8 Common approaches for IC Unlock
Published by Fast PCB Studio on
8 Common Approaches for IC Unlock
IC Unlock is also known as IC Crack, IC Attack or IC Decryption. Normally, the IC of the final products are encrypted. IC unlock services is to decrypt the IC through the semiconductor reverse engineering approaches. The program of ICs will be readable by programmer after IC unlocking.
There are mainly 8 approaches we using to attack an IC.
1. Software attacking
The technology typically attacking ICs by using the processor communication interfaces and exploits protocols, cryptographic algorithms, or security holes in these algorithms. A typical
example of software attack was the attack on the early ATMELAT89C family of microcontrollers. The attacker took advantage of the loopholes in the timing design of the erasing operation of the series of microcontrollers: by using a self designed program, stopped the next step of erasing the program memory data, after erasing the encryption locking bit. The program became non encrypted and then just read out the on-chip program by programmer.
It also possible to utilize the encryption methods to attack IC, based on the development of new attacking devices, with some software to do software attacks. Recently, there has been attacking device in China named Kai Ke Di Technology 51 chip decryption equipment ( Developed by an IC attacking Pro from Chengdu, China), this device unlock IC mainly through SyncMos.Winbond, due to the loopholes in the IC production process. The method is to use some programmers to locate inserted bytes , Through this method to find whether the chip has a continuous slot (find the chip continuous FFFF bytes). The bytes inserted is able to to perform the instruction to send the internal program out, and then use the decryption device to intercrypt, to obtain the program.
2. Electronic detection attacks
The technology typically monitors the processor’s analog characteristics of all power and interface connections during normal operation with high temporal resolution and attacks by monitoring its electromagnetic radiation characteristics. Because the microcontroller is an active electronic device, the corresponding power consumption changes as it executes different instructions. This allows the attacker to acquire specific critical information in the microcontroller by analyzing and detecting these changes using special electronic measuring instruments and mathematical statistics. As for the RF programmer can directly read the old model of the encryption MCU program is to use this principle.
3. Error Generation Attack Technology
The technology uses abnormal operating conditions to cause processor errors and then processor provides additional access to enable the attacks. The most widely used errors generation technologies include voltage and clock strikes. Low-voltage and high-voltage attacks can be used to disable the protection to circuit or force the processor to perform incorrect operations. A clock transition may reset the protection circuitry without disrupting the protected information. Power and clock transitions can affect the decoding and execution of a single instruction in some processors.
4. probe technology
The technology is to directly expose the chip internal connections, and then observe, manipulate, interfere with the microcontroller to achieve the purpose of attack.
5. UV attack method
UV attack, is to apply ultraviolet radiation on chip, and convert the encrypted chip into a non-encrypted chip, and then use the programmer to read the program directly. This method is suitable for OTP chips, engineers who designing microcontrollers know that OTP chips can only be erased by UV light. So to wipe off encryption need to use UV. At present, most OTP chips produced in Taiwan can be decrypted using this method. Half of the OTP chip ceramic package will have quartz window. This kind of IC can be directly irradiated with ultraviolet light. If it is plastic package, we need to open the chip first, the wafer can be exposed to ultraviolet light exposure . Because of this chip encryption is relatively poor, the basic decryption does not require any cost, so the market price of the chip decryption is very cheap, e.g SONIX SN8P2511 decryption, Infineon SCM decryption.
6. Chip loopholes
Many chips have cryptographic vulnerabilities at design time. Such chips can exploit vulnerabilities to attack the chip to read out the code in memory, such as the exploit of the chip code mentioned in our another article: If we can find the continuous FF code that can be inserted bytes, we could reverse out the program. Or if some search code contains a special byte, if there is such a byte, we can use this byte to reverse the program out. The chips such as Winbond or Shimao MCU chips, for example, W78E516 decryption, N79E825 decryption, ATMEL 51 series AT89C51 decryption is to use the byte loopholes in the code to attack.
In addition there are some obvious loopholes in the chip, such as a pin in the encryption will become a non-encrypted chip, when adding the electronic signal. Because the attacking technology involves a Chinese MCU manufacturer, we will not listed the models out at here. Chip decryption devices that can be seen on the market today all utilize the loopholes in the chip or the program to realize IC unlock. However, the approaches that can be bought / shared outside is basically only able to unlock very limited number of models, as the detailed attacking approaches are highly confidential to each lab or companies. At Fast PCB Studio, we developed our own decryption equipment for internal uses only. We have the technology with our developed tools whick is able to unlock e.g. MS9S09AW32, or the device that can specifically unlock LPC2119LPC2368 and other similar ARM IC. The outcomes will be very reliable by using the specialized approaches & tools for specific IC catalog.
7. FIB recovery encryption fuse method
This method is suitable for many chips with fuse encryption, the most typical example is TI’s MSP430 unlocking. Because the MSP430 encryption is to burn fuse, as long as the fuse can be restored, then the IC changes to non-encrypted chips. More models such as MSP430F1101A, MSP430F149, MSP430F425 and so on. We normally use the probe to achieve the fuse re-connection. If there is no equipment, it’s still achievable by modifying lines contracting to semiconductor modification companies. General it could use the FIB (focused ion beam) Equipment to connect the line, or with a dedicated laser modification of equipment to restore the line. This approach is not a preferred solution because of the needs for equipment and consumables which increases the customers’ cost for IC unlock work. We will use the technology if there is no a better method.
8. Modifying the Encryption Circuit
Currently on the market, CPLD and DSP chip design is complex, with high encryption performance, using the above method is difficult to do decryption. Then we need to make the previously mentioned analysis for the chip’s structure, and then find the encryption circuit, and use the chip circuit modifying equipment to make some changes, and to make the encryption circuit fails. The encrypted DSP or CPLD then will be into a non-encrypted status which the codes can be read out. We use the technology for TMS320LF2407A, TMS320F28335, TMS320F2812 & etc.
We are keep researching the new attacking methods. Currently we have been able to unlock a lot of IC Models. Would be glad to share more if we have new findings on IC Unlocking.
Source From Fast PCB Studio
www.chinapcbcopy.com