XboxHacker BBS
 
Author Topic: efuse technical information  (Read 3459 times)
aholmes187
« on: January 29, 2007, 07:49:42 PM »

I just wanted to say that I find the efuse concept/working pretty interesting, and googling I found this...

http://www.priorartdatabase.com/IPCOM/000139312/


"Efuse-based IC Security Scheme
This article describes a reversible system for disabling scan chain access to an integrated circuit after manufacturing test. By using on-chip electronically programmable fuses, access to scan chains, which are typically used for test purposes, can be first disabled, and later, if needed, re-enabled. For example, scan chains may be re-enabled to perform diagnostics. "

Anyone think it's worth the 40 bucks they want for the 3 pages? Or has anyone already read it? Sorry if this seems like a repost... but tinkerer suggested that I start a new thread; he also found some neat information posted in the patents regarding the debug part, I believe. Maybe some people with some superior knowledge would be interested anyways...

oh trying to get a square peg in teh round hole huh? sounds like YOU need a bigger hammer.
aholmes187
« Reply #1 on: January 30, 2007, 08:13:49 PM »

This is some more really interesting (well, I think it is anyway); it's 3/4 of the way down, after fig. 13, titled "Test structure for electrically programmable fuse diagnostics". Yeah, you're thinking oooo...pictures

http://www.research.ibm.com/journal/rd/504/ketchen.html

"As a possible solution to this characterization challenge, we have designed a test structure for in-line characterization of eFuse using parametric testers with only dc I/Os [13]. A key component of this test structure is the pulse generator. The pulse width required for this application is five orders of magnitude greater than what can be practically generated with the scheme shown in Figure 3(d). A simplified schematic diagram of the pulse generator circuit developed for this application is shown in Figure 14. A ring oscillator with 241 stages is enabled by setting the input ENABLE = “1” and serves as an on-chip clock. A “dc” Launch signal creates a sharp rising edge for the pulse and initiates a resettable counter. At a selectable time after the generation of the first pulse edge, a signal is sent to create the falling edge of the pulse. A latch, LatchA, is used for creating the rising edge of the pulse, as shown in Figure 3(c). With a “1” preloaded into the data port of LatchA (via input Arm) and with its output at “0,” all is quiet until the Launch input to the LatchA clock is of sufficient magnitude to allow the loaded “1” to pass to the output. The only requirement for the Launch input signal is that it must undergo a transition from “0” to “1” (the details of the waveform, including the duration of the transition, are unimportant). The output from LatchA is a very sharp edge that occurs at some point during the rise of the Launch signal, and subsequent events are self-timed with respect to this sharp edge. The LatchA output forms the leading edge of the pulse for the eFuse blow at the OUT terminal, preloads a “1” into the data port of LatchB, and also turns off the reset signal (r) to the resettable counter. 
The counter counts up to a specific time determined by the decoder inputs a1 and a2, and then sends a signal to the clock input of LatchB, which is waiting with the preloaded “1.” Next, the output from LatchB is inverted and combined with the original LatchB output to form the falling edge of the pulse, which appears at the OUT terminal and is applied across the fuse. The resistance of the fuse is measured before and after the application of the pulse to quantify the performance of the eFuse structure. Table 1 gives an example of output pulse widths for various decoder inputs."
aholmes187
« Reply #2 on: January 30, 2007, 08:23:50 PM »

Sorry for the long-winded post above, and posting again, but this is more info I've found pertaining to efuses. Some are presentations or technical papers.

http://domino.research.ibm.com/comm/research_projects.nsf/pages/sixthsense.pubs.html/$FILE/pervasive_fmcad06.pdf

http://www.priorartdatabase.com/IPCOM/000139312/

http://www.research.ibm.com/journal/rd/504/ketchen.pdf

http://www.paritycomputing.com/jpdfs/ieee/ssc/jssc/2005040/01jan/0213bart.pdf

tinkerer15khz

Aaron: I am trying, okay, I really am here.


« Reply #3 on: January 31, 2007, 04:07:13 AM »

nice link aholmes

http://www.chipdesignmag.com/display.php?articleId=536

"Another efuse disadvantage is that it can be easily reverse engineered by high-magnification visual inspection of the silicon, which compromises key security."


