Posts Tagged ‘MCU’

Atmel AT91SAM7S Overview

Thursday, April 3rd, 2008

Atmel produces a number of ARM based devices in their portfolio of products. We had one laying around the lab so here we go as usual…

The device was a 48 pin QFP type package. We also purchased a sample of the other members of the family although the initial analysis was done on the AT91SAM7S32 part shown above. All pictures will relate to this specific part even though there is not a signifigant difference between the other members of this line except memory sizes.

After decapsulating the die from inside the QFP, we find a beautifully layed out 210nm 5 metal design! Thats right, 5 metal layers! Strangely enough, we would have thought this was a 220nm 5 metal but apparently Atmel doesn’t have a .22um process so this is matching their .21um.

The core runs at 1.8v and allows 1.65v operation (thus it is their ATC20 process being used). The datasheet on the device can be found here. The 32KB Flash part also contains 8KB of SRAM (that’s a lot of ram!).

Notice on this particular layout, there is CMP filler metal (e.g. dead metal, metal slugs that are not connected to anything floating in SIO2) covering almost the entire die.

The picture above actually has had the top 2 metal layers removed. Metal 5 (M5) being the highest with the CMP filler and some power planes. Metal 4 (M4) had additional power planes and routing wires.

With Metals 1-3 still present, we can get a nice overview of the floorplan now. We can see the Flash, Fuses, and SRAM clearly. The Flash has a solid coating of metal over the entire cell area which has become common from Atmel to prevent UV light attacks we suppose?

We can now label the areas on the original top metal overview photo. There is a small boot-rom loader present on the device as well and is explained in the manual.

The picture above shows some of the bits of this ROM.

In the above picture lay the configuration fuses. Single cell’s of EEPROM type memory where any given cell can be set or cleared independently of another. Atmel layed them out very orderly as we see typically. It should be noted that these fuses are buried under 3 metal layers!

These cells were actually on Metal 1 and 2 but there are connections via Metal 3 as well.

There were additional power planes across the lower area of the photo from Metal 4 and 5 that cover those fuses however this isn’t buying them any security if the actual lock bits were buried there. A laser can go right through it all keeping the power-bus in tact with a hole in it.

Finally, the Atmel part number of this die. The CMP filler is visible in this picture too.

In summary, this is a very well secured device. Fuses buried in a 5 metal layer design make the Microchip DSPIC’s look like a piece of cake in comparision (They are 350nm 4 metal).

We didn’t test this, but we are sure UV will set this fuses to a bad state if you can get the light to the floating gate since most all Atmel’s behave this way.

Nice job Atmel!

Tags: , ,
Posted in Atmel Corp Device Reviews | 5 Comments »

AT90S8515 – Legacy!

Thursday, February 7th, 2008

Some people asked for some of those older Atmel parts after seeing the MEGA88 and ATMEGA169 teardowns.

Here’s a quick one on the AT90S8515. It’s still very popular even though it’s been replaced by the MEGA8515. It’s built on a larger process and it’s not planarized (.50um and below are planarized but you may find some .50um non-planarized)

8KB Flash, 512 Byte SRAM, 512 Byte EEPROM with 32 working registers. That’s sooo nice! 4x faster than the typical PIC.

There was a mistake in the above picture too when we highlighted the areas! We forgot to outline the EEPROM area.

The side of the array is touching the ’8′ in 8KB EEPROM above and it runs vertical along-side the FLASH. So in theory there are two 8 bit FLAH arrays and a single 8 bit EEPROM area all running veritical in the “8KB Flash” highlighted area.

Do you see it? Give us your feedback!

Tags: , ,
Posted in Atmel Corp Device Reviews | 9 Comments »

ATMEGA88 Teardown

Thursday, January 24th, 2008

An 8k FLASH, 512 bytes EEPROM, 512 bytes SRAM CPU operating 1:1 with the external world unlike those Microchip PIC’s we love to write up about :) .

It’s a 350 nanometer (nm), 3 metal layer device fabricated in a CMOS process.  It’s beautiful to say the least;  We’ve torn it down and thought we’d blog about it!

[Note:  Clicking on pictures will give you a large ~13 MB file]

The process Atmel uses on their .35 micrometer (um) technology is awesome.  The picture above is 200x magnified of the die (aka the substrate).

 

Using a little HydroFluoric Acid (HF) and we partially removed the top metal layer (M3).  Everything is now clearly visible for our analysis.

After delaying earlier above, we can now recognize features that were otherwise hidden such as the Static RAM (SRAM) and the 32 working registers.

As we mentioned earlier, we used the word, “awesome” because check this out- It’s so beautifully layed out that we can etch off just enough of the top metal layer to leave it’s residue so it’s still visible depending on the focal point of the microscope!  This is very important.  See the pictures below to better understand.

