Home Page PCB Copy Contact Us FAQ Search
Break Microcontroller
Everything they make, we can break!


Design Principles for Tamper-Resistant Smartcard Processors

Oliver Kommerling & Markus G. Kuhn



We describe techniques for extracting protected software and data from smartcard processors. This includes manual microprobing, laser cutting, focused ion-beam manipulation, glitch attacks, and power analysis. Many of these methods have already been used to compromise widely- elded conditional-access systems, and current smartcards o er little protection against them. We give examples of lowcost protection concepts that make such attacks considerably more difficult.

1 Introduction
Smartcard piracy has become a common occurrence. Since around 1994, almost every type of
smartcard processor used in European, and later also American and Asian, pay-TV conditional-access systems has been successfully reverse engineered. Compromised secrets have been sold in the form of illicit clone cards that decrypt TV channels without revenue for the broadcaster. The industry has had to update the security processor technology several times already and the race is far from over.

Smartcards promise numerous security bene ts. They can participate in cryptographic protocols, and unlike magnetic stripe cards, the stored data can be protected against unauthorized access. However, the strength of this protection seems to be frequently overestimated.

In Section 2, we give a brief overview on the most important hardware techniques for breaking into smartcards. We aim to help software engineers without a background in modern VLSI test techniques in getting a realistic impression of how physical tampering works and what it costs. Based on our observations of what makes these attacks particularly easy, in Section 3 we discuss various ideas for countermeasures. Some of these we believe to be new, while others have already been implemented in products but are either not widely used or have design flaws that have allowed us to circumvent them.

2 Tampering Techniques
We can distinguish four major attack categories:

A. Microprobing techniques can be used to access the chip surface directly, thus we can observe, manipulate, and interfere with the integrated circuit.

B. Software attacks use the normal communication interface of the processor and exploit security vulnerabilities found in the protocols, cryptographic algorithms, or their implementation.

C. Eavesdropping techniques monitor, with high time resolution, the analog characteristics of all supply and interface connections and any other electromagnetic radiation produced by the processor during normal operation.

D. Fault generation techniques use abnormal environmental conditions to generate malfunctions
in the processor that provide additional access.

All microprobing techniques are invasive attacks. They require hours or weeks in a specialized laboratory and in the process they destroy the packaging. The other three are non-invasive attacks. After we have prepared such an attack for a speci c processor type and software version, we can usually reproduce it within seconds on another card of the same type. The attacked card is not physically harmed and the equipment used in the attack can usually be
disguised as a normal smartcard reader.

Non-invasive attacks are particularly dangerous in some applications for two reasons. Firstly, the owner of the compromised card might not notice that the secret keys have been stolen, therefore it is unlikely that the validity of the compromised keys will be revoked before they are abused. Secondly, non-invasive attacks often scale well, as the necessary equipment (e.g., a small DSP board with special software) can usually be reproduced and updated at low cost.

The design of most non-invasive attacks requires detailed knowledge of both the processor and software. On the other hand, invasive microprobing attacks require very little initial knowledge and usually work with a similar set of techniques on a wide range of products. Attacks therefore often start with invasive reverse engineering, the results of which then
help to develop cheaper and faster non-invasive attacks. We have seen this pattern numerous times on the conditional-access piracy market.

Non-invasive attacks are of particular concern in applications where the security processor is primarily required to provide tamper evidence, while invasive attacks violate the tamper resistance characteristics of a card [1]. Tamper evidence is of primary concern in applications such as banking and digital signatures, where the validity of keys can easily be revoked and where the owner of the card has already all the access that the keys provide anyway. Tamper resistance is of importance in applications such as copyright enforcement, intellectual property protection, and some electronic cash schemes, where the security of an entire system collapses as soon as a few cards are compromised.

To understand better which countermeasures are of practical value, we rst of all have to understand the techniques that pirates have used so far to break practically all major smartcard processors on the market. In the next section, we give a short guided tour through a typical laboratory of a smartcard pirate.

2.1 Invasive Attacks

2.1.1 Depackaging of Smartcards
Invasive attacks start with the removal of the chip package. We heat the card plastic until it becomes flexible. This softens the glue and the chip module can then be removed easily by bending the card. We cover the chip module with 20{50 ml of fuming nitric acid heated to around 60 C and wait for the black epoxy resin that encapsulates the silicon die to completely dissolve (Fig. 1). The procedure should preferably be carried out under very dry conditions,
as the presence of water could corrode exposed aluminium interconnects. The chip is then washed with acetone in an ultrasonic bath, followed optionally by a short bath in deionized water and isopropanol. We remove the remaining bonding wires with tweezers, glue the die into a test package, and bond its pads manually to the pins (Fig. 2). Detailed descriptions of these and other preparation techniques are given in [2, 3].

Figure 1: Hot fuming nitric acid (> 98% HNO3)
dissolves the package without a ecting the chip.
Figure 2: The depackaged smartcard processor is glued into a test package, whose pins are then connected to the contact pads of the chip with ne aluminium wires in a manual bonding machine.

2.1.2 Layout Reconstruction
The next step in an invasive attack on a new processor is to create a map of it. We use an optical microscope with a CCD camera to produce several meter large mosaics of high-resolution photographs of the chip surface. Basic architectural structures, such as data and address bus lines, can be identied quite quickly by studying connectivity patterns and by tracing metal lines that cross clearly visible module boundaries (ROM, RAM, EEPROM, ALU, instruction decoder, etc.). All processing modules are usually connected to the main bus via easily recognizable latches and bus drivers. The attacker obviously has to be well familiar with CMOS VLSI design techniques and microcontroller architectures, but the necessary knowledge is easily available from numerous textbooks [4, 5, 6, 7].

Photographs of the chip surface show the top metal layer, which is not transparent and therefore obscures the view on many structures below. Unless the oxide layers have been planarized, lower layers can still be recognized through the height
variations that they cause in the covering layers. Deeper layers can only be recognized in a second series of photographs after the metal layers have been stripped o , which we achieve by submerging the chip for a few seconds in hydrofluoric acid (HF) in an ultrasonic bath [2]. HF quickly dissolves the silicon oxide around the metal tracks and detaches them from the chip surface. HF is an extremely dangerous substance and safety precautions have to be followed
carefully when handling it.

Figure 3: Left: CMOS AND gate imaged by a confocal microscope. Right: same gate after removal of metal layer (HF wet etching). Polysilicon interconnects and di usion areas are now fully visible. Figure 4: The vias in this structure found in a ST16F48A form a permutation matrix between the memory readout column lines and the 16:1 demultiplexer. The applied mapping remains clearly visible.

Figure 3 demonstrates an optical layout reconstruction of a NAND gate followed by an inverter. These images were taken with a confocal microscope (Zeiss Axiotron-2 CSM), which assigns di erent colors to di erent focal planes (e.g., metal=blue,
polysilicon=green) and thus preserves depth information [8]. Multilayer images like those shown in Fig. 3 can be read with some experience almost as easily as circuit diagrams. These photographs help us in understanding those parts of the circuitry that are relevant for the planned attack.

If the processor has a commonly accessible standard architecture, then we have to reconstruct the layout only until we have identi ed those bus lines and functional modules that we have to manipulate to access all memory values. More recently, designers of conditional-access smartcards have started to add proprietary cryptographic hardware functions that forced the attackers to reconstruct more complex circuitry involving several thousand transistors before the system was fully compromised. However, the use of standard-cell ASIC designs allows us to easily identify logic gates from their di usion area layout, which makes the task signi cantly easier than the reconstruction of a transistor-level netlist.

