Hacking PICs by microtoming

[MikeW]

So one of the incredibly knowledgeable people at work told me about this really cool technique today.

Basically, if you really, really, really want to get the code off a PIC, but it's locked (and you have some kind of military grade lab). Then you microtome down to the silicon level, x-ray it and read the positions of the gates.

How cool is that?

I didn't press him for more specifics cos I was busy, but anyone else got any reading material about this?

[free_electron]

WRONG. Then you have the position of the gates, but not the code. that is stored as electrical charge.

the easiest way is to take a blank pic, set the protect bit , cut it open, ebeam to find the protect bit , then take the protected pic, go to the same coordinates and erase it with the ebeam.

[MikeW]

Then please correct me?

[tom66]

The data is stored in flash memory. Charges on capacitors. You can't directly read it by eye or by any obvious probing method, without destroying the data first. For the really early "mask rom" devices this was possible but not for modern flash based devices.

There is an easier way, using carefully angled UV light it is possible to flip the "chip protect" bit. Bunnie has some information on this: http://www.bunniestudios.com/blog/?page_id=40

[Richard Crowley]

1) Microtoming is a mechanical process which will either fail to reveal the surface of the die or else destroy the die. It is NOT a practical method if you want to avoid destroying the die.
A practical method of de-potting a typical injection-molded plastic IC package is to dissolve it in red fuming nitric acid, a particularly nasty material to contain, ship, and use.

2) X-ray will not reveal the "position of the gates" (does that mean the value of the data bits?)
Now, some types of scanning electron microscopes can read data values, but it seems much more practical to use a micromanipulator to probe the bond pads or even the internal circuit interconnect nodes.

[MikeW]

(does that mean the value of the data bits?)

Not sure, it was quite an off the cuff conversation.

For the really early "mask rom" devices this was possible but not for modern flash based devices.

Dude is 50 something years old, did security for IBM for twenty years or so. I think that's what he was talking about actually.

Even if you can't do it anymore it's still fascinating to think about.

There is an easier way, using carefully angled UV light it is possible to flip the "chip protect" bit. Bunnie has some information on this: http://www.bunniestudios.com/blog/?page_id=40

Thanks

[hamster_nz]

Basically, if you really, really, really want to get the code off a PIC, but it's locked (and you have some kind of military grade lab). Then you microtome down to the silicon level, x-ray it and read the positions of the gates.

For some reason, this makes me think of XKCD  #538 - https://xkcd.com/538/ - perhaps it is because if you are sufficiently well resourced to get the information back this way, then I am pretty sure you could also get the contents back in a more cost effective way...

[T3sl4co1l]

Curious, I wonder if a tightly collimated x-ray beam could erase the lock bit, once you know where it is.

Or, assuming you have a population of identically programmed chips, if you could x-ray them just until the lock bit flips, and reconstruct the data (which will be mostly obliterated, but in mostly random, but weighted, patterns i.e. ), you might get a good enough (confidence > 99%?) idea of program and data to be able to reverse engineer and error correct it.

Tim

[marshallh]

That's what I did to extract program code from a mask rom MCU.



It had to be stained a certain way to expose the implant layer (where the rom bits were).
Will have a full presentation on the technique and stuff later on.