Saturday, December 1, 2007

Infineon SLE4442

The SLE4442 has been around for a long time.  Spanning a little more than 10 years in the field, it has only now began to be replaced by the  newer SLE5542 (We have analyzed this device too and will write up an article soon).

It is basically a 256 byte 8 bit wide EEPROM with special write protection.  In order to successfully write to the device, you need to know a 3 byte password called the Programmable Security Code (PSC).  The code is locked tightly inside the memory area of the device and if you try to guess it, you have 3 tries before being permanently locked out forever (well forever for some, we can always perform magic on the part).

Note:  Clicking on all pictures except the diagram will give you a larger ~2 MB 2400 * ~2400 image in a seperate window

The photo above is a picture shows the entire substrate.  There was still some dirt on the die but it didn't effect our interests.  The geometry of the device is pretty big (> 2 uM).  It has one polysilicon layer and one metal layer fabricated using an NMOS process.

Note:  Just because the device is big does not constitute ease of an attack but it does make execution of an attack easier for an attacker without large amount of expense.

The above diagram has been taken from Page 7 of the SLE4442 PDF.Â

A successful attack on this device means an attacker knows the PSC which enables write operations to the device under attack or the ability to clone the device under attack into fresh new target who can act like the original device.  We'll discuss the PSC in more detail below.

We have pretty much identified all the important areas listed on the Page 7 diagram in the above picture.  We can see again a test circuit that has had its enable sawn off during production.  We can see the enable line looping back for the die that was placed to the right of this die.  Notice the duck?  Hrmmmm... Seems to be pointing at 2 test points.  We'll just say that the duck probably knows what he's looking at ;)

We left out a few areas noted in the block diagram however the most important areas have been highlighted in red.


We removed the top metal (the only metal layer) and you can now see the diffusion and poly layers.  You can literally take these two pictures above and create a schematic from them if you understand NMOS circuits.

Possible attacks on the device:

  • Electrical glitches:  Fed through VCC / CLOCK line are possible.  The circuit latches are all toggled from the serial clock provided by the user.

  • Optical Erasure:  UV seems to clear cells of the EEPROM to zero.  Masking of the EEPROM except for the 3 PSC bytes would result in a PSC of $00,$00,$00 for that particular device.  However note this is not a favorable attack as the device would probably become rejected by the host that this device belongs too.

  • Optical glitches:  These give strange results.  An optical glitch in the right area might produce readback of the PSC code through command $31 (Read Security Memory).

  • Bus attacks:  Sitting on the databus will show you the PSC of the device.  This method is effective but not easilly accomplish by most.

  • PSC Control logic:  Find the right signal in this area and you can make the device believe a valid PSC has been previously given allowing readback of the PSC through command $31.  This is our prefered method, just ask the duck ;).

The security model used on this type of device is one in which the host-environment is trusted.  This is a risky way of thinking but ironically, it has been used a lot (Fedex/Kinko's payment cards(SLE4442, SLE5542), Telephone cards in use worldwide (ST1335, ST1355), laundry machine smartcards (AT88SC102).

Proof of failure of this trust model has been shown in places such as:

  • Phone card emulation in Europe.  It became so bad, metal detectors were placed inside the phones smartcard area to deter eavesdropping.

  • Fedex/Kinko's was successfully compromised by a man named Strom Carlson.  He demonstrated the abuse of the SLE4442 in use by Kinko's at the time.  You can read an article about it here.


  1. [...] shorting a trace might defeat the security measures. You can see high-resolution images of the die on his site. [Strom Carlson] went right to the source and snooped the password with a logic analyzer, as [...]

  2. [...] shorting a trace might defeat the security measures. You can see high-resolution images of the die on his site. [Strom Carlson] went right to the source and snooped the password with a logic analyzer, as [...]

  3. [...] shorting a trace might defeat the security measures. You can see high-resolution images of the die on his site. [Strom Carlson] went right to the source and snooped the password with a logic analyzer, as [...]

  4. The Chinese company xxxxxxxxxx is offering a small box that they claim returns the PSC in just a few seconds. IF it works, then there must be some way of cutting down the search from 16 million. If you write to the first byte of the PSC 3 times, what happens then? Their kit supports wireless cards as well so timing and electrical characteristics cannot be part of the trick.

    Its a fascinating field...

  5. [...] SLE4442, Flylogic Engineering’s Analytical Blog, December 1st, 2007, accessed on [...]

  6. What's the simplest way to identify where's eg. RAM, data bus or security fuses on chip structure, while we have its magnification? Last question what's the best way to remove external metal junctions of Smartcard chip, nitric acid will do the job (fast reacts with copper)? Regards

  7. The Chinese company Setchief offer a box that returns the PSC values after a few seconds so there is certainly a way. The other simple way (and Strom missed this one) is to keep the power flowing to the chip when it's disconnected. A simple 5v supply would have kept the chip in writable mode and the PSC value can be read back. If the hardware vendors try to perform a reset before the chip is removed, just disconnect the RESET line. The hardest it will get is if 1 reset is needed. Simple with a couple of gates to allow only 1 reset to occur.

  8. That box Setchief is selling simply connects in-between the card and the terminal to eavesdroppe.

    In the case of a Fedex/Kinko's store as Strom demonstrated, this unit wont work as it is because the card is completely inside the terminal. Strom used a modified card with a flex-cable to listen.

  9. According to the datasheet, once the PSC value has been written, The PSC can be read until a reset is performed or the card is powered-down. I would imagine that placing 5v between pin1 & pin5 & cutting the RST line would allow the card to be removed after a valid PSC write & then placed in a second reader. Issuing command $34 will read back the 3-byte PSC value....

    or is that too simple???