Decryption Methods for Microcontroller Units (MCUs)

Author: Ruiming Office | Added: 2025-09-04 14:56:14

The prerequisites for chip decryption are as follows:

First, you need the relevant knowledge: how an encrypted chip is turned into an unencrypted one.

Second, you need a tool that can read out the program. Some people will say that this is simply a programmer. Yes, it is a programmer, but not every programmer has a read-out function, which is why we sometimes build read-capable programmers specifically for chip decryption. With a read-capable programmer available, we can discuss the principles behind eight common ways of cracking IC chips.

1. Software Attack
This technique usually works through the processor's communication interfaces, exploiting the protocols, the encryption algorithms, or security flaws in those algorithms. A typical example of a successful software attack is the attack on the early ATMEL AT89C series of microcontroller units. Attackers exploited a flaw in the timing design of this series' erase operation: using a self-written program, they triggered the step that clears the encryption lock bits and then halted the sequence before the following step, the erasure of the program memory, could run. This left the microcontroller unencrypted with its code intact, and a programmer could then read the program out.
Building on other known encryption schemes, some devices can be studied and, combined with suitable software, subjected to a software attack. Recently, decryption devices for 51-series chips have appeared in China. Such a decryptor mainly targets flaws in the manufacturing process of SyncMos and Winbond parts. It uses a particular programmer to locate and insert bytes, searching the chip for continuous free space, that is, for runs of FF bytes. The inserted bytes cause the program inside the chip to be sent to instructions outside the chip, where the decryption device captures it, thereby extracting the program from the chip.

2. Electronic Detection Attack
This technique usually monitors, with high time resolution, the analog characteristics of all of the processor's power-supply and interface connections during normal operation, and attacks by monitoring its electromagnetic emissions. Because a microcontroller unit is an active electronic device, its power consumption changes as different instructions are executed. By detecting these changes with specialised electronic measuring instruments and statistical methods, specific key information inside the microcontroller unit can be recovered. RF programmers use this principle to read out the programs of older encrypted MCU models directly.

3. Fault Generation Technique
This technique uses abnormal operating conditions to make the processor malfunction, opening additional avenues for attack. The most widely used fault-generation methods are voltage glitches and clock glitches. Low-voltage and high-voltage attacks can disable the protection circuit or force the processor to execute incorrectly. A transient clock glitch may reset the protection circuit without destroying the protection information. Transient glitches on the power supply and clock can affect the decoding and execution of individual instructions in some processors.
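Since a glitch that corrupts a single compare or a single stored word is exactly what this method relies on, firmware that decides whether read-out is permitted should not rest on one compare. The following C block is an added illustration of that defensive pattern and is not code from the original article; the lock constants, the two-copy lock word and the simulated corruption are all assumptions standing in for a real part's option bytes.

```c
#include <stdint.h>
#include <stdbool.h>

/* Lock states are encoded as multi-bit constants that differ in many bit
 * positions, so one flipped bit or one skipped store cannot turn one value
 * into the other the way it could with 0 and 1. (Assumed values.) */
#define LOCK_SET   0xA5A5u   /* read-out protection enabled  */
#define LOCK_CLEAR 0x3C3Cu   /* read-out protection disabled */

/* Simulated option bytes: the lock is stored twice, the second copy inverted.
 * On real silicon these would be reads of flash or fuse bits. */
typedef struct { uint16_t lock; uint16_t lock_inv; } lock_word_t;

typedef enum { ACCESS_DENY = 0x00, ACCESS_ALLOW = 0x5A } access_t;

static lock_word_t make_lock(uint16_t state) {
    lock_word_t w = { state, (uint16_t)~state };
    return w;
}

/* Naive check of the kind a glitch defeats: a single compare, and any value
 * that is not exactly LOCK_SET (including garbage) is treated as unlocked. */
static bool naive_readout_allowed(const lock_word_t *w) {
    return w->lock != LOCK_SET;
}

/* Hardened check: every value is read twice, both copies must agree, and
 * only an exact LOCK_CLEAR allows access; everything else fails closed. */
static access_t hardened_readout_decision(const lock_word_t *w) {
    uint16_t a  = w->lock;
    uint16_t b  = (uint16_t)~w->lock_inv;
    uint16_t a2 = w->lock;                 /* re-read: catches a transient fault */
    uint16_t b2 = (uint16_t)~w->lock_inv;

    if (a != a2 || b != b2) return ACCESS_DENY;   /* unstable read     */
    if (a != b)             return ACCESS_DENY;   /* copies disagree   */
    if (a == LOCK_SET)      return ACCESS_DENY;   /* explicitly locked */
    if (a != LOCK_CLEAR)    return ACCESS_DENY;   /* undefined state   */
    /* Independent second evaluation, so one skipped compare is not decisive. */
    if ((uint16_t)~w->lock_inv != LOCK_CLEAR) return ACCESS_DENY;
    return ACCESS_ALLOW;
}

/* Simulate corruption of one stored word, which is what a single fault can
 * plausibly cause; the redundant copy is left untouched. */
static lock_word_t corrupt_primary(lock_word_t w, uint16_t value) {
    w.lock = value;
    return w;
}
```

With one copy corrupted, the naive check reports "unlocked" while the hardened check still denies read-out because the two copies no longer agree.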

4. Probe Technique
This technique exposes the chip's internal wiring directly so that the microcontroller unit can be observed, manipulated, and interfered with in order to carry out the attack.

5. Ultraviolet Attack Method
The ultraviolet attack, also known as the UV attack method, irradiates the chip with ultraviolet light, turning the encrypted chip into an unencrypted one, after which the program is read out directly with a programmer. This method applies to One-Time Programmable (OTP) chips. Engineers who work with microcontroller units know that OTP chips can only be erased with ultraviolet light. Encryption also requires ultraviolet light. At present, most of the OTP chips produced in Taiwan can be decrypted this way. Those who are interested can run their own experiments or download the technical material. Half of the OTP chip packages are ceramic packages with quartz windows, which can be irradiated with ultraviolet light directly. If the chip is in a plastic package, it must first be decapped to expose the die before it is irradiated. Because the protection on this kind of chip is so weak, decryption costs almost nothing, and the market price for decrypting such chips, for example the SONIX SN8P2511 and Feiling microcontroller units, is very low.

6. Utilizing Chip Vulnerabilities
Many chips have encryption weaknesses in their design, and such chips can be attacked by exploiting those weaknesses to read the code out of memory. For example, if a weakness of the kind mentioned in our previous articles can be found in the chip's code, such as a run of continuous FF bytes, bytes can be inserted to decrypt it. In addition, one can search for special bytes in the code; if such bytes exist, the program can be extracted with their help. Some chips have even more obvious weaknesses: for example, applying an electrical signal to a particular pin after encryption turns the encrypted chip into an unencrypted one. The chip decryptors currently on the market work by exploiting weaknesses of chips and programs. However, the decryptors that can be bought outside can decrypt only a very small number of models, because decryption companies generally do not disclose or transfer their core techniques; they use the decryption tools they build for their own convenience within their own organisations.

7. Method of Restoring Encryption Fuses by Focused Ion Beam (FIB)
This method applies to the many chips that use fuse-based encryption. The most representative case is the decryption of the TI MSP430. When an MSP430 is encrypted, its fuses are burned; as long as the fuses can be restored, it becomes an unencrypted chip, as in the decryption of the MSP430F101A, MSP430F149, MSP430F425, and so on. Decryption companies generally do this with probes connected to the fuse positions. Since most of them do not own much decryption equipment themselves, some have to ask semiconductor circuit-modification companies to modify the circuit. These generally use FIB (Focused Ion Beam) equipment to reconnect the circuit, or special laser-modification equipment to restore it. There are currently many second-hand machines of this kind in China, and they are very cheap; well-resourced decryption companies have set up their own equipment. Although this method requires equipment and consumables and is not ideal, for many chips there is no better method, and this one is needed to achieve decryption.

8. Method of Modifying Encryption Circuits
The CPLD and DSP chips currently on the market have complex designs and strong encryption, and it is very difficult to decrypt them with the methods above. It is then necessary to analyse the chip's structure in advance, locate the encryption circuits, and use circuit-modification equipment to alter them so that the encryption circuits are disabled, turning the encrypted DSP or CPLD into an unencrypted chip from which the code can be read.