Archive for October, 2012

PostHeaderIcon PCB Reverse Engineering Analysis and Instruction Process

PCB Reverse Engineering analysis and instruction process can help to ensure the PCB board drawing documents correctiveness, the extracted schematic diagram and PCB gerber file can be used to reproduce the circuit board;

PCB Reverse Engineering Analysis and Instruction Process

PCB Reverse Engineering’s Analysis and Instruction Process

a Functional/economic analysis should be completed to collect available documentation, determine missing data requirements, determine testing requirements, and develop the PCB Reverse Engineering service cost-Estimates and Schedules;

b. A disassembly procedure should be completed for each candidate to ensure functional integrity is maintained to allow for a viable analysis and documentation;

c. A PCB cloning service management plan should be completed for each candidate to ensure a logical sequence of events to prevent delays or misinterpretations in the overall program objectives;

d. A hardware analysis should be performed to develop the missing data required for Level 3 drawings which can be restored from embeded microcontroller memory;

e. Level 3 drawings are the result of the PCB reverse engineering service process and contain the documented parameters necessary to reproduce the selected candidate;

f. A quality control study should be performed and documented on the Level 3 drawings and prototypes of candidates to certify their compliance with original candidate specifications;

g. A production review should be performed to determine the economics of production of the electronic card reverse engineering service item;

h. Prototype production involves the manufacture and testing of prototypes to determine if they meet all required specifications; and

i. A finalized TDP should be formulated and delivered to the government/Tasking Agency requesting the PCB board copying service of the candidate item.

PostHeaderIcon Break Chip ATmega1280 Flash

Break Chip ATmega1280 Flash memory normally is in the status of reading protective model, through our Microcontroller unlocking technique, flash memory and eeprom memory from ATmega1280 MCU can be readout;

Break Chip ATmega1280 Flash memory normally is in the status of reading protective model, through our Microcontroller unlocking technique, flash memory and eeprom memory from ATmega1280 MCU can be readout

Break Chip ATmega1280 Flash memory normally is in the status of reading protective model, through our Microcontroller unlocking technique, flash memory and eeprom memory from ATmega1280 MCU can be readout

Please view the chip ATMEGA1280 features for your reference:
The ATMEGA1280 has three lock bits that can be left unprogrammed (U) or can be programmed (P) to obtain the additional features listed in the following table.

When lock bit 1 is programmed, the logic level at the EA pin is sampled and latched during reset. If the device is powered up without a reset, the latch initializes to a random value and holds that value until reset is activated.

The latched value of EA must agree with the current logic level at that pin in order for the device to function properly. Once programmed, the lock bits can only be unprogrammed with the Chip Erase operations in either the parallel or serial modes before MCU PIC16F887 flash program attacking.

Atmel’s ATMEGA1280 Flash chip offers 12K bytes of in-system reprogrammable Flash Code memory. The ATMEGA1280 is normally shipped with the on-chip Flash Code memory array in the erased state (i.e. contents = FFH) and ready to be programmed.
This device supports a High-Voltage (12V) Parallel programming mode and a Low-Voltage (5V) Serial programming mode. The serial programming mode provides a convenient way to download the ATMEGA1280 inside the user’s system same as chip PIC18F66K90 flash attacking .

The parallel programming mode is compatible with conventional third party Flash or EPROM programmers. The Code memory array occupies one contiguous address space from 0000H to 2FFFH if break chip flash.

The Code array on the ATMEGA1280 is programmed byte-by-byte in either programming mode. An auto-erase cycle is provided with the self-timed programming operation in the serial programming mode before break chip flash.
There is no need to perform the Chip Erase operation to reprogram any memory location in the serial programming mode unless any of the lock bits have been programmed.

In the parallel programming mode, there is no auto-erase cycle. To reprogram any non-blank byte, the user needs to use the Chip Erase operation first to erase the entire Code memory array.

PostHeaderIcon IC Flash Recovery

IC Flash Recovery is a process to extract code of MCU memory content, and copy the firmware to new Microcontroller for IC cloning;

IC Flash Recovery is a process to extract code of MCU memory content, and copy the firmware to new Microcontroller for IC cloning

IC Flash Recovery is a process to extract code of MCU memory content, and copy the firmware to new Microcontroller for IC cloning

Semi-invasive IC Flash Recovery, like invasive ic attack, require depackaging the chip to get access to the chip surface. But the passivation layer of the chip remains intact – semi-invasive ic break methods do not require electrical contact to the metal surface, so there is no mechanical damage to the silicon.

