Methods for cracking microcontroller programs
There are two main ways to extract the program from a microcontroller: invasive and non-invasive. The invasive method destroys the chip package and uses semiconductor test equipment, microscopes, micropositioners and other instruments to locate the protection fuse inside the chip and erase it, turning the device into an unprotected chip whose program can then be read out with a programmer. Alternatively, a probe is placed directly on the chip's internal bus to read the program out of memory. The non-invasive method exploits weaknesses in the chip design or in the chip programming timing to defeat the protection. For example, the early AT89C series chips had a weakness in the timing design of the erase operation: a custom-written program could stop the erase sequence after the encryption lock bit had been erased but before the program memory data was erased, so that the protected microcontroller looked unprotected and its program could be read out with an ordinary programmer.
Invasive methods therefore require expensive equipment, take a long time and are costly. The equipment needed for non-invasive methods is relatively cheap, and the protection can be defeated as soon as a weakness in the chip design is found, but the person doing it needs deep professional knowledge.
Figure 1: Confidentiality features of NEC 78K series microcontrollers.
Confidentiality design of NEC microcontrollers
In theory, no MCU program can be kept 100% confidential. Protecting the program only raises the cost of cracking it. Once cracking a product costs as much as designing an identical product independently, no one will be interested in cracking it.
In product design, adding peripheral hardware raises product cost, so the confidentiality of the product software usually rests mainly on the protection offered by the selected microcontroller. Choosing a microcontroller with good protection is therefore particularly important for raising the cost of cracking for plagiarists. NEC (NEC Electronics) has designed sufficient protection measures into its FLASH-type 78K series microcontrollers to ensure the security of the program code.
Apart from causes on the developer's side, the target file of a microcontroller program usually leaks in one of three ways:
1. The target file is stolen during programming in mass production.
2. A would-be copier obtains the product after it is on the market and extracts the target file from the microcontroller by invasive or non-invasive methods.
3. The application target file is stolen when the product is upgraded in the field with a BootLoader program through a serial port, CAN interface, etc.
Figure 2: Encryption settings for the production programmer.
Program confidentiality during mass production programming
The FL-G03 mass-production programmer, designed by a third party for NEC, can program 8 chips simultaneously. The development engineer encrypts the original HEX file with a 128-bit key and stores the key in the programmer, which uses it to decrypt the file during programming. The engineer can also set a limit on the number of chips the programmer may program, and then hands the programmer and the encrypted HEX file to the person who carries out the programming. Other personnel therefore never have access to the original HEX file, and only the set number of chips can be programmed.
Figure 3: Even if the security bit is destroyed, the program cannot be read.
Preventing invasive and non-invasive program theft
Invasive methods can turn a protected chip into an unprotected one, after which a programmer is used to read out the program. A probe can also be used to read the program from the chip's internal bus, but the cost of doing so is quite high. Non-invasive methods generally also need a programmer to read out the program in the end. NEC's 78K series microcontrollers have no PROGRAM READ function, so a programmer cannot be used to read out the program. (Note: when a programmer verifies a chip after programming, it does not read the program back for comparison. Instead, the programmer sends the data to the chip, the chip core compares it with the data in the storage area on its own, and only the comparison result is returned to the programmer.)
Figure 4: Field upgrade using encrypted target file
Program confidentiality during product field upgrades
If the MCU developer uses the BootLoader function, the MCU program can easily be upgraded through a serial port or other communication port after the product is sold. However, this also gives a would-be copier an opening, because the target file of the new application version may leak. The solution is for the designer to encrypt the application's target file with a custom algorithm and to place the decryption algorithm in the BootLoader program. During an upgrade, the BootLoader program decrypts the target file and then writes it to the target FLASH area, which prevents the original target file from leaking.
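The field-upgrade flow described above, which follows the same decrypt-inside-the-trusted-device idea as the production programmer's encrypted HEX file, shown as an added example that is not NEC's or the article's code. It goes one step beyond the text by authenticating the image before decrypting it, so a corrupted or modified file is rejected before FLASH is touched. Assumptions: XTEA in counter mode with a CBC-MAC stands in for the unspecified algorithm, and the keys, `app_flash`, `package_image` and `bootloader_update` are hypothetical names.

```c
#include <stdint.h>
#include <string.h>

#define APP_MAX 64u
static uint8_t app_flash[APP_MAX];   /* stands in for the application FLASH area */
/* Constructed 128-bit keys; in a product they exist only inside the BootLoader. */
static const uint32_t ENC_KEY[4] = {0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u};
static const uint32_t MAC_KEY[4] = {0x0f1e2d3cu, 0x4b5a6978u, 0x8796a5b4u, 0xc3d2e1f0u};
/* XTEA block encryption, 32 rounds: a published cipher standing in for the page's algorithm. */
static void xtea(uint32_t v[2], const uint32_t k[4]) {
    uint32_t sum = 0;
    for (int i = 0; i < 32; i++) {
        v[0] += (((v[1] << 4) ^ (v[1] >> 5)) + v[1]) ^ (sum + k[sum & 3]);
        sum += 0x9E3779B9u;
        v[1] += (((v[0] << 4) ^ (v[0] >> 5)) + v[0]) ^ (sum + k[(sum >> 11) & 3]);
    }
}
/* Counter mode: XOR buf with E(nonce, block index). The same call encrypts and decrypts. */
static void ctr_xor(uint8_t *buf, size_t n, uint32_t nonce) {
    uint32_t ks[2] = {0, 0};
    for (size_t i = 0; i < n; i++) {
        if (i % 8 == 0) { ks[0] = nonce; ks[1] = (uint32_t)(i / 8); xtea(ks, ENC_KEY); }
        buf[i] ^= (uint8_t)(ks[(i % 8) / 4] >> (8 * (i % 4)));
    }
}
/* CBC-MAC over the ciphertext; length and nonce form the first block (encrypt-then-MAC). */
static void image_mac(const uint8_t *d, size_t n, uint32_t nonce, uint32_t tag[2]) {
    tag[0] = (uint32_t)n; tag[1] = nonce;
    xtea(tag, MAC_KEY);
    for (size_t i = 0; i < n; i++) {
        tag[(i % 8) / 4] ^= (uint32_t)d[i] << (8 * (i % 4));
        if (i % 8 == 7 || i == n - 1) xtea(tag, MAC_KEY);
    }
}
/* Vendor side: encrypt the image in place and compute its tag. Use a fresh nonce per release. */
void package_image(uint8_t *img, size_t n, uint32_t nonce, uint32_t tag[2]) {
    ctr_xor(img, n, nonce);
    image_mac(img, n, nonce, tag);
}
/* BootLoader side: rx is the RAM receive buffer. Authenticate, decrypt, then write FLASH. */
int bootloader_update(uint8_t *rx, size_t n, uint32_t nonce, const uint32_t tag[2]) {
    uint32_t t[2];
    if (n == 0 || n > APP_MAX) return -1;
    image_mac(rx, n, nonce, t);
    if (((t[0] ^ tag[0]) | (t[1] ^ tag[1])) != 0) return -2;  /* reject before touching FLASH */
    ctr_xor(rx, n, nonce);
    memcpy(app_flash, rx, n);   /* a real BootLoader erases and programs FLASH blocks here */
    return 0;
}
```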
Preventing the chip program from being accidentally erased or rewritten
In addition to the measures described above to prevent the program from being leaked or cracked, the 78K series microcontrollers also take a number of measures to ensure that the program is not accidentally erased or rewritten. The following security settings can be applied to the FLASH through the programming software during programming:
1. Prohibit the chip erase operation.
2. Prohibit the block erase operation.
3. Prohibit the write operation.
4. Prohibit rewriting of the boot cluster 0 area.
These settings prevent the programmer from erasing and writing the chip, but the user program in the chip can still erase and write the FLASH area. Once the "prohibit chip erase operation" setting is applied, the program in the chip can no longer be erased and rewritten, and this setting cannot be cancelled.
The relationship between various security settings and operation commands is shown in Table 1.
Table 1: Relationship between various security settings and operation commands.
Conclusion
NEC's 78K series microcontrollers take measures from multiple aspects to enhance the confidentiality of microcontroller programs. In particular, the lack of a READ command and the inability to read program data out of the chip greatly increase the cost of cracking it, effectively protecting the designer's intellectual property rights.