Archive for March, 2013

PostHeaderIcon MC68HC05B6 microcontroller ic extract code

One example is the attack on the MC68HC05B6 microcontroller discussed above. If the power supply voltage is reduced by 50–70% for the period of time that the “AND $0100” instruction is executed, the CPU fetches an FFh value from the EEPROM memory rather than the actual value and this corresponds to the unsecured state of the fuse. The trick is to carefully calculate the exact time to reduce the supply voltage, otherwise the CPU will stop functioning or go into the reset mode. This is not a difficult task, as the target instruction is executed within the first hundred cycles after the reset. Again, the attacker could use a pattern generator or build his own glitch device.

PostHeaderIcon Power glitches of IC Crack

Power supply voltage fluctuations can shift the threshold level of the transistors. As a result some flip-flops will sample their input at different time or the state of the security fuse will be read incorrectly. This is usually achieved by either increasing the power supply voltage or dropping it for a short period of time, normally from one to ten clock cycles. Power glitches can be applied to a microcontroller with any programming interface as they could affect both the CPU operation and the hardware security circuit. In general, they are harder to find and exploit than clock glitches because in addition to the timing parameters, the amplitude and rising/falling times are variables.

PostHeaderIcon Clock Glitches Application

Applying clock glitches to some microcontrollers could be difficult. For example, the Texas Instruments MSP430 microcontroller family operates from an internal RC generator in bootloader mode and it is difficult to synchronise to the internal clock and estimate the exact time of the attack. Some smartcards benefit from having randomly inserted delays in the CPU instruction flow, which makes applying the attacks even more difficult. Using power analysis could help, but requires very sophisticated and expensive equipment to extract the reference signal in real time.

PostHeaderIcon Crack Motorola MC68HC05B6 microcontroller

the Motorola MC68HC05B6 microcontroller has a Mask ROM bootloader which prevents user code upload if the security bit is set. The part of the code responsible for the security. It checks the contents of the first byte in the EEPROM and if the bit 0, assigned as a security fuse, is programmed then the CPU goes into endless loop.

That sort of protection could be relatively easy defeated. As the CPU performs only one instruction in the loop, all the attacker has to do is apply different clock glitches to cause CPU malfunction. He does not even have to carefully synchronise the attack to the CPU clock signal, as doing glitches at a random time will give a success in a short number of attempts. Glitches could be inserted relatively easy without the use of any external generators by short circuiting the crystal resonator for a short time. When the resonator starts it produces oscillations at different harmonics which cause many glitches. In most cases the attack has to be applied at a certain clock cycle to cause the desired result. In this case it is better to use either a signal pattern generator which can supply all the necessary signals to the chip or built such a generator using an FPGA prototyping board.

PostHeaderIcon Clock glitches, one of the most important way of IC attack

Clock-signal glitches are currently the simplest and most practical ones. In real application glitches are normally used to replace conditional jump instructions and test instructions preceding them. They create a window of vulnerability in the processing stages of many security cryptographic barriers by simply preventing the execution of the code that detects an unsuccessful authentication attempt. Instruction glitches can also be used to extend the runtime of loops, for example, in serial port output routines to see more of the memory after the output buffer, or to reduce the number of loops in cryptographic operation to transform the cipher into a weak one.

To perform a glitch, the clock frequency should be temporarily increased for one or more half cycles so that some flip-flops sample their input before the new state has reached them. As clock glitches are normally aimed at CPU instruction flow, they are not very effective for devices with hardware implementations of security protection. Therefore it is practical to use clock glitches only when attacking microcontrollers with software programming interfaces or some smartcards.