INSIGHTS | August 7, 2010

Parallax Propeller P8X32A Quick Teardown

By Cesar Cerrudo

Parallax has a really neat 8 core 32 bit CPU called the ‘Propeller’. It’s been out for a few years but it is gaining popularity. There is no security with the device as it boots insecurely via a UART or I2C EEPROM. None the less, we thought it was interesting to see an 8 core CPU decapsulated!

One can clearly see 8 columns that appear almost symmetric (except in the middle region). The upper 8 squares are each ‘cogs’ 512 * 32 SRAMs as described in the manual. The middle left 4 and right 4 squares are the ROM’s Parallax describes. The 8 rectangular objects are the 32KB SRAM as described. The 8 cores are basically the 8 columns above the middle ROM’s to include the 512 * 32 SRAMs because they describe each cog as having it’s own 512 * 32 SRAM :).

Last but not least is the logo by Parallax. Nice job Parallax on this beast! We have one favor- implement some flash on the next generation with a security bit ;).

INSIGHTS | August 6, 2010

Echostar v NDS appellate court ruling update

By Christopher Tarnovsky

Normally, I would not mix non-technical with the blog however I thought this deserved a little more attention that it has received.

The ruling which states that NDS has won the lawsuit, vindicates myself and puts Echostar owing NDS almost 18,000,000.00 USD has come down as of 2 days ago.

As well I thought it nice to mention that neither Flylogic nor myself works for/or with Echostar, Nagra, NDS or any other conditional access company in any way or form.

I wish all persons whom this lawsuit effects the best (yes even you Charlie),

Christopher Tarnovsky

infosec

INSIGHTS | February 14, 2010

Infineon / ST Mesh Comparison

By IOActive

Given all the recent exposure from our Infineon research, we have had numerous requests regarding the ST mesh architecture and how Infineon’s design compares to the ST implementation.

Both devices are a 4 metal ~140 nanometer process. Rather than have us tell you who we think is stronger (it’s pretty obvious), we’d like to see your comments on what you the readers think!

The Infineon mesh consists of 5 zones with 4 circuits per zone. This means the surface of the die is being covered by 20 different electrical circuits.

The ST mesh consists of a single wire routed zig-zag across the die. It usually begins next to the VDD pad and ends at the opposite corner of the die. The other wires are simply GND aka ground fingers. On recent designs, we have caught ST using a few of the grounds to tie gates low (noise isolation of extra, unused logic we believe).

Zooming in at 15,000 magnification, the details of each mesh really begin to show. Where at lower resolutions, the Infineon mesh looked dark and solid but as you can see, it is not.

In the Infineon scheme above, each colored wire is the same signal (4 of them per zone). Each color will be randomly spaced per chip design and is connected at either the top or bottom of the die via Metal 3 inter-connects.

The ST simply has the single conductor labeled in red. All green are the fingers of ground which can be usually cut away (removed) without penalty. The latest ST K7xxx devices have a signal present that appears analog. A closer look and a few minutes of testing proved it to simply need to be held high (logic ‘1’) at the sampling side of the line. Interesting how ST tried to obscure the signal.

Infineon does not permanently penalize you if the mesh is not properly repaired and the device is powered up.

ST will permanently penalize you with a bulk-erase of the non-volatile memory (NVM) areas if the sense line (red) is ever a logic low (‘0’) with power applied (irrelevant of reset/clock condition).

You tell us your opinion what you think security wise.

infosec

INSIGHTS | February 12, 2010

We are now on Twitter too!

We probably should have been tweeting (sic?) for some time now but we are finally doing it!

You can join/follow us here: https://x.com/semiconduktor

As well, you can always get to Flylogic through Semiconduktor.com or Semiconduktor.net :).

infosec

INSIGHTS | January 13, 2009

Blackhat USA 2009 Poll – Rev Eng Class

By IOActive

During last years Blackhat and Defcon conferences, several individuals asked me about possibly giving classes on the security model of commonly found microcontrollers. Jeff Moss’ group setup a poll here. Given today’s Silicon technology has become so small yet so large, it would be best to determine which architecture and which devices everyone is most interested in. The current poll will determine which brand micro to target (Atmel AVR or Microchip PIC) and after this is decided, we will need more input to narrow the class down to a few devices of the chosen family.

While the classes are not cheap, all participants will learn and understand the chosen targets security model. Armed with such knowledge will help you to understand and recognize potential risks in future design work allowing you to avoid the possibility of compromise (and I suppose this would also enhance job security :). Full mosaic blowups of the targets, decapsulated devices, use of a probe station and all users will “modify” the security model of their devices themselves (unless they ask for some help). I don’t believe such a class has ever been given and seating will be limited per class.

Feel free to comment here but Blackhat really needs the feedback.

