I'm sorry that there's no direct article for this submission, and I'm not certain who submitted it, but as an employee of CRI and one of the designers of the demo, I'd like to give you some details about what's going on.

At CRI we have a lab full of what I consider to be cool equipment, and what's more, some spare time to look at things. We specialize in side-channel analysis and we asked ourselves: what sort of side-channel leaks might be present in consumer PDAs? We took a USRP(1) interface that we had lying around and started investigating the RF emanations of a few of the devices we had easily on hand. We coded some simple cryptographic applications and were surprised at how quickly we were able to find ways to demodulate the various signals in the device in a way that revealed the bits of the secret keys being used.

We are indeed using GNURadio for the demo. It's been very helpful because it makes rapid prototyping very easy. We use gnuradio-companion to set up the signal processing blocks (mostly AM demodulation) and to set up a simple UI that helps us tune into the right carrier frequencies in real-time during the demo. The rest of the demo involves using our own custom waveform viewer to look at the demodulated signal and show visitors how we can analyze the signal on the screen and extract the key bits that were used during the encryption/decryption process on the device.

I've been studying SD cards for the last few months and I've managed to dig up some heretofore "secret" leaked documents about SD Digital Rights Management mechanism and I think I know how such a permanent modification could be performed.

One of the things that all SD cards support is the ability to designate a certain portion (which can include ALL) of the card's block storage as "secure". Once designated as secure, the blocks in question cannot be read, written to, or the area resized without performing an authentication step with the card. This authentication step is known as "AKE".

I'm willing to bet that the phone is using this "secure" facility and marking the entire card, or some significant portion thereof, as a secure storage area.