Hardware encrypt within HighVoltage?

Go To Last Post
25 posts / 0 new
Author
Message
#1
  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

The price of AVR's crack is about $300.

I want to use this method:

1,Write code into the MCU;
2,Use high-voltage( example:+12V) connect to MISO(or MOSI,or SCK)pin,for destroy ISP interface;
3,Use high-voltage connect to one pin of PORTD,for destroy the parallel interface;
4,Update the code by UART in self-programming mode.

May I do it?

Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

It may work, but it might not. The big danger is that you damage more than just the port interface circuit. Even worse, it might work on a prototype, but fail on random parts during the production run.

Are you sure the crack for $300 is real and not a scam ?

Markus

Markus

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Uhm, crack as in what? Read the code out of a locked AVR? You naughty boy!

From teh post I'm not exactly sure what you are asking.

There are pointy haired bald people.
Time flies when you have a bad prescaler selected.

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

He wants to blow out the interface pins so that crackers can't extract his firmware from the chip.

OP: Not worth it. As Markus says you might do all sorts of other damage to the chip. Also, the crackers extract the data via opening up the IC package to get at the die with high powered microscopes and such, not through the standard programming interfaces.

Best to come up with a solution which ties your firmware to your own hardware (a thread a while ago contain suggestions from members, including myself) to make copying more difficult.

Markus, yes, those cracking offers are real. A forum member here has an anecdote about how he tested one out, and had the firmware of a test chip cracked in only a few days.

- Dean :twisted:

Make Atmel Studio better with my free extensions. Open source and feedback welcome!

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Just for info, Google lead to this

https://www.avrfreaks.net/index.p...

which lead to this:

http://www.cl.cam.ac.uk/~sps32/m...

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

I was not aware that there were such low-cost options for cracking available. Did these services use invasive attack methods ?
These are supposed to need a lot of expensive and sophisticated equipment and skilled engineers...

Searching for 'crack' on avrfreaks turned up this thread from 2004: https://www.avrfreaks.net/index.p...
with a pointer to an interesting paper on the subject:
http://www.cl.cam.ac.uk/techrepo...

Markus

Markus

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

SNAP!

(as far as I know they use a laser to switch the state of the charge on the lock bit transistors - but maybe I just dreamt that?)

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

To:markus_b:
"It may work, but it might not" is worry of mine.
"Are you sure the crack for $300 is real and not a scam ? "-->Yes,of course.

To:abcminiuser:
Yes,I want to blow out the interface pins only for the crackers can't extract the code from the chip.

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Just a thought:

Add a lithium battery and some sensors to your hardware.
Put it all into a box which can't be opend anymore.

The AVR monitors the sensors periodically (Once per 120ms via watchdog interrupt).

If someone opens the box, the AVR will reckognize it and kill
itself (hara-kiri mode) by reversing its power supply.

If you use a pico power device, you would be able to protect
your device for more than 10 years.

Regards
Sebastian

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

> If someone opens the box, the AVR will reckognize it and kill
> itself (hara-kiri mode) by reversing its power supply.

Wouldn't a simple page erase for all flash pages suffice? It
requires no extra parts.

Jörg Wunsch

Please don't send me PMs, use email if you want to approach me personally.

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

The Schroedinger's cat thing is all very well but if I'm a dedicated hacker I'll buy a few of the product. OK on the first one I may make the mistake of going "in the front door", tripping one of the sensors and destroying the code but, having opened up one I can now see where you have the sensors positioned so on the next one I'll work my way in via a route that doesn't disturb the sensors (like something out of an action movie with Tom Cruise dangling into the vault from wires in the ceiling!)

Cliff

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

The fact is if you need a secure device... then buy a secure device... don't waste your time trying to secure an off the shelf chip that was never marketed as secure.

Writing code is like having sex.... make one little mistake, and you're supporting it for life.

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

What a shame Atmel don't do Rad Hard AVRs: http://www.atmel.com/dyn/product... - I can't help thinking one might have a job getting into one of those! (it's unlikely you can just melt the plastic packaging using fuming nitric acid in this case)

Cliff

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

The easiest way to protect your code, with a off the shelf part... get it custom screened... this way it looks like an ASIC and the 'hacker' will have no idea what chip is actually used, without A lot of work. While the $300 crack/dump is still valid, one would first need to know it's an AVR to know where to send the chip to be dumped.

Many manufacturers offer custoom screening in very modest quantities (though I've never tried to do this with Atmel) It is also possible to do this after purchase, but then it's more obvious as to what's been done.

Writing code is like having sex.... make one little mistake, and you're supporting it for life.

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Well, maxim has some secure items on their menu specially hardened against extracting firmware. Wonder how they do it.

Hmm, speaking of rad hard, make the hardware rad resistant, put a little radioactive stuff into the box (which will be lead) and just wait for the cracker to open it and laugh maniacaly ;-) Foolproof.

