1

# Firmware Protection and Attacks Against the ATmega Microcontrollers

Dionisio Perez-Mavrogenis

**Abstract**—This paper will review some of the attacks used against microcontrollers in order to obtain access to cryptographic material (keys or algorithms) or the firmware of the device, both of which have serious implications. Defence techniques developed against the attacks will also be reviewed, in an attempt to show the co-evolutionary nature of the attack-defence ecosystem. We conclude by presenting a working attack against a microcontroller and by discussing why completely securing a microcontroller is impossible and that manufacturers should focus on making hacking the microcontroller "hard enough" in terms of money and cost.

Index Terms—Microcontroller attacks, firmware dumping, reverse engineering, microprobing, microcontroller protection, defense engineering

review wherever I say working attack against the atmega to possible attack. reduce structure of things, merge sentences together. also make sure that spaces between Fig. or Table and number are unbreakable using the tilde. also consistently name abbreviations, could have abbreviation table. mention book pages from books from which info was taken. rename decaping to Decapsulation

#### 1 Introduction

This paper will present an overview of the current attack methods for tampering with MCUs (MicroController Unit) in order to obtain access to IP (Intellectual Property). IP refers to the firmware of the MCU and information that could be obtained from that, i.e. implementation secrets or proprietary algorithms that help a manufacturer achieve higher performance over their competitors. Firmware tampering (or theft) detection and prevention of a MCU is a popular problem with active research, as successfully addressing it would benefit a lot of parties (including the government and the military).

A distinction between ordinary and secure MCUs should be made[14] and, due to the sophistication of the protective mechanisms and the attacks, a broad classification of attackers as[1]:

- Home Hackers Clever and curious people with a very limited budget, with some degree of knowledge and no time restrictions.
- Semi-Professional Crackers Professionals skilled on electronics with access to specialised equipment and resources. Their time allowance and funding might be limited.
- Funded Organisations Organisations with access to MCU manufacturing equipment. Their funding is usually unconstrained and their time schedule is usually tight.

Firmware tampering has a number of consequences, the most obvious being an attacker downloading the code from a MCU and flashing it onto a MCU that they sell, effectively avoiding development and testing costs but still offering the same product as other manufacturers[6]. A less obvious, but perhaps more important, case is the case of back-dooring<sup>1</sup> a MCU by re-flashing on it a modified version of the firmware with coded added by the attacker in order to accomplish their malicious intents. Furthermore MCU firmware might contain government or industrial secrets whose integrity and value is more valuable than the integrity of the MCU.

Current attack technologies and methods will be reviewed (Sec. 3) and the defensive techniques (Sec. 4 developed to counter these. These are described to give a (brief) overview of the current state of affairs and, once the ATmega MCU features have been reviewed (Sec. 2), a working attack against the ATmega will be presented (Sec. 5). This paper will conclude (Sec. 6) by summarising the material presented and explaining why securing a device is hard.

# 2 THE AVR MCU SERIES

The Atmel AVR series is an enhanced-RISC architecture MCU family that consists of the ATtiny, ATmega and ATxmega sub-categories and derivatives of the above, including 32-bit AVRs and application specific FPGAs<sup>2</sup>. The models have varying degrees of hardware capabilities and large operating voltage windows in order to accommodate demand and integrate well with peripherals<sup>34</sup>.

Developing software for an AVR is easy as the AVRs benefit from the free avr-libc high-performance C

- 1. The act of adding code to a system without the user's knowledge or approval, usually to accomplish nefarious tasks.
  - 2. info:AVR family link
- 3. info:https://www.newbiehack.com
- 4. info:http://www.atmel.com/v2PFResults.aspx

run-time library(optimised for the AVR RISC architecture), the avr-gcc and avr-gdb compiler and debugger(both based on very popular and high quality GNU software tools), the avrdude programming software(or Atmel's proprietary AVRStudio) and Simulavr simulator software. Additionally, Atmel provides proprietary APIs for interacting with the AVR and the developers can choose from a wide variety of programmer units available for working with the AVRs[15].

