INSIGHTS, NEWS & DISCOVERIES
FROM IOACTIVE RESEARCHERS

Monday, December 17, 2007

ST201: ST16601 Smartcard Teardown

ST SmartCards 201 - Introduction to the ST16601 Secure MCU

This piece is going to be split into two articles- 

  • The first being this article is actually a primer on all of the ST16XYZ series smartcards using this type of Mesh technology.  They have overgone a few generations.  We consider this device to be a 3rd generation.

  •  In a seperate article yet to come, we are going to apply what you have read here to a smartcard used by Sun Microsystems, Inc. called Payflex.  From what we have gathered on the internet, they are used to control access to Sun Ray Ultra Thin Terminals.  Speaking of the payflex cards, they are commonly found (new and used) on eBay.


The ST16601 originated as far back as 1994.  It originally appeared as a 1.2 um, 1 metal CMOS process and was later shrunk to 0.90 um, 1 metal CMOS to support 2.7v - 5.5v ranges.  

It appears to be a later generation of the earlier ST16301 processor featuring larger memories (ROM, RAM, EEPROM).

The ST16601 offers (quick spec is here):

  • 6805 cpu core with a few additional instructions

  • Lower instruction cycle counts vs. Motorola 6805.

  • Internal Clock can run upto 5 Mhz at 1:1 vs 2:1.

  • 6K Bytes of ROM

  • 1K Bytes of EEPROM

  • 128 Bytes of RAM

  • Very high security features including EEPROM flash erase (bulk-erase)


Although it was released in 1994 it was being advertised in this article in 1996.  Is it possible an 'A' version of the ST16601 was released without a mesh?  We know the ST16301 was so anything is possible.

 

Above:  ST16301 1.2um "secure" MCU sporting 160 bytes of RAM, 3K bytes of ROM, and 1K bytes of EEPROM and NO TOP METAL PROTECTION (MESH).







Above:  Original 1994 1.2um ST16601B.  Notice this part has been covered in a mesh that was basically a humoungous ground plane over the device. 



Above:  Final revision of the ST16601(C?).  The part has been shrunk to 0.90um and now has ST's 2nd generation mesh in place.  The newer mesh still in use today consists of fingers connected to ground and a serpentine sense line connected to power (VDD).



Using our delayering techniques, we removed the top metal mesh from the 1997 version of the part.  The part numbering system was changed in 1995 onward to not tell you what part something really is.  You have to be knowledgable about the features present and then play match-up from their website to determine the real part number.

As you can see, this part is clearly an ST16601 part except it is now called a K3COA.  We know that the '3' represents the entire ST16XYZ series from 1995-1997 but we'll get into their numbering system when we write the ST101 article (we skipped it and jumped straight to ST201 to bring you the good stuff sooner!).



Above:  1000x magnification of the beginning of the second generation mesh used ont he 1995+ parts.  This exact mesh is still used today on their latest technology sporting 0.18um and smaller!  The difference- the wire size and spacing.

In the above image, green is ground, red is connected to power (VDD).  Breaking this could result in loss of ground to a lower layer as well as the sense itself.  The device will not run with a broken mesh. 



Above you can see Flylogic has successfully broke their mesh and we did it without the use of a Focus Ion-Beam workstation (FIB).  In fact, we are the ONLY ONES who can open the ST mesh at our leisure and invasively probe whatever we want.  We've been sucessful down-to 0.18um.

Using our techniques we call, "magic" (okay, it's not magic but we're not telling ;) ), we opened the bus and probed it keeping the chip alive.  We didn't use any kind of expensive SEM or FIB.  The equipment used was available back in the 90's to the average hacker!  We didn't even need a university lab.  Everything we used was commonly available for under $100.00 USD. 

This is pretty scary when you think that they are certifying these devices under all kinds of certifications around the world.

 Stay tuned for more articles on ST smartcards.  We wanted to show you some old-school devices before showing you current much smaller ones because you have to learn to crawl before you walk!

10 comments:

  1. [...] wish the * in the present UK government that are determined to push ID cards upon us would read this and reflect upon [...]

    ReplyDelete
  2. Hi, impressive blog. Did you use distiled water diluted HNO3 or HCL, (both from industrial cleaning products) with a syringe and a suctioner? That's what I would do but I still don't have any microscope.

    ReplyDelete
  3. No, we never dilute HNO3. HNO3 does not attack oxides. HCL should be diluted when used to achieve the proper rate of etch (ROE) however this is for etching metals off.

    We use diluted HF (HydroFluoric acid) which if absorbed into your skin will attack your bone-marrow and feel painless until it's too late.

    HF attacks oxiodes :).

    If you master the use of HF, you can control the ROE and etch only certain depths (in micrometers) and achieve the results as seen in this introduction.

    ReplyDelete
  4. Hi, there:

    - Impressive...
    Any chances on: - "[...] but we’ll get into their numbering system when we write the ST101 article (we skipped it and jumped straight to ST201 to bring you the good stuff sooner!). [...]"
    Looking forward ;)...

    Thx.

    ReplyDelete
  5. Yes, we will write up the ST101 article as soon as we can find the time. More of the problem is the setup for the article what to image and display and such. It might be so-so boring to most users otherwise.

    ReplyDelete
  6. Hi again:

    - I thank you for your initiative, so I'm really keen on finding out how their numbering system works.
    Another thing is: - if I'm interested on layer removal, I should get some HF (fluoridric acid)which is not easy to find here. Can I use some other product? What are the concentrations of the chemicals?

    Sorry about all these questions...

    Thx.

    Best regards ;-).

    ReplyDelete
  7. Please see Wired magazine's recent article-

    http://www.wired.com/politics/security/news/2008/05/tarnovsky
    http://blog.wired.com/27bstroke6/2008/05/hacker-at-cente.html

    ReplyDelete
  8. old-school devices? You should have a look at the AMSTRAD40908, this chip was used in the 90s by Amstrad as a protection device for their GX4000 game cartridges. Would be interesting to see how secure it really was...

    ReplyDelete
  9. Patiently waiting for more ST secure MCU teardown articles...!

    ReplyDelete
  10. does st use light sensors on there newer chips like infineon does ? also are the bus lines always next to the eeprom ?

    ReplyDelete