Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

This is common in modern embedded devices. Sometimes they're called eFuses.

https://imxdev.gitlab.io/tutorial/Burning_eFuses_on_i.MX/



Yeap, I think the Xbox 360 was the first (or one of the first) to implement this protection back in 2005 - https://www.youtube.com/watch?v=uxjpmc8ZIxM


Wii and PS3 too :)


Has there been any research on reseting these fuses via fault injection attacks?


These fuses are inside the CPU itself. They are programmed in a sense much like the firmware itself is.

These fuses have always been around in microcontrollers. They are used to configure various aspects of the microcontroller operations, like startup sequences, whether or not the contents of the chip can be read out, is their voltage monitoring (brownout detection) enabled, is there a watchdog timer enabled which could reset the chip automatically if needed, etc.

It is common that fuses like this can only be set to progressively stricter settings. And the only way to reset the fuses is to erase the entire chip, firmware and all. It sounds like these fuses in the Nvidia dont even allow this.


I believe it's irreversible, they need to be replaced not reset.


If it could be reset, it'd be a breaker, not a fuse. ;)


The fuses aren't being protected from modifications by the firmware, but they are physically burnt - no way to reverse that.


Yes, and they are part of the SoC so there is also no way to "replace" them.


There have been attacks against eFuses implemented as flash by way of decapping and using UV light. (I'm on mobile and don't have links at hand. Sorry!)


The article that gp linked mentions that it's stored in non-volatile memory that supposedly is "programmable" only once. Obviously, it depends on the chipset, but how is non-reversibility guaranteed in this case?


From https://en.wikipedia.org/wiki/Programmable_ROM#Programming :

The bit cell is programmed by applying a high-voltage pulse not encountered during a normal operation across the gate and substrate of the thin oxide transistor (around 6 V for a 2 nm thick oxide, or 30 MV/cm) to break down the oxide between gate and substrate. The positive voltage on the transistor's gate forms an inversion channel in the substrate below the gate, causing a tunneling current to flow through the oxide. The current produces additional traps in the oxide, increasing the current through the oxide and ultimately melting the oxide and forming a conductive channel from gate to substrate.

So, basically, they intentionally apply an out-of-spec voltage on the cell's output port, overloading the gate and causing a permanent short to ground. The cell always reads as 0 afterwards.


Ah, the "melting" part is what makes it irreversible. Thanks.


I don't see the "non-volatile" part at first, sorry about that. I guess non-volatile just means the data persists across resets, not necessarily that the fuses are stored in flash or something that can be modified.


yup, Samsung Phones have them as well.

a clever but despicable tool.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: