Memory extraction

Started by Electronic Lithuania, September 8, 2004
I have an important question for the group members.
I am trying to find a company or person able to extract the program/data memory from a protected ATmega128 and the .jed from a Xilinx XCR3032.
The work will be paid within the limits of 3-5K USD.
I heard that http://www.semiresearch.com provides services such as memory recovery for all microcontrollers and programmable logic.
Does anyone have any reference about them?
 
Regards,
John Trompson
Digikey Inc.

__________________________________________________


I've always wondered about how easily this could be done. It would
be kind of bad if it was pretty easy. Is PIC more or less secure
than AVR?

--- In , Electronic Lithuania
<ltu_electronic@y...> wrote:
> I have an important question for the group members.
> I am trying to find a company or person able to extract the
> program/data memory from a protected ATmega128 and the .jed from a
> Xilinx XCR3032.
> The work will be paid within the limits of 3-5K USD.
> I heard that http://www.semiresearch.com provides services such as
> memory recovery for all microcontrollers and programmable logic.
> Does anyone have any reference about them?
>
> Regards,
> John Trompson
> Digikey Inc.
> __________________________________________________
>

Apparently it is possible for some devices. Xilinx is going to
extraordinary lengths to be certain that their FPGA devices and the
associated serial programming ROM are not attacked. The good news
about an FPGA is that it loses its configuration when it loses
power. The serial ROM that reprograms the FPGA on powerup is using
very heavy encryption between the ROM and the FPGA. Apparently ROMs
are not even interchangeable between FPGA devices.

One attack is to shave the plastic away and get inside with a
microscope (probably SEM) and look for the bits in the flash
memory. I don't think this is a hobbyist type of attack. You have
to want the code quite badly.

Given a knowledge of the input and output characteristics of a PIC,
reverse engineering seems easier. At least at the PIC level, most
things are intuitive. The thing about the FPGA losing configuration
is that it makes NSA happy. Power down the crypto box and lose all
the keys, etc. The ROM has the algorithm which is usually pretty
available but it doesn't have the keys. Xilinx has references on all
this stuff since apparently crypto is a big market for them.

I've toyed with the idea of building a pair of Enigma machines from
a couple of CPLDs just to watch the lights flash. When I get some
other projects off my plate... I know, software machines and
network packets would be easier.

--- In , "Phil" <phil1960us@y...> wrote:
> I've always wondered about how easily this could be done. It
> would be kind of bad if it was pretty easy. Is PIC more or less
> secure than AVR?
>
> --- In , Electronic Lithuania
> <ltu_electronic@y...> wrote:
> > I have an important question for the group members.
> > I am trying to find a company or person able to extract the
> > program/data memory from a protected ATmega128 and the .jed from
> > a Xilinx XCR3032.
> > The work will be paid within the limits of 3-5K USD.
> > I heard that http://www.semiresearch.com provides services such
> > as memory recovery for all microcontrollers and programmable logic.
> > Does anyone have any reference about them?
> >
> > Regards,
> > John Trompson
> > Digikey Inc.
> >
> >
> > __________________________________________________
> >

Hi,

I think the key here is that to extract code from a PIC or other similar
device would only be cost-effective if said PIC contained particular
mathematical algorithms, encryption keys or the like, which could not easily
be inferred from observation of its normal behaviour. An example would be
pay-TV smartcards. For most commercial applications, the functionality that
a PIC implements can be copied and implemented by a competent programmer at
a much lower cost than pulling the code from a competitor's PIC and
reverse-engineering it. External communications can be sniffed, etc. etc.

Regards,

Mike

----- Original Message -----
From: "rtstofer" <>
To: <>
Sent: Wednesday, September 08, 2004 10:49 PM
Subject: [piclist] Re: Memory extraction
>
> Apparently it is possible for some devices. Xilinx is going to
> extraordinary lengths to be certain that their FPGA devices and the
> associated serial programming ROM are not attacked. The good news
> about an FPGA is that it loses its configuration when it loses
> power. The serial ROM that reprograms the FPGA on powerup is using
> very heavy encryption between the ROM and the FPGA. Apparently ROMs
> are not even interchangeable between FPGA devices.
>

<<< snip >>>

> One attack is to shave the plastic away and get inside with a
> microscope (probably SEM) and look for the bits in the flash
> memory. I don't think this is a hobbyist type of attack. You have
> to want the code quite badly.
>
<<< snip >>>

Humm. There is a piece-of-cake, two-hour hobbyist way with stuff from
Radio Shack (Digikey), but I don't think I should post it to a
newsgroup. :P Only saying that because, if somebody wants to charge you
$10K to do it, call me first; I'll take the $10K for a couple of hours'
work.

I believe, from the research I have read, that the only safe ways are
encryption on the ROM or losing it on power-down.

Chad

=====
My software has no bugs, only undocumented features.
__________________________________

I don't disagree with what you are saying about a competent programmer,
but recreating a couple of K of firmware isn't that easy, especially
if there are timing issues. Compatibility has to be 100%. 90% ain't
good enough. There are people out there that will rip off a design
and just copy the firmware. I like that PICs have the ability to
protect me from low-tech pirates: make 'em design their own stuff or
pay big bucks to suck the FW out of my chips. At least that leaves a
paper trail. You can't ever be 100% secure, but it doesn't hurt to
have hurdles.

--- In , "Michael Puchol" <mpuchol@s...> wrote:
> Hi,
>
> I think the key here is that to extract code from a PIC or other
> similar device would only be cost-effective if said PIC contained
> particular mathematical algorithms, encryption keys or the like,
> which could not easily be inferred from observation of its normal
> behaviour. An example would be pay-TV smartcards. For most
> commercial applications, the functionality that a PIC implements
> can be copied and implemented by a competent programmer at a much
> lower cost than pulling the code from a competitor's PIC and
> reverse-engineering it. External communications can be sniffed,
> etc. etc.
>
> Regards,
>
> Mike
>
> ----- Original Message -----
> From: "rtstofer" <rstofer@p...>
> To: <>
> Sent: Wednesday, September 08, 2004 10:49 PM
> Subject: [piclist] Re: Memory extraction
> >
> > Apparently it is possible for some devices. Xilinx is going to
> > extraordinary lengths to be certain that their FPGA devices and the
> > associated serial programming ROM are not attacked. The good news
> > about an FPGA is that it loses its configuration when it loses
> > power. The serial ROM that reprograms the FPGA on powerup is
> > using very heavy encryption between the ROM and the FPGA.
> > Apparently ROMs are not even interchangeable between FPGA devices.
> >