Whenever the blog is enabled, spammers are able to deface the mainpages index.html file replacing it with hundreds of spam links to software.
The only way we can stop it is to stop the blog. We’ve tried cleaning the blog up but they still get in somehow through Wordpress 
.
If you think you can help us, please email tech at flylogic.net
Thanks!
During last years Blackhat and Defcon conferences, several individuals asked me about possibly giving classes on the security model of commonly found microcontrollers. Jeff Moss’ group setup a poll here. Given todays Silicon technology has become so small yet so large, it would be best to determine which architecture and which devices everyone is most interested in. The current poll will determine which brand micro to target (Atmel AVR or Microchip PIC) and after this is decided, we will need more input to narrow the class down to a few devices of the chosen family.
While the classes are not cheap, all participants will learn and understand the chosen targets security model. Armed with such knowledge will help you to understand and recognize potential risks in future design work allowing you to avoid the possiblity of compromise (and I suppose this would also enhance job security 
. Full mosaic blowups of the targets, decapsulated devices, use of a probe station and all users will “modify” the security model of their devices themselves (unless they ask for some help). I don’t believe such a class has ever been given and seating will be limited per class.
Feel free to comment here but Blackhat really needs the feedback.
Thank you,
-Christopher Tarnovsky
Before going deeper into the analysis of today’s chips, we will take a quick journey to where it all began: the Intel 4004, world’s first widely-used microprocessor. The 4004 and most other antiquated chips differ from modern chips in two main characteristics: They only use a single type of transistor (PMOS or NMOS) and each logic gate is custom-designed to best utilize the available area — an inevitable optimization for chips built from transistors about 150x larger than those used in their modern descendants.
The pictures below show four custom-designed variations of the same logic function, 2-NAND:
Each of the gates is composed of two transistors and one resistor. If either of the transistors is open (that is: having Vcc applied to its gate), the output is strongly connected to Vcc. If neither of the transistors is open, the gate is weakly connected to GND through the resistor, but still strong enough to pull the output to GND. The next image shows the only metal layer of the 4004, just above the 2-NANDs:
PMOS is very area-efficient, but more power hungry and slower than alternatives such as CMOS, which combines PMOS and NMOS transistors as illustrated in this post. It’s beautiful to see how none of the inefficiencies we see in modern chips are found on the 4004 and how the available space is completely filled with logic. The entire 4004 has only some 2,300 transistors and makes for a perfect exercise in learning neat chip layout and logic gate design (click for a high-res version):
[edit - Jan 9, 2009: Adding mosaic of entire substrate]
(Clicking on the picture above will result in a 45 MB download!)
As a challenge for next time, identify the extra 3 layers that the Intel museum claims. Last episode’s challenge was correctly solved first by Jeri Ellsworth. Respect for her almost perfect circuit diagram as well as her remarkable on-your-kitchen-table semiconductors fab.
Credit for the chips go to Tim McNerney. Tim is an expert on the 4004 who has built an interactive exhibit of the chip for the Intel museum. For more information please visit the Intel 4004 35th anniversary project web site.
-Karsten Nohl
All of us at Flylogic want to wish all of our wonderful readers a wonderful new year as we enter into 2009! We will make an effort to post more frequently on the blog this year and appologize for lack of content last year.
Let’s start the year off right! Who out there can guess what the image below is?
All of you were really fast to guess the above image so we decided to append a few more interesting pictures onto this article for your viewing pleasure.
Could these be mushrooms in the forrest of the smurfs?
These appear to be snails but snails of what and they are not the same!
Today we are taking you one step deeper into a microchip than we usually go. We look at transistors and the logic functions they compose, which helps us understand custom ASICs now found in some secured processors.
To reverse-engineer the secret functionality of an ASIC, we identify logic blocks, map out the wiring between the blocks, and reconstruct the circuit diagram. Today, we’ll only be looking at the first step: reading logic. And we start with the easiest example of a logic function: the inverter:
To read logic, you first have to find the transistors and decide where Vcc (+) and ground (-) are located. Transistors are easy to spot. They will always look very similar to those two transistors marked in the picture: A rectangle shape with a line in the middle. Vcc is always next to the larger transistors (PMOS) and ground is closer to the smaller ones (NMOS).
Once you identified the transistors, you draw a small circuit diagram that shows how they are connected to each other. In the example, the inputs of the two transistors are connected and so are their outputs on the left side. From this circuit diagram you can read that whatever you assert at the input, the output will be forced to the opposite state — an inverter.
Every gate will follow these basic principles, but vary in the number and constellation of transistors. A 2-NOR gate (Y = !(A|B) ), for instance, is composed of 4 transistors in this setup:
Once you figured out a gate, you can recognize every occurrence of that function on the whole chip because the exact same shape is always used for the same function. Generally, you only need to read a few dozens gates at most to generate a map of functions across whole chip. Get a head start on reading logic and check out the logic gate collection at The Silicon Zoo.
Here is a challenge for you to try (open in GIMP or Photoshop and toggle between the different layers):
It’s about the hardest function found on most chips with a total of 34 transistors, 3 inputs, 2 outputs, and time-variant behavior. The solution will be posted next week.
We are proud to announce that those who enjoy reading the blog (which we appologize for the lack of content lately) can soon enjoy reading posts from Karsten Nohl as well.
For those of you who are not familiar with Karsten, he played an important role in the discovery and analysis of the Crypto-1 mathmatical algorithm found in Philips (NXP) Mifare RFID devices.
He recently obtained his PhD from University of Virginia in the United States. He’s a known within the Chaos Computer Club (CCC) in Germany as well.
We too look forward to reading Karsten’s posts. Feel free to give Karsten a round of applause by posting a quick comment!
Karsten- Congratulations on your PhD!!
Atmel produces a number of ARM based devices in their portfolio of products. We had one laying around the lab so here we go as usual…
The device was a 48 pin QFP type package. We also purchased a sample of the other members of the family although the initial analysis was done on the AT91SAM7S32 part shown above. All pictures will relate to this specific part even though there is not a signifigant difference between the other members of this line except memory sizes.
After decapsulating the die from inside the QFP, we find a beautifully layed out 210nm 5 metal design! Thats right, 5 metal layers! Strangely enough, we would have thought this was a 220nm 5 metal but apparently Atmel doesn’t have a .22um process so this is matching their .21um.
The core runs at 1.8v and allows 1.65v operation (thus it is their ATC20 process being used). The datasheet on the device can be found here. The 32KB Flash part also contains 8KB of SRAM (that’s a lot of ram!).
Notice on this particular layout, there is CMP filler metal (e.g. dead metal, metal slugs that are not connected to anything floating in SIO2) covering almost the entire die.
The picture above actually has had the top 2 metal layers removed. Metal 5 (M5) being the highest with the CMP filler and some power planes. Metal 4 (M4) had additional power planes and routing wires.
With Metals 1-3 still present, we can get a nice overview of the floorplan now. We can see the Flash, Fuses, and SRAM clearly. The Flash has a solid coating of metal over the entire cell area which has become common from Atmel to prevent UV light attacks we suppose?
We can now label the areas on the original top metal overview photo. There is a small boot-rom loader present on the device as well and is explained in the manual.
The picture above shows some of the bits of this ROM.
In the above picture lay the configuration fuses. Single cell’s of EEPROM type memory where any given cell can be set or cleared independently of another. Atmel layed them out very orderly as we see typically. It should be noted that these fuses are buried under 3 metal layers!
These cells were actually on Metal 1 and 2 but there are connections via Metal 3 as well.
There were additional power planes across the lower area of the photo from Metal 4 and 5 that cover those fuses however this isn’t buying them any security if the actual lock bits were buried there. A laser can go right through it all keeping the power-bus in tact with a hole in it.
Finally, the Atmel part number of this die. The CMP filler is visible in this picture too.
In summary, this is a very well secured device. Fuses buried in a 5 metal layer design make the Microchip DSPIC’s look like a piece of cake in comparision (They are 350nm 4 metal).
We didn’t test this, but we are sure UV will set this fuses to a bad state if you can get the light to the floating gate since most all Atmel’s behave this way.
Nice job Atmel!
A ”backdoor” has been discovered by Flylogic Engineering in the Atmel AT88SC153 and AT88SC1608 CryptoMemory.
Before we get into this more, we want to let you know immediately that this backdoor only involves the AT88SC153/1608 and no other CryptoMemory devices.
The backdoor involves restoring an EEPROM fuse with Ultra-Violet light (UV). Once the fuse bit has been returned to a ’1′, all memory contents is permitted to be read or written in the clear (unencrypted).
Normally in order to do so, you need to either authenticate to the device or use a read-once-given “secure code” as explained in the AT88SC153 datasheet and the AT88SC1608 datasheet.
For those of you who are unfamiliar Atmel’s CryptoMemory, they are serial non-volatile memory (EEPROM) that support a clear or secure channel of communications between a host (typically an MCU) and the memory. What is unique about the CryptoMemory are their capabilities in establishing the secure channel (authenticating to the host, etc).
Figure 1: AT88SC153 magnified 200x.
Figure 2: AT88SC1608 magnified 200x.
These device includes:
High-security Memory Including Anti-wiretapping
64-bit Authentication Protocol
Secure Checksum
Configurable Authentication Attempts Counter
Multiple Sets of Passwords
Specific Passwords for Read and Write
Password Attempts Counters
Selectable Access Rights by Zone
Figure 3: Commented AT88SC153.
Figure 4: Commented AT88SC1608.
