Inachis

Bypassing code protection on an Intel 8752

2018-05-01

Summary

The security bits that enforce code protection on the Intel 8752 can be cleared with UV, while keeping the main program memory mostly intact by applying a UV mask (nail polish) to the EPROM regions of the die.

The results are not surprising considering the age of the chip (1985) and that the 8751 code protection (the same family as the 8752) can be bypassed with the same technique, but nonetheless this publication serves to provide confirmation and steps to replicate the process. In this attempt, I lost a few bits likely due to a corner of the EPROM not being fully covered with a UV mask.


Introduction

Intel 8752BH Package

Intel 8752BH Package

The Intel 8752 is a general purpose MCU that was manufactured in the 1980s. Similar to the Intel 8751, it features a security setting: once set, anyone attempting to dump the EPROM will read out a seemingly blank EPROM, while the original EPROM contents on the MCU is intact for normal operation. This sort of feature is attractive to vendors who want to hide sensitive information (such as symmetric keys), prevent pirate copies, and increase the difficulty of vulnerability analysis of a program.

The 8751’s code protection has been bypassed by exposing the security bits to UV, while protecting the rest of the EPROM from UV erasure with nail polish.1 2 Since the 8752 is in the same family as the 8751, it isn’t a surprise that the same method works on the 8752.

I first learned about the technique through Bunnie’s blog, and then refined the technique with John McMaster at his house. McMaster let me use his equipment, materials and lab space to perform this research as well as teaching me some of his technique.

Clearing security bits via UV is a fairly old technique. Modern chips implement mitigations such as shielding and security meshes to make attacks more difficult to reliably preform.


Preparation

I don’t have a program handy, so instead I have to fill the entire program memory with 0xCA bytes. The goal here is to read them back after setting the security bit and clearing it with UV. Before enabling code protection, I read back the pattern to make sure the chip is correctly programmed.

0xCA test pattern

0xCA test pattern

Once verified, I enable code protection and re-read the chip.

Readout from a secured 8752

Readout from a secured 8752

This is expected behavior from a code protected 8752. Unlike most modern chips with code protection, there is no feedback or “security bit” to be read via the programmer.


Decapping Ceramic DIP (CDIP)

The target is a ceramic DIP (CDIP) with a fused quartz window that visually exposes the die. EPROM cannot be electrically erased, so these windows were intended for programmers to erase program memory through UV exposure for 20 - 60 minutes. The UV causes ionization that dissipates stored charges from the floating gates in the EPROM, which makes them available for re-programming. Since I would like to clear the security bit(s) without affecting program memory, it would be ideal to have physical access to the EPROM to mask it with nail polish, so I need to do a decap.

This ceramic package is composed of two ceramic halves (top, bottom) held together by glass frit. The top ceramic half protects the die. The goal is to heat the chip to a sufficient temperature to preheat the package and workholder, then hit the top ceramic half with a propane flame until the glass holding the two halves together melts.

Ceramic chip decapping rig

Ceramic chip decapping rig

McMaster taught me his technique for thermally decapping ceramic 40 pin packages, which is as follows:

  1. Place the chip on a machining block. I don’t recall the measurements for this one, but I used a Starrett 154C Adjustable Parallel and adjusted it to create a firm fit against the pins, leaving room under the ceramic body for expansion.

  2. Place the block and chip on a vice and clamp against the pins. Leave some room under the ceramic body, otherwise the package might fracture while expanding. Ideally this setup will also help diffuse heat from the pins, so a vice with a high thermal mass is preferred. If the pins and/or bottom get too hot, I might end up lifting the pins off while removing the top ceramic half.

  3. Place a clamp, with the teeth / tip of the clamp grabbing the top ceramic half, like so:

    Example of another ceramic chip with the proper clamp placement.
    The clamp primarily serves to lift the top ceramic half when the glass frit melts. It might also help with distributing the heat across the top ceramic piece.

  4. Aim the heatgun close and towards the top of the chip (X/Y plane). Try to ensure the heat will evenly / symmetrically cover the top of the chip while the heatgun is active.

  5. Set the heatgun to about 455 C (850 F) and heat the package for 20 minutes. Keep in mind that the duration depends on the thermal mass of the vice.

  6. Turn off the heatgun. The package should be pretty hot, but not hot enough to melt the glass holding the two halves together.

  7. See safety note below.

  8. Engage the propane torch about 5 cm (2 inches) from the top ceramic half, as perpendicular as possible, and run it back and forth across the top and bottom of the half (towards and away from the notch on the package). The goal is to get an even heat distribution without heating the bottom ceramic half as much.

  9. If the propane torch is at a slight angle, switch sides every 2 - 4 seconds.

  10. Gently wiggle the clamp while engage the propane torch.

  11. Repeat steps 7 - 10.

  12. After a few shots with the torch, the top half should lift with almost no effort while wiggling the clamp. Immediately disengage the propane torch to avoid hitting the die / bond wires while lifting the top ceramic half. Too much force while lifting will risk removing pins along with the top ceramic half.

