Archive for the ‘Smartcards’ Category

ST19XL18P – K5F0A Teardown

Tuesday, May 22nd, 2012

A 4-metal, 350 nanometer fabrication process, EAL4+ smart card.  The device was fabricated in 2002, and yet the only main differences in today's latest ST19W/N series are the width of the ROM data bus feeding the decrypt block and the fabrication process (shrunk to 180 nm and 150 nm).

 

Figure 1:  Logo of the ST19XL18 die coded K5F0A.  Notice active shielding presence.

The device was dipped into a hydrofluoric acid (HF) bath until the active shielding fell off.  This saved about 10 minutes of polishing to remove the surface oxide and Metal 4 (M4).  It also helps begin the polishing process on the lower layers fairly evenly.

Figure 2:  Active shield is removed.  Device needs polishing now.

Once the passivation oxide is gone, the oxide between layers takes less than 2 minutes per layer to remove.  We purposely stop just before the Metal 3 (M3) surface is exposed, leaving the vias clearly visible (there are several gates tied to the ground of the Metal 4 (M4) mesh, as well as the active shield's begin and end vias).

Figure 3:  Metal 3 (M3) polish until only a thin layer of oxide remains.

The device was very modularly placed and routed.  The picture below is not 100% to scale but more or less highlights the various blocks present.  The MAP (modular arithmetic processor) consists of asymmetric and symmetric crypto functions (DES, RSA, etc).

Figure 4:  M3 with comments drawn into place.

The EEPROM control logic is actually in the lower left corner of the EEPROM block.  When drawing on the picture, highlighting that area was forgotten ;) .

Figure 5:  M2 layer

With Metal 3 (M3) removed and the M2 layer exposed, the device begins to look a lot less complicated.

 

Figure 6:  M1 layer

Metal 1 (M1) shows us all the transistors.  We did not polish down to the poly; most of the gates are understandable without it for the purposes of finding the clear data bus.

 

Figure 7:  Small memory area located behind EEPROM block.

 

Figure 8:  Second small memory area located behind the EEPROM block.

 

Most likely, the NVM areas in Figures 7 and 8 are related to trimming or security-violation logging.  No further investigation is planned on these areas (it isn't necessary).

 

Figure 9:  Clear ROM drivers feeding the 'clear' data bus, highlighted on each of the 3 layers.

It is now understandable why ST cannot achieve high performance on the ST19 platform.  Each logic block with access to the clear data bus drives it through a set of high-output drivers that are tri-stated (hi-Z) whenever that block is not selected.  All of the drivers therefore share the bus OR-tied, and only one set of 8 drivers is ever active at a time.  This is a very large and cumbersome way of building a MUX.
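To make the bus structure concrete, here is a small behavioural model of a shared tri-state data bus of the kind described above.  This is an added example written for this page, not ST's netlist or any Flylogic code; the block names and data values are constructed placeholders.  Each block that can source the bus owns eight output drivers with one common output enable, a disabled driver is hi-Z, and the model flags the two failure modes a one-hot enable scheme must never produce: contention (two blocks driving different levels) and a floating bus (no block driving).  A conventional mux is shown alongside for comparison; it selects one input and has neither failure mode.

```python
"""Toy model of a shared tri-state 'clear' data bus (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HI_Z = None  # a disabled driver contributes no level to the bus line


@dataclass
class BusSource:
    """One block (ROM, RAM, EEPROM, ...) with 8 drivers and a common enable."""
    name: str
    data: int               # 8-bit value the block presents on its drivers
    enable: bool = False    # output enable; False puts all 8 drivers in hi-Z

    def drive(self, bit: int) -> Optional[int]:
        """Level this block's driver puts on bus bit `bit`, or HI_Z."""
        return (self.data >> bit) & 1 if self.enable else HI_Z


def resolve_bus(sources: List[BusSource]) -> Tuple[Optional[int], List[str]]:
    """Resolve the eight bus lines from whatever drivers are enabled.

    Returns (value, faults). value is None if any line is faulty; faults
    lists 'float:<bit>' (no driver) and 'contention:<bit>' (drivers
    disagreeing) entries so the caller can see exactly which bits broke.
    """
    value = 0
    faults: List[str] = []
    for bit in range(8):
        levels = {s.drive(bit) for s in sources} - {HI_Z}
        if not levels:
            faults.append(f"float:{bit}")
        elif len(levels) > 1:
            faults.append(f"contention:{bit}")
        else:
            value |= levels.pop() << bit
    return (None if faults else value), faults


def select_source(sources: List[BusSource], name: str) -> None:
    """One-hot enable: exactly one block owns the bus, all others go hi-Z."""
    for s in sources:
        s.enable = (s.name == name)


def mux8(inputs: List[int], sel: int) -> int:
    """The same function built as a conventional mux: pick one input."""
    return inputs[sel] & 0xFF


if __name__ == "__main__":
    blocks = [BusSource("ROM", 0x3C), BusSource("RAM", 0xA5), BusSource("EEPROM", 0x0F)]
    select_source(blocks, "RAM")
    print("one-hot select:", resolve_bus(blocks))        # (0xA5, [])
    blocks[0].enable = True                              # second block wakes up
    print("two drivers:   ", resolve_bus(blocks))        # (None, ['contention:...'])
    select_source(blocks, "none")
    print("no driver:     ", resolve_bus(blocks))        # (None, ['float:0', ...])
    print("mux:           ", hex(mux8([0x3C, 0xA5, 0x0F], 1)))
```

The point of the comparison is that the tri-state version needs a one-hot enable decoder plus eight wide drivers per source, and any decoder bug turns into contention or a floating bus; the mux needs neither.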

As time permits, the ST19W and ST19N series will be looked at; we expect to find the same pattern again.  Overall, finding the clear data bus took 1.5 hours once the images were created, and most of that time was spent aligning the layers.

When MUXes Attack

Sunday, April 8th, 2012

 

In this image there are several flip-flops, AND gates, inverters and 8 MUXes.  The MUXes are highlighted with black boxes and a number (the bit weight).

Each MUX is basically a 3-input, 1-output selectable switch: the output is the complemented (inverted) value of whichever of the 3 inputs is selected.

Atmel AT90SC3232CS Smartcard Destruction

Friday, March 16th, 2012

Having heard that Atmel actually produced three variants of the AT90SC3232 device, we did some digging and found some of this previously never-seen-by-Flylogic AT90SC3232CS.  We already had several AT90SC3232 and AT90SC3232C parts.  We assumed that the CS was just a 3232C with an extra I/O pad.  Well, one should never ass-u-me anything!  The AT90SC3232CS is a completely new design based on the larger AT90SC6464C device.

Above:  A decapsulated sample of the TQFP44 packaged AT90SC3232CS devices we received.

 

Decapsulation revealed that Atmel actually did place an active shield over the surface of the device.  A 350nm, 4-metal process was used on the AT90SC3232CS, whereas the AT90SC6464C used a 350nm, 3-metal process.

Above: Active shield metal was removed by wet etching, leaving oxide residue.

A quick polishing session removes the residue seen in the previous photo.  Now the device looks very similar to the AT90SC6464C.

Above:  With the mesh removed Metal 3 is now exposed.

 

Since the AT90SC family all run encrypted code, for which even Atmel claims not to know the key, it is mandatory to polish the device down and image the areas of interest at each level in order to trace through the logic.

Above:  Polished to Metal 2 in our area of interest.

 

With the chip at Metal 2, it was time to go to Metal 1.  This is where the individual transistors are wired together into gates such as AND, OR, INVert, …

Above:  Metal 1 ready for imaging.

Not strictly required but always desirable, removal of Metal 1 leaves the poly/diffusion areas visible.  This is always helpful for telling P- and N-FETs apart for our purposes.

Above:  Poly/Diffusion layer exposed.

 

All of the images above were quick 50x mosaics.  Clicking on any of them will open the full version of the image.

Given the feedback received on the recent 3-metal display, we thought we would do it again.  This time, however, we imaged it at 1000x for a span of 25,000 pixels across by 2,413 down (25,000 is the max a JPEG will allow).

Having no knowledge of how the Atmel AVR smart card family works means we have to tear it down and trace out the data bus paths.  The next 4 images are just a sample of the real image we created.  The real image is so huge it would take days to download.

The next four images can be clicked on to open the full 25,000 pixel JPEG.  Metal 4 was not imaged because it was the active shield.  The active shield is an obstacle that can be ignored until the signals determined to be important have been identified.

Metal 3:

Metal 2:

Metal 1:

Poly:

 

Each of those files is 37.9 MB.  They are aligned for use in GIMP or Photoshop.  If you wish to download these same 4 images in higher quality, already overlaid, please click here.  This image is a layered TIFF and is 1.6 GB.

None of these images have been watermarked.  We ask that people respect our work and give proper credit if they are reused.  In these images you have 28 EEPROM bit outputs (most likely the crypto key, unique per part) and a 16-bit data bus coming into the area from the top of the picture.  When I briefly looked at the cropped image 'section.tif', I immediately spotted several 2-in, 1-out MUXes, several flip-flops (I caught 2 variants) and random glue logic.

This is definitely the memory encrypt-decrypt block (MED) or at least the entry of it ;) .

- – - – - – - – - – -

Update 03-17-2012 :: Added a few more hi-res but smaller pics

Above:  Small section taken from the section.tif image.  The layers have been tiled for viewing but should be stacked over each other if section.tif is opened in a proper viewer (Photoshop or GIMP will work).

The file above can be downloaded quickly in its layered form as a Photoshop .PSD or a layered .TIFF.

Please let us know if anyone is having problems with the images.

- – - – - – - – - – -

Update 03-18-2012 ::  Hosted the 1.6GB layered TIFF on Bit Torrent here.

Direct link, in case the one above gives problems: http://flylogic.net/chippics/at90sc3232cs/section.torrent

Blackhat TPM Talk Follow-up

Sunday, March 20th, 2011

Since speaking at BlackHat DC 2009, there have been several inquiries in regards to the security of the SLE66PE series smartcard family.

Here are some issues that should be pointed out:

We have heard, "..it took 6 months to succeed.."

The reality is that it took 4 months to tackle the obstacles found in any <200nm device, such as:

  1. Capacitance/load of the probe needles while the chip is running.
  2. Powering the device inside the chamber of a FIB workstation.
  3. Level-shifting the 1.8V core voltage, following what we learned in #1 above.
  4. Cutting out metal layers without creating electrical shorts.
  5. Other more minute issues regarding the physical size of the die.

Once the points above were overcome, the actual analysis required no more than approximately 2 months.

In addition, the techniques listed above apply to all devices in the <200nm category (SecureAVR, SmartMX, ST21, ST23).

We have heard, "..you said the Infineon SLE66 was the best device out there in the market.."

The Infineon SLE66PE is a very secure device; however, it and its competitors all have their strengths and weaknesses.

Some examples of weaknesses are:

  1. The layout of all Infineon SLE50/66 'P' or 'PE' parts is very modular by design.
  2. Lack of penalty if the active shield is opened.
  3. Execution begins from a CLEAR (unencrypted) ROM which is 'invisible' to the user.
  4. The CPU core is based on a microcode/PLA type implementation.
  5. Power-on reset always begins execution from the externally supplied clock.
  6. The current design is based on a previous 600nm version designed around 1998.
  7. 3-metal-layer design for "areas of interest" (the 4th layer is the active shield).

Some examples of strengths are:

  1. The 'PE' family uses bond pads located up the middle of the device.
  2. The ROM key must be loaded before the part can be attacked (otherwise you only see their clear ROM content).
  3. The MED is quite powerful if used properly for EEPROM content.
  4. The mesh is consistent across the device and divided into sections.
  5. Auto-increment of the memory base address.
  6. Mixing of physical vs. virtual address space for MED / memory fetch.

No device is perfect.  All devices have room for improvement.  Some things to consider when choosing a smartcard are:

  • Does CPU ever run on external clock?
  • What is the penalty for an active-shield breach?
  • What is the fabrication process geometry?
  • How many metal layers does the device have?
  • List of labs who might have evaluated this device and their capabilities.

Lastly, just because a device has been Common Criteria certified does not mean much to an attacker armed with current tools.  This is a common oversight.

There is an ST23 smartcard device which has recently been certified EAL6+, and the device has an active shield with almost 1 micron wide tracks and 1-2 micron spacing!!!  This makes a person scratch their head and say, "WTH????"

We have some new content to post soon on the blog.  Be sure to tune in for that.  We will tweet an alert as well.

Atmel CryptoMemory AT88SC153/1608 :: Security Alert

Wednesday, February 13th, 2008

A "backdoor" has been discovered by Flylogic Engineering in the Atmel AT88SC153 and AT88SC1608 CryptoMemory.

Before we get into this more, we want to let you know immediately that this backdoor only involves the AT88SC153/1608 and no other CryptoMemory devices.

The backdoor involves restoring an EEPROM fuse with ultraviolet (UV) light.  Once the fuse bit has been returned to a '1', all memory contents are permitted to be read or written in the clear (unencrypted).

Normally, in order to do so, you need to either authenticate to the device or use the "secure code" (given out once) as explained in the AT88SC153 datasheet and the AT88SC1608 datasheet.

For those of you unfamiliar with Atmel's CryptoMemory, these are serial non-volatile memories (EEPROM) that support a clear or secure channel of communication between a host (typically an MCU) and the memory.  What is unique about CryptoMemory is its capabilities in establishing the secure channel (authenticating to the host, etc).

Figure 1:  AT88SC153 magnified 200x.

 

Figure 2:  AT88SC1608 magnified 200x.

These devices include:

  • High-security Memory Including Anti-wiretapping

  • 64-bit Authentication Protocol

  • Secure Checksum

  • Configurable Authentication Attempts Counter

  • Multiple Sets of Passwords

  • Specific Passwords for Read and Write

  • Password Attempts Counters

  • Selectable Access Rights by Zone

Figure 3:  Commented AT88SC153.

 

Figure 4:  Commented AT88SC1608.

Section 5 of the datasheet, labelled "Fuses", clearly states, "Once blown, these EEPROM fuses can not be reset."

This statement is absolutely false.  UV light will erase the fuses back to a '1' state.  Care must be taken not to expose the main memory to the UV, or else it too will be erased.

We are not going to explain the details of how to use the UV light to reset the fuse.  We have tried to contact Atmel but have not heard anything back from them.

Reading deeper into the datasheet, under Table 5-1, Atmel writes, "When the fuses are all "1"s, read and write are allowed in the entire memory."

As strange as it reads, they really do mean that even if you have set up security rules in the configuration memory, it doesn't matter.  The fuses override everything, and all memory areas are readable in the clear without the need for authentication or an encrypted channel!  The attacker can even see what the "Secure Code" is (it is not given out in the public documentation, nor with samples).  Atmel was even kind enough to leave test pads everywhere so attackers of every level (entry to expert) can learn.

Our proof of concept was tested on samples we acquired through Atmel’s website.  Atmel offers samples to anyone however they do not give out the “Secure code” as mentioned above. 

  • The secure code of the AT88SC153 samples was “$D_ $F_ $7_”. 

  • The secure code of the AT88SC1608 was “$7_ $5_ $5_”.

We are not going to show you the low nibble of the 3 bytes, to make sure we don't give the code out to anyone.  This is enough proof for whoever else knows this code: that person (or persons) can clearly see we know their transport code, which appears to be common to all samples (i.e. all die on a wafer contain the same secure code until a customer orders parts, at which time that customer receives their own secure code).  A person reading this cannot guess the secure code, because there are 12 bits to exhaustively search and you only have 8 tries ;) .

Of all the CryptoMemory products, only the AT88SC153/1608 has this backdoor.  We have successfully analyzed the entire CryptoMemory product line and can say that the backdoor doesn't exist in any other CryptoMemory part.  None of the CryptoMemory parts are actually as "secure" as they make it seem.  The words "smoke n' mirrors" come to mind (it is almost always like that).  In this particular category of CryptoMemory there are two parts, the AT88SC153 and the larger AT88SC1608.

Thus the questions- 

  • Why has Atmel only backdoored this part (NSA for you conspiracists)?
  • Who was the original intended customer supposed to be?
  • Was the original intention of these devices to be used in a product that used some kind of cryptography?
  • If the above was true, was this device originally intended to be a cryptographic key-vault?

All these questions come to mind because the backdoor makes it so easy to extract the contents of the device they want you to trust.  Some of you may be familiar with the GSM A5/1 algorithm having certain bits of the key set to a fixed value.

Judging by the wording of the documentation, Atmel gives the appearance that CryptoMemory is the perfect choice for holding your most valuable secrets.

Give us your thoughts…

ST201: ST16601 Smartcard Teardown

Monday, December 17th, 2007

ST SmartCards 201 – Introduction to the ST16601 Secure MCU

This piece is going to be split into two articles- 

  • The first, this article, is actually a primer on all of the ST16XYZ series smartcards using this type of mesh technology.  They have undergone a few generations; we consider this device to be a 3rd generation part.
  • In a separate article yet to come, we are going to apply what you have read here to a smartcard used by Sun Microsystems, Inc. called Payflex.  From what we have gathered on the internet, they are used to control access to Sun Ray ultra-thin terminals.  Speaking of the Payflex cards, they are commonly found (new and used) on eBay.

The ST16601 originated as far back as 1994.  It originally appeared in a 1.2 um, 1-metal CMOS process and was later shrunk to 0.90 um, 1-metal CMOS to support a 2.7v – 5.5v supply range.

It appears to be a later generation of the earlier ST16301 processor featuring larger memories (ROM, RAM, EEPROM).

The ST16601 offers (quick spec is here):

  • 6805 CPU core with a few additional instructions
  • Lower instruction cycle counts vs. the Motorola 6805.
  • Internal clock can run up to 5 MHz at 1:1 vs 2:1.
  • 6K bytes of ROM
  • 1K bytes of EEPROM
  • 128 bytes of RAM
  • Very high security features including EEPROM flash erase (bulk erase)

Although it was released in 1994, it was still being advertised in this article in 1996.  Is it possible an 'A' version of the ST16601 was released without a mesh?  We know the ST16301 was, so anything is possible.

 

Above:  ST16301 1.2um “secure” MCU sporting 160 bytes of RAM, 3K bytes of ROM, and 1K bytes of EEPROM and NO TOP METAL PROTECTION (MESH).

Above:  Original 1994 1.2um ST16601B.  Notice this part has been covered in a mesh that was basically a humongous ground plane over the device.

Above:  Final revision of the ST16601 (C?).  The part has been shrunk to 0.90um and now has ST's 2nd generation mesh in place.  The newer mesh, still in use today, consists of fingers connected to ground and a serpentine sense line connected to power (VDD).

Using our delayering techniques, we removed the top metal mesh from the 1997 version of the part.  The part numbering system was changed from 1995 onward so as not to tell you what part something really is.  You have to be knowledgeable about the features present and then play match-up on their website to determine the real part number.

As you can see, this part is clearly an ST16601 except that it is now called a K3COA.  We know that the '3' represents the entire ST16XYZ series from 1995-1997, but we'll get into their numbering system when we write the ST101 article (we skipped it and jumped straight to ST201 to bring you the good stuff sooner!).

Above:  1000x magnification of the beginning of the second generation mesh used on the 1995+ parts.  This exact mesh is still used today on their latest technology sporting 0.18um and smaller!  The difference is the wire size and spacing.

In the above image, green is ground and red is connected to power (VDD).  Breaking this could result in loss of ground to a lower layer as well as loss of the sense signal itself.  The device will not run with a broken mesh.

Above you can see Flylogic has successfully broken their mesh, and we did it without the use of a Focused Ion Beam workstation (FIB).  In fact, we are the ONLY ONES who can open the ST mesh at our leisure and invasively probe whatever we want.  We've been successful down to 0.18um.

Using techniques we call "magic" (okay, it's not magic but we're not telling ;) ), we opened the bus and probed it while keeping the chip alive.  We didn't use any kind of expensive SEM or FIB.  The equipment used was available back in the 90's to the average hacker!  We didn't even need a university lab.  Everything we used was commonly available for under $100.00 USD.

This is pretty scary when you think that they are certifying these devices under all kinds of certifications around the world.

Stay tuned for more articles on ST smartcards.  We wanted to show you some old-school devices before showing you current, much smaller ones, because you have to learn to crawl before you can walk!

Infineon SLE4442

Saturday, December 1st, 2007

The SLE4442 has been around for a long time.  Spanning a little more than 10 years in the field, it has only now begun to be replaced by the newer SLE5542 (we have analyzed this device too and will write up an article soon).

It is basically a 256-byte, 8-bit-wide EEPROM with special write protection.  In order to successfully write to the device, you need to know a 3-byte password called the Programmable Security Code (PSC).  The code is locked tightly inside the memory area of the device, and if you try to guess it you have 3 tries before being permanently locked out forever (well, forever for some; we can always perform magic on the part).

Note:  Clicking on any picture except the diagram will open a larger ~2 MB, 2400 * ~2400 image in a separate window.

The photo above shows the entire substrate.  There was still some dirt on the die but it didn't affect our interests.  The geometry of the device is pretty big (> 2 um).  It has one polysilicon layer and one metal layer, fabricated using an NMOS process.

Note:  Just because the device is big does not by itself make an attack easy, but it does make execution of an attack easier for an attacker without a large budget.

The above diagram has been taken from Page 7 of the SLE4442 PDF. 

A successful attack on this device means an attacker knows the PSC, which enables write operations to the device under attack, or has the ability to clone the device under attack into a fresh new target that can act like the original.  We'll discuss the PSC in more detail below.

We have pretty much identified all the important areas listed in the Page 7 diagram in the above picture.  We can again see a test circuit that has had its enable sawn off during production.  We can see the enable line looping back toward the die that was placed to the right of this one.  Notice the duck?  Hrmmmm… Seems to be pointing at 2 test points.  We'll just say that the duck probably knows what he's looking at ;)

We left out a few areas noted in the block diagram; however, the most important areas have been highlighted in red.

  

We removed the top metal (the only metal layer) and you can now see the diffusion and poly layers.  If you understand NMOS circuits, you can literally take these two pictures and create a schematic from them.

Possible attacks on the device:

  • Electrical glitches:  Glitches fed through the VCC / CLOCK lines are possible.  The circuit's latches are all toggled from the serial clock provided by the user.
  • Optical erasure:  UV seems to clear cells of the EEPROM to zero.  Masking the EEPROM except for the 3 PSC bytes would result in a PSC of $00,$00,$00 for that particular device.  Note, however, that this is not a favorable attack, as the device would probably be rejected by the host it belongs to.
  • Optical glitches:  These give strange results.  An optical glitch in the right area might produce readback of the PSC through command $31 (Read Security Memory).
  • Bus attacks:  Sitting on the data bus will show you the PSC of the device.  This method is effective but not easily accomplished by most.
  • PSC control logic:  Find the right signal in this area and you can make the device believe a valid PSC has previously been given, allowing readback of the PSC through command $31.  This is our preferred method; just ask the duck ;) .
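To make the PSC mechanism and its 3-try lockout concrete, below is a behavioural model of the SLE4442 security memory together with the host-side verification sequence.  This is an added example written for this page, not Infineon's code or Flylogic's tooling.  The command codes ($31 read security memory, $33 compare verification data, $39 update security memory) and the layout of the security memory (byte 0 = error counter, bytes 1-3 = PSC) follow the public datasheet; everything else is a modelling assumption: the error counter is treated as the three low bits of byte 0, an unverified read of the PSC bytes returns $00, programming can only clear bits while an erase (setting bits back to 1) is only honoured after all three compares matched, and the `uv_erase` method simply zeroes the chosen bytes to mirror the optical-erasure observation in the list above.  The PSC value in the demo is constructed.

```python
"""Constructed behavioural model of the SLE4442 PSC check and error counter."""
from typing import Iterable, List

CMD_READ_SECURITY = 0x31     # read security memory: EC byte + 3 PSC bytes
CMD_COMPARE_VERIFY = 0x33    # compare verification data: one PSC byte
CMD_UPDATE_SECURITY = 0x39   # update security memory: one byte

EC_BITS = 0x07               # assumption: three usable error-counter bits = 3 guesses


class SLE4442Model:
    """Security memory state machine (model, not the silicon)."""

    def __init__(self, psc: bytes) -> None:
        if len(psc) != 3:
            raise ValueError("PSC is three bytes")
        # address 0 = error counter (EC), addresses 1..3 = PSC
        self.security = bytearray([0xFF]) + bytearray(psc)
        self.verified = False
        self._match: List[bool] = [False, False, False]

    def locked(self) -> bool:
        """All counter bits consumed: no further verification is possible."""
        return (self.security[0] & EC_BITS) == 0

    def command(self, cmd: int, addr: int, data: int = 0):
        if cmd == CMD_READ_SECURITY:
            # assumption: PSC bytes read as 0x00 until the PSC has been verified
            psc = bytes(self.security[1:4]) if self.verified else b"\x00\x00\x00"
            return bytes([self.security[0]]) + psc
        if cmd == CMD_COMPARE_VERIFY:
            if addr not in (1, 2, 3) or self.locked():
                return False
            self._match[addr - 1] = (self.security[addr] == (data & 0xFF))
            return True      # the card never reports the compare result directly
        if cmd == CMD_UPDATE_SECURITY:
            return self._update(addr, data & 0xFF)
        raise ValueError(f"unsupported command 0x{cmd:02X}")

    def _update(self, addr: int, data: int) -> bool:
        if self.verified:
            self.security[addr] = data          # full write access once verified
            return True
        if addr != 0:
            return False                        # PSC bytes not writable before verification
        if (data & ~self.security[0] & 0xFF) == 0:
            self.security[0] &= data            # programming only clears bits (one guess spent)
            self._match = [False, False, False]
            return True
        # setting bits needs an erase, which the card only performs after all
        # three compares matched; this is how a correct PSC is acknowledged
        if all(self._match):
            self.security[0] = data
            self.verified = True
            return True
        return False

    def uv_erase(self, addresses: Iterable[int]) -> None:
        """Constructed attack step: UV returns the selected cells to 0 (post's observation)."""
        for a in addresses:
            self.security[a] = 0x00


def verify_psc(card: SLE4442Model, guess: bytes) -> bool:
    """The datasheet's four-step host sequence; True if the card accepted the PSC."""
    ec = card.command(CMD_READ_SECURITY, 0)[0]             # 1. read EC
    remaining = ec & EC_BITS
    if remaining == 0:
        return False                                        # already locked out
    highest = 1 << (remaining.bit_length() - 1)
    card.command(CMD_UPDATE_SECURITY, 0, ec & ~highest & 0xFF)  # 2. clear one EC bit
    for i, b in enumerate(guess):
        card.command(CMD_COMPARE_VERIFY, i + 1, b)          # 3. present PSC bytes
    card.command(CMD_UPDATE_SECURITY, 0, 0xFF)              # 4. erase EC back to 1s
    return (card.command(CMD_READ_SECURITY, 0)[0] & EC_BITS) == EC_BITS


if __name__ == "__main__":
    card = SLE4442Model(b"\x12\x34\x56")                   # constructed PSC
    for attempt in (b"\x00\x00\x00", b"\xaa\xbb\xcc", b"\x12\x34\x56"):
        print(attempt.hex(), "->", verify_psc(card, attempt),
              "EC =", hex(card.command(CMD_READ_SECURITY, 0)[0]))
    print("PSC readable after verify:", card.command(CMD_READ_SECURITY, 0)[1:].hex())
    burnt = SLE4442Model(b"\x12\x34\x56")
    for _ in range(3):
        verify_psc(burnt, b"\xff\xff\xff")
    print("locked after 3 bad guesses:", burnt.locked())
```

Two things the model makes visible: a wrong guess is only detectable by the host through the error counter failing to return to all ones, which is why the counter and the compare latches, not the PSC bytes themselves, are the interesting signals for the "PSC control logic" attack above; and the UV path turns the whole check into a comparison against $00,$00,$00 without ever touching the counter.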

The security model used on this type of device is one in which the host environment is trusted.  This is a risky way of thinking but, ironically, it has been used a lot (FedEx/Kinko's payment cards (SLE4442, SLE5542), telephone cards in use worldwide (ST1335, ST1355), laundry machine smartcards (AT88SC102)).

Proof of failure of this trust model has been shown in places such as:

  • Phone card emulation in Europe.  It became so bad that metal detectors were placed inside the phones' smartcard slots to deter eavesdropping.
  • FedEx/Kinko's was successfully compromised by a man named Strom Carlson.  He demonstrated the abuse of the SLE4442 in use by Kinko's at the time.  You can read an article about it here.