Chip decryption process

Uncovering chip package
The first step in an invasive attack is to remove the chip package (for short, "opening", sometimes called "Kaifeng"; in English, "DECAP", short for decapsulation).
There are two ways to achieve this goal:
The first is to completely dissolve the chip package and expose the metal connections.
The second is to remove only the plastic package over the silicon core.
The first method requires bonding the chip to a test fixture and working with a bonding station. The second method requires personal ingenuity and patience in addition to the attacker's knowledge and necessary skills, but it is relatively convenient and can be carried out entirely at home.
The plastic on the chip can be opened with a knife, and the epoxy resin around the chip can be corroded with concentrated nitric acid. Hot concentrated nitric acid will dissolve the chip package without affecting the chip and wiring. This process is usually carried out under very dry conditions, because the presence of water may corrode exposed aluminum connections (which may result in decryption failure).
Cleaning the chip
1. Then wash the chip with acetone to remove residual nitric acid and immerse it in the ultrasonic tank.
2. Find the position of the protective fuse and destroy it.
3. The last step is to find the location of the protective fuse and expose it to ultraviolet light. A microscope with a magnification of at least 100 times is usually used to trace the protective fuse from the input line of the programming voltage. Without a microscope, a simple search is carried out by exposing different parts of the chip to ultraviolet light and observing the results. Opaque sheets are used to cover the chip during the operation to protect the program memory from ultraviolet light. The protection provided by the fuse can be destroyed by exposing the protective fuse to ultraviolet light for 5~10 minutes. After that, the content of the program memory can be read directly with a simple programmer.
For microcontrollers that use a protective layer to shield the EEPROM cells, resetting the protection circuit with ultraviolet light is not feasible. For this type of MCU, microprobing is usually used to read the memory contents. After the chip package is opened, the chip can be placed under the microscope, and it is easy to find the data bus that connects the memory to other parts of the circuit. For some reason, the chip's lock bit does not lock access to memory in programming mode. With this defect, the probe can be placed on a data line to read all the desired data. By restarting the read process in programming mode with the probe connected to another data line, all the information in the program and data memory can be read.
Destruction of protective fuse with microscope and laser cutting machine
Another possible means of attack is to locate the protective fuse with a microscope and a laser cutting machine, and from there to find all the signal lines associated with this part of the circuit. Because the design is defective, the whole protection function can be disabled by cutting a single signal line from the protective fuse to the other circuits (or cutting out the entire encryption circuit), or by connecting 1~3 gold lines (usually done with FIB, a focused ion beam), so that a simple programmer can be used to read the contents of the program memory directly.
Although most common single-chip microcomputers have a fuse-burning function to protect their internal code, they are not positioned as security products. Therefore, they often provide no targeted precautions and have a low security level. With their wide range of applications, large sales volume, and frequent contract work and technology transfer among manufacturers, a large amount of technical data has leaked out. As a result, reading the internal program of a single-chip microcomputer by exploiting the design vulnerabilities of this type of chip and the manufacturers' test interfaces, using invasive or non-invasive attacks such as modifying the fuse protection bit, has become easier.