Some manufacturers use nontandard instruction sets and bus-scrambling techniques in their security processors. In this case, the entire path from the EEPROM memory cells to the instruction decoder and ALU has to be examined carefully before a successful disassembly of extracted machine code becomes possible. However, the attempts of bus scrambling that we encountered so far in smartcard processors were mostly only simple permutations of lines that can be spotted easily (Fig. 4).

Any good microscope can be used in optical VLSI layout reconstruction, but confocal microscopes have a number of properties that make them particularly suited for this task. While normal microscopes produce a blurred image of any plane that is out of focus, in confocal scanning optical microscopes, everything outside the focal plane just becomes dark [8]. Confocal microscopes also provide better resolution and contrast. A chromatic lens in the system can
make the location of the focal plane wavelength dependent, such that under white light different layers of the chip will appear simultaneously, but in di erent colors.

Automatic layout reconstruction has been demonstrated with scanning electron microscopy [9]. We consider confocal microscopy to be an attractive alternative, because we do not need a vacuum environment, the depth information is preserved, and the option of oil immersion allows the hiding of unevenly removed oxide layers. With UV microscopy, even chip structures down to 0.1 um can be resolved.

With semiautomatic image-processing methods, signi cant portions of a processor can be reverse engineered within a few days. The resulting polygon data can then be used to automatically generate transistor and gate-level netlists for circuit simulations.

Optical reconstruction techniques can also be used to read ROM directly. The ROM bit pattern
is stored in the di usion layer, which leaves hardly any optical indication of the data on the chip surface. We have to remove all covering layers using HF wet etching, after which we can easily recognize the rims of the di usion regions that reveal the stored bit pattern (Fig. 5).

Figure 5: The data of this NOR ROM becomes clearly visible when the covering metal and polysilicon access lines plus the surrounding eld oxide have been removed (HF wet etching). The image shows 1610 bits in an ST16xyz. Every bit is represented by either a present or missing di usion layer connection. Figure 6: The implant-mask layout of a NAND ROM can be made visible by a dopant-selective crystallographic etch (Dash etchand [2]). This image shows 16  14 bits plus parts of the row selector of a ROM found on an MC68HC05SC2x CPU. The threshold voltage of 0-bit p-channel transistors (stained dark here) was brought below 0 V through ion implantation.

Some ROM technologies store bits not in the shape of the active area but by modifying transistor threshold voltages. In this case, additional dopant-selective staining techniques have to be applied to make the bits visible (Fig. 6). Together with an understanding of the (sometimes slightly scrambled, see Fig. 4) memory-cell addressing, we obtain disassembler listings of the entire ROM content. Again, automated processing techniques can be used to extract the data from photos, but we also know cases where an enthusiastic smartcard hacker has reconstructed several kilobytes of ROM manually.

While the ROM usually does not contain any cryptographic key material, it does often contain enough I/O, access control, and cryptographic routines to be of use in the design of a non-invasive attack.

2.1.3 Manual Microprobing
The most important tool for invasive attacks is a microprobing workstation. Its major component is a special optical microscope (e.g., Mitutoyo FS-60) with a working distance of at least 8 mm between the chip surface and the objective lens. On a stable platform around a socket for the test package, we install several micropositioners (e.g., from Karl Suss, Micromanipulator, orWentworth Labs), which allow us to move a probe arm with submicrometer precision over a chip surface. On this arm, we install a \cat whisker" probe (e.g., Picoprobe T-4-10). This is a metal shaft that holds a 10 m diameter and 5 mm long tungsten-hair, which has been sharpened
at the end into a < 0:1 m tip. These elastic probe hairs allow us to establish electrical contact with on-chip bus lines without damaging them. We connect them via an ampli er to a digital signal processor card that records or overrides processor signals and also provides the power, clock, reset, and I/O signals needed to operate the processor via the pins of the
test package.

On the depackaged chip, the top-layer aluminium interconnect lines are still covered by a passivation layer (usually silicon oxide or nitride), which protects the chip from the environment and ion migration. On top of this, we might also nd a polyimide layer that was not entirely removed by HNO3 but which can be dissolved with ethylendiamine. We have to remove the passivation layer before the probes can establish contact. The most convenient depassivation technique is the use of a laser cutter (e.g., from New Wave Research).
Figure 7: This image shows 9 horizontal bus lines on a depackaged smartcard processor. A UV laser (355 nm, 5 ns) was used to remove small patches of the passivation layer over the eight data-bus lines to provide for microprobing access.

The UV or green laser is mounted on the camera port of the microscope and res laser pulses through the microscope onto rectangular areas of the chip with micrometer precision. Carefully dosed laser flashes remove patches of the passivation layer. The resulting hole in the passivation layer can be made so small that only a single bus line is exposed (Fig. 7). This prevents accidental contacts with neighbouring lines and the hole also stabilizes the position of the probe and makes it less sensitive to vibrations and temperature changes.

Complete microprobing workstations cost tens of thousands of dollars, with the more luxurious versions reaching over a hundred thousand US$. The cost of a new laser cutter is roughly in the same region.

Low-budget attackers are likely to get a cheaper solution on the second-hand market for semiconductor test equipment. With patience and skill it should not be too dicult to assemble all the required tools for even under ten thousand US$ by buying a second-hand microscope and using self-designed micropositioners. The laser is not essential for rst results, because vibrations in the probing needle can also be used to break holes into the passivation.

2.1.4 Memory Read-out Techniques
It is usually not practical to read the information stored on a security processor directly out of each single memory cell, except for ROM. The stored data has to be accessed via the memory bus where all data is available at a single location. Microprobing is used to observe the entire bus and record the values in memory as they are accessed.

It is difficult to observe all (usually over 20) data and address bus lines at the same time. Various techniques can be used to get around this problem. For instance we can repeat the same transaction many times and use only two to four probes to observe various subsets of the bus lines. As long as the processor performs the same sequence of memory accesses each time, we can combine the recorded bus subset signals into a complete bus trace. Overlapping bus lines in the various recordings help us to synchronize them before they are combined.

In applications such as pay-TV, attackers can easily replay some authentic protocol exchange with the card during a microprobing examination. These applications cannot implement strong replay protections in their protocols, because the transaction counters required to do this would cause an NVRAM write access per transaction. Some conditional-access cards have to perform over a thousand protocol exchanges per hour and EEPROM technology allows only 10sq4-10sq6 write cycles during the lifetime of a storage cell. An NVRAM transaction counter would damage the memory cells, and a RAM counter can be reset by the attacker easily by removing power. Newer memory technologies such as FERAM allow over 10sq9 write cycles, which should solve this problem.

Just replaying transactions might not suce to make the processor access all critical memory locations. For instance, some banking cards read critical keys from memory only after authenticating that they are indeed talking to an ATM. Pay-TV card designers have started to implement many different encryption keys and variations of encryption algorithms in every card, and they switch between these every few weeks. The memory locations of algorithm and key variations are not accessed by the processor before these variations have been activated by a signed message from the broadcaster, so that passive monitoring of bus lines will not reveal these secrets to an attacker early.

Sometimes, hostile bus observers are lucky and encounter a card where the programmer believed that by calculating and verifying some memory checksum after every reset the tamper-resistance could somehow be increased. This gives the attacker of course easy immediate access to all memory locations on the bus and simpli es completing the read-out operation considerably. Surprisingly, such memory integrity checks were even suggested in the smartcard security literature [10], in order to defeat a proposed memory rewrite attack technique [11]. This demonstrates the importance of training the designers of security processors and applications in performing a wide range of attacks before they start to design countermeasures. Otherwise, measures against one attack can far too easily back re and simplify other approaches in unexpected ways.