# 2.1 ATMega Architecture and Features

# 2.1.1 Important Feature Overview

The ATmega series of MCUs is a relatively large family of MCUs and the focus of this paper is on the ATmega644 and ATmega1284. The only differences between then 1284 and the 644 is that the 1284 has got more memory available and an hardware extra timer. A summary of (some) of the features of the two units is give in Table 1[7].

Both MCUs are an enhanced-RISC Harvard architecture 8-bit CPU. Figure 2 shows the conceptual difference between a Von Neuman (most modern PCs) and a Harvard architecture, where the key distinction lies in the separation of application code and program data into different memory sections (Harvard) and tasking the CPU with distinguishing between code and data that lives in the same memory region (Von Neuman). The 644/1284 implement a Harvard architecture for both power and computational efficiency, being designed to access more than one registers simultaneously (due to the physical wiring of the CPU), enabling them to execute an instruction per cycle. Their operating voltages can vary between 1.8V and 5.5V (maximum operating frequency 20 MHz).

# 2.1.2 Memory Organisation

The 644/1284 are equipped with an EEPROM, flash memory, SRAM, a large number of general purpose registers and a large number of I/O registers (in order to be able to perform I/O) and all memory (including I/O memory mapped images) is linear, i.e. it follows the flat memory model.

The flash memory is separated into two regions, the bootloader section and application code section. The boundary between the two sections can be configured by programming the appropriate fuses, and the page size can also be configured that way as well. Both sections hold code, however code residing in the bootloader section can execute a special instruction (SPM<sup>5</sup>) which allows the bootloader code to write to *any* section in the flash memory and hence possibly modify itself(designed for purposes such as firmware upgrades). The bootloader code can be triggered by a direct jump from the application section or by programming the reset vector via the reset fuse to point to the appropriate section of the bootloader code.

5. SPM = Store Program Code, assembly instruction for the AVR.

# **Data Memory**



Fig. 1: SRAM layout for the ATmega 644 and 1284. **Reproduced from** [7].

TABLE 1: Memory differences for the AVR ATmega644/1284

| Model      | EEPROM (Kb) | SRAM (Kb) | Flash (Kb) |
|------------|-------------|-----------|------------|
| ATmega644  | 2           | 4         | 64         |
| ATmega1284 | 4           | 16        | 128        |

The EEPROM is memory for data that needs to persist between reboots of the MCU and hence it is (widely) used to hold configuration variables and other non-temporary preferences the application code (or the bootloader) may need, having an average lifespan is 100,000 write cycles per page.

The SRAM is volatile storage and is used as the stack and heap for the software (either application code or bootloader code) as well as for storing the Register File (i.e. the 32 GP registers) I/O and Extended I/O Memory. The reserved register locations exist in order to support the use of peripheral units as well as hold program status information (e.g. the Stack Pointer can be found in one of the GP registers). Figure 1 gives an overview of the SRAM hierarchy, which is slightly different (in terms of region sizes) for the 644 and the 1284 as the 1284 offers more SRAM.

## 2.2 ATMega Security Features

The AVR ATmega644/1284, even though not meant to be secure hardware modules, posses certain security features. In particular, each board provides six Lock bits responsible for controlling access to the board's memory and prevent reading or modifying the memory (e.g. prevent code executing from the bootloader section to read/write the application code section via the SPM instruction). This access control is not permanent, as that would limit the usefulness of the MCU and therefore one has the option to reset the lock bits (i.e. having no protection scheme enabled) by issuing a Chip Erase command, which has the effect of completely erasing the Flash, EEPROM and Lock bits.

The erasing is performed with the sequence of events presented above and this is important, as one does not want to remove the access protection before removing all sensitive data and hence the Lock bits are set to 1



(a) Schematic of a Von Neuman architecture.



(b) Schematic of a Harvard architecture.

Fig. 2: A comparison of different machine architectures. Source:[9].

