What tools are needed to decrypt an encrypted chip

Chip Cracking Methods

(1) Software Attacks

This technique typically uses the processor's communication interfaces and exploits protocols, encryption algorithms, or security holes in those algorithms to carry out attacks. A classic example of a successful software attack is the attack on the early ATMEL AT89C family of microcontrollers. The attacker exploited a flaw in the timing of the erase operation in this series: using a self-written program, the attacker stopped the operation after the encryption lock bits had been erased but before the next step, erasing the on-chip program memory, took place. This turned an encrypted microcontroller into an unencrypted one, whose on-chip program could then be read out with a programmer.

Currently, building on other encryption methods, equipment can be developed that, combined with certain software, carries out software attacks.

Recently, a cracking device for 51-series chips has appeared (built by an expert in Chengdu). This decryptor mainly targets a weakness in the production process of SyncMos and Winbond parts. It uses certain programmers to insert bytes at a chosen location: by some method it checks whether the chip contains a continuous empty area, that is, consecutive FF FF bytes, and inserts there bytes that execute instructions sending the on-chip program off the chip. The decryption device then intercepts this output, which completes the decryption of the program inside the chip.

(2) Electronic Detection Attack

This technique usually monitors the analog characteristics of all power and interface connections of the processor during normal operation with high temporal resolution, and implements the attack by monitoring its electromagnetic radiation characteristics. Because a microcontroller is an active electronic device, when it executes different instructions, the corresponding power consumption of the power supply changes accordingly. This allows specific critical information in the microcontroller to be accessed by analyzing and detecting these changes using special electronic measuring instruments and mathematical statistical methods.

This is the principle behind the current RF programmer's ability to directly read out programs from older models of encrypted MCUs.

(3) Fault Generation Techniques

This technique uses abnormal operating conditions to make the processor malfunction, which then provides additional access for the attack. The most widely used fault generation attacks are voltage glitches and clock glitches. Low-voltage and high-voltage attacks can be used to disable protective circuitry or force the processor to perform an erroneous operation. Clock transients may reset the protection circuitry without destroying the protected information. Power and clock transients can affect the decoding and execution of a single instruction in some processors.

(4) Probing Techniques

This technique involves directly exposing the internal connectivity of a chip and then observing, manipulating, and interfering with the microcontroller for the purpose of attack.

For convenience, the four attack techniques above are divided into two categories. The first is the invasive attack (physical attack), which requires destroying the package and then spending hours or even weeks in a specialized laboratory with semiconductor test equipment, microscopes and micropositioners. All microprobing techniques are invasive attacks. The other three methods are non-invasive attacks, in which the attacked microcontroller is not physically damaged. Non-invasive attacks are particularly dangerous in some situations because the equipment they require can often be homemade and upgraded, and is therefore very cheap.

Most non-invasive attacks require the attacker to have good knowledge of the processor and of software. In contrast, invasive probing attacks do not require much initial knowledge, and a whole range of similar techniques can often be used against a wide range of products. As a result, attacks on microcontrollers often start with invasive reverse engineering, and the experience gained helps to develop cheaper and faster non-invasive attack techniques.


Invasive chip cracking process

The first step in an invasive attack is to remove the chip package (referred to as "opening the cover" or sometimes "opening the seal"; in English, "DECAP", decapsulation). There are two ways to achieve this: the first is to completely dissolve the chip package, exposing the metal wires. The second is to remove only the plastic package on top of the silicon die. The first method requires the chip to be bonded to a test fixture and operated with the help of a bonding station. The second method requires ingenuity and patience from the attacker in addition to certain knowledge and the necessary skills, but it is relatively easy to carry out and can be done entirely at home.

The plastic on top of the chip can be removed with a knife, and the epoxy around the chip can be corroded away with concentrated nitric acid. The hot concentrated nitric acid will dissolve the chip package without affecting the chip or the connecting wires. This process is generally done in very dry conditions, as the presence of water can erode the exposed aluminum connections (which can cause decryption failure).

The chip is then washed with acetone in an ultrasonic bath to remove residual nitric acid, and then soaked.

The final step is to locate the protective fuse and expose it to UV light. A microscope with at least 100x magnification is typically used to find the protective fuse by tracing the wiring in from the programming voltage input pin. If a microscope is not available, a simple search is performed by exposing different parts of the chip to UV light and observing the results. An opaque sheet of paper should be used to cover the chip during the operation to protect the program memory from being erased by UV light. Exposing the protection fuse to UV light for 5 to 10 minutes destroys the protection provided by the protection bits, after which the contents of the program memory can be read out directly using a simple programmer.

Resetting the protection circuitry with UV light is not feasible for microcontrollers that use a protective layer to shield the EEPROM cells. For this type of microcontroller, a microprobing technique is generally used to read the memory contents. The data bus from the memory to the rest of the circuit can be easily located by placing the chip under a microscope after the chip package has been opened. For some reason, the chip lock bit does not lock access to the memory in programming mode. By taking advantage of this shortcoming and placing a probe on top of the data lines you can read all the data you want. In programming mode, restarting the read process and connecting the probe to another data line will read all the information in program and data memory.

Another possible attack is to use equipment such as microscopes and laser cutters to find the protective fuses and thus all the signal lines connected to this part of the circuit. Because of the flawed design, it is possible to disable the entire protection function by simply cutting one of the signal wires from the protection fuse to the rest of the circuit (or by cutting out the entire encryption circuit) or by connecting one to three gold wires (often referred to as a FIB: focused ion beam), so that the contents of the program memory can be read directly with the use of a simple programmer.

While most common microcontrollers have a fuse that is blown to protect the code inside the microcontroller, general-purpose, low-grade microcontrollers are not positioned as security products, so they often do not provide targeted precautions and have a low level of security. In addition, microcontrollers are used in a wide range of applications and sell in large volumes, and contract manufacturing and technology transfer between manufacturers are frequent, so a large amount of technical information has leaked. As a result, reading out the internal program of a microcontroller by exploiting design loopholes in such chips and manufacturers' test interfaces, or by modifying the fuse protection bits through invasive or non-invasive attacks, has become relatively easy.

Currently, the more famous chip cracking companies in China are Husheng Electronics, Yuyang Electronics, Star Microcontroller, Hengfeng Microcontroller and Longren Technology.


Suggestions for dealing with chip cracking

In theory, any microcontroller can be broken by an attacker who invests enough money and time in the methods above. This is a basic principle that system designers should always keep in mind. Engineers who design electronic products therefore need to understand the latest techniques for attacking microcontrollers. Know yourself and know your enemy: only then can you effectively prevent a product that took a great deal of money and time to design from being counterfeited overnight. We put forward the following suggestions based on Husheng's decryption practice:

(1) Before selecting a chip to protect your code, investigate thoroughly and understand the latest progress in chip cracking technology, including which microcontrollers have been confirmed to be cracked. Try not to use a chip that has already been cracked, or one of the same series or the same type. Choose a microcontroller that uses a new process and a new structure and has been on the market for a shorter time. For example, you can use the ATMEGA88/ATMEGA88V; cracking it domestically currently costs about 6K. Other parts that are currently relatively difficult to decrypt include the ST12 series, DSPPIC, etc. Protection can also be combined with a CPLD, which makes the decryption cost very high; decrypting an ordinary CPLD alone costs about 10,000 yuan.

(2) Try not to use MCS51 series microcontrollers, because they are the most widely used microcontrollers in the country and have been studied most thoroughly.

(3) The original maker of a product generally produces in large volume, so you can choose a more obscure, less popular microcontroller to make purchasing harder for counterfeiters. Use chips that are more difficult to decrypt, such as the ATTINY2313, AT89C51RD2, AT89C51RC2 and Motorola microcontrollers. At present very few people in the country are familiar with developing for Motorola microcontrollers, so the cost of cracking them is also quite high, from about 3000 to 30,000.

(4) If the design budget permits, select a smart card chip with a hardware self-destruct function in order to deal effectively with physical attacks. In addition, add a time-limit function when designing the program, for example automatically stopping all functions after 1 year of use, which increases the cost for crackers.

(5) If conditions permit, two microcontrollers of different models can be used to back each other up and verify each other, increasing the cost of cracking.

(6) Polish off the chip model and other markings, or reprint a different model number to pass the chip off as another part. (Note that a logo on the reverse side should also be erased; for many chips, such as 51, WINBOND and MDT, the decryptor can determine the model from the reverse side.)

(7) You can use the undisclosed, unutilized flag bits or units of the microcontroller as software flag bits.

(8) Use the A5 instruction of the MCS-51 for encryption. In fact, none of the documentation in the world, including the English-language material, describes this instruction, yet it is a very good encryption instruction. A5 functions as a two-byte no-operation instruction. The encryption method is to place a two-byte or three-byte opcode after A5. Because no disassembly software will disassemble the A5 instruction, the disassembly of the normal program is thrown into disorder, while the program itself executes without any problem, and imitators will not be able to change your source program.

(9) Write your name, organization and development date in the program area, together with a notice that imitation will be pursued, in order to obtain legal protection. In addition, the name you write can be randomized: using a certain algorithm, the name differs under different external conditions, such as wwwhusooncom1011, wwwwhusooncn1012, etc., which makes it harder to disassemble and modify.

(10) Use a high-grade programmer to burn off some of the internal pins; you can also use homemade equipment to burn off the gold wire. At present this is almost impossible to decrypt domestically, and even where decryption is possible it costs tens of thousands of dollars and requires more than one master chip.

(11) Seal the entire circuit board with confidential silicone (epoxy resin potting compound). Add some pads that serve no purpose to the PCB, and mix some components that serve no purpose into the silicone. At the same time, erase the model markings of the electronic components in the circuit around the MCU as far as possible.

(12) For SyncMos and Winbond microcontrollers, convert the file to be burned into a HEX file, so that the empty space in the program burned into the chip is automatically filled with 00. If you are accustomed to BIN files, you can also use the programmer to change FF to 00 in the blank area. A general decryptor then cannot find the empty space in the chip and cannot perform the subsequent decryption steps.

Of course, it is impossible to fundamentally prevent a microcontroller from being decrypted. Encryption technology continues to develop, and decryption technology continues to develop with it. Today, whichever microcontroller it is, as long as someone is willing to pay, it can basically be done; the only questions are the cost and the time it takes. Developers can also protect their work through legal means (such as patents). I just happened to have this document on my computer; I hope it can help you.
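
An added example (not part of the original document) of the blank-area check in suggestion (12): it scans a BIN image for long runs of FF, pads the image to the flash size, and fills those runs with 00 before programming. The function names, the 16-byte threshold, the sample bytes and the 64-byte flash size are assumptions made for illustration.

```python
"""Pre-programming check: leave no long run of 0xFF (blank flash) in the image."""

BLANK = 0xFF  # value of erased, unused flash
FILL = 0x00   # value suggestion (12) says to write into blank areas


def find_blank_runs(image: bytes, min_len: int = 16):
    """Return (offset, length) for each run of at least min_len 0xFF bytes."""
    runs, start = [], None
    for i, b in enumerate(image):
        if b == BLANK:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            runs.append((start, i - start))
        start = None
    if start is not None and len(image) - start >= min_len:
        runs.append((start, len(image) - start))
    return runs


def harden_image(image: bytes, flash_size: int, min_len: int = 16) -> bytes:
    """Pad the image to flash_size with FILL and overwrite long blank runs.

    Runs shorter than min_len are left untouched, because 0xFF can also be
    a legitimate code or data byte inside the program.
    """
    if len(image) > flash_size:
        raise ValueError("image is larger than the flash")
    out = bytearray(image) + bytes([FILL]) * (flash_size - len(image))
    for off, length in find_blank_runs(bytes(out), min_len):
        out[off:off + length] = bytes([FILL]) * length
    return bytes(out)


# Constructed sample: 8 program bytes, a 32-byte blank gap, then 4 more
# bytes that include one isolated 0xFF which must survive unchanged.
SAMPLE = bytes.fromhex("020030757581907f") + b"\xff" * 32 + bytes.fromhex("e4ff8022")
FLASH_SIZE = 64  # hypothetical flash size for the demo

if __name__ == "__main__":
    print("blank runs before:", find_blank_runs(SAMPLE))
    fixed = harden_image(SAMPLE, FLASH_SIZE)
    print("blank runs after: ", find_blank_runs(fixed))
```

Run the check on the final image as part of the release build, and review any reported run before filling it, since a long FF block inside the program may be an intentional data table.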