Break IC, Recover MCU, Microcontroller Reverse Engineering

Archive for January, 2012

We can attack Atmel Chip ATMEGA2561V secure code, please view the Atmel Chip ATMEGA2561V features for your reference:
· Analog MUX can be turned off when setting ACME bit
· TWI Data setup time can be too short
1. Analog MUX can be turned off when setting ACME bit
If the ACME (Analog Comparator Multiplexer Enabled) bit in ADCSRB is set while MUX3 in ADMUX is ‘1’ (ADMUX[3:0]=1xxx), all MUX’es are turned off until the ACME bit is cleared.
Problem Fix/Workaround
Clear the MUX3 bit before setting the ACME bit.
2. TWI Data setup time can be too short
When running the device as a TWI slave with a system clock above 2MHz, the data setup time for the first bit after ACK may in some cases be too short. This may cause a false start or stop condition on the TWI line before Attack Atmel Chip ATmega2561V Secure Code.
Problem Fix/Workaround
Insert a delay between setting TWDR and TWCR.
· Analog MUX can be turned off when setting ACME bit
· TWI Data setup time can be too short
Typical values contained in this data sheet are based on simulations and characterization of other AVR Atmel Chips manufactured on the same process technology when Attack Atmel Chip ATmega2561V Secure Code.
Min and Max values will be available after the device is characterized. The ATmega64 is a low-power CMOS 8-bit Atmel Chip based on the AVR enhanced RISC architecture.
By executing powerful instructions in a single clock cycle, the ATmega64 achieves throughputs approaching 1 MIPS per MHz, allowing the system designer to optimize power consumption versus processing speed.
The AVR core combines a rich instruction set with 32 general purpose working registers.
All the 32 registers are directly connected to the Arithmetic Logic Unit (ALU), allowing two independent registers to be accessed in one single instruction executed in one clock cycle before BREAK IC.
The resulting architecture is more code efficient while achieving throughputs up to ten times faster than conventional CISC Atmel Chips.

We can reverse engineering Atmel MCU ATTINY48 heximal, please view the Atmel MCU ATTINY48 features for your reference:
· High-performance, Low-power AVR® 8-bit Atmel MCU
· Advanced RISC Architecture
– 90 Powerful Instructions – Most Single Clock Cycle Execution
– 32 x 8 General Purpose Working Registers
– Fully Static Operation
Nonvolatile Program and Data Memories
– 1K Byte In-System Programmable Flash Program Memory
Endurance: 1,000 Write/Erase Cycles
– 64 Bytes EEPROM
Endurance: 100,000 Write/Erase Cycles
– Programming Lock for Flash Program Data Security before Reverse Engineering Atmel MCU ATtiny48 Heximal
Peripheral Features
– Interrupt and Wake-up on Pin Change
– Two 8-bit Timer/Counters with Separate Prescalers
– One 150 kHz, 8-bit High-speed PWM Output
– 4-channel 10-bit ADC
One Differential Voltage Input with Optional Gain of 20x
– On-chip Analog Comparator
– Programmable Watchdog Timer with On-chip Oscillator
Special Atmel MCU Features
– In-System Programmable via SPI Port
– Enhanced Power-on Reset Circuit
– Programmable Brown-out Detection Circuit if Reverse Engineering Atmel MCU ATtiny48 Heximal
– Internal, Calibrated 1.6 MHz Tunable Oscillator
– Internal 25.6 MHz Clock Generator for Timer/Counter
– External and Internal Interrupt Sources
– Low-power Idle and Power-down Modes
Power Consumption at 1.6 MHz, 3V, 25°C
– Active: 3.0 mA
– Idle Mode: 1.0 mA
– Power-down: < 1 µA
I/O and Packages
– 8-lead PDIP and 8-lead SOIC: 6 Programmable I/O Lines
Operating Voltages
– 2.7V – 5.5V
Internal 1.6 MHz System Clock
The ATtiny15L is a low-power CMOS 8-bit Atmel MCU based on the AVR RISC architecture if reverse engineering microcontroller.
By executing powerful instructions in a single clock cycle, the ATTINY48 achieves throughputs approaching 1 MIPS per MHz allowing the system designer to optimize power consumption versus processing speed.

