Author Topic: Hacking PICs by microtoming  (Read 4153 times)

Offline MikeW (Topic starter)

  • Regular Contributor
  • *
  • Posts: 104
  • Country: gb
  • Self confessed noob
Hacking PICs by microtoming
« on: July 20, 2015, 07:14:26 pm »
So one of the incredibly knowledgeable people at work told me about this really cool technique today.

Basically, if you really, really, really want to get the code off a PIC, but it's locked (and you have some kind of military grade lab). Then you microtome down to the silicon level, x-ray it and read the positions of the gates.

How cool is that?

I didn't press him for more specifics cos I was busy, but anyone else got any reading material about this?

 

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 8550
  • Country: us
    • SiliconValleyGarage
Re: Hacking PICs by microtoming
« Reply #1 on: July 20, 2015, 07:20:36 pm »
WRONG. Then you have the position of the gates, but not the code. That is stored as electrical charge.

The easiest way is to take a blank PIC, set the protect bit, cut it open, ebeam to find the protect bit, then take the protected PIC, go to the same coordinates and erase it with the ebeam.
« Last Edit: July 20, 2015, 07:23:08 pm by free_electron »
Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed, induced or compensated by my employer(s).
 

Offline MikeW (Topic starter)

  • Regular Contributor
  • *
  • Posts: 104
  • Country: gb
  • Self confessed noob
Re: Hacking PICs by microtoming
« Reply #2 on: July 20, 2015, 07:21:38 pm »
Then please correct me?
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 7218
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Hacking PICs by microtoming
« Reply #3 on: July 20, 2015, 07:25:39 pm »
The data is stored in flash memory. Charges on capacitors. You can't directly read it by eye or by any obvious probing method, without destroying the data first. For the really early "mask rom" devices this was possible but not for modern flash based devices.

There is an easier way, using carefully angled UV light it is possible to flip the "chip protect" bit. Bunnie has some information on this: http://www.bunniestudios.com/blog/?page_id=40
 

Offline Richard Crowley

  • Super Contributor
  • ***
  • Posts: 4321
  • Country: us
  • KJ7YLK
Re: Hacking PICs by microtoming
« Reply #4 on: July 20, 2015, 07:28:00 pm »
1) Microtoming is a mechanical process which will either fail to reveal the surface of the die or else destroy the die. It is NOT a practical method if you want to avoid destroying the die.
A practical method of de-potting a typical injection-molded plastic IC package is to dissolve it in red fuming nitric acid, a particularly nasty material to contain, ship, and use.

2) X-ray will not reveal the "position of the gates" (does that mean the value of the data bits????)
Now, some types of scanning electron microscopes can read data values, but it seems much more practical to use a micromanipulator to probe the bond pads or even the internal circuit interconnect nodes.
 

Offline MikeW (Topic starter)

  • Regular Contributor
  • *
  • Posts: 104
  • Country: gb
  • Self confessed noob
Re: Hacking PICs by microtoming
« Reply #5 on: July 20, 2015, 07:31:17 pm »


Quote
(does that mean the value of the data bits????)


Not sure, it was quite an off the cuff conversation.

Quote
For the really early "mask rom" devices this was possible but not for modern flash based devices.

Dude is 50 something years old, did security for IBM for twenty years or so. I think that's what he was talking about actually.

Even if you can't do it anymore it's still fascinating to think about.

Quote
There is an easier way, using carefully angled UV light it is possible to flip the "chip protect" bit. Bunnie has some information on this: http://www.bunniestudios.com/blog/?page_id=40

Thanks
 

Offline hamster_nz

  • Super Contributor
  • ***
  • Posts: 2812
  • Country: nz
Re: Hacking PICs by microtoming
« Reply #6 on: July 21, 2015, 12:04:29 am »
Quote
Basically, if you really, really, really want to get the code off a PIC, but it's locked (and you have some kind of military grade lab). Then you microtome down to the silicon level, x-ray it and read the positions of the gates.

For some reason, this makes me think of XKCD  #538 - https://xkcd.com/538/ - perhaps it is because if you are sufficiently well resourced to get the information back this way, then I am pretty sure you could also get the contents back in a more cost effective way...
Gaze not into the abyss, lest you become recognized as an abyss domain expert, and they expect you keep gazing into the damn thing.
 

Offline T3sl4co1l

  • Super Contributor
  • ***
  • Posts: 22436
  • Country: us
  • Expert, Analog Electronics, PCB Layout, EMC
    • Seven Transistor Labs
Re: Hacking PICs by microtoming
« Reply #7 on: July 21, 2015, 07:36:21 am »
Curious, I wonder if a tightly collimated x-ray beam could erase the lock bit, once you know where it is.

Or, assuming you have a population of identically programmed chips, if you could x-ray them just until the lock bit flips, and reconstruct the data (which will be mostly obliterated, but in mostly random, but weighted, patterns i.e. ), you might get a good enough (confidence > 99%?) idea of program and data to be able to reverse engineer and error correct it.

Tim
Seven Transistor Labs, LLC
Electronic design, from concept to prototype.
Bringing a project to life?  Send me a message!
 

Offline marshallh

  • Supporter
  • ****
  • Posts: 1462
  • Country: us
    • retroactive
Re: Hacking PICs by microtoming
« Reply #8 on: July 21, 2015, 07:35:11 pm »
That's what I did to extract program code from a mask rom MCU.



It had to be stained a certain way to expose the implant layer (where the rom bits were).
Will have a full presentation on the technique and stuff later on.
Verilog tips
BGA soldering intro

11:37 <@ktemkin> c4757p: marshall has transcended communications media
11:37 <@ktemkin> He speaks protocols directly.
 

