Archive for May, 2013

PostHeaderIcon Attack DSP IC chip encrypted system

The acid is normally applied in small portions with a pipette into a pre-milled hole in a chip preheated to 50–70˚C (Figure 51). After 10–30 seconds the chip is sprayed with dry acetone from a washing bottle to remove the reaction products. This process has to be repeated several times until the die is sufficiently exposed. To speed up the process, the chip can be placed in a sand bath and the acid can be preheated in a glass beaker. see below picture

PostHeaderIcon Attack DSP MCU chip flash content

The acid is normally applied in small portions with a pipette into a pre-milled hole in a chip preheated to 50–70˚C (Figure 51). After 10–30 seconds the chip is sprayed with dry acetone from a washing bottle to remove the reaction products. This process has to be repeated several times until the die is sufficiently exposed. To speed up the process, the chip can be placed in a sand bath and the acid can be preheated in a glass beaker.

PostHeaderIcon Attack CPLD Chip Encrypted Code

The process of manual decapsulation usually starts with milling a hole in the package so that the acid will affect only the desired area above the chip die (Figure 50). The tools necessary for this operation are available from any DIY shop for less than £10.

The commonly used etching agent for plastic packages is fuming nitric acid (>95 %), which is a solution of nitrogen dioxide NO2 in concentrated nitric acid HNO3. It is very strong nitrifying and oxidizing agent; it causes plastic to carbonise, and it also affects copper and silver in the chip carrier island and pins. Sometime a mixture of fuming nitric acid and concentrated sulphuric acid H2SO4 is used. This speeds up the reaction with some types of packages and also prevents the silver used in bonding pads and chip carrier from reacting.

PostHeaderIcon Attack CPLD IC Microcontroller Source Code

When attack CPLD IC microcontroller file, it is a common opinion that decapsulation is a complicated process which requires a lot of experience. In fact it is not and anyone capable of carrying out chemical or biological work in the context of a standard high-school program can do this. All the necessary experience could be obtained by decapping a dozen different samples. Some precautions should be taken as the acids used in this process are very corrosive and dangerous; ideally, the work should be performed in a fume cupboard to prevent inhalation of the fumes from acids and solvents. Eyes should be protected with safety goggles and appropriate acid-resistant gloves should be worn as the acid will cause severe burns if it accidentally comes into contact with the skin. Protective clothing should be worn as well.

PostHeaderIcon Attack CPLD MCU microcontroller Firmware File

When attack cpld mcu microcontroller, To undertake further work under a FIB or a SEM the chip surface has to be coated with a thin gold layer making it conductive, otherwise it will very quickly accumulate charge and the picture become dark. We used an Emitech K550 gold sputter coater to coat samples prior to the FIB work. Some modern FIB machines have a built-in video camera for optical navigation, eliminating the need for the special coating.

PostHeaderIcon Read AVR chip embed firmware

Invasive attacks start with partial or full removal of the chip package in order to expose the silicon die. There are several methods, depending upon the package type and the requirements for further analysis. For microcontrollers, partial decapsulation is normally used, so that the device can be placed in a standard programmer unit and tested. Some devices cannot be decapsulated and still maintain their electrical integrity. In this case the chip die has to be bonded to a chip carrier using a bonding machine which connects to the bonding pads on the die with thin aluminium or gold wire (Figure 49). Such bonding machines are available from different manufacturers and can be bought second-hand for less than £5,000. The contacts to the die can be also established using microprobing needles on a probing station.

PostHeaderIcon Read AVR IC mcu chip firmware

Some operations such as depackaging and chemical etching can still be performed by almost anyone with a small investment and minimal knowledge. There are also some attacks, for example optical reading of an old Mask ROM memory, or reverse engineering of a chip built with 1 µm technology and two metal layers, where gaining the access to the chip surface is enough to succeed. The necessary chemicals and tools are relatively cheap, and a suitable optical microscope could be bought second-hand for less than £1,000. Normally invasive attacks are used as an initial step to understand the chip functionality and then develop cheaper and faster non-invasive attacks.

PostHeaderIcon Read AVR Atmel MCU Firmware

These read avr mcu attacks require direct access to the internal components of the device. If it is a security module or a USB dongle, then it has to be opened to get access to the internal memory chips. In the case of a smartcard or a microcontroller, the packaging should be removed followed by FIB or laser depassivation to get access to the internal wires buried deep under the passivation layer of the chip. Such attacks normally require a well equipped and knowledgeable attacker to succeed. Meanwhile, invasive attacks are becoming constantly more demanding and expensive, as feature sizes shrink and device complexity increases.

PostHeaderIcon Read PLD Chip Binary Source Code

Using encryption, where applicable, also helps make the data recovery from erased memory more difficult. Ideally, for secure applications, each semiconductor memory device should be evaluated against all possible outcomes of data remanence on its security protection.

PostHeaderIcon Read PLD IC Binary Source Code

Cycle EEPROM/Flash cells 10–100 times with random data before writing anything sensitive to them to eliminate any noticeable effects arising from the use of fresh cells.

Program all EEPROM/Flash cells before erasing them to eliminate detectable effects of the residual charge.

Remember that some non-volatile memories are too intelligent, and may leave copies of sensitive data in mapped-out memory blocks after the active copy has been erased. That also applies to file systems which normally remove the pointer to the file rather than erasing the file itself.

Use the latest highest-density storage devices as the newest technologies generally make data recovery more difficult.