On a stable platform around a socket for the test package, we install several micropositioners e. These elastic probe hairs allow us to establish electrical contact with on-chip bus lines without damaging them. On the depackaged chip, the top-layer aluminum interconnect lines are still covered by a passivation layer (usually silicon oxide or nitride), which protects the chip from the environment and ion migration.
On top of this, we might also find a polyimide layer that was not entirely removed by HNO3 but which can be dissolved with ethylenediamine. We have to remove the passivation layer before the probes can establish contact. The most convenient de-passivation technique is the use of a laser cutter e. The UV or green laser is mounted on the camera port of the microscope and fires laser pulses through the microscope onto rectangular areas of the chip with micrometer precision.
Carefully dosed laser flashes remove patches of the passivation layer. The resulting hole in the passivation layer can be made so small that only a single bus line is exposed Fig. This prevents accidental contacts with neighboring lines and the hole also stabilizes the position of the probe and makes it less sensitive to vibrations and temperature changes.
The cost of a new laser cutter is roughly in the same region. Low-budget attackers are likely to get a cheaper solution on the second-hand market for semiconductor test equipment. The laser is not essential for best results, because vibrations in the probing needle can also be used to break holes into the passivation.
Memory Read-out Techniques

It is usually not practical to read the information stored on a security processor directly out of each single memory cell, except for ROM. The stored data has to be accessed via the memory bus where all data is available at a single location. Micro probing is used to observe the entire bus and record the values in memory as they are accessed.
It is difficult to observe all (usually over 20) data and address bus lines at the same time. Various techniques can be used to get around this problem. For instance, we can repeat the same transaction many times and use only two to four probes to observe various subsets of the bus lines. As long as the processor performs the same sequence of memory accesses each time, we can combine the recorded bus subset signals into a complete bus trace. Overlapping bus lines in the various recordings help us to synchronize them before they are combined.
In applications such as pay-TV, attackers can easily replay some authentic protocol exchange with the card during a micro probing examination. These applications cannot implement strong replay protections in their protocols, because the transaction counters required to do this would cause an NVRAM write access per transaction. Newer memory technologies such as FERAM allow over write cycles, which should solve this problem. Just replaying transactions might not suffice to make the processor access all critical memory locations.
For instance, some banking cards read critical keys from memory only after authenticating that they are indeed talking to an ATM. Pay-TV card designers have started to implement many different encryption keys and variations of encryption algorithms in every card, and they switch between these every few weeks. The memory locations of algorithm and key variations are not accessed by the processor before these variations have been activated by a signed message from the broadcaster, so that passive monitoring of bus lines will not reveal these secrets to an attacker early.
Sometimes, hostile bus observers are lucky and encounter a card where the programmer believed that by calculating and verifying some memory checksum after every reset the tamper-resistance could somehow be increased. This gives the attacker of course easy immediate access to all memory locations on the bus and simplifies completing the read-out operation considerably.
Surprisingly, such memory integrity checks were even suggested in the smartcard security literature [10], in order to defeat a proposed memory rewrite attack technique [11]. This demonstrates the importance of training the designers of security processors and applications in performing a wide range of attacks before they start to design countermeasures.
Otherwise, measures against one attack can far too easily backfire and simplify other approaches in unexpected ways. In order to read out all memory cells without the help of the card software, we have to abuse a CPU component as an address counter to access all memory cells for us. The program counter is already incremented automatically during every instruction cycle and used to read the next address, which makes it perfectly suited to serve us as an address sequence generator [12].
We only have to prevent the processor from executing jump, call, or return instructions, which would disturb the program counter in its normal read sequence. Tiny modifications of the instruction decoder or program counter circuit, which can easily be performed by opening the right metal interconnect with a laser, often have the desired effect.
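The reset-time checksum pitfall described above can be made concrete with a small model. This is an added example, not code from the original text: the memory layout, region sizes and the `Card` class are constructed assumptions. It compares which memory cells appear on the bus during one reset and one transaction, with and without a checksum loop, including a key variant that has not yet been activated.

```python
# Added illustration; memory layout, sizes and contents are constructed.
from dataclasses import dataclass, field

MEM_SIZE = 256
CODE = range(0x00, 0x40)          # instructions fetched in every transaction
ACTIVE_KEY = range(0x80, 0x90)    # key variant currently in use
DORMANT_KEY = range(0x90, 0xA0)   # variant not yet activated by a signed message
MEMORY = bytes((i * 7 + 3) % 256 for i in range(MEM_SIZE))


@dataclass
class Card:
    checksum_on_reset: bool
    bus_trace: list = field(default_factory=list)  # (address, data) pairs

    def _read(self, addr):
        value = MEMORY[addr]
        self.bus_trace.append((addr, value))  # every access crosses the bus
        return value

    def reset(self):
        """Optionally sum all of memory, as the 'integrity check' would."""
        if not self.checksum_on_reset:
            return None
        return sum(self._read(a) for a in range(MEM_SIZE)) & 0xFFFF

    def transaction(self, challenge):
        """Fetch the code region and mix the active key with the challenge."""
        for addr in CODE:
            self._read(addr)
        return bytes(self._read(a) ^ c for a, c in zip(ACTIVE_KEY, challenge))


def bus_exposure(card):
    """Report which memory cells one reset plus one transaction put on the bus."""
    card.reset()
    card.transaction(bytes(16))
    seen = {addr: value for addr, value in card.bus_trace}
    return {
        "fraction_of_memory": len(seen) / MEM_SIZE,
        "dormant_key_on_bus": all(a in seen for a in DORMANT_KEY),
        "image_matches": all(MEMORY[a] == v for a, v in seen.items()),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("checksum_on_reset =", flag, bus_exposure(Card(flag)))
```

In this model the dormant key variant stays off the bus until the checksum loop is enabled, at which point the whole memory image is visible after a single reset.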
Particle Beam Techniques

Most currently available smartcard processors have feature sizes of 0. These can be reverse-engineered and observed with the manual and optical techniques described in the previous sections. For future card generations with more metal layers and features below the wavelength of visible light, more expensive tools additionally might have to be used. A focused ion beam (FIB) workstation consists of a vacuum chamber with a particle gun, comparable to a scanning electron microscope (SEM).
By increasing the beam current, chip material can be removed with the same resolution at a rate of around 0. Better etch rates can be achieved by injecting a gas like iodine via a needle that is brought to within a few hundred micrometers from the beam target. Gas molecules settle down on the chip surface and react with removed material to form a volatile compound that can be pumped away and is not re-deposited.
Using this gas-assisted etch technique, holes that are up to 12 times deeper than wide can be created at arbitrary angles to get access to deep metal layers without damaging nearby structures. By injecting a platinum-based organo-metallic gas that is broken down on the chip surface by the ion beam, platinum can be deposited to establish new contacts.
With other gas chemistries, even insulators can be deposited to establish surface contacts to deep metal without contacting any covering layers. Using laser interferometer stages, a FIB operator can navigate blindly on a chip surface with 0.
Chips can also be polished from the back side down to a thickness of just a few tens of micrometers. Using laser interferometer navigation or infrared laser imaging, it is then possible to locate individual transistors and contact them through the silicon substrate by FIB editing a suitable hole.
This rear-access technique has probably not yet been used by pirates so far, but the technique is about to become much more commonly available and therefore has to be taken into account by designers of new security chips. FIBs are used by attackers today primarily to simplify manual probing of deep metal and polysilicon lines. A hole is drilled to the signal line of interest, filled with platinum to bring the signal to the surface, where a several micrometer large probing pad or cross is created to allow easy access Fig.
Processing time can be rented from numerous companies all over the world for a few hundred dollars per hour. Another useful particle beam tool is the electron beam tester (EBT) [14]. These are SEMs with a voltage-contrast function. Typical acceleration voltages and beam currents for the primary electrons are 2. The number and energy of secondary electrons are an indication of the local electric field on the chip surface and signal lines can be observed with submicrometer resolution.
The signal generated during e-beam testing is essentially the low-pass filtered product of the beam current multiplied with a function of the signal voltage, plus noise. EBTs can measure waveforms with a bandwidth of several gigahertz, but only with periodic signals where stroboscopic techniques and periodic averaging can be used. If we use real-time voltage contrast mode, where the beam is continuously directed to a single spot and the blurred and noisy stream of secondary electrons is recorded, then the signal bandwidth is limited to a few megahertz [14].
While such a bandwidth might just be sufficient for observing a single signal line in a 3. EBTs are very convenient attack tools if the clock frequency of the observed processor can be reduced below kHz to allow real-time recording of all bus lines or if the processor can be forced to generate periodic signals by continuously repeating the same transaction during the measurement.
Non-invasive Attacks

A processor is essentially a set of a few hundred flip flops (registers, latches, and SRAM cells) that define its current state, plus combinatorial logic that calculates from the current state the next state during every clock cycle. Many analog effects in such a system can be used in non-invasive attacks. Some examples are: Every transistor and interconnection have a capacitance and resistance that, together with factors such as the temperature and supply voltage, determine the signal propagation delays.
Due to production process fluctuations, these values can vary significantly within a single chip and between chips of the same type. A flip flop samples its input during a short time interval and compares it with a threshold voltage derived from its power supply voltage.
The time of this sampling interval is fixed relative to the clock edge, but can vary between individual flip flops. The flip flops can accept the correct new state only after the outputs of the combinatorial logic have stabilized on the prior state.
During every change in a CMOS gate, both the p- and n-transistors are open for a short time, creating a brief short circuit of the power supply lines [15]. Without a change, the supply current remains extremely small. Power supply current is also needed to charge or discharge the load capacitances when an output changes. A normal flip flop consists of two inverters and two transmission gates (8 transistors).
SRAM cells use only two inverters and two transistors to ground one of the outputs during a write operation. This saves some space but causes a significant short-circuit during every change of a bit. There are numerous other effects. During careful security reviews of processor designs it is often necessary to perform detailed analog simulations and tests and it is not sufficient to just study a digital abstraction. Smartcard processors are particularly vulnerable to non-invasive attacks, because the attacker has full control over the power and clock supply lines.
Larger security modules can be equipped with backup batteries, electromagnetic shielding, low-pass filters, and autonomous clock signal generators to reduce many of the risks to which smartcard processors are particularly exposed.

Glitch Attacks

In a glitch attack, we deliberately generate a malfunction that causes one or more flip flops to adopt the wrong state.
The aim is usually to replace a single critical machine instruction with an almost arbitrary other one. Glitches can also aim to corrupt data values as they are transferred between registers and memory.
Of the many fault induction attack techniques on smartcards that have been discussed in the recent literature it has been our experience that glitch attacks are the ones most useful in practical attacks.
We are currently aware of three techniques for creating fairly reliable malfunctions that affect only a very small number of machine cycles in smartcard processors: clock signal transients, power supply transients, and external electrical field transients. Particularly interesting instructions that an attacker might want to replace with glitches are conditional jumps or the test instructions preceding them. They create a window of vulnerability in the processing stages of many security applications that often allows us to bypass sophisticated cryptographic barriers by simply preventing the execution of the code that detects that an authentication attempt was unsuccessful.
Instruction glitches can also be used to extend the runtime of loops, for instance in serial port output routines to see more of the memory after the output buffer, or also to reduce the run time of loops, for instance to transform an iterated cipher function into an easy to break single-round variant.
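The conditional-jump weakness described above can be checked on a design before it ships. The following is an added example, not code from the original text: the three-instruction toy ISA, the two sample routines and the fault model (one fetched instruction is dropped while the program counter still advances) are assumptions made for illustration. It enumerates every possible skip and reports which ones grant access with wrong credentials, for a single check and for a duplicated check.

```python
# Added illustration: toy fault model for auditing an authentication routine.
from itertools import combinations

# Constructed toy ISA: CMP sets the 'equal' flag, JNE jumps to its target
# when the flag is clear, GRANT marks access as authorised, HALT stops.
SINGLE_CHECK = [("CMP",), ("JNE", 3), ("GRANT",), ("HALT",)]
DOUBLE_CHECK = [("CMP",), ("JNE", 6), ("CMP",), ("JNE", 6),
                ("GRANT",), ("HALT",), ("HALT",)]


def run(program, credentials_ok, skipped_steps=frozenset()):
    """Execute the routine; instructions at the given step numbers are skipped."""
    pc, step, equal, granted = 0, 0, False, False  # flag starts in the deny state
    while pc < len(program):
        op = program[pc]
        if step in skipped_steps:
            pc += 1                      # fault: PC advances, nothing else changes
        elif op[0] == "CMP":
            equal = credentials_ok
            pc += 1
        elif op[0] == "JNE":
            pc = pc + 1 if equal else op[1]
        elif op[0] == "GRANT":
            granted = True
            pc += 1
        else:                            # HALT
            break
        step += 1
    return granted


def bypassing_faults(program, n_faults):
    """All combinations of n skipped steps that grant access on bad credentials."""
    steps = range(len(program))
    return [combo for combo in combinations(steps, n_faults)
            if run(program, False, frozenset(combo))]


if __name__ == "__main__":
    print("single check, 1 fault :", bypassing_faults(SINGLE_CHECK, 1))
    print("double check, 1 fault :", bypassing_faults(DOUBLE_CHECK, 1))
    print("double check, 2 faults:", bypassing_faults(DOUBLE_CHECK, 2))
```

In this model the duplicated check survives every single skip but still falls to one specific pair of skips, so redundancy raises the cost of the fault rather than removing the weakness.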
Clock signal glitches are currently the simplest and most practical ones. They temporarily increase the clock frequency for one or more half cycles, such that some flip flops sample their input before the new state has reached them.
Although many manufacturers claim to implement high-frequency detectors in their clock-signal processing logic, these circuits are often only simple-minded filters that do not detect single too short half cycles. They can be circumvented by carefully selecting the duty cycles of the clock signal during the glitch. In some designs, a clock-frequency sensor that is perfectly secure under normal operating voltage ignores clock glitches if they coincide with a carefully designed power fluctuation.
We have identified clock and power waveform combinations for some widely used processors that reliably increment the program counter by one without altering any other processor state.

At this time, key changes happened every couple weeks and also almost always before or during a large sporting event. Everyone was happy, and I watched the first Pirates of the Caribbean movie on pay-per-view probably a dozen times, just because I could.
The providers played some tricks around this time, like forcing software updates to the receivers that could detect the presence of AVRs, and neutralize the receiver. A message would appear on screen saying there's a problem with your receiver and to call the provider.
If you did, well, they know you are pirating their service. A lot of us simply flashed an older software version to our receivers, but since the upgrade is automatic, it would have to be done every few days.
Then the receiver learned how to detect the lock, so we installed a switch that could lock or unlock. Then the receiver started checking more, so we installed smart locks that could detect the check… what a game of cat and mouse it was. This was short-lived though because…. Because the smartcards were already using every trick up their sleeve, the providers realized that the only way to defeat the hackers was to change everyone's smartcards for more powerful ones.
This was done late early , and effectively stopped satellite TV hacking. The Nagra 2 cards were a massive improvement over the first implementation. Uh oh. The coders have a LOT of work to do. Luckily, early versions of the Nagra 2 cards were glitchy and vulnerable to certain attacks, which hackers can use to fool the card into leaking its secrets or allow them to be reprogrammed.
Later versions of the cards had a lot more powerful security features, and were considered impractical to attack. For example, they could detect an attack and permanently disable themselves. The receiver uses information and commands from the stream to send commands to the smart card.
The smart card does some super secret processing and spits out a response. The receiver uses that response to do the things it needs to do, like decode the video, decide what channels you are allowed to watch, or send more commands to the smart card. These commands use a multitude of maps in specific orders to correctly calculate everything. The hackers eventually figured out those too, and the provider would switch to yet another set.
Once all the Maps were solved, the provider enacted a scheme to regularly switch the Maps around, and so the game of cat and mouse continued on and on. Every time the hackers figured something out, the provider would just change it.
It was around this time that Viewsat and other popular FTA receivers flooded the market. These companies made a killing selling perfectly legal equipment that could easily be reprogrammed to decode Nagra 2 streams.
Whenever the providers changed something which at this point was a couple times a week the end user only needed to pop a fresh program onto their receiver and continue watching TV. The hackers, being hobbyists with nothing to gain, were particularly angry over this.
For them it was a hobby, not unlike a jigsaw puzzle. You solve the riddles and share the results freely, only to have a company in South Korea earn millions of dollars because of your work.
Too late, though, it's such a lucrative business that now they have their own hackers to keep them going. By this time corporate corruption and backdoor deals were rampant. I remember watching Map57 enter the stream, effectively killing all piracy, only to see it disappear from the stream a few days later, allowing everything to work again.
Word around the water cooler is that someone at Viewsat paid off an employee of one of the providers to lift it from the stream for a bit, so they could unload their inventory before everything went dark for good. Said employee was dismissed, and Map57 started to creep back into the stream, but due to security concerns because Map57 was also cracked by the same FTA manufacturer it was complemented with even more Maps.
The freelance hackers and coders had all abandoned the game, choosing instead to sit by and watch like I did after the card swap.

Stupid question but is Nagra to do with cable? Don't even know how nagra 3 relates to sat.

Nagravision 3 is a conditional access system for cable and satellite.
Basically it's an encryption adopted throughout the world by most of the major players in the industry. The original basic nagra was developed by the Murdoch Mafia using a company employing ex Israeli mossad code makers, it was hacked, then the next series was hacked but the latest released around seems to be unbreakable [so far] Rumours abound about it being hacked but all is hearsay, never proven [yet] A certain team in Italy seem to be closer than anyone else but?

Nagra cable yes not sat. Four versions of Nagravision are in common use for digital satellite television, known as Nagravision, Nagravision Cardmagedon, Nagravision Aladin and Nagravision Merlin. Nagravision Cardmagedon and Aladin are often confused with each other and used under the term "Nagravision 2" which technically does not exist. Nagravision Merlin is also known as Nagravision 3.

Still confused so if nagra 3 is hacked then you wouldn't need any more lines then or card sharing?

You had nagra nagra vision no such thing as nagra blah blah. Skulduggery 'twas lol. Fun cards--Titanium cards--matrix cams etc etc--ah those were the days.

So without nagra 3 being hacked you need to card share to get lines then? Is that the point of nagra 3 being hacked or not?