Advanced Hardware Hacking Techniques

1 Advanced Hardware Hacking Techniques
Joe Grand (Kingpin)
DEFCON 12, Friday, July 30
Electrical engineer, run my own business: Grand Idea Studio - product development and intellectual property licensing, San Diego. Formerly "Kingpin" from the L0pht and co-founder (left in April 2002). Specializes in embedded system design, computer security research, and inventing new products - creating and breaking. Author of the Syngress book "Hardware Hacking: Have Fun While Voiding Your Warranty", published in January 2004 (giving away a book at the end of the talk, so stay awake!)

2 Agenda
The "What" and "Why" of Hardware Hacking
Enclosure & Mechanical Attacks
Electrical Attacks
Final Thoughts and Conclusions
Feel free to interrupt and ask questions during the presentation… better than me rambling on for an hour. How many people are actively involved in hardware hacking of any sort? Modifications, creations, breaking things, etc. No? Scott Fullam's giving a talk next on "Introduction to Hardware Hacking". This presentation looks at advanced hardware hacking and reverse engineering techniques. It is not an introductory talk - we'll assume you have some basic electronics background. Also, this talk will give you a lot of ideas and directions for attacking products - you'll obviously have to tweak things for your particular target.

3 What is Hardware Hacking (to me)?
Doing something with a piece of hardware that has never been done before
Personalization and customization (e.g., "hot rodding for geeks")
Adding functionality
Capacity or performance increase
Defeating protection and security mechanisms (not for profit)
Creating something extraordinary
Harming nobody in the process
"Hardware hacking" can mean different things to different people - it comes down to a personal preference, like art or music. Arguably dates back 200 years - Charles Babbage's Difference Engine (early 1800s), William Crookes' discovery of the electron in the mid-1800s. Wireless telegraphy, vacuum tubes, radio, television, transistors, computers, microprocessors. All hackers: Benjamin Franklin, Thomas Edison, Alexander Graham Bell, Hewlett and Packard, Jobs and Wozniak, Richard Stallman, Linus Torvalds. Contrary to how major media outlets enjoy using the word to describe criminals breaking into computer systems, a hacker can simply be defined as somebody involved in the exploration of technology. And a "hack" in the technology world usually defines a new and novel creation or method of solving a problem, typically in an unorthodox fashion.
1. Personalization and Customization. Think "Hot Rodding for Geeks", the most prevalent form of hardware hacking. This includes things such as case modifications, custom skins and ring tones, and art projects like creating an aquarium out of a vintage computer.
2. Adding Functionality. Making the system or product do something it wasn't intended to do. This includes things such as converting the iPod to run Linux, turning a stock iOpener into a full-fledged PC, or modifying the Atari 2600 to support stereo sound and composite video output.
3. Capacity or Performance Increase. Enhancing or otherwise upgrading a product. This includes things such as adding additional memory to your favorite PDA, modifying your wireless network card to support an external antenna, or overclocking your PC's motherboard.
4. Defeating Protection and Security Mechanisms. This includes things such as removing the unique identifier from CueCat barcode scanners, finding easter eggs and hidden menus in a TiVo or DVD player, or creating a custom cable to unlock the secrets of your cellphone. Theft-of-service hacks fall into this category, but this book doesn't cover them.

4 Why Hardware Hacking?
Curiosity: To see how things work
Improvement and Innovation: Make products better/cooler
Some products are sold to you intentionally limited or "crippled"
Consumer Protection: I don't trust glossy marketing brochures...do you?
Remember taking apart your parents' radio? Example: DES-encrypted RF modules (using a 56-bit key stored in EEPROM) seen in EE Product News magazine. Only good protection over the air, NOT at the endpoints, where a device could be opened and the key extracted - then future wireless transmissions are not secure.

5 Hardware Security Myths
Many security-related products rely on misconceptions to remain "secure":
Hardware hacking is hard
Consumers lack the competency or courage to void their warranty
Therefore, hardware is "safe"

6 Gaining Access to a Product
Purchase: Buy the product from a retail outlet (with cash)
Evaluation: Rent or borrow the product
Active: Product is in active operation, not owned by attacker
Remote Access: No physical access to product, attacks launched remotely
Purchase: The attacker will own the product - purchased from a retail outlet with no means of detection (e.g., paying cash). Only physical tamper countermeasures prevent disclosure of the potential of the system. The attacker can discover mechanisms by attempted or successful disassembly of the product, and can obtain more than one device in order to sacrifice one for the sole purpose of discovering mechanisms. Can be monetarily prohibitive due to the cost of the product.
Evaluation: Expensive network or test equipment. The attacker will rent the product from the vendor or distributor - often on a monthly basis. Cautious to tamper with since it needs to be returned (high risk of detection).
Active: Mobile devices, cellphones, authentication tokens, etc. The target product is not owned by the attacker. The device is in active operation or may belong to a specific person. Most difficult, most risky. Might still have physical access to the device for a short period of time (lunchtime attack).
Remote Access: Network appliances, servers, etc. Attacks without physical access to the device - launch attacks remotely (wired or wireless network, modem, etc.). Doesn't require special hardware tools. Attackers can easily mask their location (risk of detection is low).

7 Attack Vectors
Interception (or Eavesdropping): Gain access to protected information without opening the product
Interruption (or Fault Generation): Preventing the product from functioning normally
Modification: Tampering with the product, typically invasive
Fabrication: Creating counterfeit assets of a product
Based on Pfleeger's Security in Computing book. Sometimes a successful attack consists of a combination of the above.
Interception: Passive attack, such as promiscuous-mode network monitoring, monitoring external interfaces, protocol timings, electromagnetic radiation, etc.
Interruption: Denial-of-service attack, malicious destruction of a hardware device, intentional erasure of program or data contents.
Fault Generation: Operating the device under abnormal environmental conditions to intentionally provoke malfunctions (could bypass security measures).
Modification: Adding/removing circuitry, microprobing of IC dies (hardware), changing values of data or altering a program (software/firmware).
Fabrication: Man-in-the-middle attack, inserting spurious network traffic, adding data contents into a device.

8 Enclosure & Mechanical Attacks
Opening Housings
External Interfaces
Anti-Tamper Mechanisms
Conformal Coating and Epoxy Encapsulation Removal

9 Opening Housings
Goal is to get access to internal circuitry
Usually as easy as loosening some screws or prying open the device
Opening some products is as simple as loosening a few screws or prying open the side with a hobby knife or screwdriver. Apple iPod using a jeweler's screwdriver: this picture is from a chapter in my book, "Hardware Hacking: Have Fun While Voiding Your Warranty". Aladdin eToken USB authentication device with an X-ACTO knife: this picture is from previous USB token research - presented at Black Hat and available on my website.

10 Opening Housings 2
If glue is used to seal the housing, use a heat gun to soften the glue and pry open with a knife
Some designers use glue with a high melting point - the enclosure will melt/deform before the glue does
Some devices are sonically welded to create a one-piece outer shell
If done properly, will require destruction of the device in order to open it

11 Opening Housings 3
Security bits and one-way screws
Used to prevent housings from being easily opened
Ex.: Bathroom stalls, 3.8mm and 4.5mm security bits for Nintendo and Sega game cartridges/systems
To identify a particular bit type, visit
Bits available at electronics stores, swapmeets, online
Security/tamper-resistant screws are sometimes used on product housings to prevent them from being easily opened. There are many types of these specially-shaped bits (Figure 1.6). To identify a particular bit type you might need to use for a hack, visit

12 External Interfaces
Usually a product's lifeline to the outside world
Manufacturing tests, field programming/upgrading, peripheral connections
Ex.: JTAG, RS232, USB, Firewire, Ethernet
Wireless interfaces also at risk (though not discussed here)
Ex.: b, Bluetooth
Any interface that connects to a third party may contain information that is useful for an attack
Could possibly obtain data, secrets, etc.
Could be considered a circuit board attack, too, but many times the interface is accessible without even opening the product!
Insecurity of b WEP (Wired Equivalent Privacy): Airopeek or Ethereal to monitor wireless traffic. Ollie Whitehouse's War Nibbling: Bluetooth Insecurity paper and Redfang tool: finds non-discoverable Bluetooth devices by brute-forcing the last six bytes of the device's Bluetooth address and doing a read_remote_name().

13 External Interfaces 2
Look for obfuscated interfaces
Ex.: Proprietary or out-of-the-ordinary connector types, hidden access doors or holes
Many times, test points are just hidden by a sticker
Left: One-time-password authentication device - accessible by removing a small plastic sticker, which can be replaced after the attack. Looking at my uncle's 10-year-old radar detector - 5 test points visible on the board, accessible underneath a sticker on the back housing.

14 External Interfaces 3
Use a multimeter or oscilloscope to probe and determine functionality
Logic state of pins can help with an educated guess
Ex.: Pull pins high or low, observe results, repeat
Monitor communications using an H/W- or S/W-based protocol analyzer
USB: SnoopyPro
RS232 and parallel port: PortMon
Send intentionally malformed/bad packets to cause a fault
If firmware doesn't handle this right, the device could trigger an unintended operation useful for an attack
Probe connections to determine functionality and then monitor the interface. Knowing the state of the pins can help an attacker make an educated guess on the type of interface the product is using. Could implement the probing detection discussed in a later section. Trivial for an attacker to monitor the communications using a dedicated protocol analyzer (e.g., CATC) or a software-based tool, such as SnoopyPro for USB, SysInternals' PortMon for serial (RS232) and parallel port, and Ethereal for network protocols. Physically remove unnecessary interfaces (JTAG, programming, etc.). One attack against a known protocol is to generate malformed or intentionally bad packets (using the traffic generation features of a protocol analyzer, for example) and observe the results. If the product does not properly handle errors or illegal packets, a failure may trigger an unintended operation that is useful to the attacker.

15 External Interfaces: Backdoors
Architecture-specific debug and test interfaces (usually undocumented)
Diagnostic serial ports: Provide information about the system, could also be used for administration
Ex.: Intel NetStructure crypto accelerator administrator access [1]
Developer's backdoors: Commonly seen on networking equipment, telephone switches
Ex.: Palm OS debug mode [2]
Ex.: Sega Dreamcast CD-ROM boot
Intel NetStructure: Based on work by Brian Oblivion back in System was a Pentium II PC with the filesystem mounted on a CompactFlash card. dd'ed the filesystem (BSD), found and reverse-engineered the password generator for the admin password (based on the MAC address of the box).
Palm OS password decoding: The encoded form of the ASCII password is transmitted through the serial port, infrared, and network. It can easily be decoded into the original password, giving the attacker access to the device and private data.
Sega Dreamcast: Run unauthorized code from CD-Rs provided a special "code" is located on the CD.

16 External Interfaces: JTAG
JTAG (IEEE ) interface is often the Achilles' heel
Industry-standard interface for testing and debugging
Ex.: System-level testing, boundary scanning, and low-level testing of dies and components
Can provide a direct interface to hardware
Has become a common attack vector
Ex.: Flash memory reprogramming on Pocket PC devices (
The standard boundary scan interface provides a means of driving and sampling all the external pins of the device irrespective of the core state. This permits testing the device's electrical connections to the circuit board as well as its connections to other interfaced devices (such as Flash or SRAM, which are connected directly to the address and data bus lines).

17 External Interfaces: JTAG 2
Five connections (4 required, 1 optional):
TDO = Data Out (from target device)
TDI = Data In (to target device)
TMS = Test Mode Select
TCK = Test Clock
/TRST = Test Reset (optional)
H/W interface to PC can be built with a few dollars of off-the-shelf components
Ex.: or ftp:// jtag05_sch.pdf

18 External Interfaces: JTAG 3
JTAG Tools ( serves as the S/W interface on the PC
Removing JTAG functionality from a device is difficult
Designers usually obfuscate traces, cut traces, or blow fuses, all of which can be repaired by an attacker
In combination with "JTAG Tools", a software package which enables working with JTAG-aware hardware devices and boards, practically any electronics hobbyist can connect to the JTAG interface.
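To make the four required signals from the previous slide concrete, here is an added C model of the JTAG TAP controller and a simulated target, written for this edit rather than taken from the talk or from the JTAG Tools package. It shows how TMS walks the state machine and how a 32-bit device ID register is clocked out on TDO; the IDCODE value is constructed.

```c
/* Added example (not from the talk or JTAG Tools): a C model of the
 * 16-state JTAG TAP controller driven by TMS/TCK/TDI/TDO plus a target
 * whose data register holds a 32-bit IDCODE. On each TCK edge TMS picks
 * the next state; Capture-DR loads the shift register; Shift-DR shifts
 * it one bit per clock, LSB first out of TDO. IDCODE is a constructed value.
 */
#include <stdint.h>
#include <stdio.h>

enum tap_state {
    TEST_LOGIC_RESET, RUN_TEST_IDLE,
    SELECT_DR, CAPTURE_DR, SHIFT_DR, EXIT1_DR, PAUSE_DR, EXIT2_DR, UPDATE_DR,
    SELECT_IR, CAPTURE_IR, SHIFT_IR, EXIT1_IR, PAUSE_IR, EXIT2_IR, UPDATE_IR
};

/* next_state[current][TMS level] */
static const enum tap_state next_state[16][2] = {
    [TEST_LOGIC_RESET] = { RUN_TEST_IDLE, TEST_LOGIC_RESET },
    [RUN_TEST_IDLE]    = { RUN_TEST_IDLE, SELECT_DR },
    [SELECT_DR]        = { CAPTURE_DR,    SELECT_IR },
    [CAPTURE_DR]       = { SHIFT_DR,      EXIT1_DR },
    [SHIFT_DR]         = { SHIFT_DR,      EXIT1_DR },
    [EXIT1_DR]         = { PAUSE_DR,      UPDATE_DR },
    [PAUSE_DR]         = { PAUSE_DR,      EXIT2_DR },
    [EXIT2_DR]         = { SHIFT_DR,      UPDATE_DR },
    [UPDATE_DR]        = { RUN_TEST_IDLE, SELECT_DR },
    [SELECT_IR]        = { CAPTURE_IR,    TEST_LOGIC_RESET },
    [CAPTURE_IR]       = { SHIFT_IR,      EXIT1_IR },
    [SHIFT_IR]         = { SHIFT_IR,      EXIT1_IR },
    [EXIT1_IR]         = { PAUSE_IR,      UPDATE_IR },
    [PAUSE_IR]         = { PAUSE_IR,      EXIT2_IR },
    [EXIT2_IR]         = { SHIFT_IR,      UPDATE_IR },
    [UPDATE_IR]        = { RUN_TEST_IDLE, SELECT_DR },
};

struct tap {
    enum tap_state state;
    uint32_t idcode;   /* device identification register contents */
    uint32_t dr;       /* data shift register sitting between TDI and TDO */
};

void tap_init(struct tap *t, uint32_t idcode)
{
    t->state = TEST_LOGIC_RESET;  /* reset state; IR then selects IDCODE */
    t->idcode = idcode;
    t->dr = 0;
}

/* One rising edge of TCK with the given TMS and TDI levels. Returns the
 * TDO level the host samples on that edge (meaningful only in Shift-DR). */
int tap_clock(struct tap *t, int tms, int tdi)
{
    int tdo = 0;
    if (t->state == SHIFT_DR) {
        tdo = (int)(t->dr & 1u);                 /* LSB leaves on TDO */
        t->dr = (t->dr >> 1) | ((uint32_t)(tdi & 1) << 31);
    } else if (t->state == CAPTURE_DR) {
        t->dr = t->idcode;                       /* parallel load */
    }
    t->state = next_state[t->state][tms & 1];
    return tdo;
}

/* Host-side sequence: reset the TAP, walk to Shift-DR, clock out the
 * 32-bit IDCODE and leave the TAP in Run-Test/Idle. */
uint32_t read_idcode(struct tap *t)
{
    static const int to_shift_dr[] = { 0, 1, 0, 0 }; /* RTI, SelDR, CapDR, ShDR */
    uint32_t id = 0;
    for (int i = 0; i < 5; i++)           /* 5 clocks with TMS=1 reset any state */
        tap_clock(t, 1, 0);
    for (int i = 0; i < 4; i++)
        tap_clock(t, to_shift_dr[i], 0);
    for (int i = 0; i < 32; i++)          /* TMS=1 on the last bit exits Shift-DR */
        id |= (uint32_t)tap_clock(t, i == 31, 0) << i;
    tap_clock(t, 1, 0);                   /* Exit1-DR -> Update-DR */
    tap_clock(t, 0, 0);                   /* Update-DR -> Run-Test/Idle */
    return id;
}

/* Helpers for main() and the tests: fresh TAP, read, report. */
uint32_t demo_read_idcode(uint32_t idcode)
{
    struct tap t;
    tap_init(&t, idcode);
    return read_idcode(&t);
}

int demo_ends_in_idle(uint32_t idcode)
{
    struct tap t;
    tap_init(&t, idcode);
    (void)read_idcode(&t);
    return t.state == RUN_TEST_IDLE;
}

int main(void)
{
    uint32_t want = 0x0ABCD0EDu;          /* constructed IDCODE for the demo */
    printf("IDCODE 0x%08X, TAP back in Run-Test/Idle: %s\n",
           demo_read_idcode(want), demo_ends_in_idle(want) ? "yes" : "no");
    return 0;
}
```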

19 Anti-Tamper Mechanisms
Primary facet of physical security for embedded systems
Attempts to prevent unauthorized physical or electronic tampering against the product
Most effectively used in layers
Possibly bypassed with knowledge of the method
Purchase one or two devices to serve as "sacrificial lambs"
"Secure hardware" or "embedded security" usually refers to tamper mechanisms. Research has been on-going in this area for decades - many of the mechanisms can be bypassed with enough time and resources. Often, tamper mechanisms can only be discovered by attempted or complete disassembly of the target product.

20 Anti-Tamper Mechanisms 2
Tamper Resistance: Specialized materials used to make tampering difficult
Ex.: One-way screws, epoxy encapsulation, sealed housings
Tamper Evidence: Ensure that there is visible evidence left behind by tampering
Only successful if a process is in place to check for deformity
Ex.: Passive detectors (seals, tapes, glues), special enclosure finishes (brittle packages, crazed aluminum, bleeding paint)
Bleeding paint - paint of one color is mixed with tiny spheres of a contrasting color paint which rupture when the surface is scratched. Crazed aluminum - fine cracks on the surface that are unique like a fingerprint. Glue: Holdtite Secure 42 for screws. A Google search for tamper-evident seals and tapes will give you hundreds. However, many are bypassed as shown in Johnston and Garcia's paper. The Vulnerability of Security Seals paper explains that most can be bypassed with ordinary tools - all 94 seals tested were defeated. Ex.: Adhesive tape, plastic, wire loop, metal cable, metal ribbon, passive fiber optic.

21 Anti-Tamper Mechanisms 3
Tamper Detection: Enable the hardware device to be aware of tampering
Switches: Detect the opening of a device, breach of security boundary, or movement of a component
Sensors: Detect an operational or environmental change
Circuitry: Detect a puncture, break, or attempted modification of the security envelope
Switches: Microswitches, magnetic switches, mercury switches, pressure contacts.
Sensors: Temperature & radiation: environmental change (heat or cold attacks). Voltage & power: glitch attacks. Radiation: particles from X-rays (used to see what's inside a sealed or encapsulated device) and ion beams (advanced attacks on specific IC gates).
Circuitry: Flexible circuitry, nichrome wire, fiber optics, W.L. Gore's D3 electronic security enclosure. Nichrome wire: its resistance produces a consistent voltage drop over the length of the wire. A change in temperature or a break will affect the resistance properties of the wire, causing a detectable voltage drop. Fiber optics: light power. Gore's D3 enclosure ( combines a number of tamper evidence and detection features. The sensor comes as a foldable sheet to be wrapped around the product. Conductive ink crisscrosses through the sheet; the maximum distance between traces is 200 to 300 microns. The electrical state of the sensor changes if broken, enabling tamper response mechanisms. Transparent to X-ray, tested against reagents and solvents.

22 Anti-Tamper Mechanisms 4
Tamper Response: Countermeasures taken upon the detection of tampering
Ex.: Zeroize critical memory, shutdown/disable/destroy device, enable logging features
Physical Security Devices for Computer Subsystems [3] provides comprehensive attacks and countermeasures
Ex.: Probing, machining, electrical attacks, physical barriers, tamper-evident solutions, sensors, response technologies
Tamper response works hand-in-hand with tamper detection mechanisms. Extreme solution: physical destruction using a small, shaped explosive charge. Explosives are obviously not practical for most (if any) consumer electronics - sensitive military and government operations? Logging: a simple response to keep track of attacks or attempted attacks. Many tamper-responsive devices are designed and manufactured with the stipulation that they will never be opened again - legitimately or not.

23 Conformal Coating and Epoxy Encapsulation Removal
Encapsulation used to protect circuitry from moisture, dust, mold, corrosion, or arcing
Epoxy or urethane coatings leave a hard, difficult-to-remove film
Conformal coatings and encapsulants are typically used to protect an assembled circuit board from moisture, dust, mold, corrosion, or high-voltage arcing. They can also reduce mechanical stress on components and protect them from thermal shock. Urethane provides a hard, durable coating that offers excellent abrasion and solvent resistance. It shrinks significantly during coating, which may stress components. Epoxies also offer excellent resistance to moisture and solvents. Usually consisting of a two-part thermosetting resin, the coating also shrinks during curing, leaving a hard, difficult-to-remove film. Conformal coatings provided by 3M (DP-270), GE Silicones, Dow Corning, MG Chemicals.

24 Conformal Coating and Epoxy Encapsulation Removal 2
The good news: The coatings are not specifically designed for security
Can usually be bypassed with special chemicals like MG Chemicals' 8310 Conformal Coating Stripper (
Brute force approach: Dremel tool and wooden skewer as a drill bit
Doesn't damage the components underneath the coating
Might remove the soldermask, but not a big deal...
MG Chemicals' 8310 Conformal Coating Stripper "removes protective coatings, including epoxy, urethane, silicones, and acrylics."

25 Conformal Coating and Epoxy Encapsulation Removal 3
When all else fails, use X-ray to determine the location of components or connections
Even with the coating, one attack would be to use an X-ray machine (accessible in hospitals, research centers, failure analysis laboratories, and veterinarian offices) to determine where components or connections are located. Image: Example of an epoxy-encapsulated device and the resultant X-ray image, showing all of the digital components and bus connections. Clay Cowgill, 2000, Example: Super Pac-Man arcade game upgrade chip: encased in a sheet of plexiglass filled with epoxy potting compound. The daughter card plugs into the Z-80 socket and uses encrypted ROMs to prevent people from duplicating the upgrade without the special hardware from Bally/Midway.

26 Electrical Attacks
Surface Mount Devices
Probing Boards
Memory and Programmable Logic
Chip Delidding and Die Analysis
Emissions and Side-Channel Attacks
Clock and Timing
Many of the weaknesses, security vulnerabilities, and design flaws of a product are identified when analyzing the circuit board. Simple attacks range from reading or modifying the contents of a microprocessor or memory device to replacing components on the board. More advanced attacks involve microprobing, in which a chip package is opened, its internals accessed with semiconductor test equipment, and the internal data paths observed or manipulated, or fault generation attacks, in which the device is operated under environmental stress conditions outside its designed operational range (such as extreme temperature, supply voltage variations and spikes, protocol violations, and partial system resets).

27 Surface Mount Devices
Harder to work with than through-hole devices
Ex.: Fine-pitched packages, tiny discrete components
Don't get discouraged
Human hands have more resolution than the naked eye can resolve
A microscope can go a long way to solder components
Circuit Cellar, July 2004: Build your own computer-controlled, temperature-adjusting SMT oven

28 Surface Mount Devices 2
Easy to desolder using ChipQuik SMD Removal Kit (
Quickly and easily remove surface mount components, such as PLCC, SOIC, TSOP, QFP, and discrete packages. The primary component of the kit is a low-melting-temperature solder (requiring less than 300 degrees F) that reduces the overall melting temperature of the solder on the SMD pads.

29 Probing Boards
Look for test points and exposed traces/bus lines
Surface mount leads and points are usually too small to manually probe
Many ways to access:
Solder probe wire onto board using a microscope
Use an SMD micrograbber ($5-$50)
Use a probe adapter (> $100) from or
Build your own probe
If traces are accessible on the top or bottom PCB layer, the soldermask can simply be scraped off. Probed using a logic analyzer, digital oscilloscope, or custom circuitry.

30 Probing Boards 2
Ex.: Tap board used to intercept data transfer over the Xbox's HyperTransport bus [4]
Bunnie Huang's Xbox HyperTransport bus tap circuit, from
The tap board, consisting of a single LVDS (low voltage differential signaling)-to-CMOS logic converter (Texas Instruments SN75LVDS386, available for $8 US), is interfaced to a Xilinx Virtex-E FPGA development board (estimated cost $1500 US, though the entire development board is not necessary and an attacker could simply use the FPGA on their own custom circuit board). Bunnie was able to retrieve the symmetric encryption key used for protection of a secret boot loader, which ultimately allowed him to execute untrusted code on the system.

31 Memory and Programmable Logic
Most memory is notoriously insecure
Not designed with security in mind
Serial EEPROMs can be read in-circuit, usually over an SPI or I2C bus (serial clock and data) [5]
Difficult to securely and totally erase data from RAM and non-volatile memory [6]
Remnants may exist and be retrievable from devices long after power is removed
Could be useful to obtain program code, temporary data, crypto keys, etc.
Simply erasing memory is usually not enough. In Data Remanence in Semiconductor Devices, Gutmann showed that it is extremely difficult to securely and totally erase data from RAM and non-volatile memory. He observes that "contrary to conventional wisdom, volatile semiconductor memory does not entirely lose its contents when power is removed. Both static (SRAM) and dynamic (DRAM) memory retains some information." Storing data in a fixed RAM location can lead to "burn-in" and other phenomena that will enable data recoverability even if power is removed from the volatile device. This means that remnants of program code, temporary data, cryptographic keys, or other secrets may still exist and be retrievable from devices long after power has been removed or after the memory contents have been rewritten. Because of this, the current best practice is to limit the amount of time that critical data is stored in the same regions of memory. Either moving the secret around to different RAM locations (while overwriting the previous area) or periodically flipping the stored bits of the secret, as described by Gutmann, will help reduce the effects of burn-in.
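The closing recommendation above (move the secret between RAM locations, overwriting the old area, and periodically flip its stored bits) as an added C example of my own, not code from the talk or from Gutmann's paper. The slot count, the tick interval and the 16-byte demo key are constructed values.

```c
/* Added example (not from the talk or the Gutmann paper): a small C model
 * of the two burn-in countermeasures the slide describes. A secret lives
 * in one of several RAM slots; on every maintenance tick its bits are
 * complemented in place, and every MOVE_EVERY ticks it is copied to another
 * slot after which the old slot is wiped. All sizes and the key are
 * constructed demo values.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECRET_LEN 16
#define NSLOTS     4
#define MOVE_EVERY 3   /* relocate after this many in-place inversions */

struct secret_store {
    uint8_t  slot[NSLOTS][SECRET_LEN]; /* candidate RAM locations */
    unsigned cur;                      /* slot holding the secret now */
    unsigned inverted;                 /* 1 while stored bits are complemented */
    unsigned ticks;                    /* inversions since the last move */
};

/* Overwrite through a volatile pointer so the compiler cannot drop the
 * wipe as a dead store just because the buffer is never read again. */
static void wipe(uint8_t *p, size_t n)
{
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

void store_init(struct secret_store *s, const uint8_t *key)
{
    memset(s, 0, sizeof *s);
    memcpy(s->slot[0], key, SECRET_LEN);
}

/* One maintenance tick: complement every stored byte so no cell keeps the
 * same value for long; every MOVE_EVERY ticks also copy the secret to the
 * next slot and wipe the slot it came from. */
void store_tick(struct secret_store *s)
{
    uint8_t *cur = s->slot[s->cur];
    for (size_t i = 0; i < SECRET_LEN; i++) cur[i] ^= 0xFF;
    s->inverted ^= 1u;
    if (++s->ticks >= MOVE_EVERY) {
        unsigned next = (s->cur + 1) % NSLOTS;
        memcpy(s->slot[next], cur, SECRET_LEN);
        wipe(cur, SECRET_LEN);
        s->cur = next;
        s->ticks = 0;
    }
}

/* Recover the plaintext secret whatever the current slot and polarity. */
void store_read(const struct secret_store *s, uint8_t *out)
{
    const uint8_t *cur = s->slot[s->cur];
    for (size_t i = 0; i < SECRET_LEN; i++)
        out[i] = s->inverted ? (uint8_t)~cur[i] : cur[i];
}

/* 1 if every slot other than the current one reads back as all zeros. */
int store_others_wiped(const struct secret_store *s)
{
    for (unsigned k = 0; k < NSLOTS; k++) {
        if (k == s->cur) continue;
        for (size_t i = 0; i < SECRET_LEN; i++)
            if (s->slot[k][i] != 0) return 0;
    }
    return 1;
}

/* Self-check for main() and the tests: run nticks maintenance ticks on a
 * constructed key; 1 if the key still reads back intact and every
 * abandoned slot is clear. */
int store_selftest(unsigned nticks)
{
    static const uint8_t key[SECRET_LEN] = {   /* constructed demo key */
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
        0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF };
    struct secret_store s;
    uint8_t out[SECRET_LEN];
    store_init(&s, key);
    for (unsigned i = 0; i < nticks; i++) store_tick(&s);
    store_read(&s, out);
    return memcmp(out, key, SECRET_LEN) == 0 && store_others_wiped(&s);
}

/* Slot index after nticks ticks, to show the secret really moves. */
unsigned store_slot_after(unsigned nticks)
{
    struct secret_store s;
    uint8_t zero[SECRET_LEN] = {0};
    store_init(&s, zero);
    for (unsigned i = 0; i < nticks; i++) store_tick(&s);
    return s.cur;
}

int main(void)
{
    printf("after 7 ticks: secret in slot %u, intact with old slots wiped: %s\n",
           store_slot_after(7), store_selftest(7) ? "yes" : "no");
    return 0;
}
```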

32 Memory and Programmable Logic 2
SRAM-based FPGAs most vulnerable to attack
Must load configuration from external memory
Bit stream can be monitored to retrieve the entire configuration
To determine PLD functionality, try an I/O scan attack
Cycle through all possible combinations of inputs to determine outputs
SRAM-based FPGAs are easy to retrieve the configuration from and clone. New devices exist that eliminate the need for external configuration memory: single chip, live at power-up. Harder to tamper with, even at the die level. I/O scan attacks: easiest against low-density PLDs with dedicated I/O and asynchronous circuits/latches, but possible with more complex devices, too.

33 Memory and Programmable Logic 3
Security fuses and boot-block protection
Enabled for "write-once" access to a memory area or to prevent full read-back
Usually implemented in any decent design
Might be bypassed with die analysis attacks (FIB) or electrical faults [7]
Ex.: PIC16C84 attack in which the security bit is removed by increasing VCC during repeated write accesses
Some electrical attacks can be mitigated by the use of diodes in line with the address, data, and control lines of discrete memory devices. This will prevent those devices from being powered by applying VCC to those lines. PIC attack: PIC Microcontroller Discussion List, "Re: Code protect," posted April 26, 1995, ~eric/pic/84security.html

34 Chip Decapping and Die Analysis
Analysis of Integrated Circuit (IC) dies is typically the most difficult area for hardware hacking
With access to the IC die, you can:
Retrieve contents of Flash, ROM, FPGAs, other non-volatile devices (firmware and crypto keys stored here)
Modify or destroy gates and other silicon structures (e.g., reconnect a security fuse that prevents reading of the device)
Analysis of integrated circuit (IC) dies, though commonly done for failure analysis and chip design, has long been the most difficult vector for attack purposes. Flash & ROM - non-volatile, will retain contents even if power is removed. Kömmerling and Kuhn's Design Principles for Tamper-Resistant Smartcard Processors paper details techniques to extract software and data from smart card processors, including manual microprobing, laser cutting, FIB manipulation, glitch attacks, and power analysis. Their attacks show that it is indeed possible to remove the IC package without damaging the chip. Much of the attack research in Kömmerling and Kuhn's paper is based on Beck's Integrated Circuit Failure Analysis - A Guide to Preparation Techniques book, which details failure analysis techniques for opening the package/chip insulation, etching procedures for removing layers of chip structure, and health and safety procedures.
Pre-computation difficulty and/or preparation time = Moderate
Cost and resources = Significant
Difficulty/effort = Moderate
Time required to execute = Moderate
Goals/results = Gaining access to the die of the IC in order to analyze the gate structure and read the contents
Destructiveness = Moderate to Significant (removes the top of the IC, will need to be fixed with epoxy)

35 Chip Decapping and Die Analysis 2
The good thing is that IC designers make mistakes, so tools are needed:
Failure analysis
Chip repair and inspection
What tools?
Chip Decappers
Scanning Electron Microscope (SEM)
Voltage Contrast Microscopy
Focused Ion Beam (FIB)
Due to the economic downturn in recent years, equipment has become available on the surplus market and the prices of analysis services have been reduced to a level affordable to any determined attacker. Additionally, access to the required equipment can be found in many academic institutions worldwide. Will look at each of the tools in the following slides...

36 Chip Decapping and Die Analysis 3
Equipment available on the used/surplus market
Access to tools in most any large academic institution
Reverse engineering and analysis services exist (still high priced, $10k-$20k)
Can provide functional investigation, extraction, IC simulation, analysis of semiconductor processes, etc.
Ex.: Semiconductor Insights ( and Chipworks (
Reverse engineering and IC analysis services exist, which aid in functional investigation, extraction, and simulation of ICs. They can also analyze semiconductor and fabrication processes, techniques and materials. Costing in the range of $10,000 to $20,000 US, a well-funded attacker could make use of such services.

37 Chip Decapping and Die Analysis: IC Decapsulation
Decapsulation tools used to "delid" or "decap" the top of the IC housing
Uses chemical or mechanical means (or both)
Will keep the silicon die intact while removing the outer material
Ex.: Nippon Scientific ( Nisene Technology Group ( ULTRA TEC Manufacturing ( com), approx. $30k new, $15k used
Decapsulation products are tools that will "delid" or "decap" the top of the housing from ICs. Decapsulation tools, which use chemical or mechanical means (or a combination of both), will keep the silicon die intact while removing the outer material from the IC. The current price of the Nippon Scientific PA103 IC Decapsulation System using fuming nitric acid is $29,000 US for a new unit and $15,000 US for a used one on the surplus market.

38 Chip Decapping and Die Analysis: Scanning Electron Microscope
Used to perform sub-micron inspection of the physical die
Metal or other material layers might need to be de-processed before access to gate structures
Depending on ROM size and properties, can visually recreate contents
A SEM is used to perform sub-micron inspection with a long depth of field. The technique allows surface inspections at the sub-micron level. Defects too small to be seen by an optical microscope are easily seen by a SEM. Left: Magnified portion of a ROM die showing actual data bits. 16 columns and 10 rows = 160 bits of storage. Every bit is represented by a present or missing connection. Ex.: Top row. Right: Die of a COB IC (covered in epoxy) that I manually uncovered. (Photos from ADSR Ltd. and FIB International)

39 Chip Decapping and Die Analysis: Voltage Contrast Microscopy
Detect variances of voltages and display them as contrast images
Performed with a SEM
Ex.: Could extract information from a Flash ROM storage cell
SEMs specializing in voltage contrast (VC) are used for contactless, damage-free probing within the IC. These microscopes have the ability to detect variance of voltages on the internal conductors of the IC and display the information as voltage contrast images and waveforms for documentation and classification of IC failures. Applying power to the IC and observing the IC in image mode reveals the DC conditions on the surface layers of the chip. They are displayed by bright (more negative) and dark (more positive) contrast superimposed on the image of the surface metal tracks. This is an immediate indication to the troubleshooter of the DC voltage conditions on the monitored cell. (Photo from

40 Chip Decapping and Die Analysis: Focused Ion Beams
Send a focused stream of ions onto the surface of the chip
Beam current and optional use of gas/vapor changes the function
Cutting: Ex.: Cut a bond pad or trace from the die ($1k-$10k)
Deposition: Ex.: Add a jumper/reconnect a trace on the die ($1k-$10k)
Focused ion beam (FIB) systems have been produced commercially for approximately ten years, primarily for large semiconductor manufacturers. FIB systems operate in a similar fashion to a scanning electron microscope (SEM) except that, rather than a beam of electrons and as the name implies, FIB systems use a finely focused beam of gallium ions that can be operated at low beam currents for imaging or high beam currents for site-specific sputtering or milling. Using focused ion beams (FIB), a specialist company such as Fibics Incorporated ( or FIB International ( can cut bond pads to remove a trace or add ion deposits to add a jumper or set a bit based on the velocity of the ion beam.

41 Chip Decapping and Die Analysis: Focused Ion Beams 2
Imaging - High-resolution image of die structure
Ex.: Fibics Incorporated or FIB International

Left: FIB precision sectioning can accurately and cleanly isolate a bond pad from the surrounding circuitry, as demonstrated here on a seven-metal, 0.15 µm technology device.
Right: FIB deposition can produce features 200 nm or less in thickness. This structure required approximately 30 minutes of FIB time to produce.
(Photos from Fibics Incorporated)

42 Chip Decapping and Die Analysis: Focused Ion Beams 3
The precise sectioning and imaging capabilities of FIB milling, combined with its ability to etch complex patterns (including bitmapped images), make focused ion beam microscopes the ideal tool for one-of-a-kind micromachining, or micromachining of a wide variety of materials.
Left: FIB micromachined to produce a narrow, 100-nm diameter parabolic tip for sub-micron indentation into hard materials.
Right: FIB deposition of tungsten can produce "drill bits" and other complex structures which can be further FIB machined to a final shape.
(Photos from Fibics Incorporated)

43 Emissions and Side-Channel Attacks
All devices leak information
EMI (electromagnetic interference) from circuits (TEMPEST) [8, 9]
Power supply fluctuations
Visible radiation from LEDs and monitors [10, 11]
Can be monitored and used by an attacker to determine secret information
Devices may also be susceptible to RF or ESD (immunity)
  Intentionally injected to cause failure

TEMPEST: Wim van Eck's "Electromagnetic Radiation from Video Display Units" (1985) was the first public text on the subject. Receive electromagnetic interference (EMI) from monitors or keyboards and recreate the signal/data. As voltages are applied to the CRT of a monitor, they create detectable spikes that can be retrieved.
Rao and Rohatgi's "EMPowering Side-Channel Attacks": focused EMI attacks on small devices such as smartcards.

44 Emissions and Side-Channel Attacks: Power Supply
Simple Power Analysis (SPA)
  Attacker directly observes power consumption
  Varies based on microprocessor operation
  Easy to identify intensive functions (cryptographic)
Differential Power Analysis (DPA) [12]
  Advanced mathematical methods to determine secret information on a device

SPA and DPA were proposed by Paul Kocher and Cryptography Research and are most commonly demonstrated on smart card devices. SPA: visual inspection to identify relevant power fluctuations. DPA: statistical analysis and error correction techniques. SPA and DPA attacks monitor the power consumption or electrical activity of a device in order to determine secret information or cryptographic functionality. Essentially, these attacks work because the amount of power consumed by a microprocessor (and thus the rest of the system) varies based on the operation it is performing.
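As an added example, not from the slides and not Cryptography Research's own code, the simulation below shows why data-dependent power consumption leaks a key and what a design reviewer looks for when judging whether a countermeasure works. Everything in it is an assumption of the example: the leaking register is modelled with a Hamming-weight leakage model plus noise in {-1, 0, +1}, the public 4-bit PRESENT S-box stands in for a cipher's nonlinear step, the key is a single constructed nibble, and the "protected" variant applies a first-order Boolean mask to the register. The analysis step is the correlation form of DPA (correlate a predicted Hamming weight with the simulated power for each key guess).

```c
#include <stdint.h>
#include <stdio.h>

#define NTRACES 2000

/* Public 4-bit S-box of the PRESENT block cipher, standing in for the
   nonlinear step whose output register is the usual DPA/CPA target. */
static const uint8_t SBOX[16] = {0xC,0x5,0x6,0xB,0x9,0x0,0xA,0xD,
                                 0x3,0xE,0xF,0x8,0x4,0x7,0x1,0x2};

/* Deterministic LCG so the simulated traces are reproducible. */
static uint32_t rng_state;
static uint32_t next_rand(void)
{
    rng_state = rng_state * 1103515245u + 12345u;
    return rng_state >> 16;
}

static int hamming_weight(uint8_t v)
{
    int w = 0;
    for (; v; v >>= 1) w += v & 1;
    return w;
}

/* Square root by Newton iteration (keeps the example free of a libm dependency). */
static double sqrt_newton(double v)
{
    double r = v > 1.0 ? v : 1.0;
    for (int i = 0; i < 80; i++) r = 0.5 * (r + v / r);
    return r;
}

/* Assumed leakage model: each trace sample is the Hamming weight of the S-box
   output register plus noise in {-1, 0, +1}. With 'masked' set, the register
   holds S[k^p] XOR m for a fresh random 4-bit mask m, as a first-order Boolean
   masking countermeasure would arrange. Plaintext nibbles are constructed. */
void simulate_traces(uint8_t key, int masked, uint8_t pt[], double power[])
{
    for (int i = 0; i < NTRACES; i++) {
        pt[i] = (uint8_t)(next_rand() & 0xF);
        uint8_t reg = SBOX[(key ^ pt[i]) & 0xF];
        if (masked) reg ^= (uint8_t)(next_rand() & 0xF);
        double noise = (double)(next_rand() % 3) - 1.0;
        power[i] = hamming_weight(reg) + noise;
    }
}

/* Pearson correlation coefficient of x[] and y[]. */
static double correlation(const double x[], const double y[], int n)
{
    double sx = 0, sy = 0, sxx = 0, syy = 0, sxy = 0;
    for (int i = 0; i < n; i++) {
        sx += x[i]; sy += y[i];
        sxx += x[i] * x[i]; syy += y[i] * y[i]; sxy += x[i] * y[i];
    }
    double cov = sxy - sx * sy / n;
    double vx = sxx - sx * sx / n, vy = syy - sy * sy / n;
    return cov / sqrt_newton(vx * vy);
}

/* Correlation power analysis: for every 4-bit key guess g, predict
   HW(S[g ^ p]) per trace and correlate it with the measured power. The guess
   with the highest correlation is returned; *best_corr receives its value. */
uint8_t cpa_best_guess(const uint8_t pt[], const double power[], double *best_corr)
{
    static double model[NTRACES];
    uint8_t best = 0;
    *best_corr = -2.0;
    for (int g = 0; g < 16; g++) {
        for (int i = 0; i < NTRACES; i++)
            model[i] = hamming_weight(SBOX[(g ^ pt[i]) & 0xF]);
        double c = correlation(model, power, NTRACES);
        if (c > *best_corr) { *best_corr = c; best = (uint8_t)g; }
    }
    return best;
}

/* Evaluate one implementation: simulate traces for 'key' and run CPA on them.
   The RNG is reseeded so every evaluation sees the same trace set. */
uint8_t evaluate(uint8_t key, int masked, double *corr)
{
    static uint8_t pt[NTRACES];
    static double power[NTRACES];
    rng_state = 0x1234567u;
    simulate_traces(key, masked, pt, power);
    return cpa_best_guess(pt, power, corr);
}

uint8_t recovered_key(uint8_t key, int masked) { double c; return evaluate(key, masked, &c); }
double best_correlation(uint8_t key, int masked) { double c; evaluate(key, masked, &c); return c; }

int main(void)
{
    const uint8_t secret = 0xB;   /* constructed secret nibble */
    printf("unmasked: best guess 0x%X (secret 0x%X), correlation %.3f\n",
           recovered_key(secret, 0), secret, best_correlation(secret, 0));
    printf("masked:   best guess 0x%X, correlation %.3f (no guess stands out)\n",
           recovered_key(secret, 1), best_correlation(secret, 1));
    return 0;
}
```

On the unmasked register the correct guess correlates at roughly 0.77 and every wrong guess stays below about 0.4, which is the signal a reviewer does not want to see; with the mask in place the register's Hamming weight is independent of the key, so all sixteen guesses sit near zero. Only a first-order leak is modelled here; combining samples from the mask and the masked value (a higher-order analysis) is outside this example.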

45 Clock and Timing Attacks
Rely on changing or measuring timing characteristics of the system
Active (invasive) timing attacks
  Vary clock (speed up or slow down) to induce failure or unintended operation
Passive timing attacks
  Non-invasive measurements of computation time
  Different tasks take different amounts of time
Speed up system - view more iterations to look for repeated sequences
  Example: Time-based token
Slow down system - single-step, external measurement tools (logic analyzer)

To prevent clock skewing attacks, a Phase-Locked Loop (PLL) could be implemented to help reduce the clock delay and skew within a device. This will also regulate the internal system timing to compensate for variances in clock crystals. Going with the notion that different computational tasks take different amounts of time, it might become possible to determine secret components or break the cryptographic system of the device under attack.
Ex.: Rainbow iKey 1000 hypothesized software attack to determine the 64-bit MKEY (Master Key): When an 8-bit processor needs to compare two 64-bit numbers, it is achieved by first comparing A1 with B1. If they match, A2 and B2 will be compared, and so on until the entire value has been compared. The more bytes that match, the longer the compare routine will take. If the routine returns quickly, it can be assumed that the bytes being compared do not match.
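The byte-by-byte comparison hypothesized for the iKey above, written out as an added C example (not code from the slides, from Rainbow, or from any real token firmware) next to the constant-time form a designer would use instead. The eight-byte secret is constructed, and the step counter is an assumption of the example: it models the loop iterations an externally clocked, single-stepped measurement would see, not a wall-clock timing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KEY_BYTES 8   /* a 64-bit key such as the MKEY above is eight bytes */

/* Early-exit compare, the structure the slide hypothesizes for an 8-bit CPU.
   'steps' receives the number of loop iterations executed, which stands in for
   what a single-stepped, externally clocked measurement would observe. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n, unsigned *steps)
{
    unsigned count = 0;
    for (size_t i = 0; i < n; i++) {
        count++;
        if (a[i] != b[i]) {      /* first mismatch ends the loop, so runtime grows with the matched prefix */
            *steps = count;
            return 0;
        }
    }
    *steps = count;
    return 1;
}

/* Constant-time compare: every byte is always visited and mismatches are folded
   into an accumulator with OR, so the iteration count and branch pattern are the
   same for any pair of inputs of length n. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n, unsigned *steps)
{
    volatile uint8_t diff = 0;   /* volatile discourages the compiler from re-creating an early exit */
    unsigned count = 0;
    for (size_t i = 0; i < n; i++) {
        count++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    *steps = count;
    return diff == 0;
}

/* Build a guess that agrees with a constructed secret in its first 'matched'
   bytes and differs in the next one, run the chosen compare, and return the
   step count. matched == KEY_BYTES yields the fully correct value. */
unsigned steps_for_guess(int use_constant_time, unsigned matched)
{
    const uint8_t secret[KEY_BYTES] = {0x4A,0x00,0xFF,0x13,0x7E,0x21,0xC5,0x9B}; /* constructed */
    uint8_t guess[KEY_BYTES];
    for (unsigned i = 0; i < KEY_BYTES; i++)
        guess[i] = (i < matched) ? secret[i] : (uint8_t)(secret[i] ^ 0x01);
    unsigned steps;
    if (use_constant_time) ct_compare(secret, guess, KEY_BYTES, &steps);
    else leaky_compare(secret, guess, KEY_BYTES, &steps);
    return steps;
}

int main(void)
{
    printf("matched  leaky_steps  ct_steps\n");
    for (unsigned m = 0; m <= KEY_BYTES; m++)
        printf("%7u  %11u  %8u\n", m, steps_for_guess(0, m), steps_for_guess(1, m));
    return 0;
}
```

The table printed by main is the whole point: with the early-exit routine the step count is one more than the number of correct leading bytes, so the measurement grades each guess; with the constant-time routine every row reads 8 and the timing carries no information about the secret. Comparing fixed-length secrets this way (or comparing hashes of the values) is the standard defence, and the PLL mentioned above addresses the active clock manipulation but not this passive measurement.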

46 Security Through Obscurity
"Security through obscurity" does not work
  Provides a false sense of security to designers/users
  Might temporarily discourage an attacker, but it only takes one to discover it
Weak tactics to look out for when hacking "secure" hardware products:
  Encoded forms of fixed data
  Scrambled address lines through extra logic
  Intentionally messy/lousy code
  Spurious and meaningless data ("signal decoys")

47 Hardware Hacking Challenges
Advances in chip packaging
  Ultra-fine pitch and chip-scale packaging (e.g., BGA, COB, CIB)
  Not as easy to access pins/connections to probe
  Discrete components can now easily be inhaled
Highly-integrated chips (sub-micron)
  Difficult, but not impossible, to probe and modify
High speed boards
  Processor and memory bus > hundreds of MHz
  Serial bus speeds approaching Gigabit/sec.

Based on a presentation by Bunnie Huang at O'Reilly's Emerging Tech conference in April 2004. Designing with and probing high-speed bus lines requires some finesse. Discrete components can be smaller than a grain of salt.

48 Hardware Hacking Challenges 2
Cost of equipment
  Advanced tools still beyond the reach of the average hobbyist (probing, decapping, SEMs, etc.)
  "State of the art" defined by what hackers can find in the trash and at swap meets
Societal pressures
  Hardware hacking is practically mainstream, but "hacker" is still a naughty word

49 Conclusions
Hardware hacking is approaching a mainstream activity
Plays an important role in the balance between consumers and corporations (e.g., The Man)
Think as a designer would
Nothing is ever 100% secure
Given enough time, resources, and motivation, you can break anything
The possibilities are endless
Have fun!

You can't fully exploit a product without understanding how it is designed - get inside the mind of the developer. It has been said that "The only way to stop a hacker is to think like one" - well, being a hacker, think of it in reverse: "the only way to defeat a designer is to think like one." Nothing is 100% secure. The best that product designers try to do, if anything, is to "raise the bar" - given enough time and effort, the bar can be broken.

50 References
[1] J. Grand, et al., "Hack Proofing Your Network: 2nd Edition," Syngress Publishing, 2002.
[2] J. Grand (Kingpin), "Palm OS Password Lockout Bypass," March 2001, palm_backdoor_debug_advisory.txt
[3] S.H. Weingart, "Physical Security Devices for Computer Subsystems: A Survey of Attacks and Defenses," Workshop on Cryptographic Hardware and Embedded Systems, 2000.
[4] A. Huang, "Hacking the Xbox: An Introduction to Reverse Engineering," No Starch Press, 2003.
[5] J. Grand (Kingpin), "Attacks on and Countermeasures for USB Hardware Token Devices," Proceedings of the Fifth Nordic Workshop on Secure IT Systems, 2000, token.pdf
[6] P. Gutmann, "Secure Deletion from Magnetic and Solid-State Memory Devices," Sixth USENIX Security Symposium, 1996, library/proceedings/sec96/full_papers/gutmann/index.html

51 References 2
[7] S. Skorobogatov, "Breaking Copy Protection in Microcontrollers."
[8] W. van Eck, "Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?" Computers and Security, 1985.
[9] J.R. Rao and P. Rohatgi, "EMPowering Side-Channel Attacks," IBM Research Center.
[10] J. Loughry and D.A. Umphress, "Information Leakage from Optical Emanations," ACM Transactions on Information and System Security, v.5, #3, August 2002.
[11] M. Kuhn, "Optical Time-Domain Eavesdropping Risks of CRT Displays," Proceedings of the 2002 IEEE Symposium on Security and Privacy, May 2002.
[12] P. Kocher, J. Jaffe, and B. Jun, "Overview of Differential Power Analysis."

52 Appendix A: Additional Resources
J. Grand, et al., "Hardware Hacking: Have Fun While Voiding Your Warranty," Syngress Publishing, January 2004.
J. Grand, "Practical Secure Hardware Design for Embedded Systems," Proceedings of the 2004 Embedded Systems Conference, 2004, files/security/hardware/practical_secure_hardware_design.pdf
A. Huang, "Keeping Secrets in Hardware: the Microsoft XBox Case Study," Massachusetts Institute of Technology AI Memo, May 2002.
F. Beck, "Integrated Circuit Failure Analysis - A Guide to Preparation Techniques," John Wiley & Sons, 1998.
O. Kömmerling and M. Kuhn, "Design Principles for Tamper-Resistant Smartcard Processors," USENIX Workshop on Smartcard Technology, 1999, ac.uk/~mgk25/sc99-tamper.pdf
R.G. Johnston and A.R.E. Garcia, "Vulnerability Assessment of Security Seals," Journal of Security Administration, 1997, library/lanl_ pdf

53 Appendix B: Related Web Sites
Cambridge University Security Group - TAMPER Laboratory
Molecular Expressions: Chip Shots Gallery
Bill Miller's CircuitBending.com
Virtual-Hideout.Net
LinuxDevices.com - The Embedded Linux Portal
Roomba Community - Discussing and Dissecting the Roomba
TiVo Techies

Just a few fun sites to visit...

54 Appendix C: Tools of the Warranty Voiding Trade
Bright overhead lighting or desk lamp
Protective gear (mask, goggles, rubber gloves, smock, etc.)
ESD protection (anti-static mat and wriststrap)
Screwdrivers
X-ACTO hobby knife
Dremel tool
Needle file set

Specific information and details can be found in my "Hardware Hacking: Have Fun While Voiding Your Warranty" or "Game Console Hacking" book.

55 Appendix C: Tools of the Warranty Voiding Trade 2
Wire brushes
Sandpaper
Glue
Tape
Cleaning supplies
Variable-speed cordless drill w/ drill bits
Heat gun and heat-shrink tubing
Center punch

56 Appendix C: Tools of the Warranty Voiding Trade 3
Nibbling tool
Jigsaw
Wire stripper/clipper
Needle-nose pliers
Tweezers
Soldering iron w/ accessories (solder sucker, various tips, etc.)
Basic electronic components

57 Appendix C: Tools of the Warranty Voiding Trade 4
Microscope
Digital and analog multimeters
Adjustable power supply
Device programmer
UV EPROM eraser
PCB etching kit
Oscilloscope
Logic analyzer

58 Appendix D: Where to Obtain the Tools
The Home Depot
Lowe's
Hobby Lobby
McMaster-Carr
Radio Shack
Digi-Key
Contact East
Test Equity

Only a sampling, obviously...

59 Thanks! Joe Grand (Kingpin) joe@grandideastudio.com
Please fill out SPEAKER EVALUATIONS - helpful to gauge interest in the talk and make necessary changes.
GIVE AWAY HARDWARE HACKING BOOK
HH book signing in the vendor area right after this talk!