Thank you,

-Christopher Tarnovsky

INSIGHTS | September 13, 2008

Reverse-Engineering Custom Logic (Part 1)

By IOActive

Today we are taking you one step deeper into a microchip than we usually go. We look at transistors and the logic functions they compose, which helps us understand custom ASICs now found in some secured processors.

To reverse-engineer the secret functionality of an ASIC, we identify logic blocks, map out the wiring between the blocks, and reconstruct the circuit diagram. Today, we’ll only be looking at the first step: reading logic. And we start with the easiest example of a logic function: the inverter.

To read logic, you first have to find the transistors and decide where Vcc (+) and ground (-) are located. Transistors are easy to spot. They will always look very similar to those two transistors marked in the picture: A rectangle shape with a line in the middle. Vcc is always next to the larger transistors (PMOS) and ground is closer to the smaller ones (NMOS).

Once you identified the transistors, you draw a small circuit diagram that shows how they are connected to each other. In the example, the inputs of the two transistors are connected and so are their outputs on the left side. From this circuit diagram you can read that whatever you assert at the input, the output will be forced to the opposite state — an inverter.

Every gate will follow these basic principles, but vary in the number and constellation of transistors. A 2-NOR gate (Y = !(A|B) ), for instance, is composed of 4 transistors in this setup:

Once you figured out a gate, you can recognize every occurrence of that function on the whole chip because the exact same shape is always used for the same function. Generally, you only need to read a few dozens gates at most to generate a map of functions across whole chip. Get a head start on reading logic and check out the logic gate collection at The Silicon Zoo.

Here is a challenge for you to try (open in GIMP or Photoshop and toggle between the different layers):

It’s about the hardest function found on most chips with a total of 34 transistors, 3 inputs, 2 outputs, and time-variant behavior. The solution will be posted next week.

General

INSIGHTS |

New Author: Herr Karsten Nohl!

By IOActive

We are proud to announce that those who enjoy reading the blog (which we apologize for the lack of content lately) can soon enjoy reading posts from Karsten Nohl as well.

For those of you who are not familiar with Karsten, he played an important role in the discovery and analysis of the Crypto-1 mathematical algorithm found in Philips (NXP) Mifare RFID devices.

He recently obtained his PhD from University of Virginia in the United States. He’s well known within the Chaos Computer Club (CCC) in Germany as well.

We too look forward to reading Karsten’s posts. Feel free to give Karsten a round of applause by posting a quick comment!

Karsten- Congratulations on your PhD!!

INSIGHTS | April 3, 2008

Atmel AT91SAM7S Overview

By IOActive

Atmel produces a number of ARM based devices in their portfolio of products. We had one laying around the lab so here we go as usual…

The device was a 48 pin QFP type package. We also purchased a sample of the other members of the family although the initial analysis was done on the AT91SAM7S32 part shown above. All pictures will relate to this specific part even though there is not a signifigant difference between the other members of this line except memory sizes.

After decapsulating the die from inside the QFP, we find a beautifully layed out 210nm 5 metal design! Thats right, 5 metal layers! Strangely enough, we would have thought this was a 220nm 5 metal but apparently Atmel doesn’t have a .22um process so this is matching their .21um.

The core runs at 1.8v and allows 1.65v operation (thus it is their ATC20 process being used). The datasheet on the device can be found here. The 32KB Flash part also contains 8KB of SRAM (that’s a lot of ram!).

Notice on this particular layout, there is CMP filler metal (e.g. dead metal, metal slugs that are not connected to anything floating in SIO2) covering almost the entire die.

The picture above actually has had the top 2 metal layers removed. Metal 5 (M5) being the highest with the CMP filler and some power planes. Metal 4 (M4) had additional power planes and routing wires.

With Metals 1-3 still present, we can get a nice overview of the floorplan now. We can see the Flash, Fuses, and SRAM clearly. The Flash has a solid coating of metal over the entire cell area which has become common from Atmel to prevent UV light attacks we suppose?

We can now label the areas on the original top metal overview photo. There is a small boot-rom loader present on the device as well and is explained in the manual.

These cells were actually on Metal 1 and 2 but there are connections via Metal 3 as well.

There were additional power planes across the lower area of the photo from Metal 4 and 5 that cover those fuses however this isn’t buying them any security if the actual lock bits were buried there. A laser can go right through it all keeping the power-bus in tact with a hole in it.

In summary, this is a very well secured device. Fuses buried in a 5 metal layer design make the Microchip DSPIC’s look like a piece of cake in comparision (They are 350nm 4 metal).

We didn’t test this, but we are sure UV will set this fuses to a bad state if you can get the light to the floating gate since most all Atmel’s behave this way.

Nice job Atmel!

INSIGHTS | February 13, 2008

Atmel CryptoMemory AT88SC153/1608 :: Security Alert

By IOActive

A “backdoor” has been discovered by Flylogic Engineering in the Atmel AT88SC153 and AT88SC1608 CryptoMemory.