As invasive ic hacks are becoming constantly more demanding and expensive, with shrinking feature sizes and increasing device complexity, semi-invasive ic flash recovery become more attractive as they do not require very expensive tools and give results in a shorter time. Also, being applied to a whole transistor or even a group of transistors they are less critical to the small feature size of modern chips.

PostHeaderIcon Decrypt IC Flash

Decrypt IC Flash memory, reset the Microcontroller security fuse bit when crack microcontroller using focus ion beam, and extract IC flash memory code in the format of heximal;

Decrypt IC Flash memory, reset the Microcontroller security fuse bit when crack microcontroller using focus ion beam, and extract IC flash memory code in the format of heximal

Decrypt IC Flash memory, reset the Microcontroller security fuse bit when crack microcontroller using focus ion beam, and extract IC flash memory code in the format of heximal

Invasive MCU breaking start with partial or full removal of the chip package in order to expose the silicon die. There are several methods, depending upon the package type and the requirements for further analysis. For microcontrollers, partial decapsulation is normally used, so that the device can be placed in a standard programmer unit and tested.

Some devices cannot be decapsulated and still maintain their electrical integrity. In this case the chip die has to be bonded to a chip carrier using a bonding machine which connects to the bonding pads on the die with thin aluminium or gold wire. Such bonding machines are available from different manufacturers and can be bought second-hand for less than £5,000. The contacts to the die can be also established using microprobing needles on a probing station.

To undertake further work under a FIB or a SEM the chip surface has to be coated with a thin gold layer making it conductive, otherwise it will very quickly accumulate charge and the picture become dark. We used an Emitech K550 gold sputter coater to coat samples prior to the FIB work. Some modern FIB machines have a built-in video camera for optical navigation, eliminating the need for the special coating.

PostHeaderIcon PCB Reverse Engineering Primary Objective

PCB Reverse Engineering primary objective is the development of unrestricted technical data, adequate for competitive procurement, through engineering evaluations of existing hardware.

PCB Reverse Engineering primary objective is the development of unrestricted technical data, adequate for competitive procurement, through engineering evaluations of existing hardware
PCB Reverse Engineering primary objective is the development of unrestricted technical data, adequate for competitive procurement, through engineering evaluations of existing hardware

In Process Reviews (IPRs) should be performed at the end of each principal phase of the PCB card cloning process to assure compliance to the process and to evaluate the need for continuing reverse engineering on the item.

a. Functional/economic analysis should be completed to collect available documentation, determine missing data requirements, determine testing requirements, and develop the PCB board Reverse Engineering Cost-Estimates and Schedules;

b. A disassembly procedure should be completed for each candidate to ensure functional integrity is maintained to allow for a viable analysis and documentation;

c. A reverse engineering management plan should be completed for each candidate to ensure a logical sequence of events to prevent delays or misinterpretations in the overall program objectives;

d. A hardware analysis should be performed to develop the missing data required for Level 3 drawings by restoring schematic diagram of circuit board;

e. Level 3 drawings are the result of the reverse engineering process and contain the documented parameters necessary to reproduce the selected candidate;

f. A quality control study should be performed and documented on the Level 3 drawings and prototypes of candidates to certify their compliance with original candidate specifications;

g. A production review should be performed to determine the economics of production of the reverse engineered item;

h. Prototype production involves the manufacture and testing of prototypes to determine if they meet all required specifications; and

i. A finalized TDP should be formulated and delivered to the Government/Tasking Agency requesting the reverse engineering of the candidate item.

