A step-by-step guide to defeating the 74155 dual 2-line to 1-line data selector/multiplexer chip
The 74155 dual 2-line to 1-line data selector/multiplexer integrated circuit (IC) chip is a common component used in digital logic circuits. While robust against normal use, the 74155 can be susceptible to certain hacking techniques that allow an attacker to crack the chip and gain access to the data flowing through it.
In this comprehensive guide, we will walk through the step-by-step process of cracking a 74155 chip to defeat its security measures.
An overview of the 74155 dual 2-line to 1-line multiplexer
Before we dive into the details of how to crack the 74155, let’s first understand what this IC chip does and how it works.
The 74155 contains two independent 2-line to 1-line multiplexers. Each multiplexer has two data inputs (A and B), one data output (Y), and a select line (S) that chooses whether A or B is connected to Y.
Here is the logic table showing the function of each multiplexer:
S | Y |
---|---|
0 | A |
1 | B |
This allows the 74155 to select between two different data sources and output one of them. The dual multiplexer configuration gives added flexibility for routing signals in digital systems.
Some key specs and characteristics of the 74155:
- Dual 2-line to 1-line multiplexing
- 2 separate select inputs
- High noise immunity TTL compatible CMOS
- Wide operating voltage range of 3V to 15V
- 16-pin DIP package
Now that we understand how the 74155 functions, let’s look at how to crack it!
Step 1: Acquire a 74155 chip and identify the pins
The first step is to obtain a 74155 dual multiplexer chip. These can be scavenged from old electronics or purchased inexpensively from electronic component suppliers.
Once you have the physical IC, use the datasheet to identify each pin’s purpose:
Key pins:
- VCC: Power supply
- GND: Ground
- A, B: Data inputs
- S: Select pin
- Y: Data output
Step 2: Connect the 74155 chip to test circuitry
Next we’ll connect the 74155 to a simple circuit to test its operation before cracking it. This will allow sending data inputs and monitor the output.
We can use switches or a microcontroller to set the A, B, and S inputs. The Y output goes to an LED to visually check the output. Power the circuit with a 5V DC supply.
Verify the chip functions as expected per the logic table before moving to the cracking stage.
Step 3: Launch a clock glitching attack
Now for the fun part – glitching the 74155’s clock to induce faults and erratic behavior!
Clock glitching involves sending malformed clock signals to the chip to cause it to malfunction in predictable ways. This is a common hardware hacking technique.
We’ll glitch the 74155 by connecting its clock pin (CP) to an Arduino or microcontroller. The Arduino will rapidly pulse the clock line on and off.
Example Arduino clock glitching code:
c
Copy code
// Glitching function void glitch() { digitalWrite(clockPin, HIGH); // Set clock high delayMicroseconds(10); // Brief delay digitalWrite(clockPin, LOW); // Set clock low delayMicroseconds(10); // Brief delay } void loop() { // Loop continuously glitching the clock line while (true) { glitch(); } }
This rapid on-off clock signal will disrupt the internal timing of the 74155 and cause it to behave erratically.
Step 4: Test for faulty outputs
With the glitching set up, we can now test for faulty outputs from the 74155.
Monitor the Y output LED while glitching the clock. We should see the output flickering, stuck in certain states, or changing unexpectedly.
The goal is to induce a fault where the output gets stuck showing the data from the A or B inputs even when the select line changes. This indicates we have broken the multiplexing function.
If faulty outputs are not observed, try adjusting the Arduino glitch timing delays. Faster/slower or longer/shorter glitches may be more effective.
Step 5: Dump and capture the output data
Once a stable fault is achieved where the output is stuck on one data input, we can leverage this to dump and capture the data.
Connect the Y output to a microcontroller pin configured as an input. Then print any data seen on the output to the console or save it to a log file.
With the right timing, this will let us eavesdrop on the data flow through the A or B inputs even when the select line is choosing the other input!
Here is some sample Arduino code to demo reading the glitched output:
c
Copy code
void loop() { // Continuously glitch the clock glitch(); // Check if output is stuck and read any data if (digitalRead(outputPin) == HIGH) { Serial.println("Output stuck high!"); Serial.print("Data value: "); Serial.println(digitalRead(outputPin)); } }
By glitching and monitoring the output over time, we can extract data traversing through the 74155 that would normally be hidden from us.
Step 6: Restore chip functionality
After the hacking is done, we can stop the clock glitching to restore normal operation of the 74155 chip if desired.
Once the erratic clock signal is removed, the chip will go back to multiplexing the A and B inputs based on the select line as originally intended.
For repeat attacks,safely store the extracted output data and re-run the glitching. Or move on to exploiting other parts of the target system!
Variations of the 74155 cracking method
While clock glitching is our primary technique covered here, there are a few other methods that can be used to crack the 74155 chip:
- Voltage glitching – Similar to clock glitching, but involving glitching the power supply voltage input instead. This disrupts timing and causes faults.
- Optical fault injection – Shining a laser onto the surface of the 74155 can cause errors in internal logic. Effective for chips with visible dies not inside opaque packages.
- Ion beams – High energy beams of ions can be precisely targeted at chip internals to induce faults during operation.
- Temperature extremes – Heating or cooling the 74155 past its normal operating specs makes it more vulnerable to glitches.
With some creativity, the right equipment, and in-depth knowledge of the target chip, practically any IC can be glitched and cracked!
Countermeasures against 74155 hacks
Here are some countermeasures that can be implemented to protect 74