Author Topic: STM32F103; the Security of Drop-in Replacement and Counterfeit Microcontrollers  (Read 4121 times)

techman-001 (Topic starter)

For all those Bluepill users out there who would like to see some interesting research into "the Security of Drop-in Replacement and Counterfeit Microcontrollers":

https://arxiv.org/abs/2008.09710

The 13 page PDF itself is at https://arxiv.org/pdf/2008.09710

It covers:

Device             Manufacturer
-----------------  -------------------------------------
STM32F103(C8T6)    STMicroelectronics
APM32F103(CBT6)    Apex Microelectronics
CKS32F103(C8T6)    China Key System & Integrated Circuit
GD32F103(C8T6)     Gigadevice
GD32F130(C8T6)
GD32VF103(CBT6)
 
CJay

Fascinating, I love these in depth investigations and have done for years.

 

peter-h

I cannot believe anybody will make working counterfeit processors - beyond the Z80 or some such.

I have seen counterfeit Hitachi H8/332 ones but it was just an empty package with legs. And they could not even make it the right size; it was a tight fit into the programmer. And the best bit was a typo in the markings :)

The way this activity works is usually by buying say 10k chips from a disti, then sending them 10k of the fake ones, get a refund, and now you have 10k good ones you can sell, and the disti has the 10k duff ones which another customer will eventually get, possibly many months later.

You do sometimes get manufacturers test rejects being offered - stolen from the factory, or remarked.
 

janoc

> I cannot believe anybody will make working counterfeit processors - beyond the Z80 or some such.
>
> I have seen counterfeit Hitachi H8/332 ones but it was just an empty package with legs. And they could not even make it the right size; it was a tight fit into the programmer. And the best bit was a typo in the markings :)
>
> The way this activity works is usually by buying say 10k chips from a disti, then sending them 10k of the fake ones, get a refund, and now you have 10k good ones you can sell, and the disti has the 10k duff ones which another customer will eventually get, possibly many months later.
>
> You do sometimes get manufacturers test rejects being offered - stolen from the factory, or remarked.

That you don't believe in something doesn't make it not being true.

GD32 is a reality and it is not a counterfeit processor (unless someone is remarking it as a genuine ST32F). It is not even a copied die but its own design with some improvements over the original.

You can order them e.g. from LCSC, TME.eu and elsewhere. This is nothing new.
« Last Edit: February 07, 2021, 02:14:23 pm by janoc »
 
andersm

I was surprised that some of the clones had copied the boot ROM, because that is something ST could nail them for (provided they own the copyrights - it's always possible everyone licensed the same third-party code).

I wonder if ST would simply be willing to license out older products like the STM32F1 series. Proper second-sourcing, like in the olden days.

CJay

> I cannot believe anybody will make working counterfeit processors - beyond the Z80 or some such.

Oh they do and it's been going on a *long* time.

There's a *huge* number of them out there, clone PIC chips, clone AVR, all sorts.
 

GromBeestje

> > I cannot believe anybody will make working counterfeit processors - beyond the Z80 or some such.
>
> Oh they do and it's been going on a *long* time.
>
> There's a *huge* number of them out there, clone PIC chips, clone AVR, all sorts.

What is a clone and what is a counterfeit? When a part is not called STM32* but APM32*, BLM32*, CH32*, CK32*, GD32*, HK32*, MM32* etc. etc. It is clearly marked as something else than STM32*. So unless relabelled, they're not counterfeit. A clone? perhaps. When is something a clone, and when it is a re-implementation? I mean, designing peripherals with ST's reference manual as the requirement document, could be considered a new implementation rather than a clone. And keep in mind, not all of them are actually STM32* compatible. I'm looking at the MindMotion part. But that one for reference manuals available.

From my experience, the Gigadevice parts are good, but the others are questionable. But that's mainly because Gigadevice has proper data sheets, reference manuals, errata sheets.
 

CJay

> > > I cannot believe anybody will make working counterfeit processors - beyond the Z80 or some such.
> >
> > Oh they do and it's been going on a *long* time.
> >
> > There's a *huge* number of them out there, clone PIC chips, clone AVR, all sorts.
>
> What is a clone and what is a counterfeit? When a part is not called STM32* but APM32*, BLM32*, CH32*, CK32*, GD32*, HK32*, MM32* etc. etc. It is clearly marked as something else than STM32*. So unless relabelled, they're not counterfeit. A clone? perhaps. When is something a clone, and when it is a re-implementation? I mean, designing peripherals with ST's reference manual as the requirement document, could be considered a new implementation rather than a clone. And keep in mind, not all of them are actually STM32* compatible. I'm looking at the MindMotion part. But that one for reference manuals available.
>
> From my experience, the Gigadevice parts are good, but the others are questionable. But that's mainly because Gigadevice has proper data sheets, reference manuals, errata sheets.

Easy, clone is licensed IP, counterfeit isn't licensed.

If it's a clean room reverse engineering from, say, a datasheet and publicly available information then, as I understand it, it's technically legal but very dubious.

 

drussell

> Easy, clone is licensed IP

Say what now?!   :o
 

CJay

> > Easy, clone is licensed IP
>
> Say what now?!   :o

If you pay to licence your IP and produce a functionally identical device what would you call it?

Clone is not necessarily illegal, counterfeit is.
 

riyadh144

Would you call an AMD processor a counterfeit? I wouldn't. In some ways AMD was very beneficial for Intel as it provided some kind of future security for the customers of Intel.
If one company failed there is another that can stay up and running.

 

janoc

> Clone is not necessarily illegal, counterfeit is.

