Fun with Masked ROMs – Atmel MARC4
At Aperture Labs we have Code Monkeys and Chip Monkeys. Chip Monkeys do the dangerous stuff, while we Code Monkeys sit in our nice safe offices playing with bits and bytes and other things that can’t hurt us…
Now, you’re probably wondering what could possibly be ‘dangerous’ in an IT Security business, and that’s a perfectly fair question. How about boiling nitric acid for a start? Or fiddling with circuits that are directly connected to mains electricity? Exactly. Dangerous!
So when head Chip Monkey Zac Franken says to me: “Here are some pretty pictures of chips that I’ve dissolved in some lovely boiling nitric acid”, I am quite happy to be a Code Monkey and to leave the nasty smelly dissolvy stuff to him… 🙂
You might ask why you would want to dissolve chips in the first place? Usually, it’s because you are trying to do something like reset a fuse to allow reading/writing of protected areas, or probe a data track to observe data being processed by the chip, or even figure out the actual logic of a proprietary chip by viewing and reverse engineering its construction.
In our case it’s a combination of things, but the primary target at this stage is the program code that is stored in Masked ROM. The chip itself is using a known architecture and a published assembly language, so the only reverse engineering required is to recover the actual instructions stored in the ROM. As we can see from the picture below, this should be relatively easy as ‘data’ is clearly discernible:
If we zoom in we can see what looks like blobs of solder connecting vias, and we can guess that the presence of a blob represents a ‘0’ or a ‘1’ and the absence vice-versa: