Can attackers break any single-chip microcomputer?

In practice, such protection measures are fragile and easily cracked. A single-chip attacker can use special or home-made equipment to exploit loopholes or software defects in the design of the single-chip microcomputer and, through various technical means, extract key information from the chip and obtain the program stored in it.

Therefore, as electronic product design engineers, it is essential to understand the latest single-chip attack techniques, to know ourselves and know our adversary, in order to prevent products that took a great deal of money, time and effort to design from being counterfeited overnight.

Single-chip attack techniques

At present there are four main techniques for attacking single-chip microcomputers:

1. Software attack

This technique typically uses the processor's communication interface and exploits the protocols, the encryption algorithms, or security vulnerabilities in those algorithms. A typical example of a successful software attack is the attack on the earlier ATMEL AT89C series microcontrollers. The attacker exploited a flaw in the timing design of this series' erase operation: using a self-written programming sequence, the erase was stopped after the encryption lock bit had been erased but before the on-chip program memory was erased, which turned an encrypted MCU into an unencrypted one, after which the on-chip program could be read with a programmer.

2. Electronic detection attack

This technique typically monitors the analog characteristics of all power and interface connections of the processor during normal operation with high temporal resolution, and also attacks by monitoring its electromagnetic radiation characteristics. Because the microcontroller is an active electronic device, its supply current changes as it executes different instructions. By analyzing these changes with special electronic measuring instruments and statistical methods, specific key information in the microcontroller can be obtained.

3. Fault generation technique

This technique uses abnormal operating conditions to make the processor malfunction and then provides additional access for the attack. The most widely used fault attacks are voltage surges and clock surges. Low-voltage and high-voltage attacks can disable the protection circuit or force the processor to perform erroneous operations. Clock transients may reset the protection circuit without destroying the protected information. Power and clock transients can affect the decoding and execution of a single instruction in some processors.
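The two preceding techniques both target the point where firmware decides whether protection holds: a power trace can reveal how far a byte-by-byte comparison got, and a clock or voltage glitch can skip the one instruction that branches on the result. The following is an added example (not code from the original article) of how a verification routine can be written to blunt both: the comparison touches every byte with no early exit, the check is performed twice and the two results must agree, and the pass/fail status uses two constants that differ in every bit, so that a single bit flip or a register left at 0x0000 or 0xFFFF never reads as "pass". The unlock-code check, the status values and the sample data are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Status constants with all 16 bits different (bitwise complements), so no
 * single bit flip, and no "zero" or "all ones" bus value, equals AUTH_OK. */
#define AUTH_OK   0x5A3Cu
#define AUTH_FAIL 0xA5C3u

/* Constant-time comparison: every byte is always examined, so there is no
 * early-exit branch whose position would show in a timing or power trace.
 * Returns 0 only when all n bytes match. */
static uint8_t ct_diff(const volatile uint8_t *a, const volatile uint8_t *b, size_t n)
{
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++)
        d |= (uint8_t)(a[i] ^ b[i]);
    return d;
}

/* Verify an entered unlock code against the stored one. The comparison is
 * run twice, in opposite operand order, and both results must agree. The
 * status starts as FAIL and the locals are volatile so the compiler cannot
 * fold the redundant checks into one branch that a glitch could skip. */
uint16_t verify_unlock(const uint8_t *stored, const uint8_t *entered, size_t n)
{
    volatile uint16_t status = AUTH_FAIL;
    volatile uint8_t d1 = ct_diff(stored, entered, n);
    volatile uint8_t d2 = ct_diff(entered, stored, n);

    if (d1 == 0) {
        if (d2 == 0) {
            status = AUTH_OK;
        }
    }
    /* If a glitch corrupted one of the two results they disagree, and the
     * decision is forced back to FAIL regardless of what happened above. */
    if (d1 != d2) {
        status = AUTH_FAIL;
    }
    return status;
}

/* Downstream code must test for the exact OK pattern, never "!= AUTH_FAIL"
 * or "!= 0": a glitched register holding 0x0000 or 0xFFFF is a failure. */
int unlock_granted(uint16_t status)
{
    return status == AUTH_OK;
}

/* Hamming distance between two 16-bit words; documents that the status
 * constants are 16 bit flips apart, not one. */
unsigned hamming16(uint16_t a, uint16_t b)
{
    uint16_t x = (uint16_t)(a ^ b);
    unsigned c = 0;
    while (x) { c += x & 1u; x >>= 1; }
    return c;
}

/* Constructed sample data, not from any real device. */
static const uint8_t kStored[4]  = {0x12, 0x34, 0x56, 0x78};
static const uint8_t kCorrect[4] = {0x12, 0x34, 0x56, 0x78};
static const uint8_t kWrong[4]   = {0x12, 0x34, 0x56, 0x79};

uint16_t demo_correct_code(void) { return verify_unlock(kStored, kCorrect, 4); }
uint16_t demo_wrong_code(void)   { return verify_unlock(kStored, kWrong, 4); }

int main(void)
{
    printf("correct code -> 0x%04X granted=%d\n", demo_correct_code(), unlock_granted(demo_correct_code()));
    printf("wrong code   -> 0x%04X granted=%d\n", demo_wrong_code(), unlock_granted(demo_wrong_code()));
    printf("distance OK/FAIL = %u bits\n", hamming16(AUTH_OK, AUTH_FAIL));
    return 0;
}
```

This pattern raises the cost of a single well-timed glitch; it does not stop an attacker who can inject several precisely placed faults, and whether the compiler preserves the redundant checks should be confirmed by inspecting the generated assembly for the target MCU.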

4. Probe technique

This technique directly exposes the internal wiring of the chip and then observes, manipulates, and interferes with the single-chip microcomputer to carry out the attack. For convenience, the above four attack techniques are divided into two categories. The first is the intrusive attack (physical attack), which requires destroying the package and then working in a specialized laboratory with semiconductor test equipment, microscopes and micropositioners; it takes hours or even weeks to complete. All microprobe techniques are intrusive attacks. The other three methods are non-intrusive attacks, in which the attacked microcontroller is not physically damaged. Non-intrusive attacks are particularly dangerous in some cases because the required equipment can usually be self-made and upgraded, which makes them very cheap.

Most non-intrusive attacks require an attacker with good processor knowledge and software knowledge. In contrast, invasive probe attacks do not require much initial knowledge, and a wide range of similar techniques can often be used to deal with a wide range of products. As a result, attacks on microcontrollers often start with intrusive reverse engineering, and the accumulated experience helps to develop cheaper and faster non-intrusive attack techniques.

General process of intrusive attacks

The first step in an intrusive attack is to remove the chip package. There are two ways to do this: the first is to completely dissolve the chip package and expose the bonding wires; the second is to remove only the plastic package above the silicon die. The first method requires bonding the chip to a test fixture and operating it with a bonding station. The second method requires, in addition to the attacker's knowledge and skills, personal ingenuity and patience, but it is relatively convenient to carry out. The plastic over the chip can be cut away with a knife, and the epoxy resin around the chip etched away with concentrated nitric acid. Hot concentrated nitric acid dissolves the chip package without affecting the chip and wiring. This process is generally carried out under very dry conditions, since the presence of water may attack the exposed aluminum wire connections. The chip is then washed with acetone in an ultrasonic bath to remove residual nitric acid, rinsed with water to remove salts, and dried.

Without an ultrasonic bath, this step is generally skipped. In that case the chip surface will be a little dirty, but this does not affect the UV exposure of the chip. The final step is to locate the protection fuse and expose it to ultraviolet light. Generally, a microscope with at least 100x magnification is used to trace the connection from the programming-voltage input pin to find the protection fuse. Without a microscope, a simple search is performed by exposing different parts of the chip to ultraviolet light and observing the results. An opaque piece of paper is placed over the chip to protect the program memory from the UV light. Exposing the protection fuse to UV light for 5 to 10 minutes destroys the protection bit, after which the program memory can be read directly with a simple programmer.

For a microcontroller that uses a guard layer to protect the EEPROM cells, resetting the protection circuit with UV light is not feasible. For this type of microcontroller, microprobe techniques are typically used to read the memory contents. After the chip package is opened, placing the chip under a microscope makes it easy to find the data bus connecting the memory to the rest of the circuit.

For some reason, the chip's lock bit does not lock access to the memory in programming mode. Using this defect, a probe can be placed on a data line to read the desired data. In programming mode, all information in program and data memory can be read by restarting the read process and connecting the probe to another data line.

Another possible attack is to use equipment such as a microscope and a laser cutter to find the protection fuse and all the signal lines associated with that part of the circuit. Due to design flaws, the entire protection function can be disabled by cutting a certain signal line between the protection fuse and the other circuits. For some reason, this line is far from the other lines, so a laser cutter can cut it completely without affecting adjacent lines. In this way, the contents of the program memory can be read directly with a simple programmer.

Although most common single-chip microcomputers have a fuse-blowing function to protect the code inside them, general-purpose low-end microcontrollers are not positioned as security products, so they often provide no targeted countermeasures and have a low security level. In addition, MCUs are widely used and sold in large volumes, processing is frequently outsourced and technology transferred between manufacturers, and a large amount of technical data leaks. This makes it easier to read the microcontroller's internal program, whether by exploiting design holes in the chip and the manufacturer's test interface, by intrusive attacks that modify the fuse protection bit, or by non-intrusive attacks.

Suggestions for dealing with single-chip cracking

In any case, an attacker with enough investment and time can in theory break through using the above methods. Therefore, when using a single-chip microcomputer for encryption, authentication, or system design, the attacker's cost and time should be increased as much as possible. This is the basic principle that system designers should always keep in mind. In addition, pay attention to the following points:

(1) Before selecting an encryption chip, fully investigate the latest progress in single-chip cracking techniques, including which chips have been confirmed to be crackable. Try not to use chips that can be cracked, or chips of the same series and model.

(2) Try not to use the MCS-51 series MCU, because this MCU is the most popular in China and the most thoroughly studied.

(3) The original creator of a product generally produces in large volume, so a relatively obscure and unpopular single-chip microcomputer can be used to make it harder for counterfeiters to purchase it.

(4) Select a microcontroller with new technology, a new structure and a short time on the market, such as the ATMEL AVR series.

(5) Where the design cost allows, select a smart card chip with a hardware self-destruct function to deal effectively with physical attacks.

(6) If conditions permit, two different types of single-chip microcomputer can be used for backup and mutual verification, which increases the cost of cracking.

(7) Grind off the chip model and other markings, or print a different model on the chip, to confuse attackers. Of course, fundamentally preventing the MCU from being decrypted, the program from being pirated, and other infringements can only be guaranteed by legal means.

Common hardware anti-interference methods for single-chip systems

The main factors affecting the reliable and safe operation of a single-chip system are the various electrical interferences inside and outside the system, together with the system structure design, component selection, installation and manufacturing process. All of these constitute interference factors for the single-chip system; they often cause it to malfunction, which affects product quality and output and can lead to accidents and major economic losses.

There are three basic elements that form interference:

(1) Source of interference: the component, device or signal that causes the interference. Lightning, relays, thyristors, motors and high-frequency clocks, for example, may all become sources of interference.

(2) Propagation path: the path or medium through which the interference travels from the source to the sensitive device. Typical interference propagation paths are conduction through wires and radiation through space.

(3) Sensitive devices: objects that are easily disturbed, such as A/D and D/A converters, microcontrollers, digital ICs and weak-signal amplifiers.

Interference coupling

(1) Direct coupling:
This is the most direct way and one of the most common in a system; for example, an interference signal enters the system through the power line. The most effective countermeasure is to add a decoupling circuit.

(2) Common impedance coupling:
This is also a common form of coupling, which occurs when the currents of two circuits share a common path. To prevent it, circuit design usually ensures that there is no common impedance between the interference source and the victim circuit.

(3) Capacitive coupling:
Also known as electric field coupling or electrostatic coupling; coupling due to the presence of distributed capacitance.

(4) Electromagnetic induction coupling:
Also known as magnetic field coupling; coupling due to distributed electromagnetic induction.

(5) Leakage coupling:
This coupling is purely resistive and occurs when insulation is poor.

Common hardware anti-interference techniques

For the three elements of interference, the main measures are the following.

Suppression of interference sources

Suppressing the interference source means reducing its du/dt and di/dt as much as possible. This is the most important principle in anti-interference design, and it often has a multiplier effect. Reducing the du/dt of the interference source is mainly achieved by connecting a capacitor across it; reducing the di/dt is achieved by connecting an inductor or resistor in series with the source loop and adding a freewheeling diode.

Common measures to suppress interference sources are as follows:

(1) Add a freewheeling diode across the relay coil to eliminate the back-EMF interference generated when the coil is de-energized. The freewheeling diode delays the relay's release time; adding a Zener diode allows the relay to operate more times per unit time.

(2) Connect a spark suppression circuit across the relay contacts (usually a series RC circuit, with a resistance of a few kΩ to tens of kΩ and a capacitance of 0.01 µF) to reduce arcing.

(3) Add a filter circuit to the motor, keeping the capacitor and inductor leads as short as possible.

(4) Each IC on the board should have a 0.01 µF to 0.1 µF high-frequency decoupling capacitor to reduce the IC's impact on the power supply. Pay attention to the routing of these capacitors: the traces should be close to the power pins and as short as possible; otherwise the capacitor's equivalent series resistance increases, which degrades the filtering effect.

(5) Avoid 90-degree bends when routing traces, to reduce high-frequency noise emission.

(6) Connect an RC suppression circuit across the thyristor to reduce the noise it generates (when this noise is severe, the thyristor may break down).

Cutting off the interference propagation path

According to its propagation path, interference is divided into two types: conducted interference and radiated interference.

Conducted interference propagates through a wire to a sensitive device. Since high-frequency interference noise and the useful signal occupy different frequency bands, the high-frequency noise can be cut off by adding a filter to the wire, and sometimes an isolating optocoupler can be added. Power supply noise is the most harmful and needs special attention.

Radiated interference propagates through space to a sensitive device. The general solutions are to increase the distance between the interference source and the sensitive device, isolate them with a ground trace, and add shielding to the sensitive device.

Common measures to cut off the interference propagation path are as follows:

(1) Fully consider the impact of the power supply on the microcontroller. If the power supply is well designed, most of the anti-interference problem of the whole circuit is solved. Many microcontrollers are very sensitive to power supply noise, so add a filter circuit or a voltage regulator to the microcontroller's supply to reduce the interference of supply noise. For example, a ferrite bead and capacitors can form a π-shaped filter; where the requirements are not high, a 100 Ω resistor can be used instead of the ferrite bead.

(2) If MCU I/O ports control noisy devices such as motors, add isolation between the I/O port and the noise source (a π-shaped filter circuit).

(3) Pay attention to the crystal wiring: place the crystal as close as possible to the MCU pins, isolate the clock region with a ground trace, and ground the crystal case.

(4) Partition the circuit board sensibly, for example separating strong and weak signals and digital and analog signals. Keep interference sources (such as motors and relays) as far as possible from sensitive components (such as microcontrollers).

(5) Separate the digital and analog areas with a ground trace. Keep digital ground separate from analog ground and join them to the power ground at a single point. A/D and D/A chip wiring follows the same principle.

(6) Route the ground of the MCU and of high-power devices separately to reduce mutual interference. Place high-power devices at the edge of the board as much as possible.

(7) Using anti-interference components such as ferrite beads, ferrite rings, power filters and shields in key areas such as I/O ports, power lines and board connectors can significantly improve the circuit's immunity to interference.
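Measure (1) above leaves the filter values to the designer. The following added example (not from the original article) sizes a first-order RC section for the case the article allows, a 100 Ω resistor in place of the ferrite bead with a capacitor to ground, and checks what it does to the MCU clock and its harmonics. It treats one resistor-capacitor pair as a simple low-pass with negligible source and load impedance; a real π filter has two capacitors and a ferrite bead whose impedance rises with frequency, so these numbers are an estimate, not a replacement for measurement. The resistor, capacitor, frequency and current values are constructed for the illustration, and the square root is computed locally so the example builds without libm.

```c
#include <stdio.h>

#define TWO_PI 6.283185307179586

/* Square root by Newton's method, so the example links without libm. */
static double newton_sqrt(double x)
{
    if (x <= 0.0) return 0.0;
    double g = x > 1.0 ? x : 1.0;
    for (int i = 0; i < 60; i++) g = 0.5 * (g + x / g);
    return g;
}

/* -3 dB cutoff of an RC low-pass section: f_c = 1 / (2 * pi * R * C). */
double rc_cutoff_hz(double r_ohm, double c_farad)
{
    return 1.0 / (TWO_PI * r_ohm * c_farad);
}

/* Capacitor needed for a wanted cutoff with a given series resistance. */
double rc_capacitor_for_cutoff(double r_ohm, double fc_hz)
{
    return 1.0 / (TWO_PI * r_ohm * fc_hz);
}

/* Magnitude of the section's transfer function at f: 1 / sqrt(1 + (f/fc)^2).
 * 1.0 means the frequency passes unchanged; 0.01 means it is cut to 1 %. */
double rc_gain_at(double r_ohm, double c_farad, double f_hz)
{
    double ratio = f_hz / rc_cutoff_hz(r_ohm, c_farad);
    return 1.0 / newton_sqrt(1.0 + ratio * ratio);
}

/* The price of using a resistor instead of a bead: the MCU's supply current
 * produces a DC drop across it that a bead would not cause. */
double series_drop_volts(double r_ohm, double i_amp)
{
    return r_ohm * i_amp;
}

int main(void)
{
    const double r = 100.0;      /* constructed: the article's 100 ohm substitute */
    const double c = 0.1e-6;     /* constructed: 0.1 uF ceramic to ground */
    const double freqs[] = {1e3, 100e3, 1e6, 12e6};  /* constructed test points */

    printf("fc = %.0f Hz\n", rc_cutoff_hz(r, c));
    for (int i = 0; i < 4; i++)
        printf("%10.0f Hz -> gain %.4f\n", freqs[i], rc_gain_at(r, c, freqs[i]));
    printf("DC drop at 20 mA = %.2f V\n", series_drop_volts(r, 0.020));
    printf("C for fc = 1 kHz: %.2e F\n", rc_capacitor_for_cutoff(r, 1e3));
    return 0;
}
```

With 100 Ω and 0.1 µF the cutoff is about 16 kHz, a 1 MHz component is reduced to roughly 1/63 (about 36 dB), and a 20 mA supply current costs 2 V across the resistor, which is why the article only recommends the resistor substitute when requirements are not high.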

Improving the immunity of sensitive devices

Improving the immunity of sensitive devices means, on the sensitive device's side, minimizing the pickup of interference noise and recovering from an abnormal state as quickly as possible.

Common measures to improve the immunity of sensitive devices are as follows:

(1) Minimize loop areas when routing traces, to reduce induced noise.

(2) Make the power and ground traces as thick as possible; besides reducing the voltage drop, this more importantly reduces coupled noise.

(3) Do not leave idle MCU I/O ports floating; tie them to ground or to the supply. Tie the idle pins of other ICs to ground or to the supply without changing the system logic.

(4) Power supply monitoring and watchdog circuits for the microcontroller, such as the IMP809, IMP706, IMP813, X5043 and X5045, can greatly improve the immunity of the whole circuit.

(5) Provided the speed still meets the requirements, use the lowest possible crystal frequency for the microcontroller and select low-speed digital circuits.

(6) Solder IC devices directly to the board as much as possible and use IC sockets sparingly.
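An external supervisor such as those named in measure (4) only helps if the firmware services it in a way that reflects the real health of the program. The following added example (not from the original article or any of those chips' datasheets) shows the usual firmware-side pattern: each task checks in once per cycle, and the watchdog is serviced only when every task has checked in, so a single task hung by a glitch leads to a reset instead of being masked by a timer interrupt that kicks the watchdog unconditionally. The supervisor is simulated with a tick counter; on a real board wdt_kick() would toggle the supervisor's watchdog input pin. The task names, timeout and simulation are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical tasks of a small MCU application. */
#define TASK_SENSOR 0x01u
#define TASK_COMMS  0x02u
#define TASK_UI     0x04u
#define ALL_TASKS   (TASK_SENSOR | TASK_COMMS | TASK_UI)

#define WDT_TIMEOUT_TICKS 8u   /* simulated supervisor timeout, in main-loop ticks */

static volatile uint8_t g_checkins;     /* tasks that checked in this period */
static uint32_t g_ticks_since_kick;     /* simulated supervisor counter */
static uint32_t g_reset_count;          /* resets the simulation performed */

/* Each task calls this when it completes one cycle of its own work. */
void task_checkin(uint8_t task_bit) { g_checkins |= task_bit; }

/* Simulated hardware kick; a real port would pulse the supervisor's WDI pin. */
static void wdt_kick(void) { g_ticks_since_kick = 0; }

/* Called from the main loop once per tick. The watchdog is kicked only if
 * every monitored task checked in during the period. Returns 1 if kicked. */
int wdt_service(void)
{
    if (g_checkins == ALL_TASKS) {
        wdt_kick();
        g_checkins = 0;       /* open a new period */
        return 1;
    }
    return 0;                 /* at least one task is silent: let it expire */
}

/* Simulated supervisor tick. Returns 1 when a reset fires. */
int wdt_tick(void)
{
    if (++g_ticks_since_kick >= WDT_TIMEOUT_TICKS) {
        g_reset_count++;
        g_ticks_since_kick = 0;
        g_checkins = 0;
        return 1;
    }
    return 0;
}

/* Run `ticks` iterations of the main loop. alive_mask says which tasks are
 * still running; a hung task never checks in. Returns the reset count. */
uint32_t simulate(uint32_t ticks, uint8_t alive_mask)
{
    g_checkins = 0;
    g_ticks_since_kick = 0;
    g_reset_count = 0;
    for (uint32_t t = 0; t < ticks; t++) {
        if (alive_mask & TASK_SENSOR) task_checkin(TASK_SENSOR);
        if (alive_mask & TASK_COMMS)  task_checkin(TASK_COMMS);
        if (alive_mask & TASK_UI)     task_checkin(TASK_UI);
        wdt_service();
        wdt_tick();
    }
    return g_reset_count;
}

int main(void)
{
    printf("all tasks alive, 100 ticks: %u resets\n", (unsigned)simulate(100, ALL_TASKS));
    printf("comms task hung, 100 ticks: %u resets\n",
           (unsigned)simulate(100, (uint8_t)(ALL_TASKS & ~TASK_COMMS)));
    return 0;
}
```

With every task checking in the supervisor is kicked every tick and never expires; with one task hung, no kick is ever issued and a reset fires every 8 ticks, which is the behaviour a designer wants when interference has stalled part of the program.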

Other common anti-interference measures

(1) Filter the AC input with an LC filter to remove high- and low-frequency interference pulses.

(2) Double isolation of the transformer: connect capacitors in series at the primary input of the transformer; connect the shield between the primary and secondary windings to the midpoint of the capacitors between primary and secondary; connect the secondary outer shield to the printed board. This is a key means of hardware anti-interference. Add a low-pass filter on the secondary side to absorb the surge voltage generated by the transformer.

(3) Use an integrated DC regulated power supply, which provides overcurrent, overvoltage and overheating protection.

(4) Isolate the I/O ports with optical, magnetic or relay isolation, removing the common ground.

(5) Use twisted pair for communication lines to eliminate the mutual inductance of parallel wires.

(6) Optical fiber isolation is the most effective measure for lightning protection.

(7) Use an isolation amplifier for A/D conversion, or convert in the field, to reduce error.

(8) Connect the enclosure to earth, both for personal safety and to prevent external electromagnetic field interference.

(9) Add a reset voltage detection circuit, to prevent the CPU from running when the reset is insufficient. Especially for devices with EEPROM, a reset must not change the EEPROM contents.

(10) Printed board process anti-interference:

1) Thicken the power traces, route them properly and ground them, and keep the three buses separate to reduce mutual-inductance oscillation.

2) Between VCC and GND of the main chips such as the CPU, RAM and ROM, connect electrolytic and ceramic capacitors to remove high- and low-frequency interference signals.

3) Use an independent system structure with fewer connectors and less wiring, improving reliability and reducing the failure rate.

4) Ensure reliable contact between ICs and their sockets: use double-spring sockets, or solder the IC directly to the printed board, to prevent contact faults.

5) Where conditions allow, use boards with four or more layers, with the middle two layers as power and ground planes.

Electrolytic capacitor

The electrolyte inside an electrolytic capacitor stores charge. Electrolytic capacitors are divided into positive and negative polarity, similar to a battery, and cannot be connected in reverse. A metal substrate with an oxide film forms the positive electrode, and the negative electrode is connected to the electrolyte (solid or non-solid) through a metal plate.

A non-polar (bipolar) electrolytic capacitor uses a double oxide film structure, equivalent to two polar electrolytic capacitors connected cathode to cathode: its two electrodes are two metal plates, both with an oxide film, and the two oxide films enclose the electrolyte between them. Polar electrolytic capacitors are usually used for power supply filtering, decoupling, signal coupling, time-constant setting and DC blocking in power, medium-frequency and low-frequency circuits. Non-polar electrolytic capacitors are usually used in audio crossover circuits, television S-correction circuits and the starting circuits of single-phase motors.


YANGZHOU POSITIONING TECH CO., LTD. , https://www.pst-thyristor.com