In order to read out all memory cells without the help of the card software, we have to abuse a CPU component as an address counter to access all memory cells for us. The program counter is already incremented automatically during every instruction cycle and used to read the next address, which makes it perfectly suited to serve us as an address sequence generator [12]. We only have to prevent the processor from executing jump, call, or return instructions, which would disturb the program counter in its normal read sequence. Tiny modi cations of the instruction decoder or program counter circuit, which can easily be performed by opening the right metal interconnect with a laser, often have the desired effect.

2.1.5 Particle Beam Techniques
Most currently available smartcard processors have feature sizes of 0.5{1 m and only two metal layers. These can be reverse-engineered and observed with the manual and optical techniques described in the previous sections. For future card generations with more metal layers and features below the wavelength of visible light, more expensive tools additionally might have to be used.

A focused ion beam (FIB) workstation consists of a vacuum chamber with a particle gun, comparable to a scanning electron microscope (SEM). Galliumions are accelerated and focused from a liquid metal cathode with 30 kV into a beam of down to 5{10 nm diameter, with beam currents ranging from 1 pA to 10 nA. FIBs can image samples from secondary particles similar to a SEMwith down to 5 nm resolution. By increasing the beam current, chip material can be removed with the same resolution at a rate of around 0.25 m3 nA?1 s?1 [13]. Better etch rates can be achieved by injecting a gas like iodine via a needle that is brought to within a few hundred micrometers from the beam target. Gas molecules settle down on the chip surface and react with removed material to form a volatile compound that can be pumped away and is not redeposited. Using this gas-assisted etch technique, holes that are up to 12 times deeper than wide can be created at arbitrary angles to get access to deep metal layers without damaging nearby structures. By injecting a platinum-based organo-metallic gas that is broken down on the chip surface by the ion beam, platinum can be deposited to establish new contacts. With other gas chemistries, even insulators can be deposited to establish surface contacts to deep metal without contacting any covering layers.

Using laser interferometer stages, a FIB operator can navigate blindly on a chip surface with 0.15um precision, even if the chip has been planarized and has no recognizable surface structures. Chips can also be polished from the back side down to a thickness of just a few tens of micrometers. Using laser-interferometer navigation or infrared laser imaging, it is then possible to locate individual transistors and contact them through the silicon substrate by FIB editing a suitable hole. This rear-access technique has probably not yet been used by pirates so far, but the technique is about to become much more commonly available and therefore has to be taken into account by designers of new security chips.

FIBs are used by attackers today primarily to simplify manual probing of deep metal and polysilicon lines. A hole is drilled to the signal line of interest, filled with platinum to bring the signal to the surface, where a several micrometer large probing pad or cross is created to allow easy access (Fig. 11). Modern FIB workstations (for example the FIB 200xP from FEI) cost less than half a million US$ and are available in over hundred organizations. Processing time can be rented from numerous companies all over the world for a few hundred dollars per hour.

Another useful particle beam tool are electron-beam testers (EBT) [14]. These are SEMs with a
voltage-contrast function. Typical acceleration voltages and beam currents for the primary electrons are 2.5 kV and 5 nA. The number and energy of secondary electrons are an indication of the local electric eld on the chip surface and signal lines can be observed with submicrometer resolution. The signal generated during e-beam testing is essentially the
low-pass ltered product of the beam current multiplied with a function of the signal voltage, plus noise. EBTs can measure waveforms with a bandwidth of several gigahertz, but only with periodic signals where stroboscopic techniques and periodic averaging can be used. If we use real-time voltage-contrast mode, where the beam is continuously directed to a single spot and the blurred and noisy stream of secondary electrons is recorded, then the signal bandwidth is limited to a few megahertz [14]. While such a bandwidth might just be sucient for observing a single signal line in a 3.5 MHz smartcard, it is too low to observe an entire bus with a
sample frequency of several megahertz for each line.

EBTs are very convenient attack tools if the clock frequency of the observed processor can be reduced below 100 kHz to allow real-time recording of all bus lines or if the processor can be forced to generate periodic signals by continuously repeating the same transaction during the measurement.

2.2 Non-invasive Attacks
A processor is essentially a set of a few hundred flipflops (registers, latches, and SRAM cells) that dene its current state, plus combinatorial logic that calculates from the current state the next state during every clock cycle. Many analog e ects in such a system can be used in non-invasive attacks. Some examples are:

 Every transistor and interconnection have a capacitance and resistance that, together with factors such as the temperature and supply voltage, determine the signal propagation delays. Due to production process fluctuations, these values can vary signi cantly within a single chip and between chips of the same type.

 A flipflop samples its input during a short time interval and compares it with a threshold voltage derived from its power supply voltage. The time of this sampling interval is fixed relative to the clock edge, but can vary between individual flipflops.

 The flipflops can accept the correct new state only after the outputs of the combinatorial logic have stabilized on the prior state.

 During every change in a CMOS gate, both the p- and n-transistors are open for a short time,
creating a brief short circuit of the power supply lines [15]. Without a change, the supply current remains extremely small.

 Power supply current is also needed to charge or discharge the load capacitances when an output changes.

 A normal flipflop consists of two inverters and two transmission gates (8 transistors). SRAM
cells use only two inverters and two transistors to ground one of the outputs during a write operation. This saves some space but causes a significant short-circuit during every change of a bit.

There are numerous other e ects. During careful security reviews of processor designs it is often necessary to perform detailed analog simulations and tests and it is not sucient to just study a digital abstraction. Smartcard processors are particularly vulnerable to non-invasive attacks, because the attacker has full control over the power and clock supply lines. Larger security modules can be equipped with backup batteries, electromagnetic shielding, low-pass lters, and autonomous clock signal generators to reduce many of the risks to which smartcard processors are particularly exposed.

2.2.1 Glitch Attacks
In a glitch attack, we deliberately generate a malfunction that causes one or more flipflops to adopt the wrong state. The aim is usually to replace a single critical machine instruction with an almost arbitrary other one. Glitches can also aim to corrupt data values as they are transferred between registers and memory. Of the many fault-induction attack techniques on smartcards that have been discussed in the recent literature [11, 12, 16, 17, 18], it has been our experience that glitch attacks are the ones most useful in practical attacks.

We are currently aware of three techniques for creating fairly reliable malfunctions that a ect only a very small number of machine cycles in smartcard processors: clock signal transients, power supply transients, and external electrical eld transients.

Particularly interesting instructions that an attacker might want to replace with glitches are conditional jumps or the test instructions preceding them. They create a window of vulnerability in the processing stages of many security applications that often allows us to bypass sophisticated cryptographic barriers by simply preventing the execution of the code that detects that an authentication attempt was unsuccessful. Instruction glitches can also be used to extend the runtime of loops, for instance in serial port output routines to see more of the memory after the output buffer [12], or also to reduce the runtime of loops, for instance to transform an iterated cipher function into an easy to break single-round variant [11].

Clock-signal glitches are currently the simplest and most practical ones. They temporarily increase the clock frequency for one or more half cycles, such that some flipflops sample their input before the new state has reached them. Although many manufacturers claim to implement high-frequency detectors in their clock-signal processing logic, these circuits are often only simple-minded lters that do not detect single too short half-cycles. They can be circumvented by carefully selecting the duty cycles of the clock signal during the glitch.

In some designs, a clock-frequency sensor that is perfectly secure under normal operating voltage ignores clock glitches if they coincide with a carefully designed power fluctuation. We have identi ed clock and power waveform combinations for some widely used processors that reliably increment the program counter by one without altering any other processor state. An arbitrary subsequence of the instructions found in the card can be executed by the attacker this way, which leaves very little opportunity for the program designer to implement e ective countermeasures in software alone.

Power fluctuations can shift the threshold voltages of gate inputs and anti-tampering sensors relative to the unchanged potential of connected capacitances, especially if this occurs close to the sampling time of the flipflops. Smartcard chips do not provide much space for large bu er capacitors, and voltage threshold sensors often do not react to very fast transients.

