Microcontrollers (single-chip microcomputers, SCMs) generally have internal ROM/EEPROM/Flash in which the user stores the program. To prevent unauthorized reading or copying of the internal program, most microcontrollers have encryption lock bits or encrypted bytes that protect the on-chip program. If the encryption lock bit is enabled (locked) during programming, the program in the microcontroller cannot be read directly with an ordinary programmer. This is called copy protection or locking. In practice, such protection measures are very fragile and can easily be cracked. SCM attackers use special or home-made devices to exploit flaws in the chip design or software defects, and through a variety of techniques extract key information from the chip and obtain the SCM's internal program. Therefore, as the design engineer of an electronic product, it is essential to understand the current state of single-chip microcomputer attack technology, so that you know both yourself and your adversary and can take effective countermeasures, rather than spending a great deal of money and time designing a product only to see it counterfeited overnight.

1. Microcontroller attack technology

Currently, there are four main techniques for attacking SCMs:

(1) Software Attack

This technique typically uses the processor's communication interfaces and exploits the protocols, the encryption algorithms, or security holes in those algorithms. A typical example of a successful software attack is the attack on early ATMEL AT89C series microcontrollers. The attacker exploited a flaw in the design of the series' erase operation sequence: after the encryption lock bits had been erased, the self-programming sequence was stopped before it erased the on-chip program memory data, turning the locked microcontroller into an unencrypted one, after which a programmer could be used to read the on-chip program.

(2) Electronic detection attack

This technique usually monitors the analog characteristics of all power and interface connections with high temporal resolution during normal operation of the processor, and carries out the attack by monitoring its electromagnetic radiation characteristics. Because the SCM is an active electronic device, its power consumption changes correspondingly as it executes different instructions. By analyzing and detecting these changes with special electronic measuring instruments and mathematical statistical methods, specific key information in the microcontroller can be obtained.

(3) Fault generation technology

This technique uses abnormal operating conditions to cause a processor error, which then provides additional access for the attack. The most widely used fault-generation methods are voltage glitches and clock glitches. Low-voltage and high-voltage attacks can be used to disable protection circuits or force the processor to perform erroneous operations. A clock transient may reset the protection circuit without destroying the protected information. Power and clock transients can affect the decoding and execution of individual instructions in some processors.
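As an added example (not code from the original article), here is a defensive pattern for the effect just described, a transient that corrupts a read or skips an instruction: a lock-bit check hardened with redundant reads, agreement checks and complementary encodings, beside the naive single-compare form, driven by a constructed simulation of a glitched read. The LOCK_* values, the function names and the simulation are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical lock-state encodings with a large Hamming distance, so a
 * single corrupted bit cannot turn LOCKED into UNLOCKED (0 and 1 could). */
#define LOCK_LOCKED   0xA5A5u
#define LOCK_UNLOCKED 0x5A5Au

typedef uint16_t (*lock_reader_fn)(void);   /* reads the lock fuse word */
/* Naive check: one compare, and "anything non-zero is locked". A transient
 * that forces a zero read or skips the branch fails open. */
bool naive_is_locked(uint16_t lock_word) {
    return lock_word != 0;
}

/* Hardened check: reads the fuse repeatedly, requires agreement, and treats
 * any unexpected value as locked (fail closed). Returns a LOCK_* value. */
uint16_t hardened_lock_state(lock_reader_fn read_lock, unsigned *fault_count) {
    uint16_t a = read_lock();
    uint16_t b = read_lock();
    if (a != b) { (*fault_count)++; return LOCK_LOCKED; } /* inconsistent reads */
    if (a == LOCK_UNLOCKED) {
        /* Confirm with an independent comparison (against the complement)
         * and a third read, so skipping one compare cannot flip the result. */
        if ((uint16_t)~a == LOCK_LOCKED && read_lock() == LOCK_UNLOCKED)
            return LOCK_UNLOCKED;
        (*fault_count)++;
        return LOCK_LOCKED;
    }
    if (a != LOCK_LOCKED) (*fault_count)++;   /* neither pattern: corrupted */
    return LOCK_LOCKED;
}

/* Constructed simulation of the fuse word and of a transient that makes one
 * particular read return zero; not real hardware behaviour. */
static uint16_t sim_fuse = LOCK_LOCKED;
static int sim_glitch_on_read = -1;   /* index of the read to corrupt, -1 = none */
static int sim_read_count = 0;
unsigned sim_faults = 0;              /* faults detected in the last scenario */

static uint16_t sim_read_lock(void) {
    int n = sim_read_count++;
    return (n == sim_glitch_on_read) ? 0x0000u : sim_fuse;
}
/* Runs the hardened check against the simulated fuse with an optional glitch. */
uint16_t run_scenario(uint16_t fuse, int glitch_on_read) {
    sim_fuse = fuse; sim_glitch_on_read = glitch_on_read; sim_read_count = 0; sim_faults = 0;
    return hardened_lock_state(sim_read_lock, &sim_faults);
}
```

The naive check reports a zeroed read as unlocked, while the hardened check reports it as locked and counts a fault, which firmware can use to trigger a lockout or reset.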

(4) Microprobing technology

This technique directly exposes the internal wiring of the chip, and then observes, manipulates, and interferes with the microcontroller to achieve the goal of the attack. For convenience, the above four attack techniques are classified into two types. One is the intrusive attack (physical attack). Such attacks require destroying the package and then using semiconductor test equipment, microscopes, and micropositioners in a specialized laboratory; they take hours or even weeks to complete. All microprobing techniques are intrusive. The other three methods are non-intrusive, and the attacked MCU is not physically damaged. In some situations, non-intrusive attacks are particularly dangerous, because the equipment they need can usually be built and upgraded by the attacker and is therefore very inexpensive.

Most non-intrusive attacks require the attacker to have good knowledge of the processor and of software. In contrast, intrusive probing attacks do not require much initial knowledge, and a set of similar techniques can often be applied to a wide range of products.

As a result, attacks on microcontrollers often begin with intrusive reverse engineering, and the experience gained helps develop cheaper and faster non-intrusive attack techniques.

2. The general process of intrusive attacks

The first step in an intrusive attack is to remove the chip package. There are two ways to do this. The first is to completely dissolve the chip package and expose the metal connections. The second is to remove only the plastic package above the silicon die. The first method requires that the chip be bonded to a test fixture and manipulated with a bonding station. The second method requires the attacker's knowledge and skills as well as personal ingenuity and patience, but it is relatively easy to carry out.

The plastic over the die can be peeled off with a knife, and the epoxy around the die can be etched away with concentrated nitric acid. Hot concentrated nitric acid dissolves the chip package without affecting the die and its wiring. This process is generally performed under very dry conditions, because the presence of water can corrode the exposed aluminum wire connections.

The chip is then washed with acetone in an ultrasonic bath to remove residual nitric acid, washed with clean water to remove salts, and dried. Without an ultrasonic bath, this step is generally skipped. In that case the surface of the chip may be a little dirty, but this does not affect the action of ultraviolet light on the chip. The last step is to find the location of the protection fuse and expose it to UV light. A microscope with a magnification of at least 100 times is generally used to trace the wiring from the programming voltage input pin in order to find the protection fuse. Without a microscope, a simple search is performed by exposing different parts of the chip to ultraviolet light and observing the results. Opaque paper is used to cover the chip during this operation so that the program memory is not erased by the ultraviolet light. Exposing the protection fuse to ultraviolet light for 5 to 10 minutes destroys the protection of the lock bit. After that, the program memory can be read directly with a simple programmer.

For microcontrollers that use a protective layer over the EEPROM cells, resetting the protection circuit with UV light is not feasible. For this type of microcontroller, microprobing is generally used to read the memory contents. After the chip package has been opened, placing the chip under the microscope makes it easy to find the data bus that connects the memory to the rest of the circuit.

On some chips, the lock bit does not block access to the memory in programming mode. Using this flaw, a probe placed on a data line can read out all the desired data. In programming mode, all the information in the program and data memory can be read by restarting the read process and connecting the probe to another data line.

Another possible attack is to search for the protection fuse with equipment such as a microscope and laser cutter, in order to find all the signal lines associated with this part of the circuit. Because of a design flaw, the entire protection function can be disabled by cutting a certain signal line running from the protection fuse to the rest of the circuit. On some chips this line runs far from the other lines, so a laser cutter can cut it completely without affecting adjacent lines. The contents of the program memory can then be read out directly with a simple programmer.

Although most common microcontrollers have fuse-based protection for the code they contain, general-purpose low-end microcontrollers are not designed for security products, so they often provide no targeted countermeasures and have a low security level. With the wide range of single-chip microcomputer applications, large sales volumes, frequent outsourcing of processing and technology transfer between manufacturers, and a large amount of leaked technical data, it has become easier to read a microcontroller's internal program by exploiting design flaws in the chip and the manufacturer's test interfaces, and by modifying the fuse protection bit with intrusive or non-intrusive attack methods.

3. Some suggestions for preventing SCM cracking

In theory, any single-chip microcomputer can be broken by an attacker with enough investment and time using the methods above. Therefore, when using a single-chip microcomputer for encryption, authentication, or system design, the attacker's cost and time should be increased as much as possible. This is the basic principle that system designers should always keep in mind. In addition, the following points should also be noted:

(1) Before selecting a cryptographic chip, fully investigate and understand the latest progress in MCU cracking technology, including which MCUs have been confirmed to be crackable. Try not to use chips that have been cracked, or chips of the same series and type.

(2) Try not to use MCS51 series microcontrollers, because this family has the widest market penetration domestically and has been studied most thoroughly.

(3) Products worth counterfeiting are generally produced in large volumes, so rarer, less popular microcontrollers can be used to increase the difficulty for counterfeiters.

(4) Choose microcontrollers with new technology, new architectures, and a short time on the market, such as the ATMEL AVR series.

(5) Where the design budget permits, choose a smart card chip with a hardware self-destruct function to deal effectively with physical attacks.

(6) If conditions permit, two different types of MCU can be used to back up and authenticate each other, increasing the cost of cracking.

(7) Grind off the chip's part number and other markings, or re-mark it with a different part number, to disguise it.

Of course, to fundamentally prevent the SCM from being decrypted, its program from being pirated, and other infringements, one can ultimately only rely on legal means.
