Microcontrollers are everywhere, including the oddest of places, such as a razor—the Schick Hydro Power Select customizable power razor, to be precise. I’m not sure why you’d need microcontroller-controlled customizable power or the packaging, waterproofing, and power issues that go along with it, but I gave it a shot. After all, Schick promises it “allows men to interact with their razor in a new way.” I never realized that I longed to interact with my razor in new ways, but Schick has created a demand—a craving, if you will—and I just had to try it. Alas! It wasn’t all that much better than interacting with my regular arm-powered, hand-controlled razor, so I instead took it apart. It’s a bit more interesting to go inside and see how the designers implemented a wet razor, powered from one AAA battery and featuring three vibration settings, easy-to-read indicators, and a haptic sensor. Why they would do it is another question.


Most interesting thing abou this gadget is that it is powered by two microchip products one is the microcontroller PIC10F222 which generates the PWM signals and other is the boost controller MCP1624 from microchip which makes the system to run with single AAA size batter i.e. 1.2volt (NiCD rechargable).

1. A three-stage power button sets the vibration. The razor rotates through all three settings and then goes into off mode. It required too much pressure to activate due to its sealing cap.

2. A vibration-stage indicator uses LEDs.

3. Batteries are inserted here…..Read more

Have you ever thought about this, Unlike humans they have more options than us, they can Sleep, Standby, Hibernate, Restart and the last one Shutdown !! !

These things is available at both softaware (OS) level and hardware level. In your desktop or laptop u must have used all these options

In this article I will explain both for general computer user and the embedded developers.

In Operating Systems:

Lets first see what happens in MS Windows OS.

StandBy: This option sets the screen off and harddisk stops. All other services continues except those dedicated to the user.

Sleep: This is a bit more than standby useful for power saving. This stops the hard disk, switch off the screen, switch off most of the parts and sets the clock speed low so as to lower power consumption.

Hibernate: Hibernate its very useful if u need your system to start from the last files u r working with as it is, and quick mode. What it does is

As you click hibernate it saves all the Data in RAM into a file Hiberfile.sys (which has size same as RAM size) and write an extra line in the Master Boot Record.

Next you start your PC it starts from MBR as normal but the extra line written in the previous session tells the system that it was hibernated in the previous session. So it searches for hyberfile.sys and loads that data onto RAM, while showing a screen message System Resuming ….

N.B.:There was a similar option in RHEL linux which was very similar to hibernate but not same in bachground. It saves all the session information(which files opened what edited….) and on next start it resumes according to that data, so it is a bit slower and some processes like games videos will not supports this.

 

In Microcontrollers and Microprocessors:

After dinner…. wait

 

Wings as temperature sensor

Nanostructured Wings as temperature sensor

Many of the shimmering colors in a butterfly’s wings are produced not with pigments, like the melanin that tints our skin, but with nanostructures (pdf). The scales on their wings are patterned with nanoscale channels, ridges, and cavities made of a protein called chitin. Unlike pigments, which create color by absorbing some wavelengths of light and reflecting the rest, the nanostructures are shaped so that they physically bend and scatter light in different directions, sending particular colors back to our eyes. That scattering can also make the wing scales iridescent–meaning the color changes with the angle you see it from.

When heat, in the form of invisible infrared radiation, hits the chitin nanostructures, they expand, changing their shape and therefore the colors they display. Scientists at GE are working to harness this property to make hypersensitive thermal imaging sensors, useful for night vision. By coating the wings of a Blue Morpho butterfly with carbon nanotubes that magnify the effect, researchers there made an insect into a sensor that changes color when its temperature changes a mere 1/25th of a degree.

Before implementing a webserver in microcontroller, I was searching whether I could try
the same on a PC and I got this actually I was searching for raw packet sending method. What I got is as below

  1. import httplib
  2. h2 = httplib.HTTPConnection(‘xtronix.in’)
  3. h2.connect()
  4. h2.request(“GET”, “/index.php”)
  5. r2 = h2.getresponse()
  6. print r2.status
  7. 200 (Server Reply)
  8. print r2.reason
  9. OK   (Server Reply)
  10. print r2.read()
    now you will get the html code on console window

I will Publish more on this some other day

Useful Tools: Wireshark Network Analyser(Free OpenSource) , Python (OpenSource),
Device Monitoring Studio(30 days Trial)

Now-a-days most of the sensors comes with an I2C or SPI interface. All sensors and supporting interface devices, energy meter ICs, Network analyzer chips have the I2C port. So it is now a bit complex than before as the interface was Serial (UART). Although all the advance microcontrollers have some extra support for this but for the People interfacing devices to PCs it needs a bit tweaking with the available ports i.e. parallel or serial or USB.

In most of the links on internet people choosed the parallel port although parallel port is rare things on modern PCs, again there is no True USB to Parallel Converter. But u may add a PCI-Parallel port interface in your desktop board.

In all version of windows(for vista and win7 you need some extra tweak to break the security walls) you can test the I/O ports directly from the command prompt with debug tool. You can test the I2C device only with the command prompt also.

Goto cmd type debug the prompt will change from C:/Docum———/user>_ to –

-i 378

The above command will read from port 378 (378 is the pc parallel port base address)

-o 378 FF

This will output FF on the port

If we connect the I2C device as below

http://www.maxim-ic.com/images/appnotes/3230/3230Fig01.gif

then with the following command we can start the communication

i 378 Read the Data Byte.
-o 378 00 Write the Data Byte to 00h. This will make SDA and SCL output a logic high.
-i 378 Read the Data Byte. This should return 00 since we just wrote it to 00.
-o 378 01 This will make SCL low and SDA high.
-o 378 02 This will make SDA low and SCL high.
-o 378 03 This will make both SDA and SCL low
-o 378 00 Make sure SDA high before executing the following command.
-i 379 This returns the state of SDA. If bit 5 is 0, then SDA is high. If 1, then SDA is low. Keep

in mind that to read SDA, Data Byte bit 1 should first be written to a 0 so SDA will be

released by inverter U1A. If nothing external is pulling SDA low, then bit 5 should read as a 0.
-o 378 02 Now force SDA low.
-i 379 Read the state of SDA again. This time bit 5 should read as a 1.

 

You may try SPI interface with parallel Port there are schematics and supported driver and GUI interfaces for these, below is link to one from freescale and some other site

Freescale SPIGen or SPI Simulator driver for windows

http://www.vb-pic-sd-spi.com/home/main.htm

Software

Parallel Port Utilty Software

References

http://www.i2ctools.com/Downloads/LPTtoI2C/LPT-to-I2C_Hardware_Users_Manual.pdf

How to Use PC Parallel Port as I2C interface to PC

For those who haven’t tried it yet, pull Google up on your browser and type in the words “let it snow.” Then enjoy a snow flurry right on your computer screen.

To keep the wintery fun going, Google also added a frosty element to the experience: As the snow continues to fall, your computer screen will fog up. Click the “defrost” button to clear it, or use a mouse to draw hearts, or initials or whatever else you want in the fog. You can click defrost at any time to start over again.

A spokeswoman from the company sent the following statement about the Let It Snow trick in poem form:

“Through the fog, you have to peer 
Because it’s the most wonderful time of the year 
Your page turned into a winter wonderland 
When you typed in that search command 
You can always defrost the window 
Or just let it snow, let it snow, let it snow!”

Well, it’s not a poetry house, but they do like to have fun.

Google has some other neat tricks up its sleeve, and if your work is slow for the holidays, now might be a perfect time to try them.

