by nkurz 2723 days ago
He didn't demonstrate it in real hardware without outside power and ground

Are you sure about this? The writeup says (emphasis added):

---

My FPGA proof of concept implant is a little larger than the passive resistor component we would want to hide it in, although that is not a significant limitation. Thanks to Moore's Law, an entire ARM Cortex M0+ CPU could fit in the space used by two transistors on the 6502 CPU. The 1.2mm^2 of a 0603 is significantly larger than necessary to fit a fairly complex CPU and ASIC, along with some of the passive components necessary to make it work in the difficult environment of this implant.

Normally the SPI bus requires six connections to function, but the implant has only part of a single one. It doesn't connect to power or ground, so it must be parasitically powered by the current flowing from the SPI flash to the BMC during normal operation (similar to the RFID CPUs that have enough capacitance to run even when they are shorting the antenna coil).

---

I'd like to think that you are wrong, and that the implant was (as described) a hardware proof of concept without outside power and ground. But if you are correct, this would seem to make the writeup so intentionally misleading as to not be worth further consideration.


I think his demo POC had outside power and ground. He believes the actual implant was powered parasitically from the SPI's bus current.

That would be pretty cool to see demoed itself. As he states, we have RFID CPUs that can work with fantastically small amounts of power only from their antennas.

I think his demo POC had outside power and ground.

I would hope this is not the case. If it was, I don't see how it can be legitimately called a hardware proof-of-concept. I agree, though, that the lack of outside power and ground doesn't seem to be explicitly stated in the writeup. The video comes a little closer, with one of the questions after the talk asking whether using more pins would make things easier: (from the automatic transcript of https://youtu.be/C7H3V7tkxeA?t=1868, punctuation added and some typos corrected):

"But do you see a way to actually get more power into your setup, maybe using other power sources other than the two pins?"

"So the question is about would there be some way to do more arbitrary changes through redesigning the implant? One of the goals was to fit with only those two pins so that a single piece on the motherboard could be replaced. You know, with a dual probe soldering iron you can pop it out and stick a new one down in a matter of seconds. So yes, if you have more pins where you can get more power from you can do much more interesting things, but that would require a different set of changes to the motherboard."

I'm pretty sure the author is claiming that their FPGA implant was working off of just two pins on the motherboard. If they are relying on some technicality (such as "all the other pins are from a source other than the motherboard") this would make me write off the entire article as untrustworthy. But until there is proof to the contrary, I'm inclined to believe that they used no outside power or ground, and that they indeed built a hardware POC.

Edit: I sent email to the author asking for clarification.

I don't think his proof of concept is trying to recreate the entire implant as it is seen in the wild. His POC is trying to answer "A) can I put something in the middle of this one wire on the SPI bus and twiddle it enough to exploit the BMC?", which his demo seems to prove.

Did he prove that B) he can do it in the footprint of a surface mount resistor? No. His information on how small uCs can be is supposed to support that.

Did he prove that C) the implant can do it _with only one wire_ going to it with no power and ground? No. He makes references to RFID CPUs to show that it should be possible to power it parasitically.

Does not doing B or C invalidate A and make the whole A, B, C implant impossible? I don't think so.

I would really like to see a POC for C though. That would be super interesting to me. That would be the next logical step for this or another researcher.