[Bunnie’s] Archives: Unlocking Protected Microcontrollers

A few years back [Bunnie] took a crack at cracking the security fuses on a PIC microcontroller. Like most of the common 8-bit microcontrollers kicking around these days, the 18F1320 that he’s working with has a set of security fuses which prevent read back of the flash memory and EEPROM inside. The only way to reset those security fuses is by erasing the entire chip, which also means the data you sought in the first place would be wiped out. That is, if you were limited to using orthodox methods.

[Bunnie] had a set of the chips professionally uncapped, removing the plastic case without damaging the silicon die inside. He set to work inspecting the goodies inside with an electron microscope and managed to hammer out a rudimentary map of the layout. Turns out that flash memory can be erased with ultraviolet light, just like old EPROM chips. Microchip thought of that and placed some shielding over the security fuses to prevent them being reset in this manner. But [Bunnie] managed to do so anyway, creating an electrical tape mask to protect the rest of the data stored in the chip while bouncing UV light underneath the shielding at an angle.

Want to uncap some chips of your own without enlisting the help of others? Give this method a try.

[via Dangerous Prototypes]

25 thoughts on “[Bunnie’s] Archives: Unlocking Protected Microcontrollers

  1. “…inspecting the goodies inside with an electron microscope…”

    No, I think all he needed was a good optical microscope, probably 50 or 100x at the very most. Optical microscopes are usually sufficient for reverse-engineering chips like the PIC on a circuit level. You only need to resort to electron microscopes if you need to resolve individual circuit element construction, or you’re looking at the very latest chip from Intel. (Actually in the latter case, your biggest problem is going to be digging past the thick stack of metal layers to even get to the actual devices.)

  2. Most UV filters aren’t actually 100% effective. I suspect that given enough UV (think a 250 or 500 watt bulb) would be more than enough to bruteforce through the UV filter. Those things will give you a sunburn in seconds.

    Need to watch the heat output though.

    What did he use to dissolve the chip case? Sulfuric? Nitric?

  3. @Hackerspacer: It says he had the chip de-capped professionally. They probably used RFNA.

    I’m not sure what you’re talking about there with respect to UV filters. All he had to do was tip the chip at an angle to get the UV light to bounce under the shield. That’s certainly easier than using a 500W bulb. Are you trying to say that he could just blast light through the case? I don’t think that’s going to happen…

  4. Really slick work.

    So whats the next step? If you’re able to dump the flash contents to file, you’re simply left with the code in assembly opcodes and the data. Reverse engineering that would most likely take longer than simply copying the product.

    But I think the main advantage would be for recovering data on the IC. Maybe if the chip is used for some kind of security application with codes saved on the flash.

  5. @vtl,
    1. If he had the flash data he could just burn it to other pic’s (and copy the product)
    2. A lot of PIC users program in assembly and we’d be fine with the data once it was put through a dissembler. No need to reverse engineer.
    3. He’s a hacker he hacked the chip.

  6. Didn’t someone describe a way to access (=read out) avr flash overriding the fuse bits somewhere here in the hackaday comments?

    I’ve read many times that it is possible but I didn’t find a way to do it, unfortunately.

  7. The first real hack on HAD in a couple of years. This one utterly ROCKS!

    Super crunchy Kudos! This person is a Uber HaXor in every sense of the word. All others are posers in their shadow…..

    We are not worthy….. We are not worthy….

  8. Ye I remember a similar article somewhere but can’t remember where. What would be interesting now is to see an example of FPGA with Anti-Fuse attack method… I believe that one requires and Ion Scanner to “set” the fuses again. Any one have any info?

  9. Microchip should have mixed in some parity bits for this very reason… imagine a checkerboard pattern of lock bits where an unlocked state is checked one way, locked is the inverse, and anything else such as “all clear” resets the chip.

  10. For those who question the use of being able to reset the security bits on protected chips, one big use is to read out the data from old consoles, arcade machines and computers (many of which used protected chips to prevent unauthorized copying)

Leave a Reply to ZeUsCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.