This is an entry-level mini course that takes you through a series of IC-related reverse engineering / security tasks. You will practice decapping some samples and then use them in later sections to execute attacks and try other techniques. There are options for both chemical-based and chemical-free decap/security analysis.

Suggested equipment:

Consumables:

Other:

Things to add:

Chip background

8751

Die photo

Bond wires: usually aluminum

No direct way to verify that security is set. A secured device reads back as FF

IIRC BP does not continuity check

These labs were written with 8751H in mind, although other 8751 variations should also work

Microchip PIC16C57

Die photo

PDIP bond wires: gold

These can also be bought as CDIPs for development

This lab was written with PIC16C57 in mind, although PIC16C57C may work just as well

Microchip PIC16F558

Die photo: TODO grab from flylogic blog

Bond wires: copper

Unit 1: decapsulation

U1L1: CERDIP glass frit

quick_before.jpg

  1. Select an Intel D8751H (glass frit)
  2. If necessary, UV erase
  3. Program with a counting test pattern
  4. Decap using procedure here
  5. Readback
    1. If applicable: verify no continuity errors
    2. Verify expected pattern

U1L2: CERDIP brazed

magnet.jpg

  1. Select an Intel C8751 (brazed lid)
  2. If necessary, UV erase
  3. Program with a counting test pattern
  4. Decap using procedure here
  5. Readback
    1. If applicable: verify no continuity errors
    2. Verify expected pattern

U1L3: PDIP gold bond

  1. Select a Microchip PIC16C57/P (PDIP)
  2. Program with a counting test pattern
    1. Note: “OTP” device (can be UV erased after decap)
  3. Decap using procedure here
  4. Readback
    1. If applicable: verify no continuity errors
    2. Verify expected pattern

U1L4: PDIP copper bond

  1. Select a Microchip PIC16F558
  2. Program with a counting test pattern
  3. Decap using procedure here
  4. Readback
    1. If applicable: verify no continuity errors
    2. Verify expected pattern
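An added example (not part of the original wiki page) of the "program with a counting test pattern" and "verify expected pattern" steps used in the Unit 1 labs. It assumes the counting pattern means the byte at address a is a mod 256 and a 4 KB image (the 8751's EPROM size); the function names are hypothetical, and the stuck-bit interpretation is a heuristic.

```python
def counting_pattern(size=4096):
    # Assumed meaning of "counting test pattern": byte at address a is a mod 256.
    return bytes(a & 0xFF for a in range(size))


def verify_readback(expected, readback):
    """Classify a post-decap readback against the image that was programmed."""
    if len(readback) != len(expected):
        return {"status": "size_mismatch"}
    if readback == expected:
        return {"status": "ok"}
    if all(b == 0xFF for b in readback):
        # Erased, or (on the 8751, per the chip notes above) secured.
        return {"status": "all_ff"}

    bad = [a for a, (e, r) in enumerate(zip(expected, readback)) if e != r]
    set_bits = sum(bin((e ^ r) & r).count("1") for e, r in zip(expected, readback))
    cleared_bits = sum(bin((e ^ r) & e).count("1") for e, r in zip(expected, readback))

    # The counting pattern toggles every data bit, so a bit that reads the same
    # at every address points at a data pin fault (heuristic, e.g. a damaged
    # bond wire or poor socket contact) rather than at changed cell contents.
    and_all, or_all = 0xFF, 0x00
    for r in readback:
        and_all &= r
        or_all |= r

    return {
        "status": "mismatch",
        "bad_bytes": len(bad),
        "first_addr": bad[0],
        "last_addr": bad[-1],
        "set_bits": set_bits,          # programmed 0, read 1 (erase direction)
        "cleared_bits": cleared_bits,  # programmed 1, read 0
        "stuck_high": and_all,         # mask of bits that are 1 at every address
        "stuck_low": ~or_all & 0xFF,   # mask of bits that are 0 at every address
    }


if __name__ == "__main__":
    image = counting_pattern()
    # Constructed readback: 16 bytes at 0x100 returned to the erased state.
    sample = bytearray(image)
    sample[0x100:0x110] = b"\xff" * 16
    print(verify_readback(image, bytes(sample)))
```

Write the output of counting_pattern() to a file for the programmer, then pass the bytes of the readback file to verify_readback() after decap.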

Unit 2: UV attacks

U2L1: basic UV attack

  1. Select either of the following:
    • Microchip PIC16C57
      • May be easier as it directly reports security status
    • Intel 8751
    • If needed, look at the solution below and then use the other as practice
  2. If you have not already done so, decap the chip
  3. Quick security evaluation
    1. Program with all 0's and secure it
    2. UV erase the chip (30 min?)
    3. Verify that the chip is no longer secure and is filled with FF
      • This means the chip should be trivially UV attackable
  4. Put the die under a microscope (inspection is fine) and identify the EPROM and SRAM regions
    1. SRAM has a rougher texture
    2. EPROM has a smoother texture
  5. Use techniques from this page to only mask the EPROM area
    1. TODO: this page needs polishing / cleanup
  6. UV erase for 30 minutes
  7. Readback pattern
  8. Verify security fuse is clear
    1. If not, use acetone to clean mask and try again
  9. Verify pattern was not corrupted
    1. If it is, consider making the mask larger

Extra credit: no corruption

  1. Use a pattern of all 0's and secure the device
  2. Execute above attack
  3. Read back the device
  4. Verify device still shows all 0's

Extra credit: find the fuse

  1. Experiment with different masks outside of the EPROM area to narrow down the fuse location
  2. Alternatively, look at the fuse under a microscope

Solutions:

U2L2: angled UV attack

  1. Select either of the following:
    • Microchip PIC18F1320
      • Classic choice
    • Microchip PIC16C74
  2. Quick security evaluation
    1. Program with all 0's and secure it
    2. UV erase the chip for 60 min
    3. Observe chip status. It should still be secure or maybe even bricked
  3. Place the chip at a 30 degree angle
  4. UV erase for 60 min
  5. Check security status
  6. If security fuse is not clear, try adjusting angle and re-erasing

Extra credit: dump the firmware

  1. Do above, but apply masks
  2. Verify no bits are erased despite erasing at an angle

Solutions:

U2L3: flash UV attack

TODO: what would be a good choice here?

Unit 3: optical glitching

U3L1: static glitch

  1. Select either of the following:
    • Microchip PIC16F84
    • Microchip 87C51I or 87C51FAD
    • PIC16F84 probably easier as 87C51 doesn't directly indicate protection status
  2. Select laser
    1. Green 5 mW laser pointer will likely work well
  3. Put programmer in a read loop
    1. Ex: using Linux minipro command line
  4. Shine randomly across the die and observe responses
    • You should see the read result get corrupted sometime
    • You will possibly see a firmware dump, but don't expect it
  5. Put programmer under microscope
  6. Aim laser pointer at exposed die using helping hands or similar
    • WARNING: do not look into microscope
    • Use a camera to observe laser
  7. Slowly move chip around (using hands or XY stage) and observe responses as you move it around
  8. Scan across the chip until you find a vulnerable area

Extra credit: automated XY scan

  1. Use a motorized XY scan to read out all chip locations and automatically find vulnerable locations
  2. Sample workflow using LinuxCNC

Solutions

U3L2: dynamic glitch

Unit 4: power glitching

Unit 5: microprobing

Start with basic probing in U3L1. Then find a way to remove passivation:

  • Use a microscope laser if you have one
  • Use chemical etching if you can

U3L1: pads

Probe pads / bond wires to get basic familiarity with your probe

TODO: is there a well known device we could activate a debug port on?

U3L2: laser remove passivation

Professional / recommended solution but may not be accessible to all students

U3L3: HF remove passivation

Untested, but I think I can make this work

U3L4: scratch remove passivation

Use needle to scratch off passivation as noted by…Sergei I think?

U3L5: ultrasonic remove passivation

If you have one or maybe build one

 
tutorial/mcu_security.txt · Last modified: 2018/05/04 07:53 by mcmaster
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution 4.0 International