Before we get into this more, we want to let you know immediately that this backdoor only involves the AT88SC153/1608 and no other CryptoMemory devices.

The backdoor involves restoring an EEPROM fuse with Ultra-Violet light (UV). Once the fuse bit has been returned to a ‘1’, all memory contents is permitted to be read or written in the clear (unencrypted).

Normally in order to do so, you need to either authenticate to the device or use a read-once-given “secure code” as explained in the AT88SC153 datasheet and the AT88SC1608 datasheet.

For those of you who are unfamiliar Atmel’s CryptoMemory, they are serial non-volatile memory (EEPROM) that support a clear or secure channel of communications between a host (typically an MCU) and the memory. What is unique about the CryptoMemory are their capabilities in establishing the secure channel (authenticating to the host, etc).

These device includes:

High-security Memory Including Anti-wiretapping

64-bit Authentication Protocol

Secure Checksum

Configurable Authentication Attempts Counter

These device includes:

Multiple Sets of Passwords
Specific Passwords for Read and Write
Password Attempts Counters
Selectable Access Rights by Zone
High-security Memory Including Anti-wiretapping
64-bit Authentication Protocol
Secure Checksum
Configurable Authentication Attempts Counter

Section 5 of the datasheet labled, “Fuses” clearly states, “Once blown, these EEPROM fuses can not be reset.”

This statement is absolutely false. UV light will erase the fuses back to a ‘1’ state. Care must be used to not expose the main memory to the UV or else it too will erase itself.

We are not going to explain the details of how to use the UV light to reset the fuse. We have tried to contact Atmel but have not heard anything back from them.

Reading deeper into the datasheet under Table 5-1, Atmel writes, “When the fuses are all “1”s, read and write are allowed in the entire memory.”

As strange as it reads, they really do mean even if you have setup security rules in the configuration memory, it doesn’t matter. The fuses override everything and all memory areas are readable in the clear without the need for authentication or encrypted channel! The attacker can even see what the “Secure Code” is (it is not given out in the public documentation, nor with samples). Atmel was even kind enough to leave test pads everywhere so various levels of attackers can learn (entry to expert).

Our proof of concept was tested on samples we acquired through Atmel’s website. Atmel offers samples to anyone however they do not give out the “Secure code” as mentioned above.

The secure code of the AT88SC153 samples was “$D_ $F_ $7_”.
The secure code of the AT88SC1608 was “$7_ $5_ $5_”.

We are not going to show you the low nibble of the 3 bytes to make sure we don’t give the code out to anyone. This is enough proof to whoever else knows this code. That person(s) can clearly see we know their transport code which appears to be common to all samples (e.g. All die on a wafer contain the same secure code until a customer orders parts at which time that customer receives their own secure code.). A person reading this cannot guess the secure code in because there are 12 bits to exhaustively search out and you only have 8 tries ;).

Of all the other CryptoMemory products, only the AT88SC153/1608 has this backdoor. We have successfully analyzed the entire CryptoMemory product line and can say that the backdoor doesn’t exist in any other CryptoMemory part. None of the CryptoMemory parts are actually as “secure” as they make it seem. The words, “Smoke n’ Mirrors” comes to mind (It is almost always like that). In this particular category of CryptoMemory, there are two parts, the AT88SC153 and the larger AT88SC1608.

Thus the questions-

- Why has Atmel only backdoored this part (NSA for you conspiracists)?

- Who was the original intended customer supposed to be?

- Was the original intention of these devices to be used in a product that used some kind of cryptography?

If the above was true, was this device originally intended to be a cryptographic key-vault?

All these questions come to mind because the backdoor makes it so easy to extract the contents of the device they want you to trust. Some of you may be familiar with the GSM A5/1 algorithm having certain bits of the key set to a fixed value.

Judging by the wording of the documentation, Atmel gives the appearance that CryptoMemory are the perfect choice for holding your most valuable secrets.

Give us your thoughts…

INSIGHTS | February 7, 2008

AT90S8515 – Legacy!

Some people asked for some of those older Atmel parts after seeing the MEGA88 and ATMEGA169 teardowns.

Here’s a quick one on the AT90S8515. It’s still very popular even though it’s been replaced by the MEGA8515. It’s built on a larger process and it’s not planarized (.50um and below are planarized but you may find some .50um non-planarized)

8KB Flash, 512 Byte SRAM, 512 Byte EEPROM with 32 working registers. That’s sooo nice! 4x faster than the typical PIC.

There was a mistake in the above picture too when we highlighted the areas! We forgot to outline the EEPROM area.

The side of the array is touching the ‘8’ in 8KB EEPROM above and it runs vertical along-side the FLASH. So in theory there are two 8 bit FLAH arrays and a single 8 bit EEPROM area all running veritical in the “8KB Flash” highlighted area.

Give us your feedback!