Saturday, December 29, 2007
An AND gate in logic is basically a high (logic '1') on all inputs to the gate. For our example, we're discussing the 2 input AND. It should be noted that this is being built from a NAND and that a NAND would require 2 less gates than an AND.
The truth table is all inputs must be a '1' to get a '1' on the output (Y). If any input is a '0', Y = '0'.
The photo above shows the schematic layout using P and N type FETs. A P-FET is conducting between the source and the drain when a logic '0' is presented on its gate. The N-FET is the exact opposite (a '1' conducts).
As seen above, there are 2 signals we labeled 'A' and 'B' routed in the Poly layer of the substrate (under all the metal). This particular circuit is not on the top of the device and had another metal layer above it (Metal 2 or M2). So technically, you are seeing Metal 1 (M1) and lower (Poly, Diffusion).
It's quickly obvious that this is an AND gate but it could also be a NAND by removing the INVERTER and taking the '!Y' signal instead of 'Y'.
The red box to the left is the NAND leaving the red box to the right being the inverter creating our AND gate.
The upper green area are PFET's with the lower green area being NFET's.
After stripping off M1, we now can clearly see the Poly layer and begin to recognize the circuit.
This is a short article and we will follow up after the New Year begins. This is a single AND gate but was part of a pair. From the pair, this was the right side. We call them a pair because they work together to provide the security feature on some of the PIC16C's we're asking you to guess which ones :)
If you have Photoshop, here is a link to a Photoshop image we created for you that you can control the layer opacity to see the remove the top metal to see how the poly and M1 layers connected virtually.
Happy Holidays and Happy Guessing!
Monday, December 17, 2007
This piece is going to be split into two articles-Â
- The first being this article is actually a primer on all of the ST16XYZ series smartcards using this type of Mesh technology.Â They haveÂ overgone a few generations.Â Â We consider this device to be a 3rd generation.
- Â In a seperateÂ article yet to come, we are going to applyÂ what you have read here toÂ a smartcard used by Sun Microsystems, Inc. calledÂ Payflex.Â From what we have gathered on the internet, theyÂ are used toÂ controlÂ access to Sun Ray Ultra Thin Terminals.Â Speaking of the payflex cards, they are commonly foundÂ (new and used) on eBay.
The ST16601 originated as far back as 1994.Â It originallyÂ appeared as a 1.2Â um, 1 metalÂ CMOS process and was laterÂ shrunk to 0.90Â um, 1 metal CMOS to support 2.7v - 5.5v ranges. Â
It appears to be a later generation of the earlier ST16301 processor featuring larger memories (ROM, RAM, EEPROM).
The ST16601Â offers (quick spec is here):
- 6805Â cpu core withÂ a few additional instructions
- Lower instruction cycle counts vs. Motorola 6805.
- Internal Clock can run upto 5 Mhz at 1:1 vs 2:1.
- 6K Bytes of ROM
- 1K Bytes of EEPROM
- 128 Bytes of RAM
- Very high security features including EEPROM flash erase (bulk-erase)
Although it was released in 1994 it was being advertised in thisÂ articleÂ in 1996.Â Is it possible an 'A' version of theÂ ST16601 wasÂ released without a mesh?Â We know theÂ ST16301 was so anything is possible.
Above:Â ST16301 1.2um "secure" MCU sporting 160 bytes of RAM, 3K bytes of ROM, and 1K bytes of EEPROM and NO TOP METAL PROTECTION (MESH).
Above:Â Original 1994 1.2um ST16601B.Â Notice this part has been covered in a mesh that was basically a humoungous ground plane over the device.Â
Above:Â Final revision of the ST16601(C?).Â The part has been shrunk to 0.90um and now has ST's 2nd generation mesh in place.Â The newer mesh still in use today consists of fingers connected to ground and a serpentine sense line connected to power (VDD).
Using our delayering techniques, we removed the top metal mesh from the 1997 version of the part.Â The part numbering systemÂ was changed in 1995 onward to not tell you what partÂ something really is.Â You haveÂ to be knowledgable about the features present and then playÂ match-up from their website to determine the real partÂ number.
As you can see, this part is clearly an ST16601 part exceptÂ it is now calledÂ a K3COA.Â We know that theÂ '3' represents the entire ST16XYZ series from 1995-1997 but we'll get into their numbering system when we write theÂ ST101 articleÂ (we skipped it and jumped straight to ST201 to bring you the good stuff sooner!).
