03/02/10 19:17
#173739 - 40 instead of 50000000
What do you mean by, "a timing based password attack" ?

Especially considering that this is for manual keypad entry?


Kai was using an 8 decimal digit password "12345678"
and so up to 100.000.000 different passwords would have to
be checked (or 50.000.000 on average).

Using a timing based password attack this _can_ reduce
to 80 different tries (or 40 tries on average).
Within reach of a human operator:)


Assume Kai's device uses a keyboard with a 4 columns 4 rows
scan matrix and as he posted he has external LCD.

You connect one probe of a digital scope to one of the
scan lines (preferably the last), connect another
probe to the chip select of the LCD. These are peripheral
signals so will likely be easily accessible.

Then you set the scope screen display to persist, and the
scope to trigger on the column (you may need to improve
the trigger condition) then you input 11111111, 22222222, ...
and note the time difference between the last scan line
access and the chip select.

One of the timings should really stick out - you just
found out the first digit.


The strncmp routine will at least have to use two
(generic) pointer increments, two loads from (generic)
pointers, one compare to zero, one compare to equality
and one (16 bit) compare to maximum string length per
iteration of its compare loop. Lots of cycles so
there is a distinct signature of the correct digit.

You can also use an 8051 with a PCA unit
instead of a scope. (8051 should be much faster than
the target or synchronous to the target)
Even with that cheap hardware you could
be able to detect the much more subtle difference
whether a branch like
if (password[cnt2] != passINP[cnt2]) flag = 0;
is taken or not...

Eventually (search for the term tempest) similar
stuff can be done remotely, SO:

Electronic Voting Machines should be Open Source!
(or paper please!)
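The leak the post describes comes from the compare loop stopping at the first wrong digit, so its run time grows with the length of the correct prefix. The added example below (not the poster's code; it assumes a fixed 8-digit PIN as in the thread) counts loop iterations for a strncmp-style early-exit check beside a constant-time check that always walks all eight bytes, which is the usual fix.

```c
#include <stdio.h>
#include <stddef.h>

#define PW_LEN 8  /* 8 decimal digits, as in the thread */

/* Early-exit compare modelled on strncmp: returns at the first mismatch,
 * so the iteration count (and the time between the last keypad scan and
 * the LCD chip select) depends on how many leading digits are right.
 * Returns 1 on match, 0 otherwise; *iters reports the loop count. */
static int check_early_exit(const char *secret, const char *guess, size_t *iters)
{
    size_t i;
    *iters = 0;
    for (i = 0; i < PW_LEN; i++) {
        (*iters)++;
        if (secret[i] != guess[i])
            return 0;            /* data-dependent exit: the timing leak */
        if (secret[i] == '\0')
            break;               /* both strings ended early: equal */
    }
    return 1;
}

/* Constant-time compare: always visits all PW_LEN bytes and ORs the
 * differences together instead of branching on them, so every guess
 * takes the same number of iterations and the signature disappears. */
static int check_const_time(const char *secret, const char *guess, size_t *iters)
{
    unsigned char diff = 0;
    size_t i;
    *iters = 0;
    for (i = 0; i < PW_LEN; i++) {
        (*iters)++;
        diff |= (unsigned char)(secret[i] ^ guess[i]);
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed sample values: the secret from the thread and two guesses. */
    const char *secret = "12345678";
    const char *guesses[] = { "11111111", "12222222", "12345678" };
    size_t i, it_early, it_const;
    for (i = 0; i < 3; i++) {
        check_early_exit(secret, guesses[i], &it_early);
        check_const_time(secret, guesses[i], &it_const);
        printf("%s: early-exit %zu iterations, constant-time %zu iterations\n",
               guesses[i], it_early, it_const);
    }
    return 0;
}
```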

