Comment by tuankiet65
4 years ago
The fuses aren't being protected from modifications by the firmware, but they are physically burnt - no way to reverse that.
4 years ago
The fuses aren't being protected from modifications by the firmware, but they are physically burnt - no way to reverse that.
Yes, and they are part of the SoC so there is also no way to "replace" them.
There have been attacks against eFuses implemented as flash by way of decapping and using UV light. (I'm on mobile and don't have links at hand. Sorry!)
The article that gp linked mentions that it's stored in non-volatile memory that supposedly is "programmable" only once. Obviously, it depends on the chipset, but how is non-reversibility guaranteed in this case?
From https://en.wikipedia.org/wiki/Programmable_ROM#Programming :
The bit cell is programmed by applying a high-voltage pulse not encountered during a normal operation across the gate and substrate of the thin oxide transistor (around 6 V for a 2 nm thick oxide, or 30 MV/cm) to break down the oxide between gate and substrate. The positive voltage on the transistor's gate forms an inversion channel in the substrate below the gate, causing a tunneling current to flow through the oxide. The current produces additional traps in the oxide, increasing the current through the oxide and ultimately melting the oxide and forming a conductive channel from gate to substrate.
So, basically, they intentionally apply an out-of-spec voltage on the cell's output port, overloading the gate and causing a permanent short to ground. The cell always reads as 0 afterwards.
Ah, the "melting" part is what makes it irreversible. Thanks.
I don't see the "non-volatile" part at first, sorry about that. I guess non-volatile just means the data persists across resets, not necessarily that the fuses are stored in flash or something that can be modified.