From Wij vertrouwen stemcomputers niet


Both the reader-writer and the voting machine run the same software (ES3B), just different versions (version 2.12 on the voting computer, version 2.11 on the reader-writer). We took out the ROMs and read them on Job's reader. Andreas is currently working in IDA to make sense of it.

ROMs voting computer

The software is stored in 2 EPROMs, one for the odd and one for the even addresses, which combined make: ES3B_V02_12.bin
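An added example (not code from this project) of how two byte-wide EPROM dumps are merged into a single image such as the one above. The function names, the marker string and the sample bytes are assumptions made for illustration; the page does not say which physical chip holds the even addresses, so the example also shows a way to check the order with a string that is expected to occur in the firmware.

```python
"""Rebuild one firmware image from two byte-wide EPROM dumps (even/odd split)."""


def interleave(even: bytes, odd: bytes) -> bytes:
    """Place even[i] at address 2*i and odd[i] at address 2*i + 1."""
    if len(even) != len(odd):
        raise ValueError(f"dump sizes differ: {len(even)} vs {len(odd)} bytes")
    image = bytearray(2 * len(even))
    image[0::2] = even
    image[1::2] = odd
    return bytes(image)


def deinterleave(image: bytes) -> tuple[bytes, bytes]:
    """Inverse of interleave(): split an image into (even, odd) chip contents."""
    if len(image) % 2:
        raise ValueError("combined image must have an even length")
    return image[0::2], image[1::2]


def identify_order(chip_a: bytes, chip_b: bytes, marker: bytes) -> str:
    """Decide which dump holds the even addresses using a known marker string.

    Text is split across both chips, so it is unreadable in either dump alone
    and comes out pairwise byte-swapped when the chips are merged the wrong way.
    """
    a_even = marker in interleave(chip_a, chip_b)
    b_even = marker in interleave(chip_b, chip_a)
    if a_even == b_even:  # marker missing, or found both ways
        return "ambiguous"
    return "a_even" if a_even else "b_even"


# Constructed sample data (not taken from the real ROMs).
SAMPLE_IMAGE = b"\x00\x10\xff\xfe" + b"CONSTRUCTED SAMPLE TEXT." + b"\x01\x02"
CHIP_EVEN, CHIP_ODD = deinterleave(SAMPLE_IMAGE)

if __name__ == "__main__":
    print(identify_order(CHIP_ODD, CHIP_EVEN, b"SAMPLE"))
    print(interleave(CHIP_EVEN, CHIP_ODD) == SAMPLE_IMAGE)
```

A size mismatch between the two dumps raises an error instead of being padded, since it usually means one chip was read with the wrong device type or a bad contact.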

For reading itsme's disassembly, try the Niederlaendisch-Deutsch Woerterbuch.

ROMs reader-writer unit

ROM printer

Various things we have learned


Where is the software?

This section only deals with analysis. If you want to have a look at the software and original documentation itself, then look here.

ISS observations

Pascal and Rop have successfully done an entire election. ISS is a little complicated, and includes a complete election workflow manager that needs to be fooled by setting the system date at one point. But it is all workable and we can run any election we like. Operation of the machine itself is doable even without a manual.

ISS has a special "maintenance mode" for which it wants a password which has been "cracked" already (see addendum below). Moehahaha. All its own data is in DBF files in plaintext.

Module read/write commands via the serial port are seen on the serial monitor, but do not look overly trivial. We played with the empty module. The other module does indeed contain votes of the previous election, 962 in total. We're careful about not ever writing anything to this module: it goes in the read-only slot only. Not the entire contents of a module are transferred every time anything is read or written. We're looking into obtaining raw binary data from the module, which this box and/or software may or may not be capable of delivering.

We will need something that reads modules, either through this box or through our own hardware.

Can we learn on the ES3B side of things (the programmer runs the same software as the voting machine after all) how the serial commands work?

Addendum: The password for the maintenance mode is "GEHEIM" (really!) and that offers, among other things, a binary dump of the module. We used that to create the TCL script that currently reads the modules.

In maintenance mode, entering after the module serial number and clicking on send (versturen) will crash/exit ISS without any warning. On that same screen there are two invisible buttons, block and unblock. They can be seen when using VNC, which is slow enough that you can see them before the update removes them from the screen.

Looking at the binary, it looks like Borland Delphi code.