TABLE 2: Security lock bits offered by the ATmega644 and ATmega1284. BLB stands for Boot Lock Bit and LB for Lock Bit.

| Lock Bit Byte | Bit Number | Default |
|---------------|------------|---------|
| BLB12         | 5          | 1       |
| BLB11         | 4          | 1       |
| BLB02         | 3          | 1       |
| BLB01         | 2          | 1       |
| LB2           | 2          | 1       |
| LB1           | 1          | 1       |

only after the whole program memory has been erased. Even though the flash memory has an average lifespan of 10,000 write cycles (as well as programming being relatively expensive as an operation) this approach makes sense as the ultimate goal is to preserve the intellectual property on the board rather than the board itself.

Table 2 provides an outline of the available Lock bits provided by the ATmega series. The functionality of the BLB1 group is to control access and modification of the bootloader section, group BLB0 bits control access to the application code section and group LB bits are responsible for controlling modifications on the EEPROM and Flash.A detailed explanation of their functionality and how to use them is given in [7].

## 3 ATTACKS ON HARDWARE

make this flow with previous paragraphs. make sure you mention that you have to know what chip you are trying to reverse ([14] and hardware reveng course). for chemicals see for delayering see :http://siliconpr0n.org/wiki/doku.php?id=chemical:start, http://siliconpr0n.org/wiki/doku.php?id=delayer:start

A distinction between *passive* and *active* attacks should be made. In the former the attacker simply monitors the chip's normal operation and tries to infer the input-output mapping whereas in the latter case the attacker actively manipulates either the chip or its operating environment with the aim of obtaining insight on the chips inner workings.

Attacks on MCUs may attempt to recover a number of artefacts, including cryptographic keys the firmware and do not need to necessarily attack the hardware itself but can exploit flaws in algorithmic design and implementation and protocol failures or inter-component communi-

cation patterns[1][11], obtain information by corrupting the memory or exploiting memory remanence[14][8]. The following discussion closely follows [14].

## 3.1 Non-Invasive Attacks

mention other non-invassive attacks as well and SCA, such as exposure to abnormal temperatures, exposure to radiation or using lasers damage/alter/heat specific portions of the chip. make this more technical. [12] Non-invasive attacks are attacks which require no depackaging or special preparation of the chip and hence attacks under this category leave little tamper evidence behind. These attacks might be very time consuming to find and are not guaranteed to be successful, but are very easy and cheap to replicate once found. Furthermore, non-invasive attacks could target badly implemented communication, bugs or security protocols in order to bypass security restrictions.

# 3.1.1 Power Analysis

need sampling equipment with at least double the operating frequency to get a measurement per clock cycle and also check out Correlational Power Analysis [?][12]. could also include image from DPA paper showing DES rounds. also say set up, how and where you place the resistors. see DPA paper again. Also mention EM radiation detection. Different instructions executing on a CPU require different amounts of power also because of CMOS nature 0 takes less power than 1, and hence one can infer which instruction is executing on a CPU by analysing a power trace generated by the MCU. These attacks are easy and relatively inexpensive to perform as they only require widely available tools.

Simple Power Analysis(SPA) involves direct observation of the MCU when it performs cryptographic operations and can leak information about both the keys and the cryptographic operations themselves (i.e. nature or structure of the algorithm)[11][2].

Differential Power Analysis(DPA) extracts sensitive information by using statistical techniques on very large traces. The techniques involves obtaining power traces of known cipher-texts(but not necessarily knowing the corresponding plain-texts) and individual bits of the key are recovered by analysing the differences in power consumption[11][2].

One can generally avoid noise in their power measurements by sampling the voltage (usually) on the ground line[14].

## 3.1.2 Glitch Attacks

say that glitch is inserted somewhere and that somewhere can be shown tracked down by power trace analysis. trial and error, repetitive process and can systematically be explored [12] *Power glitches* and *clock glitches* aim to make the CPU skip or execute incorrect instructions by applying transients. This attack can target in individual components of an MCU and a systematic search can deduce which components are affected by a given glitch sequence.