1. Type in the word “askew” into the search engine. Tilt your head and enjoy.

2. Type in the word “tilt.” Hold your head askew and enjoy.

3. Type in the word “recursion.” Google will wonder if perhaps you meant to type the word “recursion.”

4. Google didn’t forget Jews. Type in the word “Hannukah” for some festive non-Christmas holiday screen decor.

5. Type in “anagram.” Google will wonder if perhaps you meant “nag a gram.”

Unfortunately, some of the Google classic tricks are no longer functioning. It used to be that if you typed in the words “Chuck Norris” you would get a statement that says, “You don’t find Chuck Norris, he finds you.”

There was also a time when if you typed the word “Gravity” into the search engine you’d watch all the copy on the page plunk to the bottom. It doesn’t do that anymore, but you can see what you missed here: http://mrdoob.com/projects/chromeexperiments/google_gravity/ .

Merry Christmas!

Sensor Fusion:

A Potential Application of the Ersatz Brain Architecture

 

One possible application of our Ersatz Brain architecture is to the important and difficult problem called sensor fusion.

 

Sensor fusion roughly means integration of information from different types of sensor into a unified interpretation.

 

Humans are so effective at doing information integration that it is not appreciated how hard it is to do.

 

This observation also has been made, usually after the futile expenditure of great amounts of money, for:

 

  • computer vision,
  • machine translation,
  • natural language processing, and
  • text comprehension.

 

 

 

The De-Interleaving Problem.

 

About a decade ago, I was involved in a project in collaboration with, at first, Texas Instruments and, later, with a local company called Distributed Data Systems, Inc.

 

The project was an attempt to solve the de-interleaving problem
in radar signal processing using a neural net.

 

This problem is from military electronics but in fact is a cognitive one.

 

In a complex radar environment, the problem is to determine how many radar emitters are present and whom they belong to.

 

Biologically, this corresponds to the behaviorally important question, “Who is looking at me?”

 

To be followed, of course, by “And what am I going to do about it?”

Radar

 

A receiver for radar pulses provide several kinds of quantitative data:

 

  • frequency,
  • intensity,
  • pulse width,
  • angle of arrival, and
  • time of arrival.

 

 

The user of the radar system wants to know qualitative information:

 

  • How many emitters?
  • What type are they?
  • Who owns them?
  • Has a new emitter appeared?

 

The way we proposed to solve the problem was by using a “concept forming” model from cognitive science.

 

Concepts are labels for a large class of members that may differ substantially from each other. (For example, birds, tables, furniture.)

 

We built a system where a nonlinear network developed an attractor structure where each attractor corresponded to an emitter.

 

That is, emitters were valid concepts.

 

 

 

Problems.

 

A weakness is that it does not allow development of the kind of structures that characterize human concepts.

 

One of the most useful computational properties of human concepts is that they often show a hierarchical structure.

 

 

Examples might be:

 

animal > bird > canary > Tweetie

 

or

 

artifact > motor vehicle > car > Porsche > 911.

 

 

 

 

Sensor Fusion with the Ersatz Brain.

 

We can do a kind of sensor fusion in a simple and way in the Ersatz Brain.

 

Let us use a radar-like example.

 

The data representation we suggest is directly based on the topographic data representations used in the brain.

 

The appropriate software approach to the Ersatz Brain array it is topographic computation.

 

Spatializing the data, that is letting it find a natural topographic organization that reflects the relationships between data values, is a technique of great potential power.

 

It is a natural and effective way to compute for the two dimensional cortex.

 

And our two dimensional Ersatz Brain architecture.

 

Spatializing the problem also provides a way of “programming” a parallel computer.

 

(See our arithmetic application, Anderson, 2003).

 

Topographic Data Representation

 

 

We initially will use a simple bar code to code the value of a single parameter.

 


 

 

The precision of this coding is low.

 

This was one of the aspects of our approach that most disturbed traditional radar engineers: we deliberately threw out their hard won precision.

 

 

 

Demo

 

For our demo Ersatz Brain program, we will assume we have four parameters from the source.

 

An “object” is characterized by values of these four parameters, coded as bar codes on the edges of the array of CPUs.

 

 


 

Our architecture assumes local linear transmission of patterns from module to module.

 

 

 

The geometry we have used for the demonstration gives many two parameter interference patterns, the straight lines.

 

Each pair of input patterns gives rise to an interference pattern, a line perpendicular to the midpoint of the line between the pair of input locations.

 

 


 

 

Higher Level Features.

 

 

There are often places where three or even four features coincide at a module.

 

The higher-level combinations represent partial or whole aspects of relations of data in the input pattern. T

 

In this sense the higher level combinations have literally fused a number of spatial relations of the input pattern.

 

They have represented it as a new activity pattern at a specific location.

 


 

 

 

Formation of Ersatz Hierarchical Concepts.

 

This approach allows for the formation of what look like hierarchical concept representations.

 

Suppose we have a set of “objects”.

 

We have three parameter values that are fixed for each object and one value that varies widely from example to example.

 

The system develops two different types of spatial codes.

 

  • In the first, a number of high order feature combinations are fixed since the three input core patterns never change.

 

  • In the second, based on the additional spatial relations generated by the widely different examples, there is a varying set of feature combinations corresponding to the details of each specific example of the object.

 

Two kinds of pattern can potentially be learned.

 

  • The first learned pattern corresponds to the unchanging core and might correspond to an abstraction of the commonalities of many examples.

 

  • The second learned set of patterns corresponds to the core, plus the patterns associated with each specific learned example.

 

  • The specific examples are related by their common core pattern.

Core Representation

 

Three Input Patterns.

 


 

The group of coincidences in the center of the array is due to the three input values arranged around the left, top and bottom edges.

 

There is no right hand value.

 

This group of three constant values plus their feature combinations constitutes the core.

Examples

 

Below are two examples when there is a value on the right side of the array.

 

Examples Core


 


Note the presence of a number of new three or four
feature coincidences.

 

The original group based on the three core values is still present as we would expect it to be.

 

There are many more feature coincidences present with all four values. The coding rapidly becomes richer in terms of its possibilities for interaction as more information is added because there are more possible coincidences.

Development of A “Hierarchy” with Spatial Localization.

 

 

The coincidences due to the core (three values) and to the examples (all four values) are spatially separated.

 

We have the possibility of using the core as an abstraction and representation of the examples since it is present in all of them.

 

We could use it by itself as the descriptor of the entire set of examples.

 

It acts as the higher level in a simple hierarchy, that is, all examples contain the core.

 

The many-to-one relationship here – many low level examples, fewer high level examples — is typical of hierarchical semantic networks.

 

 

Conclusions

 

The Ersatz Brain Project has led us down an interesting path.

 

If we start to require software to use the general constraints that we feel characterize a real brain-like computer,

 

Then some new ways to tackle old problems emerge.

 

  • New “analog” control structures: Programming patterns to do arithmetic. Looks more like attention than anything else.

 

  • Spatializing problem data both as initial representations and to form feature combinations.

 

  • Potential emergence of hierarchical structure.

 

  • Disambiguation using context and semantic networks.

 

But these tasks are elements of some important software applications.

 

These ideas might be of value for current computers.

 

But I feel that their real domain of application will be to the computers of the future.

  import javax.swing.*;
  import javax.swing.event.*;
  import java.awt.*;
  import java.awt.event.*;
   /** 
     This class demonstrates the basics of setting up a Java Swing GUI uisng the
     BorderLayout. You should be able to use this program to drop in other
       components when building a GUI 
  */
  public class BasicGui{
      // Initialize all swing objects.
      private JFrame f = new JFrame("Basic GUI"); //create Frame
      private JPanel pnlNorth = new JPanel(); // North quadrant 
      private JPanel pnlSouth = new JPanel(); // South quadrant
      private JPanel pnlEast = new JPanel(); // East quadrant
      private JPanel pnlWest = new JPanel(); // West quadrant
      private JPanel pnlCenter = new JPanel(); // Center quadrant
  
      // Buttons some there is something to put in the panels
      private JButton btnNorth = new JButton("North");
      private JButton btnSouth = new JButton("South");
      private JButton btnEast = new JButton("East");
      private JButton btnWest = new JButton("West");
      private JButton btnCenter = new JButton("Center");
  
     // Menu
      private JMenuBar mb = new JMenuBar(); // Menubar
      private JMenu mnuFile = new JMenu("File"); // File Entry on Menu bar0
      private JMenuItem mnuItemQuit = new JMenuItem("Quit"); // Quit sub item
      private JMenu mnuStore = new JMenu("Store");
      private JMenu mnuHelp = new JMenu("Help"); // Help Menu entry
      private JMenuItem mnuItemAbout = new JMenuItem("About"); // About Entry
  
      /** Constructor for the GUI */
     public BasicGui(){
         // Set menubar
         f.setJMenuBar(mb);
         
         //Build Menus
          mnuFile.add(mnuItemQuit);  // Create Quit line
          mnuHelp.add(mnuItemAbout); // Create About line
          mb.add(mnuFile);        // Add Menu items to form
          mb.add(mnuHelp);
          mb.add(mnuStore);
  
          // Add Buttons
          pnlNorth.add(btnNorth);
          pnlSouth.add(btnSouth);
          pnlEast.add(btnEast);
         pnlWest.add(btnWest);
          pnlCenter.add(btnCenter);
          
         // Setup Main Frame
         f.getContentPane().setLayout(new BorderLayout());
         f.getContentPane().add(pnlNorth, BorderLayout.NORTH);
          f.getContentPane().add(pnlSouth, BorderLayout.SOUTH);
          f.getContentPane().add(pnlEast, BorderLayout.EAST);
          f.getContentPane().add(pnlWest, BorderLayout.WEST);
          f.getContentPane().add(pnlCenter, BorderLayout.CENTER);
          
         // Allows the Swing App to be closed
          f.addWindowListener(new ListenCloseWdw());
        
          //Add Menu listener
          mnuItemQuit.addActionListener(new ListenMenuQuit());
      }
      
     public class ListenMenuQuit implements ActionListener{
          public void actionPerformed(ActionEvent e){
             System.exit(0);         
         }
      }
      
      public class ListenCloseWdw extends WindowAdapter{
          public void windowClosing(WindowEvent e){
              System.exit(0);         
          }
      }
     
      public void launchFrame(){
          // Display Frame
          f.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
          f.pack(); //Adjusts panel to components for display
          f.setVisible(true);
     }
      
      public static void main(String args[]){
         BasicGui gui = new BasicGui();
          gui.launchFrame();
      }
  }

Programming in Java To introduce you to developing Java programs, we
break the process down into three steps. To program in Java, you need to:

Introduction to GUI Building

Contributed by Saleem Gul and Tomas Pavek

This beginner tutorial teaches you how to create a simple graphical user interface and add simple back-end functionality. In particular we will show how to code the behavior of buttons and fields in a Swing form.

We will work through the layout and design of a GUI and add a few buttons and text field. The text fields will be used for receiving user input and also for displaying the program output. The button will initiate the functionality built into the front end. The application we create will be a simple but functional calculator.

For a more comprehensive guide to the GUI Builder’s design features, including video demonstrations of the various design features, see Designing a Swing GUI in NetBeans IDE.

Expected duration: 15 minutes

Contents

 

To complete this tutorial, you need the following software and resources.

Software or Resource

Version Required

NetBeans IDE with Java SE version 6.9, 6.8, or 6.7
Java Development Kit (JDK) version 6

Exercise 1: Creating a Project

The first step is to create an IDE project for the application that we are going to develop. We will name our project NumberAddition.

  1. Choose File > New Project. Alternatively, you can click the New Project icon in the IDE toolbar.
  2. In the Categories pane, select the Java node. In the Projects pane, choose Java Application. Click Next.
  3. Type NumberAddition in the Project Name field and specify a path e.g. in your home directory as the project location.
  4. (Optional) Select the Use Dedicated Folder for Storing Libraries checkbox and specify the location for the libraries folder. SeeSharing Project Libraries for more information on this option.
  5. Ensure that the Set as Main Project checkbox is selected.
  6. Deselect the Create Main Class checkbox if it is selected.
  7. Click Finish.

Exercise 2: Building the Front End

To proceed with building our interface, we need to create a Java container within which we will place the other required GUI components. In this step we’ll create a container using the JFrame component. We will place the container in a new package, which will appear within the Source Packages node.

Create a JFrame container

  1. In the Projects window, right-click the NumberAddition node and choose New > Other.
  2. In the New File dialog box, choose the Swing GUI Forms category and the JFrame Form file type. Click Next.
  3. Enter NumberAdditionUI as the class name.
  4. Enter my.numberaddition as the package.
  5. Click Finish.

The IDE creates the NumberAdditionUI form and the NumberAdditionUI class within the NumberAddition application, and opens the NumberAdditionUI form in the GUI Builder. The my.NumberAddition package replaces the default package.

Adding Components: Making the Front End

Next we will use the Palette to populate our application’s front end with a JPanel. Then we will add three JLabels, three JTextFields, and three JButtons. If you have not used the GUI Builder before, you might find information in the Designing a Swing GUI in NetBeans IDE tutorial on positioning components useful.

Once you are done dragging and positioning the aforementioned components, the JFrame should look something like the following screenshot.

 

If you do not see the Palette window in the upper right corner of the IDE, choose Windows > Palette.

  1. Start by selecting a JPanel from the Palette and drop it onto the JFrame.
  2. While the JPanel is highlighted, go to the Properties window and click the ellipsis (…) button next to Border to choose a border style.
  3. In the Border dialog, select TitledBorder from the list, and type in Number Addition in the Title field. Click OK to save the changes and exit the dialog.
  4. You should now see an empty titled JFrame that says Number Addition like in the screenshot. Look at the screenshot and add three JLabels, three JTextFields and three JButtons as you see above.

Renaming the Components

In this step we are going to rename the display text of the components that were just added to the JFrame.

  1. Double-click jLabel1 and change the text property to First Number
  2. Double-click jLabel2 and change the text to Second Number
  3. Double-click jLabel3 and change the text to Result
  4. Delete the sample text from jTextField1. You can make the display text editable by right-clicking the text field and choosing Edit Text from the popup menu. You may have to resize the jTextField1 to its original size. Repeat this step for jTextField2 and jTextField3.
  5. Rename the display text of jButton1 to Clear. (You can edit a button’s text by right-clicking the button and choosing Edit Text. Or you can click the button, pause, and then click again.)
  6. Rename the display text of jButton2 to Add.
  7. Rename the display text of jButton3 to Exit.

Your Finished GUI should now look like the following screenshot:

 

Exercise 3: Adding Functionality

In this exercise we are going to give functionality to the Add, Clear, and Exit buttons. The jTextField1 and jTextField2 boxes will be used for user input and jTextField3 for program output – what we are creating is a very simple calculator. Let’s begin.

Making the Exit Button Work

In order to give function to the buttons, we have to assign an event handler to each to respond to events. In our case we want to know when the button is pressed, either by mouse click or via keyboard. So we will use ActionListener responding to ActionEvent.

  1. Right click the Exit button. From the pop-up menu choose Events > Action > ActionPerformed. Note that the menu contains many more events you can respond to! When you select the actionPerformed event, the IDE will automatically add an ActionListener to the Exit button and generate a handler method for handling the listener’s actionPerformed method.
  2. The IDE will open up the Source Code window and scroll to where you implement the action you want the button to do when the button is pressed (either by mouse click or via keyboard). Your Source Code window should contain the following lines:
  3. We are now going to add code for what we want the Exit Button to do. You will have to type System.exit(0); to the above code, replacing the TODO line. Your finished Exit button code should look like this:
  4. Click the Design tab at the top of your work area to go back to the Form Design
  5. Right click the Clear button (jButton1). From the pop-up menu select Events > Action > actionPerformed.
  6. We are going to have the Clear button erase all text from the jTextFields. To do this, you will add some code like above. Your finished source code should look like this:
3.           private void jButton3ActionPerformed(java.awt.event.ActionEvent evt) {
4.               //TODO: Add your handling code here:
                }
6.           private void jButton3ActionPerformed(java.awt.event.ActionEvent evt) {
7.               System.exit(0);
                }

Making the Clear Button Work

private void jButton1ActionPerformed(java.awt.event.ActionEvent evt){
    jTextField1.setText("");
    jTextField2.setText("");
    jTextField3.setText("");
                }

The above code changes the text in all three of our JTextFields to nothing, in essence it is overwriting the existing Text with a blank.

Making the Add Button Work

The Add button will perform three actions.

  1. It is going to accept user input from jTextField1 and jTextField2 and convert the input from a type String to a float.
  2. It will then perform addition of the two numbers and finally,
  3. it will convert the sum to a type String and place it in jTextField3.

Lets get started!

  1. Click the Design tab at the top of your work area to go back to the Form Design.
  2. Right-click the Add button (jButton2). From the pop-up menu, select Events > Action > actionPerformed
  3. We are going to add some code to have our Add button work. The finished source code shall look like this:
4.           private void jButton2ActionPerformed(java.awt.event.ActionEvent evt){
5.               // First we define float variables.
6.               float num1, num2, result;
7.               // We have to parse the text to a type float.
8.               num1 = Float.parseFloat(jTextField1.getText());
9.               num2 = Float.parseFloat(jTextField2.getText());
10.           // Now we can perform the addition.
11.           result = num1+num2;
12.           // We will now pass the value of result to jTextField3.
13.           // At the same time, we are going to
14.           // change the value of result from a float to a string.
15.           jTextField3.setText(String.valueOf(result));
                    }

Our program is now complete we can now build and run it to see it in action.

Exercise 4: Running the Program

To run the program in the IDE:

  1. Choose Run > Run Main Project
  2. If you get a window informing you that Project NumberAddition does not have a main class set, then you should select my.NumberAddition.NumberAdditionUI as the main class in the same window and click the OK button.

To run the program outside of the IDE:

  1. Choose Run > Clean and Build Main Project (Shift-F11) to build the application JAR file.
  2. Using your system’s file explorer or file manager, navigate to the NumberAddition/dist directory.
  3. Double-click the NumberAddition.jar file.

After a few seconds, the application should start.

Note: If double-clicking the JAR file does not launch the application, see this article for information on setting JAR file associations in your operating system.

You can also launch the application from the command line.

To launch the application from the command line:

  1. On your system, open up a command prompt or terminal window.
  2. In the command prompt, change directories to the NumberAddition/dist directory.
  3. At the command line, type the following statement:
java -jar  NumberAddition.jar

How Event Handling Works

This tutorial has showed how to respond to a simple button event. There are many more events you can have your application respond to. The IDE can help you find the list of available events your GUI components can handle:

  1. Go back to the file NumberAdditionUI.java in the Editor. Click the Design tab to see the GUI’s layout in the GUI Builder.
  2. Right-click any GUI component, and select Events from the pop-up menu. For now, just browse the menu to see what’s there, you don’t need to select anything.
  3. Alternatively, you can select Properties from the Window menu. In the Properties window, click the Events tab. In the Events tab, you can view and edit events handlers associated with the currently active GUI component.
  4. You can have your application respond to key presses, single, double and triple mouse clicks, mouse motion, window size and focus changes. You can generate event handlers for all of them from the Events menu. The most common event you will use is an Action event. (Learn best practices for Event handling from Sun’s Java Events Tutorial.)

How does event handling work? Everytime you select an event from the Event menu, the IDE automatically creates a so-called event listener for you, and hooks it up to your component. Go through the following steps to see how event handling works.

  1. Go back to the file NumberAdditionUI.java in the Editor. Click the Source tab to see the GUI’s source.
  2. Scroll down and note the methods jButton1ActionPerformed()jButton2ActionPerformed(), andjButton3ActionPerformed() that you just implemented. These methods are called event handlers.
  3. Now scroll to a method called initComponents(). If you do not see this method, look for a line that says Generated Code; click the + sign next to it to expand the collapsed initComponents() method.
  4. First, note the blue block around the initComponents() method. This code was auto-generated by the IDE and you cannot edit it.
  5. Now, browse through the initComponents() method. Among other things, it contains the code that initializes and places your GUI components on the form. This code is generated and updated automatically while you place and edit components in the Design view.
  6. In initComponents(), scroll down to where it says
7.           jButton3.setText("Exit");
8.           jButton3.addActionListener(new java.awt.event.ActionListener() {
9.               public void actionPerformed(java.awt.event.ActionEvent evt) {
10.                  jButton3ActionPerformed(evt);
11.           }
            });

This is the spot where an event listener object is added to the GUI component; in this case, you register an ActionListener to the jButton3. The ActionListener interface has an actionPerformed method taking ActionEvent object which is implemented simply by calling your jButton3ActionPerformed event handler. The button is now listening to action events. Everytime it is pressed an ActionEvent is generated and passed to the listener’s actionPerformed method which in turn executes code that you provided in the event handler for this event.

Generally speaking, to be able to respond, each interactive GUI component needs to register to an event listener and needs to implement an event handler. As you can see, NetBeans IDE handles hooking up the event listener for you, so you can concentrate on implementing the actual business logic that should be triggered by the event.

 

INTRODUCTION

A lot of microcontrollers are used in modern equipment and electronic devices. Some of them are used by amateurs to build small devices for fun, others are used by small companies in control, measurement or other equipment, others are used for serious applications by the military, security services, banks, medical services etc. Each microcontroller executes the algorithm or program uploaded into its memory. Usually this algorithm is written in Assembler (even if you write the program in C it will be translated into Assembler during compilation); rarely the algorithm is written in Basic or Java.

If you write a program for a microcontroller you are interested in your work being protected against unauthorized access or copying, so you want to control distribution of your devices. For this purpose microcontroller manufacturers developed special features which if selected allows software authors to prevent people downloading their program from their microcontroller if activated. This is Copy protection or Lock feature. Each microcontroller should be programmed before using. There are different techniques to do it depend on manufacturer and type of microcontroller. For evaluation purposes there are reprogrammable versions of microcontrollers, for production in small quantities there are one-time programmable (OTP) versions which is cheaper than reprogrammable one, and for large amount there are factory programmed versions which are very cheap but you have to purchase at least 1000 items. After the program for microcontroller is written and successfully compiled it should be uploaded into correspondent microcontroller integrated circuit. For this purpose you have to use special hardware device called programmer unit. For most microcontrollers this device could be very simple, cheap and consist of a power supply adapter, a few transistors, several resistors and a connector to RS232 or Parallel port. For other microcontrollers you have to use special programmer units distributed only by manufacturers, but these microcontrollers are not popular. Of course, if you want your device to be working properly for years (especially for OTP versions of microcontrollers) it would be better to use industrial programmer units which are approved by the most of manufacturers. You can find all necessary information about this devices on manufacturers’ web-sites in the Internet.

Attack Technologies

1. Introduction

An increasing number of large and important systems, from pay-TV through GSM mobile phones and prepayment gas meters to smartcard electronic wallets, rely to a greater or lesser extent on the tamper resistance properties of microcontrollers, smartcards and other special security processors.

This tamper resistance is not absolute: an opponent with access to semiconductor test equipment can retrieve key material from a chip by direct observation and manipulation of the chip’s components. It is generally believed that, given sufficient investment, any chip-sized tamper resistant device can be penetrated in this way.

So the level of tamper resistance offered by any particular product can be measured by the time and cost penalty that the protective mechanisms impose on the attacker. Estimating these penalties is clearly an important problem, but is one to which security researches, evaluators and engineers have paid less attention than perhaps it deserves.

We can distinguish four major attack categories:

Microprobing techniques can be used to access the chip surface directly, thus we can observe, manipulate, and interfere with integrated circuit
Software attack use normal communication interface of the processor and exploit security vulnerabilities found in the protocols, cryptographic algorithms, or their implementation
Eavesdropping techniques monitor, with high time resolution, the analog characteristics of all supply and interface connections and any other electromagnetic radiation by the processor during normal operation
Fault generation techniques use abnormal environmental conditions to generate malfunctions in the processor that provide additional access
All microprobing techniques are invasive attacks. They require hours or weeks in specialized laboratory and in the process they destroy the packaging. The other three are non-invasive attacks. The attacked card is not physically harmed during these attacks and the equipment used in the attack can usually be disguised as a normal smartcard reader.

Non-invasive attacks are particularly dangerous in some applications for two reasons. Firstly, the owner of the compromised card might not notice that the secret keys have been stolen, therefore it is unlikely that the validity of the compromised keys will be revoked before they are abused. Secondly, non-invasive attacks often scale well, as the necessary equipment can usually be reproduced and updated at low cost.

The design of most non-invasive attacks requires detailed knowledge of both the processor and software. On the other hand, invasive microprobing attacks require very little initial knowledge and usually work with a similar set of techniques on a wide range of products. Attacks therefore often start with invasive reverse engineering, the result of which then help to develop cheaper and faster non-invasive attacks.

2. Non-Invasive attacks

The most widely used non-invasive attacks include playing around supply voltage and clock signal. Under-voltage and over-voltage attacks could be used to disable protection circuit or force processor to do wrong operation. For these reasons, some security processors have voltage detection circuit, but as a rule this circuit does not react to transients. So fast signals of various kinds may reset the protection without destroying the protected information.

Power and clock transients can also be used in some processors to affect the decoding and execution of individual instructions. Every transistor and its connection paths act like an RC element with a characteristic time delay; the maximum usable clock frequency of a processor is determined by the maximum delay among its elements. Similarly, every flip-flop has a characteristic time window (of a few picoseconds) during which it samples its input voltage and changes its output accordingly. This window can be anywhere inside the specified setup cycle of the flip-flop, but is quite fixed for an individual device at a given voltage and temperature. So if we apply a clock glitch (a clock pulse much shorter than normal) or a power glitch (a rapid transient in supply voltage), this will affect only some transistors in the chip. By varying the parameters, the CPU can be made to execute a number of completely different wrong instructions, sometimes including instructions that are not even supported by the microcode. Although we do not know in advance which glitch will cause which wrong instruction in which chip, it can be fairly simple to conduct a systematic search.

Another possible way of attack is current analysis. Using 10 – 15 ohm resistor in the power supply, we can measure with an analog/digital converter the fluctuations in the current consumed by the card. Preferably, the recording should be made with at least 12-bit resolution and the sampling frequency should be an integer multiple of the card clock frequency.

Drivers on the address and data bus often consist of up to a dozen parallel inverters per bit, each driving a large capacitive load. They cause a significant power-supply short circuit during any transition. Changing a single bus line from 0 to 1 or vice versa can contribute in the order of 0.5 – 1 mA to the total current at the right time after the clock edge, such that a 12-bit ADC is sufficient to estimate the number of bus bits that change at a time. SRAM write operations often generate the strongest signals. By averaging the current measurements of many repeated identical transactions, we can even identify smaller signals that are not transmitted over the bus. Signals such as carry bit states are of special interest, because many cryptographic key scheduling algorithms use shift operations that single out individual key bits in the carry flag. Even if the status-bit changes cannot be measured directly, they often cause changes in the instruction sequencer or microcode execution, which then cause a clear change in the power consumption.

The various instructions cause different levels of activity in the instruction decoder and arithmetic units and can often be quite clearly distinguished, such that parts of algorithms can be reconstructed. Various units of the processor have their switching transients at different times relative to the clock edges and can be separated in high-frequency measurements.

Other possible threat to secure devices is data remanence. This is the capability of volatile memory to retain information stored in it for some period of time after power was disconnected. Static RAM contained the same key for a long period of time could reveal it on next power on. Other possible way is to ‘freeze’ state of the memory cell by applying low temperature to the device. In this case static RAM could retain information for several minutes at -20ºC or even hours at lower temperature.

3. Invasive attacks

Despite to more complexity of invasive attacks some of them could be done without using expensive laboratory equipment. Low-budget attackers are likely to get a cheaper solution on the second-hand market for semiconductor test equipment. With patience and skill it should not be too difficult to assemble all the required tools for even under ten thousand US dollars by buying a second-hand microscope and using self-designed micropositioners. The laser is not essential for first results, because vibrations in the probing needle can also be used to break holes into passivation.

Invasive attacks start with the removal of the chip package. Plastic over the chip could be removed by knife. Epoxy resin around the chip could be removed using fuming nitric acid. Hot fuming nitric acid dissolves the package without affecting the chip. The procedure should preferably be carried out under very dry conditions, as the presence of water could corrode exposed aluminium interconnects. The chip is then washed with acetone in an ultrasonic bath, followed optionally by a short bath in deionized water and isopropanol. After that chip could be glued into a test package and bonded manually. Having enough experience it might be possible to remove epoxy without destroying bonding wires and smartcard contacts.

Once the chip is opened it is possible to perform probing or modifying attacks. The most important tool for invasive attacks is a microprobing workstation. Its major component is a special optical microscope with a working distance of at least 8 mm between the chip surface and the objective lens. On a stable platform around a socket for the test package, we install several micropositioners , which allow us to move a probe arm with submicrometer precision over a chip surface. On this arm, we install a probe needle. These elastic probe hairs allow us to establish electrical contact with on-chip bus lines without damaging them.

On the depackaged chip, the top-layer aluminium interconnect lines are still covered by a passivation layer (usually silicon oxide or nitride), which protects the chip from the environment and ion migration. On top of this, we might also find a polyimide layer that was not entirely removed by HNO3 but which can be dissolved with ethylendiamine. We have to remove the passivation layer before the probes can establish contact. The most convenient depassivation technique is the use of a laser cutter. The UV or green laser is mounted on the camera port of the microscope and fires laser pulses through the microscope onto rectangular areas of the chip with micrometer precision. Carefully dosed laser flashes remove patches of the passivation layer. The resulting hole in the passivation layer can be made so small that only a single bus line is exposed. This prevents accidental contacts with neighboring lines and the hole also stabilizes the position of the probe and makes it less sensitive to vibrations and temperature changes.

It is usually not practical to read the information stored on a security processor directly out of each single memory cell, except for ROM. The stored data has to be accessed via the memory bus where all data is available at a single location. Microprobing is used to observe the entire bus and record the values in memory as they are accessed.

