This is an entry level mini course that takes you through a series of IC related reverse engineering / security tasks. You will practice decapping some samples and then use them in later sections to execute attacks and try other techniques. There are options for both chemical based on chemical free decap/security analysis.

Suggested equipment:

Consumables:

Other:

Things to add:

Chip background

8751

Die photo

Bond wires: usually aluminum

No direct way to verify security set. Secure reads as FF

IIRC BP does not continuity check

These labs were written with 8751H in mind, although other 8751 variations should also work

Microchip PIC16C57

Die photo

PDIP bond wires: gold

These can also be bought as CDIPs for development

This lab was written with PIC16C57 in mind, although PIC16C57C may work just as well

Microchip PIC16F558

Die photo: TODO grab from flylogic blog

Bond wires: copper

Unit 1: decapsulation

U1L1: CERDIP glass frit

quick_before.jpg

  1. Select an Intel D8751H (glass frit)
  2. If necessary, UV erase
  3. Program with a counting test pattern
  4. Decap using procedure here
  5. Readback
    1. If applicable: verify no continuity errors
    2. Verify expected pattern

U1L2: CERDIP brazed

magnet.jpg

  1. Select an Intel C8751 (brazed lid)
  2. If necessary, UV erase
  3. Program with a counting test pattern
  4. Decap using procedure here
  5. Readback
    1. If applicable: verify no continuity errors
    2. Verify expected pattern

U1L3: PDIP gold bond

  1. Select a Microchip PIC16C57/P (PDIP)
  2. Program with a counting test pattern
    1. Note: “OTP” device (can be UV erased after decap)
  3. Decap using procedure here
  4. Readback
    1. If applicable: verify no continuity errors
    2. Verify expected pattern

U1L4: PDIP copper bond

  1. Select a Microchip PIC16F558
  2. Program with a counting test pattern
  3. Decap using procedure here
  4. Readback
    1. If applicable: verify no continuity errors
    2. Verify expected pattern

Unit 2: UV attacks

U2L1: basic UV attack

  1. Select either of the following:
    • Microchip PIC16C57
      • May be easier as it directly reports security status
    • Intel 8751
    • If needed, look at the solution below and then use the other as practice
  2. If not already done so, decap the chip
  3. Quick security evaluation
    1. Program with all 0's and secure it
    2. UV erase the chip (30 min?)
    3. Verify that the chip is no longer secure and is filled with FF
      • This means the chip should be trivially UV attackable
  4. Put the die under a microscope (inspection is fine) and identify the EPROM and SRAM regions
    1. SRAM has a rougher texture
    2. EPROM has a smoother texture
  5. Use techniques from this page to only mask the EPROM area
    1. TODO: this page needs polishing / cleanup
  6. UV erase for 30 minutes
  7. Readback pattern
  8. Verify security fuse is clear
    1. If not, use acetone to clean mask and try again
  9. Verify pattern was not corrupted
    1. If it is, consider making the mask larger

Extra credit: no corruption

  1. Use a pattern of all 0's and secure the device
  2. Execute above attack
  3. Read back the device
  4. Verify device still shows all 0's

Extra credit: find the fuse

  1. Experiment with different masks outside of the EPROM area to narrow down the fuse location
  2. Alternatively, look at the fuse under a microscope

Solutions:

U2L2: angled UV attack

  1. Select either of the following:
    • Microchip PIC18F1320
      • Classic choice
    • Microchip PIC16C74
  2. Quick security evaluation
    1. Program with all 0's and secure it
    2. UV erase the chip for 60 min
    3. Observe chip status. It should still be secure or maybe even bricked
  3. Place a chip at a 30 degree angle
  4. UV erase for 60 min
  5. Check security status
  6. If security fuse is not clear, try adjusting angle and re-erasing

Extra credit: dump the firmware

  1. Do above, but apply masks
  2. Verify no bits are erased despite erasing at an angle

Solutions:

U2L3: flash UV attack

TODO: what would be a good choice here?

Unit 3: optical glitching

U3L1: static glitch

  1. Select either of the following:
    • Microchip PIC16F84
    • Microchip 87C51I or 87C51FAD
    • PIC16F84 probably easier as 87C51 doesn't directly indicate protection status
  2. Select laser
    1. Green 5 mW laser pointer will likely work well
  3. Put programmer in a read loop
    1. Ex: using Linux minipro command line
  4. Shine randomly across the die and observe responses
    • You should see the read result get corrupted sometime
    • You will possibly see a firmware dump, but don't expect it
  5. Put programmer under microscope
  6. Aim laser pointer at exposed die using helping hands or similar
    • WARNING: do not look into microscope
    • Use a camera to observe laser
  7. Slowly move chip around (using hands or XY stage) and observe responses as you move it around
  8. Scan across the chip until you find a vulnerable area

Extra credit: automated XY scan

  1. Use a motorized XY scan to read out all chip locations and automatically find vulnerable locations
  2. Sample workflow using LinuxCNC

Solutions

U3L2: dynamic glitch

Unit 4: power glitching

Unit 5: microprobing

Start with basic probing in U3L1. Then find a way to remove passivation:

  • Use a microscope laser if you have one
  • Use chemical etching if you can

U3L1: pads

Probe pads / bond wires to get basic familiarity with your probe

TODO: is there a well known device we could activate a debug port on?

U3L2: laser remove passivation

Professional / recommended solution but may not be accessible to all students

U3L3: HF remove passivation

Untested, but I think I can make this work

U3L4: scratch remove passivation

Use needle to scratch off passivation as noted by…Sergei I think?

U3L5: ultrasonic remove passivation

If you have one or maybe build one

 
tutorial/mcu_security.txt · Last modified: 2018/05/04 03:53 by mcmaster
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution 4.0 International
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki