The first step in an invasive attack is to remove the chip package (referred to as "open cover" sometimes called "open seal", in English as "DECAP", "decapsulation"). Decapsulation). There are two ways to accomplish this: the first is to completely dissolve the chip package, exposing the metal wires. The second is to remove only the plastic package on top of the silicon core. The first method requires the chip to be bound to a test fixture and operated with the help of a binding station. The second method requires personal wisdom and patience in addition to having certain knowledge and necessary skills of the attacker, but it is relatively easy to operate and completely home in the operation.
The plastic on top of the chip can be removed with a knife, and the epoxy around the chip can be corroded away with concentrated nitric acid. The hot concentrated nitric acid will dissolve the chip package without affecting the chip or the connecting wires. This process is generally done under very dry conditions, as the presence of water can erode the exposed aluminum connections (which can cause decryption failure).
The chip is then washed with acetone in an ultrasonic bath to remove residual nitric acid and soaked.
The final step is to locate the protective fuse and expose it to UV light. A microscope with at least 100x magnification is typically used to find the protective fuse by tracing in the wires from the programmed voltage input pin. If a microscope is not available, a simple search is performed by exposing different parts of the chip to UV light and observing the results. An opaque sheet of paper should be used to cover the chip during the operation to protect the program memory from being erased by UV light. Exposing the protection fuse to UV light for 5 to 10 minutes destroys the protection of the protection bits, after which the contents of the program memory can be read out directly using a simple programmer.
Ultraviolet reset protection circuitry is not feasible for microcontrollers that use a shield to protect the EEPROM unit. For this type of microcontroller, a microprobe technique is generally used to read the memory contents. The data bus from the memory to the rest of the circuit can be easily located by placing the chip under a microscope after the chip package has been opened. For some reason, the chip lock bit does not lock access to the memory in programming mode. By taking advantage of this shortcoming and placing a probe on top of the data lines you can read all the data you want. In programming mode, restarting the read process and connecting the probe to another data line will read all the information in program and data memory.
Another possible attack is to use equipment such as microscopes and laser cutters to find the protective fuses and thus all the signal lines connected to this part of the circuit. Because of the flawed design, it is possible to disable the entire protection function by simply cutting one of the signal wires from the protection fuse to the rest of the circuit (or by cutting out the entire encryption circuit) or by connecting one to three gold wires (often referred to as a FIB: focused ion beam), so that the contents of the program memory can be read directly using a simple programmer.
While most common microcontrollers have a blown fuse to protect the code inside the microcontroller, general-purpose, low-grade microcontrollers are not designed to be safe, so they often do not provide targeted precautions and have a low level of security. Coupled with the wide range of applications, sales of microcontrollers, vendors commissioned processing and technology transfer between the frequent, a large number of technical information diarrhea, making the use of such chip design loopholes and manufacturers of test interfaces, and through the modification of fuse protection bits and other invasive or non-intrusive attacks to read the internal program of the microcontroller has become relatively easy.