It is difficult to observe all (usually over 20) data and address bus lines at the same time. Various techniques can be used to get around this problem. For instance we can repeat the same transaction many times and use only two to four probes to observe various subsets of the bus lines. As long as the processor performs the same sequence of memory accesses each time, we can combine the recorded bus subset signals into a complete bus trace. Overlapping bus lines in the various recordings help us to synchronize them before they are combined.

In order to read all memory cells without the help of the card software, we have to abuse a CPU component as an address counter to access all memory cells for us. The program counter is already incremented automatically during every instruction cycle and used to read the next address, which makes it perfectly suited to serve us as an address sequence generator. We only have to prevent the processor from executing jump, call, or return instructions, which would disturb the program counter in its normal read sequence. Tiny modifications of the instruction decoder or program counter circuit, which can easily be performed by opening the right metal interconnect with a laser, often have the desired effect.

Another approach to understand how particular microcontroller or smartcard work is to reverse engineer it. The first step is to create a map of a new processor. It could be done by using an optical microscope with a CCD camera to produce several meter large mosaics of high-resolution photographs of the chip surface. Basic architecture structures, such as data and address bus lines, can be identified quite quickly by studying connectivity patterns and by tracing metal lines that cross clearly visible module boundaries (ROM, RAM, EEPROM, ALU, instruction decoder, etc.). All processing modules are usually connected to the main bus via easily recognizable latches and bus drivers. The attacker obviously has to be well familiar with CMOS VLSI design techniques and microcontroller architectures, but the necessary knowledge is easily available from numerous textbooks.

Photographs of the chip surface show the top metal layer, which is not transparent and therefore obscures the view on many structures below. Unless the oxide layers have been planarized, lower layers can still be recognized through the height variations that they cause in the covering layers. Deeper layers can only be recognized in a second series of photographs after the metal layers have been stripped off, which could be achieved by submerging the chip for a few seconds in hydrofluoric acid (HF) in an ultrasonic bath. HF quickly dissolves the silicon oxide around the metal tracks and detaches them from the chip surface. HF is an extremely dangerous substance and safety precautions have to be followed carefully when handling it.

Where the implementation is familiar, there are a number of ways to extract information from the chip by targeting specific gates or fuses or by overwriting specific memory locations. Even where this is not possible, memory cells can be attacked; this can also be done on a relatively modest budget.

Most currently available microcontrollers and smartcard processors have feature sizes of 0.5 – 1 µm and only two metal layers. These can be reverse-engineered and observed with the manual and optical techniques described in the previous sections. For future chip generations with more metal layers and features below the wavelength of visible light, more expensive tools additionally might have to be used.

A focused ion beam (FIB) workstation consists of a vacuum chamber with a particle gun, comparable to a scanning electron microscope (SEM). Gallium ions are accelerated and focused from a liquid metal cathode with 30 kV into a beam of down to 5 – 10 nm diameter, with beam currents ranging from 1 pA to 10 nA. FIBs can image samples from secondary particles similar to a SEM with down to 5 nm resolution. By increasing the beam current, chip material can be removed with the same resolution. Better etch rates can be achieved by injecting a gas like iodine via a needle that is brought to within a few hundred micrometers from the beam target. Gas molecules settle down on the chip surface and react with removed material to form a volatile compound that can be pumped away and is not redeposited. Using this gas-assisted etch technique, holes that are up to 12 times deeper than wide can be created at arbitrary angles to get access to deep metal layers without damaging nearby structures. By injecting a platinum-based organometallic gas that is broken down on the chip surface by the ion beam, platinum can be deposited to establish new contacts. With other gas chemistries, even insulators can be deposited to establish surface contacts to deep metal without contacting any covering layers.

Using laser interferometer stages, a FIB operator can navigate blindly on a chip surface with 0.15 µm precision, even if the chip has been planarized and has no recognizable surface structures. Chips can also be polished from the back side down to a thickness of just a few tens of micrometers. Using laser interferometer navigation or infrared laser imaging, it is then possible to locate individual transistors and contact them through the silicon substrate by FIB editing a suitable hole. This rear-access technique has probably not yet been used by pirates so far, but the technique is about to become much more commonly available and therefore has to be taken into account by designers of new security chips. FIBs are used by attackers today primarily to simplify manual probing of deep metal and polysilicon lines. A hole is drilled to the signal line of interest, filled with platinum to bring the signal to the surface, where a several micrometer large probing pad or cross is created to allow easy access. Modern FIB workstations (for example the FIB 200xP from FEI) cost less than half a million US$ and are available in over hundred organizations. Processing time can be rented from numerous companies all over the world for a few hundred dollars per hour.

References

[1] Ross J. Anderson, Markus G. Kuhn: Tamper Resistance – a Cautionary Note, The Second USENIX Workshop on Electronic Commerce, Oakland, California, November 18-21, 1996

[2] Ross J. Anderson, Markus G. Kuhn: Low Cost Attacks on Tamper Resistant Devices, in M.Lomas et al. (ed.), Security Protocols, 5th International Workshop, Paris, France, April 7-9, 1997

[3] Oliver K�mmerling, Markus G. Kuhn: Design Principles for Tamper-Resistant Smartcard Processors, USENIX Workshop on Smartcard Technology, Chicago, Illinois, USA, May 10-11, 1999

Microcontrollers Overview

Firstly, let’s separate all microcontrollers into two types – ordinary and secure microcontrollers. Secure microcontrollers are designed for security applications (the military, banks, medical service etc.) and used in Smartcards or security modules. They provide different modes of operation, different access levels, encryption of data communication not only outside the chip but also inside it by using bus encryption, signals hiding etc. Attacks on this microcontrollers require very sophisticated and expensive equipment, very high skill of knowledge and should be discussed separately. Ordinary microcontrollers as a rule also have security protection against reading out the program and/or data (in case of microcontrollers with Data memory) but developers should be aware that sometimes this protection is very weak. Before discussing possible ways of attacks on ordinary microcontrollers it would be better to divide them into different classes by type of memory. Next table shows differences between microcontrollers with different type of program memory and also advantages and disadvantages of each type.

Type of program memory Programming method Possibility to update program code Memory access time (CPU core speed) Programming speed/
Time to erase Data retention Price of microcontroller/
programmer unit
Mask ROM
(ROM) Factory programmed
(min order – 1000 items) No possibility 10 ns (100MHz) 2 – 4 weeks/
N/A Unlimited Min/Not used
One Time Programmable ROM
(OTP ROM) Using Programmer Unit No possibility 100 ns (10MHz) 50 words/sec/
N/A 10 years Med/Med
Ultra-Violet Erasable Programmable ROM
(UV EPROM) Using Programmer Unit or InCircuit Programming Up to 100 times 100 ns (10MHz) 50 words/sec/
10-30 minutes 10 years High/Med
Electrically Erasable Programmable ROM
(EEPROM) Using Programmer Unit or InCircuit Programming Up to 10,000 times 200 ns (5MHz) 100 words/sec/
10 ms 40 years High/Low
Flash Erasable Programmable ROM
(Flash EPROM) Using Programmer Unit or InCircuit Programming Up to 100,000 times 100 ns (10MHz) 500 words/sec/
5 ms 100 years High/Low
Ferroelectric RAM
(FRAM) Using Programmer Unit or InCircuit Programming Up to 10¹² times 200 ns (5MHz) 2 Mbytes/sec/
Not necessary 40 years High/Low
Static RAM
(SRAM) InCircuit Programming Unlimited 20 ns (50MHz) 20 Mbytes/sec/
Not necessary 5 years (battery life) High/Low
There are two ways of attacks on microcontrollers – invasive and non-invasive. The first one involves depackaging of the chip followed by exposing certain part of the chip to laser or ion beam, or/and probing under microscope on probing station. Non-invasive attacks include playing around the signals applied to the chip to obtain all necessary information.

