The "attack" and "defense" of MCU decryption

Publisher: 自由漫步 | Latest update: 2016-11-14 | Source: ofweek | Keywords: MCU
  1 Introduction

  Microcontrollers generally have internal ROM/EEPROM/FLASH in which users store their programs. To prevent unauthorized access to or copying of that program, most microcontrollers provide encryption lock bits or encryption bytes that protect the program in the chip. If the lock bit is enabled (locked) during programming, the program cannot be read directly with an ordinary programmer. This is the so-called copy protection or lock function. In practice such protection is very fragile and easily defeated: with special or home-made equipment, an attacker can exploit loopholes or defects in the chip's design, together with a variety of technical means, to extract key information from the chip and recover the program. It is therefore essential for an electronic product design engineer to understand the current state of microcontroller attack technology, to know both yourself and the adversary, and to have a clear picture of the risks, so as to prevent a product that cost a great deal of money and effort to design from being counterfeited overnight.

  2 MCU attack technology

  At present, there are four main technologies for attacking MCUs, namely:

  (1) Software attack

  This technique usually works through the processor's communication interface and exploits security loopholes in the protocol, the encryption algorithm, or the implementation of those algorithms. A typical example of a successful software attack is the attack on the early ATMEL AT89C series of microcontrollers. The attacker took advantage of a loophole in the timing design of this series' erase operation: a self-written program halted the erase sequence after the encryption lock bit had been cleared but before the program memory was erased, turning a locked microcontroller into an unlocked one, after which a programmer could read out the program on the chip.

  (2) Electronic detection attack

  This technique monitors, with high time resolution, the analog characteristics of all of the processor's power supply and interface connections during normal operation, and also exploits its electromagnetic emissions. Because a microcontroller is an active electronic device, its power consumption changes as it executes different instructions. By measuring these variations with specialized electronic instruments and analyzing them with statistical methods, specific key information inside the microcontroller can be recovered.

  (3) Fault-generating technology

  This technique uses abnormal operating conditions to cause the processor to fail, which then provides additional access to conduct the attack. The most widely used fault-generating attack methods include voltage shock and clock shock. Low-voltage and high-voltage attacks can be used to disable protection circuits or force the processor to perform incorrect operations. Clock transient jumps may reset protection circuits without destroying protected information. Power and clock transient jumps can affect the decoding and execution of single instructions in some processors.

  (4) Probe technology

  This technique directly exposes the internal wiring of the chip, and then observes, manipulates and interferes with the microcontroller to achieve the purpose of the attack.

  For convenience, the above four techniques are divided into two categories. One is the invasive (physical) attack, which requires destroying the package and then, using semiconductor test equipment, microscopes and micropositioners, takes hours or even weeks in a specialized laboratory. All microprobe techniques are invasive attacks. The other three methods are non-invasive attacks: the attacked microcontroller is not physically damaged. In some cases non-invasive attacks are particularly dangerous, because the equipment they require can usually be built and upgraded by the attacker and is therefore very cheap. Most non-invasive attacks require the attacker to have good knowledge of the processor and its software. Invasive probe attacks, by contrast, require little initial knowledge, and a single set of similar techniques can usually be applied to a wide range of products. Attacks on microcontrollers therefore often start with invasive reverse engineering, and the experience accumulated there helps develop cheaper and faster non-invasive attack techniques.

  3 General process of an invasive attack

  The first step of an invasive attack is to remove the chip package. There are two ways to do this: the first is to dissolve the package completely and expose the metal connections; the second is to remove only the plastic over the silicon die. The first method requires the chip to be bonded to a test fixture and handled with a bonding station. The second requires not only knowledge and the necessary skills but also personal ingenuity and patience on the attacker's part, yet it is relatively easy to carry out.

  The plastic on the chip can be peeled off with a knife, and the epoxy resin around the die can be etched away with concentrated nitric acid. Hot concentrated nitric acid dissolves the package without affecting the die and its connections. This is generally done under very dry conditions, because the presence of water may corrode the exposed aluminum bond wires. The chip is then cleaned with acetone in an ultrasonic bath to remove residual nitric acid, rinsed with clean water to remove salts, and dried. If no ultrasonic bath is available, this step is generally skipped; the chip surface will be somewhat dirty, but this does not affect the UV-light operation on the chip.

  The last step is to find the location of the protection fuse and expose it to UV light. Generally a microscope with at least 100x magnification is used to trace the connection from the programming-voltage input pin to find the protection fuse. If no microscope is available, a simple search can be performed by exposing different parts of the chip to ultraviolet light and observing the results. During this operation, opaque paper should be used to cover the chip so that the program memory is not erased by the ultraviolet light. Exposing the protection fuse to ultraviolet light for 5 to 10 minutes destroys the protection bit. After that, the contents of the program memory can be read directly with a simple programmer.

  For microcontrollers that use a protective layer to protect the EEPROM cells, it is not feasible to use UV light to reset the protection circuit. For this type of microcontroller, microprobe technology is generally used to read the memory contents. After the chip package is opened, the data bus connecting the memory to the rest of the circuit can be easily found by placing the chip under a microscope.

  On some chips, the lock bit does not block access to the memory in programming mode. Exploiting this flaw, placing a probe on a data line allows the attacker to read the data carried on that line. Restarting the read process in programming mode and moving the probe to each of the other data lines in turn yields all of the information in program and data memory.

  Another possible attack method is to use a microscope and a laser cutter to find the protection fuse and then all of the signal lines connected to that part of the circuit. Because of a design flaw, cutting a particular signal line running from the protection fuse to the rest of the circuit disables the entire protection function. On some chips this line is routed far from the other lines, so a laser cutter can sever it completely without affecting adjacent lines. The contents of the program memory can then be read directly with a simple programmer.

  Although most common MCUs can protect their internal code by blowing a fuse, general-purpose low-end MCUs are not positioned as security products; they usually offer no targeted countermeasures and have a low security level. In addition, MCUs are used in a very wide range of applications and sold in large volumes, contract manufacturing and technology transfer between vendors are frequent, and a great deal of technical information has leaked. This makes it easier to exploit design loopholes in such chips and in the manufacturer's test interfaces, and to read out the internal program by invasive attacks or by non-invasive attacks such as modifying the fuse protection bit.

  4 Some suggestions for dealing with MCU cracking

  In theory, any MCU can be cracked by an attacker with enough investment and time using the methods above. When using an MCU for encryption, authentication or system design, the designer should therefore raise the attacker's cost and time as much as possible; this is a basic principle system designers should always keep in mind. In addition, the following points should be noted:

  (1) Before selecting an encryption chip, you should conduct a thorough investigation to understand the latest developments in MCU cracking technology, including which MCUs have been confirmed to be crackable. Try not to choose chips that have already been cracked or are of the same series or model.

  (2) Try not to use the MCS-51 series of microcontrollers, because this series is the most popular in China and has been studied most thoroughly.

  (3) The original creator of a product usually has a large production volume, so it can choose a relatively obscure and unpopular microcontroller, making the part harder for counterfeiters to obtain.

  (4) Choose microcontrollers that use new technology and a new architecture and have been on the market for a shorter time, such as the ATMEL AVR series.

  (5) If the design budget permits, choose smart-card chips with a hardware self-destruct function, which deal effectively with physical attacks.

  (6) If conditions permit, use two microcontrollers of different models that back each other up and verify each other, thereby increasing the cost of cracking.

  (7) Grind off the chip's part number and other markings, or remark it with a different part number, so that the disguise looks genuine. Of course, if you want to fundamentally prevent the microcontroller from being decrypted, the program from being pirated, and other infringements from occurring, you can only rely on legal means.
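As an added illustration of suggestion (6), and of the side-channel concern raised under electronic detection attacks in section 2, the following host-side Python model (example code, not from the original article) shows two chips that verify each other using a keyed hash over fresh challenges, so that a counterfeit that copies only one chip's firmware, or replays a captured bus exchange, is refused. The Mcu class, the role labels, the 32-byte pair key and the choice of HMAC-SHA256 are assumptions made for this illustration, not any vendor's scheme; on real hardware the key would sit in lock-bit-protected memory and the hash would come from the chip's own crypto library.

```python
"""Host-side model of two MCUs that authenticate each other (added example)."""
import hashlib
import hmac
import os

# Constructed sample key shared by the pair; a real product would provision a
# unique random key per unit and never ship a fixed value like this one.
PAIR_KEY = bytes(range(32))


class Mcu:
    """One chip of the pair. `role` is a domain-separation label, so a response
    captured in one direction cannot simply be reflected back in the other."""

    def __init__(self, role: bytes, pair_key: bytes):
        self.role = role
        self._key = pair_key        # would live in lock-bit-protected memory
        self._pending = None        # nonce of the challenge this chip last issued

    def issue_challenge(self) -> bytes:
        # A fresh random nonce per power-up means an old recording never matches.
        self._pending = os.urandom(16)
        return self._pending

    def answer(self, challenge: bytes) -> bytes:
        # Prove knowledge of the key without ever putting the key on the bus.
        return hmac.new(self._key, self.role + challenge, hashlib.sha256).digest()

    def check(self, peer_role: bytes, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, peer_role + self._pending,
                            hashlib.sha256).digest()
        self._pending = None        # one answer per challenge, no second tries
        # compare_digest takes the same time whichever byte differs, so a probe
        # watching power or timing learns nothing from the comparison itself.
        return hmac.compare_digest(expected, response)


def mutual_auth(main: Mcu, companion: Mcu) -> bool:
    """Run both directions; the product should refuse to start unless both pass."""
    c1 = main.issue_challenge()
    companion_ok = main.check(companion.role, companion.answer(c1))
    c2 = companion.issue_challenge()
    main_ok = companion.check(main.role, main.answer(c2))
    return companion_ok and main_ok


def demo() -> dict:
    """Exercise the protocol with a genuine pair, a counterfeit companion, and a replay."""
    main = Mcu(b"main", PAIR_KEY)
    companion = Mcu(b"companion", PAIR_KEY)
    counterfeit = Mcu(b"companion", bytes(32))   # copied firmware, wrong key

    results = {
        "genuine_pair": mutual_auth(main, companion),
        "counterfeit_companion": mutual_auth(main, counterfeit),
    }

    # Replay: a response recorded during one run is useless against a new nonce.
    recorded = companion.answer(main.issue_challenge())
    results["first_use"] = main.check(b"companion", recorded)
    main.issue_challenge()
    results["replayed"] = main.check(b"companion", recorded)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The point of the two role labels is that each chip signs a different message over the same nonce, so a clone cannot pass the main chip's check by feeding the main chip's own answer back to it; the point of clearing `_pending` after every check is that an attacker probing the bus gets exactly one guess per challenge.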