Clock glitches involve increasing the clock signal frequency so that some flip flops sample their input before being updated and hence report an incorrect value. Clock glitches are mainly aimed against software-based protection mechanisms, affecting CPU operation by supplying the CPU with incorrect data.

Power glitches work by supplying either too much power or too little, shifting transistors' threshold and causing flip-flops to read their state incorrectly. Power glitches need to be carefully synchronised with the internal clock and prolonged attacks might damage the board.

Glitch attacks are especially dangerous as they may abuse the program counter in order to map out the memory, which is linear as described in 2.

## 3.1.3 Data Remanence

explain more, make more technical Prolonged exposure of SRAM cells to the same values can make the cells 'remember' their state, due to material properties and stress[8]. Furthermore, cooling the memory down can prolong the time for the data to leave the memory [8][13][14]. If, for example, a start-up routine always writes security keys to the same memory location, after some time they key will be recoverable by looking at the physical state of the memory or by cooling down the chip, starting it and then reading the memory.

EEPROM suffers as well, but to a lesser extent, as material-wise one can only tell virgin-cells from used cells[14].

### 3.1.4 Timing Attacks

Timing attacks exploit the software implementation of cryptographic algorithms. Compiler optimisations (avoiding unnecessary branches, register and cache usage) and other implementation choices make the execution time of an algorithm dependent on the input and the secret key, rather being fixed for any input. For example, when input is compared byte-wise with a key and rejected when the first non-matching byte is found, rather than first consuming the whole input string.

Different instructions take different time to execute(e.g. MOV eax, [eax] is considerably slower than

INC eax) and thus one could collect timing information for various input messages and systematically deduce the correct key.

If timing information is correlated with power analysis then defences such as constant instruction execution time could be defeated. One might use NOPs in the case of a wrong key in order for rejection and confirmation responses to have constant execution time but NOP consumes substantially less power than INC eax and correlating timing and power consumption information would reveal this.

#### 3.2 Semi-Invasive Attacks

Semi-invasive attacks require depackaging of the chip but do not destroy the passivation layer as no electrical contact with the chip is needed. Semi-invasive attacks can be automated and can yield results faster and cheaper than invasive attacks.

# 3.2.1 UV Light Exposure

Older chips and chips that are designed to withstand low-cost non-invasive (i.e. no depackaging) attacks are susceptible to having parts of the memory altered if it is exposed under UV light. Security fuses that prevent read-back of the memory could have their state reset by sufficient exposure under UV light. The attacker must locate the security fuse though, which can be very tricky.

## 3.2.2 Backside Imaging

Backside imaging involves shining IR light on the rear side of the chip and imaging it from this angle, since it is a mirror-image of the front side. This is possible because, usually, light shown through the backside does not have to go though multiple layers and hence protective metal meshes(discussed in Section 4) or normal chip layers are avoided. On some chips it is possible to extract ROM contents via this technique.

# 3.2.3 Photo Carrier Stimulation

Optical Beam Induced Current and Light Induced Voltage Alteration are the two most common techniques for failure analysis that take advantage of the photoelectric effect. These techniques involve shining lasers on the semiconductor surface in order to alter some property; in OBIC a slight current is created and by analysing this one can deduce the device's properties (including defects and anomalies) and produce an image of the the board being scanned, while in LIVA the board is connected to constant power supply and changes in the power supply are monitored as laser is shone on the device, allowing one to deduce the device's characteristics and construct an image[5].

Similar to Backside Imaging, lasers can be used to read the state of memory cells in CMOS SRAM.

#### 3.3 Invasive Attacks

reduce structure Invasive attacks require direct access to the board's surface and as a result destroy the packaging in the process, therefore leaving tamper evidence. Invasive attacks usually aim to understand how a MCU works and then develop cheaper attacks for that chip, as invasive attacks are laborious, require expensive equipment and highly skilled attackers. look at lecture 1 of HWRevEng course and http://siliconpr0n.org/wiki/doku.php?id=decap:epoxy

3.3.0.1 Exposing the die surface: This usually involves destroying the packaging by using chemicals or drilling(or other methods). While this is a process that is not very complicated[14], one might have trouble finding the chemicals required. An alternative for depackaging the chip is to send it to a failure analysis lab[10].

3.3.0.2 Reverse engineering: both hardware and the software. Hardware reverse engineering requires using reflected light microscopes or SEM (Scanning Electron Microscope) for constructing a complete image of the surface. Layer removal might be required if deeper layers are not visible in order to have a complete view of the device. Software reverse engineering can be accomplished when one has obtained access to the memory.

3.3.0.3 Micro-probing and Modification: In micro-probing sub-micrometer thickness probes are used to establish contact with the bus lines in order to observe and manipulate bus signals. To achieve reliable results a micro-probing workstation<sup>6</sup> is used, consisting of a microscope, micro-positioners for the probes, a movable base and a test socket to place the chip. In order to establish contact with the bus lines the passivation layer should be removed, usually done with UV or green lasers, and access to bus lines of deeper layers can be achieved by using a FIB workstation.

Modifications to the MCU's components (adding new interconnects or destroying circuits) are not always necessary, but could prove useful[2]. For chip modifications to be successful, the attacker must be sophisticated and must have at least partially reverse-engineered the board.

# 4 COUNTERMEASURES TO KNOWN ATTACKS

As demonstrated in the previous section a manufacturer has to guard against a multitude of attacks. For designing effective defensive mechanisms one has to enumerate the likely attack scenarios and methods, type of attacker they will be facing and decide the type and extend of confidentiality they would like to provide[14][11].

A common first line of defence that is often encountered in attempts to secure systems, with questionable effectiveness, is security by obscurity and in the case of MCUs can be achieved in a number of different ways. As a starting point, the manufacturers can simply avoid

6. all moving components should have micrometer precision provide citation

printing their logos or model numbers on parts they produce, as this will make information gathering for he chip trickier. Some vendors take this even further by printing on their products identifiers of more secure or expensive products <sup>7</sup> or even try to make their MCUs look like ASICs 8 in order to scare away potential attackers by making their product appear more secure[14]. A further step in making the MCU harder to analyse is hardware obfuscation, where a group of gates commonly placed in well known structures for performing a given task (for example DES circuitry) is intentionally made more complicated and physically placed in a different locations or additional circuitry is added in order to thwart analysis[1]. Vendors also try to make information on their products hard to find by selling only to selected partners or under non-disclosure agreements[14].

Security through obscurity has received lots of criticism, and rightfully so, as it will do little to stop experienced or determined attackers. Despite its financial appeal a more effective approach is security in depth, a model in which information is protected by a number of (potentially) different defence mechanisms and in this scenario could be employed at different levels of the chip, from its external potting (or encasing) to its layered architecture. Given the attack categories presented in Sec. 3, it would be useful to broadly categorize defences in a similar fashion.

Non-invasive attacks are the least sophisticated type of attack but protection against them is a relatively laborious process[1]. To start with, one has to mask all the side-channel leakage and this means mask all relationships between data input and power consumption, thermal and electromagnetic radiation and timing relationships[11][14]. Given the software release model and the power of MCUs it's not unreasonable to strive for efficiency, both in terms of consumption and components, and bytecode optimizations performed by compilers and the hardware architecture of the instruction pipeline of an MCU might introduce leakage [11][14] by how branches are performed, instructions pre-fetched or not take constant time for operations (or execution of different instructions). Even if constant time for cryptographic operations is taken for correct and erroneous keys, or random delays are introduced such that timing relationships are masked, storing intermediate results still poses a problem due to the fact that a 0 and a 1 consume different power when handled (due to the physical nature of CMOS transistors) and hence the power consumed in a given operation is proportional to the amount of 1 bits, a concept known as "Hamming weight"[12][11]<sup>9</sup>. More approaches to thwarting power analysis include using a lower operating voltage so that power fluctuations are less evident or is introducing

<sup>7.</sup> Related legal issues discussed in Sec. 6hardware reveng legal issues

<sup>8.</sup> abbreviation?

<sup>9.</sup> maybe read this about CPA as well https://www.iacr.org/archive/ches2004/31560016/31560016.pdf

noise by means of a random number generator with variable power consumption[11][16][11]. Electromagnetic or thermal emission detection can be avoided by packaging that is appropriately shielded[4][11]. also destroying circuitry and lock bits to prevent reading

also have self health tests to detect chip modification [2]

Protection against invasive and non-invasive attacks is a lot harder because these attacks involve a range of chip modifications (from decapsulation to modification of the die), requiring varied anti-tampering mechanisms; we will proceed to give a description in the order in which decapsulation occurs. Thwarting decapsulation can get very creative as decapsulation is dependent on the material from which the chip packaging is made from (varied from pure plastic to ceramic or metal) and its physical construction. tries

In order to protect from semi-invasive attacks (such as exposure to radiation or optical inspection-doping can also reduce light penetration to reduce imaging attacks [14])

top metal conductive mesh, alert on power loss or short circuit (Atmel ATSHA204) conductive packaging and internal battery powered SRAM ,(instability reference [1]) optical sensors ([14], IBM reference, [16] glitch sensors (power/radiation/temperature/clock) - use of multiple clocks metal circuitry , protective metal mesh on top of memories, Planarization defeats optical inspection with microscope [14].

moving lock bits around and introducing multiple lock bits[14] careful placement [16] things also shrink

not perfect: give example for failure of oprical sensors Scatter unshielded phototransistors around Trigger when illuminated May not detect laser glitching in a dark room

# 4.1 Physical Protection

asic glue logic design, protective metal-mesh layer, shrink things, mesh of wires, encase in epoxy, make layers destroy each other if removed.

## 4.1.1 Protection circuits

keep keys in own, self powered module.

perhaps review some popular secure chips ?? IBM 4758 is a secure device <sup>10</sup>, some Dallas chips and perhaps more

thermally enhanced packaging: makes difficult to microprobe chips as they need to be cooled or they'll fry [slides of hardware reveng module] and careful decaping needed

ceramic packaging (Al2O3 is common, often mixed with SiO2, AlN and BeO) is extremely chemical resistant and seals very good, but can crack

potting: protects board from environment[water/dirt] but might also make tampering harder and may need to

10. http://www.cl.cam.ac.uk/ rnc1/descrack/ibm4758.html

be removed conformal coating: same deal as potting, but it's a thin layer that doesn't fill the enclosure but just covers the top. underfill: provides stability but gets in the way as well(makes desoldering harder).

Tamper responses Freeze (gate clock) Reset Self-destruct (erase firmware/data/keys)

Flash erase Can be prevented Laser/FIB/etch out charge pump caps Cut/short write enable lines, HV outputs, etc No HV = no writes Zeroize battery-backed SRAM Much harder to prevent

## 5 ATTACKING THE ATMEGA

The ATmega is a typical MCU that is susceptible to a successful attack by the **Home-Hacker** class of attackers due to its weak protective mechanisms. While there is a way to deliver firmware updates to the MCU securely[6], keeping the firmware secure on the device is impossible.

The motivation behind attacking the ATmega 688/1284 is their popularity and to prove how easy it is

mention service that breaks chips. mention ChipWhisperer paper. perhaps mention pipeline/give examples of clock glitch. mention that no paper found targeting these devices. [3] this guy breaks and [?] and website of chinese dude that break atmels.