If microcontroller has a Mask ROM then as a rule any access is denied by the manufacturer at the stage of production. Meanwhile there might be the way to overcome it if there is some kind of test monitor program on the chip to test the Mask ROM after production. Generally it is very difficult to find it and the fastest way to extract the program is to depackage the chip and read out memory contents optically. Sometimes to increase security manufacturers use transistors with different threshold voltage instead of using presence or absence of a transistor to create cells with 0’s and 1’s. This kind of ROM cannot be read optically. In this case memory contents could be read using microprobing techniques or using selective chemical etching.

If microcontroller has an OTP ROM then end-user can select code protection facility during programming. If it was enabled then it is still possible to apply both invasive and non-invasive attacks. Invasive attacks as a rule include exposing certain part of the chip into Ultra-Violet light, cutting lock lines by laser or restoring security fuses on probing station. Non-Invasive attacks include applying different signals to make internal protection scheme “forget” about protection.

In case of microcontrollers with UV EPROM situation is the same as with OTP ones, because usually they have absolutely the same structure and difference is only in their package.

If microcontroller has an EEPROM memory it is more stable for invasive attacks, because it is very difficult to handle with electrical charge rather than with transistors. Although the same attacks as for OTP microcontrollers could be applied. It is still possible to probe bus lines inside the chip but it requires high skill of attacker. In the same time, non-invasive attacks could be applied very easily. It takes place because EEPROM cell has very specific behavior and very sensible to control signals and to timings of the control signals. That allows the attacker to find ways of overcoming security protection either by selective erasing of the security fuses or by causing the security control scheme get wrong state of the security fuses.

Situation with Flash EPROM microcontrollers practically the same as with EEPROM microcontrollers. Sometimes their security could be easily broken, sometimes harder but the situation still bad. So, there are ways to break the security in almost any Flash and EEPROM microcontroller.

Recently introduced FRAM microcontrollers seems to be more secure due to specific structure of the memory. Although it is still possible to apply microprobing in order to obtain contents of the memory.

Microcontrollers with SRAM quite stable to invasive attacks because any tampering into the device will cause disconnection of the power supply from SRAM with following vanishing of the information. But due to some bugs in hardware and software implementation there is possibility to apply non-invasive attacks on such microcontrollers. For example, secure microcontroller chip DS5002FP from the Dallas Semiconductor is one of the processors for which a way to bypass the security bit was found. You can find explanation of this attack in the next paper:
Markus G. Kuhn: Cipher Instruction Search Attack on the Bus-Encryption Security Microcontroller DS5002FP. IEEE Transactions on Computers, Vol. 47, No. 10, October 1998, pp. 1153-1157.

The most serious threat for microcontrollers with security protection is non-invasive attacks, because in general they are cheaper than invasive. If you can write your own program or legally buy preprogrammed version of microcontroller you will find it cheaper than doing invasive attacks. Meantime, some kind of invasive attacks might be reasonably cheap. For example, if the security bits are vulnerable to UV light. So, designing something using microcontroller you have to assess your work and choose microcontroller with appropriate protection. It is not possible to get perfect protection but you can make hacking of your device to be useless due to high price of attack.

Non-Invasive Attacks on Microcontrollers

I have been investigating into copy protection mechanisms in different microcontrollers since 1996. PIC16F84 was one of the first microcontrollers I have unprotected. Occasionally I do some research in this area and provide testing of new microcontrollers and renew testing of old.

Now let me introduce what sort of equipment I have been using for non-invasive attacks on microcontrollers. I built my own designed programmer device controlled by my software program. It operates on IBM PC under MS-DOS or Windows 95/98 and it was written in C++. Hardware of my programmer allows me to rapidly change power supply and programming voltages in wide range causing different power glitches. This is quite essential if you provide attacks on microcontrollers. Signal block of the programmer generates 32 output digital signals with adjustable logic levels and some of them has open-drain output. Also this block inputs 16 signals at correct logic levels. This is quite enough for most of microcontrollers. Another part of the programmer is the board with different IC sockets for most of microcontrollers I have tested. For some microcontrollers I use additional socket adapters.

Here is some pictures of my device.

The next table shows all microcontrollers I have already tested and found them vulnerable for non-invasive attacks.
Microcontroller Features Attack method Comments
Motorola HC05

MC68HC05B6
MC68HC05B8
MC68HC05B16
(MC68HC05B32)
(MC68HC05X4)
MC68HC05X16
MC68HC05X32 Mask ROM
Data EEPROM
EEPROMed Security bit shared with Data memory Power Glitch or
Clock Glitch Have Write Protection against accidental Erase of Data memory
Motorola HC11

MC68HC11A8
MC68HC11E9
(MC68HC11E20)
MC68HC11L6
(MC68HC11KA2)
(MC68HC11KA4)
(MC68HC11KG2)
(MC68HC11KG4) Mask ROM
Data EEPROM
EEPROMed Security bit Power Glitch Bootloader with autoerasing of the Data memory if Security is enabled
Microchip PIC

PIC16C84 Program EEPROM
Data EEPROM
EEPROMed Security bit Power Overstress or
Power Glitch Chip Erase mode erases CP bits with Program and Data memories
Microchip PIC

PIC16F83
PIC16F84
HCS512 Program Flash EPROM
Data EEPROM
EEPROMed Security Bit Power Glitch Chip Erase mode erases CP bits with Program and Data memories
Microchip PIC

PIC16F84A
PIC16F627
PIC16F628
(PIC16F870)
(PIC16F871)
(PIC16F872)
PIC16F873
PIC16F874
PIC16F876
PIC16F877 Program Flash EPROM
Data EEPROM
EEPROMed Security Bits Power Glitch Chip Erase mode erases CP bits with Program and Data memories
Have improved protection mechanism
Atmel 8051

AT89C51
AT89C52
AT89C55
AT89C1051
AT89C2051
(AT89C4051) Program Flash EPROM
EEPROMed Security Bits Power Glitch Chip Erase mode erases Lock bits with Program memory
Atmel AVR

AT90S1200
AT90S2313
AT90S2323
(AT90S2343)
AT90S8515 Program Flash EPROM
Data EEPROM
EEPROMed Security Bits Power Glitch Chip Erase mode erases Lock bits with Program and Data memories
NEC 78K/0S

(uPD78F9026)
(uPD78F9046)
uPD78F9116
(uPD78F9136) Program Flash EPROM
No Memory Read Function Power Glitch Chip Erase mode erases Program memory
Texas Instruments MSP430

MSP430F110
MSP430F112
MSP430F1101
MSP430F1121
MSP430F122
MSP430F123
MSP430F133
MSP430F135
MSP430F147
MSP430F148
MSP430F149
MSP430F412
MSP430F413 Program Flash EPROM
Data Flash EPROM
EEPROMed Password Clock Glitch Mass Erase mode erases Password with Program and Data memories
Microcontroller in brackets means it has not been tested yet but expecting the same behaviour
Presense of a microcontroller in this table only means that it has some vulnerabilities to non-invasive attacks. It might be possible that newer versions of the same microcontroller do not have such security problems
For some microcontrollers I know a few methods to overcome protection. Some of them give very reliable results, another has less than 20% of success (these methods sometimes appear in the Internet and, moreover, using these methods you could not only burn the chip but programmer unit too).

