In order to prevent unauthorized access or copying of the internal program of the single-chip microcomputer, most single-chip microcomputers have encrypted lock bits or encrypted bytes to protect the internal program. If the encryption lock bit is enabled (locked) during programming, the program in the MCU cannot be directly read with an ordinary programmer. This is the so-called MCU encryption or locking function. In fact, such protections are fragile and easily cracked. SCM attackers use special equipment or self-made equipment to exploit the design loopholes or software defects of the SCM chip, and through various technical means, they can extract key information from the chip and obtain the program in the SCM.

SCM Attack Technology Analysis

At present, there are four main techniques for attacking single-chip microcomputers, namely:

(1) Software attack

This technique usually uses processor communication interfaces and exploits protocols, encryption algorithms, or security holes in these algorithms to carry out attacks. A typical example of a successful software attack is the attack on the early ATMEL AT89C series microcontrollers. The attacker took advantage of the loopholes in the timing design of the erasing operation of this series of single-chip microcomputers, and used a self-programmed program to stop the next step of erasing the data in the on-chip program memory after erasing the encrypted lock bit, so that the encrypted single-chip microcomputer becomes Unencrypted single-chip microcomputer, and then use the programmer to read the on-chip program. At present, on the basis of other encryption methods, some devices can be developed to cooperate with certain software to do software attacks. Recently, a 51 MCU decryption device has appeared in China (created by a master in Chengdu). This decryptor is mainly aimed at SyncMos. The method to find whether there are continuous vacancies in the chip, that is to say, to search for consecutive FF FF bytes in the chip, the inserted byte can execute the instruction of sending the program on the chip to the off-chip, and then intercept it with the decrypted device, so The program inside the chip is decrypted.

(2) Electronic detection attack

This technique usually monitors with high temporal resolution the analog characteristics of all power and interface connections of the processor during normal operation, and conducts attacks by monitoring its electromagnetic radiation characteristics. Because the single-chip microcomputer is an active electronic device, when it executes different instructions, the corresponding power consumption of the power supply also changes accordingly. In this way, specific key information in the microcontroller can be obtained by analyzing and detecting these changes using special electronic measuring instruments and mathematical statistical methods. At present, the RF programmer can directly read the program in the encrypted MCU of the old model, which is to adopt this principle.

(3) Fault Generation Technology

This technique uses abnormal operating co nditions to trip the processor, which then provides additional access to carry out the attack. The most widely used fault generation attacks include voltage shock and clock shock. Low-voltage and high-voltage attacks can be used to disable protection circuits or force processors to perform incorrect operations. Transient clock transitions may reset protection circuitry without destroying protected information. Power and clock transients can affect the decoding and execution of individual instructions in some processors.

(4) Probe technology

This technology directly exposes the internal wiring of the chip, and then observes, manipulates, and interferes with the single-chip microcomputer to achieve the purpose of attack.

For convenience, people divide the above four attack techniques into two categories. One is intrusive attack (physical attack). It can take hours or even weeks to complete. All microprobe techniques are invasive attacks. The other three methods are non-invasive attacks, and the attacked microcontroller will not be physically damaged. Non-intrusive attacks are particularly dangerous in some cases because the equipment required for non-intrusive attacks can usually be made and upgraded, so it is very cheap. Most non-intrusive attacks require the attacker to have good knowledge of processors and software. In contrast, intrusive probe attacks do not require much initial knowledge and can usually be used against a wide range of products with a similar set of techniques. Therefore, attacks on single-chip microcomputers often start from intrusive reverse engineering, and accumulated experience helps to develop cheaper and faster non-invasive attack techniques.

learn more here : https://www.cdebyte.com/Module-WiFi