In a potential alternative glitch technique that we have yet to explore fully, we place two metal needles on the card surface, only a few hundred micrometers away from the processor. We then apply spikes of a few hundred volts for less than a microsecond on these needles to generate electrical elds in the silicon substrate of sucient strength to temporarily shift the threshold voltages of nearby transistors.

2.2.2 Current Analysis
Using a 10{15 resistor in the power supply, we can measure with an analog/digital converter the fluctuations in the current consumed by the card. Preferably, the recording should be made with at least 12-bit resolution and the sampling frequency should be an integer multiple of the card clock frequency.

Drivers on the address and data bus often consist of up to a dozen parallel inverters per bit, each driving a large capacitive load. They cause a significant power-supply short circuit during any transition. Changing a single bus line from 0 to 1 or vice versa can contribute in the order of 0.5{1 mA to the total current at the right time after the clock
edge, such that a 12-bit ADC is sucient to estimate the number of bus bits that change at a time. SRAM write operations often generate the strongest signals. By averaging the current measurements of many repeated identical transactions, we can even identify smaller signals that are not transmitted over the bus. Signals such as carry bit states are of special interest, because many cryptographic key scheduling algorithms use shift operations that single out indi-
vidual key bits in the carry flag. Even if the statusbit changes cannot be measured directly, they often cause changes in the instruction sequencer or microcode execution, which then cause a clear change in the power consumption.

The various instructions cause di erent levels of activity in the instruction decoder and arithmetic units and can often be quite clearly distinguished, such that parts of algorithms can be reconstructed. Various units of the processor have their switching transients at di erent times relative to the clock edges and can be separated in high-frequency measurements.

3 Countermeasures

3.1 Randomized Clock Signal
Many non-invasive techniques require the attacker to predict the time at which a certain instruction is executed. A strictly deterministic processor that executes the same instruction c clock cycles after each reset|if provided with the same input at every cycle|makes this easy. Predictable processor behaviour also simpli es the use of protocol reaction times as a covert channel.

The obvious countermeasure is to insert random-time delays between any observable reaction and critical operations that might be subject to an attack. If the serial port were the only observable channel, then a few random delay routine calls controlled by a hardware noise source would seem sufcient. However, since attackers can use cross correlation techniques to determine in real-time from the current fluctuations the currently executed instruction sequence, almost every instruction becomes an observable reaction, and a few localized delays will not suce.

We therefore strongly recommend introducing timing randomness at the clock-cycle level. A random bit-sequence generator that is operated with the external clock signal should be used to generate an internal clock signal. This will e ectively reduce the clock frequency by a factor of four, but most smartcards anyway reduce internally the 3.5 MHz provided for contact cards and the 13 MHz provided for contact-less cards.

Hardware random bit generators (usually the amplified thermal noise of transistors) are not always good at producing uniform output statistics at high bit rates, therefore their output should be smoothed with an additional simple pseudo-random bit generator.

The probability that n clock cycles have been executed by a card with a randomized clock signal after c clock cycles have been applied can be described as a binomial distribution:

So for instance after we have sent 1000 clock cycles to the smartcard, we can be fairly sure (probability > 1 ? 10?9) that between 200 and 300 of them have been executed. This distribution can be used to verify that safety margins for timing-critical algorithms|such as the timely delivery of a pay-TV control word|are met with suciently high probability.

Only the clock signals of circuitry such as the serial port and timer need to be supplied directly with the external clock signal, all other processor parts can be driven from the randomized clock.

A lack of switching transients during the inactive periods of the random clock could allow the attacker to reconstruct the internal clock signal from the consumed current. It is therefore essential that the processor shows a characteristic current activity even during the delay phases of the random clock. This can be accomplished by driving the bus with random values or by causing the microcode to perform a write access to an unused RAM location while the processor is inactive.

3.2 Randomized Multithreading
To introduce even more non-determinism into the execution of algorithms, it is conceivable to design a multithreaded processor architecture [19] that schedules the processor by hardware between two or more threads of execution randomly at a per-instruction level. Such a processor would have multiple copies of all registers (accumulator, program counter, instruction register, etc.), and the combinatorial logic would be used in a randomly alternating way to progress the execution state of the threads represented by these respective register sets.

The simple 8-bit microcontrollers of smartcards do not feature pipelines and caches and the entire state is de ned only by a very small number of registers that can relatively easily be duplicated. The only other necessary addition would be new machine instructions to fork o the other thread(s) and to synchronize and terminate them. Multithreaded applications could interleave some of the many independent cryptographic operations needed in security protocols. For the remaining time, the auxiliary threads could just perform random encryptions in order to generate an realistic current pattern during the delay periods of the main application.

3.3 Robust Low-frequency Sensor
Bus-observation by e-beam testing becomes much easier when the processor can be clocked with only a few kilohertz, and therefore a low-frequency alarm is commonly found on smartcard processors. However, simple high-pass or low-pass RC elements are not sucient, because by carefully varying the duty cycle of the clock signal, we can often prevent the activation of such detectors. A good low-frequency sensor must trigger if no clock edge has been seen for
longer than some speci ed time limit (e.g., 0.5 s). In this case, the processor must not only be reset immediately, but all bus lines and registers also have to be grounded quickly, as otherwise the values on them would remain visible sufficiently long for a voltage-contrast scan.

Even such carefully designed low-frequency detectors can quite easily be disabled by laser cutting or FIB editing the RC element. To prevent such simple tampering, we suggest that an intrinsic self-test be built into the detector. Any attempt to tamper with the sensor should result in the malfunction of the entire processor. We have designed such a circuit that
tests the sensor during a required step in the normal reset sequence. External resets are not directly forwarded to the internal reset lines, but only cause an additional frequency divider to reduce the clock signal. This then activates the low-frequency detector, which then activates the internal reset lines, which nally deactivate the divider. The processor has now passed the sensor test and can start normal operation. The processor is designed such that it
will not run after a power up without a proper internal reset. A large number of FIB edits would be necessary to make the processor operational without the frequency sensor being active.

Other sensor defenses against invasive attacks should equally be embedded into the normal operation of the processor, or they will easily be circumvented by merely destroying their signal or power supply connections.

3.4 Destruction of Test Circuitry

Microcontroller production has a yield of typically around 95%, so each chip has to be thoroughly tested after production. Test engineers|like microprobing attackers|have to get full access to a complex circuit with a small number of probing needles. They add special test circuitry to each chip, which is usually a parallel/serial converter for direct access to many bus and control lines. This test logic is accessible via small probing pads or multiplexed via the normal I/O pads. On normal microcontrollers, the test circuitry remains fully intact after the test. In
smartcard processors, it is common practice to blow polysilicon fuses that disable access to these test circuits (Fig. 8). However, attackers have been able to reconnect these with microprobes or FIB editing, and then simply used the test logic to dump the entire memory content.
Figure 8: The interrupted white line at the bottom of the cavity in this FIB secondary-electron image is a blown polysilicon fuse next to a test pad
(MC68HC05SC2x processor).

Therefore, it is essential that any test circuitry is not only slightly disabled but structurally destroyed by the manufacturer. One approach is to place the test interface for chip n onto the area of chip n + 1 on the wafer, such that cutting the wafer into dies severs all its parallel connections. A wafer saw usually removes a 80{200 m wide area that often only contains a few process control transistors. Locating essential parts of the test logic in these cut areas would eliminate any possibility that even substantial FIB edits could reactivate it.

3.5 Restricted Program Counter
Abusing the program counter as an address pattern generator signi cantly simpli es reading out the entire memory via microprobing or e-beam testing.