Article quote from MLK-HDBK-115A(ARMY)

PostHeaderIcon Break MCU ATmega1280V Eeprom

Break MCU ATmega1280V Eeprom memory for its data, and flash memory for its program, then extract files from both Microcontroller memories, disable the fuse bit by Microprocessor cracking;

Break MCU ATmega1280V Eeprom memory for its data, and flash memory for its program, then extract files from both Microcontroller memories, disable the fuse bit by Microprocessor cracking

Break MCU ATmega1280V Eeprom memory for its data, and flash memory for its program, then extract files from both Microcontroller memories, disable the fuse bit by Microprocessor cracking

Please view the MCU ATMEGA1280V features for your reference:

To program and verify the AT89S53 in the parallel programming mode, the following sequence is recommended after break MCU eeprom:
Power-up sequence:
Apply power between VCC and GND pins.
Set RST pin to “H”.
Apply a 3 MHz to 24 MHz clock to XTAL1 pin and wait for at least 10 milliseconds to break MCU dsPIC30F4011 eeprom.
Set PSEN pin to “L”
ALE pin to “H”
EA pin to “H” and all other pins to “H”.
Apply the appropriate combination of “H” or “L” logic levels to pins P2.6, P2.7, P3.6, P3.7 to select one of the programming operations shown in the eeprom Programming Modes table.
Apply the desired byte address to pins P1.0 to P1.7 and P2.0 to P2.5.
Apply data to pins P0.0 to P0.7 for Write Code operation.
Raise EA/VPP to 12V to enable eeprom programming, erase or verification.
Pulse ALE/PROG once to program a byte in the Code memory array, or the lock bits. The byte-write cycle is self-timed and typically takes 1.5 ms.
To verify the byte just programmed, bring pin P2.7 to “L” and read the programmed data at pins P0.0 to P0.7.
Repeat steps 3 through 7 changing the address and data for the entire 12K-byte array or until the end of the object file is reached.
Power-off sequence will affect the process of break MCU SAF-C164CI-8EM firmware eeprom:
Set XTAL1 to “L”.
Set RST and EA pins to “L”.
Turn VCC power off.
The AT89S53 features DATA Polling to indicate the end of a write cycle. During a write cycle in the parallel or serial programming mode, an attempted read of the last byte written will result in the complement of the written datum on P0.7 (parallel mode), and on the MSB of the serial output byte on MISO (serial mode).
Once the write cycle has been completed, true data are valid on all outputs, and the next cycle may begin. DATA Polling may begin any time after a write cycle has been initiated.
The progress of byte programming in the parallel programming mode can also be monitored by the RDY/BSY output signal. Pin P3.4 is pulled Low after ALE goes High during programming to indicate BUSY. P3.4 is pulled High again when programming is done to indicate READY.

PostHeaderIcon PCB Reverse Engineering Rationale

PCB Reverse Engineering Rationale is to extract wiring diagram from existing printed circuit board which has been out of production or not easy to get access to the new purchasing due to various reasons;

PCB Reverse Engineering Rationale is to extract wiring diagram from existing printed circuit board which has been out of production or not easy to get access to the new purchasing due to various reasons
PCB Reverse Engineering Rationale is to extract wiring diagram from existing printed circuit board which has been out of production or not easy to get access to the new purchasing due to various reasons

One method of controlling the high costs of replenishment spares is by pcb reverse engineering.

PCB Reverse engineering is the process of duplicating an item, functionally and dimensionally, by physically examining and measuring existing parts to develop the technical data (physical and material characteristics) required for competitive procurement. 

The PCB reverse engineering process may be performed on specific items which are currently purchased sole-source. This may be due to limited data rights, in inadequate TDP, a diminished or non-existent source of supply, or as part of a Product Improvement Program (PIP).

Normally, PCB card cloning will not be cost effective unless the items under consideration are of a high dollar value or are procured in large quantities. Such items may be reverse engineered if an economical savings over their acquisition life cycle is demonstrated, and if other methods of acquiring the necessary technical data for competitive reprocurement are either more costly or not available.

Article quote from MLK-HDBK-115A(ARMY)

PostHeaderIcon Reverse Engineering Microcomputer ATmega2560 Program

Reverse Engineering Microcomputer ATmega2560 internal memory, and extract MCU ATmega2560 Program out from flash memory, crack Microcontroller ATmega2560 security fuse bit by focus ion beam technique;

Reverse Engineering Microcomputer ATmega2560 internal memory, and extract MCU ATmega2560 Program out from flash memory, crack Microcontroller ATmega2560 security fuse bit by focus ion beam technique

Reverse Engineering Microcomputer ATmega2560 internal memory, and extract MCU ATmega2560 Program out from flash memory, crack Microcontroller ATmega2560 security fuse bit by focus ion beam technique

If lock bits LB1 and LB2 have not been programmed, the programmed Code can be read back via the address and data lines for verification. The state of the lock bits can also be verified directly in the parallel programming mode when copying infineon saf-xc888cm-8ffi binary.