I don't care about "backups". I don't have a modified dvd firmware on my system yet. I do agree with fairuse. Why do people keep buying the same movie over and over as the format changes?  My Xbox 1s have XBMC and DOSBox etc.
probutus

$#!t happens


« Reply #4 on: January 31, 2007, 05:49:54 AM »

this would mean that the guys who decapped the CPU before could have a look with a microscope
speedy22
« Reply #5 on: January 31, 2007, 06:46:34 AM »

Yes, a decapped CPU was inspected with a SEM (scanning electron microscope). The problem is the efuses are located beneath the metal layers of the silicon. This means the various layers would need to be removed in stages. It is possible but very expensive and out of range for the weekend hobbyist.

Here is some more info. This is a scary document.

http://www.freshpatents.com/Using-electrically-programmable-fuses-to-hide-architecture-prevent-reverse-engineering-and-make-a-device-inoperable-dt20060622ptan20060136751.php

This IEEE document explains efuses.
Electrically Programmable Fuse (eFUSE) Using Electromigration in Silicides
C. Kothandaraman, Sundar K. Iyer, Member, IEEE, and Subramanian S. Iyer, Fellow, IEEE

S22
speedy22
« Reply #6 on: January 31, 2007, 12:55:55 PM »

Here's the patent in a PDF.

http://www.pat2pdf.org/patents/pat20060136751.pdf

S22
Tiros
« Reply #7 on: January 31, 2007, 12:59:48 PM »

"This means the various layers would need to be removed in stages. It is possible but very expensive and out of range for the weekend hobbyist."

I read quite a while back that those fuses are underneath metal for a reason. IIRC it was stated that removing those layers would render the chip inoperable. Since the efuse config of each console is unique, even if you optically inspected, you would wind up with the key only for a dead unit.
aholmes187
« Reply #8 on: January 31, 2007, 03:15:32 PM »

speedy22... nice find on the pdf, haha, gotta love diagrams.
@ tiros... yes, I do remember now that you bring it up about having to remove a layer at a time leaving it inoperable, which is a shame. I wasn't trying to be like oooo efuse is the golden ticket. I just find the whole concept really cool.
Is there anyone in the medical field on here? I wonder if with the advancements in medical imaging it would be possible to image the chip without destroying most of it? I wasn't really trying to say that visually inspecting them is a good choice, because after all, trying to make some kind of usable diagram after visually inspecting like 2000? efuses... hahaha, probably not that much fun
tinkerer15khz
« Reply #9 on: February 03, 2007, 05:40:54 PM »

While you would end up with a dead unit, do you think part of the efuses would be the same across all 360s? Where is the initial bootcode for the system, in the southbridge or in the CPU? If in the CPU in efuse form, wouldn't that code be the same for all boxes, and the beginning of each start up is unencrypted till it loads the decrypter for the boot loader, right? If someone had some flashing red lights xboxes, they could decap and get that second layer of metal off, possibly.
tinkerer15khz
« Reply #10 on: February 06, 2007, 01:33:42 PM »

pictures of efuses

efuses highlighted

http://www.realworldtech.com/includes/images/News/ppc970mp-1.gif

and

chip with efuses no highlights

http://www-03.ibm.com/chips/photolibrary/photo10.nsf/WebViewNumber/F15EA05B26454BE885256F9C0070FE3A

"To download the full resolution image: Right click on the image below and select "Save Image As". You will be prompted to select the directory on your hard drive." Image is 1.1mb
tinkerer15khz
« Reply #11 on: February 06, 2007, 02:35:00 PM »

A search for patents with jtag AND fuse AND "international business machines"

http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=0&p=1&f=S&l=50&Query=jtag+AND+fuse+AND+%22international+business+machines%22%0D%0A%0D%0A&d=PG01

1    20060136858    Utilizing fuses to store control parameters for external system components
2    20060136751    Using electrically programmable fuses to hide architecture, prevent reverse engineering, and make a device inoperable
3    20060131743    Changing chip function based on fuse states
4    20050242924    Method and apparatus for resisting hardware hacking through internal register interface
5    20050010788    System and method for authenticating software using protected master key
from patent #5 "3. The method of claim 2 wherein the loading is performed by a processor and wherein the processor and the second memory area are located in a common semiconductor package. "
6    20050010767    System and method for authenticating software using hidden intermediate keys
7    20040263199    ADAPTIVE INTEGRATED CIRCUIT BASED ON TRANSISTOR CURRENT MEASUREMENTS
8    20020123854    JTAG-based software to perform cumulative array repair
9    20020069386    Joint test action group (JTAG) tester, such as to test integrated circuits in parallel
« Last Edit: February 06, 2007, 02:51:22 PM by tinkerer15khz »