Above:Â Â 1000x magnification of the beginning of theÂ second generation mesh used ont he 1995+ parts.Â This exact mesh is still used today on their latest technology sporting 0.18um and smaller!Â The difference- theÂ wire size and spacing.
In the above image, green is ground, red is connected to power (VDD).Â Breaking this could result in loss of ground to a lower layer as wellÂ asÂ the sense itself.Â The device will not runÂ with a broken mesh.Â
Above you can see Flylogic has successfully broke their mesh and we did it without the use of a Focus Ion-Beam workstation (FIB).Â In fact, we are the ONLY ONES who can open the ST mesh at our leisure and invasively probe whatever we want.Â We've been sucessful down-to 0.18um.
Using our techniques we call, "magic" (okay, it's not magic but we're not telling ;) ), we opened the bus and probed it keeping the chip alive.Â We didn't use any kind of expensive SEM or FIB.Â The equipment used was available back in the 90's to the average hacker!Â We didn't even need a university lab.Â Everything we used was commonly available for under $100.00 USD.Â
This is pretty scary when you think that they are certifying these devices under all kinds of certifications around the world.
Â Stay tuned for more articles on ST smartcards.Â We wanted to show you some old-school devices before showing you current much smaller ones because you have to learn to crawl before you walk!
Saturday, December 1, 2007
It is basically a 256 byte 8 bit wide EEPROM with special write protection.Â In order to successfully write to the device, you need to know a 3 byte password called the Programmable Security Code (PSC).Â The code is locked tightly inside the memory area of the device and if you try to guess it, you have 3 tries before being permanently locked out forever (well forever for some, we can always perform magic on the part).
Note:Â Clicking on all pictures except the diagram will give you a larger ~2 MB 2400 * ~2400 image in a seperate window
The photo above is a picture shows the entire substrate.Â There was still some dirt on the die but it didn't effect our interests.Â The geometry of the device is pretty big (> 2 uM).Â It has one polysilicon layerÂ and one metal layer fabricated using an NMOS process.
Note:Â Just because the device is big does not constitute ease of an attack but it does make execution of an attack easier for an attacker without large amount of expense.
The above diagram has been taken from Page 7 of the SLE4442 PDF.Â
A successful attack on this device means an attacker knows the PSC which enables write operations to the device under attackÂ or the abilityÂ to clone the device under attack into fresh new target who can act like the original device.Â We'll discuss the PSC in more detail below.
We have pretty much identified all the important areas listed on the Page 7 diagramÂ in theÂ above picture.Â We can see again a test circuit that has had its enable sawn off during production.Â We can see the enable line looping back for the die that was placed to the right of this die.Â Notice the duck?Â Hrmmmm... Seems to be pointing at 2 test points.Â We'll just say that the duck probably knows what he's looking at ;)
We left out a few areasÂ noted in the block diagram however the most important areas have been highlighted in red.
We removed the top metal (the only metal layer) and you can now see the diffusion and poly layers.Â You can literally take these two pictures above andÂ create a schematic from them if you understand NMOS circuits.
Possible attacks on the device:
- Electrical glitches:Â Fed through VCC / CLOCK line are possible.Â The circuit latches are all toggled from the serial clock provided by the user.
- Optical Erasure:Â UV seems to clear cells of the EEPROM to zero.Â Masking of the EEPROM except for the 3 PSC bytes would result in a PSC of $00,$00,$00 for that particular device.Â However note this is not a favorable attack as the device would probably become rejected by the host that this device belongs too.
- OpticalÂ glitches:Â TheseÂ give strange results.Â An optical glitch in the right area might produce readback of the PSC code through command $31 (Read Security Memory).
- Bus attacks:Â Sitting on the databus will show you the PSC of the device.Â This method is effective but not easilly accomplish by most.
- PSC Control logic:Â Find the right signal in this area and you can make the device believe a valid PSC has been previously given allowing readback of the PSC through command $31.Â This is our prefered method, just ask the duck ;).
The security model used on this type of device is one in which the host-environment is trusted.Â This is a riskyÂ way of thinking but ironically, it has been used a lot (Fedex/Kinko's payment cards(SLE4442, SLE5542), Telephone cards in use worldwide (ST1335, ST1355), laundry machine smartcards (AT88SC102).
Proof of failure of this trust model has been shown in places such as:
- Phone card emulation in Europe.Â It became so bad, metal detectors were placed inside the phones smartcard area to deter eavesdropping.
