Post by thread:CODE SECURE WITH PIC?

Bob Lunn 12/16/97 01:17 PM -> Well... Since Microchip are careful not to promise ANYTHING in -> regards to the security of the PIC code-protection, I guess the -> answer is, "Yes." Come now, Andy. You're being a mite disengenuous! The very label 'code protection' contains a promise that code will be protected. Such a promise must be subject to a 'reasonableness' test. Microchip promote 'programmable code protection' as a feature of their devices, in the same way that they promote a 'power saving SLEEP mode'. If you discovered that the 'power saving' was a mere 5% you would be justified in questioning the reasonableness of Microchip's claim (despite its factual correctness). In the same way, if you discovered that the 'code protec- tion' could be defeated with $5 worth of electronics you would (should) dispute the claim, and its implied promise. ___Bob

15 Dec 97, zhuxhKILLspamcheerful.com writes to All: z> I am woundering if the code protection with PIC's is as secure as z> promised by Microchip? Yes, due to Microchip promise only, that code protection exists, and nothing about actual strength of code protection. z> as far as I know, there is a company in Beijin that offers service to z> help decode the Microchip's PICs. The cost is about US$1000 for each z> chip! The same service you can also found in Moskow, Russia. They promise any protected PIC code reverse engineering with cost lower, than $1000 (same price!) in one-two days. For PIC16C84 it can be done for almost free and for PIC16F8x price is lower, than $100. Probably, both companies use some technological backdoors in Microchip products. Sorry, I don't know any technical details, only see advertisiments and know some cases of the successfull using of this service. z> I am afriad my own coding with PICs will be copied by others one day. z> Do you have any idea on this? Is my worry unnecessary? The only things, that can protect you - change you product as frequently, as possible, add new features, new ideas and didn't try to obtain superprofit. If you need really protected product for security applications - use special security designed chips, not wide available microcontrollers. Alexey --- GoldED/2 2.50+

Terviist! please, can you be more specific? Can you tell me who offers such services, or how to find them? I don't doubt the technical feasibility of this, but as it is presented so far, it sounds like one of those "urban legends" (you know: the story about the dog in the closet choking on the burglar's finger it had bitten off, or whatever that was...) I would like to know how much it really costs and how long it really takes, and what the success rate is (do you need a number of parts to ensure full ROM reconstruction), is it a destructive process (can you sneak the cracked part back into service?). And then I would like to hear these guys discuss what methods are better, more expensive, etc. Peter F. Klammer / .....pklammerKILLspam.....racom.com Racom Systems, Inc. / 6080 Greenwood Plaza Blvd. / Englewood, CO 80111 (303)773-7411 / FAX:(303)771-4708 / http://www.racom.com World's First Dual-Interface Symmetric-Access FRAM Smartcard {Quote hidden}> ---------- > From: Alexey Vladimirov[SMTP:EraseMEavladspam_OUTTakeThisOuTMAILBOX.RIGA.LV] > Reply To: pic microcontroller discussion list > Sent: Tuesday, December 16, 1997 7:36 AM > To: PICLISTspam_OUTMITVMA.MIT.EDU > Subject: CODE SECURE WITH PIC? > > 15 Dec 97, @spam@zhuxhKILLspamcheerful.com writes to All: > > z> I am woundering if the code protection with PIC's is as secure as > z> promised by Microchip? > > Yes, due to Microchip promise only, that code protection exists, and > nothing > about actual strength of code protection. > > z> as far as I know, there is a company in Beijin that offers service > to > z> help decode the Microchip's PICs. The cost is about US$1000 for > each > z> chip! > > The same service you can also found in Moskow, Russia. They promise > any > protected PIC code reverse engineering with cost lower, than $1000 > (same price!) in one-two days. For PIC16C84 it can be done for almost > free and > for PIC16F8x price is lower, than $100. Probably, both companies use > some > technological backdoors in Microchip products. Sorry, I don't know any > technical details, only see advertisiments and know some cases of the > successfull using of this service. > > z> I am afriad my own coding with PICs will be copied by others one > day. > z> Do you have any idea on this? Is my worry unnecessary? > > The only things, that can protect you - change you product as > frequently, as > possible, add new features, new ideas and didn't try to obtain > superprofit. > If you need really protected product for security applications - use > special > security designed chips, not wide available microcontrollers. > > Alexey > > --- GoldED/2 2.50+ >

