Any microcontroller, FPGA, secure memory, smartcard, ASIC or custom chip can be successfully attacked given enough time and resources. Those chips were from the following manufacturers: Motorola, Microchip, Atmel,Hitachi, NEC, Xilinx, Lattice, Actel,Cypress, Zilog,Dallas, Mitsubishi, Freescale, Renesas,Altera,TexasInstruments, Intel, Scenix, Fujitsu, STMicroelectronics, Winbond, Holtek, Philips, Temic, Cygnal, Toshiba, Samsung, Ubicom, Siemens, Macronix, Elan, National Semiconductor, NXP.
The list of chips vulnerable to low-cost attacks is very long, here are just some of them: 68HC05xx, 68HC705xx, 68HC08xx, 68HC908xx, 68HC11xx, PIC12Cxx, PIC12Fxx, PIC16Cxx, PIC16Fxx, PIC17Cxx, PIC18Cxx, PIC18Fxx, PIC24HJxx, dsPIC30Fxx, dsPIC33FJxx, AT89Cxx, AT89Sxx, AT90Sxx, ATtinyxx, ATmegaxx, H8/3xx, D78xx, D78Fxx, XC95xx, XCR3xx, XC2Cxx, A500Kxx, A3Pxx, CY7C6xx, Z867xx, Z86Exx, DS2432, M306xx, EPM3xx, EPM7xx, EPM9xx, MSP430Fxx, N87Cxx, SXxx, ST62Txx, ST72Fxx, W921Exx, HT48Rxx, P87LPCxx, T89Cxx, SAB-Cxx, MX10xx, EL78Pxx, LPC3xx.
There are two ways of attacks on microcontrollers – invasive and non-invasive. The first one involves depackaging of the chip followed by exposing certain part of the chip to laser or ion beam, or/and probing under microscope on probing station. Non-invasive attacks include playing around the signals applied to the chip to obtain all necessary information.
If microcontroller has a Mask ROM then as a rule any access is denied by the manufacturer at the stage of production. Meanwhile there might be the way to overcome it if there is some kind of test monitor program on the chip to test the Mask ROM after production. Generally it is very difficult to find it and the fastest way to extract the program is to depackage the chip and read out memory contents optically. Sometimes to increase security manufacturers use transistors with different threshold voltage instead of using presence or absence of a transistor to create cells with 0′s and 1′s. This kind of ROM cannot be read optically. In this case memory contents could be read using microprobing techniques or using selective chemical etching.
If microcontroller has an OTP ROM then end-user can select code protection facility during programming. If it was enabled then it is still possible to apply both invasive and non-invasive attacks. Invasive attacks as a rule include exposing certain part of the chip into Ultra-Violet light, cutting lock lines by laser or restoring security fuses on probing station. Non-Invasive attacks include applying different signals to make internal protection scheme “forget” about protection.
In case of microcontrollers with UV EPROM situation is the same as with OTP ones, because usually they have absolutely the same structure and difference is only in their package.
If microcontroller has an EEPROM memory it is more stable for invasive attacks, because it is very difficult to handle with electrical charge rather than with transistors. Although the same attacks as for OTP microcontrollers could be applied. It is still possible to probe bus lines inside the chip but it requires high skill of attacker. In the same time, non-invasive attacks could be applied very easily. It takes place because EEPROM cell has very specific behavior and very sensible to control signals and to timings of the control signals. That allows the attacker to find ways of overcoming security protection either by selective erasing of the security fuses or by causing the security control scheme get wrong state of the security fuses.
Situation with Flash EPROM microcontrollers practically the same as with EEPROM microcontrollers. Sometimes their security could be easily broken, sometimes harder but the situation still bad. So, there are ways to break the security in almost any Flash and EEPROM microcontroller.
Recently introduced FRAM microcontrollers seems to be more secure due to specific structure of the memory. Although it is still possible to apply microprobing in order to obtain contents of the memory.
Microcontrollers with SRAM quite stable to invasive attacks because any tampering into the device will cause disconnection of the power supply from SRAM with following vanishing of the information. But due to some bugs in hardware and software implementation there is possibility to apply non-invasive attacks on such microcontrollers.
If you’d like to know which MCU we can crack and which MCU we can not crack, please contact me.
If you have a protected MCU to attack, please contact me.