Extracting the embedded firmware of an MCU requires a series of different processes, each of which can be blocked by the security fuse. Before the memory's security fuse has been removed completely, some security weaknesses still exist; even after the security fuse has been eliminated, no valid data can be read out directly. But a power glitch can still play its role here.
For example, if the security fuse is exposed to ultraviolet light for more than seven minutes, the memory contents of an AT89C52 MCU can be read out intact as hex with VDD below 2.2 V. But the security fuse becomes effective again once the voltage exceeds 4.8 V.
When the MCU extractor can pinpoint the exact moment at which data is transferred from the memory to the migration storage and the status of the security fuse is checked, it can probably lower the supply voltage to 2 V to lock the memory, then raise the voltage to 5 V to obtain the code contents of the extracted AT89C55 microcontroller and deactivate the security fuse.
Another trick is to restore the contents of the MCU's memory even when there is no overlap between elimination of the security fuse and an intact memory. For instance, we found that new samples of the same MCU begin to disturb the memory contents before the security fuse is eliminated, in which case a power glitch is used to recover the contents of the MCU after extraction.
Chip firmware can also be extracted solely by tuning and debugging the threshold value of the transistors. Carefully controlling the programming time of the memory can inject a certain amount of ions into the floating gate of the MCU. Generally speaking, the programming of EPROM memory is driven by external signals, and the whole sequence is controlled by the programming unit. This gives the MCU cracker a chance to inject ions into the floating gate to change the threshold value, ensuring that the data can be extracted and read even while the security fuse is secure and active.