Silicon hacking

posted May 31st 2008 11:30pm by Juan Aguilar
filed under: misc hacks

Wired recently posted an article and video detailing our friend [Chris Tarnovsky]’s process for hacking smart cards. In the video, [Chris] shows how he strips away physical components of the chips inside the smartcards using various gadgets and chemicals.

The first step is to remove the chip from its plastic frame. After soaking it in acid for about 10 minutes, the epoxy is removed and the chip is exposed. After that the outer layer is loosened by soaking the chip in two solutions of acetone, the second being the “clean” one. Then the chip is placed on a hotplate where a drop of fuming nitric acid is applied with a dropper; the chip is washed again in an ultrasonic cleaner, removing any residue left.

[Chris] then returns the chip to the card. He will apply nail polish to act as a masking material. He scratches a hole through the polish with a needle held by a micro positioner in the area of interest. The hole is treated with hydrofluoric acid and then etched in short intervals until the desired layer of silicon is exposed. At this point, the card is fully prepped.

Now by powering the chip with the needle resting on the bus, [Chris] can read the code on the chip by sending it various commands and watching how it reacts. To see more of [Chris]’s reverse engineering work, check out Flylogic Engineering’s Analytical Blog. It’s a enjoyable read even if you’re new to silicon hacking.

Comments [9]

Reader Comments

sweet

Posted at 11:49 pm on May 31st, 2008 by Bp

does any one else think that ICs evolved to fast? i mean not to long ago we were using pcbs with tones and tones of can transistors and not to long b4 that we were useing tubes

Posted at 12:03 am on Jun 1st, 2008 by alex mccown

So you can read the information on the smart card?

Could you use this to create false credentials to log into a computer as a local administrator?

This sounds pretty dangerous, if misused. You can disable starting from Optical Drives and USB in order to defeat intrusion by way of live distributions, but it seems that for computers that require Smart Card logon you’re pretty much left wide open here.

Posted at 1:05 am on Jun 1st, 2008 by Will

Hydrofluoric acid…… wow, thats nasty stuff alright!

Very nice technique though! although I think its a bit extreme for a home job.

Posted at 3:18 am on Jun 1st, 2008 by edenist

I love reading the stuff on flylogic. but he hasn’t posted much in the last 2 months.

Posted at 6:37 am on Jun 1st, 2008 by anomaly95

Hi everyone!

Always nice to see positive comments. I will try to do more blogging. I’ve been overwhelmed with the stresses of work (which is a good thing).

fyi- I need to eventually get around to blogging on a few things: the Intel 4004 (nice hires images of a piece of history), some C64 devices, a declassified NSA cryptographic link controller, and a few other things that have come in.

Thanks to those who have contributed. I will find the time!

-Chris

Posted at 10:23 pm on Jun 1st, 2008 by Chris Tarnovsky

“O.k., now that we’re ‘in’, what do we do now?” -A hex dump is pretty useless unless you know what is what. I doubt the manufacturer is going to give you the memory map, register’s, or anything else for that matter. And, when you tied into the clock/data line, were those not already bonded out?

“You can do anything you want”. (skeptical).

Posted at 2:54 pm on Jun 2nd, 2008 by mike

Mike, what would you like to do? Using a second needle, I could take over the CPU’s decoding area and make it single step it’s code rendering every address onto the tip of the other needle. Do this 8 times and I have the full dump.

What else…Hrmmm… Study the code and understand how the UART works incase I don’t know ISO7618 but knew where VCC,RST,CLK,IO,GND were but didn’t understand their protocol… It’s clear in the code where a transmit and receive routine is from the software side of things..

As well, let’s say I write a small script and using a single needle, I wait until clock period n in time and change the instruction. Using this method (the preferred by myself), I can introduce a series of glitches into the software contained inside to maybe overwrite the stack, abuse a readout loop, force a bad signature good, and so on.. Anything imaginable is possible. Complete control with a single needle.

Make sure you come to Blackhat/Defcon for more of a hands-on!

Posted at 12:20 am on Jun 3rd, 2008 by chris tarnovsky

its awesome stuff like this that make me laugh a the proposal of nagra3

theres nothing you can do that we can’t undo

Posted at 8:48 pm on Jul 15th, 2008 by Steve DiRaddo

Silicon hacking

Recent Posts

Reader Comments

Leave a Reply

hacks

resources

rss newsfeeds

Most Commented On (60 days)

Recent Comments