  • If it is identical to the original and manufactured under a license - that's the original or a licensed copy (e.g. second-sourced parts)
  • If it is functionally identical/compatible to the original but not necessarily physically identical (different dies, etc.) and thus not made under a license (because it doesn't need it unless patents are involved) - that is a clone. E.g. the many Z80 clones or MCS-51 or the GD32 ...
  • If it is a clone or even something completely different being sold as the original - that's a counterfeit

The first two are perfectly legal and there are plenty of examples around.

It becomes illegal only when either some IP of the original company is violated (copyright, patents or trademarks - e.g. someone copies the complete design of the original die - copyright violation) or when an otherwise legal clone is sold as the original (e.g. markings are erased and replaced with fake ones - trademark violation). Reimplementing someone's design from documentation/functional specs is not a violation of copyright and is perfectly legal. 
« Last Edit: February 08, 2021, 08:41:37 am by janoc »
 

drussell

> If you pay to licence your IP and produce a functionally identical device what would you call it?

What about all the functional clones where they are not licensing the original IP?

If you're licensing the IP and producing the same product, that is really just normal traditional second sourcing.  I don't call that a clone, I just call that multiple manufacturers making the same part.  A clone is something that has been designed to do the same function as some other original device, but it's often not a licensed design. 

For example, Phoenix and Award made functional clones of the original IBM PC BIOS firmware, not license the ability to put IBM's code on their own generic ROM chips, etc.  AMD used to be a second source for things like 80286 and 80386 chips, where they were licensing Intel's masks and making the same chip.  They later refined the process and made the 80386DX-40 that ran faster than any Intel variant but it was still the same chip.  They later went on to produce functional clones and enhanced models that were compatible with the Intel offerings in the 486 and 586 world and onward, but none of those were licensed Intel designs, they certainly were functional clones though, and yet certainly not counterfeit (unless you're talking about some actual knock-off that came off Wan-Hung-Lo's production line instead of AMD's.)

 

CJay

> > If you pay to licence your IP and produce a functionally identical device what would you call it?
>
> What about all the functional clones where they are not licensing the original IP?
>
> If you're licensing the IP and producing the same product, that is really just normal traditional second sourcing.  I don't call that a clone, I just call that multiple manufacturers making the same part.  A clone is something that has been designed to do the same function as some other original device, but it's often not a licensed design.
>
> For example, Phoenix and Award made functional clones of the original IBM PC BIOS firmware, not license the ability to put IBM's code on their own generic ROM chips, etc.  AMD used to be a second source for things like 80286 and 80386 chips, where they were licensing Intel's masks and making the same chip.  They later refined the process and made the 80386DX-40 that ran faster than any Intel variant but it was still the same chip.  They later went on to produce functional clones and enhanced models that were compatible with the Intel offerings in the 486 and 586 world and onward, but none of those were licensed Intel designs, they certainly were functional clones though, and yet certainly not counterfeit (unless you're talking about some actual knock-off that came off Wan-Hung-Lo's production line instead of AMD's.)

I should have said Clone 'may be' licensed IP and is not illegal.
 

thm_w

Very cool. The implementation of all of them at the hardware level gives such differences (image from the paper).
 

peter-h

I reckon the chances of somebody synthesising a "copy" of say a 32F400 and getting it to actually work the same way, down to the last bit and the last clock cycle, is nil, and what would be the point?

Simple and very popular chips, I can believe.

If a Chinese or whatever outfit produces a supposedly binary compatible processor, good luck to them, I suppose. But you can't call it "counterfeit".
« Last Edit: February 09, 2021, 04:18:43 pm by peter-h »
 

phil from seattle

> I reckon the chances of somebody synthesising a "copy" of say a 32F400 and getting it to actually work the same way, down to the last bit and the last clock cycle, is nil, and what would be the point?
>
> Simple and very popular chips, I can believe.
>
> If a Chinese or whatever outfit produces a supposedly binary compatible processor, good luck to them, I suppose. But you can't call it "counterfeit".

The point is to profit off of some other company's reputation and name recognition. This happens even with slim margin products. Like the counterfeit 386p [sigh] 328P in the Arduino Nanos that is the subject of a long thread here. It was uncovered due to sleep current deviance from the datasheet. What makes it abundantly clear that this is not a case of remarking - you can't find these chips for sale labeled other than as an Atmel part. A company designed and manufactured this chip with intent of fraud. It is close but not exact and yet seems to be shipping in high volume and, guessing here, making money and profit for the company doing it.
« Last Edit: February 09, 2021, 10:34:06 pm by phil from seattle »
 

balu

More details and information about silicon dies for the STM32F103 and other clones, counterfeits or replacements can be found here:

https://www.richis-lab.de/STM32.htm

The page and information are in German. But the pictures and photos are great.  :-+

Richi’s Lab Main Page: https://www.richis-lab.de/

 
bson

> I reckon the chances of somebody synthesising a "copy" of say a 32F400 and getting it to actually work the same way, down to the last bit and the last clock cycle, is nil

If you license the same ARM Cortex-M core it's going to work exactly the same.  You get the same core peripherals and bus crossbar.  All you have to do is reimplement the peripherals, clock tree, etc.  Looking at each in isolation they're not that complex and really just a matter of throwing payroll at the problem.

It's not likely to have exactly identical electrical characteristics, though, if for no other reason than you'll be using a slightly different process.  And it may require software changes.  For example, an F103 board I have doesn't work at all with a GD32F103 on it.  It seems to power up, but it's not responsive on the SWD pins.  It's probably something trivial, but I haven't gotten around to figuring out what's going on.  :-//
 