The pictures above and below are the same pictures with the exception that the lower picture has M3 removed but the trough in the SIO2 remains (e.g. the layer has not been completely etched off). 

Can you see why we said Atmel’s process is awesome?  We removed obscuring metal but can still see where it went (woot!).

 

The two photos above contain two of the 30+ configuration fuses present however it makes a person wonder why did Atmel cover the floating gate of the upper fuse with a plate of metal (remember the microchip article with the plates over the floating gates?)

 We highlighted a track per fuse in the above photos.  What do you think these red tracks might represent?

Tags: , , ,
Posted in Atmel Corp Device Reviews | 16 Comments »

Security Mechanism of PIC16C558,620,621,622

Tuesday, January 22nd, 2008

Last month we talked about the structure of an AND-gate layed out in Silicon CMOS.  Now, we present to you how this AND gate has been used in Microchip PICs such as PIC16C558, PIC16C620, PIC16C621, PIC16C622, and a variety of others.

If you wish to determine if this article relates to a particular PIC you may be in possession of, you can take an windowed OTP part (/JW) and set the lock-bits.  If after 10 minutes in UV, it still says it’s locked, this article applies to your PIC. 

IF THE PART REMAINS LOCKED, IT CANNOT BE UNLOCKED SO TEST AT YOUR OWN RISK.

The picture above is the die of the PIC16C558 magnified 100x.  The PIC16C620-622 look pretty much the same.  If there are letters after the final number, the die will be most likely, “shrunk” (e.g. PIC16C622 vs PIC16C622A). 

Our area of concern is highlighted above along with a zoom of the area.  

When magnified 500x, things become clear.  Notice the top metal (M2) is covering our DUAL 2-Input AND gate in the red box above.

We previously showed you one half of the above area.  Now you can see that there is a pair of 2-input AND gates.  This was done to offer two security lock-bits for memory regions (read the datasheet on special features of the CPU).

Stripping off that top metal (M2) now clearly shows us the bussing from two different areas to keep the part secure.  Microchip went the extra step of covering the floating gate of the main easilly discoverable fuses with metal to prevent UV from erasing a locked state.  The outputs of those two fuses also feed into logic on the left side of the picture to tell you that the part is locked during a device readback of the configuration fuses.

This type of fuse is protected by multiple set fuses of which only some are UV-erasable.  The AND gates are ensuring all fuses are erased to a ’1′ to “unlock” the device.

What does this mean to an attacker?  It means, go after the final AND gate if you want to forcefully unlock the CPU.  The outputs of the final AND gate stage run underneather VDD!! (The big mistake Microchip made).  Two shots witha laser-cutter and we can short the output stages “Y” from the AND-gate to a logic ’1′ allowing readback of the memories (the part will still say it is locked). 

Stripping off the lower metal layer (M1) reveils the Poly-silicon layer.

What have we learned from all this?

  • A lot of time and effort went into the design of this series of security mechanisms.
  • These are the most secure Microchip PICs of ALL currently available.  The latest ~350-400nm 3-4 metal layer PICs are less secure than these.
  • Anything made by human can be torn down by human!

:->

Tags: , , , , , , , ,
Posted in Microchip Technology, Inc. Reviews | 2 Comments »

Atmega169P (Quick Peek)

Tuesday, November 13th, 2007

We were curious if Atmel has finally shrunk the AVR series smaller than the current 350nm 3 metal layer process. Their main competitors (Microchip) have began showing 350nm 4 metal layer devices and Atmel has a few new product lines out (CAN, Picopower, and USB featured devices).

We chose to examine their picoPower line of AVR’s since they claim true 1.8v operation. The only picoPower device in stock from Digikey was the ATMEGA169P. We used the 64 pin TQFP package for our review.

We took some quick images of some areas we think you will enjoy-

Delayering the device is one of the steps in analyzing any substrate. The part below was being delayered to remove it’s top two metal layers. The part is in-between Metal3 (M3) and Metal1 (M1) right now. Some of Metal2 (M2) has begun to remove. More time would finish off the removal of M2 but this was enough for us.

We are very familiar with the Atmel AVR line (to include the AT90SC smartcard family) and thus left it in the package not being concerned (there are various reasons to remove it completely out of the carrier it is bonded in which we won’t get into here).

The lower corner has the die identification (AT 355B6), Corporate logo, and the year.

A picture of the Flash and EEPROM output areas-

It is our opinion that this processor is one of the most secure from the less-than 32 bit MCU off-the-shelf choices out there. There are debug test-points spread around the device (we would love to hear feedback from whoever thinks they see them hint hint) but don’t try to probe them if the device is locked. Atmel wised up around 2005 are turned those off if the lockbits are set (Hello Arne!).

Tags: , ,
Posted in Atmel Corp Device Reviews | 4 Comments »