IC Unlock is also known as IC Crack, IC Attack or IC Decryption. Normally, the ICs in final products are encrypted. An IC unlock service decrypts the IC through semiconductor reverse-engineering approaches. After unlocking, the program on the IC can be read out with a programmer.
There are mainly 8 approaches we use to attack an IC.
1. Software attacking
This technique typically attacks ICs through the processor's communication interfaces, exploiting protocols, cryptographic algorithms, or security holes in these algorithms. A typical example of a software attack was the attack on the early ATMEL AT89C family of microcontrollers. The attacker took advantage of loopholes in the timing design of the erase operation in this series of microcontrollers: a self-designed program stopped the next step, erasing the program memory data, after the encryption lock bit had been erased. The program was then no longer encrypted, and the on-chip program could simply be read out with a programmer.
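The erase-ordering flaw described above, as an added example that is not from the original page or from any vendor: a toy C model that interrupts a chip erase at every possible step and compares clearing the lock bit first against wiping memory first. The `chip` struct, the step model and the byte values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MEM_SIZE 16

/* Toy model of a lock-protected MCU; not any vendor's real erase logic. */
struct chip {
    uint8_t mem[MEM_SIZE];  /* program memory */
    int locked;             /* 1 = read-out protection active */
};
enum erase_order { LOCK_FIRST, MEMORY_FIRST };
/* Chip erase cut off after `steps` internal steps (full erase: MEM_SIZE + 1). */
static void chip_erase(struct chip *c, enum erase_order order, int steps) {
    for (int s = 0; s < steps && s <= MEM_SIZE; s++) {
        if (order == LOCK_FIRST) {
            if (s == 0) c->locked = 0;           /* flaw: unlock before wiping */
            else c->mem[s - 1] = 0xFF;
        } else {
            if (s < MEM_SIZE) c->mem[s] = 0xFF;  /* wipe every byte first */
            else c->locked = 0;                  /* release the lock last */
        }
    }
}

/* Original firmware bytes a programmer can still read out of the chip. */
static int readable_bytes(const struct chip *c) {
    int n = 0;
    for (int i = 0; i < MEM_SIZE; i++)
        if (!c->locked && c->mem[i] != 0xFF) n++;
    return n;
}

/* Worst case over every possible interruption point of the erase. */
static int worst_case_leak(enum erase_order order) {
    int worst = 0;
    for (int steps = 0; steps <= MEM_SIZE + 1; steps++) {
        struct chip c = { .locked = 1 };
        memset(c.mem, 0xA5, MEM_SIZE);           /* constructed firmware bytes */
        chip_erase(&c, order, steps);
        if (readable_bytes(&c) > worst) worst = readable_bytes(&c);
    }
    return worst;
}

int main(void) {
    printf("lock-first:   %d bytes exposed\n", worst_case_leak(LOCK_FIRST));
    printf("memory-first: %d bytes exposed\n", worst_case_leak(MEMORY_FIRST));
    return 0;
}
```

In this model the protection bit is only safe to clear once every memory cell has been wiped, so an interrupted erase leaves the part either still locked or already blank.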
It is also possible to attack an IC through its encryption method, using newly developed attacking devices together with software. Recently, an attacking device has appeared in China named Kai Ke Di Technology 51 chip decryption equipment (developed by an IC attacking professional from Chengdu, China). This device mainly unlocks SyncMos and Winbond ICs, exploiting loopholes in the IC production process. The method is to use a programmer to locate where bytes can be inserted, that is, to find whether the chip has a continuous blank slot (continuous FFFF bytes in the chip). The inserted bytes can execute instructions that send the internal program out of the chip, and the decryption device then intercepts it to obtain the program.
2. Electronic detection attacks
This technique typically monitors, with high temporal resolution, the analog characteristics of all of the processor's power and interface connections during normal operation, and also attacks by monitoring its electromagnetic radiation characteristics. Because the microcontroller is an active electronic device, its power consumption changes as it executes different instructions. This allows the attacker to acquire specific critical information in the microcontroller by detecting and analyzing these changes using special electronic measuring instruments and mathematical statistics. RF programmers that can directly read the program of older encrypted MCU models use this principle.
3. Error Generation Attack Technology
This technique uses abnormal operating conditions to cause processor errors, after which the processor provides additional access that enables the attack. The most widely used error generation techniques are voltage and clock strikes. Low-voltage and high-voltage attacks can be used to disable the protection circuit or force the processor to perform incorrect operations. A clock transition may reset the protection circuitry without disrupting the protected information. Power and clock transitions can affect the decoding and execution of a single instruction in some processors.
4. Probe technology
This technique directly exposes the chip's internal connections, and then observes, manipulates and interferes with the microcontroller to achieve the purpose of the attack.
5. UV attack method
A UV attack applies ultraviolet radiation to the chip to convert the encrypted chip into a non-encrypted chip, and then uses a programmer to read the program directly. This method is suitable for OTP chips; engineers who design microcontrollers know that OTP chips can only be erased by UV light, so wiping off the encryption requires UV. At present, most OTP chips produced in Taiwan can be decrypted using this method. Half of the OTP chips in ceramic packages have a quartz window. This kind of IC can be irradiated with ultraviolet light directly. If the chip is in a plastic package, we need to open the chip first so that the wafer can be exposed to ultraviolet light. Because the encryption of this kind of chip is relatively poor, the basic decryption costs almost nothing, so the market price for decrypting such chips is very cheap, e.g. SONIX SN8P2511 decryption and Infineon SCM decryption.
6. Chip loopholes
Many chips have cryptographic vulnerabilities from design time. Such vulnerabilities can be exploited to read out the code in memory, as in the exploit mentioned in another of our articles: if we can find continuous FF code into which bytes can be inserted, we can reverse out the program. Alternatively, we search whether the code contains a special byte; if there is such a byte, we can use it to reverse the program out. Chips such as Winbond or Shimao MCUs are attacked this way: for example, W78E516 decryption, N79E825 decryption and ATMEL 51 series AT89C51 decryption use byte loopholes in the code.
In addition, some chips have obvious loopholes; for example, an encrypted chip becomes a non-encrypted chip when an electronic signal is applied to a certain pin. Because this attacking technique involves a Chinese MCU manufacturer, we will not list the models here. The chip decryption devices that can be seen on the market today all utilize loopholes in the chip or the program to unlock the IC. However, the approaches that can be bought or shared outside are basically only able to unlock a very limited number of models, as the detailed attacking approaches are highly confidential to each lab or company. At Fast PCB Studio, we developed our own decryption equipment for internal use only. With our self-developed tools we are able to unlock, e.g., MS9S09AW32, and we have a device that can specifically unlock LPC2119, LPC2368 and other similar ARM ICs. Using specialized approaches and tools for a specific IC category makes the outcome very reliable.
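Because the byte-insertion technique described here and under "Software attacking" depends on continuous FF runs, a firmware author can audit an image for such runs before release. The following is an added example, not code from the original page; the function names, the constructed sample image, the 4-byte threshold and the 0x00 fill value are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ff_run { size_t offset, length; };

/* Record runs of at least `min_len` consecutive 0xFF bytes in `img`.
 * Returns the number of runs found; only the first `max_runs` are stored. */
static size_t find_ff_runs(const uint8_t *img, size_t len, size_t min_len,
                           struct ff_run *runs, size_t max_runs) {
    size_t found = 0, start = 0;
    int in_run = 0;
    for (size_t i = 0; i <= len; i++) {          /* i == len flushes a trailing run */
        int is_ff = i < len && img[i] == 0xFF;
        if (is_ff && !in_run) { start = i; in_run = 1; }
        if (!is_ff && in_run) {
            in_run = 0;
            if (i - start < min_len) continue;
            if (found < max_runs) runs[found] = (struct ff_run){ start, i - start };
            found++;
        }
    }
    return found;
}

/* Overwrite each stored run with `fill` so no blank slot is left. */
static void fill_runs(uint8_t *img, const struct ff_run *runs, size_t n, uint8_t fill) {
    for (size_t r = 0; r < n; r++)
        memset(img + runs[r].offset, fill, runs[r].length);
}

/* Constructed 32-byte image: 8 code bytes, 12 blank, 6 code bytes, 6 blank. */
static size_t audit_sample(int pad_first, struct ff_run *runs) {
    uint8_t img[32];
    memset(img, 0x02, sizeof img);               /* stand-in for code bytes */
    memset(img + 8, 0xFF, 12);
    memset(img + 26, 0xFF, 6);
    size_t n = find_ff_runs(img, sizeof img, 4, runs, 4);
    if (!pad_first) return n;
    fill_runs(img, runs, n, 0x00);               /* fill value is an assumption */
    return find_ff_runs(img, sizeof img, 4, runs, 4);
}

int main(void) {
    struct ff_run runs[4];
    printf("blank runs before padding: %zu\n", audit_sample(0, runs));
    printf("blank runs after padding:  %zu\n", audit_sample(1, runs));
    return 0;
}
```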
7. FIB recovery encryption fuse method
This method is suitable for many chips with fuse encryption; the most typical example is unlocking TI's MSP430. Because MSP430 encryption works by burning a fuse, the IC becomes a non-encrypted chip as long as the fuse can be restored. Further models include MSP430F1101A, MSP430F149, MSP430F425 and so on. We normally use a probe to re-connect the fuse. Without such equipment, it is still achievable by contracting the line modification out to a semiconductor modification company. Generally, FIB (focused ion beam) equipment can be used to connect the line, or dedicated laser modification equipment can be used to restore it. This approach is not a preferred solution because the equipment and consumables it needs increase the customer's cost for the IC unlock work. We use this technique only if there is no better method.
8. Modifying the Encryption Circuit
CPLD and DSP chips currently on the market have complex designs and high encryption performance, so they are difficult to decrypt using the methods above. In that case we need to carry out the previously mentioned analysis of the chip's structure, find the encryption circuit, and use chip circuit modification equipment to make changes that cause the encryption circuit to fail. The encrypted DSP or CPLD is then in a non-encrypted state in which the code can be read out. We use this technique for TMS320LF2407A, TMS320F28335, TMS320F2812, etc.
We keep researching new attacking methods. Currently we are able to unlock a large number of IC models. We would be glad to share more when we have new findings on IC unlocking.
Source: Fast PCB Studio
The cost of PCB reverse engineering depends mainly on the size and the layer count of the PCB. The minimum PCB reverse engineering cost at Fast PCB Studio is USD100, for a single-layer PCB of 50mm by 50mm. However, the hole and trace density and the quantity of components will affect the price as well.
Many customers have asked us whether an IC is still unlockable if its model marking has been ground off. The answer is yes.
But how do we unlock an IC whose model marking has been ground off? We can diagnose the IC model from the surrounding circuit design. If it is not identifiable that way, we open the IC cover to check the wafer and find the IC model. However, this procedure relies on rich experience with the hardware structure of various ICs, since there are so many IC types and brands.
With 10+ years of experience in IC unlocking, and circuit and IC design professionals on the team, Fast PCB Studio is ready to help with your project if you have a similar issue with your IC.
Circuit board reverse engineering is also known as PCB cloning. Reversing a complex board requires familiarity with circuit design software, and also a hardware circuit background to resolve the electromagnetic compatibility and electromagnetic interference problems that the reversing work may encounter. Reverse engineers must have a certain ability to resolve these issues.
For PCB reverse engineering, at present, as long as the copy software can directly open and save PROTEL PCB files and all placed element properties fully support the PROTEL format, including the placement function, it is theoretically possible to copy any type of board.
Today, we would like to share 3 common tools for reversing a simple PCB, so that you can do it yourself by following these tips:
1, Suitable Scanner
The accuracy of the copied board depends on two things: the accuracy of the software and the accuracy of the original image. Software that uses 32-bit floating-point representation can be said to have no accuracy limit, so the most important factor is the accuracy of the original scanned image. For example, a 1-megapixel photo can be printed as a 5-inch photo, but if it is enlarged to a 20-inch photo it simply cannot be seen clearly. Similarly, when scanning a high-precision circuit board, a higher DPI (dots per inch) must be chosen for the scan. In other words, the distance between every two points on the scanned image is 1000 / DPI in mil. If the DPI is 400, the distance between two points on the image is 1000/400 = 2.5 mil, that is, the accuracy is 2.5 mil. The line width/gap of a normal high-density PCB will be over 4 mil.
2, PCB copy software
The choice of board-copying software mainly depends on whether its functions are complete. It is best if all of the copy work can be done within the software, so that efficiency is high. This includes component placement that supports PROTEL99SE, as the 99SE component library is very powerful and can be downloaded directly from the Internet. The era of hand-made components is over, because many components, such as BGA components, are sealed with hundreds of components each, and it would be too costly to build them manually.
For circuit stability, a design generally has a large copper area connected to the power line or ground line, which reduces circuit noise and interference. This raises the issue of network copper laying. On complex circuit boards, many copper areas must be connected while many others must be isolated. If this is not handled properly, the copper cannot be added correctly, so the network must be defined for each copper area (e.g. "same network connection, different network isolation").
3, Layer Grinding
When reversing a multi-layer PCB, the middle layers cannot be scanned directly. To copy a multi-layer board, the layers must be milled away, so the multi-layer PCB will inevitably be damaged by the reversing work.
The current common method is to use a fine grinding machine or hand grinding. Some PCBs require both methods to get to the mid-layers. The procedure requires very experienced technicians, as some samples are very fragile and the copper layer can easily be damaged during the process.