Searching \ for '[PIC:] Code protection, is it secure?' in subject line. ()
Make payments with PayPal - it's fast, free and secure! Help us get a faster server
FAQ page: www.piclist.com/techref/microchip/devices.htm?key=pic
Search entire site for: 'Code protection, is it secure?'.

Exact match. Not showing close matches.
PICList Thread
'[PIC:] Code protection, is it secure?'
2004\07\20@194336 by Ben Hencke

picon face
Hi all,
I am using a 12f629 with code protection. I have read and seen places
that advertise reverse engineering or "recovery" of secured devices.

I imagine this would be somewhat easy with a ROM mask type device, if
you could pull the top off, a good enough microscope could see the
ROM.

Is there a way to "read" flash based devices in a similar manner? How
practical would it be for them to connect probes and/or bypass the
protection curcuitry or maybe just unset the CP bit? Is an OTP any
different than a flash in this reguard?

I have even heard (on piclist archives) of special (read: expensive)
programmers that violate the chips in such a way that it could read
the code.

I don't want to do this, I just want to know if anyone knows if it is
possible and how easy or common a practice it is.

Thanks,
 Ben

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\07\20@195204 by Ryan Underwood

flavicon
face
part 1 406 bytes content-type:text/plain; charset=iso-8859-1 (decoded quoted-printable)


I found these to be extremely interesting papers on the subject:
http://www.cl.cam.ac.uk/~sps32/mcu_lock.html
http://www.cl.cam.ac.uk/~mgk25/tamper2.pdf

-- Ryan Underwood, <spam_OUTnemesisTakeThisOuTspamicequake.net>

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads




part 2 190 bytes content-type:application/pgp-signature; name="signature.asc" (decode)

2004\07\20@200034 by M. Adam Davis

flavicon
face
The short answer is:
Yes, it's possible to read the memory contents of any PIC.

The caveat being that it often requires large resources to do so.

I use a baseline for my protection:  If the product is not worth $5,000
to break, then the PIC protrection is good enough.  If it's worth $5,000
to someone to get my program then I may want to look at more robust
protection methods.  It may cost vastly more for various chips, and it
may be trivial for others - it's just a simple rule of thumb I use.

Except for cryptographic keys, there are very few programs you could
make for a PIC that could not be duplicated with non-invasive reverse
engineering by a knowledgable programmer.  Tell me what the device does,
and I can duplicate it without having seen the chip.  Chances are good
it'll cost you a lot less than $5,000, and it's not illegal (unless, for
instance, parts are patented and licenses not paid).

But these issues are not often discussed on the list, primarily because
most here have a vested interest in keeping any easy exploits from
entering common knowledge, and partly because you  can't know who to
trust and the list is archived so you can't say anything without it
becoming public knowledge.

Also, be aware that those who engage in code protect breaking know that
they can take your money and return nothing with little fear of
successful legal reprisal.

-Adam

Ben Hencke wrote:

{Quote hidden}

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\07\20@200658 by David VanHorn

flavicon
face
>
>
>Also, be aware that those who engage in code protect breaking know that
>they can take your money and return nothing with little fear of
>successful legal reprisal.

Then again, maybe they just employ starving elbonian students to reverse engineer it from the description, for peanuts.  How would YOU know the difference? :)

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\07\20@203209 by Mike Harrison

flavicon
face
On Tue, 20 Jul 2004 20:00:12 -0400, you wrote:

>The short answer is:
>Yes, it's possible to read the memory contents of any PIC.
>
>The caveat being that it often requires large resources to do so.
>
>I use a baseline for my protection:  If the product is not worth $5,000
>to break, then the PIC protrection is good enough.  If it's worth $5,000
>to someone to get my program then I may want to look at more robust
>protection methods.  It may cost vastly more for various chips, and it
>may be trivial for others - it's just a simple rule of thumb I use.
>
>Except for cryptographic keys, there are very few programs you could
>make for a PIC that could not be duplicated with non-invasive reverse
>engineering by a knowledgable programmer.  Tell me what the device does,
>and I can duplicate it without having seen the chip.  Chances are good
>it'll cost you a lot less than $5,000, and it's not illegal (unless, for
>instance, parts are patented and licenses not paid).