We can recovery IC ATTINY48V encrypted firmware, please view the IC ATTINY48V features for your reference:
The AVR core combines a rich instruction set with 32 general purpose working registers.
All the 32 registers are directly connected to the Arithmetic Logic Unit (ALU), allowing two independent registers to be accessed in one single instruction executed in one clock cycle.
The resulting architecture is more code efficient while achieving throughputs up to ten times faster than conventional CISC microcontrollers.
The ATTINY48V provides 1K byte of Flash, 64 bytes EEPROM, six general purpose I/O lines, 32 general purpose working registers, two 8-bit Timer/Counters, one with high speed PWM output, internal oscillators, internal and external interrupts, programmable Watchdog Timer after Recovery IC ATtiny48V Encrypted Firmware.
4-channel 10-bit Analog-to-Digital Converter with one differential voltage input with optional 20x gain, and three software-selectable Power-saving modes.
The Idle mode stops the CPU while allowing the ADC, analog comparator, Timer/Counters and interrupt system to continue functioning.
The ADC Noise Reduction mode facilitates high-accuracy ADC measurements by stopping the CPU while allowing the ADC to continue functioning when Recovery IC ATtiny48V Encrypted Firmware.
The Power-down mode saves the register contents but freezes the oscillators, disabling all other chip functions until the next interrupt or hardware reset.
The wake-up or interrupt on pin change features enable the ATtiny48V to be highly responsive to external events, still featuring the lowest power consumption while in the Power-saving modes.
The device is manufactured using Atmel’s high-density, nonvolatile memory technology. By combining a RISC 8-bit CPU with Flash on a monolithic chip, the ATtiny15L is a powerful microcontroller that provides a highly flexible and cost-efficient solution to many embedded control applications when Recovery IC ATtiny48V Encrypted Firmware.
The peripheral features make the ATTINY48V particularly suited for battery chargers, lighting ballasts and all kinds of intelligent sensor applications.
The ATTINY48V AVR is supported with a full suite of encrypted firmware and system development tools including macro assemblers, encrypted firmware debugger/simulators, In-circuit emulators and evaluation kits after Recover MCU.

We can Decrypt Encrypted Microcontroller ATmega16PA Code, please view the Encrypted Microcontroller ATmega16PA features for your reference:
Port B is a 6-bit I/O port. PB4..0 are I/O pins that can provide internal pull-ups (selected for each bit). PB5 is input or open-drain output.
The use of pin PB5 is defined by a fuse and the special function associated with this pin is external Reset. The port pins are tristated when a reset condition becomes active, even if the clock is not running if decrypt encrypted microcontroller.
The internal oscillator provides a clock rate of nominally 1.6 MHz for the system clock (CK). Due to large initial variation (0.8 -1.6 MHz) of the internal oscillator, a tuning capability is built in.
Through an 8-bit control register – OSCCAL – the system clock rate can be tuned with less than 1% steps of the nominal clock after decrypt encrypted microcontroller.
There is an internal PLL that provides a 16x clock rate locked to the system clock (CK) for the use of the Peripheral Timer/Counter1. The nominal frequency of this peripheral clock, PCK, is 25.6 MHz.
The fast-access register file concept contains 32 x 8-bit general purpose working registers with a single-clock-cycle access time. This means that during one single clock cycle, one ALU (Arithmetic Logic Unit) operation is executed if decrypt encrypted microcontroller.
Two operands are output from the register file, the operation is executed, and the result is stored back in the register file – in one clock cycle.
Two of the 32 registers can be used as a 16-bit pointer for indirect memory access. This pointer is called the Z-pointer, and can address the register file, IO file and the code program memory before decrypt encrypted microcontroller.
The ALU supports arithmetic and logic functions between registers or between a constant and a register. Single-register operations are also executed in the ALU.
Figure 2 shows the ATtiny15L AVR RISC microcontroller architecture. The AVR uses a Harvard architecture concept with separate memories and buses for program and data memories.
The program memory is accessed with a two-stage pipeline. While one instruction is being executed, the next instruction is pre-fetched from the program memory.
This concept enables instructions to be executed in every clock cycle. The program memory is In-System Programmable code memory if Reverse Engineering Microcontroller.

We can break Protected Microcontroller ATMEGA164 locked flash, please view Protected Microcontroller ATMEGA164 features for your reference:
The BOD circuit will only detect a drop in VCC if the voltage stays below the trigger level for longer than 3 µs for trigger level 4.0V, 7 µs for trigger level 2.7V (typical values).
When the Watchdog times out, it will generate a short reset pulse of 1 CK cycle duration. On the falling edge of this pulse, the delay timer starts counting the time-out period tTOUT. Refer to page 34 for details on operation of the Watchdog Timer if Break Protected Microcontroller ATmega164 Locked Flash.
To make use of the reset flags to identify a reset condition, the user should read and then reset the MCUSR as early as possible in the program.
If the register is cleared before another reset occurs, the source of the reset can be found by examining the reset flags. ATmega164 features an internal bandgap reference with a nominal voltage of 1.22V after Break Protected Microcontroller ATmega164 Locked Flash.
This reference is used for Brown-out Detection, and it can be used as an input to the Analog Comparator. The 2.56V reference to the ADC is generated from the internal bandgap reference.
The voltage reference has a start-up time that may influence the way it should be used. The maximum start-up time is TBD. To save power, the reference is not always turned on. The reference is on during the following situations:
1. When the BOD is enabled (by programming the BODEN fuse).
2. When the bandgap reference is connected to the Analog Comparator (by setting the AINBG bit in ACSR).
3. When the ADC is enabled before BREAK IC.