What is MCU decryption? MCU decryption principle

Publisher: 平和思绪 | Latest update time: 2013-03-19 | Source: 21ic

MCU decryption is also called chip decryption, MCU cracking, chip cracking or IC decryption. Strictly speaking none of these names is precise, but they have become the customary terms, and by habit CPLD decryption and DSP decryption are lumped under "MCU decryption" as well.

Microcontrollers (MCUs) generally carry internal EEPROM or Flash in which the user stores the program and its working data. To prevent unauthorized reading or copying of that program, most MCUs provide encryption lock bits (or an encryption byte): once the lock bits are set during programming, the program can no longer be read out with an ordinary programmer. MCU decryption (chip decryption) is the process of defeating that lock. An attacker uses special-purpose or home-built equipment to exploit weaknesses or defects in the chip's design, and through a variety of technical means extracts key information from the chip and recovers the program stored in it. That is why engineers lock most MCUs after the program has been written: to stop others from illegally reading and copying (infringing) the firmware inside.

MCU decryption principle:

In its simplest form, MCU decryption means clearing the encryption lock bit without also clearing the program. Taking the AT89C series as an example:

The chip-erase sequence of the AT89C series microcontrollers is badly ordered: the encryption lock bits are erased before the on-chip program memory. The sequence is: erase start ----> hardware initialization of the erase operation (10 microseconds) ----> erase the encryption lock bits (50-200 microseconds) ----> erase the on-chip program memory (10 milliseconds) ----> erase end. So from roughly 60 to 210 microseconds after the erase starts the lock bits are already clear while the erase of program memory has not yet begun, and that erase itself needs about 10 milliseconds to complete. If the erase is monitored and the erase operation is terminated as soon as the lock bits have been cleared, the erase of the on-chip program memory is cut short: the locked microcontroller has become an unlocked one, and its program can be read out through the bus.

There are two encryption methods for the AT89C series that this attack cannot crack:

1. A method that permanently destroys the encryption lock bits of the microcontroller, referred to as OTP encryption mode.

2. A method that permanently destroys one line of the microcontroller's data bus, referred to as burn-bus encryption mode.

AT89C series MCU OTP encryption mode principle

This programming/encryption procedure burns out the encryption lock bit (the fuse structure inside the silicon die is physically destroyed) without damaging anything else, and it occupies no microcontroller resources. Once burned out, the lock bit can no longer be erased. The 89C51/52/55 have three lock bits, which further raises the reliability of the encryption. After OTP-mode encryption, neither the lock bits nor the contents of program memory can ever be erased again: the 89C51/52/55 then behaves like a one-time-programmable (OTP) microcontroller. If the user program is larger than the on-chip memory of the 89C51, OTP mode can still be used. The method is as follows:

1. Expand program memory with a large external ROM as usual, for example a 27C512 (64K).

2. Place the key parts of the program in its first 4K.

3. Write the entire program into the 27C512, then overwrite the first 4K of the 27C512 with 0.

4. Program the first 4K of the program into the AT89C51 and encrypt it in OTP mode.

5. Tie the MCU's EA pin high. The first 4K of the program then runs from the on-chip flash and the remaining 60K from the external ROM. A pirate can read the 27C512 but not the first 4K, and the remaining 60K is useless without it; this only holds if the routines the design depends on really sit in the on-chip 4K and no copy of them lands in the external ROM.
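As an added worked example (not code from the original article), the following Python script carries out steps 3 and 4 above for a constructed 8K program and adds the check a practitioner wants before relying on the split: that no copy of the protected 4K routine has ended up in the external image. It assumes an AT89C51 with 4K on-chip flash, a 27C512 external ROM, and a hypothetical key routine placed at 0100H; the firmware bytes are constructed for the example.

```python
# Added example, not code from the original article.  Assumptions: AT89C51
# on-chip flash is 4 KiB (0000H-0FFFH, fetched internally while EA is high),
# the external ROM is a 27C512 (64 KiB), and the key routine has already been
# linked below 1000H.  All firmware bytes below are constructed for the example.

INTERNAL_SIZE = 0x1000    # AT89C51 on-chip flash, 4 KiB
EXTERNAL_SIZE = 0x10000   # 27C512 EPROM, 64 KiB
NOP = 0x00                # 8051 NOP; the article fills the first 4K of the 27C512 with 0
ERASED = 0xFF             # unused EPROM cells are left erased

# Constructed "key routine": MOV A,#0A9H ; SWAP A ; MOV P1,A ; RET
KEY_ROUTINE = bytes([0x74, 0xA9, 0xC4, 0xF5, 0x90, 0x22])
KEY_ADDR = 0x0100         # hypothetical location inside the on-chip 4K, above the vectors


def build_sample_image(duplicate_key_externally: bool = False) -> bytes:
    """Constructed 8 KiB program: the reset vector jumps to code above 1000H,
    which calls the key routine living in the on-chip 4K.  With
    duplicate_key_externally=True a stray copy of the routine is also placed
    above 1000H, which is the mistake leaked_code() is meant to catch."""
    img = bytearray(0x2000)
    img[0x0000:0x0003] = bytes([0x02, 0x10, 0x00])               # LJMP 1000H
    img[KEY_ADDR:KEY_ADDR + len(KEY_ROUTINE)] = KEY_ROUTINE
    img[0x1000:0x1005] = bytes([0x12, 0x01, 0x00, 0x80, 0xFE])   # LCALL 0100H ; SJMP $
    if duplicate_key_externally:
        img[0x1100:0x1100 + len(KEY_ROUTINE)] = KEY_ROUTINE
    return bytes(img)


def split_firmware(full_image: bytes) -> tuple[bytes, bytes]:
    """Return (internal_image, external_image) following steps 3 and 4:
    the first 4K goes into the AT89C51 (to be OTP-locked), and the 27C512
    image carries the whole program with its first 4K zeroed."""
    if len(full_image) > EXTERNAL_SIZE:
        raise ValueError("program exceeds 27C512 capacity")
    padded = full_image.ljust(EXTERNAL_SIZE, bytes([ERASED]))
    internal = padded[:INTERNAL_SIZE]
    external = bytes([NOP]) * INTERNAL_SIZE + padded[INTERNAL_SIZE:]
    return internal, external


def leaked_code(internal: bytes, external: bytes, window: int = 8) -> bool:
    """True if any non-padding window of the protected 4K also occurs in the
    external part of the EPROM image (a linker that emits a library routine
    twice, for instance).  Such a copy would hand the pirate the key code."""
    external_part = external[INTERNAL_SIZE:]
    for i in range(len(internal) - window + 1):
        chunk = internal[i:i + window]
        if chunk.count(NOP) == window or chunk.count(ERASED) == window:
            continue                        # padding, not code
        if chunk in external_part:
            return True
    return False


if __name__ == "__main__":
    internal, external = split_firmware(build_sample_image())
    print(f"internal: {len(internal)} bytes, key routine at {KEY_ADDR:04X}H")
    print(f"external: {len(external)} bytes, first 4K zeroed: "
          f"{external[:INTERNAL_SIZE] == bytes(INTERNAL_SIZE)}")
    print("leak in clean split:", leaked_code(internal, external))
    bad_internal, bad_external = split_firmware(build_sample_image(duplicate_key_externally=True))
    print("leak with stray copy:", leaked_code(bad_internal, bad_external))
```

The external image is what goes to the EPROM programmer and the internal one to the AT89C51 before the lock bits are burned. The leaked_code() check is the part worth keeping in a build script: the scheme protects nothing if the linker also emits the key routine above 1000H, because that copy is read straight out of the 27C512.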

AT89C series MCU burn-bus encryption mode principle

Because the program code in the chip must ultimately come out over the data bus, permanently destroying one line of that bus means a decryptor cannot read correct program code even after erasing the lock bits. On the 89C1051/2051 the programming data bus is port P1, and burn-bus mode burns out P1.0 of the 89C2051. If the original program code is 02H, 01H, 00H, the read-out data is 03H, 01H, 00H: the lowest bit always reads as 1, so the code read out is obviously wrong. This mode is used to encrypt 89C1051/2051 microcontrollers. Its drawback is that it costs a microcontroller resource: P1.0 is no longer usable by the application, so the hardware designer must leave the P1.0 pin reserved when designing the system in order to apply burn-bus encryption later.



Copyright © 2005-2024 EEWORLD.com.cn, Inc. All rights reserved 京ICP证060456号 京ICP备10001474号-1 电信业务审批[2006]字第258号函 京公网安备 11010802033920号