IC cracking is a complex and sophisticated process, with various methods available to attackers. In this article, we will explore the different methods used for IC cracking.
1.Software Attacking
Software attacking involves exploiting the vulnerabilities in the processor communication interfaces, protocols, cryptographic algorithms, or security holes in these algorithms. An example of a software attack is the attack on the early ATMELAT89C family of microcontrollers. The attacker took advantage of the loopholes in the timing design of the erasing operation of the microcontrollers to stop the erasing process after erasing the encryption locking bit. The program became non-encrypted and was then read out by the programmer. Recently, a device called Kai Ke Di Technology 51 chip decryption equipment was developed in China to unlock ICs mainly through SyncMos.Winbond due to the loopholes in the IC production process.
2.Electronic Detection Attacks
This method involves monitoring the processor’s analog characteristics of all power and interface connections during normal operation with high temporal resolution and attacking by monitoring its electromagnetic radiation characteristics. The corresponding power consumption changes as it executes different instructions, allowing the attacker to acquire specific critical information by analyzing and detecting these changes using special electronic measuring instruments and mathematical statistics. RF programmer can directly read the old model of the encryption MCU program using this principle.
3.Error Generation Attack Technology
This technique involves using abnormal operating conditions to cause processor errors, enabling the attacker to provide additional access. The most widely used error generation technologies include voltage and clock strikes. Low-voltage and high-voltage attacks can be used to disable the protection circuit or force the processor to perform incorrect operations. A clock transition may reset the protection circuitry without disrupting the protected information.
4.Probe Technology
Probe technology involves directly exposing the chip’s internal connections and then observing, manipulating, and interfering with the microcontroller to achieve the purpose of the attack.
5.UV Attack Method
The UV attack involves applying ultraviolet radiation to the chip, converting the encrypted chip into a non-encrypted chip, and then using the programmer to read the program directly. This method is suitable for OTP chips, which can only be erased by UV light. At present, most OTP chips produced in Taiwan can be decrypted using this method.
6.Chip Loopholes
Many chips have cryptographic vulnerabilities at design time, which can be exploited to read out the code in memory. For example, the chips such as Winbond or Shimao MCU chips, for example, W78E516 decryption, N79E825 decryption, ATMEL 51 series AT89C51 decryption, use the byte loopholes in the code to attack.
7.FIB Recovery Encryption Fuse Method
This method is suitable for many chips with fuse encryption, such as TI’s MSP430 unlocking. Because the MSP430 encryption is to burn fuse, as long as the fuse can be restored, then the IC changes to non-encrypted chips. We can use the probe to achieve the fuse re-connection.
8.Modifying the Encryption Circuit
For CPLD and DSP chip design, which is complex and has high encryption performance, the above methods are difficult to use. In this case, we need to analyze the chip’s structure, find the encryption circuit, and use the chip circuit modifying equipment to make some changes and make the encryption circuit fail. The encrypted DSP or CPLD can then be read out.