Maker Pro

Security fuses / reverse engineering


Philipp Klaus Krause

PLDs like the ATF16V8B from Atmel have security fuses to prevent
reverse-engineering.
How difficult and expensive would it be to reverse-engineer a device
where such a security fuse is used?

Philipp
 

Luhan

Philipp said:
PLDs like the ATF16V8B from Atmel have security fuses to prevent
reverse-engineering.
How difficult and expensive would it be to reverse-engineer a device
where such a security fuse is used?


Probably more trouble and expense than just doing the engineering.

Luhan
 
Luhan said:
Probably more trouble and expense than just doing the engineering.

I did quite a lot of work on electron beam testers, so my approach would
be to try and de-encapsulate the chip without wrecking it, which is
expensive in its own right, then run the chip in the vacuum chamber of
a stroboscopic electron microscope set up for voltage contrast imaging
- an electron beam tester. Schlumberger sold one for years, but they
vanished into Credence a few years ago.
 

Luhan

I did quite a lot of work on electron beam testers, so my approach would
be to try and de-encapsulate the chip without wrecking it, which is
expensive in its own right, then run the chip in the vacuum chamber of
a stroboscopic electron microscope set up for voltage contrast imaging
- an electron beam tester. Schlumberger sold one for years, but they
vanished into Credence a few years ago.

Bribe a disgruntled former employee!

Luhan
 

Joel Kolstad

Philipp Klaus Krause said:
PLDs like the ATF16V8B from Atmel have security fuses to prevent
reverse-engineering.
How difficult and expensive would it be to reverse-engineer a device
where such a security fuse is used?

If it's really a 16V8 or similar size device, just reverse-engineering the
functionality (by brute force, if need be) is probably cheaper than actually
trying to figure out how to read back the actual fuses... unless there's
already a known exploit for the IC in question.
 

Philipp Klaus Krause

Joel said:
If it's really a 16V8 or similar size device, just reverse-engineering the
functionality (by brute force, if need be) is probably cheaper than actually
trying to figure out how to read back the actual fuses...

It is such a simple device. It can have up to 8 registered outputs.
Since the register's outputs can be fed back into the device, the
brute-force approach will be a little bit more complicated than just
treating the inputs as address lines, the outputs as data lines and thus
the whole PLD like a ROM.

Philipp
 

Mike

Philipp Klaus Krause said:
PLDs like the ATF16V8B from Atmel have security fuses to prevent
reverse-engineering.
How difficult and expensive would it be to reverse-engineer a device
where such a security fuse is used?

Possibly not very, but it depends. I suspect some of the other responders
have been thinking of reverse engineering the chip. I'm guessing that you
don't want to reverse engineer the chip, you simply want to read out the
data programmed into it. If so, don't reverse engineer the chip, just
replace the fuse.

The fuse material depends on the process - in modern CMOS processes, like
you're probably dealing with here, the fuse is most likely made from a
silicided poly layer. The fuse itself is a small section of poly - minimum
width and maybe 2x or 3x longer than it is wide. It's contacted on both ends
with a row of vias, with contacts extending up to M1, the first metal layer.

The poly can't be repaired, but the metal can be shorted with FIB - Focused
Ion Beam. Time on an FIB machine will cost you around $500 per hour, and
you're probably looking at 15 to 30 minutes to cut through the glass to
expose the metal, then deposit the new metal. Before you do that, you're
going to need to find where to make the repair. For that, you'll need
someone with a good microscope and a reasonable idea of what the circuits
look like. That will probably cost $100 per hour or more, and if you're
looking for a precise answer, you'll probably have to spend $1000 or more
for the engineer. If you're in luck, Atmel didn't cover their fuses with
metal when they were done with them, and you'll be able to find them and get
to them easily. If they did, you'll have to spend a little more time reverse
engineering the fuse circuit (but not the entire chip). You could probably
find out whether it's an easy or a hard job for less than $500, and if it's
an easy job, it could probably be done for less than $1000 total. If Atmel
made things a little more difficult to get to, it could cost much more.

-- Mike --
 