The ROM matrix revolutions: Unscrambling bits

Presented at REcon 2019, June 28, 2019, 11:30 a.m. (30 minutes)

A look at how sometimes it can be easy to descramble an encrypted ROM after optical extraction of bits from microscope photos.

Data in ROM can be extracted from chips using microscopes to visually identify individual bits on the silicon die. As a protection against readout of ROM contents, some manufacturers have offered chips that store ROM data in an encrypted format. This presentation will look at how some ROM encryption systems are easily defeated because of their simple design, and also how information from already hacked devices - even if they are used by a different customer for an entirely different market - can be used to break the security of other systems.

I will show images of bits in ROM and describe how visual patterns can provide clues useful for decrypting the ROM data. Software tools I've developed and used for analyzing and processing extracted ROM bits will be demonstrated and made available. This talk focuses on a specific (unnamed) family of smartcard chips, but the principles and techniques presented have been employed successfully to decrypt ROM contents from other chips as well.
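The abstract's core point, that a simply designed ROM scrambler falls to pattern analysis once the bits are out, as an added, constructed Python example. This is not the presenter's tool and models no named chip: the scheme (XOR with an entry of a short address-keyed table, then a fixed bit-position permutation), the 0xFF-filled unused region, and eight bytes of known plaintext at address 0 (standing in for data already recovered from another product on the same die family) are all assumptions made up for the demo, as are the names KEY_TABLE, BIT_WIRING and KNOWN_PREFIX.

```python
"""Descramble a toy XOR-then-permute ROM from an optically extracted bit matrix.

Constructed example, not the presenter's tool and not any real part. The
scrambling scheme is an ASSUMPTION. It falls to two cues: unused ROM is
constant fill, so the XOR table shows up directly as a repeating pattern in
the photo, and a few bytes of known plaintext pin down the bit wiring.
"""
from collections import Counter

ROM_SIZE = 256
KEY_TABLE = [0x3A, 0xC5, 0x91, 0x6E]      # assumed address-keyed XOR table
BIT_WIRING = [5, 0, 7, 2, 1, 6, 3, 4]      # assumed: physical column -> logical bit
# Constructed known plaintext at address 0; its bit columns are pairwise
# distinct and non-complementary, which is what makes the wiring solvable.
KNOWN_PREFIX = bytes([0x8D, 0x17, 0xA3, 0x5E, 0xD0, 0x39, 0x7B, 0xE4])


def make_plain_rom():
    """Constructed plaintext: known header, code-like bytes, then 0xFF fill."""
    body = bytes(range(0x10, 0x10 + 88))
    return (KNOWN_PREFIX + body).ljust(ROM_SIZE, b"\xff")


def scramble(addr, value):
    """Assumed chip behaviour: XOR with the table entry, then permute bits."""
    x = value ^ KEY_TABLE[addr % len(KEY_TABLE)]
    out = 0
    for phys, logical in enumerate(BIT_WIRING):
        out |= ((x >> logical) & 1) << phys
    return out


def bit_matrix(rom):
    """What optical extraction yields: one row per address, 8 physical columns."""
    return [[(scramble(a, v) >> c) & 1 for c in range(8)] for a, v in enumerate(rom)]


# --- analysis side: nothing below reads KEY_TABLE or BIT_WIRING ---

def physical_bytes(matrix):
    """Pack each row's columns into a byte in physical column order."""
    return bytes(sum(bit << c for c, bit in enumerate(row)) for row in matrix)


def find_fill_pattern(phys, max_period=16):
    """Find the shortest address period whose residue classes are most uniform:
    that is the repeating pattern the fill region shows under the microscope.
    For XOR-then-permute, pattern[r] == permute(fill ^ key[r]), which strips
    the key without knowing the key, the fill value or the wiring. Assumes
    the fill region is the majority of every residue class."""
    best = None
    for p in range(1, max_period + 1):
        classes = [Counter(phys[r::p]).most_common(1)[0] for r in range(p)]
        uniform = sum(count for _, count in classes)
        if best is None or uniform > best[0]:      # strict: shortest period wins ties
            best = (uniform, p, [value for value, _ in classes])
    return best[1], best[2]


def strip_key(phys, period, pattern):
    """XOR each byte with the fill pattern at its address: yields permute(x ^ fill)."""
    return bytes(b ^ pattern[a % period] for a, b in enumerate(phys))


def recover_wiring(stripped, known, known_addr=0):
    """Solve the bit wiring from known plaintext, trying fill 0x00 and 0xFF
    (stripped bytes equal permute(x) or permute(~x) respectively).
    Returns (fill, wiring) with wiring[physical column] == logical bit."""
    obs = stripped[known_addr:known_addr + len(known)]
    for fill in (0x00, 0xFF):
        wiring = [None] * 8
        for logical in range(8):
            target = [((k ^ fill) >> logical) & 1 for k in known]
            cols = [c for c in range(8) if [(o >> c) & 1 for o in obs] == target]
            if len(cols) != 1 or wiring[cols[0]] is not None:
                break                               # ambiguous under this fill hypothesis
            wiring[cols[0]] = logical
        else:
            return fill, wiring
    raise ValueError("known plaintext does not determine a unique wiring")


def descramble(matrix, known, known_addr=0):
    """Full pipeline: bit matrix -> plaintext ROM, plus recovered period and wiring."""
    phys = physical_bytes(matrix)
    period, pattern = find_fill_pattern(phys)
    stripped = strip_key(phys, period, pattern)
    fill, wiring = recover_wiring(stripped, known, known_addr)
    plain = bytearray()
    for s in stripped:
        v = 0
        for c, logical in enumerate(wiring):
            v |= ((s >> c) & 1) << logical
        plain.append(v ^ fill)
    return bytes(plain), period, wiring


if __name__ == "__main__":
    rom = make_plain_rom()
    recovered, period, wiring = descramble(bit_matrix(rom), KNOWN_PREFIX)
    print("period", period, "wiring", wiring, "recovered ok:", recovered == rom)
```

The design point is that a bit permutation distributes over XOR, so XORing every row with the repeating pattern seen in the fill region cancels the key even though neither the key nor the wiring is known yet; the known plaintext then only has to resolve a permutation of eight columns and a complement ambiguity. Anything that keys the mask on more address bits just lengthens the period the search has to cover, and the same attack holds as long as the transform stays linear over XOR.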


Presenters:

  • Chris Gerlinsky
    Chris Gerlinsky is a hacker on Vancouver Island, Canada, whose interest in reverse engineering began with learning from pay TV security systems and pirate devices twenty years ago. From using microscopes to extract data from chips, power analysis and glitching to bypass security checks, and disassembling firmware, Chris has enjoyed opportunities to have hands-on experience with reverse engineering devices and cracking security systems.