- Fedex/Kinko's was successfully compromised by a man named Strom Carlson.Â He demonstrated the abuse of the SLE4442 in use by Kinko's at the time.Â You can read an article about it here.
Thursday, November 15, 2007
We decided to do a teardown on a Keylok USB based dongle from Microcomputer Applications, Inc. (MAI).
A picture of the dongle is to the right.
Opening the dongle was no challenge at all. We used an x-acto knife to slit the sidewall of the rubber protective coating. This allowed us to remove the dongle's circuit board from the surrounding protective coating.
The top side of the printed circuit board (PCB) is shown above. MAI did not try to conceal anything internally. We were a little surprised by this :(.
The backside consists of two tracks and a large ground plane. The circuit is very simple for an attacker to duplicate.
With the devices removed, a schematic can be created literally within minutes. The 20-pin version of CY7C63101A can even be used in place of the smaller SOIC 24-pin package (which is difficult for some to work with). The 20-pin is also available in a dual-inline-package (DIP) making it a great candidate for an attacker to use.
Red pin denotes pin 1 on the device.
You might have seen this picture from the iKey1000 teardown. That's because we borrowed the Cypress pictures from that teardown :).
We performed some magic and once again we have success to unlock the once protected device. A quick look for ASCII text reveals a bunch of text beginning around address $06CB: .B.P.T. .E.n.t.e.r.p.r.i.s.e.s...D.o.n.g.l.e. .D.o.n.g.l.e. .C.o.m.m.<
.E.n.d.P.o.i.n.t.1. .1.0.m.s. .I.n.t.e.r.r.u.p.t. .P.i.p.e.
Ironically, they say, "There are many advantages to using a hardwareâ€“based security solution â€“ AKA, a Dongle. There are even more advantages however to using KEYLOK Dongles over other competing solutions."
Statement's such as the one above are the reason Flylogic Engineering started this blog. We have heard this just one too many times from companies who are franckly pushing garbage. Garbage in, garbage out. Enough said on that.
This dongle is the weakest hardware based security token we have ever seen!! The outer physical protection layers ease of entry places this dongle last on our list of who's hot and who's not!
Tuesday, November 13, 2007
We chose to examine their picoPower line of AVR's since they claim true 1.8v operation. The only picoPower device in stock from Digikey was the ATMEGA169P. We used the 64 pin TQFP package for our review.
We took some quick images of some areas we think you will enjoy-
Delayering the device is one of the steps in analyzing any substrate. The part below was being delayered to remove it's top two metal layers. The part is in-between Metal3 (M3) and Metal1 (M1) right now. Some of Metal2 (M2) has begun to remove. More time would finish off the removal of M2 but this was enough for us.
We are very familiar with the Atmel AVR line (to include the AT90SC smartcard family) and thus left it in the package not being concerned (there are various reasons to remove it completely out of the carrier it is bonded in which we won't get into here).
The lower corner has the die identification (AT 355B6), Corporate logo, and the year.
A picture of the Flash and EEPROM output areas-
It is our opinion that this processor is one of the most secure from the less-than 32 bit MCU off-the-shelf choices out there. There are debug test-points spread around the device (we would love to hear feedback from whoever thinks they see them hint hint) but don't try to probe them if the device is locked. Atmel wised up around 2005 are turned those off if the lockbits are set (Hello Arne!).
Saturday, November 3, 2007
We had two purple iKey 1000 tokens on hand that we took apart-
Cypress 24 pin CY7C63001/101 type USB controller is a likely candidate underneath the epoxy above
Cypress' USB controllers run from a 6 Mhz oscillator and an 8 pin SOIC EEPROM might be beneath this smaller epoxy area
Once we took our initial images of the two sides, it was time to remove whatever was under the epoxy.
If needed, we can clean off the remaining epoxy
There was indeed a serial EEPROM underneath the bottom side.Â Removing took some heat and we lost the cover to our oscillator during the process.
Opening the device revealed exactly what we suspected (we could sort-of tell by the 24 pin SOIC) being familiar with the Cypress family of processors.Â We discovered a Cypress CY7C63101.
The red pin denotes pin 1 of this Cypress CY7C63101
A 200x magnification photo of the die above shows a 20 pin version of the CPU used in the iKey1000 token.
