IC Crack Service

What Is IC Crack?

IC Crack is also known as IC Unlock, IC Attack or IC Decryption. Normally, the IC of the final products are encrypted. IC unlock services is to decrypt the IC through the semiconductor reverse engineering approaches. The program of ICs will be readable by programmer after IC unlocking.

IC Crack Services

We will unlock your IC sample. You will receive IC code in Bin / Hex file for programming new ICs:

2 New IC Samples programmed and delivered to you for testing (100% refund if the samples do not pass the test)

Bin or Hex file extracted submission

*IC sample will be decapped and will not be in work condition after IC unlock.

What are the Methods of Cracking an IC?

There are a lot of approaches we using to attack an IC.

1. Software attacking

The technology typically attacking ICs by using the processor communication interfaces and exploits protocols, cryptographic algorithms, or security holes in these algorithms. A typical example of software attack was the attack on the early ATMELAT89C family of microcontrollers. The attacker took advantage of the loopholes in the timing design of the erasing operation of the series of microcontrollers: by using a self designed program, stopped the next step of erasing the program memory data, after erasing the encryption locking bit. The program became non encrypted and then just read out the on-chip program by programmer.

It also possible to utilize the encryption methods to attack IC, based on the development of new attacking devices, with some software to do software attacks. Recently, there has been attacking device in China named Kai Ke Di Technology 51 chip decryption equipment ( Developed by an IC attacking Pro from Chengdu, China), this device unlock IC mainly through SyncMos.Winbond, due to the loopholes in the IC production process. The method is to use some programmers to locate inserted bytes , Through this method to find whether the chip has a continuous slot (find the chip continuous FFFF bytes). The bytes inserted is able to to perform the instruction to send the internal program out, and then use the decryption device to intercrypt, to obtain the program.

2. electronic detection attacks:

The technology typically monitors the processor’s analog characteristics of all power and interface connections during normal operation with high temporal resolution and attacks by monitoring its electromagnetic radiation characteristics. Because the microcontroller is an active electronic device, the corresponding power consumption changes as it executes different instructions. This allows the attacker to acquire specific critical information in the microcontroller by analyzing and detecting these changes using special electronic measuring instruments and mathematical statistics. As for the RF programmer can directly read the old model of the encryption MCU program is to use this principle.

3. Error Generation Attack Technology:

The technology uses abnormal operating conditions to cause processor errors and then processor provides additional access to enable the attacks. The most widely used errors generation technologies include voltage and clock strikes. Low-voltage and high-voltage attacks can be used to disable the protection to circuit or force the processor to perform incorrect operations. A clock transition may reset the protection circuitry without disrupting the protected information. Power and clock transitions can affect the decoding and execution of a single instruction in some processors.

4. probe technology:

The technology is to directly expose the chip internal connections, and then observe, manipulate, interfere with the microcontroller to achieve the purpose of attack.

5. UV attack method:

UV attack, is to apply ultraviolet radiation on chip, and convert the encrypted chip into a non-encrypted chip, and then use the programmer to read the program directly. This method is suitable for OTP chips, engineers who designing microcontrollers know that OTP chips can only be erased by UV light. So to wipe off encryption need to use UV. At present, most OTP chips produced inTaiwancan be decrypted using this method. Half of the OTP chip ceramic package will have quartz window. This kind of IC can be directly irradiated with ultraviolet light. If it is plastic package, we need to open the chip first, the wafer can be exposed to ultraviolet light exposure . Because of this chip encryption is relatively poor, the basic decryption does not require any cost, so the market price of the chip decryption is very cheap, e.g SONIX SN8P2511 decryption, Infineon SCM decryption.

6. Chip loopholes:

Many chips have cryptographic vulnerabilities at design time. Such chips can exploit vulnerabilities to attack the chip to read out the code in memory, such as the exploit of the chip code mentioned in our another article: If we can find the continuous FF code that can be inserted bytes, we could reverse out the program. Or if some search code contains a special byte, if there is such a byte, we can use this byte to reverse the program out. The chips such as Winbond or Shimao MCU chips, for example, W78E516 decryption, N79E825 decryption, ATMEL 51 series AT89C51 decryption is to use the byte loopholes in the code to attack.

In addition there are some obvious loopholes in the chip, such as a pin in the encryption will become a non-encrypted chip, when adding the electronic signal. Because the attacking technology involves a Chinese MCU manufacturer, we will not listed the models out at here. Chip decryption devices that can be seen on the market today all utilize the loopholes in the chip or the program to realize IC unlock. However, the approaches that can be bought / shared outside is basically only able to unlock very limited number of models, as the detailed attacking approaches are highly confidential to each lab or companies. At Hiechpcba, we developed our own decryption equipment for internal uses only. We have the technology with our developed tools which is able to unlock e.g. MS9S09AW32, or the device that can specifically unlock LPC2119LPC2368 and other similar ARM IC. The outcomes will be very reliable by using the specialized approaches & tools for specific IC catalog.

