IC decode and anti-decryption have always been in a state of mutual wrestling. There are new decode methods to decode complicated chips and more advanced anti-decode technology to prevent chips from being broken.
Anti-decryption means 1. Change the chip to identify external identification;
Do not print the chip model, change the index chip model, and re-package; this is a relatively simple primary anti-decryption method.
Apply the chip model;
Relatively good protection can achieve by using different safety features in the product. Using multiple fuses can increase the safety of the microcontroller compared to using a single wick. For example: in the PIC16F84, an individual safe fuse.
Wire control reads and writes programs and data. In the PIC16F628, two fuses determine access to the program memory, and the data memory uses a separate safety fuse. The positions of the fuses are far apart from each other, making the defects.
Injection attacks are complicated.
The circle in the upper right corner indicates the location of PIC16F84’s safety fuse.
The white circle on the right shows the location of the three safety fuses of the PIC16F628.
Anti-decryption means 3. Burning the read/write circuit and destroying the test;
Cooking some of the pins used in standard MCU programming is a highly effective way to increase the cost decode. Most microcontrollers are freely read and write memory after the IC decoder has shielded the safety fuse. After one of the pins blown, the external access memory can block even if the safety fuse s remove. Simultaneously, many flash-based microcontrollers can update programs through the boot module in the user code area, eliminating the need for an external parallel writer.
The method of blowing is straightforward. When the voltage is applied, whether positive or negative, it is about the maximum value that the pin can withstand, and about 1A will pass. It can cause permanent damage to the transistor connected to this pin: the PMOS damages the high-side positive voltage, and the NMOS damages the low-side negative voltage.
Since the blown causes damage to the internal structure and the passivation layer, it is not suitable for mass production. The chip parameters will change over time as water and air will slowly penetrate the chip from the damage, resulting in degradation of chip performance. If the power consumption is too large, the life is shortened, and the anti-ESD voltage lower.
High-temperature burned chips lead to wire solder joints. On the left is the photo after opening the package, and on the right is the photo after chemical etching. 200X. Black is the encapsulated tree vinegar after carbonization.
IC decode method complete reverse engineering of I/O using FIB; Use a microprobe to connect to the internal data bus to read the information in the memory; The high voltage burnt chip leads the wire solder joint;
The smart card provides various anti-attack protection for the chip, and the internal voltage sensing protects against overvoltage and Undervoltage from power supply noise attacks. The clock frequency sensor prevents reduced clock frequency attacks from static analysis. It also prevents clock noise from attacking the clock frequency. The random number generator on the chip makes it difficult to attack passwords. Top layer metal grid and internal bus hardware encryption. The light sensor functionally prevents the package of the chip from being opened. A password is required to access the internal memory. Multiple levels of protection make the chip difficult.
Anti-decryption means 5. Asynchronous logic: Self-synchronizing two-wire logic is a crack-proof technology that has only recently developed. Traditional digital logic uses a clock to synchronize operations. But the rise in clock speed makes it more complicated, which leads to an increase of self-synchronous or asynchronous circuit design without clocks. One approach is to use redundancy techniques on the data lines. In two-wire logic, signal 0 or 1 is no longer a high or low voltage on a single line but a combination of signals on a pair of lines. For example, 0 may be LH, and one may be HL. When using a self-synchronizing circuit, the LL signal indicates standstill. The main drawback of these simple arrangements is that they are fragile: circuit defects can lead to unwanted HH states, quickly spreading through the circuit and lock components. One innovation is to exploit this flaw and treat HH as an error signal. This signal can be obtained by tampering with the sensor, causing the component to lock. More interesting is the failure of parts to prevent the output of sensitive information, which may require details with high-security levels in the future. Another development in two-line coding is to reduce power consumption so that all states have the same weight. Two-line coding does not fully guarantee that the data is independent of the power signal. Different line loads will have different results.
Figure layout to control. The self-synchronizing design is resistant to clock noise attacks. If the serial port requires a clock, it is relatively easy to separate the clock with a sensitive circuit. Power supply noise attacks are rarely successful for asynchronous courses, but
EEPROM and the like cannot be protected and may decode. The two-wire design reliably receives alarm signals from tamper sensors and prevents components from running. The result can be to delete sensitive data and issue a global alarm, preventing defect injection attacks. Too successful, the decoder must simultaneously inject two failure states to switch the state of the transmission line from LH to HL, which causes the transmission line to instantaneously enter the HH state and immediately trigger the alarm circuit.