Site icon Break IC, Recover MCU, Microcontroller Reverse Engineering

Secure Microcontroller Memory Recovery

As a first target to demonstrate the affordable process of Secure Microcontroller Memory Recovery, an early 2000s smartcard was chosen. It is based on the Hitachi HD6483102 chip fabricated with 0.8μm process with 2 metal layers and has embedded Mask ROM and EEPROM.

Secure Microcontroller Memory Recovery

The Mask ROM is protected against optical MCU reading with doping encoding. The Von-Newmann RISC 16-bit CPU with H8/300 architecture of this chip allows access to all resources in the linear address space and has a relatively simple instruction set [10]. The interesting property of this instruction set is if the most significant bit equals to 1 then the CPU will always execute single-cycle instructions without any branches. This can be achieved with a laser cutter [2] and the result is shown in Fig. 3.

Figure 3 Cuts in the data bus lines to modify instructions

In order to microprobe the data bus only opening in the passivation layer is required (Fig. 4). This cavity will help in holding the tip of the needle in place during the microprobing process.

Figure 4 Opening in passivation layer above the data bus line

Once the CPU is forced into execution of simple instructions it will access the whole memory by fetching all the addresses sequentially. This way the memory contents can be extracted by placing a microprobing needle over each bit of the data bus one at a time and recording the information on a digital storage oscilloscope. After that all the acquisitions could be synchronised with the Reset signal.

Exit mobile version