Break IC, Recover MCU, Microcontroller Reverse Engineering

Archive for November, 2012

To conduct the attack one needs to collect a set of messages, together with their processing time, e.g. question-answer delay. Many cryptographic algorithms were found to be vulnerable to timing attacks. The main reason why this happens is in the software implementation of each algorithm. That includes performance optimisation to bypass unnecessary branching and conditional operations, cache memory usage, non-fixed time processor instructions such as multiplication and division, and a wide variety of other causes. As a result performance characteristics typically depend on both the encryption key and the input data.

We can break secured mcu ATMEGA88PA program, please view the secured mcu ATMEGA88PA features for your reference:
When writing serial data to the ATtiny15L, data is clocked on the rising edge of SCK. When reading data from the ATtiny15L, data is clocked on the falling edge of SCK. See Figure 34, Figure 35, and Table 28 for timing details.
To program and verify the ATtiny15L in the Serial Programming mode, the following sequence is recommended (See 4-byte instruction formats in Table 27):
Power-up sequence:
Apply power between VCC and GND while RESET and SCK are set to “0 ”. If the programmer cannot guarantee that SCK is held low during Power-up, RESET must be given a positive pulse of at least two MCU cycles duration after SCK has been set to “0” if Break Secured MCU ATmega88PA Program.
Wait for at least 20 ms and enable serial programming by sending the Programming Enable serial instruction to the MOSI (PB0) pin. Refer to the above section for minimum low and high periods for the serial clock input SCK.
The serial programming instructions will not work if the communication is out of synchronization. When in sync, the second byte ($53) will echo back when issuing the third byte of the Programming Enable instruction.
Whether the echo is correct or not, all four bytes of the instruction must be transmitted. If the $53 did not echo back, give SCK a positive pulse and issue a new Programming Enable instruction. If the $53 is not seen within 32 attempts, there is no functional device connected when Break Secured MCU ATmega88PA Program.
If a Chip Erase is performed (must be done to erase the Flash), wait tWD_ERASE after the instruction, give RESET a positive pulse, and start over from step 2. See Table 29 on page 63 for tWD_ERASE value.

The Flash or program array is programmed one byte at a time by supplying the address and data together with the appropriate write instruction. An program memory location is first automatically erased before new data is written. Use data polling to detect when the next byte in the Flash or program can be written before Break Secured MCU ATmega88PA Program.
If polling is not used, wait tWD_PROG_FL or tWD_PROG_EE, respectively, before transmitting the next instruction. See Table 30 on page 63 for the tWD_PROG_FL and tWD_PROG_EE values. In an erased device, no $FFs in the data file(s) need to be programmed after BREAK IC.

Any memory location can be verified by using the Read instruction, which returns the content at the selected address at the serial output MISO (PB1) pin.
At the end of the programming session, RESET can be set high to commence normal operation.
Power-off sequence (if needed):
Set RESET to “1”.
Turn VCC power off.

Some security-related operations a semiconductor chip performs can take a different time to compete depending on the values of the input data and the secret key. Careful timing measurement and analysis may allow recovery of the system’s secret key. This idea was first published in the scientific literature in 1996. Then later these attacks were successfully performed on an actual smartcard implementation of the RSA signature.

Another simple trick many semiconductor manufacturers use is restricting access to information on memory programming. This is normally used for smartcards, but on some microcontrollers such information is not publicly available as well. This is not a reliable and practical way of making the design secure. Of course it works well with smartcards where all the customers are obliged to sign a non-disclosure agreement with the chip manufacturer. But microcontrollers, with very few exceptions, can be programmed with universal programmers that are widely available from different companies around the world. Even if the programming specification is not documented, all the necessary waveforms can be easily extracted in a few hours with using any low cost oscilloscope, because all the signals are normally applied with less than 1 MHz frequency. If the microcontroller is not supported by a particular universal programmer, it is always possible to buy the development kit directly from the manufacturer and obtain all the necessary protocols from it directly.

We can reverse engineering IC ATMEGA88PV locked flash, please view the IC ATMEGA88PV features for your reference:

When a byte is being programmed into the Flash or EEPROM, reading the address location being programmed will give the value $FF. At the time the device is ready for a new byte, the programmed value will read correctly.
This is used to determine when the next byte can be written.

This will not work for the value $FF so when programming this value, the user will have to wait for at least tWD_PROG_FL before programming the next Flash byte, or tWD_PROG_EE before the next EEPROM byte if Reverse Engineering IC ATMEGA88PV Locked Flash.
As a chip-erased device contains $FF in all locations, programming of addresses that are meant to contain $FF can be skipped. This does not apply if the EEPROM is reprogrammed without chip-erasing the device.

In that case, data polling cannot be used for the value $FF and the user will have to wait at least tWD_PROG_EE before programming the next byte. See Table 30 for tWD_PROG_FL and tWD_PROG_EE values.

Stresses beyond those listed under “Absolute Maximum Ratings” may cause permanent damage to the device. This is a stress rating only and functional operation of the device at these or other conditions beyond those indicated in the operational sections of this specification is not implied when Reverse Engineering IC ATMEGA88PV Locked Flash.