Separate watchdog counters that reset the processor if no jump, call, or return instruction is executed for a number of cycles would either require many transistors or are too easily disabled.

Instead, we recommend simply not providing a program counter that can run over the entire address space. A 16-bit program counter can easily be replaced with the combination of a say 7-bit o - set counter O and a 16-bit segment register S, such that the accessed address is S + O. Instead of overflowing, the o set counter resets the processor after reaching its maximum value. Every jump, call, or return instruction writes the destination address into S and resets O to zero. The processor will now be completely unable to execute more than 127 bytes of machine code without a jump, and no simple FIB edit will change this. A simple machine-code post-processor must be used by the programmer to insert jumps to the next address wherever unconditional branches are more than 127 bytes apart.

With the program counter now being unavailable, attackers will next try to increase the number of iterations in software loops that read data arrays from memory to get access to all bytes. This can for instance be achieved with a microprobe that performs a glitch attack directly on a bus-line. Programmers who want to use 16-bit counters in loops should keep
this in mind.

3.6 Top-layer Sensor Meshes
Additional metallization layers that form a sensor mesh above the actual circuit and that do
not carry any critical signals remain one of the more e ective annoyances to microprobing attackers. They are found in a few smartcard CPUs such as the ST16SF48A or in some battery-bu ered SRAM security processors such as the DS5002FPM and DS1954.

A sensor mesh in which all paths are continuously monitored for interruptions and short-circuits while power is available prevents laser cutter or selective etching access to the bus lines. Mesh alarms should immediately trigger a countermeasure such as zeroizing the non-volatile memory. In addition, such meshes make the preparation of lower layers more dicult, because since the etch progresses unevenly through them, their pattern remains visible in the layers below and therefore they complicate automatic layout reconstruction. Finally, a mesh on
top of a polished oxide layer hides lower layers, which makes navigation on the chip surface for probing and FIB editing more tedious.

Figure 9: Escape route for imprisoned crypto bits: The ST16SF48A designers generously added this redundant extension of the bus several micrometers beyond the protected mesh area, providing easy probing access. Figure 10: Every second line is connected to VCC or GND at one end and open at the other. Not all are used to supply lower layers and therefore some can safely be opened with a laser for probing access to the bus lines below.

The implementations of sensor meshes in elded products however show a number of quite surpris-
ing design flaws that signi cantly reduce the protection (Fig. 9 and 10). The most signi cant flaw is that a mesh breach will only set a flag in a status register and that zeroization of the memory is left completely to the application software. We noted in Section 2.1.4 that a common read-out technique involves severely disabling the instruction decoder, therefore software checks for invasive attacks are of little use. A well-designed mesh can make attacks by manual microprobing alone rather dicult, and more sophisticated FIB editing procedures will be required to bypass it. Several techniques can be applied here. The resolution of FIB drilling is much smaller than the mesh line spacings, therefore it is no problem to establish contact through three or more metal layers and make deeply buried signals accessible for microprobing via a platinum or tungsten pad on top of the passivation layer (Fig. 11). Alternatively, it is also possible to etch a larger window into the mesh and then reconnect the loose ends with FIB metal deposits around it.

Figure 11: A FIB was used here to drill a ne hole to a bus line through the gap between two sensor mesh lines, re ll it with metal, and place a metal cross on top for easy microprobing access.

4 Conclusion
We have presented a basis for understanding the mechanisms that make microcontrollers partic-
ularly easy to penetrate. With the restricted program counter, the randomized clock signal, and
the tamper-resistant low-frequency sensor, we have shown some selected examples of low-cost countermeasures that we consider to be quite e ective against a range of attacks.

There are of course numerous other more obvious countermeasures against some of the commonly
used attack techniques which we cannot cover in detail in this overview. Examples are current regulators and noisy loads against current analysis attacks and loosely coupled PLLs and edge barriers against clock glitch attacks. A combination of these together with e- eld sensors and randomized clocks or perhaps even multithreading hardware in new processor designs will hopefully make high-speed non-invasive attacks considerably less likely to succeed. Other
countermeasures in elded processors such as light and depassivation sensors have turned out to be of little use as they can be easily bypassed.

We currently see no really e ective short-term protection against carefully planned invasive tampering involving focused ion-beam tools. Zeroization mechanisms for erasing secrets when tampering is detected require a continuous power supply that the credit-card form factor does not allow. The attacker can thus safely disable the zeroization mechanism before powering up the processor. Zeroization remains a highly e ective tampering protection for larger security modules that can a ord to store secrets in battery-backed SRAM (e.g., DS1954 or IBM 4758), but this is not yet feasible for the smartcard package.




Lattice ISP LSI 1016, 1024, 1032
Lattice M4A3-32, M4A3-64, M4A3-128, M4A3-256
Lattice M4A5-32, M4A5-64, M4A5-128, M4A5-256

Xilinx XC9536, XC9572, XC95108, XC95144, XC95216, XC95288
Xilinx XC9536XL, XC9572XL, XC95144XL, XC95288XL


Atmel AT89C51, AT89C52, AT89C55, AT89C1051, AT89C2051, AT89C4051, AT89S51, AT89S52, AT87F51, AT87F54, AT87F58, P89C51, P89C52, P89C54, P89C58
Atmel AT90S1200, AT90S1200A, AT90S2313, AT90S2323, AT90S2343, AT90S2333, AT90S4433, AT90S4414, AT90S4434, AT90S8515, AT90S8515A, AT90S8535

AMD, Intel, and Others 8742, 8749, 8752, 87C51, 87C52, ETC.

copy protection protection removal Code protection remove
Dallas Semiconductor DS5000

Hitachi H8/3002, H8/3008, H8/3032, H8/3042, H8/3048, H8/3052, H8/3334, H8/3337, H8/3437, H8/3637, H8/3664, H8/3724, H8/3834

crypto processor code recovery antifuse retrieve code fuse blown Tamper resistant
Microchip 12C508, 12C508A, 12C509, 12C509A, 12CE516, 12C671, 12C672
Microchip 16C54, 16C54A, 16C54B, 16C54C, 16C55, 16C56, 16C56A, 16C57
Microchip 16C84, 16F84
Microchip 16C58, 16C58A
Microchip 16C62A, 16C62B
Microchip 16C620, 16C620A, 16C621, 16C621A, 16C622, 16C622A
Microchip 16F84A, 16F627, 16F628, 16F870, 16F871, 16F872, 16F873, 16F874, 16F876, 16F877

Motorola MC68705P3, MC68705P5
Motorola MC68HC705C8, MC68HC705C8A, MC68HC705C9, MC68HC705C9A
Motorola MC68HC05B6, MC68HC05B8, MC68HC05B16, MC68HC05B32
Motorola MC68HC05X16, MC68HC05X32
Motorola MC68HC11A8, MC68HC11E9, MC68HC11E20, MC68HC11L6, MC68HC11KA2, MC68HC11KA4, MC68HC11KG2, MC68HC11KG4

MC68HC11A8AB95T MC68HC11A8C96N MC68HC11A8D26E MC68HC11E203E22B MC68HC11E91B60R MC68HC11E9D82R MC68HC11E9E22B MC68HC11E9E28B MC68HC11EA92D47J MC68HC11F12F37E MC68HC11F1E87J MC68HC11K12D58N MC68HC11K41E62H MC68HC11K4OE75J MC68HC11KA41E59B MC68HC11KS20H95B MC68HC11KS40E57S MC68HC11KS40F60M MC68HC711E201H19S MC68HC711E94K81H MC68HC711E95C47M MC68HC711EA90D46J MC68HC711K4K59D MC68HC711PH80H30R MC68S711E95C47M MC68HC711KS81H96P MC68HC11P22E74J MC68HC711P21E53M

