Chip cracking | ichaiyang | 2024-05-09 17:58 | 42

How to read out the program of an STC MCU?

Reading the program out of a protected STC part requires MCU decryption (chip cracking).

MCU decryption

MCU decryption (单片机解密) is also called MCU cracking, chip decryption or IC decryption. Strictly speaking none of these names is precise, but they have become the customary terms: we are used to calling CPLD decryption and DSP decryption "MCU decryption" as well. The microcontroller is only one class of programmable chip. Chips that can be programmed and then locked include DSPs, CPLDs, PLDs, AVR and ARM parts, and so on. Memory chips can also be locked, for example the DS2401, DS2501, AT88S0104, DM2602 and AT88SC0104D; among these are parts designed with built-in encryption algorithms specifically for security use, or for verifying a manufacturer code, and similar functions. Chips of this kind are meant to stop an electronic product from being cloned.

Using special or home-made equipment, exploiting flaws in the design of the microcontroller or defects in its software, and applying a variety of techniques, an attacker can extract key information from the chip and recover the program inside the microcontroller. This is what is meant by MCU decryption.

Decryption process

Remove the chip package

The first step in an invasive attack is to remove the chip's package (sometimes referred to as "opening" the chip).

There are two ways to achieve this:

The first is to dissolve the chip package completely, exposing the metal wiring.

The second is to remove only the plastic packaging on top of the silicon core.

The first method requires bonding the chip to a test fixture with the help of a wire-bonding station. The second method, beyond the attacker's knowledge and the necessary skills, also calls for ingenuity and patience, but it is comparatively convenient and can be carried out entirely at home.

The plastic over the die can be cut away with a knife, and the epoxy around the chip etched away with concentrated nitric acid. Hot concentrated nitric acid dissolves the package without attacking the die or its wiring. The process is generally carried out under very dry conditions, because any water present can corrode the exposed aluminium bond connections (which can make the decryption fail).

Cleaning the chip

The chip is then cleaned with acetone in an ultrasonic bath, and soaked, to remove residual nitric acid.

Locate the protection fuse and destroy it

The final step is to locate the protection fuse and expose it to UV light. A microscope of at least 100x magnification is usually used to trace the line from the programming-voltage input pin to the protection fuse. Without a microscope, a crude search is done by exposing different parts of the chip to UV and observing the result; while doing this the rest of the chip is covered with opaque paper so that the program memory itself is not erased by the UV. Five to ten minutes of UV exposure on the protection fuse destroys the protection bit, after which the contents of program memory can be read out directly with an ordinary programmer.

For microcontrollers whose EEPROM cells are covered by a protective layer, resetting the protection circuit with UV is not feasible. For this type of part, microprobing is generally used to read the memory contents. Once the package is opened and the chip is placed under a microscope, the data bus connecting the memory to the rest of the circuit is easy to find. On some parts, for whatever design reason, the lock bit does not block access to memory in programming mode; this flaw is exploited by placing a probe on one data line and reading out everything on it. The read is then restarted in programming mode with the probe on the next data line, and so on until all of program and data memory has been captured.
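The single-probe read-out described above yields one bit stream per data line, and the bytes only exist once all eight sweeps have been recombined. The following is an added example (not code from the original page) that models that recombination: `probe_capture` stands in for one sweep with the probe on a given data line, and `reassemble` rebuilds the bytes, refusing to proceed if a line is missing or a sweep is short (what a probe losing contact mid-sweep looks like). The 8051 image used as input is constructed sample data, not a real acquisition.

```python
"""Reassemble memory contents from single-line microprobe captures.

Added example, not part of the original page. Models the read-out where a
probe sits on one data-bus line while the chip is stepped through every
address in programming mode, giving a bit stream for that line; the probe
is then moved to the next line and the sweep repeated. The eight captured
streams (one per D0..D7) are recombined into bytes. All sample data below
is constructed.
"""
from typing import Dict, List

BUS_WIDTH = 8


def probe_capture(memory: bytes, line: int) -> List[int]:
    """Simulate one probe sweep: the value of data line `line` at each address."""
    if not 0 <= line < BUS_WIDTH:
        raise ValueError(f"data line {line} out of range 0..{BUS_WIDTH - 1}")
    return [(b >> line) & 1 for b in memory]


def reassemble(captures: Dict[int, List[int]]) -> bytes:
    """Recombine per-line bit streams into bytes (D0 is the least significant bit).

    Raises ValueError if any data line has no capture or the sweeps differ in
    length, so a partial acquisition is never silently turned into a dump.
    """
    missing = [line for line in range(BUS_WIDTH) if line not in captures]
    if missing:
        raise ValueError(f"no capture for data line(s) {missing}")
    lengths = {len(bits) for bits in captures.values()}
    if len(lengths) != 1:
        raise ValueError(f"sweeps have different lengths: {sorted(lengths)}")
    (n,) = lengths
    out = bytearray(n)
    for line, bits in captures.items():
        for addr, bit in enumerate(bits):
            if bit not in (0, 1):
                raise ValueError(f"non-binary sample {bit!r} on D{line} at {addr:#06x}")
            out[addr] |= bit << line
    return bytes(out)


# Constructed sample: a tiny 8051 image. LJMP 0x0010 at the reset vector,
# then at 0x0010: MOV R0,#0x10 / DJNZ R0,$ / SJMP $ (a busy loop).
SAMPLE_IMAGE = (
    bytes([0x02, 0x00, 0x10])
    + bytes(13)
    + bytes([0x78, 0x10, 0xD8, 0xFE, 0x80, 0xFE])
)


def demo() -> bytes:
    """Run all eight sweeps over the sample image and rebuild it."""
    captures = {line: probe_capture(SAMPLE_IMAGE, line) for line in range(BUS_WIDTH)}
    return reassemble(captures)


if __name__ == "__main__":
    image = demo()
    assert image == SAMPLE_IMAGE
    print(image.hex())
```

If the rebuilt image does not start with a plausible reset vector, the usual cause is that the probe positions were labelled in the wrong order; the mapping from physical line to bit position in `reassemble` is the only thing that needs correcting.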

Destroying the protection fuse with a microscope and laser cutter

Another possible line of attack is to use a microscope and a laser cutter to find the protection fuse and then trace every signal line connected to that part of the circuit. Because of a design defect, cutting just one signal line between the protection fuse and the rest of the circuit (or cutting out the whole protection circuit), or adding one to three connections with a focused ion beam (FIB), disables the entire protection function, after which the program memory can be read out directly with an ordinary programmer.

Although most ordinary microcontrollers have a fuse that can be blown to protect the code, low-end parts are not positioned as security products, so they generally provide no targeted countermeasures and offer a low level of security. In addition, microcontrollers are used everywhere, sell in huge volumes, are frequently fabbed and transferred between manufacturers, and a great deal of technical data about them has leaked. This makes it easier to exploit design flaws in such chips and the manufacturers' test interfaces, and to read out the internal program by altering the fuse protection bit or by other invasive and non-invasive means.


1 Connect the programmer to the MCU and open the STC-ISP software.

2 Select the microcontroller model and the serial port.

3 Click the "read" button to read out the microcontroller's internal program.

A part whose protection is still intact will not return its code this way; that is the case the decryption steps above address.