There are pointy haired bald people.
Time flies when you have a bad prescaler selected.

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

glitch wrote:
The easiest way to protect your code, with a off the shelf part... get it custom screened... this way it looks like an ASIC and the 'hacker' will have no idea what chip is actually used, without A lot of work. While the $300 crack/dump is still valid, one would first need to know it's an AVR to know where to send the chip to be dumped.

Actually many manufacturers use dremel or something to just scrape off the markings of the chips they want to keep secret.

But as with custom screened and scraped-off markings, somebody will at some point realize that the pinout resembles a certain device, if reverse engineering is really wanted.

- Jani

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Quote:
But as with custom screened and scraped-off markings, somebody will at some point realize that the pinout resembles a certain device, if reverse engineering is really wanted.

Obfuscate the schematic! Use -5V as GND and GND as +5V. etc. Ignore traditional paterns. Design a selfdestruct solder: when heated the second time, it will explode. Heh.

There are pointy haired bald people.
Time flies when you have a bad prescaler selected.

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Jepael wrote:
glitch wrote:
The easiest way to protect your code, with a off the shelf part... get it custom screened... this way it looks like an ASIC and the 'hacker' will have no idea what chip is actually used, without A lot of work. While the $300 crack/dump is still valid, one would first need to know it's an AVR to know where to send the chip to be dumped.

Actually many manufacturers use dremel or something to just scrape off the markings of the chips they want to keep secret.

But as with custom screened and scraped-off markings, somebody will at some point realize that the pinout resembles a certain device, if reverse engineering is really wanted.

- Jani

many packages like QFP's have common points for VCC & GND making it very hard to distinguish one from the other. I agree with somme reverse engineering one might be able to figure out the chip... but at the very least it makes it harder, as a full understanding of the hardware is required in order to make a good guess as to what the chip might be.

Writing code is like having sex.... make one little mistake, and you're supporting it for life.

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

What if you have your processor, a backup battery, and some sort of "very sensitive antena" and some circuitry, all enclosed in a shielded box?
Today we have "radio waves noise" everywhere. Inside the shielding, there should be no noise. If the shielding is opened, the AVR periodic check for noise will fail, and the flash be erased. The backup battery is to keep the AVR running when no power is applied, and should be able to keep the AVR running for as long as possible (until the product has no more "value"), running on a special cycle just checking the noise presence.

Edit: added missing "b" letter.

Embedded Dreams
One day, knowledge will replace money.

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Quote:
These are supposed to need a lot of expensive and sophisticated equipment and skilled engineers...

No - it can be done at almost no cost. Another user here knew how to do it, and I had them prove it by sending them a locked device. It was read out easily...

It was a AT90S2313 device IIRC or something along those lines. The classic AVR series - the newer mega devices are supposed to be harder to crack. But this was a long time ago - i wouldn't be suprised it by now easy cracks are known.

Regards,

-Colin

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

To:S-Sohn:
"hara-kiri mode" is a good idea!but if the system without Backup-Battery,it can not implemented.

Usually I am use MCU of LPC213x or MSP430Fxxxx,but this project cost lower,I choose the AVR's because its low-cost and high-speed.

The day before yesterday and earlier,I wanted to read the content of DEVICE-IDENTIFICATION-REGISTER(D.I.R.) and store it into EEPROM by code itself when the sysrem is fisrt POWER-ON. In that case ,the system can compare the content from the chip's D.I.R. with the content of EEPROM .If there is an error,it will reset and keep its loop.but now I understood it can only read by programmer.

The best method is OTP FUSE-BIT during download the code into MCU,but how to do it?

Open the package of MCU? many crackers have not equipments or instruments to do these things,because the device's price is so high.

Thanks every friend.

Last Edited: Fri. Mar 9, 2007 - 05:10 AM
  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Hi

Quote:
Inside the shielding, there should be no noise.

Well then he will use a Faraday Cage to get around this problem.

So, whatever means of protection there will be room to crack it.

Ken

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Wow this topic is interesting, my god the lengths these crackers go is quite amazing if you ask me, you really have to have some real skill to be able to take the guts out of a chip and just probe it like its nothing!

Does anyone have any sort of links like: http://www.cl.cam.ac.uk/~sps32/m...

I would love to take a look at that stuff!

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

The thing to remember is - the first time you crack a chip it's blood, sweat, and tears... but thereafter it's just production engineering. Once it's been done once, even if the process is complex, it's only a question of doing it again and again and again.

Neil

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

pykedgew wrote:
Quote:
Inside the shielding, there should be no noise.

Well then he will use a Faraday Cage to get around this problem.

So, whatever means of protection there will be room to crack it.

Dam :)!

Embedded Dreams
One day, knowledge will replace money.