As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.
This page describes the setup of the 87C51 target and shows how it can be used to perform these two types of attacks.
== Hardware Details ==
=== Programming Microcontroller ===
The target board contains an ATMega165PA/ATMega325PA (referred to as the 'AVR' hereafter), which is used to perform program verification on the 87C51. It is also used to generate trigger points for attacks such as encryption table read-out and inserting glitches into the program read logic. The programming interface has the following limitations:
* Address lines A0 - A13 are mapped to the AVR. The upper two lines are shared with the LED1/LED2 outputs. (A14 and A15 aren't needed because the 87C51 model that's used only has 16 KB = 2^14 bytes of code memory.)
=== Target Microcontroller ===
The default target device is an Intel EE87C51RB1 (16 KB EPROM, 512 bytes RAM). Useful references:
'''NOTE:''' The 87C51 devices are EPROM-based. Some have a UV erase window and some don't; those without the window are OTP (one-time programmable) devices and cannot be erased once programmed. You may wish to use an 89C51 device instead in some cases. See the note below about 89C51 devices.
==== Using 89C51 Devices ====
The 89C51 devices, which are easier to reprogram, can also be used with this board. However, the 89C51 devices do not normally have the "XOR encryption table", so attacks on that encryption table cannot be attempted with them.
=== Jumpers ===
A number of jumpers are present on the target board. They are mostly used to select different features and options on the target board. First, there are 7 jumpers that connect to the IO lines of the two microcontrollers.
Finally, the baseboard's "Target-Defined Programming" header (J15) is connected to some of the 8051 pins. P3.3, P3.4, and P3.5 are connected to H2, H4, and H6. Normally, these pins are all pulled down to ground (logic 0). When a jumper is mounted to H1-H2, H3-H4, or H5-H6, these pins are instead connected to VCC (logic 1).
== AVR Firmware ==
The AVR on the target board has its own firmware to control the 87C51 code verification process. This firmware is one Atmel Studio project in the Git repository. The compiled hex file can be programmed onto the AVR using the AVR Programmer in the capture software.
To program these fuses, the AVR programmer will have to use Slow Clock Mode. Once the fuses are set, slow clock mode can be disabled again.
== 87C51 Firmware ==
=== Developing Firmware for the 87C51 ===
There are a number of tools that can be used to develop firmware for the 87C51 processor. The best 8051-specific software can be pretty expensive, but it is possible to get by with free software:
'''Programmer''': To write a program into the code EPROM, an EPROM programmer is needed. We used a [http://minipro.txt.si/index.php?title=Main_Page MiniPro TL866 programmer] along with their free software. However, any programmer compatible with the 87C51 should be fine.
=== Example Firmware ===
We've written a couple of firmware examples and put them together into one big 87C51 project. Combining multiple pieces of code together means that we can use one chip for all of the side channel attacks - we don't need separate processors to work on different pieces of firmware. This project has six different parts:
* <code>print</code>: prints "Testing 1\nTesting 2\nTesting 3...". Easy to confirm that the processor is running correctly.
== Code Verification ==
=== Verification Process ===
The process to read back code from the 87C51's EPROM memory is described in the NXP datasheet (in the EPROM Characteristics section). However, there's a lot of info in this section about ''writing'' to the EPROM memory, which we can't do on the target board. The bare minimum to verify code bytes is repeated here:
5. Write P2.7 to 1 to stop reading the device.
=== Security ===
There are two security features built into the 87C51 to stop end-users from reading the firmware out of EPROM. Companies might use these features as an anti-piracy measure: if they can keep their competitors from reading out their firmware, they avoid giving away their trade secrets. Both of these security features can be enabled using the Minipro programmer.
The most critical of these locks is the second: it stops all verification.
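The following is an added example to make the "XOR encryption table" mentioned above concrete; it is not code from this page or from the ChipWhisperer project, and it does not talk to a real chip. It models the array the way the 87C51 family datasheets describe it (a 64-byte array, each byte read out in verify mode XNORed with the array byte at address mod 64; both details are taken from the datasheet, not from this page) and shows why the array on its own is weak: an unprogrammed EPROM byte reads as 0xFF, and XNOR with 0xFF returns the key byte unchanged, so any 64 consecutive blank (or otherwise known) bytes leak the whole table. The code image and key are constructed for the example.

```python
"""Model of the 87C51 encryption array as seen through verify mode.

Added example; not ChipWhisperer/NewAE code. Assumptions taken from the
87C51 datasheets rather than from this page: the array is 64 bytes, and
in verify mode each code byte comes out XNORed with the array byte at
(address mod 64). The code image and key below are constructed.
"""

ARRAY_SIZE = 64          # assumed encryption-array length
EPROM_SIZE = 16 * 1024   # EE87C51RB1 code EPROM (16 KB, A0-A13)
BLANK = 0xFF             # erased / unprogrammed EPROM byte


def xnor8(a: int, b: int) -> int:
    """8-bit XNOR. xnor8(x, 0xFF) == x: an unprogrammed key byte leaves the
    code byte unchanged, which is why the array is XNOR rather than XOR."""
    return (~(a ^ b)) & 0xFF


def verify_readout(code: bytes, key: bytes) -> bytes:
    """Bytes a programmer reads back in verify mode with the array programmed."""
    return bytes(xnor8(c, key[addr % ARRAY_SIZE]) for addr, c in enumerate(code))


def recover_key(readout: bytes, known: dict) -> list:
    """Known-plaintext recovery of the array.

    known maps address -> true code byte at that address. Because XNOR is its
    own inverse, key[addr % 64] = xnor8(readout[addr], code[addr]). Returns a
    64-entry list with None in slots no known address covers, and raises if two
    known addresses disagree (i.e. the plaintext guess was wrong)."""
    key = [None] * ARRAY_SIZE
    for addr, plain in known.items():
        slot = addr % ARRAY_SIZE
        k = xnor8(readout[addr], plain)
        if key[slot] is not None and key[slot] != k:
            raise ValueError(f"inconsistent key guess for slot {slot}")
        key[slot] = k
    return key


def decrypt_readout(readout: bytes, key: bytes) -> bytes:
    """Undo the array: applying the same XNOR again yields the plain code."""
    return verify_readout(readout, key)


def blank_tail_attack(readout: bytes, tail_len: int) -> bytes:
    """Recovery needing no disassembly: assume the last tail_len bytes of the
    EPROM were never programmed (still 0xFF). Since xnor8(0xFF, k) == k, those
    positions leak the array directly; tail_len >= 64 covers every slot."""
    start = len(readout) - tail_len
    known = {addr: BLANK for addr in range(start, len(readout))}
    key = recover_key(readout, known)
    if None in key:
        raise ValueError("blank tail too short to cover all 64 slots")
    return bytes(key)


def demo() -> tuple:
    """Constructed scenario: a short program followed by unprogrammed EPROM.
    Returns (key recovered correctly, readout decrypted correctly)."""
    key = bytes((37 * i + 11) & 0xFF for i in range(ARRAY_SIZE))       # constructed key
    program = bytes([0x02, 0x00, 0x03]) + bytes(i & 0xFF for i in range(500))  # filler, not real code
    code = program + bytes([BLANK]) * (EPROM_SIZE - len(program))
    readout = verify_readout(code, key)
    recovered = blank_tail_attack(readout, 1024)   # attacker assumes last 1 KB is blank
    return recovered == key, decrypt_readout(readout, recovered) == code


if __name__ == "__main__":
    print(demo())
```

This is why the second lock bit, which disables verification entirely, matters more than the array: the array only protects an image that fills the whole 16 KB with bytes an attacker cannot guess, and even then the reset vector and other fixed structures give known plaintext for some slots.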
=== Gotchas ===
This section describes a few quirks/caveats that we found with the 87C51 and its target board.