A Simple Analysis of MCU Cracking Technology

The security level of MCUs is gradually improving. Some vendors have even introduced dedicated secure master controllers, a positive development that shows more attention is being paid to information and program security in the embedded field. However, in many specialized industries, such as consumer electronics, low-cost communication modules, and power control systems, cost constraints and short product cycles make it impractical to use a highly secure master MCU. As a result, many products still rely on 51-series microcontrollers. Most people know that 51 MCUs are easy to crack, but few understand *why* they are vulnerable or *how* the process works. In this article I share some insights drawn from online resources and my own experience, giving a basic analysis of MCU cracking techniques.

Cracking an MCU may seem complicated, but it is not as daunting as it sounds. It resembles product development: you identify the customer's needs, set technical specifications, assign tasks, debug the hardware, test functionality, and run environmental tests. Within the industry there are many decryption methods, and each practitioner approaches the job differently, but the methods generally fall into three categories: software cracking, hardware cracking, and hybrid approaches.

**1. Software Cracking**

This method uses software tools to bypass the security mechanisms of the target MCU without causing physical damage. It is commonly applied to chips such as WINBOND and SYNCMOS MCUs and to GAL gate arrays. The decryption device executes the on-chip program, issues off-chip instructions, and intercepts the resulting data. Once the data is decrypted (or, for a GAL, once the logic has been guessed), the internal program can be recovered.

**2. Hardware Cracking**

The process typically involves several steps:

1. **Testing**: A high-end programmer is used to verify that the chip works and to save its configuration.
2. **Opening the Package**: The MCU package is removed manually or with special tools. Although the term "cover" suggests a physical lid, the MCU is in fact an integrated circuit supplied in packages such as TSSOP28 or QFN28.
3. **Circuit Modification**: Working from the relevant schematics, the circuit is modified to make the MCU's memory readable. Some MCUs block access to Flash or E2PROM by default through built-in protection circuitry; cutting those connections makes the program accessible.
4. **Reading the Program**: Once modified, the program can be read directly with a programmer, yielding a HEX or BIN file.
5. **Programming the Target**: The extracted program is burned into a new MCU, completing the cracking process.

**3. Hybrid Method**

This approach combines software and hardware techniques and requires a deep understanding of the chip's internal architecture. Other methods, such as electronic probing attacks and fault-injection techniques, also exist, but their ultimate goal is the same: to replicate the function of the target MCU. It is important to note that current technology cannot fully restore the original source program from an MCU; at least in China, this is not feasible.

To counter these threats, encryption chips were developed. Initially they provided strong protection, but vulnerabilities were quickly discovered. Consider a real-world attack. The encryption scheme has both the MCU and the encryption chip store the same authentication key and algorithm. The MCU generates a random number and sends it to the encryption chip, which encrypts it with the secret key. The MCU then decrypts the response and compares the plaintext with the original random number. If they match, the program runs; otherwise an error is raised. Pirates, however, can reverse-engineer the program, locate the comparison point (for example, a CJNE instruction), remove the check, and reprogram the MCU. The MCU then runs normally without the encryption chip. Although this scheme appears secure, it has weaknesses: the entire decision rests on a single comparison, and if the MCU's own security is low, its HEX or BIN file (which holds the same key) can be extracted, leaving the system vulnerable.

In conclusion, understanding how MCUs are cracked is essential to developing stronger security measures. Only by knowing the enemy can we better protect our systems. This article has given a brief overview of common decryption techniques and highlights the importance of continuous innovation in embedded security.
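The challenge-response exchange described above, as an added C simulation that is not code from the article. The article names no concrete algorithm, so the 16-bit keyed rotate-and-XOR used here is a constructed toy stand-in, and the shared key and nonce values are made-up sample data; the point is to make visible that the MCU-side decision reduces to one equality test and that both sides hold the same key.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy "cipher" standing in for the unnamed shared-key algorithm.
   It is NOT a real cipher; it only gives the exchange something to compute. */
#define SHARED_KEY 0x5AC3u   /* assumed sample key, held by BOTH chip and MCU */

static uint16_t toy_encrypt(uint16_t plain, uint16_t key) {
    uint16_t x = plain ^ key;
    return (uint16_t)((x << 3) | (x >> 13));          /* rotate left by 3 */
}

static uint16_t toy_decrypt(uint16_t cipher, uint16_t key) {
    uint16_t x = (uint16_t)((cipher >> 3) | (cipher << 13)); /* rotate right by 3 */
    return x ^ key;
}

/* Encryption-chip side: encrypt whatever challenge arrives on the bus. */
static uint16_t encryption_chip_respond(uint16_t challenge) {
    return toy_encrypt(challenge, SHARED_KEY);
}

/* MCU side, as the article describes it: decrypt the response and compare it
   with the nonce. The whole authentication collapses to this one equality
   test, i.e. a single conditional branch (a CJNE on a 51-core part). */
static bool mcu_authenticate(uint16_t nonce, uint16_t response) {
    return toy_decrypt(response, SHARED_KEY) == nonce;
}

/* One full exchange. chip_present=false models the chip being absent: the
   response line floats high and reads back as 0xFFFF (assumed bus behaviour). */
static bool run_check(uint16_t nonce, bool chip_present) {
    uint16_t response = chip_present ? encryption_chip_respond(nonce) : 0xFFFF;
    return mcu_authenticate(nonce, response);
}

int main(void) {
    uint16_t nonce = 0x1234;  /* constructed sample "random number" */
    printf("chip present: %s\n", run_check(nonce, true)  ? "program runs" : "error");
    printf("chip absent:  %s\n", run_check(nonce, false) ? "program runs" : "error");
    return 0;
}
```

Because the MCU must hold SHARED_KEY to perform toy_decrypt, a firmware dump exposes the key itself, which is the second weakness the article points out.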