7. FIB recovery encryption fuse method:

This method is suitable for many chips with fuse encryption, the most typical example is TI’s MSP430 unlocking. Because the MSP430 encryption is to burn fuse, as long as the fuse can be restored, then the IC changes to non-encrypted chips. More models such as MSP430F1101A, MSP430F149, MSP430F425 and so on. We normally use the probe to achieve the fuse re-connection. If there is no equipment, it’s still achievable by modifying lines contracting to semiconductor modification companies. General it could use the FIB (focused ion beam) Equipment to connect the line, or with a dedicated laser modification of equipment to restore the line. This approach is not a preferred solution because of the needs for equipment and consumables which increases the customers’ cost for IC unlock work. We will use the technology if there is no a better method.

8. Modifying the Encryption Circuit:

Currently on the market, CPLD and DSP chip design is complex, with high encryption performance, using the above method is difficult to do decryption. Then we need to make the previously mentioned analysis for the chip’s structure, and then find the encryption circuit, and use the chip circuit modifying equipment to make some changes, and to make  the encryption circuit fails. The encrypted DSP or CPLD then will be into a non-encrypted status which the codes can be read out. We use the technology   for   TMS320LF2407A, TMS320F28335, TMS320F2812 & etc.

IC Unlock Q&A

Q1: What is IC unlock?

A1: Other names for IC Unlock include IC Crack, IC Attack, and IC Decryption. The IC of finished items is often encrypted. IC unlock services include using semiconductor reverse engineering techniques to unlock the IC. After the IC crack, the programmer may read the IC's program.

Q2: How much price for IC crack?

A2: The price range of IC crack is relatively large, mainly depends on the specific model!

Since I was engaged in IC crackers, I have often received all kinds of questions from customers. Today, let’s explain why IC cracker is also aimed at chips, and there is such a big price difference? Some chips cost only a few dozens USD, while others cost tens of thousands or even hundreds of thousands?

Q3: Can we crack polished or fake IC?

A3: For this kind of IC, we need to open the cover of the chip and identify the real model of the chip. You can then determine whether successful cracking is supported. In this case, the original IC will be broken.

Q4: Why can not promise 100% success for any IC decryption？

A4: Important note: there are risks in IC decryption any chip. Many businesses promise a 100% success rate before decryption IC. That’s the past! The probability of success is also relative. Even a simple IC decryption process may fail because of one of the factors. Therefore, the success rate of 100% is the words of some advertisements. Please be prepared!

Q5: How to order to unlock IC?

A5: The customer sends the specific model of the chip – > quote – > send samples (1-2 pieces) – > we test – >confirm chip support unlock- > customer pays 50% of the deposit – > start work – > complete decryption – > send two new samples for test – customer pays the balance – > send the program to customer

Q6: Can I modify the program after MCU unlock?

A6: After MCU unlock, disassembly will get assembly language, not “C “or “Java”. If you can understand assembly language, you can certainly modify it. You can only modify simple in the hex file, such as name, model, quantity, etc.If you need to reverse program from burning files to C language programs, the cost is very high!

Q7: How to unlock soft encryption MCU?

A7: Some chips are usually found after hard unlocking, and the program is also encrypted. In this case, we need professional software engineers to repair the code so that it can work successfully! However, some too complex soft encryption MCU may not be 100% repaired successfully.

Q8: Can I get program directly after cracking IC?

A8: Important note: for chips with long sample delivery time, high freight cost, low IC crack price, and high IC crack success rate. Customers can request the program directly after decryption. However, if you test is not successful, the customer needs to provide the original product or PCB board for us. If you don’t cooperate with the test, we can’t refund it. After We try to determine that the program has problems or IC crack problems, we can refund customers!Especially for new customers, please consider carefully. There are risks in unlocking any chip. We can’t say 100% success!

Q9: Legal liability and confidentiality agreement for cracking MCU?

A9: As long as we ask MCU unlock customers to get MCU chips through legal channels, and It uses MCU crack in legal ways, such as repairing broken equipment, redeveloping programs, learning other people’s advanced programming methods, or retrieving their lost data, etc. When we crack MCU, the decryption association stipulates that customers must crack for legitimate purposes. MCU unlocks a legal means to understand information, but the learned information must comply with intellectual property law.

Q10: How to pay for chip decryption?

A10: Notes for chip decryption payment:

1. For simple and cheap chip projects, we can decryption and pay the full amount at one time, and we will send the program;

2. For complex and difficult chip decryption, it is recommended that the customer test new samples after paying 50% deposit. Make sure there is no problem and then pay the full amount. If the customer insists on paying the full amount, get the project procedure directly. Follow up work, customers must cooperate with our work! Otherwise, it will bring losses and bear the risks.

3. Payment method: PayPal, Alipay, WeChat Pay and other methods can be supported for small amounts, and bank T / T, must be used for large amounts.