At present, there are four main technologies for attacking single-chip microcomputers: (1) Software attack This technique typically uses a processor communication interface and exploits protocols, encryption algorithms, or security vulnerabilities in these algorithms to attack. A typical example of a successful software attack is the attack on early ATMEL AT89C series microcontrollers. The attacker exploited the vulnerability of the series of single-chip erasing operation timing design, and used the self-programming program to stop the next step of erasing the on-chip program memory data after erasing the encryption lock bit, thereby turning the over-encrypted MCU into The unencrypted MCU is then used to read the on-chip program using the programmer. (2) Electronic detection attack This technique typically monitors the analog characteristics of all power and interface connections of the processor during normal operation with high temporal resolution and performs attacks by monitoring its electromagnetic radiation characteristics. Because the microcontroller is an active electronic device, when it executes different instructions, the corresponding power consumption of the power supply changes accordingly. In this way, by using special electronic measuring instruments and mathematical statistical methods to analyze and detect these changes, specific key information in the microcontroller can be obtained. (3) Fault generation technology This technique uses abnormal working conditions to make the processor go wrong and then provides additional access to the attack. Attacks that use the widest range of faults include voltage surges and clock surges. Low voltage and high voltage attacks can be used to disable the protection circuit or force the processor to perform erroneous operations. Clock transients may reset the protection circuit without destroying the protected information. Power and clock transients can affect the decoding and execution of a single instruction in some processors. (4) Probe technology The technology directly exposes the internal wiring of the chip, and then observes, manipulates, and interferes with the single-chip microcomputer to achieve the purpose of attack. For the sake of convenience, the above four attack technologies are divided into two categories, one is intrusive attack (physical attack), which needs to destroy the package, and then in the specialized laboratory by means of semiconductor test equipment, microscope and micro locator It takes hours or even weeks to complete. All microprobe technologies are intrusive attacks. The other three methods are non-intrusive attacks, and the attacked microcontroller will not be physically damaged. Non-intrusive attacks are particularly dangerous in some cases because the equipment required for non-intrusive attacks can usually be self-made and upgraded, so it is very cheap. Most non-intrusive attacks require an attacker with good processor knowledge and software knowledge. In contrast, invasive probe attacks do not require much initial knowledge, and a wide range of similar techniques can often be used to deal with a wide range of products. As a result, attacks on microcontrollers often start with intrusive reverse engineering, and the accumulated experience helps to develop cheaper and faster non-intrusive attack techniques. General process of intrusive attacks The first step in an intrusive attack is to remove the chip package. There are two ways to do this: the first is to completely dissolve the chip package and expose the metal wires. The second is to remove only the plastic package on the silicon core. The first method requires binding the chip to the test fixture and operating it with the binding station. In addition to the knowledge and necessary skills of the attacker, the second method requires personal wisdom and patience, but it is relatively convenient to operate. The plastic on the chip can be uncovered with a knife, and the epoxy resin around the chip can be etched away with concentrated nitric acid. Hot concentrated nitric acid dissolves the chip package without affecting the chip and wiring. This process is generally carried out under very dry conditions, as the presence of water may attack the exposed aluminum wire connections. The chip was then first washed with acetone in an ultrasonic bath to remove residual nitric acid, then rinsed with water to remove salts and dried. Without an ultrasound pool, this step is generally skipped. In this case, the surface of the chip will be a bit dirty, but it does not affect the operation of the UV light on the chip. The final step is to find the location of the protective fuse and expose the protective fuse to ultraviolet light. Generally, a microscope with a magnification of at least 100 times is used to track the connection from the programming voltage input pin to find the protection fuse. If there is no microscope, a simple search is performed by exposing different parts of the chip to ultraviolet light and observing the results. An opaque sheet of paper is applied over the chip to protect the program memory from UV light. Exposing the protective fuse to UV light for 5 to 10 minutes can destroy the protection of the protection bit, and then the program memory can be read directly using a simple programmer. For a microcontroller that uses a guard layer to protect the EEPROM cell, it is not feasible to use a UV reset protection circuit. For this type of microcontroller, microprobe technology is typically used to read the memory contents. After the chip package is opened, placing the chip under the microscope makes it easy to find the data bus that is connected from the memory to the rest of the circuit. For some reason, the chip lock bit does not lock access to the memory in programming mode. With this defect, the probe can be placed on top of the data line to read all the desired data. In programming mode, all information in the program and data memory can be read by restarting the read process and connecting the probe to another data line. Another possible attack is to find a protective fuse with equipment such as a microscope and a laser cutter to find all the signal lines associated with this part of the circuit. Due to the design flaws, the entire protection function can be disabled by cutting off a certain signal line from the protection fuse to other circuits. For some reason, this line is very far from the other lines, so using a laser cutter can completely cut the line without affecting the adjacent line. In this way, the contents of the program memory can be read directly using a simple programmer. Although most common single-chip microcomputers have the function of fuse-breaking to protect the code in the single-chip microcomputer, since the general-purpose low-end single-chip microcomputers are not positioned to make security products, they often do not provide targeted preventive measures and have a low security level. In addition, the application of MCU is extensive, the sales volume is large, the commissioning of processing and technology transfer between manufacturers is frequent, and a large amount of technical data is leaked, which makes use of the design holes of the chip and the test interface of the manufacturer, and the intrusion type by modifying the fuse protection position. It is easier to use an attack or non-intrusive attack to read the internal program of the microcontroller. Switching Residual Current Transformer Switching Residual Current Transformer,Switching Transformer,Open Residual Current Transformer,Busbar Open Residual Current Transformer Zibo Tongyue Electronics Co., Ltd , https://www.tongyueelectron.com