Security fuses / reverse engineering

PLDs like the ATF16V8B from atmel have security fuses to prevent reverse-engineering. How difficult and expensive would it be to reverse-engineer a device where such a security fuse is used?

Philipp

Reply to
Philipp Klaus Krause
Loading thread data ...

Probably more trouble and expense than just doing the engineering.

Luhan

Reply to
Luhan

I did quite a ot of work on electron beam testers, so my approach would be to try and de-encapsulate the chip without wrecking it, which is expensive in its own right, then run the chip in the vacuum chamber of a stroboscopic electron microscope set up for voltage contrast imaging

- an electron beam tester. Schlumberger sold one for years, but they vanished into Credence a few years ago.

--
Bill Sloman, Nijmegen
Reply to
bill.sloman

Bribe a disgruntled former employee!

Luhan

Reply to
Luhan

If it's really a 16V8 or similar size device, just reverse-engineering the functionality (by brute force, if need be) is probably cheaper than actually trying to figure out how to read back the actual fuses... unless there's already a known exploit for the IC in question.

Reply to
Joel Kolstad

It is such a simple device. It can have up to 8 registered outputs. Since the register's outputs can be fed back into the device, the brute-force approach will be a little bit more complicated than just treating the inputs as adress lines, the outputs as data lines and thus the whole PLD like a ROM.

Philipp

Reply to
Philipp Klaus Krause

Possibly not very, but it depends. I suspect some of the other responders have been thinking of reverse engineering the chip. I'm guessing that you don't want to reverse engineer the chip, you simply want to read out the data programmed into it. If so, don't reverse engineer the chip, just replace the fuse.

The fuse material depends on the process - in modern CMOS processes, like you're probably dealing with here, the fuse is most likely made from a silicided poly layer. The fuse itself is a small section of poly - minimum width and maybe 2x or 3x longer than it is wide. It's contacted on both ends with a row of vias, with contacts extending up to M1, the first metal layer.

The poly can't be repaired, but the metal can be shorted with FIB - Focused Ion Beam. Time on an FIB machine will cost you around $500 per hour, and you're probably looking at 15 to 30 minutes to cut through the glass to expose the metal, then deposit the new metal. Before you do that, you're going to need to find where to make the repair. For that, you'll need someone with a good microscope and a reasonable idea of what the circuits look like. That will probably cost $100 per hour or more, and if you're looking for a precise answer, you'll probably have to spend $1000 or more for the engineer. If you're in luck, Atmel didn't cover their fuses with metal when they were done with them, and you'll be able to find them and get to them easily. If they did, you'll have to spend a little more time reverse engineering the fuse circuit (but not the entire chip). You could probably find out whether it's an easy or a hard job for less than $500, and if it's an easy job, it could probably be done for less than $1000 total. If Atmel made things a little more difficult to get to, it could cost much more.

-- Mike --

Reply to
Mike

This may be of interest to you

formatting link

martin

Reply to
martin griffith

ElectronDepot website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.