We have noticed a few different die revisions on various Microchip’s substrates that caught our attention.Â In most case whenÂ a company executesÂ any type of change to the die, they change the nomenclature slightly.Â An example is the elder PIC16C622.Â After some changes, the later part was named the PIC16C622A and there was major silicon layout changes to the newer ‘A’ part.Â The PIC16C54 has been through three known silicon revs (‘A’ – ‘C’) and has now been replaced by the PIC16F54.
However, we’ve noticed two different devices from them (PIC12F683 and PIC18F1320) that caught our eye.Â The PIC12F683 changes seemÂ purely security related concerns.Â The code protection output track was rerouted.
Our guess- They were concerned the magic track was too easilly accessable.
We will focus this article to the PIC18F1320 and consider this as a follow-up to our friends at Bunnie Studios, LLC.Â A few years ago Bunnie wrote an article about being able to reset the fuses of the PIC18F1320 to a ’1′ thus unlocking the once protected PIC.
Above:Â The original PIC18F1320 without extra CMP fill.
Above:Â The newly improvised second generation PIC18F1320 with fill patterns place over open areas.
You might ask yourself:Â What are they hiding?Â We’ll show you-
Above:Â This is a 500 magnification view of four fuse cells.Â The part contains three metal layers however, the top layer has been partially removed by wet-etching techniques.Â This allows us to see below in denser areas.
Above:Â The newly improvised second generation PIC18F1320 now has these cells covered aka Bunnie attack prevention!
Conclusion:Â Did they archieve their goal?Â From an optical attack, sort-of.Â They are not expecting the attacker to be able to selectively remove this covering metal.Â Stay tuned for part II of this report where we show you this area with the covering metal removed and the fuses exposed once again!