Popular Science Cracking MCU Technology, It’s That Simple

The security level of MCU is gradually improving, and some companies have even launched secure master controls. This is a good phenomenon, indicating that people are paying more and more attention to information security and program security in the embedded field. However, for many special industries, such as consumer electronics, low-cost communication modules, power control modules, etc., due to cost pressure and replacement speed issues, they cannot use more secure master control MCUs. A large part of products are still using 51 single-chip microcomputers.

Everyone may know that it is easy to crack 51 single-chip microcomputers

but why it is easy and how to crack it may not be clear to many people. Here I will combine the information compiled by some predecessors on the Internet and my own experience to make a simple analysis of MCU cracking technology.

Don’t think that decryption is very complicated. It is not like developing a product. First determine customer needs or the main functions of new products, then establish a project to determine technical indicators, assign software and hardware development tasks, debug programs based on hardware, and then verify functions, test bugs, and do environmental tests. There are many ways to decrypt in the industry, and everyone’s ideas for cracking are different. But it can be roughly divided into several types.

1.Software cracking

The method of using software to crack the target microcontroller will not cause physical damage to the target MCU components. It is mainly used for WINBONGD, SYNCMOS microcontrollers and GAL gate arrays. This method uses software decryption equipment, follows certain steps, executes the program in the chip to send instructions outside the chip, and then intercepts it with the decryption equipment. In this way, the program inside the chip is decrypted (GAL uses logical guessing), and the program in the encrypted microcontroller can be obtained.

2.Hardware cracking process

Testing

Use high-end programmers and other equipment to test whether the chip is normal and save the configuration word.

3.Uncovering

Use manual or special uncovering equipment to uncover. The uncovering here does not mean that the microcontroller or other MCU really has a cover. To explain briefly, MCU is actually a large-scale integrated circuit, which is composed of N circuits, and the wafer is the carrier of the integrated circuit. After the wafer is packaged, it forms the IC chip we use in daily life. There are many packaging forms, such as TSSOP28, QFN28, etc. You can go to Baidu to search by yourself, and I will not repeat it here.

4.Modify the circuit

For different chips, provide corresponding drawings and let the manufacturer modify the circuit, the purpose is to make the storage area of ​​MCU readable. Some MCUs do not allow the data in Flash or E2PROM to be read by default, because there is a hardware circuit for protection, and once the encryption connection is cut off, the program is exposed and readable. As shown in Figure 2

5.Read the program

Take back the modified MCU and read the program directly with the programmer, which can be a HEX file or a BIN file.

6.Burn the sample to the customer

According to the read program and configuration, burn it into the target MCU, so that the MCU is cracked. So far, the hardware cracking method has been successfully completed.

7.Combining software and hardware

Using a combination of software and hardware requires a very familiar understanding of the internal structure of the chip. There are also other cracking technologies, such as electronic detection attacks, fault generation technology, etc., but the ultimate goal is only one, that is, to be able to imitate the function of the target MCU.

Seeing this, everyone should understand that cracking the MCU cannot restore the program in the MCU intact. Current technology cannot do it, at least it should not be done in China. In response to the above situation, encryption chips came into being. In the early stage, they could really protect the security of MCU, but vulnerabilities were soon found.

Let me give an example of actual cracking and analyze it, so that everyone can understand it.

Encryption principle:

MCU and encryption chip each store an authentication key and store the same encryption algorithm;
MCU generates a random number and sends it to the encryption chip, which encrypts it with the secret key and returns the ciphertext. At this time, after the MCU decrypts, it compares whether the plaintext is equal to the generated random number. If they are equal, the program runs normally; if they are not equal, an error is handled.

Because the pirates do not have this secret key, and the data interacting between the encryption chip and the MCU changes randomly, it is impossible to find a pattern, so they can only crack the encryption chip program and copy another encryption chip to make the MCU program run. The encryption chip is different from the general MCU. It has many security mechanisms inside, and it is very difficult to crack. This encryption scheme seems very safe, but it still has loopholes.

Cracking method:

First, follow the second cracking method to obtain the HEX file of the MCU. N steps are omitted here and will not be repeated. Use software to decompile HEX. There are many decompilation software at present.

In the decompiled program, find the comparison point. For example, as shown in Figure 3, the CJNE statement may be this comparison point. Therefore, as long as the statement in arrow 2 is deleted, and then the assembly language is downloaded to the MCU again, the cracking work is completed. At this time, even without the encryption chip, the MCU can run normally. In fact, the reason is very simple. The MCU is to judge the return value of the encryption chip, so if it is not allowed to make a judgment, the program can run normally regardless of the return value of the encryption chip.

Therefore, this encryption scheme was quickly cracked. Of course, it is not so absolute, because some MCUs cannot obtain the HEX or BIN files inside even if they are dissected, so this cracking scheme also depends on whether the security level of the MCU is high enough. But it is enough to illustrate a problem. This scheme that realizes encryption by comparing encryption results is still not secure enough and there are still cracking vulnerabilities.