Inside the IOActive Silicon Lab: Interpreting Images
In the post “Reading CMOS layout,” we discussed understanding CMOS layout in order to reverse-engineer photographs of a circuit to a transistor-level schematic. This was all well and good, but I glossed over an important (and often overlooked) part of the process: using the photos to observe and understand the circuit’s actual geometry. Optical Microscopy Let’s start with brightfield optical microscope imagery. (Darkfield microscopy is rarely used for semiconductor work.) Although reading lower metal layers on modern deep-submicron processes does usually require electron microscopy, optical microscopes still have…
Inside the IOActive Silicon Lab: Reading CMOS layout
Ever wondered what happens inside the IOActive silicon lab? For the next few weeks we’ll be posting a series of blogs that highlight some of the equipment, tools, attacks, and all around interesting stuff that we do there. We’ll start off with Andrew Zonenberg explaining the basics of CMOS layout. Basics of CMOS Layout When describing layout, this series will use a simplified variant of Mead & Conway’s color scheme, which hides some of the complexity required for manufacturing. Material Color P doping N doping Polysilicon…
Atmel AT91SAM7S Overview
Atmel produces a number of ARM based devices in their portfolio of products. We had one laying around the lab so here we go as usual… The device was a 48 pin QFP type package. We also purchased a sample of the other members of the family although the initial analysis was done on the AT91SAM7S32 part shown above. All pictures will relate to this specific part even though there is not a signifigant difference between the other members of this line except memory sizes. After decapsulating the die from…
Atmel CryptoMemory AT88SC153/1608 :: Security Alert
A “backdoor” has been discovered by Flylogic Engineering in the Atmel AT88SC153 and AT88SC1608 CryptoMemory. Before we get into this more, we want to let you know immediately that this backdoor only involves the AT88SC153/1608 and no other CryptoMemory devices. The backdoor involves restoring an EEPROM fuse with Ultra-Violet light (UV). Once the fuse bit has been returned to a ‘1’, all memory contents is permitted to be read or written in the clear (unencrypted). Normally in order to do so, you need to either authenticate to the device or…
ATMEGA88 Teardown
An 8k FLASH, 512 bytes EEPROM, 512 bytes SRAM CPU operating 1:1 with the external world unlike those Microchip PIC’s we love to write up about :). It’s a 350 nanometer (nm), 3 metal layer device fabricated in a CMOS process. It’s beautiful to say the least; We’ve torn it down and thought we’d blog about it! The process Atmel uses on their .35 micrometer (um) technology is awesome. Using a little HydroFluoric Acid (HF) and we partially removed the top metal layer (M3). Everything is now clearly visible for our…
Security Mechanism of PIC16C558,620,621,622
Last month we talked about the structure of an AND-gate layed out in Silicon CMOS. Now, we present to you how this AND gate has been used in Microchip PICs such as PIC16C558, PIC16C620, PIC16C621, PIC16C622, and a variety of others. If you wish to determine if this article relates to a particular PIC you may be in possession of, you can take an windowed OTP part (/JW) and set the lock-bits. If after 10 minutes in UV, it still says it’s locked, this article applies to your…
AND Gates in logic
As we prepare for the New Year, we wanted to leave you with a piece of logic taken out of an older PIC16C series microcontroller. We want you to guess which micro(s) this gate (well the pair of them) would be found in. After the New Year, we’ll right up on the actual micro(s) and give the answer :). An AND gate in logic is basically a high (logic ‘1’) on all inputs to the gate. For our example, we’re discussing the 2 input AND. It should be noted that…
ST201: ST16601 Smartcard Teardown
ST SmartCards 201 – Introduction to the ST16601 Secure MCU This piece is going to be split into two articles- The first being this article is actually a primer on all of the ST16XYZ series smartcards using this type of Mesh technology. They have overgone a few generations. We consider this device to be a 3rd generation. In a seperate article yet to come, we are going to apply what you have read here to a smartcard used by Sun Microsystems, Inc. called Payflex. From what we have gathered on the internet, they are used to control access to…
Infineon SLE4442
The SLE4442 has been around for a long time. Spanning a little more than 10 years in the field, it has only now began to be replaced by the newer SLE5542 (We have analyzed this device too and will write up an article soon). It is basically a 256 byte 8 bit wide EEPROM with special write protection. In order to successfully write to the device, you need to know a 3 byte password called the Programmable Security Code (PSC). The code is locked tightly inside the memory area of the device and if you…
The KEYLOK USB Dongle. Little. Green. And dead before it was born!
We decided to do a teardown on a Keylok USB based dongle from Microcomputer Applications, Inc. (MAI). Opening the dongle was no challenge at all. We used an x-acto knife to slit the sidewall of the rubber protective coating. This allowed us to remove the dongle’s circuit board from the surrounding protective coating. The top side of the printed circuit board (PCB) is shown above. MAI did not try to conceal anything internally. We were a little surprised by this :(. The backside consists of two tracks…