

# Reverse Engineering Custom ASICs by Exploiting Potential Supply-Chain Leaks



#### $ whoami





## Outline

At a glance:

- Introduction & motivation, important notes
- Dangers of supply-chains
- Reverse engineering methods
  - Deductive reasoning, probing methods
  - Deeper insights
- Live debugging & demo
- Fun fact
- Conclusion



## Introduction

#### What is an ASIC?

- → Application Specific Integrated Circuit
- → Can also be a System on Chip solution with customized peripherals (theoretically everything)

#### Who cares?

- → Vendors, security researchers, blackhat hackers...

#### Where is it used?

- → In every (embedded) computer system. There are more precise names for the specific applications like SoC, ASIP, NoC and so on.







## Introduction

It gets hard when there are **complete custom** chips without public documentation.

This means:

- → Architecture is **unknown**
- → Pinout is **unknown**
- → I/O memory map is **unknown**
- → Additional constraints are **unknown**
- → Sometimes, even the vendor is **unknown**





#### **Motivation**

A textbook example for custom ASICs can be found inside of industrial products like the PLC series S7-1200. There are even different hardware versions of this PLC series, and two different main chips. **Can we identify the JTAG port?** 





#### **Motivation**

**Expensive option:** Decapping, delayering and imaging with FIB or SEM to recover the hardware. *From silicon die... to hardware description.*







Source: https://www.capovani.com



## **Motivation**

**Cheap option:** Search the internet for similar hardware with the **same chip**. Good sources are strange online shops, eBay, AliExpress and Taobao (淘宝网). **Multiple PCBs** with the **same chip** are even better, because the function of each pin can be cross-checked between boards. The chance of identifying debug ports is higher when several different PCBs with the same chip are available.

#### Bad:

Not all secrets of the hardware can be revealed in that way.

#### Good:

No need for super expensive equipment!





## Dangers of supply-chains






#### Where are the dangers of losing IP?

#### **Aftermarket issues:**

A product that is hard to obtain (very expensive, or only available when you have a contract with the vendor) turns up in big, cheap batches from a re-seller. This enables reverse engineering even on a small budget.



→ The cheap option from the previous slide!



Searching on Google for the label of the ASIC used in the older S7 1200v1 gave some results; one of them was Taobao:





MB87M2230



Taobao just sells stuff inside China. Colleagues and friends from Singapore and China came to the rescue!





Two batches were ordered one after the other.



#### The first batch (MB87M2230)



















Searching on Google for the label of the ASIC used in the newer S7 1200v4 gave some results; one of them was Taobao, again from the same seller:





#### The second batch (A5E30235063)














Does not look like the PCB I ordered...







...which is similar to some profile pics on dating websites.



#### Reverse engineering methods – First batch of PCBs

Collecting datasheets by looking at the PCB:







Removing all parts from one PCB to be able to track all connections.

Determining the obvious Vdd pins.







#### **Reverse engineering methods – Deductive reasoning**

Actively probing for debug interfaces, in this case for JTAG. Some pins were excluded from this test because of the prior step.





These pins are often pulled to Vdd by using a pull-up resistor! They may be close to SPI or UART!



After finding such a JTAG port, the ID-code can be fetched and interpreted:



Refer to JEDEC "JEP106AV"!





Besides JTAG, another challenging task is the detection of reset pins (SRST not TRST).

Common design patterns can help here, e.g.:

- The reset pin might be **bound to Vdd by** the **same** pull-up **resistor value** as all other ICs.
- The reset pin might be switched from Vdd to GND by using a transistor.

→ These two cases are very likely!

**Quick test**: Short-circuit the pin to GND (be sure not to kill the power IC). **BINGO!** → when the CPU jumps to its reset vector!





#### Reverse engineering methods – Deductive reasoning

Whether a pin is an input, output or inout pin can be determined by measuring the resistance of the pin. This differs from chip to chip and can be used as a last step to identify the possible purpose of a pin.





## **Deeper insights**

#### Delicious cooking in sulfuric acid!



https://www.fujitsu.com/downloads/MICRO/fma/pdfmcu/packageguide-contents-x1.pdf

Title: SEC Consult – Reverse Engineering Custom ASICs by Exploiting Potential Supply-Chain Leaks | Responsible: T. Weber | Version / Date: V1.1/2019-08 | Confidentiality Class: public © 2019 SEC Consult | All rights reserved



#### Don't do that at home!



#### **Deeper insights**

The labels on the bare die sometimes reveal important information.

For this chip, it was good to verify the JTAG output – it was designed by Fujitsu.







## Deeper insights – Digging through the literature

#### So many possibilities!





http://docplayer.net/4207609-Right-sized-solutions-forembedded-applications.html

Other MB8xMxxxx chips have ARC Tangent processors, or Fujitsu RISC (FR). It can also be F²MC...



## **Deeper insights**

Removing the flash memory and reading out its content always helps.







## **Deeper insights**



By combining the information on the CPU core, the chip's year and the IP cores Fujitsu offered at that time, we can be pretty sure that an ARM926/ARM946 core is used.



The second batch of PCBs can be analyzed in the same way as the first one.





The different architectures of SPI flash + NAND flash were one of the first observations.



The bootloader, which is located at the SPI flash memory was dumped and loaded into IDA Pro:

[Screenshot: IDA Pro with the Functions window and Hex-Rays pseudocode of the SPI flash bootloader; the pseudocode references strings such as "GR crc error", "GR crc mismatch", "GR version mismatch" and "GR size mismatch".]

Most strings were referenced immediately; ARM big endian was used here too.



It turned out that the newer chip (A5E30235063) was designed by Renesas.





There are some similarities to ERTEC 200P/400 (Siemens/Renesas).



#### By brute forcing the 10-pin header of the PCB a JTAG port was found!

```text
Connecting to target via JTAG
TotalIRLen = 4. IRPrint = 0x01
JTAG chain detection found 1 devices:
 #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
Scanning AP map to find all available APs
AP[3]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x44770001)
AP[1]: APB-AP (IDR: 0x24770002)
AP[2]: JTAG-AP (IDR: 0x14760010)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Not an APB-AP
AP[1]: APB-AP found
ROMTbl[0][0]: CompAddr: 80008000 CID: B105900D, PID:04-003BB907 ETB
ROMTbl[0][1]: CompAddr: 80003000 CID: B105900D, PID:04-003BB906 CTI
ROMTbl[0][2]: CompAddr: 80004000 CID: B105900D, PID:04-001BB908 CSTF
ROMTbl[0][3]: CompAddr: 80002000 CID: B105900D, PID:04-007BBC14 Cortex-R4
Found Cortex-R4 r1p3
 8 code breakpoints, 8 data breakpoints
Debug architecture ARMv7.0
Data endian: big
Main ID register: 0x411FC143
I-Cache L1: 16 KB, 128 Sets, 32 Bytes/Line, 4-Way
D-Cache L1: 16 KB, 128 Sets, 32 Bytes/Line, 4-Way
TCM Type register: 0x00010001
MPU Type register: 0x00000C00
System control register:
 Instruction endian: big
 Level-1 instruction cache disabled
 Level-1 data cache disabled
 MPU disabled
 Branch prediction enabled
Memory zones:
 Default
 Default access mode
 AHB-AP (AP0) DMA like acc. in AP0 addr. space
 APB-AP (AP1) DMA like acc. in AP1 addr. space
Cortex-R4 identified.
```



ARM Cortex R4 was identified. Now it was easy to trace the connections back to the chip!
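The ID-code interpretation from the deductive-reasoning slides (JEP106 lookup after fetching the IDCODE) and the CoreSight ROM-table scan in the J-Link output above, as an added Python example that is not code from the original talk. Field layouts follow IEEE 1149.1 and the ARM CoreSight specification; the JEP106 dictionary is a tiny excerpt, and the sample values are the ones J-Link printed above.

```python
"""Decode the identifiers collected when an unknown JTAG port answers.

Added example, not code from the original talk: splits an IEEE 1149.1
IDCODE and a CoreSight CID/PID pair (as J-Link prints them) into their
fields and maps the JEP106 manufacturer code.  The JEP106 dictionary is a
deliberate excerpt; add entries from JEDEC JEP106 as needed.
"""

# Excerpt of JEDEC JEP106: (bank, 7-bit code without parity) -> vendor.
JEP106 = {
    (1, 0x04): "Fujitsu",
    (5, 0x3B): "ARM Ltd",
}

# CoreSight component class, CID bits 15..12.
CID_CLASS = {0x1: "ROM table", 0x9: "CoreSight component",
             0xF: "PrimeCell/legacy IP"}


def jep106_name(bank, code):
    """Report unknown codes instead of guessing a vendor."""
    return JEP106.get((bank, code),
                      "unknown (bank %d, code 0x%02X)" % (bank, code))


def decode_idcode(idcode):
    """Fields of a 32-bit TAP IDCODE.

    bit 0        always 1 (a 0 means the TAP shifted out BYPASS instead)
    bits 11..1   manufacturer: 4-bit continuation count + 7-bit code
    bits 27..12  part number
    bits 31..28  version
    """
    if not idcode & 1:
        raise ValueError("bit 0 clear: 0x%08X is not an IDCODE" % idcode)
    mfg = (idcode >> 1) & 0x7FF
    bank, code = (mfg >> 7) + 1, mfg & 0x7F   # 0 continuation bytes = bank 1
    return {"version": idcode >> 28, "part": (idcode >> 12) & 0xFFFF,
            "bank": bank, "code": code, "manufacturer": jep106_name(bank, code)}


def decode_coresight(cid_hex, pid_text):
    """Decode one ROM-table entry given 'CID' and 'PID4-PID3..PID0' strings.

    CID is 0xB105c00D with c = component class.  In PID4 the low nibble is
    the JEP106 continuation count; in PID3..0 bits 11..0 are the part
    number, bits 18..12 the designer code, bit 19 the JEDEC-assigned flag
    and bits 23..20 the revision.
    """
    cid = int(cid_hex, 16)
    if cid & 0xFFFF0FFF != 0xB105000D:
        raise ValueError("bad CID preamble 0x%08X" % cid)
    pid4_hex, pid_hex = pid_text.split("-")
    pid4, pid = int(pid4_hex, 16), int(pid_hex, 16)
    cls = (cid >> 12) & 0xF
    return {"class": CID_CLASS.get(cls, "other (0x%X)" % cls),
            "part": pid & 0xFFF,
            "jedec_assigned": bool((pid >> 19) & 1),
            "revision": (pid >> 20) & 0xF,
            "designer": jep106_name((pid4 & 0xF) + 1, (pid >> 12) & 0x7F)}


if __name__ == "__main__":
    # Values from the J-Link session shown above (second batch of PCBs).
    print(decode_idcode(0x4BA00477))                    # ARM Ltd, part 0xBA00
    print(decode_coresight("B105900D", "04-007BBC14"))  # Cortex-R4, part 0xC14
```

The part number 0xBA00 with designer ARM Ltd is the CoreSight JTAG-DP itself, which is why the TAP identifies the debug port rather than the vendor of the ASIC; the ROM-table PIDs then name the cores and trace components behind it.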



After removing the chip of an original S7 1211C, the traces can be followed back to the backside. JTAG can be enabled by adding an additional header to the PCB.



Beware when you attach the debugger! It seems that Siemens has implemented a hardware module for deleting the flash memory when the CPU is stopped!!!



## **Demo time!**

To provide a proof of concept, a small assembly program was written and uploaded to the PLC via the JTAG interface.





Special thanks go to Dr. Ali Abbasi for providing me the UART MMIO address.

https://www.syssec.ruhr-uni-bochum.de/chair/staff/aliabbasi/



A few days before publishing our research, we received the following statement from Siemens:

"The boards purchased by SEC Consult were not development boards but previously used or refurbished boards from Siemens devices. Siemens does not see a supply chain leak."

As it turns out, I was looking at boards from another series. The seller from Taobao fooled me. He offered boards from the older **S7-200 SMART** series labeled as **S7-1200** series ... but no bad feelings: the board had **JTAG**!



#### **Fun Fact**

#### Can you spot the similarities?





S7-200 SMART: http://www.plcweixiu.com/news/html/390.html







## Thank you!

Find the full blogpost here:

https://sec-consult.com/en/blog/2019/02/reverse-engineering-architecture-pinout-plc/