This is not just an urban legend. There are some very sophisticated techniques that are "very" destructive to the device under attack. I used to have a link to a site that described in detail some of the methods these "service" companies use, but I seem to have lost it. Maybe someone else out there will know the one I am talking about. Anyway, some of these techniques can be hacked at home, but for difficult jobs, complex and expensive "fab" equipment is used. Various chemicals and mechanical methods are used to obtain access to the die, then by connecting to various points on the die, the contents of the ROM can be read out. Like most MCU's, PIC's a very vulnerable to an extremely sophisticated attack. These guys are so good at what they do that several companies (I think ATMEL is one of them) have developed high security MCU's, that use a variety of tricks to thwart this kind of attack. I believe some such chips actually self-destruct if the package is compromised. CIAO - Martin. On Tue, 16 Dec 1997 10:31:33 -0700, Pete Klammer <KILLspampklammerKILLspamRACOM.COM> wrote: {Quote hidden}>Terviist! > >please, can you be more specific? > >Can you tell me who offers such services, or how to find them? > >I don't doubt the technical feasibility of this, but as it is presented >so far, >it sounds like one of those "urban legends" (you know: the story about >the dog >in the closet choking on the burglar's finger it had bitten off, or >whatever that was...) > >I would like to know how much it really costs and how long it really >takes, >and what the success rate is (do you need a number of parts to ensure >full ROM reconstruction), >is it a destructive process (can you sneak the cracked part back into >service?). > >And then I would like to hear these guys discuss what methods are >better, more expensive, etc. > >Peter F. Klammer / RemoveMEpklammerTakeThisOuTracom.com >Racom Systems, Inc. / 6080 Greenwood Plaza Blvd. / Englewood, CO 80111 >(303)773-7411 / FAX:(303)771-4708 / http://www.racom.com >World's First Dual-Interface Symmetric-Access FRAM Smartcard > >> ---------- >> From: Alexey Vladimirov[SMTP:spamBeGoneavladspamBeGoneMAILBOX.RIGA.LV] >> Reply To: pic microcontroller discussion list >> Sent: Tuesday, December 16, 1997 7:36 AM >> To: TakeThisOuTPICLISTEraseMEspam_OUTMITVMA.MIT.EDU >> Subject: CODE SECURE WITH PIC? >> >> 15 Dec 97, RemoveMEzhuxhTakeThisOuTcheerful.com writes to All: >> >> z> I am woundering if the code protection with PIC's is as secure as >> z> promised by Microchip? >> >> Yes, due to Microchip promise only, that code protection exists, and >> nothing >> about actual strength of code protection. >> >> z> as far as I know, there is a company in Beijin that offers service >> to >> z> help decode the Microchip's PICs. The cost is about US$1000 for >> each >> z> chip! >> >> The same service you can also found in Moskow, Russia. They promise >> any >> protected PIC code reverse engineering with cost lower, than $1000 >> (same price!) in one-two days. For PIC16C84 it can be done for almost >> free and >> for PIC16F8x price is lower, than $100. Probably, both companies use >> some >> technological backdoors in Microchip products. Sorry, I don't know any >> technical details, only see advertisiments and know some cases of the >> successfull using of this service. >> >> z> I am afriad my own coding with PICs will be copied by others one >> day. >> z> Do you have any idea on this? Is my worry unnecessary? >> >> The only things, that can protect you - change you product as >> frequently, as >> possible, add new features, new ideas and didn't try to obtain >> superprofit. >> If you need really protected product for security applications - use >> special >> security designed chips, not wide available microcontrollers. >> >> Alexey >> >> --- GoldED/2 2.50+ >> Martin R. Green elimarEraseME.....NOSPAMbigfoot.com To reply, remove the NOSPAM from the return address. Stamp out SPAM everywhere!!!

