INSIGHTS | November 1, 2007

Unmarked Die Revisions :: Part II

[NOTE- This article will describe a process known as “Wet-Etching“.  Wet-etching is a process that can be very dangerous and we do not recommend anyone reading this try it unless you know what you are doing and have the proper equipment.

The chemicals required such as Hydrofluoric Acid (HF) attack bone marrow.  HF is painless until several hours later when it’s too late to take proper action so please be careful and be responsible. ]

Previously we discussed noticing Microchip making changes to their silicon substrates (aka the die) without marking the outside of the packaging as companies normally do.

See below a picture of the second generation PIC18F1320 die (same one you saw in Part I)-

We thought we would show you what this substrate looks like with a little wet-etching.  The picture below has the top metal (Metal 3 or M3) removed or stripped off-

Flylogic Engineering are experts on doing the unbelievable (unthinkable!) when it comes to silicon-substrate attacks.  We are the only known lab in the world to have ever executed a technique we call, “Selective Wet-Etching” where we lay a mask down and wet-etch only areas we select.  The important thing to point out here is that when we are finished, the part is still 100% functional!  This plays an important role to bypass security meshes or other obstructions.

Now for the good stuff.  We did not etch off the metal completely because we noticed the hole size was touching an active wire on the top metal (M3).  So we decided this was enough and light could easily get back through.

A little more etching and the metal inside this hole would have been gone however the vertical track (wire) to the left would have also been gone.  This was enough and 45 minutes in UV resets the fuses (unlocking the device).

As we explained earlier, this part functions 100% except now the UV light can easily get underneath down to Metal 1 without hindrance.

PS-  Bunnie was right regarding the CPU running on Microcode.  All Microchip PIC’s ranging from the 10 series upto the 18 series contain a micro-coded architecture.  This should shed light to some of you as-to why they are sooo slow (Feed them 40 Mhz, you get an execution time of 10 Mhz).  Some of the newer PIC’s include Phase Lock Loops (PLLs) to 4x the external frequency.

INSIGHTS | October 30, 2007

Safenet iKey 2032 In-depth Look Inside

Chances are you have probably seen one of these little USB based tokens made from  Safenet, Inc.

The one we opened was in a blue shell.

 

Safekey says, iKey 2032 is a compact, two-factor authentication token that provides client security for network authentication, e-mail encryption, and digital signing applications.”

As well, the brochure the link above takes you too states,  iKey 2032s small size and rugged, tamper resistant construction, make it easy to carry so users can always have their unique digital entities with them.”

Now we’re not really sure what tamper resistant construction has to do with making things easy for a user to carry around  but let’s get down to the good stuff.

 

We carefully decapsulated the epoxy covering the die buried inside the 24 pin SOIC part.  What did we find?  We found a Cypress CY7C63613!  We suspected it might be this part because of the pinout.   This is why scratching off the top of the part does not always help.  Even with the silkscreen scratched away, there are only a few possible candidates using this pinout.   Additionally, this CPU is very common used in  USB  applications.

 

Once the CPU was decapsulated, we performed some tests on the device.   After executing some tricks, the software contained internally was magically in our hands.

 

We looked for some type of copyright information in the software but all we found was the USB identifier string at address offset $3C0: i.K.e.y. .2.0.3.2

 

Now that we successfully analyzed the CPU, the protocol for communications to whatever is present under the epoxy is available to us.   At this point, we believe it’s more than a serial EEPROM because this CPU is not strong enough to calculate  asymmetric cryptographic algorithms in a timely manner.

 

Next we carefully removed the die-bonded substrate from the PCB:

 

With the die-bonded device removed and a little cleanup, we can clearly see the bondout pattern for a die-bonded smartcard IC. We can see VCC, RST, CLK, IO, and GND layed out according to the ISO-7816 standard which Flylogic Engineering are experts on.

 

After completely decapsulating the smartcard processor, we found a quite common Philips smartcard IC.   We will call this part from now on the Crypto-Coprocessor (CCP).