Exposure to absolute maximum rating conditions for extended periods may affect device reliability.

Note:
“Max” means the highest value where the pin is guaranteed to be read as low if reverse engineering IC locked flash.
“Min” means the lowest value where the pin is guaranteed to be read as high.
Although each I/O port can sink more than the test conditions (20 mA at VCC = 5V, 10 mA at VCC = 3V) under steady state conditions (non-transient), the following must be observed before reverse engineering IC locked flash:
1] The sum of all IOL, for all ports, should not exceed 100 mA. If IOL exceeds the test condition, VOL may exceed the related specification. Pins are not guaranteed to sink current greater than the listed test conditions.
Although each I/O port can source more than the test conditions (3 mA at VCC = 5V, 1.5 mA at VCC = 3V) under steady state conditions (non-transient), the following must be observed when reverse engineering IC locked flash:
1] The sum of all IOH, for all ports, should not exceed 100 mA. If IOH exceeds the test condition, VOH may exceed the related specification. Pins are not guaranteed to source current greater than the listed test condition if Reverse Engineering IC ATMEGA88PV Locked Flash.

A determined IC attacker could try an easy way to check whether this chip was actually an ASIC. The easy way is to note which pins are connected to power supply, ground, clock, reset, serial, and other interfaces, and to compare all this information with the database of suspect microcontrollers or other mcus. This works very reliably, as each microcontroller family has its own characteristic pinout. Once similarities are found the suspected microcontroller could be verified by placing it into a programming device or universal programmer and trying to read it.

Attack Custom IC which has specific memory structure and system different from standard Microchip, ATMEL microcontroller to extract code from MCU memory, reverse engineering custom IC can help to figure out the internal structure of custom IC;

Attack Custom IC which has specific memory structure and system different from standard Microchip, ATMEL microcontroller to extract code from MCU memory, reverse engineering custom IC can help to figure out the internal structure of custom IC

Semiconductor manufacturers offer valuable customers an easy way to increase the protection of their products: chips with custom marking on the packages instead of standard chip names. That gives the impression that the final product was designed using ASICs or full custom ICs. ‘Everyone knows’ that ASICs offer very good protection against different sorts of attacks and only well equipped and highly skilled attackers could succeed with breaking them. This may stop many potential attackers fiddling with the product.

We can decrypt secured MCU ATMEGA128P code, please view the secured MCU ATMEGA128P features for your reference:
The following charts show typical behavior. These data are characterized but not tested. All current consumption measurements are performed with all I/O pins configured as inputs and with internal pull-ups enabled.

The current consumption is a function of several factors such as: Operating voltage, operating frequency, loading of I/O pins, switching rate of I/O pins, code executed and ambient temperature. The dominating factors are operating voltage and frequency if Decrypt Secured MCU ATMEGA128P Code.

The current drawn from capacitive loaded pins may be estimated (for one pin) as CL·VCC·f where CL = load capacitance, VCC = operating voltage and f = average switching frequency of I/O pin.

The difference between current consumption in Power-down mode with Watchdog Timer enabled and Power-down mode with Watchdog Timer disabled represents the differential current drawn by the Watchdog Timer after Decrypt Secured MCU ATMEGA128P Code.
The ATMEGA128P is a low-power, high-performance CMOS 8-bit microcomputer with 12K bytes of Downloadable Flash codemable and erasable read only memory.

The device is manufactured using Atmel’s high density nonvolatile memory technology and is compatible with the industry standard 80C51 instruction set and pinout.

The onsecured MCU Downloadable Flash allows the code memory to be recodemed in-system through an SPI serial interface or by a conventional nonvolatile memory codemer before Decrypt Secured MCU ATMEGA128P Code.

Smartcard attack will not be so expensive, because pirate devices are normally based on standard microcontrollers which have much lower security protection than pay-TV smartcards. Very likely the device will be cracked in a few weeks, and the secondary attackers will flood the market with their clones. Fairly soon, the information on how to build pirate devices becomes available on the Internet and anyone can build pirate devices at almost no cost. So the pay-TV service provider loses millions of dollars; sometimes the original attacker is sued or prosecuted. But because the lost profit was distributed among all the pirates and dishonest subscribers, the service provider hardly gets any money back. The only effect of such actions is to threaten the hacker community with punishment. In addition the service provider will have to spend a fortune on redesigning his access control system, choosing and developing software for the new smartcard, and distributing cards to the subscribers

Another example is when the smartcard attacker invests a huge amount of money to reverse engineer a pay-TV access card. Then he disassembles the internal code from the card, learning everything that happens during authorisation and operation. Very likely he would be able to find vulnerabilities which give unlimited access to the subscription channels, for example, by applying a power glitch at just the right moment to cause a malfunction of the CPU. Once he succeeded he could either offer the subscription service at a very competitive price, or sell equipment for counterfeiting the card to malicious people. Obviously such an attacker needs to invest some capital to do this. But once he launches a pirate device on the market, it will be attacked by others.