
MCU Code Restoration

MCU code restoration can help an engineer recover the MCU's hex code from secured memory, including flash and EEPROM, after the microcontroller has been cracked.

Another big problem for EPROM, EEPROM and Flash memories that affects the hardware security of MCU devices is data remanence. Many MCUs with these types of memory have a security fuse which, once activated, cannot be reset until the whole memory content is first erased. Manufacturers put a lot of effort into hardware design to ensure that the security fuse will not be deactivated by manipulation of external signals such as power glitches. They made very good progress, and very few of the modern MCUs can be broken using tricks such as applying power glitches during the chip erase operation to terminate the memory erase without affecting the erase of the security fuse, or exposing the chip to UV light for long enough to erase the security fuse but not long enough to destroy the memory contents.

Recent revisions of MCUs are not sensitive to such code extraction tricks. In modern chips, an additional voltage monitoring circuit is usually implemented, causing a reset of the hardware programming interface or preventing any write/erase operations below or above certain voltages. What was wrongly assumed, however, is that information must disappear from the memory after it has been erased. In fact, some traces of the data are still left after the erase operation, and to get the information back one only has to find the right method to measure the residual charge on a floating gate, or the threshold of a memory transistor.

This is not an easy task, but if the security fuse was deactivated during the chip erase operation, the memory can be accessed normally. That allows an engineer to recover the IC's EEPROM program and measure the response from each transistor inside the array by sequentially reading each memory location and microprobing the internal memory bus.

Of course it is not a trivial task, but a determined and experienced MCU program breaker can do this. In some MCUs the threshold level of each transistor can be measured in a fully non-invasive way by playing with the interface and power supply voltages. This is possible because very often the memory sense circuit uses the power supply voltage as a reference.