One not-too-uncommon example of the 'few' would be proprietory/clever algorithms which are not
obvious or easily deduceable from the overall functioning of a device, e.g. characterisation of some
physical process, maybe doing calibration, linearisation and temp compensation of a cheap sensor.

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

2004\07\21@002252 by Ben Hencke

picon face
Wow, I had no idea it would be that that easy. Thanks for the info,
although now half the list knows how to break CP by now!

At least the examples the 12c508 needed to be opened, I think I can
live with that. It looks like the flash parts are easier to circumvent
with just with a power glitch, so a special programmer does the trick
:-(

Anyone know a good patent lawyer? ;-)

- Ben


On Tue, 20 Jul 2004 18:52:46 -0500, Ryan Underwood
<.....nemesis-listsKILLspamspam@spam@icequake.net> wrote:
{Quote hidden}

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@002300 by Ben Hencke

picon face
I figured it is possible, but I was hoping for it to be more expensive
than $5k or a homemade programmer.

It is something I have been coding and recoding and optimizing and
reopimizing for 6 months now, so I would like to think it would cost
more than $5k to reverse-engineer. (I could be fooling myself on that
point, but its better than not trying).

Thanks all for the info.
 Ben



On Tue, 20 Jul 2004 20:00:12 -0400, M. Adam Davis <.....adampicKILLspamspam.....ubasics.com> wrote:
{Quote hidden}

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@021038 by Chetan Bhargava

picon face
Last year I read about the copy protection in one of the Dallas
appnote. Here is the appnote:

http://www.maxim-ic.com/appnotes.cfm/appnote_number/2033

Regards,

Chetan

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@031837 by Bob Axtell

face picon face
Come on, guys! All ya have to do, when you are satified that the code is
secure- is to break off the PGCK or PGSD pin.

--Bob

Ben Hencke wrote:

{Quote hidden}

--

Replier: Most attachments rejected
      --------------
        Bob Axtell
PIC Hardware & Firmware Dev
  http://beam.to/baxtell
      1-520-219-2363

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@033120 by Robert Rolf

picon face
Bob Axtell wrote:

> Come on, guys! All ya have to do, when you are satified that the code is
> secure- is to break off the PGCK or PGSD pin.
>
> --Bob

A dremel tool, 3 minutes and some conducting epoxy, and the
pin function is restored.

Given that the DTH satellite security system is repeatedly compromised,
I'd say PICs, and most secure parts, are pretty insecure.

R

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@042419 by Bob Axtell

face picon face
You're right. That was a truly awesome article...

Robert Rolf wrote:
{Quote hidden}

--

Replier: Most attachments rejected
      --------------
        Bob Axtell
PIC Hardware & Firmware Dev
  http://beam.to/baxtell
      1-520-219-2363

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@045154 by Philip Pemberton

face picon face
In message <40FDB20C.3050406spamspam_OUTubasics.com>
         "M. Adam Davis" <@spam@adampicKILLspamspamUBASICS.COM> wrote:

> I use a baseline for my protection:  If the product is not worth $5,000
> to break, then the PIC protrection is good enough.  If it's worth $5,000
> to someone to get my program then I may want to look at more robust
> protection methods.  It may cost vastly more for various chips, and it
> may be trivial for others - it's just a simple rule of thumb I use.
One of the tricks I heard was to blow out the bond wire going to RB6 or RB7.
You can get the part into program mode, but you can't get any data in or out.
A -12V pulse (i.e. GND = 12V, RB7 = 0V) should be enough to do that. Play
with the voltage, play with the polarity, have fun :)
After spending around an hour trying to get the chip to divulge its program
with various power glitches, the attacker would be forced to resort to
removing the IC encapsulation and microprobing the FLASH.

Later.
--
Phil.                              | Acorn Risc PC600 Mk3, SA202, 64MB, 6GB,
KILLspamphilpemKILLspamspamdsl.pipex.com              | ViewFinder, 10BaseT Ethernet, 2-slice,
http://www.philpem.dsl.pipex.com/  | 48xCD, ARCINv6c IDE, SCSI
Do not adjust your mind - it's a reality malfunction.