In the serial programming mode, the state of the lock bits can only be verified indirectly by observing that the lock bit features are enabled. In the parallel programming mode, Microcomputer erase is initiated by using the proper combination of control signals and by holding ALE/PROG low for 10 ms.
The Code array is written with all “1”s in the Microcomputer Erase operation. In the serial programming mode, a Microcomputer erase operation is initiated by issuing the Microcomputer Erase instruction. In this mode, Microcomputer erase is self-timed and takes about 16 ms.
During Microcomputer erase, a serial read from any address location will return 00H at the data outputs. A programmable fuse is available to disable Serial Programming if the user needs maximum system security after recover Microcomputer C8051F340 firmware.
The Serial Programming Fuse can only be programmed or erased in the Parallel Programming Mode. The AT89S53 is shipped with the Serial Programming Mode enabled.

Reading the Signature Bytes: The signature bytes are read by the same procedure as a normal verification of locations 030H and 031H, except that P3.6 and P3.7 must be pulled to a logic low. The values returned are as follows:
(030H) = 1EH indicates manufactured by Atmel
(031H) = 53H indicates 89S53
Every code byte in the program array can be written, and the entire array can be erased, by using the appropriate combination of control signals. The write operation cycle is self-timed and once initiated, will automatically time itself to completion.
All major programming vendors offer worldwide support for the Atmel microcontroller series. Please contact your local programming vendor for the appropriate software revision.

PostHeaderIcon PCB Reverse Engineering Background in the U.S. department of Defense

PCB Reverse Engineering Background has a profound effect over the past years which is helping the engineer to restore circuit board schematic diagram from original physical samples include the gerber file, layout drawing and BOM list;

PCB Reverse Engineering Background has a profound effect over the past years which is helping the engineer to restore circuit board schematic diagram from original physical samples include the gerber file, layout drawing and BOM list

Defense contractors who supply systems, equipment and spare parts during the initial production phase of a weapon system acquisition in which they have performed in the development, frequently become the “sole-source” for follow-on procurements.

The cost of items procured under these sole source conditions are sometimes inflated beyond their true value. Consequently, procurement costs for spare parts consume an increasingly larger share of the defense dollar. Recent emphasis on the prices paid for spare parts dictates the need for competition.

Congress and the Department of Defense (DOD) directed the military services to increase competition in an effort to reduce the cost of spare parts. The Defense Acquisition Regulation Supplement No. 6 (DAR-S6), dated 1 June 1983, titled: DOD Replenishment Parts Breakout Program, was promulgated to encourage competition and reduce restrictive features which limit competitive procurement.

Article quote from MLK-HDBK-115A(ARMY)

PostHeaderIcon Reverse Engineering IC Flash

Reverse Engineering IC Flash is starting point of Microcontroller reverse engineering, target MCU will be delayer one by one in the reverse order of Microprocessor manufacturing, the purpose is to figure out the security fuse bit and cut it off;

Reverse Engineering IC Flash is starting point of Microcontroller reverse engineering, target MCU will be delayer one by one in the reverse order of Microprocessor manufacturing, the purpose is to figure out the security fuse bit and cut it off

Reverse Engineering IC Flash is starting point of Microcontroller reverse engineering, target MCU will be delayer one by one in the reverse order of Microprocessor manufacturing, the purpose is to figure out the security fuse bit and cut it off

Read program and data out from Microcontroller memory requires direct access to the internal components of the device. If it is a security module or a USB dongle, then it has to be opened to get access to the internal memory chips. In the case of a smartcard or a microcontroller, the packaging should be removed followed by FIB or laser depassivation to get access to the internal wires buried deep under the passivation layer of the chip.

Such ic decryption method normally require a well equipped and knowledgeable ic attacker to succeed. Meanwhile, invasive ic extraction are becoming constantly more demanding and expensive, as feature sizes shrink and device complexity increases.