
F2/F4 Security against reverse engineering

estersci2
Associate III
Posted on September 28, 2015 at 21:58

There are facilities in China where you can hire resources for 200 US dollars an hour to reverse engineer microprocessors even if the flash protection bits are set or fuses blown - for example one technique is to pop the lid, isolate the program counter and increment it to scan through memory on the CPU buses (using dual beam FIB/SEM equipment and laying down platinum circuitry with the beam). I once got a quote of USD 16k to reverse engineer an F2.

I was just wondering how secure F2/F4 is when all is said and done. I know there are things we can do like tie each image to a given chip by matching against the hash of the unique ID (because using the ID straight would be too easy to find in the raw hex). Wondering if there are any other interesting tricks or features, and also interested to see if there are any horror stories here of people having their (F2/F4) products cloned?

Thanks  
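The unique-ID binding mentioned in the post above, sketched as an added example that is not part of the thread and not ST's code: a provisioning step patches a hash of one chip's 96-bit unique ID into a reserved slot, and a model of the boot-time check recomputes and compares it. The slot marker, salt, image bytes and both IDs are constructed assumptions, and SHA-256 stands in for "the hash".

```python
import hashlib
import hmac

# All values below are constructed for illustration.
SLOT = b"UIDBIND!" + b"\xff" * 24       # 32-byte placeholder reserved in the image at build time
SALT = b"per-product-build-salt"        # assumption: a constant compiled into the firmware
UID_LEN = 12                            # the unique ID is 96 bits

def uid_digest(uid: bytes) -> bytes:
    """SHA-256 over salt || unique ID; the raw ID itself is never stored."""
    if len(uid) != UID_LEN:
        raise ValueError("unique ID must be 12 bytes")
    return hashlib.sha256(SALT + uid).digest()

def slot_offset(image: bytes) -> int:
    """Locate the reserved slot; refuse images with zero or several."""
    if image.count(SLOT) != 1:
        raise ValueError("expected exactly one binding slot")
    return image.index(SLOT)

def bind_image(image: bytes, uid: bytes) -> bytes:
    """Provisioning: patch the digest for one specific chip into the slot."""
    off = slot_offset(image)
    return image[:off] + uid_digest(uid) + image[off + len(SLOT):]

def check_binding(image: bytes, off: int, chip_uid: bytes) -> bool:
    """Model of the boot-time check: hash the chip's ID, compare to the slot."""
    return hmac.compare_digest(image[off:off + len(SLOT)], uid_digest(chip_uid))

# Constructed stand-ins for a linked image and two chips' unique IDs.
GENERIC_IMAGE = b"\x00\x20\x00\x20" + b"code..." + SLOT + b"...more code"
UID_CHIP_A = bytes.fromhex("3a0041000f51333437363233")
UID_CHIP_B = bytes.fromhex("3a0042000f51333437363233")

if __name__ == "__main__":
    off = slot_offset(GENERIC_IMAGE)
    image_a = bind_image(GENERIC_IMAGE, UID_CHIP_A)
    print("runs on chip A:", check_binding(image_a, off, UID_CHIP_A))
    print("runs on chip B:", check_binding(image_a, off, UID_CHIP_B))
    print("raw ID visible in image:", UID_CHIP_A in image_a)
```

This raises the cost of running a copied image on a different chip; it does not protect the image from being read out.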
qwer.asdf
Senior
Posted on September 29, 2015 at 11:40

ST's own ST-Link v2 was dumped and cloned (or maybe extracted from the update package, I don't know), but I'm sure there is no 100% secure way of protecting your firmware against a serious adversary, though ST's

http://www.st.com/st-web-ui/static/active/en/resource/technical/document/application_note/DM00186528.pdf

should be good enough for regular cloners. So don't bother protecting, just go open source ;)

P.S.

This was just my opinion, I don't have actual information whether ST's protection is 100% secure or not.

AvaTar
Lead
Posted on September 29, 2015 at 12:48

ST's own ST-Link v2 was dumped and cloned (or maybe extracted from the update package, I don't know), but I'm sure there is no 100% secure way of protecting your firmware against a serious adversary, though ST's

http://www.st.com/st-web-ui/static/active/en/resource/technical/document/application_note/DM00186528.pdf

should be good enough for regular cloners. So don't bother protecting, just go open source ;)

 

I basically agree with this opinion. If your project is commercial, keep the development going, to be ahead of the copyists. You might approach ST directly, and given enough momentum (bought silicon p.a.), you might get a satisfying answer. But even ST will admit they can just raise the bar substantially, but not prevent attacks with "unlimited" resources.

Microchip is said to have elaborate methods to keep physical reverse-engineering at bay, but I view their portfolio as heading towards a dead end - but that is just my opinion, too.

estersci2
Associate III
Posted on September 29, 2015 at 13:00

Hi,

Has anyone on here had their commercial project copied from an F2? Is it that common an occurrence?

I am planning to pair my f2/f4 with a very secure smartcard, which will contain some of the core application logic. 

Amel NASRI
ST Employee
Posted on September 29, 2015 at 13:08

Hi new guy,

There are some preventive actions based on protection techniques that you may apply to secure your device.

I recommend you have a look at

http://www.st.com/web/en/catalog/tools/FM147/CL1794/SC961/SS1743/LN1920/PF262417

It may help you to select the appropriate way in order to protect your code.

-Mayla-


Posted on September 29, 2015 at 18:06

Surely someone with enough motivation and equipment could read the charge levels off the flash array, or break enough cells in the design to access the content.

People have broken smart cards with equipment in their basement.
estersci2
Associate III
Posted on September 29, 2015 at 19:17

Yes but there are rating systems for smart card security - they are not all the same, and not just memory either.  
estersci2
Associate III
Posted on September 29, 2015 at 19:20

Mayla,

This is not secure. It only protects from the JTAG port side of things. With FIB/SEM, you can perform surgery that lets you come at the image as if you were the on-chip CPU, via the unprotected bus. You can use the CPU program counter to scan out the protected code, and off the chip via newly added tracks. Fee for this in China is 16,000 USD.