Good afternoon, everybody at DEF CON. Thank you for coming. I'd like to take this time to introduce myself really quick. My name is Christopher Tarnovsky. I was the principal at FlyLogic. However, as of yesterday, it was announced that FlyLogic has now been acquired by IOActive. Thus, we will become FlyOActive. So, anyway, with all that said, you can expect to see lots of good stuff coming from us as a team. I'm going to have some people working with me now; it won't just be myself, which makes things a lot easier and more productive, which benefits the customer, which is maybe you guys. So, what I'm going to do today is basically walk through a look into my world, the way I see things, so to speak, compared to the way many of you might see it in regards to chips. In February 2010, I reverse engineered the Infineon 66 PE TPM. Is anyone familiar with this? Okay. So now I've started to reverse engineer STMicroelectronics' version of their TPM. I speak really, really fast and I'm really wound up today. I have a lot of friends in the audience. So if I speak too quick or you have a question, raise your hand, get my attention, and we'll pause and I'll take your question. Otherwise, I'll just continue and never stop. So, these chips are put into your motherboards or your computers, depending on what kind of motherboard you have. You're supposed to trust them, put all your key material in there and everything. Windows can use it in BitLocker and so forth. But these chips are not really that secure. And I'm baffled and cannot understand how Infineon and ST and Atmel as well can take the same processor families that they use for their smart cards and then just put some band-aids on it and sell it to you as a trusted platform module. Remember, this chip is going to sit in your motherboard for years. So, you know, this legacy: you're only as strong as your legacy products were. And they're not that strong in most cases. So, who here is familiar with ST smart cards?
Okay, so let's go back in time a little bit. I want to make sure that everybody understands the principles today. This is all about the principles. You can shrink to 90 nanometers, for example the ST23 today, and you can get your EAL6+ rating for Common Criteria. But honestly, it doesn't mean anything. If you take the time, polish down the chips, do your imaging, what I call your due diligence, you find out that it's really not that complicated when you break it down into simple terms. So, everything that ST makes today in their smart card field that is a 6805 variant is all based on their past. And that's why I always like to say you're only as strong as your past. Because the first thing that I'm going to do is go look at your past, then look at newer, and slowly advance up to today. Not much has changed. In 1998, they came out with the first 19 series. It was a 600 nanometer process, and it had three metal layers of aluminum. It had an 8-bit bus internally for the core, and everything basically was 8 bits: the ROM, the RAM, the EEPROM. It was a micro-coded based design, so they had some tables of 1s and 0s that represented how to dispatch the instructions and so forth. And it was based on an even older version of their smart card families known as the ST16. So then, in about 2001, ST starts to come out with this X series platform. There was an XL series, there was an XT series. These now went smaller in feature size. They went from a 600 nanometer 3-metal to a 350 nanometer 4-metal, still an aluminum process. The ROM and all the other output buses of memories except the EEPROM: it's an 8-bit internal bus still. The micro-code tables got removed, and basically it became this nest of glue logic. Does anybody do layout in here? No? Okay, good, good, good. So we'll get into that. That will be the last thing we get into. So we're going to go through all my slides and then I'm going to put you into Photoshop.
And we'll have some fun in Photoshop. So they added some additional instructions as well. Then they came out with what they call the W series, which is what my target is, my WP18. The 18 means 18 kilobytes of EEPROM. So now they shrunk from 600, to 350, and now they're down to a 180 nanometer process, and it still has 4 metal layers. The ROM bus output became 16 bits, but then it goes through a little block of logic and it gets reduced to the actual true 8-bit value that this chip speaks internally. So it was a shrink, and like I'm saying here, it was just band-aided together on top of the old stuff. They add a little bit of new stuff and then, uh-oh, we ran out of room, so we have to get rid of the active shielding in an area to fit our changes into place. Because of what they did on this TPM chip, they actually made it weaker than any other ST19 that I've ever seen, because the mesh does not consistently cover the entire surface anymore. In this hole that I'll show you, I found three or four different clock signals that I can use to eavesdrop the data bus, because these chips run on their own internal clock. They can switch to the outside world if software allows, but they power up on the internal clock and they may never switch to the outside world. For example, XM satellite radio used a 19AF08; it never ran on the outside world clock. So this makes the WP18 weaker than the Infineon TPM by far, and I've never seen the 19WP18 in the field in use. I've found them on the surplus markets. So let's start to take a look at this, just so everybody can understand. I did a real quick cross-section into the WP18 just to give everybody an understanding of what I'm trying to talk about today, because you'll hear me talk about M1, M2, M3, M4, which really means metal one, metal two, metal three, metal four, or you might hear me talk about the poly.
And so you can see here in the picture, I milled away a staircase into the chip and then tilted it and imaged it. And you can see there's some metal, two big fat chunks of metal four. Okay, my mouse. Then I drew these blue lines for show, but you can see metal three was under there, and then we can see there's a via right here and there's a via right there. There's one more via here that I didn't put an arrow to. And then there's your metal two. And then finally metal one. I should probably have done a little bit longer cross-section. And then you can see the poly, or the actual area where they designed their transistor, down in the bottom a little bit. Anybody have questions yet? Okay. ST, like all these other manufacturers, likes to put little pictures on their chips sometimes, or, you know, little code names. So they've code named this particular device Longhorn. I have no idea why, but I just thought it was interesting to show you. So before we even start, there's an active shield over 99% of this entire surface area. There's an active shielding that they place down. You have fingers of ground going at 45 degrees, and then you have a single serpentine wire going in between them. If you break this line or ground it out in any way, it'll pull down to ground. If you cut it, if it ever sees zero, the chip will bulk erase its EEPROM. And there's a sanity check on power up, so it will never boot again. But you can see what I have to do to polish these chips down. Well, I could polish off this layer with a lapping machine, but it's very time consuming. So I tend to cheat: use the quickest way possible to get the task accomplished reliably. And so here, in this image, you can see I've removed the shield by dipping it in hydrofluoric acid for about two minutes.
As soon as it came off, I rinsed it, cleaned it, and now you can still see the oxide residue of where the shield used to live. Can everybody see the ripples in the orange area? It looks pretty ugly, though. You can't really see anything down deep. It just looks like fog layers on top of it. But once we start to polish the chip, it completely changes. And that's what we end up with once that oxide layer has been polished off. So this is the TPM chip with its active shield stripped off and polished clean till it was nice and shiny, and then a quick image was made. You can see here we've got a ROM right here. This is the ROM, the read-only memory. This is where the CPU will always boot up first. You've got 18 kilobytes of EEPROM in here. You've got, I don't recall, I think this is four kilobytes of static RAM down here. You have two tables up in the upper right quadrant, if you can see my mouse here, which are firewall access rules: where are you coming from, where do you want to go to, can you read, can you write from there, and so forth, execute. You've got a two kilobyte RAM that they added in, under the word "metal." There's a 2K RAM right there. They talk about this in the product quick spec that you can find online. And then if you look below my mouse, just to the left of the M in "metal three," there's a little black spot, a little black box. Can everybody see that black box? That black box is where metal four had to be used to finish their modeling of the additional logic that they added into this. The CPU in this chip is all contained to the left of the RAM, near this metal four area that I continue to refer to.
Everything else pretty much is something to do with cryptography: hardware crypto units, the SHA-1, RSA, triple DES and so forth. Polish again. So when I'm polishing a chip, I don't polish one chip. I'll polish four or five of them. So here's one chip. I'll take them all to metal three, let's say, and then whoever's the best stays at metal three. Then I'll take the rest and I'll go to metal two. Whoever's the best stays at metal two. And I don't need the chip to be perfectly smooth. I need the chip to be perfectly smooth in the area of my interest. So it's very normal for me to not have it a hundred percent planar. I'm polishing these chips with my finger and a silica solution, 0.05 micron, like a liquid sandpaper. So here's metal two. You can see there's metal three; go back to metal two. You can see it slowly getting less and less dense as I polish down to the bottom. Then we've got metal one. So you've got metal three, metal two, metal one. Metal four we don't care about, because that was the mesh, the shielding. The only reason I would care about metal four is for that unprotected area I was talking about that they left, where there's routing. Metal one is where you're going to have all your gates created: poly, metal one. Metal two, three, and in this case part of four, it's all routing. It's all routing to get your NAND to your OR, to your MUX, to your flip-flop, whatever, to make the state machine run. That small section you can see in this picture is from the FIB. So I went in on... does everybody know what a focused ion beam workstation is? It's a machine that basically... it's a nuclear weapon to a terrorist, kind of.
So this machine will let me deposit metals, deposit insulator, mill away material and so forth. So I can totally change the behavior of circuits. And here I was having some fun. This is where I did the cross section that you saw earlier. And so I sputter coated with some tungsten to make the area visible. Otherwise you would see black everywhere, because it's insulated by the oxide layer on the surface. So again, this is unacceptable for a device that's EAL5 certified. And I have no clue who certifies these chips, but Common Criteria doesn't mean anything to someone like myself going in, you know, if it's a target. So here's just, in that logic zone on metal four, a random shot I took in the FIB again at 15,000 magnification. The FIB can go up to about 800,000. I've only ever been as high as 200,000 mag, though. It just depends how small the device was to begin with. So here you can see another shot of the active shield, ending to the left, and to the right you can see the metal four routing that they placed. This is such a big boo-boo. Because you know, in this area, I guarantee you the data bus is in there. There's eight lines that'll have the data going back and forth on it. It's going to be mangled. It'll be encrypted with an XOR, but exclusive-or on data, when you know what the data should have been in the clear, isn't hard to figure out. And then, of course, there'll be a clock in here. So what do I need as an attacker? I need the data bus or maybe the instruction registers. That way I can induce glitches to change the behavior of an instruction being executed, and I need a clock because I have to synchronize with the chip's internal operations.
So here, that same area, I started playing around milling, and there was an open space in that cavity right there. And so I milled till I hit metal three. It's nothing significant in the picture, just for show. The ROM on this super, super trustable chip that you would put your secrets in isn't even encrypted very hard, because you can see these spots. You can see the checkerboard pattern. Do you see the checkerboard pattern? This is giving away the key that they're using to XOR the ROM material with. So where we see these XOR patterns, it's clearly FFs right there, or zeros. But it's been, I'd like to say, mangled or scrambled with an XOR. And the XOR is based on a mix of high and low address. I'm just going to stay on that image for one second. The scariest thing about this whole thing is that this is the metal one layer where they laid their mask ROM. That's only a 20X objective that I took this picture with, and you can make out little things. Just imagine: you don't even have to have high-tech equipment to image this ROM. And I think the best example of this in real life are the people who hack Nagravision in satellite TV, because these guys optically read this ROM out for Nagra 2, and were able to figure it out and produce everything and glitch into it. Every chip that ST's ever made has been broken, just for the record. Here's the same ROM bits, metal one again, but now I've zoomed in to the max I can go optically. The maximum my Zeiss can do optically is 1,500 power. And that's a beautiful shot. You can see the bits clear as day. I mean, it's not game over because the ROM is like this, but you can clearly see that the ROM is not encrypted at all. It's some type of very, very weak scrambling.
So ST likes to play this game. They like to have a bunch of different areas of memory, and everybody basically, if you're not driving the bus, you're tri-stated. This is kind of like a 1980s MUX, in my opinion. So rather than using a true multiplexer, they basically have these tri-statable drivers everywhere around the chip. And this explains why they're only capable of about 15 megahertz, compared to an Infineon running at 33, Renesas running at 30-ish, EM Microelectronic hitting 60 megahertz. Those guys do it right. And ST, I think they have a lot to learn. In this picture you can see the metal one layer, which completes these gates. There's two gates here. You've got a buffer, or I'm sorry, a driver, a high output driver, and then you've got the tri-statable area to the left. It almost acts like a 74126, if everybody does electronics. And then you can see the polysilicon below that. So the WP18, here we go again. Same exact tri-state drivers, just a shrink. This was the 350 nanometer design of the driver. This is the 180 nanometer design of the driver. Same crap, different day. I mean, I don't understand. They just shrink. That's it. Size doesn't matter either, because this is from their latest generation, ST23. That's a 90 nanometer process that I did in the SEM. So you can see clearly here, there again is your poly, and above it there's actually two tri-state drivers in this image, one on the left, one on the right. Those had been overlaid, and then I cropped it and separated them and put them into the slide deck. Does anybody have any questions? Because I'm moving really fast. No? Okay. Yes. [inaudible question] That's a very good question. That's what I was saying. This is like a 1980s design.
You know, where if you're not on, you're tri-stated and you're off. It's very... I don't know why. Every other manufacturer that I've ever looked at uses a true MUX, a multiplexer. I can't hear you. Okay. Move on. So we can learn a lot by studying their past. The WP, it's fairly small. It's 180 nano. You're pushing the optic limits almost. At 140 you're really at your optical limits for seeing the metal one and the poly area. But going back to their past, which I've shown in two different chips above, you can learn a lot. So these are two 350 nanometer versions of their chips. But remember what I just said five minutes ago: there's nothing different about the 23 or the W series or the N series. The only differences are the ROM outputs. They fetch 16 bits wide or they fetch 34 bits, you know, 32 plus two bits of parity. But as soon as they're done with their little cipher block, they end up with an 8-bit bus again internally with the tri-states. Looking at the 350 nanometer chip, I did some extensive work on this a few months ago. You can see here in the middle of the CPU, which we'll get to after the slide deck's finished, metal three, metal two, metal one. These three had been overlaid on top of each other, and then I separated them and put them into the picture. Those are the eight tri-statable drivers for the ROM output, the decrypted ROM fetch. So this is a FIB picture where, from my reference point, I went over on the X axis 900, 1925 microns, and then went up 1500 microns.
And then I milled a little arrow into the chip, well, I deposited an arrow with platinum, down here in the bottom, but you can barely see it because of the slideshow. So in summary, this chip really doesn't come as a shocker to me. There were a lot of exposed and unprotected areas in that block on metal four that I was showing you. Clock signals are present. I have to finish all my tracing, and I'm not done with my imaging of the lower layers of the WP. But so far, from what I've found, it's on the same road as the other chips, as their other variants have been, for failure. Again, it's the same device as the past, except it shrunk and they added some extra things to it. So who wants to go into Photoshop? Okay. So, thank you. This is the end of my slide deck. Be sure and fill out the DEF CON card, please, if they have one. So, does anybody know how to make the Photoshop screenshot show up there? Any Mac guys here who know how to make my screen become active here? It's not showing me. Mirror. No, it's not going. Okay. So now, can everybody see it? I can't tell from here. Okay. So, this is actually a nice spot, wherever we are. I have no clue where we are, because it's all offset now. Everything's changed on my side too. So ST likes to do a lot of funny things, a lot of weird things, a lot of things that I have no idea why, because I don't work with them. One thing that they like to do is drop in what I call dead gates. And I don't know why they do it. It's almost as if they think that they'll scare you off if you're going to try to polish them down or something. So they leave these gates that are actually strapped off, tied to the ground fingers of the mesh that's now been removed.
So in theory, if you're an attacker, I suppose, and you don't know anything, you'll think, uh-oh, the chip can never run like this, because there was a signal tied to the mesh's ground finger, and I've just cut this finger off. But it's not true. It's not true at all. It's completely bogus. So let's see. In this picture, in the middle of the view right here where my mouse is, that is an example of a bogus gate. This gate has no purpose in life whatsoever. I don't even know what it is. Let's look and see what it is. So we can see there was one, this right here, that used to come to the surface, to the finger of ground. That little black dot is what's left of the via that had been there before I polished. So this has been polished until the aluminum became nice and white. This way I don't have to sputter coat it if I put it in a SEM or a focused ion beam workstation. You should sputter coat, but I'm lazy. And so I didn't, but I could have. Anyhow. And I should have. So, okay. This work has all been hobby. It's not a job. So that's why I'm saying I'm lazy about it. But if this had been a job, I'd do it from step A to Z and be done. So now we can see that that had gone to here, and then it went down. They like to play these games with their routing too. Some of it's auto placed and routed and some of it's not. Some of it you can certainly tell has been manually put in. And so then it went to this, and then you guys are like, what's that? But look right here. This is one of the power rails. Now, knowing ST, this is ground. It has to be ground, because they're not going to tie one input to ground and the other input to a one, to VDD, VDD being whatever their internal core voltage is. They're not going to do that.
They're going to just strap the gates off, which is grounding them. Strap them the same, I should say. So I know that this connects to there. It can't go anywhere else. And so we turn back on metal two, and it did. Now the picture's slightly out of alignment right here. But it's such a large chip, you can get away with it being out of alignment. I don't have to have it perfectly aligned. But if I had taken some more time, I could have aligned it. It's all rotational alignment. So this gate, here we can see this is A, hypothetically, and then this is B. And then this would have been Y, but it's not; there's no via, nothing. It's just completing the gate. And they're not spares. These are not like spare NANDs or NORs. And let's see what it is though, because I don't know what it is. So, given that this is our ground rail right here, oops, well, it's a little big, but you get the point. Let me kill that though. So if ground went across here, wrong color. Okay, so ground went over across here. A and B are in series with each other. Who can tell me what this gate is? You have two n-FETs to ground in series. Anybody? Thank you. It's a NAND. It's a dead NAND. So why do they do it? I have no clue. You can see a lot of other gates to the right that are really functional. The pictures don't lie. That's what I always tell everybody. If you do your due diligence, you do all your polishing, the chip is right in front of you, whatever you need. When we first came into the chip, it looked pretty scary. Let me zoom out. So you look at the chip. And also, does everybody notice that I didn't image the whole chip? This is at a thousand power, optically. But I didn't image the whole chip. I only imaged my region of interest. I don't need to image the whole chip.
Because you know that by design, there's no way that these guys would have the decrypted opcode, the instruction that they're about to execute, in the middle of this nest of logic. And then where's it going to decode to? It's going to fan out all around in a 360? No, it's not. It's going to be somewhere towards the side, and then it'll fan out to the right or it'll fan out to the left or up or down. But it's not going to be in the center of this whole nest. I suppose it could be, but I've never seen one. And I could show you Atmels and everything, and Infineon. And the instruction registers are always somewhere near the edge. So in this case, we've got, in the middle of here with all my drawings, a whole bunch of little blocks and things that I highlighted. You can see here in this image. So these are those drivers that we were talking about. So how do I get here? Who has an idea? How do I find this in the middle of all this logic? Anybody? Where does the chip power up first? It powers up in its ROM. If these chips have any type of ROM on them, it has to power up there, because it's the only place where the CPU knows that it's got static code set. Same with anything. You know, take a baseband processor in a phone. It has a boot ROM inside. The boot ROM powers up, does some checks, determines is the flash loaded, etc., what mode are we in, this type of thing. It's the same with a smart card or any other type of device that fits this mold. And so by following the ROM, which was to our left in this image. Here, let me... the ROM was over here. Now I've cropped this image. And you can see here, I didn't even image this spot right here. It's missing, because this is part of the math coprocessor. So this chip has a math coprocessor.
It can do SHA-1, it can do RSA, DES, and a bunch of things. I don't even know what some of the functions it has are besides those. But I knew I didn't need that very bottom area. And I actually went in more than I needed to in the left section. So if we look here, you can see I've been drawing here. If I turn off all the layers for a second... it's really slow. One second. So now you can see my eight ROM bits. So the ROM's output drivers were to our left. They're out of view. We don't need them; just trust me, they were there. If I went back in my slide deck, one of those two chips that I had shown you about the past was this chip. And so again, they're going to play games. They're going to weave their way through memory. And so you really do need to image. You need to image from the ROM and then figure out which way it went. And then some of them went up. So they play this game. You know, he went up and she went over this way. But they all meet again a few hundred micrometers to the right. They all meet right there. And let's take it there right now. Is everybody following? Okay. So we're just following the wires without turning on metal three. With metal three on, it's not so easy to see it. We can see, boom. And then I even have some notes here still. So ST has this little thing they're doing. And it's funny, because Dr. Karsten Nohl and I have a bet going right now to see who's right. I say that XOR1 is decrypting the ROM fetch and XOR2 is re-encrypting the decrypted ROM fetch before it goes out on the open data bus. This way, if you eavesdrop the open data bus, you'll see scrambled data, basically. But this is yet to be proven, so I haven't finished probing right now. I'm in the middle of it, but again, this has been a hobby, a side project. It's not work. So if we take a given bit, number four, ROM trace number four, it came in on metal three. Let's see.
You can see right here, if it paints, one second... it will not paint. Okay. So, can everybody see "ROM trace" with a little arrow? I drew a little arrow. Okay. So this came in on metal three. Now it vias down. So now we undo that, and now we look. And then again it vias down very shortly after. And then boom, and it goes. And then we have this weird-looking gate here. As I said before, the images don't lie. So metal one, as you can see here, and the poly: we can see clearly that this is an exclusive-or. I'm not going to get into how you make an XOR or a NAND, but there's many of you in here, it sounds like, who understand this. So does anybody have questions? So the output of XOR one feeds into what I call XOR two. Both XOR one and XOR two could be turned off if they wanted to. ST could turn it off depending on what's going on in the system. I don't know why they would, but they could in theory. Maybe during test mode, maybe in the factory they don't want to scramble that main central core. Or maybe when certain operations are happening to the crypto unit or something, maybe it's turned off there. I'll be able to answer these; I'll actually blog about this in a few weeks once I finish these tests. I have found the instruction registers though, which is even more important. So I can probe later. So the output of XOR two came over and it plugged into this here; I have it labeled number four. Where my mouse is, this box. And I can turn the boxes off, but I think they actually help. Is it easier with the boxes lit up or with them off? Okay, I'll leave them on. So when we shrink down, actually I'll turn them off, because you can't see now. So the decrypted value, re-encrypted again, feeds into this tri-state that I labeled number four. And I don't know if this is truly bit four or not, but I have to label them.
I've got to label them in some order so that I can tell the difference, for now. And then here's that game I was talking about. So look at the plate on number four right here. Number four's plate. It's getting a little fuzzy. I'm too zoomed in, but you can see there was a via where my mouse is here that went up. And then there was a via here, and then it went down. And so if we follow this blue wire right here... I don't want to turn the layers on and off, because it gets confusing to everybody. But the blue wire is following where the routing had gone. And then boom, look at that, it connects into another one. So this is what I was saying before. Now you've seen two different tri-state output drivers for bit four, my pseudo bit four, to be determined. I found 14 or 15 of these. And again it viaed, right to the right of where the point of my hand is. There's another via right there. So that tri-state keeps going. It's really a strange idea. The ST23 is still following this procedure in a 90 nanometer shrink, and the ST19WP is doing the same things. So you can see here's eight more: two, four, six, eight. And then I changed the color. And this is coming from EEPROM. The EEPROM comes down and it gets latched into this next set of red boxes. And they're all happily coupled together, tri-statable. Only one's ever on, of course. So when the NANDs turn off... or the NORs, I forget which one they were. But in order to turn off the XOR, they basically output zero. And then, you know, one XOR zero is one. So you know that XOR gate, and you simply make a propagation delay. So following these lines led me over here to these beautiful blue boxes.
These beautiful blue boxes: there are only two spots in this whole chip, just stepping back for a second, where these lines went to inputs. Every other place these lines went to were tri-stateable outputs. So out of 16 places I traced it to, two were inputs and 14 were only output-capable. This is because this is a unidirectional bus. This is basically the TX side, let's say, and the RX side I don't care about. Because I want to care about latching an instruction into the CPU core and making it walk through time forever while I listen with my needles. So this is the only side that could possibly be the instruction registers. We have 24 flip-flops, they're daisy-chained: eight that can feed again into eight, that can feed again into eight, which makes sense because anybody who knows the ST19 architecture knows that there are three levels of instructions. There are a few instructions that are three opcodes long, to dispatch another set of 256, possibly. And so this would make perfect sense of why it should be the instruction register. Also, these are sets of eight flip-flops that are all the same type of flip-flop, they're not different types of flip-flops. The other set, the other input, they didn't all go to the same kind of flip-flops, and they didn't all go to flip-flops actually. So it would make more sense to me that that would be where the upper end is being looked at and analyzed, potentially latched. It just depends how they interpret it. Is everybody lost? You're here, I see. But anybody have any questions? No? I have nine minutes. Okay. Sorry? Oh, I've looked at everybody: Renesas, ST, Infineon, Atmel. I have some cool pictures from Atmel; they just happen to be on my desktop. Atmel is another company that's lost.
Atmel likes to use a specific kind of flip-flop for their instruction registers. But here's an Atmel. This is a SecureAVR from Atmel. It's an older one; I was going to use it as a training tool. So it's a 350 nanometer chip as well. And you can see it polishes very nicely. So I can see, here's a flip-flop. And you can even see, like this, here's a clock to a flip-flop; it's chained to this flip-flop. I have no idea what area this is. These were random tiles that I pulled to show somebody. But I also have the Atmel stuff polished, overlaid. Same thing. It's always the same thing no matter who the manufacturer is. And that's what I was trying to explain before. It looks real scary when you look at it from a distance. But once you really get close, polish it down, take all your images, you start to realize there's not much to it. Like, look at there. Follow your output, follow your ROM. Or this Atmel here, for example, it only has flash. So follow your flash data bus outputs. What you'll find is it goes through some combinatorial logic and then it latches into the flip-flop. You cannot latch something into a flip-flop to, like, hold it for being decrypted and then latch again, because now you've created a two-clock penalty. So that means the CPU would be crawling on its knees to execute. So from the output stage of the ROM or the flash, wherever it boots from, it's going to trickle through some combinatorial logic, propagate down, and then the first flip-flop you hit, it's either a key-holding register of something for maybe like a cipher feedback chaining or like a cipher block chaining type thing, or it's an instruction register. But it cannot be anything else. And then you have the fun part of figuring out the order. That's always... on Atmel AVRs, there's 16 bits. It's a pain in the butt.
So, anybody else have questions? Yes. No, no, but that is why I believe XOR two is in place. There are more things I could have shown you on that layout that I just had open, because they do some wild things with what I call XOR three and XOR four. And they have the same key bit material coming into them, and they're individually selectable to be turned off. And I believe that that's for DPA. So that main common bus, every reset, it's randomized. Yes. The Infineon TPMs, yes. Okay, thank you. He asked if I've successfully recovered the key material from this particular chip. No; I've successfully recovered the Infineon TPMs, which was much stronger than this one. I'm not finished with this work. That's why I said it's a look into it. I'm probably three months, if I keep it as a hobby project, from actually putting needles on the WP. To follow the ROM to get into that, where I showed you those tri-states, took an hour and a half. Yes, sir. I can't hear you, sir. No, I've written some tools on my own and I use PanaVue ImageAssembler to stitch my images together. He asked me if there's any special software. I'm sorry. The only special software really is my probing board that I stimulate the chips with. It's an FPGA-based design that's all my custom logic. Anyone else? Yes. This TPM, if I really worked on it, I could have it finished in about two weeks. If it was... I can barely... Okay. So once I'm finished and I've extracted an image, which is the primary of a particular chip, the gentleman wants to know how long, what's the time to do another one, to kind of repeat the process. On the Infineon chips, it took me six hours. On the ST, it would be significantly less because of their mesh concept. Their shielding is the weakest in the market. Then it's even worse on their newest... their 90 nanometer stuff is even worse.
They have a one micrometer spacing on their new stuff between mesh tracks, which is absurd. I mean, I can mill 0.4 by 0.4 holes, and that's large. And so one micron space is sad. But remember, the fingers: I can turn off the finger and it's dead metal, and then I can actually use it as a conductor if I wanted to, or I can mill it completely away. And the main active mesh signal, I just have to mill down to VDD and then strap it, and then I can cut it. I can also do selective wet etching on the ST chips. I can't do that on the Infineons. So for the wet etching, you can see my video from Wired, where I use nail polish to make a mask and then I use hydrofluoric acid, very selective timed etches. So the ST chip would be maybe an hour and a half prep and then put needles on it. Anyone else? Yes. Sorry? The layout of the chip was very standard. Yes. It would have been harder, but it's not that hard to identify where the actual core is, because there are so many crypto blocks inside, and what you'll see, you see a lot of register logic. A lot of chained register logic and shift networks and stuff like this. So if you isolate all of that out of the picture, which is what I did on that one Photoshop image that you saw, it's pretty much game over. You can start line tracing and things. It's more of how many... The smaller you are and the more layers you have, the harder you would make my life, in a nutshell. Yes. There are a lot of things they could have done to obfuscate the surface and make it a little bit harder, but they didn't do it, and I'm not going to voluntarily give them ways of slowing me down. Yes. 45 nanometer. Yes. Once I've done my... I have over 400 samples of this chip. They were like 20 cents on Hong Kong inventory surplus. So once I've burned through whatever I need to do my initial analysis, my success rate is going to be 100%.
Unless something catastrophic happened, like I wasn't perfectly level in the FIB and I stick the needle in and... oops, it wasn't microns above the surface, and I scratch it. Otherwise, it's almost a zero risk, because remember, if I did damage it in any way, it would be like maybe I sever a track with my needle. But on the ST chip, I can drop platinum everywhere because the mesh is inferior to most of the stuff I'm up against today. Okay. One more question please. Anybody? No? Okay. Thank you very much.
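The datapath the speaker traces above (a scrambled ROM output, two XOR stages that a NAND can switch off, a masked central bus and three daisy-chained 8-bit latches) is easier to reason about as a small simulation: it shows why a disabled XOR degenerates into a plain delay, why a per-reset bus mask changes what a probe sees while the decoded instruction stays fixed, and why the 24 flip-flops form a three-opcode window. This is an added Python model written for this page, not code from the talk or ST's design; the gate names, the NAND-gated disable, the per-reset random mask and the 3 x 8 register chain are assumptions taken from the spoken description.

```python
"""Added model of the ROM-to-instruction-register path described in the talk.

Hypothetical: the gate names XOR1/XOR2, the NAND-gated disable, the per-reset
bus mask and the 3 x 8-bit daisy-chained instruction register are assumptions
drawn from the spoken description, not the speaker's code or ST's design.
"""
import secrets
from collections import deque

ROM_KEY = 0x5A  # constructed fixed key with which ROM contents are XOR-scrambled


def gated_xor(value: int, key: int, enabled: bool) -> int:
    """XOR stage whose key input comes from a NAND: when the stage is turned
    off the NAND outputs 0, and value XOR 0 == value, so the gate is only a
    propagation delay."""
    return value ^ (key if enabled else 0)


class ScrambledRomBus:
    """XOR1 unscrambles the ROM byte; XOR2 re-masks it for the central bus."""

    def __init__(self, xor1_on: bool = True, xor2_on: bool = True) -> None:
        self.xor1_on, self.xor2_on = xor1_on, xor2_on
        self.bus_mask = secrets.randbelow(256)  # "every reset, it's randomized"

    def drive(self, rom_byte: int) -> int:
        """Value a probe on the central bus would see for one ROM byte."""
        plain = gated_xor(rom_byte, ROM_KEY, self.xor1_on)
        return gated_xor(plain, self.bus_mask, self.xor2_on)

    def receive(self, bus_byte: int) -> int:
        """Receiver side strips the bus mask again with the same XOR2 key."""
        return gated_xor(bus_byte, self.bus_mask, self.xor2_on)


def fetch(rom: bytes, bus: ScrambledRomBus) -> tuple:
    """Walk ROM bytes across the bus into three daisy-chained 8-bit latches.

    Returns (bus trace, instruction-register window); the window holds the
    newest byte first, i.e. the three opcode levels the speaker describes."""
    ir = deque([0, 0, 0], maxlen=3)
    trace = []
    for b in rom:
        on_bus = bus.drive(b)
        trace.append(on_bus)
        ir.appendleft(bus.receive(on_bus))  # each clock shifts the chain down
    return tuple(trace), tuple(ir)
```

Run `fetch()` twice on the same ROM image with two fresh `ScrambledRomBus` instances: the instruction-register window is identical both times while the bus trace generally differs, which is the per-reset randomization the speaker attributes to DPA hardening.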