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@045815 by Jake Anderson

flavicon
face
hell microsofts custom made hard coded security key was hacked in fairly
short order.
by one guy (who happened to have access to a chem lab and an electron
microsope)

he read the key straight off the silicon in the chip.

> {Original Message removed}

2004\07\21@051305 by Jake Anderson

flavicon
face
in the X-Box "the most secure platform" btw sorry

{Quote hidden}

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@095430 by Philip Pemberton

face picon face
In message <MKENLEDCNAOEOEPHHDIGIEAMFJAA.grooveeeEraseMEspam.....optushome.com.au>>          Jake Anderson <EraseMEgrooveeespamOPTUSHOME.COM.AU> wrote:

> hell microsofts custom made hard coded security key was hacked in fairly
> short order.
> by one guy (who happened to have access to a chem lab and an electron
> microsope)
There was also the incident where NDS (big satellite TV crypto provider, they
make the cards for BSkyB UK among others) allegedly paid to have a bunch of
Canal+ SECA crypto cards reverse engineered to source code level then
released it on the Internet. I think the lawsuit is still working its way
through the courts. The file that caused all the trouble was - IIRC -
SECAROM.ZIP.
Canal were understandably peeved - they allege that the source code was on a
PC in a vault with no network connection. Or something like that, anyway.

Later.
--
Phil.                              | Acorn Risc PC600 Mk3, SA202, 64MB, 6GB,
RemoveMEphilpemEraseMEspamEraseMEdsl.pipex.com              | ViewFinder, 10BaseT Ethernet, 2-slice,
http://www.philpem.dsl.pipex.com/  | 48xCD, ARCINv6c IDE, SCSI
... Open mouth, insert foot, echo internationally.

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@114843 by Ben Hencke

picon face
> One of the tricks I heard was to blow out the bond wire going to RB6 or RB7.

Hmm! I think I can redesign and spare that pin too! Does anyone know
how far the damage would/could be? Would it get to the input schmit
buffer or just blow the bond wire? The bond wire could just be
replaced, the bond pad (please excuse the terminology) it probably one
of the easiest points on the chip to access once the cover is removed.

If it is possible to fry some of the programming interface circuitry,
I think that would make it a lot harder to get to.

Thanks, I will try this!
 Ben

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@115522 by Ben Hencke

picon face
I have heard a story (friend of a friend ;-) about hacking some
volatile ram board that had an exposed spaghetti supply wire suspended
in some kind of epoxy or silicon goo so that if anyone tryed to remove
the protective layer, they would short or break the supply. It was
hacked, but at least it took him a few months to do it.

- Ben

On Wed, 21 Jul 2004 14:55:00 +0100, Philip Pemberton
<RemoveMEphilpemspam_OUTspamKILLspamdsl.pipex.com> wrote:
{Quote hidden}

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@115523 by David VanHorn

flavicon
face
>
>If it is possible to fry some of the programming interface circuitry,
>I think that would make it a lot harder to get to.

Of course the trick is to do this without damaging the rest of the chip.
Good luck.

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@120259 by Mike Harrison

flavicon
face
On Wed, 21 Jul 2004 08:48:26 -0700, you wrote:

>> One of the tricks I heard was to blow out the bond wire going to RB6 or RB7.
>
>Hmm! I think I can redesign and spare that pin too! Does anyone know
>how far the damage would/could be? Would it get to the input schmit
>buffer or just blow the bond wire? The bond wire could just be
>replaced, the bond pad (please excuse the terminology) it probably one
>of the easiest points on the chip to access once the cover is removed.
>
>If it is possible to fry some of the programming interface circuitry,
>I think that would make it a lot harder to get to.
>
>Thanks, I will try this!
>  Ben

The trick is to blow the input protection diode, which will usually fail short

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@121713 by David VanHorn

flavicon
face
At 08:55 AM 7/21/2004 -0700, Ben Hencke wrote:

>I have heard a story (friend of a friend ;-) about hacking some
>volatile ram board that had an exposed spaghetti supply wire suspended
>in some kind of epoxy or silicon goo so that if anyone tryed to remove
>the protective layer, they would short or break the supply. It was
>hacked, but at least it took him a few months to do it.