The Cypress CY7C63 family of USB microcontrollers have serious security issues.Â This family ofÂ processors should not be used by anyone expecting their security token to be secure.Â Unfortunately, we've seen a lot of dongles using this family of CPU's.
We successfully read out the CPU (using our magic wand again).Â Poking around the code looking forÂ ASCII text we found the USB identifier string at address offset $0B7:Â Â "i.-.K.e.y"
The code contained inside the Cypress CPU is always static between iKey1000 tokens.Â The Cypress CPU is a One-Time Programmable (OTP) type device.Â There is noÂ non-volatile type memory inside except for for the EPROM you may program once (hence OTP).Â The only changes possible are within the external EEPROM which is a dynamic element to the token.Â The EEPROM turned out to be a commonly foundÂ 24LC64 8K byte EEPROM.Â
Given the above, we can thenÂ assume that the iKey1032 is identical to this token with the except of replacing the 24LC64 with a largerÂ 24LC256 32K byte EEPROM.Â This is a logical assumption supported by Safenet's brochure on the token.
Are you securing your laptop with this token?Â We are not...
We happen to have a 1982 era Siemens 80286 and here's what it looks like: (Click on any picture for a larger version)
If anyone is interested in donatingÂ any old devices such as an i4004 or i8008, please email us.
Thursday, November 1, 2007
The chemicals required such as Hydrofluoric Acid (HF) attack bone marrow.Â HF is painless until several hours later when it's too late to take proper action so please be careful and be responsible.Â ]
Previously we discussed noticing Microchip making changes to their silicon substrates (aka the die) without marking the outside of the packaging as companies normally do.
See below a picture of the second generation PIC18F1320 die (same one you saw in Part I)-
We thought we would show you what this substrate looks like with a little wet-etching.Â The picture below has the top metal (Metal 3 or M3) removed or stripped off-
[Click on photo for a ~2.5 MB version]
Flylogic Engineering are experts on doing the unbelievable (unthinkable!)Â when it comes to silicon-substrate attacks.Â We are the only known lab in the world to have ever executed a technique we call, "Selective Wet-Etching" where we lay a mask down and wet-etch only areas we select.Â The important thing to point out here is that when we are finished, the part is still 100% functional!Â This plays an important role to bypass security meshes or other obstructions.
Now for the good stuff.Â The picture below shows the hole we made.Â We did not etch off the metal completely because we noticed the hole size was touching an active wire on the top metal (M3).Â So we decided this was enough and light could easilly get back through.
Below is a closeup of the hole we made.Â As you can see, it's a lot more open than the other areas.Â A little more etching and the metal inside this hole would have been gone however the vertical track (wire) to the left would have also been gone.Â This was enough and 45 minutes in UV resets the fuses (unlocking the device).
As we explained earlier, this part functions 100% except now the UV light can easilly get underneath down to Metal 1 without hinderence.
PS-Â Bunnie was right regarding the CPU running on Microcode.Â All Microchip PIC's ranging from the 10 series upto the 18 series contain a micro-coded architecture.Â This should shed light to some of you as-to why they are sooo slow (Feed them 40 Mhz, you get an execution time of 10 Mhz).Â Some of the newer PIC's include Phase Lock Loops (PLLs) to 4x the external frequency.
Tuesday, October 30, 2007
[We are aware of issues regarding the images when viewed in the latest Firefox browser.Â This page has been tested on bothÂ Internet ExplorerÂ and Opera to properly display the pictures.]Â
Chances are you haveÂ probably seen one of these little USB based tokens made fromÂ Safenet, Inc.
The one we opened was in a blue shell.
As well, theÂ brochure the link above takes youÂ too states,Â "iKey 2032s small size and rugged, tamperresistant construction, make it easy to carry so users can always have their unique digitalÂ entities with them."Â
Now we're not really sure what tamperresistant construction has to do with making things easy for a user to carry aroundÂ but let's get down to the good stuff.
So we took our token apart and the following picturesÂ are what we found:
Above:Â Main CPU side of the token.Â
Our suspicion:Â Could there be aÂ Cypress CY7C63xxx series CPU present?
Above:Â Something buried under epoxy.Â Appears to be die-bonded to the PCB.
Once initial images of the PCB intact were taken.Â It was time to remove the CPU.
We carefully decapsulated the epoxy covering the die buried inside the 24 pin SOIC part.Â What did we find?Â We found a Cypress CY7C63613!Â We suspected it might be this part because of the pinout.Â This is why scratching off the top of the part does not always help.Â Even with the silkscreen scratched away, there are only a few possible candidates using this pinout.Â Additionally,Â this CPU is very common used inÂ USBÂ applications.