Invasive Attacks on Microcontrollers

WARNING! I do not carry any responsibility for using further information in order to break your microcontroller. It is only brief short explanation of my experiments. If you are trying to repeat this work you are doing it on your own risk!

1. Introduction

It is commonly believed that invasive attacks are very complicated and require a lot of sophisticated equipment. It is not the case. Of course invasive attacks should cost more than non-invasive because involve depackaging of the chip and applying different physical methods. But sometimes they could be done quite easily without using expensive laboratory equipment. It reveals a huge threat to a device based on microcontroller which was assumed to be strong to non-invasive attacks but nothing related with invasive attacks was evaluated.

Let me break the myth which says that the minimum cost of invasive attack is ten thousand US$, therefore if microcontroller you use is not vulnerable to non-invasive attack you have proper protection against copying of your code. The aim is to make developers to be aware that proper evaluation should be performed before using certain microcontroller.

Let me show how PIC12C508A device could be broken and then you can estimate how difficult it is and how much could it cost. Then I will introduce an attack on PIC16F874 which requires more equipment but could be done using only microscope with probing needle.

2. Attack on PIC12C508A

Firstly we have to depackage the chip. It could be done in two ways: dissolving everything around the chip or removing plastic only above the silicon die. The last one is more intelligent but requires some level of knowledge and experience, while the first way will force you to bond the chip on a test package and it is not possible to carry out it without having access to a bonding station.

So the only convenient way for us is to remove plastic above the chip die. It is possible to do this using fuming nitric acid which dissolves epoxy plastic (material of the package) without affecting the chip and bonding wires. Exhausted acid should be removed by an acetone followed by cleaning the sample in an ultrasonic bath, wash in water to remove remain salts and drying. If you do not have an ultrasonic bath you can skip this operation. In this case the chip surface will remain slightly dirty but it still be transparent to UV light. Meanwhile the ultrasonic bath could be easily built using simple frequency generator connected to ferrite antenna coil and appropriate metal dish for bath.

Here is some pictures of this process.

Next stage is to expose protection fuses to UV light. In order to do this you have to find where they are. If you have a microscope with at least 100x magnification you can easily find them just tracing the wire from the pin for programming voltage input. If you do not have a microscope you can do simple search exposing different part of the chip to UV light and observing the result. Once you have found them you can apply it to protected chip. You should use opaque paper in order to protect Program memory from UV light. Five to ten minutes under UV light should give you proper result and you would be able to read Program memory using any available programmer unit.

Another possible attack requires additional equipment like microscope and laser cutter/thin needle. Once you have found protection fuse you can find all signal lines coming to this part of circuit. Due to design mistake it is possible to disable copy protection just by cutting one line from protection fuse to rest of the circuit. For unknown reason this line is sufficiently far away from other lines. That makes possible to cut this line not only using expensive laser cutter but also scratching surface above this line by a needle until the wire will be cut.

3. Attack on PIC16F874

First stage – depackaging is absolutely the same as for PIC12C508A.
Because this chip uses shielded EEPROM cells for protection it is not possible to reset protection using a UV light. So we should try to use microprobing technique in order to read the memory contents. Once you have depackaged the chip you should look onto it under a microscope. You can easily find data lines going from memory array to rest of the circuit. For unknown reason copy protection doesn’t lock access to the memory in programming mode so if you put probing needle on top of the data line you will see all necessary data. Restarting read operation in programming mode and connecting probing needle to different data lines you can read all the information from both Program and Data memories.

Threat of Attack and Defense Technologies

Now having information about different attack methods we can divide these attacks by threat to device based on microcontroller.

Non-invasive attacks introduce very high level of threat therefore if microcontroller is vulnerable to such attacks it has minimum level of protection. The only equipment which attacker should have is a special programmer unit. For example, you can find such programmer units for PIC16C84 widely available for sale in the Internet for quite reasonable price.

Cheap invasive attacks also reveal big problem to designers. These attacks could be implemented by practically any person familiar with school chemistry course. All necessary equipment could be bought for 100 to 300 US$. And microcontrollers vulnerable to such attacks could not be enough secure.

Such invasive attacks as microprobing could be used only by well funded attackers. It makes microcontrollers vulnerable only to these attacks to be enough secured. But also, if you calculate price of equipment and time to break one microcontroller you will get price of attack not exceeding one thousand US$. So you cannot use such microcontrollers in expensive project where protection is the necessary requirement.

Reverse engineering is the most expensive invasive attack could be used. It gives all the necessary information about chip schematics and structure of protection circuit. But it takes long time and require very expensive equipment. So if microcontroller could not be broken by any of above mentioned attacks it should be good secured. Although maybe it was not broken due to mistake of attacker and other attacker could break it quite easily.

Now we get very awful situation where practically any standard microcontroller could be broken using one of the first three attack methods. Usually it is not possible to redesign project for secure microcontroller which can withstand practically any attack because of high price of such microcontrollers and incompatibility with ordinary microcontrollers. Usually secure microcontrollers are designed for smartcard applications where used only two pins for serial digital interface. Of course, you can use secure microcontroller to protect the project but if attacker interested only in certain part of the algorithm implemented in normal microcontroller he can extract it without a problem.

Another approach is to use hardware protection based on a programmable logic array (PAL, CPLD, EPLD) which usually has better protection and even if you break it you will spend a lot of time to understand how it works.

But why not to use undocumented features of the same microcontroller. If you are using OTP, UV EPROM, EEPROM or Flash microcontroller it is possible to use certain cells of its memory for protection. The idea behind this is the next. All these memories are analog memory, so each cell inside the array keeps charge instead of logic state. When memory cell is read this charge is translated into a logic signal by sense amplifier. If you charge cell to intermediate state corresponds to threshold value of sense amplifier then because of presence of a noise you will read different value from the same cell. This feature could be used as additional protection to ordinary security feature of a microcontroller.

Another possible way of increasing protection is to destroy possibility of further programming. It could be done mechanically by cutting certain pins or electrically by applying high voltage to these pins to blow up bonding wire. Although it does not provide any protection against invasive attacks.

More intelligent way is to destroy certain part of the control circuit dedicated for programming mode. Although in order to do such a thing you should reverse engineer certain part of the chip or apply microprobing technique to learn how it works. But sometimes it might cost more than the value of your project.

Further Research

The other interesting way of research is evaluation of the security in Programmable Logic Arrays (PLA) and Programmable Logic Devices (PLD). They also have security protection feature but it was not tested by the same methods like microcontrollers. Sometimes this devices are used for complex projects in parallel to FPGA chips but only to prevent unauthorised copying because FPGA chip does not have any protection facility due to external loading of configuration. In this case attacks on EEPROMed PLA/PLD also could be serious threat for such devices.

Currently I am trying to sum up the results, make another experiments and prepare the article.

If you are interested in your sample chips to be tested and evaluated we could discuss possible ways of collaboration. Beforehand I want to mention that I am not a commercial company specializing in breaking security in microcontrollers. I am just providing research work and consulting.

The details of my research into microcontrollers security and all the results are confidential until they will be published or disclosed in my PhD thesis. Usually I provide some information and doing specific research only for companies who supports my research or gives me necessary equipment to continue my research into hardware security. It could be done as a sponsoring, giving certain grant or as a consulting.

I’ve spent a huge amount of time and correspondently money doing such research and as I want to publish it in the future I’ll keep it under the secret. At the same time I am opened to any possible contract for building special programmer for testing purposes without sharing all the information.

I always reply to personal emails. But sometimes due to server problems mail could be losted. Therefore please resend me your message if I have not replied within one week. In case of important messages I would prefer you to forward copy of your letter to my Hushmail account.