://hri.sourceforge.net/tools/jtag_faq_org.html |
   
Mike LaBonte Frequent Voting Rights Forum Participant Username: Mike_labonte
Post Number: 240 Registered: 12-2005
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Tuesday, May 27, 2008 - 11:50 am: |
|
The stuff I have seen about wireless JTAG is simply a tiny circuit board that plugs onto a "standard" JTAG connector. It then allows JTAG commands without a cable from some distance. Someone would have to install one of these to use it. But any inspection later will find the "bug" hanging off the motherboard. I suppose it would be interesting to get a summary of JTAG use in voting machines. Which ones have it, and for which chips? So far I have read only about JTAG on Accuvote TSx. That's no surprise, since it is built from fairly modern standard hardware to run WinCE. I would be surprised if any of the older custom machines had JTAG wiring on the board at all, although they might have some chips with JTAG. Just speculating. Now, if someone has sufficient access to alter a machine with JTAG, why not just change the PROM? Admittedly if the PROMs can be programmed on-board with JTAG, that would be the least detectable way to do it. |
   
V. Kurt Bellman Frequent Voting Rights Forum Participant Username: Formerelecdir
Post Number: 2492 Registered: 4-2006

Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Tuesday, May 27, 2008 - 12:33 pm: |
|
Mike, The AVS WinVote had wireless capability all over it - they sold it as a "feature". It was designed as a way to load a whole warehouse full of ballot definition files from the wireless equipped server without having to use hardware memory cards or cartridges. It was outlawed in PA from the beginning. No wireless capability is allowed in any voting device used in PA. Even AVS, when they were a PA certified machine, had to completely disable their wireless capability in all their PA machines. By asking his pointed questions, Mr. Borawski, whether he realizes it or not, is suggesting widespread crime in Pennsylvania's elections. Wireless capability would, in and of itself, be a crime in PA. Any machine that has it is inherently illegal.
==========================================
http://kurtspeak.blogspot.com (some relevant to subjects here, most not)
|
   
Tom Borawski Voting Rights Forum Participant Username: Tomb
Post Number: 8 Registered: 5-2008
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Tuesday, May 27, 2008 - 3:49 pm: |
|
Kurt-- I'm in the tech section, not the PA section. I bring the point up as a technological proposition, not a specific accusation. I am glad that covert wireless capability in voting machines is illegal. I wouldn't have it any other way! I'm just looking into what exists now and what a system tailored towards DRE Vote Rigging would look like. I'm sure it would have a smaller footprint than this! http://www.atmel.com/dyn/resources/prod_documents/doc8095.pdf |
   
V. Kurt Bellman Frequent Voting Rights Forum Participant Username: Formerelecdir
Post Number: 2499 Registered: 4-2006

Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Wednesday, May 28, 2008 - 12:15 pm: |
|
Tom, What makes our state uncommon is that both covert AND overt "in your face" wireless is illegal.
==========================================
http://kurtspeak.blogspot.com (some relevant to subjects here, most not)
|
   
Tom Borawski Voting Rights Forum Participant Username: Tomb
Post Number: 9 Registered: 5-2008
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Wednesday, May 28, 2008 - 5:08 pm: |
|
Here is a very interesting paper on hacked up hardware (not boundary scan-specific, but very interesting) http://www.usenix.org/event/leet08/tech/full_papers/king/king_html/ I found the link on Matt Blaze's fantastic blog http://www.crypto.com/blog |
   
Tom Borawski Voting Rights Forum Participant Username: Tomb
Post Number: 15 Registered: 5-2008
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Sunday, June 8, 2008 - 8:13 am: |
|
Wireless hardware debugging
USPTO Application #: 20060179374
http://www.freshpatents.com/Wireless-hardware-debugging-dt20060810ptan20060179374.php?type=description

The Patent Description & Claims data below is from USPTO Patent Application 20060179374.

USPTO Application #: 20060179374
Title: Wireless hardware debugging
Abstract: Embodiments disclosed relate to wireless debugging of digital circuitry. A boundary scan system for debugging a digital circuit includes a boundary scan interface configured to couple to the digital circuit. The system further includes a first wireless port coupled to the boundary scan interface. The system further includes a second wireless port in wireless communication with the first wireless port for allowing bidirectional communication between the first and second wireless ports. The system further includes a boundary scan debugging device coupled to the second wireless port. The boundary scan debugging device includes a processor configured to conduct a boundary scan analysis of the digital circuit across the wireless connection between the first and second wireless ports. Suitable boundary scan techniques and instructions for testing a digital circuit are set forth in IEEE 1149. (end of abstract)
Agent: Workman Nydegger (f/k/a Workman Nydegger & Seeley) - Salt Lake City, UT, US
Inventor: Gayle Noble
USPTO Application #: 20060179374 - Class: 714727000 (USPTO)
Related Patent Categories: Error Detection/correction And Fault Detection/recovery, Pulse Or Data Error Handling, Digital Logic Testing, Scan Path Testing (e.g., Level Sensitive Scan Design (lssd)), Boundary Scan |
   
Charles Christopher Frequent Voting Rights Forum Participant Username: Ilikeinfo
Post Number: 102 Registered: 11-2006
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Friday, October 17, 2008 - 6:05 pm: |
|
Wow! [as my jaw hits the floor over this thread]

In general boundary scan can't run at "full speed", and so the designer would have to go through heroic efforts to have a system that could be manipulated *WHILE OPERATING* without causing undesired effects on the system while operating. No sane engineer, that gives a damn about their reputation, would *EVER* design a system this way, period. If I put wireless access into a box I *WILL* "connect" it through the normal operating software and *NOT* "hack it in" the way suggested here. I find it personally offensive that *ANY* company would consider this as an acceptable design.

It's true that current manufacturing practice *IS* to use this very design concept to load the initial embedded program into the device, as well as inexpensively recover a device that fails for any reason during a firmware upgrade. But to consider this programming method to be other than "Rube Goldberg" after shipment is just unacceptable. And in the scope of those products' intended usage it just *SCREAMS TO ME* as a *VERY* effective way to undetectably *TAMPER* with a device *AT ANY TIME* == The full operation of the device has been split out so the true operation of *THE SYSTEM* is *NOT* completely embodied in its software and can't possibly be reviewed by reviewing the software / firmware ....

As for the above mentioned patent for *REMOTE DEBUGGING*, that's very different. That is in effect moving the test and QC system of the production line out to the customer site. That is a very novel and brilliant insight, however it bears no resemblance to the idea of using boundary scan as any part of *NORMAL DEVICE OPERATIONS* *BY THE ENDUSER*! In fact just the act of giving the enduser such software actually gives away proprietary information: The device's schematic!

Again, this is totally nonsensical, the only reason for placing such device operations into boundary scan is to split the design into a piece that can be dissected and scrutinized, and a piece that can't be .... The reason it's ok to program the firmware this way before shipment is simple, all the devices are *THE SAME* except likely serialization fields (which have static / unchanging locations) to uniquely mark each device. Again you just don't design systems this way, you connect the wireless device to the main code and have the preload layer exist that way *NOT* as proposed.

Problem definition *FIRST*, solution formulation *SECOND*.
|