#### 5.1 Motivation

## 5.2 Attack Overview

\* added cost (in terms of \$\$, extra hardware and software implementation penalties/overhead)

### 6 EVALUATION

mention legal issues: HWRevEng mention why security is complicated No system is unbreakable and one can only harden their system enough to make the effort of breaking it unbearable to those they wish to protect against[1][14].

security is hard to do because one must carefully analyse and model all threats [11]

# 6.1 Attacks and Solutions overview

present how expensive it would be for someone to put together a probing station and in general give estimations of cost and skillset required for various attack categories

# 6.2 Conclusions

security/shielding adds to a device's cost and size [11] and there is a tradeoff [14]

## REFERENCES

- [1] Ross Anderson and Markus Kuhn. Tamper resistance: A cautionary note. In *Proceedings of the 2nd USENIX Workshop on Electronic Commerce Volume 2*, pages 1–11, Oakland, California, November 1996. USENIX
- [2] Ross Anderson and Markus Kuhn. Low cost attacks on tamper resistant devices. In Bruce Christianson, Bruno Crispo, Mark Lomas, and Michael Roe, editors, Security Protocols, volume 1361 of Lecture Notes in Computer Science, pages 125–136. Springer Berlin Heidelberg, 1998.
- [3] Josep Balasch, Benedikt Gierlichs, and Ingrid Verbauwhede. An in-depth and black-box characterization of the effects of clock glitches on 8-bit mcus. In *Proceedings of the 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography*, FDTC '11, pages 105–114, Washington, DC, USA, 2011. IEEE Computer Society.
- [4] R. Clayton. Extracting a 3DES key from an IBM 4758. http://www.cl.cam.ac.uk/~rnc1/descrack/ibm4758.html, November 2001
- [5] Jr. Cole, E.I. Beam-based defect localization techniques. In Microelectronics Failure Analysis, Materials Park, Ohio, October 20011. ASM International.
- [6] Atmel Corporation. Atmel AVR231: AES Bootloader. Application Note 2589E-AVR-03/12, Atmel Corporation, 2012. www.atmel. com/Images/doc2589.pd.
- Atmel Corporation. ATmega164PA/324PA/644PA/1284P
  Datasheet. Datasheet 8272E-AVR-04/2013, Atmel Corporation, 2013. www.atmel.com/Images/8152s.pdf.
- [8] Peter Gutmann. Data remanence in semiconductor devices. In Proceedings of the 10th Conference on USENIX Security Symposium -Volume 10, SSYM'01, pages 4–4, Berkeley, CA, USA, 2001. USENIX Association.
- [9] Philipp Hof. A Primer To Microcontrollers. http://www.elec.canterbury.ac.nz/PublicArea/Staff/hof/p10-embed/p10-tutorial/index.html, March 2014.
- [10] Andrew Huang. Hacking the PIC 18F1320. http://www bunniestudios.com/blog/?page\_id=40, March 2014.
- [11] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential Power Analysis. In Michael J. Wiener, editor, Advances in Cryptology -CRYPTO '99, 19th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15-19, 1999, Proceedings, volume 1666 of Lecture Notes in Computer Science, pages 388–397. Springer, 1999.
- [12] S. Lawler. Power Analysis with Riscure. http://dontstuffbeansupyournose.com/2014/02/11/power-analysis-with-riscure/, February 2014.
- [13] Sergei Skorobogatov. Low temperature data remanence in static RAM. Technical Report UCAM-CL-TR-536, University of Cambridge, Computer Laboratory, June 2002.
- [14] Sergei P. Skorobogatov. Semi-invasive attacks A new approach to hardware security analysis. Technical Report UCAM-CL-TR-630, University of Cambridge, Computer Laboratory, April 2005.
- [15] Alan Trevennor. Practical AVR microcontrollers games, gadgets, and home automation with the microcontroller used in Arduino. Apress, Berkeley, CA New York, 2012.
- [16] Bulent Yener and Andrew Zonenberg. CSCI 4,74 / 6974: Hardware Reverse Engineering. Rensselaer Polytechnic Institute, lecture slides at: http://security.cs.rpi.edu/courses/hwre-spring2014/, 2014.