Saturday, December 29, 2007

AND Gates in logic

As we prepare for the New Year, we wanted to leave you with a piece of logic taken out of an older PIC16C series microcontroller. We want you to guess which micro(s) this gate (well, the pair of them) would be found in. After the New Year, we'll write up the actual micro(s) and give the answer :).

An AND gate outputs a high (logic '1') only when every input to the gate is high. For our example, we're discussing the 2-input AND. It should be noted that this one is built from a NAND followed by an inverter, so a bare NAND would require 2 fewer gates than the AND.

The truth table is simple: all inputs must be '1' to get a '1' on the output (Y). If any input is '0', Y = '0'.

The photo above shows the schematic layout using P- and N-type FETs. A P-FET conducts between source and drain when a logic '0' is presented on its gate. The N-FET is the exact opposite: a '1' on its gate makes it conduct.
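As an added illustration (not code from the original post), here is a switch-level Python model of the two gates described above. Each FET is a switch closed by the gate level the text gives for it; the NAND is two P-FETs in parallel up to VDD over two N-FETs in series down to ground; the AND is that NAND feeding an inverter. The transistor counts are the model's own bookkeeping and are an assumption about the static CMOS topology, not something read off the die photo; they show the two extra devices the inverter costs.

```python
"""Switch-level model of a static CMOS 2-input NAND and the AND built from it.
Added example: the topology (parallel P-FET pull-up, series N-FET pull-down,
plus a 2-transistor inverter) is the textbook static CMOS form, assumed here."""

VDD, GND = 1, 0


def pfet_conducts(gate):
    """P-type FET: source-drain path closes when the gate sees logic '0'."""
    return gate == 0


def nfet_conducts(gate):
    """N-type FET: source-drain path closes when the gate sees logic '1'."""
    return gate == 1


def resolve(pull_up, pull_down):
    """Turn the two switch networks into an output level.
    In a valid static CMOS gate exactly one network conducts."""
    if pull_up == pull_down:
        raise RuntimeError("contention or floating output: not a valid static state")
    return VDD if pull_up else GND


def nand2(a, b):
    """Two P-FETs in parallel to VDD (either '0' input pulls Y high),
    two N-FETs in series to GND (both inputs must be '1' to pull Y low)."""
    pull_up = pfet_conducts(a) or pfet_conducts(b)
    pull_down = nfet_conducts(a) and nfet_conducts(b)
    return resolve(pull_up, pull_down)


def inverter(x):
    """One P-FET to VDD and one N-FET to GND sharing the same gate signal."""
    return resolve(pfet_conducts(x), nfet_conducts(x))


def and2(a, b):
    """The AND in the photo: NAND (giving !Y) followed by the inverter (giving Y)."""
    return inverter(nand2(a, b))


# Device counts for the modelled topology (assumed static CMOS, see above).
TRANSISTORS = {"nand2": 4, "inverter": 2}
TRANSISTORS["and2"] = TRANSISTORS["nand2"] + TRANSISTORS["inverter"]


def truth_table(gate):
    """Evaluate a 2-input gate over all four input combinations."""
    return {(a, b): gate(a, b) for a in (0, 1) for b in (0, 1)}


if __name__ == "__main__":
    for name, gate in (("NAND", nand2), ("AND", and2)):
        print(name, truth_table(gate))
    print("extra transistors for AND vs NAND:",
          TRANSISTORS["and2"] - TRANSISTORS["nand2"])
```

Removing the `inverter` call in `and2` and taking the NAND output directly is exactly the "take '!Y' instead of 'Y'" option the post describes.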

As seen above, there are 2 signals we labeled 'A' and 'B' routed in the Poly layer of the substrate (under all the metal). This particular circuit is not on the top of the device and had another metal layer above it (Metal 2 or M2). So technically, you are seeing Metal 1 (M1) and lower (Poly, Diffusion).

It's quickly obvious that this is an AND gate but it could also be a NAND by removing the INVERTER and taking the '!Y' signal instead of 'Y'.

The red box to the left is the NAND leaving the red box to the right being the inverter creating our AND gate.

The upper green area is the PFETs, and the lower green area is the NFETs.

After stripping off M1, we now can clearly see the Poly layer and begin to recognize the circuit.

This is a short article and we will follow up after the New Year begins. This is a single AND gate but was part of a pair; from the pair, this was the right side. We call them a pair because they work together to provide the security feature on some of the PIC16C's, and we're asking you to guess which ones :)

If you have Photoshop, here is a link to a Photoshop image we created for you. You can control the layer opacity to virtually remove the top metal and see how the poly and M1 layers connect.

Happy Holidays and Happy Guessing!

Monday, December 17, 2007

ST201: ST16601 Smartcard Teardown

ST SmartCards 201 - Introduction to the ST16601 Secure MCU

This piece is going to be split into two articles:

  • The first, this article, is actually a primer on all of the ST16XYZ series smartcards using this type of mesh technology.  They have undergone a few generations.  We consider this device to be a 3rd generation.

  • In a separate article yet to come, we are going to apply what you have read here to a smartcard used by Sun Microsystems, Inc. called Payflex.  From what we have gathered on the internet, they are used to control access to Sun Ray Ultra Thin Terminals.  Speaking of the Payflex cards, they are commonly found (new and used) on eBay.

The ST16601 originated as far back as 1994.  It originally appeared as a 1.2 um, 1 metal CMOS process and was later shrunk to 0.90 um, 1 metal CMOS to support a 2.7 V - 5.5 V range.

It appears to be a later generation of the earlier ST16301 processor featuring larger memories (ROM, RAM, EEPROM).

The ST16601 offers (quick spec is here):

  • 6805 cpu core with a few additional instructions

  • Lower instruction cycle counts vs. Motorola 6805.

  • Internal clock can run up to 5 MHz at 1:1 vs 2:1.

  • 6K Bytes of ROM

  • 1K Bytes of EEPROM

  • 128 Bytes of RAM

  • Very high security features including EEPROM flash erase (bulk-erase)

Although it was released in 1994 it was being advertised in this article in 1996.  Is it possible an 'A' version of the ST16601 was released without a mesh?  We know the ST16301 was so anything is possible.


Above:  ST16301 1.2um "secure" MCU sporting 160 bytes of RAM, 3K bytes of ROM, and 1K bytes of EEPROM and NO TOP METAL PROTECTION (MESH).

Above:  Original 1994 1.2um ST16601B.  Notice this part has been covered in a mesh that was basically a humongous ground plane over the device.

Above:  Final revision of the ST16601(C?).  The part has been shrunk to 0.90um and now has ST's 2nd generation mesh in place.  The newer mesh still in use today consists of fingers connected to ground and a serpentine sense line connected to power (VDD).

Using our delayering techniques, we removed the top metal mesh from the 1997 version of the part.  The part numbering system was changed from 1995 onward to not tell you what part something really is.  You have to be knowledgeable about the features present and then play match-up from their website to determine the real part number.

As you can see, this part is clearly an ST16601 part except it is now called a K3COA.  We know that the '3' represents the entire ST16XYZ series from 1995-1997 but we'll get into their numbering system when we write the ST101 article (we skipped it and jumped straight to ST201 to bring you the good stuff sooner!).

Above:  1000x magnification of the beginning of the second generation mesh used on the 1995+ parts.  This exact mesh is still used today on their latest technology sporting 0.18um and smaller!  The difference is the wire size and spacing.

In the above image, green is ground, red is connected to power (VDD).  Breaking this could result in loss of ground to a lower layer as well as the sense itself.  The device will not run with a broken mesh. 

Above you can see Flylogic has successfully broken their mesh, and we did it without the use of a Focused Ion Beam workstation (FIB).  In fact, we are the ONLY ONES who can open the ST mesh at our leisure and invasively probe whatever we want.  We've been successful down to 0.18um.

Using our techniques we call, "magic" (okay, it's not magic but we're not telling ;) ), we opened the bus and probed it keeping the chip alive.  We didn't use any kind of expensive SEM or FIB.  The equipment used was available back in the 90's to the average hacker!  We didn't even need a university lab.  Everything we used was commonly available for under $100.00 USD. 

This is pretty scary when you think that they are certifying these devices under all kinds of certifications around the world.

Stay tuned for more articles on ST smartcards.  We wanted to show you some old-school devices before showing you current much smaller ones because you have to learn to crawl before you walk!

Saturday, December 1, 2007

Infineon SLE4442

The SLE4442 has been around for a long time.  Spanning a little more than 10 years in the field, it has only now begun to be replaced by the newer SLE5542 (we have analyzed this device too and will write up an article soon).

It is basically a 256 byte, 8-bit-wide EEPROM with special write protection.  In order to successfully write to the device, you need to know a 3 byte password called the Programmable Security Code (PSC).  The code is locked tightly inside the memory area of the device, and if you try to guess it, you have 3 tries before being permanently locked out forever (well, forever for some; we can always perform magic on the part).
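To make the PSC mechanism concrete, here is a simplified Python model of a PSC-protected EEPROM of this kind. It is an added example and not Infineon's specification or code: the 3-byte PSC, the 3-try lockout and the Read Security Memory command number ($31) come from the post, while the integer error counter, the `0xff` placeholder returned for an unverified PSC, and the method names are this model's own assumptions. It shows the defensive property the counter is meant to give (a wrong guess always costs an attempt, and a locked card rejects even the correct code) and the property the post's attacks target (once verification succeeds, the PSC itself is readable).

```python
"""Simplified model of a PSC-protected EEPROM (added example, not the
SLE4442 datasheet). Values not taken from the post are labelled assumptions."""

READ_SECURITY_MEMORY = 0x31   # command number quoted in the post
PSC_LENGTH = 3                # 3-byte Programmable Security Code (from the post)
MAX_ATTEMPTS = 3              # tries before permanent lockout (from the post)
UNVERIFIED_PSC_VIEW = b"\xff" * PSC_LENGTH   # assumption: what $31 shows before verification


class PscProtectedEeprom:
    """256-byte memory whose writes are gated by PSC verification."""

    def __init__(self, psc):
        if len(psc) != PSC_LENGTH:
            raise ValueError("PSC must be exactly %d bytes" % PSC_LENGTH)
        self.memory = bytearray(256)
        self._psc = bytes(psc)
        self.attempts_left = MAX_ATTEMPTS   # error counter (modelled as an integer)
        self.verified = False               # set only after a matching PSC

    @property
    def locked(self):
        return self.attempts_left == 0

    def verify_psc(self, candidate):
        """Consume an attempt, then compare. A correct code restores the counter
        and unlocks writes; a locked card rejects everything, even the right code."""
        if self.locked:
            return False
        self.attempts_left -= 1
        if bytes(candidate) == self._psc:
            self.attempts_left = MAX_ATTEMPTS
            self.verified = True
            return True
        return False

    def command(self, code):
        """Read Security Memory ($31): counter is always visible; the PSC bytes
        only once a verification has succeeded on this session."""
        if code != READ_SECURITY_MEMORY:
            raise ValueError("unsupported command 0x%02x" % code)
        psc_view = self._psc if self.verified else UNVERIFIED_PSC_VIEW
        return bytes([self.attempts_left]) + psc_view

    def write_byte(self, address, value):
        """Writes succeed only after verification; returns True on success."""
        if not self.verified or self.locked:
            return False
        self.memory[address] = value & 0xFF
        return True


def lockout_scenario(psc, wrong_guess):
    """Constructed scenario: three wrong guesses, then the correct PSC."""
    card = PscProtectedEeprom(psc)
    outcomes = [card.verify_psc(wrong_guess) for _ in range(MAX_ATTEMPTS)]
    outcomes.append(card.verify_psc(psc))   # correct code arrives too late
    return card, outcomes


if __name__ == "__main__":
    card, outcomes = lockout_scenario(b"\x12\x34\x56", b"\x00\x00\x00")
    print("attempt results:", outcomes, "locked:", card.locked)
```

The model makes the trust problem discussed later in the post visible: the only secret is a 24-bit value that the card will hand back over command $31 once any host has verified it, so a host that is assumed honest is the whole of the protection.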

Note:  Clicking on all pictures except the diagram will give you a larger ~2 MB, 2400 x ~2400 image in a separate window.

The photo above shows the entire substrate.  There was still some dirt on the die but it didn't affect our interests.  The geometry of the device is pretty big (> 2 um).  It has one polysilicon layer and one metal layer fabricated using an NMOS process.

Note:  A big device does not by itself make an attack possible, but it does make executing an attack easier for an attacker without a large budget.

The above diagram has been taken from Page 7 of the SLE4442 PDF.

A successful attack on this device means an attacker knows the PSC, which enables write operations to the device under attack, or can clone the device under attack into a fresh target that behaves like the original device.  We'll discuss the PSC in more detail below.

We have pretty much identified all the important areas listed on the Page 7 diagram in the above picture.  We can see again a test circuit that has had its enable sawn off during production.  We can see the enable line looping back for the die that was placed to the right of this die.  Notice the duck?  Hrmmmm... Seems to be pointing at 2 test points.  We'll just say that the duck probably knows what he's looking at ;)

We left out a few areas noted in the block diagram however the most important areas have been highlighted in red.


We removed the top metal (the only metal layer) and you can now see the diffusion and poly layers.  You can literally take these two pictures above and create a schematic from them if you understand NMOS circuits.

Possible attacks on the device:

  • Electrical glitches:  Glitches fed through the VCC or CLOCK line are possible.  The circuit latches are all toggled from the serial clock provided by the user.

  • Optical erasure:  UV seems to clear cells of the EEPROM to zero.  Masking the EEPROM except for the 3 PSC bytes would result in a PSC of $00,$00,$00 for that particular device.  However, note this is not a favorable attack, as the device would probably be rejected by the host that this device belongs to.

  • Optical glitches:  These give strange results.  An optical glitch in the right area might produce readback of the PSC code through command $31 (Read Security Memory).

  • Bus attacks:  Sitting on the data bus will show you the PSC of the device.  This method is effective but not easily accomplished by most.

  • PSC control logic:  Find the right signal in this area and you can make the device believe a valid PSC has been previously given, allowing readback of the PSC through command $31.  This is our preferred method, just ask the duck ;).

The security model used on this type of device is one in which the host environment is trusted.  This is a risky way of thinking but ironically, it has been used a lot (Fedex/Kinko's payment cards (SLE4442, SLE5542), telephone cards in use worldwide (ST1335, ST1355), laundry machine smartcards (AT88SC102)).

Proof of failure of this trust model has been shown in places such as:

  • Phone card emulation in Europe.  It became so bad, metal detectors were placed inside the phone's smartcard slot area to deter eavesdropping.

  • Fedex/Kinko's was successfully compromised by a man named Strom Carlson.  He demonstrated the abuse of the SLE4442 in use by Kinko's at the time.  You can read an article about it here.