I have heard of a commercial product sold in the UK called a PICBuster, and I have seen a suggested attack method on the 16C84 which is alleged to work (it also sounded likely to fry the chip, though) - search on AltaVista for 16C84 and code and protect, I think. The interest in Europe regarding PIC code protection defeating is largely due to the use of these chips in satellite scrambling systems. There is a thriving black market in smartcards which defeat the encryption systems. Why they bother, I can't imagine. Its only 500 channels of utter crap, anyway, but that's human nature for you..... What these minds could do in solving the world's *real* problems (sigh!) {Quote hidden}> ---------- > From: Pete Klammer[SMTP:EraseMEpklammerRACOM.COM] > Reply To: pic microcontroller discussion list > Sent: Wednesday, December 17, 1997 6:31 AM > To: RemoveMEPICLISTEraseMEEraseMEMITVMA.MIT.EDU > Subject: Re: CODE SECURE WITH PIC? > > Terviist! > > please, can you be more specific? > > Can you tell me who offers such services, or how to find them? > > I don't doubt the technical feasibility of this, but as it is > presented > so far, > it sounds like one of those "urban legends" (you know: the story about > the dog > in the closet choking on the burglar's finger it had bitten off, or > whatever that was...) > > I would like to know how much it really costs and how long it really > takes, > and what the success rate is (do you need a number of parts to ensure > full ROM reconstruction), > is it a destructive process (can you sneak the cracked part back into > service?). > > And then I would like to hear these guys discuss what methods are > better, more expensive, etc. > > Peter F. Klammer / RemoveMEpklammerspam_OUTKILLspamracom.com > Racom Systems, Inc. / 6080 Greenwood Plaza Blvd. / Englewood, CO 80111 > (303)773-7411 / FAX:(303)771-4708 / http://www.racom.com > World's First Dual-Interface Symmetric-Access FRAM Smartcard > > > ---------- > > From: Alexey Vladimirov[SMTP:RemoveMEavladTakeThisOuTspamMAILBOX.RIGA.LV] > > Reply To: pic microcontroller discussion list > > Sent: Tuesday, December 16, 1997 7:36 AM > > To: EraseMEPICLISTspamspamBeGoneMITVMA.MIT.EDU > > Subject: CODE SECURE WITH PIC? > > > > 15 Dec 97, RemoveMEzhuxhKILLspamcheerful.com writes to All: > > > > z> I am woundering if the code protection with PIC's is as secure > as > > z> promised by Microchip? > > > > Yes, due to Microchip promise only, that code protection exists, and > > nothing > > about actual strength of code protection. > > > > z> as far as I know, there is a company in Beijin that offers > service > > to > > z> help decode the Microchip's PICs. The cost is about US$1000 for > > each > > z> chip! > > > > The same service you can also found in Moskow, Russia. They promise > > any > > protected PIC code reverse engineering with cost lower, than $1000 > > (same price!) in one-two days. For PIC16C84 it can be done for > almost > > free and > > for PIC16F8x price is lower, than $100. Probably, both companies use > > some > > technological backdoors in Microchip products. Sorry, I don't know > any > > technical details, only see advertisiments and know some cases of > the > > successfull using of this service. > > > > z> I am afriad my own coding with PICs will be copied by others one > > day. > > z> Do you have any idea on this? Is my worry unnecessary? > > > > The only things, that can protect you - change you product as > > frequently, as > > possible, add new features, new ideas and didn't try to obtain > > superprofit. > > If you need really protected product for security applications - use > > special > > security designed chips, not wide available microcontrollers. > > > > Alexey > > > > --- GoldED/2 2.50+ > > >

> The only things, that can protect you - change you product as frequently, as > possible, add new features, new ideas and didn't try to obtain superprofit. > If you need really protected product for security applications - use special > security designed chips, not wide available microcontrollers. Very seldom is it worthwhile to crack a code-protected chip. While the software in many chips has $1000's of dollars of engineering invested in it, the designer has access to knowlege and information NOT contained within the chip (e.g. info about debug modes, etc.) In many cases, it's better to rewrite software from scratch than to reverse-engineer what's there, especially if it's necessary to make any changes. The one time code-cracking is profitable (which is what made the 16X84's such a nice target) is when the contents of the chip are worth more than the device in which it's embedded. For example, in a Satellite TV decoder, the contents of the chip may be worth thousands of dollars even though the decoder itself may be worth only a few hundred. Note that the 16C84/16F84 may in fact be no easier to break than other 16Cxx parts; the big reason it got cracked was the value of the broadcast satellite signals.

Andrew Mayo <andrewSTOPspamspam_OUTGEAC.CO.NZ> wrote: > The interest in Europe regarding PIC code protection defeating is > largely due to the use of these chips in satellite scrambling systems. > There is a thriving black market in smartcards which defeat the > encryption systems. AFAIK, the PIC was never used in any original satellite descrambler or smartcard. It was designed into some of the pirate smartcards. The interest in defeating the PIC16C84 code protection was from people who thought it would be easier to copy a pirate smartcard than reverse-engineer the real (original) smartcard. The processor of choice for new pirate stuff seems to be the Dallas DS5000, which is designed to be very secure. I haven't heard whether anyone has figured out how to dump the memory of the Dallas part. > Why they bother, I can't imagine. Its only 500 > channels of utter crap, anyway, but that's human nature for you..... > What these minds could do in solving the world's *real* problems (sigh!) Typically the people who do the reverse-engineering aren't the same people who spend eight hours a day watching television. It is done by people who notice the large revenue stream from that group, and want to divert some of it into their own pockets. There is enough potential revenue that the pirates are willing to spend the money for some very heavy-duty reverse- engineering, including microprobing. Note that I don't condone any of this. And I personally don't have time to watch more than two hours of TV a week (Babylon 5, The Simpsons, and King of the Hill). I've got a big pile of Sony audio and video gear, and I've gotten really fed up with the fact that the volume control buttons on all the remotes send volume commands with the TV device code, not to the receiver/preamp. The speakers on my TV aren't even enabled. I've hacked some PIC code to receive the IR, decode the TV volume commands, change the device code, and forward them via Control-S to my preamp. Cheers, Eric