I've built boards like that.
Discrete logic with the tops sanded off, powering through unused inputs, point-to-point wiring with wire-wrap wire, add pointless wires that don't do anything (input to input), add wires and mechanical tricks to make pulling on the wires (to see where they go) a very bad idea, and then glob the whole thing in RTV.

Not debuggable, or repairable. :)

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@130704 by Martin Klingensmith

face
flavicon
face
> I've built boards like that.
> Discrete logic with the tops sanded off, powering through unused inputs, point-to-point wiring with wire-wrap wire, add pointless wires that don't do anything (input to input), add wires and mechanical tricks to make pulling on the wires (to see where they go) a very bad idea, and then glob the whole thing in RTV.
>
> Not debuggable, or repairable. :)

I can't help but wonder what the point of that is?

--
--
Martin Klingensmith
http://infoarchive.net/
http://nnytech.net/

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@131533 by David VanHorn

flavicon
face
At 01:06 PM 7/21/2004 -0400, Martin Klingensmith wrote:

>>I've built boards like that.
>>Discrete logic with the tops sanded off, powering through unused inputs, point-to-point wiring with wire-wrap wire, add pointless wires that don't do anything (input to input), add wires and mechanical tricks to make pulling on the wires (to see where they go) a very bad idea, and then glob the whole thing in RTV.
>>
>>Not debuggable, or repairable. :)
>
>I can't help but wonder what the point of that is?

When handing boards to someone you suspect might try to copy them.
Wasn't my choice who to hand them to, just to make the difficult.

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@132852 by Randy Abernathy

picon face
In a message dated 7/21/2004 1:08:40 PM Eastern Daylight Time,
martinSTOPspamspamspam_OUTNNYTECH.NET writes:

>  I've built boards like that.
> Discrete logic with the tops sanded off,  powering through unused inputs,
point-to-point wiring with wire-wrap wire, add  pointless wires that don't do
anything (input to input), add wires and  mechanical tricks to make pulling on
the wires (to see where they go) a very  bad idea, and then glob the whole
thing in RTV.
>
> Not  debuggable, or repairable. :)

I can't help but wonder what the point of  that is?

--
--
Martin  Klingensmith
http://infoarchive.net/
http://nnytech.net/


That sounds like something Auto manufacturers do so you have to purchase a
complete new unit.  They make them throw aways.  I have also seen a  few
industrial OEMs do the same thing in an attempt to keep the hardware design  from
being reverse engineered, thinking it would be too much trouble to remove  the
potting compound or that enough of the circuitry would be damaged that  copying
it would be, at the least, very difficult.

Most have abandoned that tho as they are using off the shelf standard PCs
for the industrial control "heart" and are concentrating on the software being
secure.




Randy  Abernathy
4626 Old Stilesboro Road NW
Acworth, GA 30101-4066
Phone /  Fax: 770-974-5295
Cell: 678-772-4113
E-mail: spamBeGoneCnc002STOPspamspamEraseMEaol.com

I  furnish technical support, repair, and other related services for your
industrial woodworking machinery. My background as Senior Service Engineer for
the SCMI Group for nearly fifteen years with factory training, combines with
my  extensive background in electronics, mechanics, pneumatics, electrical and
CNC  machinery to offer you needed support for your  machinery.

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@140729 by Ryan Underwood

flavicon
face
part 1 626 bytes content-type:text/plain; charset=iso-8859-1 (decoded quoted-printable)

On Wed, Jul 21, 2004 at 06:57:24PM +1000, Jake Anderson wrote:
> hell microsofts custom made hard coded security key was hacked in fairly
> short order.
> by one guy (who happened to have access to a chem lab and an electron
> microsope)
> > he read the key straight off the silicon in the chip.

Do you have a link to the methodology he used?   Sounds interesting.

-- Ryan Underwood, <KILLspamnemesisspamBeGonespamicequake.net>

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics




part 2 190 bytes content-type:application/pgp-signature; name="signature.asc" (decode)

2004\07\21@173927 by Robert Rolf

picon face
Ryan Underwood wrote:

> On Wed, Jul 21, 2004 at 06:57:24PM +1000, Jake Anderson wrote:
>
>>hell microsofts custom made hard coded security key was hacked in fairly
>>short order.
>>by one guy (who happened to have access to a chem lab and an electron
>>microsope)
>>
>>he read the key straight off the silicon in the chip.
>
>
> Do you have a link to the methodology he used?   Sounds interesting.