MC68HC705C4(A)/C8(A)SR3/JIA/P6A ... ...
MC68HC705C4 MC68HC705C4A MC68HC705C8 MC68HC705C8A MC68HC705C9 MC68HC705C9A MC68HC705SR3 MC68HC705J1A MC68HC705B16 MC68HC705B32 MC68HC705X16 MC68HC705X32 MC68HC05B6 MC68HC05B8 MC68HC05B16 MC68HC05B32 MC68HC05X16 MC68HC05X32 MC68HC05H120H57A

MC68HC908AB/AS/AZ ... ...
MC68HC908AZ602J74Y MC68HC908AZ604J74Y MC68HC908AZ60A3K85K MC68HC908AS603J74Y MC68HC908AS60A1L87J MC68HC908AB323K56G MC68HC08AZ601J35D MC68HC08AZ320J66D MC68HC08AZ321H56A MC68HC08AS200H94K MC68HC08AZ32A1L52H

MC9S12A/MC9S12C/MC9S12D/MC9S12DJ/MC9S12DG/MC9S12DP/MC9S12DT/MC9S12GC ... ...
MC68HC912DC128A3K91D MC68HC912DC1280K50E MC68HC912DG1285H55W MC68HC912DG128A3K91D MC68HC912DG1280K50E MC68HC912D60A2K38K MC68HC912D600K75F MC68HC912D600K13J MC68HC912D604F73K MC68HC912B324J54E MC68HC912B329H91F MC9S12DG128B0L85D MC9S12DT128B0L85D MC9S12A128B0L85D MC9S12DB128B0L85D MC9S12DT128B1L85D MC9S12DG256C2K79X MC9S12DT256C2K79X MC9S12H1281K78X MC9S12H2561K78X MC9S12DP256C2K79X MC9S12DT128B3L40K MC9S12DP5121L00M

NEC uPD78F9026, uPD78F9046, uPD78F9116, uPD78F9136

TI MSP430F110, MSP430F112, MSP430F1101, MSP430F1111, MSP430F1121,
MSP430F122, MSP430F123, MSP430F1222, MSP430F1232, MSP430F133,
MSP430F135, MSP430F147, MSP430F148, MSP430F149, MSP430F412,
MSP430F413, MSP430F435, MSP430F436, MSP430F437, MSP430F447,
MSP430F448, MSP430F449, bus encryption, cryptography, secure microprocessor, crypto processor

Ubicom/ Scenix SX18, SX20, SX28, SX48, SX52

P89c238, P89C638, HY97C51, HY97C52, HY97C2051

1. S4 8 bit (EPROM) lib. V3.00

27010 27128 27128A 2716 2716B 27256 2732 2732A 2732B 27512 2764 2764A 27C010 27C020 27C040 27C080 27C100 27C128 27C256 27C512 27C512L 27C64 27H010 27H256 27HB010 9716

27256 27C010 27C010L 27C011 27C020 27C040 27C080 27C128 27C256 27C256R 27C512 27C512R 27C513 27CL010 27HC256 27HC256R 27HC64 27LV010 27LV040 27LV256R 27LV512R

27010 27128A 27256 27512 2764A 27HC010 27HC256

27C128 27C256 27H010 27H256 27H512

27C040 27C256

27128 2716 2716H 27256 2732 2732A 2764 27C1000 27C1001 27C128 27C128P 27C256 27C256A 27C256H 27C32A 27C512 27C64

27128 27128A 2716 27256 27256A 27256H 2732 2732A 27512 2764 27C101 27C101-1BP 27C101A 27C256 27C256A 27C256H 27C301 27C301A 27C4001 27C512 27C64 HD647180

2764 27C64


27010 27011 27128 27128A 27128B 2716 27256 2732 2732A 27512 27513 2758 2764 2764A 27C010 27C011 27C020 27C040 27C100 27C128 27C256 27C512 27C513 27C64
87256 8764 8764 87C256 87C257 87C64

Holtek HT46R04 HT46R12 HT46R14 HT46R22 HT46R23 HT46R232 HT46R24 HT46R46 HT46R47 HT46R48 HT46R51 HT46R52 HT46R53 HT46R54 HT46R62 HT46R63 HT46R64 HT46R65 HT46R652 HT46R71 HT46R72 HT46R73 HT46R74 HT46R82 HT46R83 HT46R84 HT46RB50 HT46RB70 HT46RU25 HT46RU66 HT47R10 HT47R20 HT48R05 HT48R06 HT48R07 HT48R08 HT48R09 HT48R10 HT48R30 HT48R37 HT48R50 HT48R52 HT48R70 HT48RA0 HT48RA1 HT48RA3 HT48RA5 HT48RB8 HT48RU90 HT48X50 HT49R30 HT49R50 HT49R70 HT49R84 HT49RA0 HT49RB50 HT49RB70 HT49RU90 HT49RV3 HT49RV5 HT49RV7 HT49RV9 HT57R20
HT81R03 HT81R09 HT81R18 HT81R36 HT82A802 HT82A821 HT82A822 HT82A832 HT82J97E HT82J98E HT82K68E HT82K69E HT82K70E HT82K71E HT82K72E HT82K73E HT82K75E HT82K92E HT82K92E HT82K94E HT82K95E HT82K96E HT82M72E HT82M99E HT82M9AE HT82M9BE HT86384R HT86R192 HT86R384 HT89R10 HT94801 HT95A10P HT95A20P HT95A30P HT95A40P HT95C20P HT95C30P HT95C40P HT95L00P HT95L10P HT95L20P HT95L30P HT95L40P
HTG2130R HTG2150R HTG2160R HTG2190R HTG21A0R HTPK2U10 UI08VIP3 ZU01ZUP3 ZU01ZUP411 ZU01ZUP511 ZU02ZUP1 ZU04ZUP1 ZU07ZUP111

27C1000 27C1001 27C2000 27C256 27C4000 27C512 27C8000 27L1000 27L256 27L4000 27L512

27128 2764

27256 27C128 27C256 27C512 27C64 27HC256 27HC64

27128 27128 27128A 2716 27256 2732 2732A 27512 2764 2764 27C100 27C100P 27C101 27C101P 27C128 27C201 27C201P 27C256 27C256A 27C256AP 27C401 27C512 27C512A 27C512AP



271000 271001 27128 2716 27256 27256A 2732 2732A 27512 2764 27C1000 27C1000A 27C1001 27C1001A 27C1001AB 27C2001 27C2001B 27C256 27C256A 27C4001 27C512 27C64 27C8001

2716 27256B 2732 2732B 27512 27512A 2758 27C010 27C020 27C040 27C1023 27C128 27C128B 27C16 27C16B 27C16H 27C256 27C256B 27C32 27C32B 27C32H 27C512 27C512A 27C64 27C64B 27CP128 27LC256 27LV010 27P040 27P512 87C257

271000 27128 27128A 2716 27256 27512 2764 2764A 27C256 27C256H

27C256 27C512 27C64A

27C256 27C32 27C64


27128 27256 2764 27C256 5517A 5517AHbreak crack Microcontroller attack mcu hack program deprotect Source code deprotection

27128A 2716 27256 2732 2732A 27512 2764A 27C1000 27C1001 27C128 27C128A 27C2001 27C256 27C256B 27C32 27C4001 27C512 27C513 27C64 27C64A 27C801 27LV101 27LV201 27LV401 27LV512 87C257

27C1000 27C1001 27C256 27C512

27128 27128A 2716 27256 2732A 2764 27C010 27C010A 27C020 27C040 27C128 27C256 27C32 27C512 27C64 27PC010A 27PC128 27PC256 27PC512 28C64 87C257

