Tuesday, October 30, 2007

Safenet iKey 2032 In-depth Look Inside

[We are aware of issues regarding the images when viewed in the latest Firefox browser.  This page has been tested on both Internet Explorer and Opera to properly display the pictures.] 

Chances are you have probably seen one of these little USB based tokens made from Safenet, Inc.

The one we opened was in a blue shell.

As well, the brochure the link above takes you too states, "iKey 2032s small size and rugged, tamperresistant construction, make it easy to carry so users can always have their unique digital  entities with them." 

Now we're not really sure what tamperresistant construction has to do with making things easy for a user to carry around but let's get down to the good stuff.

So we took our token apart and the following pictures are what we found:

Above:  Main CPU side of the token. 

Our suspicion:  Could there be a Cypress CY7C63xxx series CPU present?


Above:  Something buried under epoxy.  Appears to be die-bonded to the PCB.

Once initial images of the PCB intact were taken.  It was time to remove the CPU.

We carefully decapsulated the epoxy covering the die buried inside the 24 pin SOIC part.  What did we find?  We found a Cypress CY7C63613!  We suspected it might be this part because of the pinout.  This is why scratching off the top of the part does not always help.  Even with the silkscreen scratched away, there are only a few possible candidates using this pinout.  Additionally, this CPU is very common used in USB applications.

Here is the CPU opened up.  Note that pin 1 on the PCB is in the upper-right corner while in our picture we rotated the device so pin 1 is in the lower-left (we labeled it with a red dot).

Above:  Cypress CY7C63613 USB CPU (Click on picture for a larger size)


Above:  Actual closer view of the bare CPU substrate (Click to see commented higher-res image)

Once the CPU was decapsulated, we performed some tests on the device.  After executing some tricks, the software contained internally was magically in our hands.

We looked for some type of copyright information in the software but all we found was the USB identifier string at address offset $3C0: i.K.e.y. .

Now that we successfully analyzed the CPU, the protocol for communications to whatever is present under the epoxy is available to us.  At this point, we believe it's more than an serial EEPROM because this CPU is not strong enough to calculate asymmetric cryptographic algorithms in a timely manner.

Next we carefully removed the die-bonded substrate from the PCB:

With the die-bonded device removed and a little cleanup, we can clearly see the bondout pattern for a die-bonded smartcard IC.   In the picture above, we can see VCC, RST, CLK, IO, and GND layed out according to the ISO-7816 standard which Flylogic Engineering are experts on.

After completely decapsulating the smartcard processor, we found a quite common Philips smartcard IC.  We will call this part from now on the Crypto-Coprocessor (CCP).  Notice there is still a small spec of dirt in the middle of the die.  We decided to leave it since it's not in our way.

Rotating this picture of the CCP (50x magnified) 90 degrees counter-clockwise, you can see how it fits into place on the PCB.  It is glued down and then five alluminum wires were wedge-bonded to the PCB.  Alluminum wedge-bonding was used so the PCB would not need to be heated which would help them cut down the time required on the assembly line.


In preparation for analysis, we had to rebond the CCP into a 24-pin ceramic dip (CDIP).  Although we only needed five contacts rebonded, the die-size was too large to fit into the cavity of an 8-pin CDIP.

The CCP is fabricated by Philips.  It appears to be a ~250nm, five metal layer technology based on the Intel 8051 platform.  It contains 32k of EEPROM, two static ram areas and a ROM nested underneath a mesh made up of someone(s) initials (probably the layout designers).

This CPU (The CCP is also a CPU but acting as a slave to the Cypress CPU) is not secure.  In fact, this CPU is also all over the globe in GSM SIM cards.   The only difference is the code contained inside the processor. 

Some points of interest:

Point #1-  The 'mesh' protecting probing from the ROM's databus outputs is NOT SECURE!

When we cropped and shrunk this picture, it came out pretty bad.  However, you can see that there is now an opening where we wrote our url.  The device is alive still but now has a gaping hole over the signature-mesh.

Point #2-  A quick search on the internet and we came across a public document from when Philips tried to get this part or a part very close to this one common criteria certified.  You can find this document here.  Alternatively in case that link goes bad, we have saved a copy of the document here.  You will need Adobe Acrobat reader to view the document.

The document labels this assumed to-be part as a, "Philips P8WE5033V0F Secure 8-bit Smart Card Controller."

Reading over this document, we find a block diagram on page 8.

In the above diagram they mention, "Security Sensors" as a block of logic.  That's ironic considering we opened a gaping hole in their "mesh" over the ROM and the processor still runs 100% functional.

Point #3-  For such a "secure" device, Philips could have done a lot more.  The designer's were pretty careless in a lot of areas.  Below are some photo's showing a sawn-off test-enable line.  Simply reconnecting the two tracks together will definately be helpful to an attacker.  A Focused Ion-Beam Workstation can make bond-pads for those two tracks that we can then bond out to the CDIP.  This way we can short or open this test-circuit.

Above:  Two test tracks (inside the red box) lead off to the left edge of the die.

Above:  Notice on the very right lower edge there is a wire in orange.  This was the loop back of the track that has now been sawn off.  This orange loopback would have belonged to the die to the right of this die when still present on the wafer.

 Now ask yourself if you are a potential customer to Safenet, Inc-  Would you purchase this token?

Friday, October 26, 2007

Decapsulated devices

Recently at Toorcon9 (, some individuals asked to see images of decapsulated parts still in their packages. I dug around and came up with some examples. Click on any of the pictures for a larger version.

Above: Microchip PIC18F2550

Above: Dallas DS89C450

Above: Microchip dsPIC30F6013

Using our proprietary procedures, all parts remain 100% functional with no degradation after exposing the substrate.