Do you really think he'd publish it??

STM (scanning tunneling microscopes) work quite well at detecting
minute electric fields, say from EEPROM cells.

R

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@174343 by Ryan Underwood

flavicon
face
On Wed, Jul 21, 2004 at 03:31:10PM -0600, Robert Rolf wrote:
>
> Do you really think he'd publish it??

Security researchers regularly publish their findings, if their intent
was to increase knowledge in the security field, and not simply to
defraud or put forth malice towards a particular vendor whose device
they managed to crack.  I wouldn't know what motivations drove the
hacker in question...

--
Ryan Underwood, <EraseMEnemesisspamEraseMEicequake.net>

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@175625 by Robert Rolf

picon face
David VanHorn wrote:

> At 08:55 AM 7/21/2004 -0700, Ben Hencke wrote:
>
>
>>I have heard a story (friend of a friend ;-) about hacking some
>>volatile ram board that had an exposed spaghetti supply wire suspended
>>in some kind of epoxy or silicon goo so that if anyone tryed to remove
>>the protective layer, they would short or break the supply. It was
>>hacked, but at least it took him a few months to do it.
>
>
> I've built boards like that.
> Discrete logic with the tops sanded off, powering through unused inputs, point-to-point wiring with wire-wrap wire, add pointless wires that don't do anything (input to input), add wires and mechanical tricks to make pulling on the wires (to see where they go) a very bad idea, and then glob the whole thing in RTV.
>
> Not debuggable, or repairable. :)

Not easily anyway.

A colleague had purchased a $12,000 real time ultrasound FFT analysis
unit that was built that way.
It failed, and he didn't discover this 'protection method' until the
unit failed. Of course the company had folded, so it was a royal
PITA to attempt a repair without docs.
Since it was 'digital' circa 1980 I assumed 74xx logic.
Voltage measurement of some pins confirmed this (Vout high
and floating input are unique for each logic family).

And the fact that the bad chip was getting really hot, at least
identified the location. Signal tracing (bad logic levels),
and looking for similar color and shape chips,
or stamped markings on the bottom,
led to a 'good' chip that turned out to be a 7400 based on
the measured signals. 3 DAYS of wracked brain but at least I fixed it.

Today I would just replace it with a PC, a damned fast A/D
and Matlab or similar.

R

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\21@175838 by Robert Rolf

picon face
Philip Pemberton wrote:

> In message <@spam@40FDB20C.3050406@spam@spamspam_OUTubasics.com>
>           "M. Adam Davis" <spamBeGoneadampicspamKILLspamUBASICS.COM> wrote:
>
>
>>I use a baseline for my protection:  If the product is not worth $5,000
>>to break, then the PIC protrection is good enough.  If it's worth $5,000
>>to someone to get my program then I may want to look at more robust
>>protection methods.  It may cost vastly more for various chips, and it
>>may be trivial for others - it's just a simple rule of thumb I use.
>
> One of the tricks I heard was to blow out the bond wire going to RB6 or RB7.
> You can get the part into program mode, but you can't get any data in or out.
> A -12V pulse (i.e. GND = 12V, RB7 = 0V) should be enough to do that. Play
> with the voltage, play with the polarity, have fun :)
> After spending around an hour trying to get the chip to divulge its program
> with various power glitches, the attacker would be forced to resort to
> removing the IC encapsulation and microprobing the FLASH.


A quick measurement of pin resistance would save you the time of
fumbling around.
Blowing the bond wire on a plastic chip, and not hurting the
device, is not easy.

The bottom line, anything you can think of, the hacker can undo,
sometimes a LOT more readily than you think possible.
e.g. Power glitching DSS access cards to get past 'trap'
instructions.

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\07\22@034502 by Jake Anderson

flavicon
face
I believe it was published
it was a university paper i believe.

though i dont think he actually revealed the code itself.

others however did the same (i believe) and the codes are now fairly freely
availablle.

i dont have a link to it but i believe i read about it online.


> {Original Message removed}

More... (looser matching)
- Last day of these posts
- In 2004 , 2005 only
- Today
- New search...