27128 27128 27128A 27256 27256A 27256B 2732 27512 27512A 2764 2764 2764A 571000 571001 57256 57256A 574000 57512A 57H256

27C128 27C256 27C512 27C64

27C010L 27C020F 27C020L2 7C040L 27C128F 27C128L 27C256F 27C256L 27C512F 27C512L 27C64F 27C64L 27C65 57C256F 57C512F 57C64F

WMF128K8 WMF512K8


2. S4 8 bit (EEPROM/FLASH/NVRAM) lib. V1.12

29F002B 29F002T 29F040 29F200B 29F200T

2817A 2864A 2864B 28C256 28F010 28F010A 28F020 28F256 28F512 29F002BB 29F002BT 29F002NBB 29F002NBT 29F004BB 29F004BT 29F010A/B 29F040 29F200BB 29F200BT 29F400BB 29F400BT 5517 9864 9864-2 9864-20 9864-25 9864-3 9864-30 9864-35

290011T 29001T 290021T 29002T 29002U 29010 29040 29400TM 29400UM 29512

28C010 28C16 28C17 28C256 28C64 28C64B 28HC256 28HC64 28MC010 28MC020 28MC040 28PC64 29BV010A 29C010 29C010(5V) 29C020 29C040 29C040A 29C256 29C256(5V)
29C257 29C512 29C512(5V) 29LV010A 29LV020 29LV512 49F001 49F001A 49F001AN 49F001ANT 49F001AT 49F001N 49F001NT 49F001T 49F002 49F002A 49F002AN 49F002ANT 49F002AT 49F002N 49F002NT 49F002T 49F010 49F020 49F040

BQ4010Y BQ4011Y BQ4013Y BQ4014Y

29F020 29F040

28C17A 28C256 28C64A 28C65A 28C65B 28F010 28F020 28F512

DS1220 DS1225 DS1230Y DS1245Y DS1248 DS1249 DS1650Y


2864A 2865A

29F002B 29F002T 29F040A 29F200B 29F200T 29F400B 29F400T

58C1001 58C256 58C65 58C66



27F256 2817A 2817A-3 2864A 28F001BXB 28F001BXT 28F010 28F020 28F256 28F256A 28F512

26C1000A 26C512A 28F1000 28F2000 28F4000 29F001B 29F001T 29F002B 29F002T 29F004B 29F004T 29F022NB 29F022NT 29F040

28C17 28C17A 28C256 28C64 28C64A 28C64B

28C64A 28F101

Mosel V.
29C51002B 29C51002T

28C256 28C64

29F002B 29F002T 29F004B 29F004T

1208 FM1608 FM1808

2817A 2817AH 2864 2864H 28C256 28C64 28C65 5517A

28C17A 28C64 28C64C 28F101 28F201 28F256 28F512 29F002BB 29F002BT 29F002T 29F010B 29F040 29W040 M48T35 M48Z08

27SF010 27SF020 27SF256 27SF512 28SF040 28SF040A 29EE010 29EE011 29EE020 29EE512 29SF040 39SF010/A 39SF020/A 39SF040 39SF512

2817A 2864A 2864AH 2865A 2865AH 28C17 28C256 28C64


STK10C48 STK10C68 STK11C48 STK11C68 STK11C88 STK12C68 STK14C88 STK15C68 STK15C88 STK16C68 STK16C88 STK20C04 STK22C48


27C020M 27E010 27E040 27E257 27E512 29C011A 29C020 29C020C 29C040 29EE011 29EE512 39F010 49F002U 49F020

28256 2864A 2864B 2864H 28C010 28C256 28C256B 28C512 28C64 28HC256

U630H16 U632H64 U634H256 U635H16 U635H64 U63716 U637256 U63764 U637H256

3. S4 16 bit (EPROM/FLASH) lib. V1.01

27C1024 27C2048 27C400 27C4096 27C800 29F400BB 29F400BT bus encryption cryptography secure security microprocessor unlock eeprom memory extract

29400TM 29400UM 29800TM 29800UM

27C1024L 27HC1024 27HC4096 29C1024

27C1024 29F200B 29F200T 29F400B 29F400T 29F800B 29F800T

27C1024 27C4000 27C4096

27C210 27C220 27C240 27C400 28F200B 28F400B

27C1024 27C1100 27C2048 27C2100 27C4096 27C4100 29F100BMC 29F100TMC 29F1615 29F200BMC 29F200TMC 29F400BMC 29F400TMC


27C102K 27C202K 27C400K 27C402K 27C404K

27C1024A 27C8000

27C1024 27C2048 27C210 27C240

27C1024 27C160 27C202 27C4002 27C800

27C210A 27C240

5716200 574096 574200 578200 57H1024 57H1025


4. S4 AVR (Atmel) lib. V1.06 ? Requires AVR Modules

A. S4 ZIF programming
ATtiny10 ATtiny11 ATtiny12 ATtiny22 90S1200 90S2313 90S2323 90S2333 90S2343 90S4414 90S4433 90S4434 90S8515 90S8535

89C1051 89C1051U 89C2051 89C2051X2 89C4051

B. S4 ISP programming
ATtiny22 90S1200 90S2313 90S2323 90S2333 90S2343 90S4414 90S4433 90S4434 90S8515 90S8535

5. EPLD (UV & OTP) lib. V1.05 ? Requires GAL Module

1.ALTERA - windowed devices only, no OTP support!
EP310 (PLD2) EP320 (PLD2) EP600 (PLD2) EP610 (PLD2)

PALCE16V8H-25/4 PALCE16V8H-15/4 PALCE16V8H-10/4 PALCE16V8Q-25/4 PALCE16V8Q-15/4 PALCE16V8Q-10/5 PALCE16V8H-7/5 PALCE16V8Q-5/5 PALCE16V8Z-25/4 PALCE16V8Z-15/5

PALCE20V8H-25/4 PALCE20V8H-15/4 PALCE20V8Q-25/4 PALCE20V8Q-15/4 PALCE20V8Q-10/5 PALCE20V8H-10/4 PALCE20V8H-7/5 PALCE20V8H-5/5

PALCE22V10H-25/4 PALCE22V10H-15/4 PALCE22V10H-15/5 PALCE22V10H-10/5 PALCE22V10H-7/5 PALCE22V10H-5/5 PALCE22V10Q-25/4 PALCE22V10Q-15/5 PALCE22V10Q-10/5 PALCE22V10Z-25 PALCE22V10Z-15



ATF16V8C ATF16V8C (Ext.) ATF16V8CZ ATF16LV8C ATF16LV8C (Ext.) ATF22V10C ATF22V10C (Ext.) ATF22V10CZ ATF22LV10C ATF22LV10C (Ext.) ATF22LV10CZ

Windowed only, No OTP support!
AT22V10 (PLD2)



5C031 (PLD2) 5C032 (PLD2) 5C060 (PLD2)

GAL22V10 GAL22V10B GAL22V10B-QP GAL20RA10 GAL18V10/B GAL20XV10 GAL6001 GAL6001B



PL22V10 P5Z22V10


12.TEXAS INSTRUMENTS - Windowed only, No OTP support!