Section 5 of the datasheet labled, “Fuses” clearly states, “Once blown, these EEPROM fuses can not be reset.“
This statement is absolutely false. UV light will erase the fuses back to a ‘1′ state. Care must be used to not expose the main memory to the UV or else it too will erase itself.
We are not going to explain the details of how to use the UV light to reset the fuse. We have tried to contact Atmel but have not heard anything back from them.
Reading deeper into the datasheet under Table 5-1, Atmel writes, “When the fuses are all “1″s, read and write are allowed in the entire memory.“
As strange as it reads, they really do mean even if you have setup security rules in the configuration memory, it doesn’t matter. The fuses override everything and all memory areas are readable in the clear without the need for authentication or encrypted channel! The attacker can even see what the “Secure Code” is (it is not given out in the public documentation, nor with samples). Atmel was even kind enough to leave test pads everywhere so various levels of attackers can learn (entry to expert).
Our proof of concept was tested on samples we acquired through Atmel’s website. Atmel offers samples to anyone however they do not give out the “Secure code” as mentioned above.
The secure code of the AT88SC153 samples was “$D_ $F_ $7_”.
The secure code of the AT88SC1608 was “$7_ $5_ $5_”.
We are not going to show you the low nibble of the 3 bytes to make sure we don’t give the code out to anyone. This is enough proof to whoever else knows this code. That person(s) can clearly see we know their transport code which appears to be common to all samples (e.g. All die on a wafer contain the same secure code until a customer orders parts at which time that customer receives their own secure code.). A person reading this cannot guess the secure code in because there are 12 bits to exhaustively search out and you only have 8 tries 
.
Of all the other CryptoMemory products, only the AT88SC153/1608 has this backdoor. We have successfully analyzed the entire CryptoMemory product line and can say that the backdoor doesn’t exist in any other CryptoMemory part. None of the CryptoMemory parts are actually as “secure” as they make it seem. The words, “Smoke n’ Mirrors” comes to mind (It is almost always like that). In this particular category of CryptoMemory, there are two parts, the AT88SC153 and the larger AT88SC1608.
Thus the questions-
All these questions come to mind because the backdoor makes it so easy to extract the contents of the device they want you to trust. Some of you may be familiar with the GSM A5/1 algorithm having certain bits of the key set to a fixed value.
Judging by the wording of the documentation, Atmel gives the appearance that CryptoMemory are the perfect choice for holding your most valuable secrets.
Give us your thoughts…
Some people asked for some of those older Atmel parts after seeing the MEGA88 and ATMEGA169 teardowns.
Here’s a quick one on the AT90S8515. It’s still very popular even though it’s been replaced by the MEGA8515. It’s built on a larger process and it’s not planarized (.50um and below are planarized but you may find some .50um non-planarized)
8KB Flash, 512 Byte SRAM, 512 Byte EEPROM with 32 working registers. That’s sooo nice! 4x faster than the typical PIC.
There was a mistake in the above picture too when we highlighted the areas! We forgot to outline the EEPROM area.
The side of the array is touching the ‘8′ in 8KB EEPROM above and it runs vertical along-side the FLASH. So in theory there are two 8 bit FLAH arrays and a single 8 bit EEPROM area all running veritical in the “8KB Flash” highlighted area.
Do you see it? Give us your feedback!
An 8k FLASH, 512 bytes EEPROM, 512 bytes SRAM CPU operating 1:1 with the external world unlike those Microchip PIC’s we love to write up about .
It’s a 350 nanometer (nm), 3 metal layer device fabricated in a CMOS process. It’s beautiful to say the least; We’ve torn it down and thought we’d blog about it!
[Note: Clicking on pictures will give you a large ~13 MB file]
The process Atmel uses on their .35 micrometer (um) technology is awesome. The picture above is 200x magnified of the die (aka the substrate).
Using a little HydroFluoric Acid (HF) and we partially removed the top metal layer (M3). Everything is now clearly visible for our analysis.
After delaying earlier above, we know can recognize features that were otherwise hidden such as the Static RAM (SRAM) and the 32 working registers.
As we mentioned earlier, we used the word, “awesome” because check this out- It’s so beautifully layed out that we can etch off just enough of the top metal layer to leave it’s residue so it’s still visible depending on the focal point of the microscope! This is very important. See the pictures below to better understand.
The pictures above and below are the same pictures with the exception that the lower picture has M3 removed but the trough in the SIO2 remains (e.g. the layer has not been completely etched off).
Can you see why we said Atmel’s process is awesome? We removed obscuring metal but can still see where it went (woot!).
The two photos above contain two of the 30+ configuration fuses present however it makes a person wonder why did Atmel cover the floating gate of the upper fuse with a plate of metal (remember the microchip article with the plates over the floating gates?)
We highlighted a track per fuse in the above photos. What do you think these red tracks might represent?