Chip decryption is also known as single-chip decryption (IC decryption). Since the single-chip microcomputer chips in the official product are encrypted, the program cannot be read directly using the programmer.

In order to prevent unauthorized access or copying of the on-chip programs of the microcontroller, most microcontrollers have encrypted lock bits or encrypted bytes to protect the on-chip programs. If the encryption lock bit is enabled (locked) during programming, the program in the microcontroller cannot be directly read by a common programmer, which is called microcontroller encryption or chip encryption. MCU attackers use special equipment or self-made equipment, exploit loopholes or software defects in MCU chip design, and through various technical means, they can extract key information from the chip and obtain the internal program of the MCU. This is called chip cracking.

Chip decryption method

1.Software Attack

This technique typically uses processor communication interfaces and exploits protocols, encryption algorithms, or security holes in these algorithms to carry out attacks. A typical example of a successful software attack is the attack on the early ATMEL AT89C series microcontrollers. The attacker took advantage of the loopholes in the design of the erasing operation sequence of this series of single-chip microcomputers. After erasing the encryption lock bit, the attacker stopped the next operation of erasing the data in the on-chip program memory, so that the encrypted single-chip microcomputer becomes Unencrypted single-chip microcomputer, and then use the programmer to read the on-chip program.

On the basis of other encryption methods, some equipment can be developed to cooperate with certain software to do software attacks.

2. electronic detection attack

This technique typically monitors the analog characteristics of all power and interface connections of the processor during normal operation with high temporal resolution, and implements the attack by monitoring its electromagnetic radiation characteristics. Because the microcontroller is an active electronic device, when it executes different instructions, the corresponding power consumption also changes accordingly. In this way, by analyzing and detecting these changes using special electronic measuring instruments and mathematical statistical methods, specific key information in the microcontroller can be obtained.

3. fault generation technology

The technique uses abnormal operating conditions to bug the processor and then provides additional access to carry out the attack. The most widely used fault-generating attacks include voltage surges and clock surges. Low-voltage and high-voltage attacks can be used to disable protection circuits or force the processor to perform erroneous operations. Clock transients may reset the protection circuit without destroying the protected information. Power and clock transients can affect the decoding and execution of individual instructions in some processors.

4. probe technology

The technology is to directly expose the internal wiring of the chip, and then observe, manipulate, and interfere with the microcontroller to achieve the purpose of attack.

For the sake of convenience, people divide the above four attack techniques into two categories, one is intrusive attack (physical attack), this type of attack needs to destroy the package, and then use semiconductor test equipment, microscopes and micro-positioners in a specialized laboratory. It can take hours or even weeks to complete. All microprobing techniques are invasive attacks. The other three methods are non-invasive attacks, and the attacked microcontroller will not be physically damaged. Non-intrusive attacks are particularly dangerous in some cases because the equipment required for non-intrusive attacks can often be self-built and upgraded, and therefore very cheap.

Most non-intrusive attacks require the attacker to have good processor knowledge and software knowledge. In contrast, invasive probe attacks do not require much initial knowledge, and a broad set of similar techniques can usually be used against a wide range of products. Therefore, attacks on microcontrollers often start from intrusive reverse engineering, and the accumulated experience helps to develop cheaper and faster non-intrusive attack techniques.