Good evening everybody, my name is Christopher Tarnovsky, and I'm with FlyLogic Engineering. And glad to see a big turnout for the last track of the day. So this track is going to basically consist of a very deep analysis of an older microcontroller from Infineon. At Black Hat, we decided we'd do the Infineon 44 series, used in some smart cards from Cylink. Have you ever heard of Cylink data security? You know, link encryptors, things like this, trust your data with them on your laptop, so forth. Who uses smart cards here? Anybody? Awesome. You guys probably use much newer ones. The problem with the newer ones is the principles you're going to hear today all apply to tomorrow as well. But you have newer challenges as everything starts to shrink. The average smart card today is about 180 nanometers. What we'll play with this afternoon, this evening, is going to be about 1000 nanometers. The average smart card today is getting meshed now with active meshing to keep this type of stuff from getting direct access to the bus lines or the memory outputs, things like this. I'd like to go through a quick, quick overview of what I talked about at Black Hat and then get as much time as possible probing with you guys. We'll actually sit on the bus of this chip, we'll probe it, and I'll explain some points because some of you will probably be thinking, well, we run encrypted busing, encrypted address fetching, scrambling, who knows what. Honestly, it's good, but these principles apply to everything because there's always another way to skin a cat. Who uses the 6805 or the 8051? Excellent. Now, do you guys know assembler? Most excellent. You guys count clock cycles? Good, because we're going to count some clock cycles. So this chip is, again, it's pretty old, but if you can grasp what we're going to talk about, you can do it to anything if you've got some challenges obviously ahead of you. So, momentary fault. What is it?
Basically, it's opening up the chip to get to the substrate and temporarily changing the behavior of this state machine that's running because that's really what a microcontroller is. It's a complex state machine with specific behaviors and dynamic behaviors. So the change is always going to be precisely calculated. It's guaranteed as soon as you do your homework and do your calculations of where to apply it. Most of the time, the fault lasts no more than a few clock cycles. I had wanted to do a demonstration with a stack overflow. However, it took a little too much time given the probe setup the way it is. So I'm going to show you basically a destruction of a loop that reads bytes out of the e-square of the chip. Normally, we'll get 16 out and with one glitch with a needle, I'll make it spill 256. And I could keep repeating this loop as well. This particular glitch is going to last one clock cycle period inside the core of the 44 series Infineon part. Sometimes though, I may hold the fault forever. Maybe I want to freeze the instruction latches and make the chip latch a 2-byte fetched instruction of some kind with an instruction and an operand. Something like this is very, very favorable to a hacker. And most of the smart cards today still don't have any defenses against this. Well, I take that back. They have defenses, the meshing, the size and such. But once someone overcomes these, there's no defenses for allowing me to read out all of memory. You mess with the MMU, change the memory mapping if it's over 64K, things like this. So there's always going to be challenges, but what you're going to see today applies to it. You may need to think a little bit outside the box to get it to work. Just for the slide-up, I should have asked you guys, you want to sit on the bus. Does anybody do reverse engineering here? Okay. I mean, substrate reverse engineering with microscopes, needles and things. Anybody? Okay. 
This chip, any chip is no different than a PCB if you lay out PCBs. Anybody do PCB board design, things like this? Okay, excellent. So the only difference is, instead of doing a scan on a PCB on like a scanner to look at the tracks, if you're trying to trace out wires, or using an ohmmeter, you need to use a microscope. And to touch these wires, they're much weaker than we are on the outside world. We need to use like a very low-capacitance buffer or an op-amp, for example. Something very light so the wire doesn't sink down and the slew rates don't get destroyed for the transition between a zero to a one and one to a zero. The driver needs to be capable for our purposes of this talk. An op-amp won't work because an op-amp is only going to take the signal out, amplify it and bring it to you. That's just listening. We're not going to just listen. We're going to listen and then we're going to momentarily induce a fault that we've chosen at what point in time to do it. So we know their clock counts. We know where they are at what precise point in time. And we're going to physically change the value on the bus at that moment. The driver needs to be low-capacitance, needs to be capable of driving a one or a zero, because this way it gives you the flexibility. If it's a one, you can make it a zero. If it's a zero, you can make it a one. If it's 180 nanometer technology or smaller, maybe the voltage, you can't make a one, let's say. You don't have a driver that supports like 1.65 volts, maybe. Maybe you find then an instruction that you want to instead drive to a zero, because it's very easy to force a line to ground through a driver that's running at 2.5 volts or 3.3 volts or 5 volts even, just as long as you don't drive 5 or 3.3 or whatever into it. So these chips are getting smaller, getting lower voltage. There's new challenges, but all of these techniques today will apply to anything tomorrow. So why do we do it?
We do it because maybe we want to overwrite the stack pointer, make this loop, as you'll see soon, repeat as many times as we'd like. I've only prepared it to do it once. It's not really useful to do it more than once because the high side of the data pointer is not getting incremented. So we're stuck in a page of 256 anyway. But maybe this is not a microcontroller, because this is not just smart cards. This is also any type of silicon device that you've got. Any digital circuit we can apply these techniques to. Maybe it's a cryptographic ASIC of some kind and you want to falsify a MAC or an HMAC or a cryptogram of some type. This technique can apply again. It just takes a little bit of effort on the attacker's part. So to put the fault into the chip, we're going to need to physically touch the substrate. So we've got to open it up with some acids. None of this is being discussed today. You can see the video on Wired. Has anybody seen the video on Wired? I was very tired, but I'm good. Did you understand most of what you saw? Good, even better, good. So you take that and you, again, apply it to today. There are some new challenges, but it's the principle of what I did in that video that, with a little bit of thought, you can do it. Infineon 6688s have a mesh, 220 nanometer technology, five metal layers with the mesh. So use a FIB, bridge the end to the out, and then use my wet chemical techniques and blow a hole right through it and get right down to the core of the 66P. Okay. So this is a Thomson 19 series processor. I don't remember which one, but something I took a long time ago, and it's very interesting. So you can see the yellow track is the data bus of D0. The blue line is a trigger, some trigger that I had. The green line is the clock. And again, just going back to this chip versus that chip, this chip happened to run on an internal clock. So this green clock you see actually had to get plucked out of the CPU with a needle.
So this was many needles, I think five needles on the substrate. But for this point in purpose, we care about D0 and the fact that we're in sync with their internal clock. The purple line is reset. So this is literally like five or six instructions on the D0 bus line. D0 is the LSB of the instruction fetch or the data bus. It's also the bit that flips the most. You make a 0, 1, 1, 0, change to 24 to 25, anything. Motorola, like 2021, 2021, 22, 23, they're all the complements of each other. In 8051 it's a little harder because it's like 20 or 30, jump if not bit, jump if bit, but you move the needle to bit four instead then. I prefer to use D0 though as much as possible. So you can see here, we're just listening. My blue line is some type of a trigger point. It's probably the trigger point that tells the driver to fire. Fire meaning I've already prepared my high or low level glitch. So I've set that side of the 126 that I'm using to be able to cock the gun, you know, cock the chamber. And that trigger is basically the trigger. So here in the next picture, we changed it. We physically induced a 0 when it should have been a 1. And so you can see, I changed the entire instruction processing afterwards. Now we're only sitting on D0, so we can clearly see that what came afterwards is some of our other fetches, and some of them, the one was on high a lot of periods and then down low and on high again. The instruction cycle period here is, it's pretty quick, it's like 10 or 12 megahertz for our smart card. Anyway, so this is the theory, this is the whole theory. Before we do a glitch, you don't just randomly throw, you know, you don't put a needle on the bus and just start jamming it down to ground or jamming it high and stuff, you're just going to go nowhere. So the first thing to do is for us to take what's called, what I call, the running code.
So it means that we basically put a needle on D0, we come out of reset, so we turn on VCC, we have the reset line low, we just start the clock and then we release reset and we just basically, we take say 32 kilobits of samples on D0, then we save it in the software and then we move the needle to D1 and then we do D1, and we can put down two or three needles if we want and do them in batches of two or four, et cetera. It's quicker for me to use one needle and walk the bus, so to speak, to do this running log than it is to manipulate two each time. How many needles do you think it takes to dump one of these smart cards? You guys think it takes a SEM to dump one of these smart cards? Anybody know what a SEM is? Scanning electron microscope? Does anybody use a SEM? Or do SEM prepping? It's a pain in the butt. And I don't use a SEM. I don't even use a FIB for half the chips out there today, and you'll hear all these rumors that a FIB and a SEM and university level is needed. It's never been needed and it's only now needed since say 2002-ish when they started to get below 350 nanometers. Anything above 350 is typically only three metals. It's really easy to get to metal three or two. If it's below 350, typically it's going to be a four-metal layer. It could even go up to five, and plus a mesh maybe. The microchip, the Microsoft licensing device, 8-pin SOIC, and every one of your wired or wireless controllers used on an Xbox 360, it's got a little Infineon chip inside. Infineon is so paranoid that you're going to get to their logic underneath that they laid a triple mesh. So they got two active meshes with a ground plane in the middle. Infineon kept that practice and took it to the SLE88. Does anybody use the 88 series SLE? No? 32-bit RISC from Infineon. 66, single mesh, very easy. So we're going to study a running code on this chip. None of these principles about meshing and things apply. The chip is very opened up.
We're going to look at the code, see where it went, and we're going to pick an instruction that we want to change, and the instruction is going to give us something that we want it to do and not what it should have done, such as keeping a loop that fetches a byte and transmits the byte to the outside world. Keep it going. So if a DJNZ is one, what happens? It loops one more time, but when that goes to zero, it's decrement, jump if not zero. The jump stops and you fall through to the next piece of code. So what if, when it goes to execute that instruction, I change, in this instance here, that one being read out to go into the ALU to decrement it? Because that's exactly what happens in this 8051. You see the program counter low on the bus. You see the opcode fetch. You then see the DJNZ of R or whatever. You'll see the value come out of the register into the ALU. You'll see it get decremented and stored back again. So if it comes out with a one and I hold it to zero, it goes in as a zero. It underflows, becomes FF. FF is 255. We get 255 more bytes back from the loop. So be very careful when you do, like, MOVX A, @DPTR, increment data pointer, you know, that type of thing in a loop. We don't always play with the data bus, although we will today. The data bus could be encrypted. It could be in the clear. It honestly doesn't matter. You can kind of tell what's going on with behaviors of CPUs, typically, unless there's some wacky, zany, crazy, you know, no-one-knows-the-instructions CPU. 8051 is zero to 255 possibilities for what the instruction really was that got fetched if you are encrypting it. 6805, same boat. AVRs, things like this, they're a little wider of an instruction. It changes the rules, but again, these principles apply in theory. The address bus, though, can change, you know, location zero. I can make you go to location one instead.
You don't know, but whatever came out is going to be, you know, is going to be used by whatever is being done at that behavior at that state of time. Address bus faults, typically, I'm only going to play with them on cryptographic memory type devices, Atmel CryptoMemory, Dallas 1-Wire type parts, things like this, things where I don't really have control. I can read out public areas of memory, but I can't read out private areas where you hide your key material or secret seeds, things like this. So it knows if it gets to 80, that it needs to, it throws a mux, and you can't read out that data. So it sends you zeros or FFs, depends who does it, you know, everybody's got their own way to do things. So what if we tell it to read zero, but I force bit seven high on the address bus? What's that become? I just ORed something into the bus. It becomes 80. So let's say 80 is protected, but I gave you address zero to read from. So I told the chip's logic, with the firewall area of the chip, is saying, oh, it's zero, it's okay, let it go. But I'm ORing in bit seven later on behind the address bus drivers. Well, behind logic where it can backfeed. And it works beautifully. So zero becomes 80, one becomes 81, and so forth. Does anybody have any questions? If you do, stand up please and just ask. I want this to be very interactive, and I want you guys to come up on stage and put a needle down too. Anybody want to play with the needle? Okay, cool, cool. Excellent. Anybody have questions right now? Am I going too fast? Because I'm trying to cram this in. You, sir. Absolutely. Two needles. Five needles is easy too. You start to go above five needles, it starts to get really hard. The more needles, people that I talk to that don't really appear, you know, that maybe are telling little lies and stuff, they typically tend to exaggerate the needle count on how many it would take to extract the code from a processor or something.
But if I can make behavior repeat, if I can make a fault repeat, I can maybe do it in two needles. But with this technique, I can do it in one needle. Let's say you're doing software, and you may say, oh, well, we do software randomizations, or we do hardware randomization. So you're randomizing things in hardware, like the cores randomizing things with dummy bus cycles and stuff. That's fine. Then I'll put down another needle, and I'll eavesdrop the internal latches coming in, and now the only time that I need to clock in data is when those latches open and close. But I would miss some of the bytes, too. I would miss operands, because the latches will not open and close on there. So generally, honestly, one to two needles, I'm done. Two needles, I'll do it quick. One needle, I'll build a script. Let me rephrase this. With two needles, I can not care about what's in the code, and I can simply freeze an instruction in the code and basically walk the bus and read out memory in most cases. Or I can let something run, freeze it, and then let something else run, this type of thing. Maybe skip over signature check. You can do anything by freezing instruction latches. But it's also very beneficial for a 64K memory map to do a readout, like on the older 6805s from Thompson, Motorola, this stuff. The newer stuff has MMUs, a memory management unit. So you have more than 64K of physical memory, so you've got to kind of let the processor run for you, and then when you get that page mapped to the memory, then do your attack. Things like this, but two needles, one needle, pretty much, you're good. Does that answer your question, sir? Okay, yes, sir? Somebody had a question over here? Yes. We'll go there in about five minutes. So you mean if structure-wise, how do I know what I'm looking at? 
Yeah, we'll go there in a few minutes, and I think that's kind of something you kind of learn with experience, and you can pretty much tell who laid it out once you've, as you open up devices, because maybe they won't mark Infineon on a smart card, although they do typically, or ST, they do. The cell library is going to look just like it does on the off-the-shelf stuff of that feature size, of that geometry. You know, and like for example, today Intel is down at 45 nanometers. That's pretty small. But I don't need to probe the logic, I need to get to the wires. And that's where we're going to go there in one minute. Anybody else have any questions before we continue? Yes? What's the chip? Hitachi? I'd have to see it and read the spec. The spec's going to tell you a lot. I mean, they... Well, I'll give you a good example. This badge has a 9S08 on the back of it. Anybody use the 9S08? Nobody? Anybody use the Freescale Motorola? I call it Motorola still. The Motorola Freescale 908s, like the JB12, things like this. The 908 was more secure than the 9S08. The 9S08 got shrunk. It's a TSMC process. It's a 250 nanometer 4 metal layer. And the irony here is they tried to make you believe that it's super, super secure now. So they tell you if the last address in memory has to be a complemented, like a 1-0 combination on two bits, on like bits 0 and 1. And they tell you, so when you do a bulk... The only way to clear this is if there's a bulk erase. Blah, blah, blah. That's great, but what if I tell it to bulk erase... One second. Then they warn you, once you bulk erase it, you need to make sure that you set those bits back to 1-0 because they become FF, all ones. You need to set those bits back to 1-0 before the next reset. So what's that tell you? That tells you that in logic, they just execute a bulk erase where in these actual bits that would normally load that address and store that am-I-locked-or-not, they clear those for you. So what if I cut the VPP line?
Does anybody know what happens if I cut the VPP line and then tell it to bulk erase? It doesn't do anything except clear those two bits. And then I read your chip out. So, I mean, just food for thought, there's a lot of ways to get into these backdoor monitors and such that run. And a lot of these chips are being fabbed by TSMC, like Freescale, I'm trying to think here, well. I see it a lot, you see it a lot though. There's databiz.wiz or something out of like Irvine and they're making a smart card. It's got like 10K of static RAM on it, 32-bit ALU, 16-bit opcode pitch. It's a TSMC, same exact memory model. Once I learn the memory model on the off-the-shelf Freescale parts, I can just buy their smart cards at 10 bucks a piece and I can whack them. I know exactly where the data bus outputs are, the address structure. Be careful. Data bus faults are all we're going to focus on today. And it's the most probable choice. It's very easy to spot the data bus. And this is what your question was about before. It's got to come out of the memory and it may come out of the memory encrypted, but that doesn't mean that you can't understand, at least you can understand when it loops. Because if it's encrypted, if a 20, let's say it's a 20, 20 FE, chip, but that's a 6805 branch to yourself. So let's say it's an 80 FE, a short jump to yourself in 8051, either of those two. Let's say they're encrypted and they're coming out as, you know, 1055, who knows. You're going to see on the bus, you're going to see 1055, 1055, you're going to see this come out constantly. So you don't know really what it is, but you can tell it's a branch to itself and it's sitting there forever in this loop. So you just figured out two instructions from that address point of what they decoded to. You don't know that. You can see encrypted code running in loops. Let's say I know that 66 is a non-ISO reset. Does anybody know what non-ISO reset is? It's in an Infineon 6644.
It's when you hold the IO line low and you release it out of reset for about 400 clock cycles and then you release it back to a pulled-up state, to a one. It then identifies you, its chip lot and things like this. This is what we're going to exploit today. If it's encrypted code, I can see the loop, where I can see encrypted code that says basically, do a fetch from wherever the data pointer points, transmit the byte, and then you can see the decrement, whichever register it is, go back up and do it again if it's not done. You just don't understand it, but you can make heads and tails out of it quickly if you're focused enough. So be careful if you run encrypted data buses; these techniques are still going to apply. Anyway, cryptographic, we can make key spills, as I explained before. Execution steps, same thing. Determine when to induce it. We may want to repeat the fault; we can if we want to. Just need to precisely time things. I want to get to more of the log traces that I've done and take some with you guys at this time and show you some code snippets from this Cylink chip, which is like defunct, over 10 years old, and show you what I see on the bus and show you where we're going to do our attack, and then we'll demo and you can basically watch exactly what I'll do. But in my lab it's much quicker because this is the wrong equipment, but this is something you guys could build yourself too. This was built purely for like a show and tell. Otherwise the probe station is over 300 pounds. Okay, so I mean technology, it's improving and it gets great, and the whole theory here is how long is it going to take the person to do it, to be successful, and that's really what you need to focus on. And I think a lot of these companies are on the right track to do it, but there's still a lot of room for improvement and there always will be.
Every smart card to date that's ever been made by these manufacturers, except possibly the 88 series of Infineon, has been broken by pirates if it's been used in an area where they can sell counterfeit things. And it's not just like conditional access for television; it could be satellite radio, for example. They're using a Thomson 19. I don't know why they're using it, it's not secure. Scientific Atlanta, they're hiding a Thomson 16 and 19 in their set-top box. Why? It's obscurity, and obscurity is not security. It's a layer. If it's made by human, it could be taken apart by human. So I'm going to get out of this and I'm going to try to work with you here a little more dynamically and interactively. And this is, does anybody like ROM bits and things like this? You hear people talking about doping ROMs to read them back out. That's probably the most useful technique of today, and the reason for that is because most likely, if you're not encrypting the address, they're scrambling it and it needs to be decoded. So that means not only do you have to put the bits all back together the way they went, and you may make a mistake optically, you need to understand the address decoding logic as well. It's a lot of work and effort, and the method we're about to get into is a lot easier. But if you did want to study the ROM, you could play around like this. This is the actual instruction dispatcher table of this 44 that we're going to play with. This is a 500x magnification view of the ROM stripped down to its poly diffusion area, and so now you can kind of see. I didn't finish this. You guys are welcome to all these pictures and such. I just didn't want to post them on a public link, but if anybody would like them, I'll have business cards at the end, or my email is on the presentation. Email me and just ask for it and I'll give you a link off my server and you can download the whole archive. It's going to be about 800 megabytes. This is a photograph through an optical microscope, Zeiss Axiotron 2 with confocal scanning.
It's a 50x objective with a 10x mag, so it's basically a 500x magnification of the area. Again, this is a 1000 nanometer process. It's pretty big. I mean, anything under 130 I need UV. I need to use ultraviolet with the camera and I have to make mosaics to study the logic. But again, the wires, I can see them. I just can't see the actual gate structures, but you can make out, based off of the way things come into metal one, what the circuit might be doing, and then if you can put a needle on it you can just deduce the behavior immediately. So you can see here I drew little lines. It's 36 across. This is the Infineon 44 series instruction dispatch table. It's a 256 by 9: 256 elements with 9 bits across. If you want to look at it as a table in bit form, though, it's 36 across and 64 down. So you can see from here to here there's 32 plus 4 more; that gives you 36. And then each one of these rows, there's 64 rows. This has been chemically wet etched with buffered hydrofluoric acid before this image could be seen like this. I then took a dark field reflected light image of the area. It's four or five images, well, four or six images, excuse me, tiles stitched together as one. And basically you can see everywhere, I mean, I didn't finish, but if you guys wanted to play with this in Photoshop like I started: anywhere you see, right here for example, I would put a dot there, put a dot there. The blue and the red lines cross. If you see the glasses connected, the poly, or right here, put a dot there. And then you can, so this would be a bit, this would be a bit, this would be a bit, and so forth, every first one for, let's say, address zero. It may not be decoded that way, though, but that's just a hypothetical example, and then you may have it backwards, maybe a one or maybe a zero. It all depends on the remainder of the logic, how they've laid it out. But we're not going to go any deeper, but you can have the pictures. All right, so we're going to go into this chip.
It's got a mathematical coprocessor in it. Again, it's doing RSA internally. Does anybody know what RSA is? The cryptographic algorithm? Okay. I don't think it's any larger than a 512-bit RSA type mathematical setup. However, you can see it, you can tell this is a crypto block. It's isolated by itself. It's actually been like an extension to this chip. It took their normal 44C80 and they added this math block to it, and it's basically a ton of RAM and some shift registers and, you know, the modular multiply, whatever you need to do, square. But this is really where we care about. We don't care about this area, so we'll just forget about this area and we'll go right into here. Does anybody know what this area is right here? This is the non-volatile EEPROM. It's only 8K and it's a pretty large element. Your static RAM is going to be your smallest size element but largest area consumed for the amount of cells that they're giving you. So you've got some static RAM here, you've got ROM here, 32K, and you've got 8K of EEPROM. So you know that there's bussing, there's bussing structures that are going to tie into here. Then we can see there's some type of a ROM here and some type of a ROM here. Here's the ground, here's the IO line, here's VCC, reset and clock. ISO 7816. Most of you guys know what this is. Do I have to explain it?
Half duplex. Smart card after reset sends out answer to reset, tells you about itself. Okay, so this is a 5x mosaic, a 50x mag. It's too small for us to try to look; we can't see anything. We're looking, we see like there's some bussing structures, we see the static RAM is right here, it's connecting. We can count the lines. I mean, this is a thousand nanometers, so a 50x mag is good for a general blow-up of what are our goals, what are our challenges, what do we see, to kind of plan your attack. We see some lines coming out, so something's telling me that this is going to be a pretty good area to kind of sit on and sit in. We know that the 8051 has a multiplexed data bus, so we know that the low address of things is going to be present on it, and static RAM is connected to it as well as the e-square and the ROM. There's no MMU because we know it's within 64K of a physical, of a virtual memory map. So we take this, we already located where we want to be, we want to look in here, we're very curious, so we image it at a higher mag in that area only. This is about, this is two rows of 10 each, so this is not just two pictures here. Ironically, the older chips do not look as pretty as the newer ones do. The newer ones have a lot of different colors and stuff. So we look at this and we start to see some bits, some, these lines that we saw at the 50x mag. At the 500x mag now we can see a little bit better where their vias are, how they're plugged down, things like this. So we see one, two, three. Hey, look at that, this one's plugged into that same track and it goes up towards that static RAM. So we're on the right sheet of music, or we're heading in the direction. We got another one here, there's another plug, another one, another one, another one, and it keeps going. So this looks like it could be a good candidate to be the data bus of this chip. It is the data bus of the chip, to cut to the chase. So it's pretty easy to find the data bus a lot of times because you know the RAM is connected to it. That's the
moral of the story here. It's not the case in all smart cards and such, because they try to isolate things nowadays and throw in muxes: what area of memory are you in, things like this. But you can always go to the edge of the ROM, because you know the chip powers up out of its ROM, so you know it's running right there, and the data bus drivers are always pretty straightforward in what they'll look like. You can see here that there's actually, you can't see here because I didn't go in enough, but you can see down here, if I zoom in more, you can see this is repetitive logic here. Does anyone have any idea? Anybody do logic that has an idea what these are? What do you think they are? Yeah, they're latches. They're the instruction latches. So there's two ways we could suck the code out of this chip. We could induce a bunch of faults, we could study the behavior of the running code, which we'll do, and we could then look at what was happening on this bus and we can change the instructions as they're happening to force an overflow of the stack, possibly. It takes a long time. It takes me maybe a whole morning to do this, to get this trojan to work, but when I'm done I just put a single needle down and press a key, and it executes like clockwork on any of these. And so that's the easy way, that's the hard way to do it, but the payoff, the reward, is tenfold when I'm done. Yes, it's a very good question, actually, and I didn't even talk about that in the intro. The point is to do, maybe, maybe you want to know the RSA key of this chip. Maybe you know how RSA works. You know that you send in whatever and it processes it with its secret key and it returns the result. Maybe you want to make a clone of this card, or, well, I don't know why you want to do it, but if you're in like satellite TV piracy you'd want to make a physical change to this to turn on all the services, for example. Or maybe it's a crypto memory and you can't write unless you know the secret, so you
have to sign something to get it in. Things like this is why you'd want to get the code out or make a change to it.

Oh, you do? Well, you need to do it. So basically you need to look and see how... okay, I'm sorry, he's asking how do you make a stack overflow work. And it's no different than, if you guys are Windows hackers or something, or you know these guys who write these Windows exploits, it's the same theory. You basically write further into memory than you should be allowed to, because we changed the instruction to make it continue receiving data and storing it indirectly. So an indirect pointer basically is writing in memory. The stack has to reside in a memory somewhere. It would be nice if it was in its own private area, such as a PIC microcontroller has its stack privatized, but in most cases it doesn't; it's right there as well. So we find some locations in memory that are of use. We already have seen a lot by looking at the running code, so we can pick addresses to jump to off the stack. So we're basically just going to reload the stack, adjust any type of loop pointers to make it stop, and hope it hits a return soon to execute the sequences that we've pushed into place, kind of. But these pushes should never have happened. They're happening because we executed this physical glitch with a needle.

Or if it's a 6805, beautiful, beautiful. Yes, so he's asking about executing code from RAM. That's even better on the 6805. You can instead load your worm into the RAM and then tell the stack, now jump to 100 or wherever your code went, and you know where it's getting stored because you've already looked at and analyzed the running code of the chip. The goal, or yeah, the goals: either the goal's to get the secrets out, get the key material out, or maybe do a permanent modification to the chip to where now you have free write access to it. Most of these chips do not let you write to the E-squared anything useful, so the only way you're going
to do it is to kind of simply, or through a voltage glitching you might have heard of on unloopers, things like this, make it skip an instruction, or in our case modify an instruction just to abuse something. And do it once; once it's done, though, you have complete control.

Okay, so we're going to look at some logs, actual logs taken today. I'll show you a couple logs. Actually there's too many chips to get into. I tried, I wanted to get into the 66 on a Gemplus. Does anybody here work for us? Really? You're going to love me. So I have some 6805 Gemplus cards here, and from the IBM smart card SecureWay. Does anybody use this to secure their laptops or files and stuff? No? Okay, how about GemSAFE? Does anybody use GemSAFE? Has anybody ever seen this little orange card? Actually both of these cards are on eBay for, like, pennies, and that's where these came from. You just buy 100, 200 of them for pennies, and then you can do all the R&D to hack them that you want. Leapfrog, has anybody ever heard of Leapfrog? They went out of business. This is, again, the same processor as this, without the crypto. Okay, GSM SIM card, anybody clone your GSM SIM card? That's exactly why we're here, except today they use a lot of Atmel AVRs and such things that are hard to get to, but they did use easier chips 8 years ago. I mean, I've had A3A8, the COMP128 whatever-dash-1 algorithm, out for 6-7 years now, because they put it in an AT51, they put it in the 6805, they put it in chips that were never really that secure, that got CC certified, Common Criteria certified, whatever, the FIPS 180 or 140 certified, and so forth.

So here we go. I'm looking for the better log. I have a commented log, more than that one. Okay, so basically what you're about to see is basically the dumped code that came out, some snippets, so we can kind of line up, just so you can understand that what we're seeing on the needle, with the needles, is actually the same as what you'd write in assembler. It's just you kind
of have to... you don't see clock 1, clock 2, clock 3; you have to kind of parse it apart, and I do this manually by hand typically, although I do have tools to automate it. So bear with me one second. Yeah, this is actually... I want to show it to you, but I'm just looking. I have one, I'm trying to find it, that's heavily documented on a lot of the instructions, to kind of show you. Otherwise it's kind of really the lowest level that you can get inside of here, unless you really want to start tearing the poly apart, and you don't see the gates and everything. And that's something, I mean, I do it, and Karsten Nohl does it a lot. There's a lot of people, bunnie Huang, we all do it, but this is much easier than starting to tear apart logic and decode it and put things back together.

Okay, I think... okay, this is fine, this will work, perfect. Okay, so this is a log I made a while back. So the chip powers up. The manual barely even tells you what clock cycle it really starts running at. This particular chip takes a while to fire up. They clear FF down to F8 and RAM to a zero, and so you can see it here. You see on clock cycle zero, clock cycle one, so this is basically what period of time the processor was on when I took the sample. But I didn't just take the sample once. I had to repeat this eight times. So I put one needle down and walked across the bus eight times, just let the code run. If you've got randomizers, I'll see it, because all of a sudden the code that looks normal will become garbage, basically, and so I'll just look in front of what happened before that went to garbage, and I'll just whack that and stop it. That'll be glitch one, you know. So I'm very serious. I saw a lot of chips with, like, each E-squared has a seed value that then seeds some randomization, and it's great. You guys should be randomizing things, and trying to take time between the ATR first byte and the second byte coming out, and things like this. You've got to get the first byte out fast, and then they, so
they send it out fast, and then they try and randomly change the delay between the second byte and that first byte. And I mean, I guess it's good, but there's other things that they should be worried about. But everything... you can never not do enough. That's really... don't forget that.

So we sit here, boom, finally at clock 3F hex this chip fires up. Can everybody see this? I don't know, let me see if I can zoom in. Oh, is that better? Okay. I have no idea what it does; it's like a function icon on my laptop. Okay, but it works, you know. Okay, so at clock 3F we've got a zero on the bus. Guess what? It's the program counter, the low side of the program counter. Remember I told you the 8051 is a multiplexed data bus. It means you're gonna see it. It makes it take more time too, because that's a wasted clock cycle right there. So you wonder why that move of an immediate value into a register on this 8051 took, I believe, 10 clock cycles: it's because three of them were address sets of the low side. So with PCL set to a zero, boom, all of a sudden a 75 is sitting on the bus on the next clock cycle sample, and then again there's a 75 on the next clock cycle sample, and then we see a PCL of one come onto the bus, and then we see the operand, then we see a two and we see the operand, and here's the end, this would be the end. So this is the complete... this is exactly what's on the bus of a 44 series 8051 during a move of an immediate value of 80 into register D8, which I have no idea what it does because I don't have the data sheet. Does anybody have any questions now? Okay, are you guys bored? Okay, good, good. I'll go all night, but we got to put some needles down too, so don't forget. Okay, so then, boom, here we go with a program counter low of three, and it just continues and continues. So I'm using the code on every clock cycle; I see what's going on. I mean, now we can go... let me shrink this, and let's put these two next to
each other. And I run Linux, by the way, as well. There were some comments online that, oh, this is Windows, and most of my tools are Windows, it's so easy, but my server is Linux, so you know, quad core, eight-way, it's good. So here we've got that same listing. I'm just trying to get synchronized here. So now it's too small. Is it too small for you guys, or can you see it okay?

So originally on this chip I had sat on the bus and read it, and then I just decided it was taking too much time, so I tried the instruction latch approach. That worked, but I was missing... for some reason this particular chip gave me some trouble with this. It doesn't always work like you'd hope it would, and so I went back to the invasive single needle glitches, and the problem with that is the time, as I said. The nice thing about this was I realized that Infineon on power up all of a sudden has this: take some bytes from the outside world and stuff them into memory indirectly, and, you know, decrement a register in a loop. Well, it's beautiful, because the stack is at seven or eight still, wherever it powers up to, and the loop should be like ten bytes, and we just whack the R3 and we can overwrite the whole stack, load our program in and go wherever we want. But to load the program in, we needed to first do a lot of running logs, maybe send a five byte ISO header into it, see what it wants. Can we overwrite the stack through the ISO header? We probably can; in most cases they loop that too, or they loop some of the bytes coming out of the ATR too, if you want to read out the entire memory space or E-squared, let's say.

So we see here, here's the initial power up code. We see there's that move into D8, that ten, this is the clock count right here, this is the line of code it was on, these are the opera... the whatever number of operands, you know, the instruction and operands are present. Clear A takes three clock cycles. It's an E3... where is it? There it is, right there. So boom, program counter low comes out, E4 instruction,
E4 instruction, it clears the accumulator. What's next? And it just continues and continues and continues. And so basically there's some strange behavior that nobody would know unless you're at this level, and this is something that we were examining earlier when we wrote the script that you'll see get executed. And things like R1 touches of increments: it starts it, and then it finishes it during the next instruction's dispatch. It's just the weirdest behavior, but I mean, they can do it as long as they get both things done sequentially.

So if we go back to this line of code, we see that there's this thing in power-up that is a jump. And by the way, guys, this code is pretty much static across any 44 series. If I show you it from the 66, it's going to be static in the P or the 64 series, with some variety to it sometimes, but pretty much all the S's would be the same, all the P's would be the same, all the 44 series are the same. Every Infineon 44/66 is going to do this thing that we're going to abuse. So if the I/O line is high, execute the person's... the wrong code that you wrote in, or the designers wrote, but if it's low they go into this what I call "CMS hello", which is like the hello of the Infineon part: give you a lot number, things like this. It's very cool, though. They start the data pointer at 8000 and then they read out 10 bytes, or it could be 11 bytes, it depends on which series this is. For practical, for our hands-on, it's not really a loop that's easily abused, because the high side of the data pointer is not getting incremented, so we're stuck in the page of 256 of where they set it, and if you look up above, 8 to 80, so because they set this to 80 we're only going to be able to glitch and get out 8000 to 80FF in the memory map. But it's E-squared, and there's a lot of secrets a lot of times in these people's code up in the front, and then they put all of their code later. In time, I was just going to get into that, so with a little more effort I can start playing around and I can start
exactly, make it 81, make it 82, make it... but it's a pain, it really is. So I would find a better loop if I really wanted to do this, and there is a better loop, because the stack pointer abuse is in here too. But for today, a quick demo. I did it on the machine in my room this afternoon. We're going to basically bring it into this area, and notice it says move a 10 into R2. So that means basically R2 is going to become their counter, and it's going to think it's going to send out 16 bytes of the EEPROM to us. Well, it's going to send out 256, but we're not... so there's a little delay here. They pull a value from E-squared, so this is a special instruction from these guys, and we'll abuse it. But notice only R1 gets incremented. So since R1 is the only thing getting incremented, it's not going to get us too far, but maybe there is something we do need, like a secret backdoor key, or maybe the only key that you need is in the clear right there at that point of memory, or it's how to decrypt it, things like this. So hypothetically this will be fun when it's done.

It does some things we don't care about. This is going to end up freezing, because the chip is not in Infineon's test mode any longer. If we did want to read it out, we wouldn't have come here. We would have followed this jump to 45 right here. We'd let all this stuff... we'd do it, actually. We would glitch this, or we would glitch this. It's a check that they do, because Infineon claims that you can never get back into test mode. They're liars, but they're nice ones, because I mean you really normally can't get back in, but I can get back in. So we can change the address of this fetch, or we can change the data fetched from the address. There's a bunch of ways to skin the cat, but I prefer to keep one needle only down and never move it, so it's much easier if you don't have a laser cutter; you don't want to be moving, trying to open up two different tracks. And so here you can open the track with, like, a sewing needle at a 45 degree angle, kind of stab the
silicon, and you can pop the glass off the top. This will work for you, but down to about 350 nanometers. If the wires are spaced apart... if they're too close together you'll probably short two wires together, two tracks, and it may still run, though, so you may still be okay.

So we're going to glitch this. If we wanted to overwrite that stack we were talking about before, we'd continue. We would be changing the behavior, so instead of going towards normal power up, it goes towards getting back into their test mode, behavior they're trying desperately to keep us out of. So this is just one check of several checks that you'd have to get through. We'd have to change this one, then we have to change this ACALL. If this ACALL comes out the way it's written, it'll freeze on this next instruction.

So yes? I don't remember... oh, the 4x password is something they set in memory. It needs to be like... it's a 4x Infineon password that says, yeah, you're in test mode still, type thing, and when you're done it's an OTP value. I think it's 99, actually. The A9 is one of the bytes, if I remember them correctly, and the 33 shouldn't be 33, so those two are two of them. But when they're done, they took away some of the other bits, and the A9, I believe, they destroy that to something else, and then they write the lock code in on all the good stuff. So it's a 4x password, but we destroy that ACALL, and that's... see, so what am I saying here? I'm saying 51 A4. So do you see what I did? So this used to be 51 B5, so... oh, I'm sorry, this is here. I destroyed this ACALL with it, so instead of being A5 I make it A4 by grounding out bit 0 of that fetch. So we've done some glitches to get past, like, this 4x password and things like this, and now we'll do a glitch here to make sure that this jump-if-not-carry goes in a good way and not a bad way, or it's going to freeze us right there. But again, if it freezes us right there we could do something to change that too. It's just probably not going to sit on D0 anymore. They've got some weird
thing here. I thought it was maybe an erase, bulk erase, because you're trying to get back into their test mode, but it's not. I have no idea what it does. They do some silly things we don't care about, and then they call this routine at C5, and this I've never seen in any of the other 44s that I worked on that were used by my old employer, but on the commercial ones, in GSM, the Leapfrog card, the Sylink card, every commercial off-the-shelf 44 otherwise has this in it, and I don't know why. So when I'm done building the script to overwrite the stack, it'll work on pretty much all of these popular 44 public chips. So C5 says: receive a byte, store it in wherever R1's pointing, increment the pointer, decrement R3, if it's not 0 continue fetching bytes. One squash of that R3 and we can overwrite the stack, and we're done. You've got to prepare everything and make sure it's the right stacking of whatever you're going to do, and it will work fine.

So today, how many people want to put a needle actually down? Do you want to see me walk the bus and build... should I walk the bus? I mean, I want your input here. Should I walk the bus and build this script like you see here, similar to that, in front of you, exactly how it's being built? And you can see how, if I had things wrong and the data bus wasn't right... they're always laying their data buses in, like, a sequential ordering of 0-7, 7-0. Even today the latest Infineon 66's claims all this address bus scrambling. That's great, but I'm not going to sit out there on the ROM. I'm going to go right to the heart, the core, and it's right in series again, in sequential ordering again. Some people never learn. Thomson, same thing. Anybody use ST Thomson products? Yes or no? I didn't see any hands. ST, yeah. So like the whole smart card 19 series line is on microcode. Infineon 66 runs on microcode. These are no-no's for today, because these point right to the instruction latches of these architectures: 220 nanometer, 180 nanometer. They can't be any smaller than 150 or
they'd be copper, and they're not copper processes, or they turn gangrene a day later. So these chips are getting smaller, but they're still running on old school techniques. They've got the room to lay pure logic implementation like an AVR has. An AVR has no microcode or PLA in it whatsoever. Freescale likes to do it, Thomson, ST, a lot of them. They're a hacker's dream, you know, to go backwards through the maze, kind of.

So, well, I need about two minutes to set up. I think it'd be great if you guys want to, like, come up and hang out. I think, you know, maybe that's easier. I'll try to talk into the mic and we'll build the log. In fact, if you guys want, one of you guys can hit the key for me to, like, take the samples, and then when we're done you guys can try to put the needle down, which is very hard. So basically this is a used Karl Suss PH 150 micropositioner. These things are about $6,000 new. You can get them for under $1,000 used on the surplus market. When you get them used, they don't come with the little arms, the nice little arms that I'll show you a picture of on the screen. So basically it's hard to see, so I'll show you here. That's a probe needle right there. You can see the little needle. It's going into an LVR. This is used in some type of power device or something, back when I was with my old employer, you know, get the code out of anything. One needle can get it out. So with one needle I can turn off a lock bit on a locked microcontroller. And it's funny, because I build these libraries of chips that I've whacked: Thomson 19, five needles, the code's out. I've got it down to four needles now. So you can see I've got one, two, three, four, five micropositioners later on the table. Later on this die, this little wire that you see going over here, it's going to a different board. I build these little boards out of CD carriers and Radio Shack parts, and then you can see there's a smart card slot that I put a hole in. I don't know if everybody can see
it, but I wish... I tried to get a camera hooked up here, but I couldn't do it. So there's a little hole there. The smart card goes in, and if the smart card's been opened, one of these is opened, you'll see it through the hole and the needle can touch it. We're going to work with one that I've rebonded down, so I've actually thrown it completely into acid. Actually, here's a smart card. So it's a whole 'nother... it'd be a whole day to show you guys, like, opening these chips and stuff. The best thing would be to see the Wired video. So this, I mean, I'll just pass it around. They probably never come back; that's fine. I actually got a bunch of swag to give away later. So but this is what an open smart card looks like. It's still alive. All the bond wires are attached to it. I'll typically use, like, another smart card. I'll take an X-Acto knife and just chop out the module, kind of clean up the area where it lived, and I'll tape it back into place with some Scotch tape, to make sure I don't, obviously, isolate any of the contacts that I need, like ground, VCC and so forth. So these are actually really handy to be a carrier as well, and there's only a few different module types of where they sit in their positioning to make the contact when it's slid in. But a smart card, again, it's just a microcontroller that's been upgraded, as meshing's added to it, things like this, today, but basically the fundamental of it was some type of off-the-shelf chip before.

The needles, you can't really see them, but I'll pass this one around too. Just, if you touch the end you'll damage the tip, and the tip is shaped to a very... it's under a mic... don't hold me honest, I think it's under 0.10 microns. They shave it with a mechanical process, and so there's a little cat whisker at the end of this. Some people choose to buy Picoprobe, like Model 12C, has anybody ever heard of that? Basically it's an active buffered, like, a needle to hold the needle on, and you have to buy their $30 needles, and it's
very expensive. These needles are $5 each, and making my own buffers with the lowest capacitance possible, I succeed up to about 40 megahertz, which no smart card has ever gotten to today. And if it did, I can slow it down by finding the ring oscillator and just jamming a new signal into it. Thomson 19, good example: they left a big fat test pad right on the ring oscillator, so if I inject... my little FPGA board here can do 24 megahertz; typically I run 3 megahertz. So on the 19 series I used to inject a 3 megahertz signal into the oscillator. It would slow it down to about 150 kilohertz, and the sensors and everything are all, like, based off of this, so all this low frequency, high frequency detection, it just went out the window. So I'm literally single-stepping this processor, with the mesh. It's got a mesh over it and such, and it was not in the Wired video, but I'd be glad to show you pictures of the breaches in the mesh, if you want to see them. So this is a needle. I'll pass it around. Just don't touch the chip. Maybe look at it in that light and change the angle; you'll see there's a little whisker at the end of it, just like in the picture.

What do you guys work with typically, like what kind of chips? You use that... Molly, which one? Just the stuff like... honey stuff? Okay. This is not... most of my pictures are on another drive. I have like 60 gig in pictures. Some of these pictures are 300 or 400 megabytes, and things like this, and so I have all these pictures and not enough space to store them on my laptop drive, so I had to delete some of them. And I wanted to... I had MSP430 for Travis Goodspeed's talk and things like this. So here's a mega647. Anybody use it?
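The two counted loops described earlier (the power-up routine that moves 10h into R2 and reads bytes out of the E-squared while only R1 advances, and the routine at C5 that receives bytes into wherever R1 points while R3 counts down) share one weakness: a single register is the only thing bounding the transfer, and 8051 DJNZ decrements before it tests, so a counter forced to 0 runs 255 more passes. The Python model below is an added illustration, not the speaker's script or any Infineon firmware. It simulates the vulnerable loop shape, the two faults the talk mentions (the counter squashed mid-loop, and the immediate 10h fetched as 00h), and a hardened shape that keeps a complemented shadow of the counter and checks the pointer against the intended end on every pass, so a one-register fault is caught instead of spilling the page. The names `djnz_loop`, `bounded_loop`, `PAGE` and the EEPROM contents are constructed for the example.

```python
"""Fault model for a DJNZ-bounded transfer loop and a fault-tolerant variant.

Added example, not code from the talk or from Infineon. The EEPROM page is
constructed sample data so that a dump is easy to recognise.
"""
from typing import List, Optional, Tuple

PAGE = 0x8000  # DPTR high byte stays at 80h, as in the talk; only the low pointer moves

# Constructed sample page: address 80xx holds (A0h + xx) mod 256.
EEPROM = {PAGE + i: (0xA0 + i) & 0xFF for i in range(256)}


def djnz_loop(count: int, fault_at: Optional[int] = None) -> List[int]:
    """Vulnerable shape:  MOV R2,#count / loop: MOVX A,@R1 ; INC R1 ; DJNZ R2,loop

    fault_at: iteration after which a one-cycle fault clears the counter
    latch (the "squash" of R2/R3 from the talk).  count == 0 models the
    immediate 10h being fetched as 00h, which makes DJNZ run 256 times.
    """
    r1, r2, out = 0, count & 0xFF, []
    while True:
        out.append(EEPROM[PAGE + r1])
        r1 = (r1 + 1) & 0xFF          # only the low pointer advances; wraps inside the page
        if fault_at is not None and len(out) == fault_at:
            r2 = 0                    # injected fault
        r2 = (r2 - 1) & 0xFF          # DJNZ: decrement modulo 256 ...
        if r2 == 0:                   # ... and fall through only when the result is zero
            return out


def bounded_loop(count: int, fault_at: Optional[int] = None) -> Tuple[List[int], bool]:
    """Hardened shape: same loop plus two independent checks on every pass.

    Returns (bytes transferred, fault_detected).  A fault that corrupts one
    register is caught either by the counter/shadow mismatch or by the
    pointer reaching the intended end without the counter agreeing.
    """
    r1, r2, out = 0, count & 0xFF, []
    r2_shadow = (~r2) & 0xFF          # complement of the counter, stepped in lockstep
    end = count & 0xFF                # intended end pointer, derived once up front
    while True:
        if (r2 ^ r2_shadow) != 0xFF:  # check 1: counter and shadow must XOR to FFh
            return out, True
        if r1 >= end:                 # check 2: pointer may never reach the end early
            return out, True          # (also catches count == 0 before any byte leaves)
        out.append(EEPROM[PAGE + r1])
        r1 += 1
        if fault_at is not None and len(out) == fault_at:
            r2 = 0                    # same injected fault; the shadow is untouched
        r2 = (r2 - 1) & 0xFF
        r2_shadow = (r2_shadow + 1) & 0xFF
        if r2 == 0:
            return out, False


if __name__ == "__main__":
    print("unfaulted:", len(djnz_loop(16)), "bytes")
    print("counter squashed after byte 1:", len(djnz_loop(16, fault_at=1)), "bytes")
    print("immediate 10h read as 00h:", len(djnz_loop(0)), "bytes")
    print("hardened, squashed:", bounded_loop(16, fault_at=1))
    print("hardened, count 0:", bounded_loop(0))
```

The point of the shadow counter is that the two registers have to be corrupted consistently for the check to pass, and the pointer bound is computed from the intended length rather than from the register that is being faulted; the receive routine at C5 has the same shape with RAM as the destination, so the same pair of checks would stop a squashed R3 from walking the writes into the stack.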
So this is just an overall of the die. It's got a little dirt on it, but honestly, you're not supposed to really be seeing this. It's for me, but it gives me an overall of where things live. This is a three metal layer, 350 nanometer process. I actually don't know where the RAM is. It's buried in here somewhere. You'd have to strip off top metal to see more underneath, because the wires are hiding things. But here's the flash, and then here's the E-squared, and then the fuses over here on this particular one, I think, actually here. So then what I did after I found them is I make a nice little photo like this, and basically the fuses, they were on the edge. It's just there's so many varieties of where they live on AVRs, it's tough. And so you put down two needles on these two wires, they're highlighted in red, you hold them low and you read the chip back out like it was never locked, and then you wonder why your code got stolen, or whatever happened to it. People hijack everybody's IP all the time. It's hard to protect against it.

What's the FPGA board for?
So this FPGA board used to be a custom microcontroller design board that I did when I was in NDS. It's actually the first BGA board I ever made, and it has a lot of flaws on it, believe it or not. It's like eight layers, nine layers, something like this, but it was our first BGA based design, and so we didn't bring enough test pads out, and there's a bunch of patches. You know, USB serial came out, and so I tied it into an FTDI 232 (hi Steve), and there was a lot of cuts, drilling to this to fix shorts. But we got our act together and we did a new version of this board, and the new version of the board, I just can't get the instructions that agree it on, and I call it the WASP, and I don't remember what it stood for, because I did it in 2005. But it has 16 megabytes of static RAM, and then it has eight... actually, here, I think I have an image of the... no, maybe I don't have this set. Anyway, I actually have it in my room. So it has eight individual, like, eight needles could come into it, or drive, things like this. It can voltage adjust from 1.65 volts up to 5.5 digitally, through digital potentiometers, digital regulators. There's actually nine of them, but eight of them are meant for needles, so there's like eight pin header rows, because I basically need five wires on my little homemade drivers that I make. I need VCC, ground, I need the sense, I always want to sense what I'm seeing on the needle, and I need overdrive or high-Z, do I want to listen or do I want to actually make a change, and then if I do make a change, what's the value going to be. That's yellow. So yellow is what's the value, green is hit it or don't hit it type thing, and orange is always returning the value. So this is basically the original design that I tried a long time ago, and this works up to about 12 megahertz, but after that I have a better one than this. That's a Philips 126, two drivers, and it's good down to 1.65 volts, and it's what I'm normally using, but I didn't want to take this apart, and it just... I figured
leave good... good. So anybody else have questions? I didn't finish the FPGA, though. Actually, well, the FPGA, okay. I'll get the code out, let's say. It's just going to be a bitstream, and I can clone you like this. But you're trying, like, Virtex-4, Virtex-5 type thing? Like, how about an Altera MAX 7000 series? Yeah, so let's say you were running a CoolRunner, you're running Xilinx. I've hit a lot of this stuff. When I say hit, I mean I've analyzed it and I've studied it and just kind of got an idea. But the attacker, if he does get your code out, it's pretty expensive, probably, and when he's done he won't know what you did. He'll just know how to copy it, you know, and write the same bitstream in. So you take like an Altera 7064. Maybe my next class should just be like showing you guys pictures the whole time, you know. So the Altera 1996 die: these guys really had their act together. Does anybody work for Altera? No? Well, if anybody knows anybody in Altera, this is really nice, because this is 1996. They had some good techniques, and they got better and better, and of course today they're 65 nanometer FPGAs. So it took me like three weeks to find what you're seeing in five minutes. They have test pads laying around the die. So these are test pads, like this guy and this guy, this guy, this guy. The designers thought they might need to come back later and look at it, and so they lay these big fat huge pads that I can come down and touch with a needle very easily. Touching this pad compared to touching this wire, for the average Joe it's pretty hard; unfortunately, with some practice you can get it really quick. But these pads tell an attacker not only... you know, I should rephrase that. These pads make things easy for the attacker, but they also make him say, why did you leave that pad there? There's a reason you left the pad there if you were the designer, so I'm going to find out why. So the first thing he may do is open up every one of these pads, put down a needle, and say, it locked, what's it look like? Or just read
it back, and drive it or don't, you know, drive a zero, drive a one, drive the reverse of the state, things like this. None of these pads did any good. The fuse was actually buried under this, like... well, like, here we go again, it's buried under this pseudo-mesh. So this is not really active, so to say, but it works, because what Altera did was they routed every conductor from the left side of this picture, way, like hundreds of micrometers to the left. They routed them completely across the die, and they're all pretty much equal length, covering every one of the logic cells that stores the configuration. So now, to get the fuse... it's in there somewhere. Where is it? It's a single cell of non-volatile EEPROM, so it can be erased or set, and they claim that it will only get cleared once you do a bulk erase of the chip. It's not always the case, so be careful, you know. Sometimes you can start the erase, kill the power, and it erases the lock bit first and then does the bulk erase, instead of the other way. So you can see, like, this was before I learned how to use Photoshop, so my lines aren't straight, got little dots on it, because it's just too hard to keep it straight. Where there's a will, there's a way. So pull out the book and dig, and you figure out what shift does and things like this. But they made one mistake on this design: UV set the fuse. So ultraviolet light, after 45 minutes to an hour, set an unlocked part to a locked state. So guess what I did? I opened about 10 of these things and put nail polish masks down all over. Here we go again with the nail polish from the video. Nail polish blocks UV and HF. HF, though, for the record, it will only block it for about 30 to 45 seconds, and it starts to kind of, you know, make it moist enough to kind of saturate through and get down, but you're going to rinse in 15. Okay, so you follow it down to here. It comes from metal 2, it goes down to metal 1, and then it goes across, and you can barely see what's underneath here. This is not a planarized
die, which means they didn't polish it smooth at all, so you can see the under layers. So you can see the ripples of where wires are underneath, like you can kind of see tracks in these pictures going up and down versus across as well. So the fuse was buried under here, and a lot of work and effort showed me that this line right here was the magic line to make it unlock itself. You guys using AVRs and 89 series Atmels, they're very secure against UV light attacks, because they actually set their fuse under UV instead of clearing the fuse. Whereas, like, a Cypress USB controller, does anybody use Cypress? The 63, I don't know what they are, but they're like the most popular USB controllers for dongles, security dongles. Aladdin eToken Pro uses a combination of a smart card chip and one of those controllers. Not sure what you'd find in something like this, but some of these dongles just have that with an E-squared. It's very insecure: UV light, nail polish, UV light, you got the code out in 5 minutes.

Okay, so let's go do some needles. I was going to get into this, but there's no way in heck we'll ever get into this. I talked about it at Black Hat, if you guys were there, but this is Thomson 16 CF54, and this had a mesh over the top of it. It was a very old school mesh, but again, the principles they applied today like they did yesterday. So here's the remainder of the mesh after I hit it with HF with a mask, and it was right in the middle of the chip, and you can see, I mean, it's just beautiful. It's a one metal layer with poly, and this is just like a test with a laser, and then there's your 8 tracks, and it's either 0 to 7 or 7 to 0, I don't remember which way it went.

So here's a good question. Here's some microcode. You've got, again, you've got these ROM tables. Let me open that. I've got a different picture here to show you, actually. What do you do if the data bus isn't exposed in the bottom layer? It's always exposed somewhere. The way it's exposed, or is it routed correctly together, is the question, but it's
always going to be exposed coming out of the memory. For example, here, I'll go to a newer chip. This is kind of an older device, and if we go to something newer, let's see what we have here. This is what you'll deal with a lot today: this is an active mesh on a 66P, so it's four conductors. You can see them where they come in and out of the bottom of the chip to check security; it's basically like four circuits that come in and out. The problem with Infineon's design is the in and the out are not even 50 micrometers away from each other, so to get through this beautiful 220-nanometer substrate to get underneath this, I just need a focused ion beam workstation and to do four... eight cuts, basically: open the in and the out and deposit metal across the two to short them together.

There's no chip to date that I've seen that has ever had any type of analog meshing, where, with an analog mesh, I'd have to open it, cut it, measure what I'm about to patch around, and then lay a certain resistance in metal deposit. I prefer to deposit with tungsten, but some prefer platinum. So it's pretty easy to do that. I use a focused ion beam workstation, so it's like a 5-nanometer-precision ion beam that fires down onto your chip. I might have some pictures of what I've done with it on here. It can basically mill, or it can deposit. You can deposit silicon dioxide, you know, like an insulator, or you can deposit metal, and the metal tends to be tungsten or platinum, and basically any FIB can do either; it's just a temperature change, and you tell the system platinum or tungsten is inside. But then you want to eat holes too, but the FIB won't eat through this mesh as nicely as wet chemicals will, because you'll get uneven etching: you'll get where the FIB will leave the metal tracks, but all the oxide's been removed, and it's a big problem, and that's the reason that there's actually probably a space between the lines. But wet chemicals is a whole different ballgame, so you can mix wet chemicals from
the Wired video with those techniques, with the FIBbing techniques. So maybe I don't know where the data bus was; I think you asked that. It's not always in order, but here we are in the core of a 66P. This thing's still produced today; I mean, it's the flagship 8-bit 8051 processor they're producing. Does anybody here work for Infineon, or did I ask that? Does anybody work for any of these major chip companies? What's that? I'll get to you in one second.

Okay, so Xilinx is the same way. Xilinx is actually a reverse... kind of almost like a reverse-Polish-notation calculator. Altera set their lock bits with UV; you guys clear them. It's bad, bad, bad, no, no. So in your case, all I need to do is mask where the bitstream's been stored in, say, an XC95, you know, CPLD, or a CoolRunner. I haven't spent much time on them, but I have some images of them. I need a reason. When I was in NDS, I didn't care; I had all the time in the world to do this kind of stuff. But now I kind of have to take jobs that companies come to me with and say, hey, we want to know how strong is this chip really, because the vendor is always going to tell you how strong it is, so to speak, and the datasheet's going to tell you, like, obscured busing and all this. Like the 66 right here, 7... now, if you can get to this area, good luck, because you do need a FIB. So you need a FIB to do the bridge over the mesh, and it needs to remain; you need to then use wet chemicals to open up, and then there's another ground plane over this area, so you've got to kind of FIB twice. But once you're through and you've prepped all this, you're good to go. It's only running at about 10 megahertz, and if you drop VDD down to under, like, 3.3 volts versus 5 volts, the chips all tend to slow down a little bit, because propagation delays grow as the voltage level drops. So let's see, we'll go to the Xilinx. And I'd better get rolling here; you guys are going to miss the parties. No? Okay, I don't know where the parties are; my wife and I are wondering, so if you guys know, that'd be great. Where?
How do I get in? Okay, cool, I'll bring the probe station. So basically... I don't know, anybody work for HP? Thanks. I actually don't have the Xilinx with me; I have it with me, but it's in my room, it's on that other drive. I ran out of space, as I was saying. So basically, let's go back to the task at hand here and let's get rocking. Yeah, exactly, the guy says let's probe something.

There's a whole area in here. I'm going to keep it up on the screen; actually, I can't keep it up on the screen. I'm going to do my best to keep it on the screen. So here's what we're looking at. This is all we care about on this chip; we care about this area. I'm going to rotate it. This is how it's going to look for us under the microscope. So basically, this is data bus bit 0, this is data bus bit 1, 2, 3, 4, 5, 6, and 7. So we'll sample each of these lines for, say, 32,000 clock samples, see what was on the bus and stuff. You're going to get basically the same log file that I had showed you earlier; then we can look at that. Actually, that'll be a different log file, because we're going to go into that non-ISO reset mode instead of normal power-up. So after we do that, I'll show you the location that we're going to squash. I'll show you how Brooke Hill and I timed it earlier up in my room. We'll basically repeat those steps over again, and then you can kind of be in my world of how I would do it. But again, this is just kind of proof of concept for you, because it's not that useful, because it's only 256 bytes, 100 hex.

All right, so the FPGA board that was asked about before: basically, today I wrote, like, a RISC processor into it that does only 8-bit fetches, and it's because of the way I like to write little scripts. It's a pain to kind of stuff 36 or 32 bits across. The new one that I came out with, that I can't agree on the instructions for, is very long instruction word, 36-bit fetch, using a synchronous static RAM. But again, the problem is I don't like the way... like, here I say, like, I can say, like, on one line "buff", I'm filling a buffer, and
then I just ship it down to the board, and then the board begins executing at 24 megahertz, each line, so to speak, and doing certain things. I can tell it what clocks; I can tell it, you know, divide the clock by whatever. Our clock here is 24 megahertz; divide it by 8, that's typically what I do, run the smart card nice and slow. They all accept 3 megahertz. If it's running on its own internal clock, that really doesn't do anything for me except to talk to it; that's the only thing. I'm going to have to pluck their clock out. I can tell the board, though, take their clock from a needle and run on that clock instead, and so, externally clocked basically, I can also tell it which edge to clock the data in on, positive or negative edge of that clock signal coming in. I had thought to try to run it through a PLL, but then I realized some of these chips, like the Infineon 66, run an asymmetric clock cycle, so it's like 100 nanoseconds and 200 nanoseconds, hypothetically; it's not 100 and 100, a nice square wave. So the PLL goes crazy and doesn't come out with the right multiplied frequency.

So we can also tell it, if it is running on our clock, such as the chip will work on, we can tell it, I want to be on... for example, I can oversample if I want to, but there's no reason to, so we're just going to take one sample per clock cycle. There's no reason to take two per clock cycle, because I only have, I think, on the inside of the Xilinx 256,000 by 2 bits wide of memory space; it's an 812 extended memory. So we can tell it take a sample, and where in that window we want it to be, in an eighth. So we can tell it, when the clock fires, wait two eighths and then sample, or wait one eighth and then sample, or wait eight eighths, but I don't know why you'd wait that long; that's honestly not going to work. So it's pretty, pretty wild what you can do with the board, and I'm always adding things to it. So now what I've done is I've frozen the design. It's frozen; it was done in Leonardo Spectrum in Verilog, and it's just... I
write in Precision Synthesis in Verilog now instead, so I don't even want to mess with the design to convert it or anything. I just want to leave it frozen and just get the new one working, but it's a lot, it's a lot of time.

So does anybody read my blog, the FlyLogic blog? Yeah, Karsten Nohl is going to start writing for it before me, to help me out. I have no time to write, guys. I have a 4004 that I need to post, the Intel 4004. MIT told me that they're the highest-resolution pictures they've ever seen of the 4004. It's 1971, November, I think, it came out, and that's the thing: the mask set back then, the quality that the image looks like, is ancient, you know. So the optical resolution at 200x mag that I did on it is just phenomenal; it really lights up, and there's the poly layer and there's the metal layer. I think it's NMOS, or it might be PMOS, I forget. It's fun, though, to trace out the circuitry, so that'll get posted soon. And I'm always answering emails; just the blog is kind of the last thing I can do, you know; that means I'm busy.

So this script is, like, basically, you know, turn off the overdriver. If we are going to run the overdrive... I have two overdrive circuits here versus eight on the new one; let's just drop talking about the new one, then we'll focus on this one. So we have two overdrivers that we can do. We only have one needle right now, though; I have a second, but it doesn't want to stay down, so we're going to work with one. We have limited space on this little thing, and it's really flimsy, and it's going to be a challenge to put the needle down, because everything's moving and this is fixed. The base is fixed, and normally you can move the base. Normally I'll kind of nudge a needle into position; I'll get it right around it, and I'll kind of nudge a little bit on the base with the micropositioner, and it goes in, and here we can't. So it's going to be a challenge, but I've done it, and you guys are going to do it. Um, so we'll be glitching low
when we do finally glitch. This is some stuff: I have a FIFO in here that can receive data and store it and just hold it in a FIFO, where I can block-read the bytes in, to stay in a precise sync timing if I need to. The board can, if you were randomizing your software and I don't feel like figuring out where the call was or how it works, or I can't destroy the call, what I can do is I can take a sample, and then I can take two needles and bring them both in, and I can say, I want you to sample up to 64 bits; like a logic analyzer, basically, don't start sampling until the 64th transition of the pattern I just gave you comes in. And so now your randomizer just went down the tubes, because eventually I'm going to pick up a location that is out after it, and so, you know, it's going to... my word's going to wait until it sees the pattern, and its depth is up to 64 bits.

So basically, they're just little commands that we write, little nano-commands, you know: do this, do that. I make the IO pull up, turn on the receiver FIFO, do a delay, fire the... and then this is the kicker right here: it's going to be to fire the overdrive line to basically drive that zero. So earlier, before we let the chip come out of reset, we prepared it to say drive a low. So this instruction put a low on our little yellow line that I talked about earlier, so we're ready to drive, and when we do drive, it'll be a low signal, a low pulse. Sometimes you do do multiple glitches, though; so I mean, I didn't have to do that, it's just convenient to kind of lay it in up in the front. So basically, we're going to fire the overdrive; we're going to leave the overdrive on momentarily for about 10 clock cycles. This is a 24-bit delay that I wrote into the logic, so it sees this little command and then it takes three values, three operand values. It's another reason why 36 bits would make it a better execution than fetching four bytes or three bytes. So we hold the overdrive on after a
specific clock cycle count. We hold it on, and we do this small 24... so that's 10 times 24 megahertz, whatever the reciprocal of it is in timing, the delay. Well, basically, so we're going to momentarily overdrive that signal down to ground, which is going to squash the decrement-jump-if-not-zero of R3. But what it's going to squash is the one coming out on the bus, to become a zero. And so basically what this instruction says in logic is: decrement the value; if it's not zero, stay in the loop, branch relative. So we don't want to kill anything else; we just want to kill that one coming out. But we remember the one coming out, forced as a zero, means it goes into the ALU as a zero. Now it then underflows and becomes an FF, because there's only eight bits. If we're too long, it would become, like, FE; it would come out as an FE, because we'd still be driving low. So we're only going to drive for 10 times the reciprocal of 24 megahertz, whatever that is in nanoseconds; it's going to be like 60, maybe 60... now, what's 50 is 20... you guys can figure it out; I use the calculator too much. So we turn it off, and we just kind of wait some time, because now we need to wait time to let the core fetch the remainder of these bytes that are going to come in. So one glitch will destroy this loop, and the loop will remain in the loop for another 255 clock repetitions. And then this just says turn off the little sniffers that are sampling on whatever I previously told it to sample. So there's a whole bunch of parallel blocks of logic in here that are doing different tasks, and that's about it. But that's only one part of this program.

But I have to take the mag off, because I can't see, so I have to undo what Brooke and I did in the room earlier, or it's going to just glitch the card right away when we want to actually just sample the card at first. So I'm going to comment it out for us. I'm going to put the mic down, though, guys. So basically, we want to get... honestly, I'm going to comment more than this out. A
bunch of this is basically... we just basically want to power up the chip and let it run and just listen. One more second; this should be good. So basically, when this flow of code hits this sniff-off statement, it'll turn off the sniffer, because if it sniffs too much, it's going to wrap around and it's going to overwrite samples I originally took from the beginning. So we'll delay some clock period of time, some value I pick; it's like 1A hex cycles, 1A thousand hex cycles we'll delay, and that's just enough to get the entire reset out of the chip.

I do, I do, but the pump is starting to seize up on me today. So can everybody hear me off the mic? So the pump started to seize up on me today. I'm going to... actually, don't laugh at this, but this is why we're working on such a big chip too, because you guys can put the needles down, and the pump's going out. It's the one thing I should have brought two of that I didn't; it's the only thing I didn't bring two of. And since the pump's going out, I'm going to electrical-tape the positioner in place after it's vacuumed down. I mean, this is just crazy; you shouldn't be able to do this, but you can, you know, and so because we can, you guys can play too. So that's the whole point here.

I know, I mean, I can use it still if it didn't get bent; it's either bent or it's not, you know. Okay, awesome, awesome. Sometimes I burn through these things so fast, and I'm like, $5, $5. So, well, that's the thing: if it's the Picoprobe, I have Picoprobe 12C's, and I have a ton of needles formed and stuff, and they're good, but you have to... you're loading on them and stuff, and it's unique per device typically, and the needles are too expensive. I mean, they really are. I don't know what they are now, but these needles used to be like $3.50, and then when I called and ordered like 100 needles a year ago, she was like, it's been like four years since they've been, you know, $3.50, and I was like, well, I need to be making needles and not be doing this, you know, cracking chips.

Okay, so we're going to work on
this chip, the silent chip, wherever they went. So this chip is in here, and if we take a razor blade, which we could, but it's buried under there, and we cut out this area, you could actually see it underneath the, you know, the card without popping the module out, or you just pop the module out, whatever. So basically I throw it into fuming nitric, let it be completely etched. I'm afraid to pass it around, because it's got five little bond wires that, if they get broken off, we won't be able to play. But you'll see it when you look at it through the microscope objective. So I'm going to kind of set this up, and if anybody has questions, please ask.

This whole station is basically a velcro setup. This is something Bunnie Huang and I built for ToorCon 9 last year. If you guys ever go to ToorCon, we'll probably do something like this again; it's a lot of fun, you know, everybody can get some time to play and have the whole day to do it. Absolutely, we actually did. We did a two-part lecture, kind of hands-on, on the Infineon SLE4442, which is the Kinko's... anybody know the Kinko's? Yeah, it's that processor. That's actually not why we did it, though; we did it just because it was a fun old chip that I didn't care about, and I thought it'd be a good experience. It was fun, it's actually a lot of fun. So this year we'll do something better, maybe more logic, you know, and stuff. Principles, like first principles, and then we got into second principles, which is more the way I work. I rarely study logic unless I have to, but if I have to, that's not a problem; it just takes me time. I don't live in a world of poly and metal and "what doping are they," but it's not that hard to figure out where the P-FETs are and where the N-FETs are, and when you do figure it out, that whole row is going to be P's and that whole row is going to be N's.

You ever do any work with SLE? I've torn everything apart, and it's, you know, I mean, just to see what it is, how it... you know, is it really that secure? The chance to float any of the Cavium Networks
chips? Never seen them. Not now, but it's a larger scale than what I would mess with. The SLE4428? Oh no, what is it, what is it exactly? It's a conu; it's 4442, it's different. This is a 4428, telephone conu. Oh, I've seen it, I've seen it. I've also seen the ST; it's also used a lot on larger... so it's basically the same family memory as this one. I thought you said the 28, which is what this is. So this is a 28, and the 28 I couldn't get the whole thing to stitch. Stitching these chips, when it's repetitive memory areas and things like this, it's hard, because there are always many, many pictures wide. This is another old chip, though, from them and stuff, but this is a... see, that's not the part number. What I'm highlighting with the mouse, N1265 blah blah blah, that's really a 4428; that's what it is. So you have to build a library up. 4442 is maybe close to what you're talking about. 4442 was the one with FedEx Kinko's, yes, and then now they have a 55 series. I've seen that one. No, I don't know; I'll have to look this up. I'll take a look at it, but it's going to be something like this. If it's a 44 series, it's this era of technology. I believe this was NMOS, and again, look at all these test pads here. It's secure; this is some secure memory. If they can't inject, if they can't be between the machine and the card when the password's sent, they won't get the password, because you have three tries. But what if I sit on the data bus? Guess what I see: I see the password come right out. You brought up a good point too. I can show you the 4442 run... I think... no, I can't. I thought I could. Yes, I can simulate it in my lab, because I know where the logic is, the MUX, what throws the MUX, the PSC, or not the PSC... the PSC is the PIN code or something; they call it a PSC in the 4442, the 55, 5542, but really not much changed here. What's that? I know, I'm trying. No more questions. 5542, like here's the busing too, like 0, 2, 4, 6, and then there it is again. I'm leaving little comments about the bus, and you can see the plugs. This is a very old chip,
but these chips are great to learn on. And this duck actually controls if it lets you read back the password or not; it's so weird, the duck's pointing at the secrets. If you take this test pad and you drive it low, it's either this test pad or this test pad, and you can see it: if you know the PSC and you write it in, on one of those two signals the line goes low when it's finally been given valid. So if that line is low, it lets you read out the PSC; if the line is high, it throws a MUX, and the MUX says set a zero instead. Well, no, it's not encrypted. Just like Strom Carlson did: you sniff the traffic, and the average Joe just sniffs the traffic and he knows the password. The company that makes Kinko's smart cards randomizes the password, and you can tell it how to generate what the password is, so they run it through some type of hash, and the result is what the password would be, so now you've got to steal the machine. But this is their latest stuff, and if you read about this, they're telling you stuff like "highly secure 1.2-micron CMOS process," and I'm thinking 1.2 micron, that's a 1200-nanometer process; now you went up instead of down. But I mean, honestly, I talk about these chips and I make jokes about them; I love to work on Infineon, Thomson, Dallas, Maxim, Microchip, Atmel, AVR. I love all these chips, and I mean, it's the reason I have all the libraries of them. The ones I can't stand are like Renesas, all these weird architectural ones that are large, and I don't know, I just get more thrilled from these guys. SiLabs: it's a TSMC production, one of the other brands I was thinking to mention earlier. Which SiLabs? You want to check this?
No, no, which SiLabs chip? So SiLabs... I thought I had... see, this is my bad image directory; it's not up to date, because I ran out of space. But SiLabs, I have a whole ton of SiLabs parts done. It's the same thing: it's basically do a bulk erase, but don't let the bulk erase happen, and the register bits get cleared, because they assume it happened when it really didn't, and you read memory out. Or you can do an address bus attack; we talked about that earlier. That's another reason that I didn't think of to do an address bus attack: you know, if they fetch from the very last address in memory, they read that byte out, and then bits of that byte represent "I'm locked" or "I'm unlocked," etc. It's a bad way to implement security, because, A, I know how to make that flash return FFs. So if you're doing a password... oh, it's a 32-byte password, you know, I don't know how many bits that would be, but you know, they give you these large bit numbers and they tell you this and that. 8-byte password on Freescale JB8, JB16, JB12, that's great; so I short this one track down to ground and I get zeros for the password; short another track down to ground, I get FFs for the password. And you can do your own tests on this, because you can take a part that you bought from DigiKey and you can open it up and you can load it and just run the memory and play around and just induce a fault into the memory and see what's the result: I grounded this line out momentarily, or I shorted it, or I forced it high. As long as it's not like a direct VCC or ground connection, you're fine; anything else, you'll probably blow your driver, or, you know, if it's a VCC or ground, you'll probably blow your driver out, and you can tell, because you won't see any waveforms anymore, or you may see noise, but it won't work; it won't give you any type of toggling.

Everything you're saying really begs the question: in your opinion, what is the best security for this?
To talk to somebody like myself that takes them all apart. I mean, no, that's honestly my business model: to work with companies to help them make sure that they're strong. Well, I mean, security is layered; it's not going to come overnight, and so Infineon learns, and that's always going to happen, obviously. But a lot of these companies making the chips are very arrogant, and they believe that they know what's best, and that's not true, because if it was, then you wouldn't see revisions of the die come out, marked or unmarked, and I wouldn't get into the next one. Things like this happen: they design the chip, but they don't really... they know what they did, and the blinders come on, and they're not in a black box to reverse engineer it. And it's ironic that you say that you've done an analysis for some of these big companies. I give them... I don't tell them what to do; I give them suggested solutions of what to do, what I would recommend maybe trying to do, but don't tell me what you did, and then my hope is that you'll then implement your own way of doing things and send it back to me and say, analyze it now. And it's difficult for me, because they tend to say, we're going to take this and do it over on every chip now; this will become the baseline, and, you know, thanks FlyLogic, you got 12,000 or 15,000, that's not far... secure now. So that part of my business model is kind of broken. But they're so stingy; they don't care otherwise. I'm trying to find that win-win here, to help, best to help everybody. But anyway, then they'll come and say sabotage or something, so we don't want to do that. But I mean, that's partially the blog too. The blog is like a teaser, but the blog kind of shows them that I'm not Joe Blow off the street; I really do tear your chips apart, I know what they're doing, and I know how to unlock these chips and stuff like this, and I think, I do believe, it's helped. And I mean, today I'm working with a lot of the major companies of microcontrollers. I would love to work
with Infineon or ST, these guys. I don't know. I know Infineon knows what I'm doing, though, because they're scared, and I heard through the grapevine. So okay, let's keep going here.

So I've got the chip mounted down here; it's mounted in the socket. Everybody can see it, and if you can't see it, you'll see it shortly, because you can come up and look through the eyepieces and stuff. Thank you. So I don't know, it's going to get hot... I don't know, it's cool now; you may feel like you're in an expedition, give it five minutes. So basically you can come up and look through it. That's a de-packaged chip. And what do you use to get to... what tool is our machine going to use to do that? There is a machine to do that. Thank you. I removed it. I told you guys we have it all night. All right, let's see.

So basically, I use a K&S wire bonder; it's a 4524, and this is basically what the machine looks like. Look at this machine: you have this little mouse over here, and I run one mil. Most of the guys that do failure analysis at this type of a level, because really that's what I'm doing, I'm doing security risk analysis, it falls into kind of the subcategory of failure analysis, they'll use like a one-mil wire. Anything smaller than one mil, like the chip really used 0.7, is really hard for the average person, and the wire is not very strong, because we need it floating in the air; we don't really have the epoxy shell to hold it in place. And so one mil is the better wire for a person like us to use. So basically, the machine has this little needle; it's got the little mouse right here, and the average person is going to leave it in manual Z mode and not semi-auto. Semi-auto is another mode it can be in, where you know how much force to put down and the time, and you're going to bond 50 of the same package. So you know, if I was going to do 50 of these, I'd put it in semi-auto, and it kind of helps automate the process. But when I do a onesie-twosie or five of them, I leave it in manual Z, and basically, I manually... the more I push
this little black button on the mouse right here, this little black button, the more I push it, the lower this little needle goes down, the white thing that you can kind of not see. So that's called the capillary, and so the capillary is a needle that's hollow in the middle, and the gold wire comes... I think I have another photo where you can see it; you can see the capillary kind of there. So the wire is coming down through here; it's got solenoids and such, ultrasonic solenoids, keeping the tension proper, and then it goes right through the middle of this little white thing, and it uses high voltage to make the ball; it's a little ball on the bottom of it. So that's why it's called a ball bonder. So there's two types of bonders: there's wedge bonders and ball bonders. Wedge bonders are typically aluminum, and they don't need heat, although they can be heated, and a ball bonder always will be heated, although you don't really need that much heat. I keep it at, I think, 30 degrees Celsius; I may keep it at 50 degrees Celsius, because I use superglue to glue down, because the conductive epoxy I have to bake; it's a pain in the butt. Just like somebody said, why don't you use photoresist, the type that will wash away after I've hit it with UV, for making masks, instead of nail polish, because that works as well to block hydrofluoric and things. And I said because I have to cook it; it has to be baked on; it's a pain. It's easier to just take some nail polish, like a red color, drop the drop and spread it.

It makes a little ball, connects, and then you use the mouse to let go of the black button, and you move it over to the landing pad where you want to place it; you press it once more all the way, and then it comes down, and it automatically cuts it and makes a new ball with the high voltage, and the connection is done. The gold is nice, though; it's very convenient, because I can drop a ball, I can go A to B to C to D if I need it to. Sometimes, on like MSP430s, I take... does anybody use an MSP430?
So you blow the JTAG fuse on a lot of these. I just come over; if it's like a 2000 series, or a lot of the newer die revs from 2005 and on from TI, the JTAG fuse is visible from top metal, and the junction that they blew open, that they've created an open on, is actually on top metal. So point A needs to get to point B, but it's been severed. So point A is actually that test pin, for example, on some of these 20-pin... So I take my laser cutter and I blow a big hole on the B side, and then I come down with this wire bonder and I just slap a big ball right over that hole that I made, and then I take it right to pin 1, and so the JTAG fuse, without even putting a needle down, now it's just been repaired, permanently, forever. It's pretty... it's okay, right? No, no, no, in some cases. So, like, let's say you have a big VCC plane for your internal core voltage, and I want it for some reason, and believe it or not, I have in the past; they'll be at the same exact logic level with my drivers. I'll take one of your thick VCC planes and do the same thing: open a big hole; if it's not big enough, open several big holes, and then the more metal I expose, the better.

Oh no, we didn't even probe yet. Can we have one more hour? Can we have like 20 minutes? Oh crap. Can we take it to the skybox? Where is Joe Grand? Joe Grand wanted me to... or that's even easier, can everybody help take something? Joe Grand wanted to bring this up to the skybox, the hardware hacking thing or something. So, um, yeah, that'd be great if we could just take the table; that'd be actually excellent. Yellow hardware guy... wait, wait, no, no, no, no, the screen. Oh, you're... can we stay here? If you get a big clap, then we can do that. Yeah.
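The loop destruction the speaker walks through (drive the "1" coming out of R3 low on the final decrement-jump-if-not-zero so the ALU sees 0, underflows to FF and the loop runs another 255 times; hold the drive too long and the register ends up FE instead) can be checked on paper with a small model. The following is an added example written for this edited page; it is not the talk's FPGA script and not Infineon code. It assumes a hypothetical 8051-style loop of the form `MOVX A,@DPTR; INC DPTR; DJNZ R3,loop` over a 256-byte EEPROM, and it models each DJNZ as two internal bus phases (operand read into the ALU, result write-back to the register) so that a one-phase glitch and a two-phase glitch can be compared. Phase numbering, function names and the 24 MHz board clock used for the pulse-width helper are assumptions for illustration.

```python
"""Bus-glitch model of an 8051-style DJNZ read loop (added example, not the talk's code).

Model (assumption): each DJNZ moves R3 over the internal data bus twice, once
into the ALU (operand read) and once back into the register (result
write-back).  A needle driving a bus line low during a phase clears that bit
of whatever is on the bus in that phase.  The jump decision uses the ALU
result; the value stored back into R3 can differ if the write-back phase is
also being driven low.
"""

EEPROM_SIZE = 256          # 256-byte E2 like the 44-series part in the talk
PHASES_PER_ITER = 2        # phase 2*i: operand read, phase 2*i+1: write-back


def forced_low(value, phase, glitch):
    """Clear the glitched bit(s) of `value` if `phase` falls inside the glitch.

    glitch = (start_phase, length_in_phases, bit_mask) or None.
    """
    if glitch is None:
        return value
    start, length, mask = glitch
    if start <= phase < start + length:
        return value & ~mask & 0xFF
    return value


def djnz_read_loop(count, glitch=None, max_iters=4096):
    """Run  R3 = count;  loop: MOVX A,@DPTR; INC DPTR; DJNZ R3,loop.

    Returns (addresses_read, r3_after_each_djnz).  max_iters only guards
    against a model bug; a real glitch never makes the loop endless, it just
    makes R3 wrap through 8 bits.
    """
    r3 = count & 0xFF
    dptr = 0
    reads, r3_trace = [], []
    for it in range(max_iters):
        reads.append(dptr % EEPROM_SIZE)   # MOVX: address wraps inside the 256-byte array
        dptr += 1
        operand = forced_low(r3, PHASES_PER_ITER * it, glitch)       # R3 -> bus -> ALU
        result = (operand - 1) & 0xFF                                 # 8-bit decrement
        r3 = forced_low(result, PHASES_PER_ITER * it + 1, glitch)    # ALU -> bus -> R3
        r3_trace.append(r3)
        if result == 0:                                               # DJNZ falls through
            break
    return reads, r3_trace


def last_iteration_read_phase(count):
    """Bus phase in which R3 == 1 is read for the final DJNZ of a `count` loop.

    That is the one cycle the needle must hit: iteration count-1, read phase.
    """
    return PHASES_PER_ITER * (count - 1)


def pulse_width_ns(cycles, clock_hz):
    """Width of a glitch held for `cycles` board clocks (talk: 10 cycles at 24 MHz)."""
    return cycles / clock_hz * 1e9


if __name__ == "__main__":
    normal, _ = djnz_read_loop(16)
    print("no glitch: %d bytes read" % len(normal))

    hit = (last_iteration_read_phase(16), 1, 0x01)      # squash bit 0 of the final "1"
    spilled, trace = djnz_read_loop(16, glitch=hit)
    print("one-phase glitch: %d reads, %d distinct bytes, R3 after glitch = 0x%02X"
          % (len(spilled), len(set(spilled)), trace[15]))

    held = (last_iteration_read_phase(16), 2, 0x01)     # still driving during write-back
    spilled2, trace2 = djnz_read_loop(16, glitch=held)
    print("two-phase glitch: %d reads, R3 after glitch = 0x%02X"
          % (len(spilled2), trace2[15]))

    early = (PHASES_PER_ITER * 3, 1, 0x01)              # wrong cycle: R3 was 13, read as 12
    print("mistimed glitch: %d reads" % len(djnz_read_loop(16, glitch=early)[0]))
    print("10 cycles at 24 MHz = %.1f ns" % pulse_width_ns(10, 24e6))
```

The point the model makes is the one the talk makes about timing: the single useful cycle is the operand read of the last iteration, where a one-bit squash turns 1 into 0 and the decrement wraps to FF, after which the address pointer walks the whole 256-byte array; holding the drive into the write-back phase leaves FE in R3 instead, and a glitch on any earlier iteration only shortens or lengthens the count by one and reads nothing extra.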