6. S4 GAL (Electronically Erasable) lib. V1.57 ? Requires GAL Module

1.ALTERA - windowed devices only, no OTP support!
EP310 (PLD2) EP320 (PLD2) EP600 (PLD2) EP610 (PLD2)

PALCE16V8H-25/4 PALCE16V8H-15/4 PALCE16V8H-10/4 PALCE16V8Q-25/4 PALCE16V8Q-15/4 PALCE16V8Q-10/5 PALCE16V8H-7/5 PALCE16V8Q-5/5 PALCE16V8Z-25/4 PALCE16V8Z-15/5

PALCE20V8H-25/4 PALCE20V8H-15/4 PALCE20V8Q-25/4 PALCE20V8Q-15/4 PALCE20V8Q-10/5 PALCE20V8H-10/4 PALCE20V8H-7/5 PALCE20V8H-5/5

PALCE22V10H-25/4 PALCE22V10H-15/4 PALCE22V10H-15/5 PALCE22V10H-10/5 PALCE22V10H-7/5 PALCE22V10H-5/5 PALCE22V10Q-25/4 PALCE22V10Q-15/5 PALCE22V10Q-10/5 PALCE22V10Z-25 PALCE22V10Z-15



ATF16V8C ATF16V8C (Ext.) ATF16V8CZ ATF16LV8C ATF16LV8C (Ext.) ATF22V10C ATF22V10C (Ext.) ATF22V10CZ ATF22LV10C ATF22LV10C (Ext.) ATF22LV10CZ ATF750C ATF750CL ATF750LVC

Windowed only, No OTP support!
AT22V10 (PLD2)



5C031 (PLD2) 5C032 (PLD2) 5C060 (PLD2)




PL22V10 P5Z22V10


12.TEXAS INSTRUMENTS - Windowed only, No OTP support!


7. S4 MCS-51 lib. V1.60 ? Requires MCS-51 Module

87C51 87C52

89C51 89C52 89C55 89LS53 89LS8252 89LV51 89LV52 89S51 89S52 89S53 89S8252 AT89C51ED2 AT89C51RD2 T89C51IB2 T89C51IC2 T89C51RB2 T89C51RC2 T89C51RD2

87C520 89C420

80C54 80C58 8751 8751BH 8752BH 87C51 87C51FA 87C51FB 87C51FC 87C54 87C58

87C451 87C504 87C51 87C51FA 87C51FB 87C51FC 87C51RA+ 87C51RA2 87C51RB+ 87C51RB2 87C51RC+ 87C51RC2 87C51RD+ 87C51RD2 87C51X2 87C52 87C524 87C528 87C52X2 87C54 87C54X2 87C552 87C58 87C58X2 87C592 87C598 87C652 87C654 87C654X2 87C660X2 87C661X2 89C51B 89C51RA+ 89C51RA2B 89C51RB+ 89C51RB2B 89C51RB2H 89C51RC+ 89C51RC2B 89C51RC2H 89C51RD+ 89C51RD2B 89C51RD2H 89C51U 89C51X2B 89C52B 89C52U 89C52X2B 89C54B 89C54U 89C54X2B 89C58B 89C58U 89C58X2B 89C660 89C662 89C664 89C668 89V51RD2 PXA-G39 PXA-G49

89C54 89C58


Temic microprobing
TS87C51RB2 TS87C51RC2 TS87C51RD2 TS87C51U2 TS87C52X2 TS87C54X2 TS87C58X2 TSC8751I2 TSC8754 TSC8758 TSC87C51 TSC87C52


8. S4 PIC (12/14/16/17) lib. V2.99 ?Requires PIC Module

12C508 12C508A 12C509 12C509A 12C671 12C672 12CE518 12CE519 12CE673 12CE674 12F629 12F675 14C000 16C505 16C505 NEW 16C52-OTP 16C54-OTP 16C54-UV 16C54A 16C54B/C 16C55-OTP 16C55-UV 16C554 16C556 16C558 16C55A 16C56-OTP 16C56-UV 16C56A 16C57-OTP 16C57-UV 16C57C 16C58A/B 16C61 16C62 16C620 16C620A 16C621 16C621A 16C622 16C622A 16C62A 16C62B 16C63 16C63A 16C64 16C641 16C642 16C64A 16C65 16C65A 16C65B 16C66 16C661 16C662 16C67 16C71 16C710 16C711 16C712 16C715 16C716 16C717 16C72 16C73 16C73A 16C73B 16C74 16C745 16C74A 16C74B 16C76 16C765 16C77 16C770 16C771 16C773 16C774 16C781 16C782 16C84 16C923 16C924 16C925 16C926 16CE623 16CE624 16CE625 16F627 16F627A 16F628 16F628A 16F630 16F648A 16F676 16F72
16F73 16F74 16F76 16F77 16F818 16F819 16F83 16F84 16F84A 16F870 16F871 16F872 16F873 16F873A 16F874 16F874A 16F876 16F876A 16F877 16F877A 16HV540 17C42 17C42A 17C43
17C44 17C756

9. S4 PIC (18) lib. V3.01 ? unlock Requires PIC Module

18C242 18C252 18C442 18C452 18C601 18C658 18C801 18C858 18F1220 18F1320 18F2220 18F2320 18F242 18F2439 18F248 18F252 18F2539 18F258 18F4220 18F4320 18F442 18F4439 18F448 18F452 18F4539 18F458 18F6520 18F6525 18F6585 18F6620 18F6621 18F6680
18F6720 18F8525 18F8585 18F8620 18F8621 18F8680 18F8720

dsPIC 30F2010 30F2011 30F2012 30F3010 30F3011 30F3012 30F3013 30F3014 30F4011 30F4012 30F4013 30F5011 30F5013 30F5015 30F5016 30F6010 30F6011 30F6011A 30F6012 30F6012A 30F6013 30F6013A 30F6014 30F6014A 30F6015

10. S4 Serial lib. V3.17 - Requires Serial Module

17C002 17C002A 17C010 17C010A 17C128 17C128A 17C256 17C256A 17C512 17C512A 17C65 17C65A 17LV002 17LV002A 17LV010 17LV010A 17LV128 17LV128A 17LV256 17LV256A 17LV512 17LV512A 17LV65 17LV65A 24C01 24C01A/B 24C02 24C04 24C08 24C128 24C16 24C164 crack
24C256 24C32 24C64 25010 25020 25040 25080 25128 25160 25256 25320 25640
25HP256 25HP512 25P1024 93C46 93C46A 93C46C 93C56 93C57 93C66 93C86

24C02 24C04 24C08 24C16 24WC128 24WC256 24WC32 24WC64 25C02 25C04 25C08 25C128 25C16 25C256 25C32 25C64 35C102 35C116 93C46 93C56 93C66

Exel attack
24C01 24C02 24C04 24C08 24C16 93C46 93C56


93C46 93C46A 93C56A 93C66A 93CX46 93CX66

24C01-3 24C02-3 24C04-3 24C08-3 24C128-3 24C16-3 24C32-3 24C64-3 25C32-3 25C64-3 93C46A-3 93C56-3 93C66-3

24AA128 24AA256 24AA512 24AA515 24AA64 24C02A 24C32 24C65 24FC128 24FC256 24FC512 24FC515 24LC00 24LC01B 24LC02B 24LC04B 24LC08B 24LC128 24LC164 24LC16B 24LC256 24LC512 24LC515 24LC64 24WC32 25AA040 25AA080 25AA160 25AA320 25AA640 25C040 25C080 25C160 25C320 25C640 25LC040 25LC080 25LC160 25LC320 25LC640 85C72 85C82 85C92 93C46 93C76 93C86 93LC56 93LC66

National hack
24C02 24C03 24C04 24C05 24C08 24C09 24C16 24C17 9306 9346 93C06 93C13 93C46 93C56 93C66 93C76 93C86

Philips PCF
85102 85116 8581 8582C 8594C 8598C


24L01 24L02 24L04 24L08 24L16 24L32 9010 9016 9020 9040 9080 93L46 93L56 93L66

24C01 24C02 24C04 24C08 24C16 24E16 24E32 24E65 9306 93C46A 93C56 95010 95020 95040 95128 95160 95256 95320 95640

2402 24022 2404 24042 24164 24645 24C02 24C04 24C08 24C16 24C44 24C45 25040 25640