Extracting a 3DES key from an IBM 4758

Part 8: Do It Yourself!

We have bundled up the various parts of our cracking system if you'd like to have a go yourself! You will need to purchase an Altera Excalibur NIOS Evaluation Board ($995). Then download http://www.cl.cam.ac.uk/~rnc1/descrack/cracker.zip

The files are:

  • sram.v
    Top level Verilog file for DES cracker
  • des.v
    Pipelined DES algorithm
  • ffunct.v
    Non-linear function for DES
  • sbox.v
    SBOX contents (specially arranged for minimum chip area)
  • lfsr.v
    Linear feedback shift register
  • keysched.v
    Key manipulation for DES pipeline stages

Compile these files. We used Exemplar Logic's LeonardoSpectrum v20001 for this. Ensure you enable pass 3 optimisation (this gives the best result) and DISABLE automatic creation of ROMs and RAMs (otherwise the S-boxes are turned into RAMs and the design will not fit into the chip!).

You will need your own NIOS processor (sorry, but we cannot place the Verilog for this on the web). You get all the files required with the $995 Excalibur kit. You should create the NIOS processor as follows:

Name          Type                                                              Base Address  IRQ
processor     16-bit NIOS : 14-bit address bus, 128 register file,              N/A           N/A
              shift 1 bit per clock
GERMS-ROM     Read-only on-chip memory : 16 bits * 1K, contains GERMS monitor   0x0000        N/A
Program RAM   Writeable on-chip memory : 16 bits * 8K, set blank                0x2000        N/A
uart          RS232 serial port : 115200, 8, N, 1, fixed baud rate              0x1000        26
pio_cmd       Parallel I/O : 10 bits, output only                               0x1010        N/A
pio_data      Parallel I/O : 16 bits, tri-state                                 0x1018        N/A
pio_status    Parallel I/O : 4 bits, input only                                 0x1020        N/A

You should now take the ".edf" file output by Leonardo and the NIOS files and combine them together using:

  • DESign.bdf
    Connections to NIOS design

We used Altera Quartus II v1.1 for this. It yielded a design with 8303 out of 8320 LUTs in use! So, don't be tempted to add much to what we've provided.

You should then download the design into the evaluation board. To shortcut all of the above, the ZIP file also contains the ".sof" file that needs to be downloaded.

  • DESign.sof
    DES cracker design for APEX 20KE200EFX484-2X

The next step is to compile the program to be run by the NIOS processor. We've provided the C source for this, and the evaluation board comes with a suitable version of GNU C targeted at the NIOS.

  • desmim.c
    DES cracker loading program
  • desmim.srec
    Loadable binary (for the NIOS design specced above)

Having compiled this program, load it into the NIOS (with nios-run).

The next component is the communications program that you run on your PC to talk to the NIOS program over a serial link. We've supplied not only the source for this but also the files needed to compile it with Microsoft's Visual C++ system.

  • destalk.dsw
    Visual Studio workspace file
  • destalk.dsp
    Visual Studio project file
  • stdafx.h
    standard includes
  • talk-desmim.cpp
    source for DES talker program

The final component is the program to be run on the IBM 4758. The source for this is also provided. Compile it as a WIN32 console application with Visual C++. You will need csunincl.h and csunsapi.lib, IBM's library for the CCA API.

  • harvest.dsw
    Visual Studio workspace file
  • harvest.dsp
    Visual Studio project file
  • harvest.c
    source for IBM 4758 program

If you're still waiting to get access to a real IBM 4758, you can use these two sets of encrypted results that we used.

  • variant_data_harvest_09oct.tv
  • variant_exporter_harvest_09oct.tv

Have fun! And do let us know (perhaps a postcard from your hideaway on Bermuda?) how you got on.


last modified 29 OCT 2001 -- http://www.cl.cam.ac.uk/~rnc1/descrack/diy.html