Here is the CPU opened up.Â Note that pin 1 on the PCB is in the upper-right corner while in our picture we rotated the device so pin 1 is in the lower-left (we labeled it with a red dot).
Above:Â Cypress CY7C63613 USB CPU (Click on picture for a larger size)
Above:Â Actual closer view of the bare CPU substrate (Click to see commented higher-res image)
Once the CPU was decapsulated, we performed some tests on the device.Â After executing some tricks, the software contained internally was magically in our hands.
We lookedÂ for some type of copyright information in the software but all we found was the USB identifier string at address offset $3C0: i.K.e.y. .184.108.40.206
Now that we successfully analyzed the CPU, the protocol for communications to whatever is present under the epoxy is available to us.Â At this point, we believe it's more than an serial EEPROM because this CPU is not strong enough to calculateÂ asymmetric cryptographic algorithms in a timely manner.
Next we carefully removed the die-bonded substrate from the PCB:
With the die-bonded device removed and a little cleanup, we can clearly see the bondout pattern for a die-bonded smartcard IC.Â Â In the picture above, we can see VCC, RST, CLK, IO, and GND layed out according to the ISO-7816 standard which Flylogic Engineering are experts on.
After completely decapsulating the smartcard processor, we found a quite common Philips smartcard IC.Â We will call this part from now on the Crypto-Coprocessor (CCP).Â Notice there is still a small spec of dirt in the middle of the die.Â We decided to leave itÂ since it's not in our way.
Rotating this picture of the CCP (50x magnified)Â 90 degrees counter-clockwise,Â you can see how it fits into place on the PCB.Â It is glued down and then five alluminum wires were wedge-bonded to the PCB.Â Alluminum wedge-bonding was used so the PCB would not need to be heated which would help them cut down the time required on theÂ assembly line.
In preparation for analysis, we had to rebond theÂ CCP into a 24-pin ceramic dip (CDIP).Â Although we only needed five contacts rebonded, the die-size was too large to fit into the cavity of an 8-pin CDIP.
The CCP is fabricated by Philips.Â It appears to be aÂ ~250nm, five metal layer technology based on the Intel 8051 platform.Â It contains 32k of EEPROM, two static ram areas and a ROM nested underneath a mesh made up of someone(s) initials (probably the layout designers).
This CPU (The CCP is also a CPU but acting as a slave to the Cypress CPU)Â is not secure.Â In fact, this CPU is also all over the globe in GSM SIM cards.Â Â The only difference is the code contained inside the processor.Â
Some points of interest:
Point #1-Â The 'mesh' protecting probing from the ROM's databus outputs is NOT SECURE!
When we cropped and shrunk this picture, it came out pretty bad.Â However, you can see that there is now an opening where we wrote our url.Â The device is alive still but now has a gaping hole over the signature-mesh.
Point #2-Â A quick search on the internet and we came across a public document from when Philips tried to get this part or a part very close to this one common criteria certified.Â You can find this document here.Â Alternatively in case that link goesÂ bad,Â we have saved a copy of the document here.Â You will need Adobe Acrobat reader to view the document.
The document labels this assumed to-be part as a, "Philips P8WE5033V0F Secure 8-bit Smart Card Controller."
Reading over this document, we find a block diagram on page 8.
In the above diagram they mention, "Security Sensors" as a block of logic.Â That's ironic considering we opened a gaping hole in their "mesh" over the ROM and the processor still runs 100% functional.
Point #3-Â For such a "secure" device, Philips could have done a lot more.Â The designer's were pretty careless in a lot of areas.Â Below are some photo's showing a sawn-off test-enable line.Â Simply reconnecting the two tracks together will definately be helpful to an attacker.Â A Focused Ion-Beam Workstation can make bond-pads for those two tracks that we can then bond out to the CDIP.Â This wayÂ we can short or open this test-circuit.
Above:Â Two test tracks (inside the red box)Â lead off to the left edge of the die.
Above:Â Notice on the very right lower edge there is a wire in orange.Â This was the loop back of the track that has now been sawn off.Â This orange loopback would have belonged to the die to the right of this die when still present on the wafer.
Â Now ask yourself if you are a potential customer to Safenet, Inc-Â Would you purchase this token?