Break Nuvoton W78E62 Flash Memory
Electromagnetic interference (EMI) can affect the process of Break Nuvoton W78E62 Flash Memory. Because the W78E62 has on-chip Flash EPROM, ALE is unused while a program runs in internal ROM space. ALE transitions cause noise, so ALE can be turned off to reduce EMI emission when it is not needed.
Turning off the ALE signal transition only requires setting bit 0 of the AUXR SFR, which is located at 08Eh. While ALE is turned off, it is reactivated whenever the program accesses external ROM/RAM data or jumps to execute external ROM code. ALE turns off again once the access has completed or the program returns to internal ROM code space.
The AO bit in the AUXR register, when set, disables the ALE output. To reduce EMI emission from the oscillation circuitry, the W78E62 allows the user to diminish the gain of the on-chip oscillator amplifiers by using a programmer to clear the B7 bit of the security register.
Once B7 is set to 0, the gain is reduced by half. Care must be taken when diminishing the gain of the oscillator amplifier: halving the gain may cause the external crystal to operate improperly at frequencies above 24 MHz. The values of R, C1 and C2 may need some adjustment when running at lower gain.
POF: Power-off flag. This bit is set by hardware on power-on reset. It can be cleared by software so that firmware can determine whether a chip reset is a warm boot or a cold boot.
GF1, GF0: These two bits are general-purpose flag bits for the user.
PD: Power-down mode bit. Set it to enter power-down mode.
IDL: Idle mode bit. Set it to enter idle mode.
The power-off flag is located at PCON.4. This bit is set when VDD has been applied to the part. It can be used to determine if a reset is a warm boot or a cold boot if it is subsequently reset by software.
Attack Winbond W78E051A Protected Eeprom
Before Attack Winbond W78E051A Protected Eeprom, we need a general idea of its architecture. The W78E051A architecture consists of a core controller surrounded by various registers, five general-purpose I/O ports, 256 bytes of RAM, three timer/counters, and a serial port. The processor supports 111 different opcodes and references both a 64K program address space and a 64K data storage space.
Timers 0, 1, and 2
Timers 0, 1, and 2 each consist of two 8-bit data registers. These are called TL0 and TH0 for Timer 0, TL1 and TH1 for Timer 1, and TL2 and TH2 for Timer 2. The TCON and TMOD registers provide control functions for timers 0 and 1. The T2CON register provides control functions for Timer 2. RCAP2H and RCAP2L are used as reload/capture registers for Timer 2.
The operations of Timer 0 and Timer 1 are the same as in the W78E051A. Timer 2 is a special feature of the W78E051A: it is a 16-bit timer/counter that is configured and controlled by the T2CON register. Like Timers 0 and 1, Timer 2 can operate as either an external event counter or an internal timer, depending on the setting of bit C/T2 in T2CON. Timer 2 has three operating modes: capture, auto-reload, and baud rate generator. The clock speed in capture or auto-reload mode is the same as that of Timers 0 and 1.
New Defined Peripheral
To make the part more suitable for I/O, an extra 4-bit bit-addressable port, P4, and two external interrupts, INT2 and INT3, have been added to either the PLCC or QFP 44-pin package. A description follows:
1. INT2 / INT3
There are two additional external interrupts, INT2 and INT3, whose functions are similar to those of external interrupts 0 and 1 in the standard 80C52. The functions and status of these interrupts are determined and shown by the bits in the XICON (External Interrupt Control) register. The XICON register is bit-addressable but is not a standard register in the standard 80C52. Its address is 0C0H. To set or clear bits in the XICON register, one can use the “SETB (/CLR) bit” instruction. For example, “SETB 0C2H” sets the EX2 bit of XICON.
Reverse Engineering Winbond W78E54B Eeprom Heximal
Reverse Engineering Winbond W78E54B Eeprom Heximal needs to decapsulate the polysilicon package and get access to the chip die, which helps a hacker read out the heximal from its EEPROM area directly.
Here we introduce the main features of the W78E54B. The W78E54B is an 8-bit microcontroller which can accommodate a wider frequency range with low power consumption. The instruction set for the W78E54B is fully compatible with the standard 8051.
The W78E54B contains 16K bytes of Flash EPROM; 256 bytes of RAM; four 8-bit bi-directional and bit-addressable I/O ports; an additional 4-bit I/O port, P4; three 16-bit timer/counters; a hardware watchdog timer; and a serial port. These peripherals are supported by an eight-source, two-level interrupt capability.
To facilitate programming and verification, the Flash EPROM inside the W78E54B allows the program memory to be programmed and read electronically. Once the code is confirmed, the user can protect the code for security.
The W78E54B microcontroller has two power reduction modes, idle mode and power-down mode, both of which are software selectable. The idle mode turns off the processor clock but allows for continued peripheral operation. The power-down mode stops the crystal oscillator for minimum power consumption. The external clock can be stopped at any time and in any state without affecting the processor.
• Fully static design 8-bit CMOS microcontroller
• Wide supply voltage of 4.5V to 5.5V
• 256 bytes of on-chip scratchpad RAM
• 16 KB electrically erasable/programmable Flash EPROM
• 64 KB program memory address space
• 64 KB data memory address space
• Four 8-bit bi-directional ports
• One extra 4-bit bit-addressable I/O port, additional INT2 / INT3 (available on 44-pin PLCC/QFP package)
• Three 16-bit timer/counters
• One full duplex serial port(UART)
• Watchdog Timer
• Eight sources, two-level interrupt capability
• EMI reduction mode
• Built-in power management
• Code protection mechanism
• Packages:
DIP 40: W78E54B-24/40
PLCC 44: W78E54BP-24/40
PQFP 44: W78E54BF-24/40
MC68HC05B6 microcontroller ic extract code
One example is MC68HC05B6 microcontroller ic extract code discussed above. If the power supply voltage is reduced by 50–70% for the period of time that the “AND $0100” instruction is executed, the CPU fetches an FFh value from the EEPROM memory rather than the actual value and this corresponds to the unsecured state of the fuse.
The trick is to carefully calculate the exact time to reduce the supply voltage, otherwise the CPU will stop functioning or go into the reset mode. This is not a difficult task, as the target instruction is executed within the first hundred cycles after the reset. Again, the attacker could use a pattern generator or build his own glitch device.
Reverse Engineering W78E52B Chip Data
The first step in Reverse Engineering W78E52B Chip Data is to understand its main features and general description:
The W78E51B is an 8-bit microcontroller which can accommodate a wider frequency range with low power consumption. The instruction set for the W78E52B is fully compatible with the standard 8051. The W78E52B contains 4K bytes of Flash EPROM; 128 bytes of RAM; four 8-bit bi-directional and bit-addressable I/O ports; an additional 4-bit I/O port, P4; two 16-bit timer/counters; a hardware watchdog timer; and a serial port. These peripherals are supported by a seven-source, two-level interrupt capability. To facilitate programming and verification, the Flash EPROM inside the W78E52B allows the program memory to be programmed and read electronically. Once the code is confirmed, the user can protect the code for security.
The W78E51B microcontroller has two power reduction modes, idle mode and power-down mode, both of which are software selectable. The idle mode turns off the processor clock but allows for continued peripheral operation. The power-down mode stops the crystal oscillator for minimum power consumption. The external clock can be stopped at any time and in any state without affecting the processor.
• Fully static design 8-bit CMOS microcontroller
• Wide supply voltage of 4.5V to 5.5V
• 128 bytes of on-chip scratchpad RAM
• 4 KB On-chip Flash EPROM
• 64 KB program memory address space
• 64 KB data memory address space
• Four 8-bit bi-directional ports
• One extra 4-bit bit-addressable I/O port, additional INT2 / INT3 (available on 44-pin PLCC/QFP package)
• Two 16-bit timer/counters
• One full duplex serial port(UART)
• Watchdog Timer
• Seven sources, two-level interrupt capability
• EMI reduction mode
• Built-in power management
• Code protection mechanism
Power glitches of IC Crack
Power supply voltage fluctuations can shift the threshold level of the transistors. As a result, some flip-flops will sample their input at a different time, or the state of the security fuse will be read incorrectly. This is usually achieved by either increasing the power supply voltage or dropping it for a short period of time, normally from one to ten clock cycles. Power glitches can be applied to a microcontroller with any programming interface, as they can affect both the CPU operation and the hardware security circuit. In general, they are harder to find and exploit than clock glitches because, in addition to the timing parameters, the amplitude and the rise and fall times are variables.
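Both the MC68HC05B6 case and the power-glitch description above come down to a security fuse whose faulted read (FFh) happens to mean "unsecured". The following added example, which is not code from the original page or from any vendor, contrasts that decoding with a fail-secure one in a host-side C model; the unlock pattern, cell layout, read count and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed encoding for illustration; not any real part's fuse layout. */
#define UNLOCK_WORD     0xA5u  /* hardened scheme: the only unlocking pattern */
#define UNLOCK_WORD_INV 0x5Au  /* its complement, kept in a second cell */
#define READS           3      /* redundant reads that must all agree */

typedef uint8_t (*fuse_read_fn)(unsigned cell);

static const uint8_t locked_cells[2]   = { 0x00, 0x00 };
static const uint8_t unlocked_cells[2] = { UNLOCK_WORD, UNLOCK_WORD_INV };

/* Fault-free reads of a locked and of a deliberately unlocked part. */
static uint8_t read_locked(unsigned cell)   { return locked_cells[cell]; }
static uint8_t read_unlocked(unsigned cell) { return unlocked_cells[cell]; }
/* Models the faulted fetch described above: every read returns FFh. */
static uint8_t read_faulted(unsigned cell)  { (void)cell; return 0xFF; }

/* Weak decode: a set bit means "unsecured", so an all-ones read unlocks. */
int weak_is_unsecured(fuse_read_fn rd)
{
    return (rd(0) & 0x01u) != 0;
}

/* Hardened decode: unlock only when the exact word and its complement are
 * seen on every one of READS reads; anything else is treated as secured. */
int hardened_is_unsecured(fuse_read_fn rd)
{
    int ok = 1;
    for (int i = 0; i < READS; i++) {
        if (rd(0) != UNLOCK_WORD || rd(1) != UNLOCK_WORD_INV)
            ok = 0;  /* keep checking the remaining reads */
    }
    return ok;
}

int main(void)
{
    printf("weak, locked part, faulted read:     %d\n", weak_is_unsecured(read_faulted));
    printf("hardened, locked part, clean read:   %d\n", hardened_is_unsecured(read_locked));
    printf("hardened, locked part, faulted read: %d\n", hardened_is_unsecured(read_faulted));
    printf("hardened, unlocked part, clean read: %d\n", hardened_is_unsecured(read_unlocked));
    return 0;
}
```

The design point is that the erased or faulted value of the storage cell should decode to the locked state, so a misread can only fail closed.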
Nuvoton Microcontroller W77E058A Flash Memory Breaking
When we try to carry out the Nuvoton Microcontroller W77E058A Flash Memory Breaking, electromagnetic interference (EMI) can be a problem for the process. Because the part has on-chip Flash EPROM, ALE is unused while a program runs in internal ROM space.
ALE transitions cause noise, so ALE can be turned off to reduce EMI emission when it is not needed. Turning off the ALE signal transition only requires setting bit 0 of the AUXR SFR, which is located at 08Eh. While ALE is turned off, it is reactivated whenever the program accesses external ROM/RAM data or jumps to execute external ROM code.
ALE turns off again once the access has completed or the program returns to internal ROM code space. The AO bit in the AUXR register, when set, disables the ALE output. To reduce EMI emission from the oscillation circuitry, the W77E058A allows the user to diminish the gain of the on-chip oscillator amplifiers by using a programmer to clear the B7 bit of the security register.
Once B7 is set to 0, the gain is reduced by half. Care must be taken when diminishing the gain of the oscillator amplifier: halving the gain may cause the external crystal to operate improperly at frequencies above 24 MHz. The values of R, C1 and C2 may need adjustment when running at lower gain.
POF: Power-off flag. This bit is set by hardware on power-on reset. It can be cleared by software so that firmware can determine whether a chip reset is a warm boot or a cold boot.
GF1, GF0: These two bits are general-purpose flag bits for the user.
PD: Power-down mode bit. Set it to enter power-down mode.
IDL: Idle mode bit. Set it to enter idle mode.
The power-off flag is located at PCON.4. This bit is set when VDD has been applied to the part. It can be used to determine if a reset is a warm boot or a cold boot if it is subsequently reset by software.
Nuvoton Microcomputer W78E51B Encrypted Heximal Recovery
For an engineer who wants to execute Nuvoton Microcomputer W78E51B Encrypted Heximal Recovery, it is necessary to have a general idea of the Microcomputer W78E51B features:
• Fully static design 8-bit CMOS microcontroller
• Wide supply voltage of 4.5V to 5.5V
• 128 bytes of on-chip scratchpad RAM
• 4 KB On-chip Flash EPROM
• 64 KB program memory address space
• 64 KB data memory address space
• Four 8-bit bi-directional ports
• One extra 4-bit bit-addressable I/O port, additional INT2 / INT3 (available on 44-pin PLCC/QFP package)
• Two 16-bit timer/counters
• One full duplex serial port(UART)
• Watchdog Timer
• Seven sources, two-level interrupt capability
• EMI reduction mode
• Built-in power management
• Code protection mechanism
The W78E51B architecture consists of a core controller surrounded by various registers, five general purpose I/O ports, 128 bytes of RAM, two timer/counters, and a serial port. The processor supports 111 different opcodes and references both a 64K program address space and a 64K data storage space.
To make the part more suitable for I/O, an extra 4-bit bit-addressable port, P4, and two external interrupts, INT2 and INT3, have been added to either the PLCC or QFP 44-pin package. A description follows:
INT2 / INT3
There are two additional external interrupts, INT2 and INT3, whose functions are similar to those of external interrupts 0 and 1 in the standard 80C52. The functions and status of these interrupts are determined and shown by the bits in the XICON (External Interrupt Control) register. The XICON register is bit-addressable but is not a standard register in the standard 80C52. Its address is 0C0H. To set or clear bits in the XICON register, one can use the “SETB (/CLR) bit” instruction. For example, “SETB 0C2H” sets the EX2 bit of XICON.
PX3: External interrupt 3 priority high if set
EX3: External interrupt 3 enable if set
IE3: If IT3 = 1, IE3 is set/cleared automatically by hardware when interrupt is detected/serviced
IT3: External interrupt 3 is falling-edge/low-level triggered when this bit is set/cleared by software
PX2: External interrupt 2 priority high if set
EX2: External interrupt 2 enable if set
IE2: If IT2 = 1, IE2 is set/cleared automatically by hardware when interrupt is detected/serviced
IT2: External interrupt 2 is falling-edge/low-level triggered when this bit is set/cleared by software
Clock Glitches Application
Applying clock glitches to some microcontrollers could be difficult. For example, the Texas Instruments MSP430 microcontroller family operates from an internal RC generator in bootloader mode and it is difficult to synchronise to the internal clock and estimate the exact time of the attack. Some smartcards benefit from having randomly inserted delays in the CPU instruction flow, which makes applying the attacks even more difficult. Using power analysis could help, but requires very sophisticated and expensive equipment to extract the reference signal in real time.
Microcontroller W77E58 Embedded Firmware Restoration
When an engineer encounters a PCB whose W77E58 microcontroller has burned out, the part needs to be replaced with a fresh one, and without the firmware the new MCU won’t work. To carry out Microcontroller W77E58 Embedded Firmware Restoration, we first need to understand the functional description of this microcontroller:
The W77E58 architecture consists of a core controller surrounded by various registers, five general purpose I/O ports, 128 bytes of RAM, two timer/counters, and a serial port. The processor supports 111 different opcodes and references both a 64K program address space and a 64K data storage space.
To make the part more suitable for I/O, an extra 4-bit bit-addressable port, P4, and two external interrupts, INT2 and INT3, have been added to either the PLCC or QFP 44-pin package. A description follows:
INT2 / INT3
There are two additional external interrupts, INT2 and INT3, whose functions are similar to those of external interrupts 0 and 1 in the standard 80C52. The functions and status of these interrupts are determined and shown by the bits in the XICON (External Interrupt Control) register. The XICON register is bit-addressable but is not a standard register in the standard 80C52. Its address is 0C0H. To set or clear bits in the XICON register, one can use the “SETB (/CLR) bit” instruction. For example, “SETB 0C2H” sets the EX2 bit of XICON.
XICON – external interrupt control (C0H)
PX3: External interrupt 3 priority high if set
EX3: External interrupt 3 enable if set
IE3: If IT3 = 1, IE3 is set/cleared automatically by hardware when interrupt is detected/serviced
IT3: External interrupt 3 is falling-edge/low-level triggered when this bit is set/cleared by software
PX2: External interrupt 2 priority high if set
EX2: External interrupt 2 enable if set
IE2: If IT2 = 1, IE2 is set/cleared automatically by hardware when interrupt is detected/serviced
IT2: External interrupt 2 is falling-edge/low-level triggered when this bit is set/cleared by software
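When reading disassembled firmware for these parts, a SETB or CLR operand such as 0C2H has to be resolved to a register and flag. The following added example (not vendor code) does that for XICON in host-side C; the function names are hypothetical, and the bit positions other than EX2 assume the flags are listed above from bit 7 (PX3) down to bit 0 (IT2).

```c
#include <stdint.h>
#include <stdio.h>

#define XICON_ADDR 0xC0u   /* XICON byte address, as given in the text */

/* Flag names indexed by bit number, bit 0 first (order assumed from the list). */
static const char *const xicon_bits[8] = {
    "IT2", "IE2", "EX2", "PX2", "IT3", "IE3", "EX3", "PX3"
};

/* Split an 8051 bit-address operand into SFR byte address and bit number.
 * Returns 0 for 00h-7Fh, which address internal RAM rather than an SFR. */
int bitaddr_to_sfr(uint8_t bitaddr, uint8_t *sfr, uint8_t *bit)
{
    if (bitaddr < 0x80u) return 0;
    *sfr = bitaddr & 0xF8u;
    *bit = bitaddr & 0x07u;
    return 1;
}

/* Name of the XICON flag a bit address selects, or NULL if not in XICON. */
const char *xicon_flag(uint8_t bitaddr)
{
    uint8_t sfr, bit;
    if (!bitaddr_to_sfr(bitaddr, &sfr, &bit) || sfr != XICON_ADDR) return NULL;
    return xicon_bits[bit];
}

/* Effect of SETB (set != 0) or CLR (set == 0) on a shadow copy of XICON;
 * operands outside XICON leave the value unchanged. */
uint8_t xicon_apply(uint8_t xicon, uint8_t bitaddr, int set)
{
    uint8_t sfr, bit;
    if (!bitaddr_to_sfr(bitaddr, &sfr, &bit) || sfr != XICON_ADDR) return xicon;
    return set ? (uint8_t)(xicon | (1u << bit)) : (uint8_t)(xicon & ~(1u << bit));
}

int main(void)
{
    uint8_t x = xicon_apply(0x00, 0xC2, 1);   /* SETB 0C2H */
    printf("SETB 0C2H sets %s, XICON = %02Xh\n", xicon_flag(0xC2), x);
    x = xicon_apply(x, 0xC6, 1);              /* SETB 0C6H */
    printf("SETB 0C6H sets %s, XICON = %02Xh\n", xicon_flag(0xC6), x);
    return 0;
}
```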