A note on safety: While decapping ceramic chips doesn’t involve handling corrosive substances / acids, there’s a risk of cracking the ceramic packaging. With the aforementioned method, the force from the clamp will then cause the ceramic piece to collapse and possibly jettison shards in various directions. Use an impact resistant face shield to reduce risk of bodily harm.
Decapped Intel 8752BH

Decapped Intel 8752BH


Identifying EPROM

Some general features of the die are visible under the inspection microscope. In particular I’m interested in identifying and masking the EPROM portions of the die while keeping the rest of it intact. The assumption is that the security bit is not in the EPROM region itself.

Intel 8752BH die under an inspection scope

Intel 8752BH die under an inspection scope

The four blocks are of interest due to their repetitive structure, characteristic of memory arrays. However, the die contains both SRAM and EPROM. SRAM arrays have a rougher pattern, which is visible on the lower part of the die, so I want to mask the two blocks on top of the die.


Masking EPROM

Nail polish can be used to protect features of the die from UV light, so I’m going to carefully apply it to the EPROM region. If I apply too little or miss a spot on the EPROM, that section will get corrupted during the UV erasure. Too much, I’ll risk covering the security bit and prevent it from getting erased. Generally the latter is preferred, since the mask can be re-applied and we don’t want to corrupt our program.

Mask application setup

Mask application setup

McMaster suggested putting the chip in a bowl and pouring a bit of acetone in it (not necessarily on the die itself, although that might be useful in some cases). The acetone vapors significantly slows the drying of the nail polish, and makes it more fluid when applied to the die region. I had to experiment to find the right amount of acetone for this setup. Too much acetone makes the nail polish too fluid and difficult to contain. It is sort of like the difference between watercolor and oil painting, where more acetone gives more of the watercolor consistency. The acetone pool can also be used for cleaning off the brush.

The brush is a single strand of short animal hair attached to tweezers.

The process is as follows:

  1. Place the chip and a small block in a small bowl. The block will be used as a nail polish pallet, to avoid removing the brush from the bowl and drying it out.

  2. Pour a little bit of acetone into the bowl. The exact amount requires experimentation.

  3. Place the bowl under an inspection microscope and set the focus on the die.

  4. Put some nail polish on the pallet.

  5. Take a brush (I used a 5 mm strand of animal hair attached to a handle) and dip it in the nail polish pallet. After this point, do not remove the brush from the bowl until it is no longer of use.

  6. Proceed to apply nail polish to the EPROM region until fully covered. It is likely OK to cover the row decoders surrounding the EPROM memory arrays.

  7. If satisfied with the result, remove the chip from the bowl to dry the nail polish. Clean the brush with acetone and remove it from the bowl.

  8. To redo the process, spray acetone on the die until all the nail polish is removed. Make sure not to spray it too hard as it increases the risk of breaking the bond wires.

Intel 8752BH after application of nail polish

Intel 8752BH after application of nail polish

Note that the top right corner of one of the EPROM blocks is insufficiently covered. The bottom left of the other might be as well. This explains some of the memory corruption I’ll get after the UV erasure.


UV Erasure

Now it’s time to test my luck. I place the chip under UV and set the timer for one hour. The time for the UV erasure to be effective varies from chip to chip: longer won’t damage the chip but shorter may have prevented the corruption I experienced. I decided on longer as I prefer not to wonder whether my assumptions were wrong or if I accidentally covered the security bit with nail polish.

Placement of a decapped Intel 8752BH into a UV eraser

Placement of a decapped Intel 8752BH into a UV eraser

I recommend programming, securing, then applying UV to the chip before applying the mask, first. If the security bit doesn’t reset in this case, then there might be a shield over the security bit or another technique would be required. Otherwise proceed with the steps described in this article.


Results

Time to place the chip back on the programmer socket and attempt a read.

Cleared security bit with slight data loss

Cleared security bit with slight data loss

While I’m getting most of my 0xCA’s back, a few bits ended up flipping due to not covering some of the corners particularly well. Nonetheless, I did end up flipping the security bit, and a more careful mask application would likely let me dump the program memory unaffected.


Appendix: Failed attempt

I ended up covering a bit more than EPROM on my first attempt. After UV erasure, the security bit did not flip with this mask. That means that diffing the two masking attempts can give a rough idea where the security bit is on the 8752, and further analyzed with a high magnification microscope.

UV masking attempt which ended up covering the security bit

UV masking attempt which ended up covering the security bit


  1. Caps0ff: 8751 Rampage [return]
  2. John McMaster: Silicon photonics [return]


Return to blog home

Please send all feedback and errata to blog@inach.is

Twitter RSS