 

The CCP fits into place on the PCB.   It is glued down and then five aluminum wires were wedge-bonded to the PCB.   Aluminum wedge-bonding was used so the PCB would not need to be heated which would help them cut down the time required on the assembly line.

 

In preparation for analysis, we had to rebond the  CCP into a 24-pin ceramic dip (CDIP). Although we only needed five contacts rebonded, the die-size was too large to fit into the cavity of an 8-pin CDIP.

 

The CCP is fabricated by Philips.  It appears to be a  ~250nm, five metal layer technology based on the Intel 8051 platform.  It contains 32k of EEPROM, two static ram areas and a ROM nested underneath a mesh made up of someone(s) initials (probably the layout designers).

 

This CPU (The CCP is also a CPU but acting as a slave to the Cypress CPU)  is not secure.   In fact, this CPU is also all over the globe in GSM SIM cards. The only difference is the code contained inside the processor.

 

Some points of interest:

 

Point #1-  The ‘mesh’ protecting probing from the ROM’s databus outputs is NOT SECURE!
Point #2- A quick search on the internet and we came across a public document from when Philips tried to get this part or a part very close to this one common criteria certified. The document labels this assumed to-be part as a, “Philips P8WE5033V0F Secure 8-bit Smart Card Controller.

 

Reading over this document, we find a block diagram on page 8.

 

“Security Sensors” as a block of logic.  That’s ironic considering we opened a gaping hole in their “mesh” over the ROM and the processor still runs 100% functional.

 

Point #3-  For such a “secure” device, Philips could have done a lot more.  The designer’s were pretty careless in a lot of areas.  Simply reconnecting the two tracks together will definately be helpful to an attacker.   A Focused Ion-Beam Workstation can make bond-pads for those two tracks that we can then bond out to the CDIP.  This way  we can short or open this test-circuit.

 

Now ask yourself if you are a potential customer to Safenet, Inc   Would you purchase this token?
INSIGHTS | October 26, 2007

Decapsulated devices

Recently at Toorcon9 (www.toorcon.org), some individuals asked to see images of decapsulated parts still in their packages. I dug around and came up with some examples. Click on any of the pictures for a larger version.

Above: Dallas DS89C450
Above: Microchip dsPIC30F6013

Using our proprietary procedures, all parts remain 100% functional with no degradation after exposing the substrate.

INSIGHTS |

Unmarked Die Revisions :: Part I

We have noticed a few different die revisions on various Microchip’s substrates that caught our attention.  In most case when a company executes any type of change to the die, they change the nomenclature slightly.  An example is the elder PIC16C622.  After some changes, the later part was named the PIC16C622A and there was major silicon layout changes to the newer ‘A’ part.

The PIC16C54 has been through three known silicon revs (‘A’ – ‘C’) and has now been replaced by the PIC16F54.

However, we’ve noticed two different devices from them (PIC12F683 and PIC18F1320) that caught our eye.  The PIC12F683 changes seem purely security related concerns.  The code protection output track was rerouted.

Our guess- They were concerned the magic track was too easilly accessable.

We will focus this article to the PIC18F1320 and consider this as a follow-up to our friends at Bunnie Studios, LLC.  A few years ago Bunnie wrote an article about being able to reset the fuses of the PIC18F1320 to a ‘1’ thus unlocking the once protected PIC.

The newly improvised second generation PIC18F1320 with fill patterns place over open areas.

You might ask yourself:  What are they hiding?  The part contains three metal layers however, the top layer has been partially removed by wet-etching techniques.  This allows us to see below in denser areas.The newly improvised second generation PIC18F1320 now has these cells covered aka Bunnie attack prevention!

Conclusion:  Did they archieve their goal?  From an optical attack, sort-of.  They are not expecting the attacker to be able to selectively remove this covering metal.  Stay tuned for part II of this report where we show you this area with the covering metal removed and the fuses exposed once again!