On 21 October 2018 14:21:57 Kruimel wrote:
But why the question, actually? You can find out the configuration settings fairly easily, can't you? If it can't be read out, the 'code protect' bit is on, and depending on the source of the clock signal (something you should be able to see fairly well on the PCB) it is one of the four clock options. Only the 'watchdog timer' bit is a bit harder to recognise, but then it would have to be exactly that bit you're after.
Well, there you touch on it: I want to test for myself whether I could read out one that I code-protect afterwards; call it a little reverse-engineering experiment. Now the general tenor of what I read is that they cannot be read out, that the data you get back is scrambled.
Now it turned out that the 16C84 did have a 'weakness' so that the program could still be read even though the CP bit was set. The procedure would apparently be:
Source: http://www.brouhaha.com/~eric/pic/84security.html
> Insert the PIC+socket into the ZIF on the programmer board and switch
> VDD to 5V.
> From the menu set the CP configuration fuse to OFF.
> Now set VDD to VPP-0.5V (approx 13.5 volts).
> Program the configuration fuses. (Reply on screen saying
> error invalid?? Ignore this error and set VDD back to 5V.)
> Switch VDD supply off at the power supply.
> Switch off programmer supply.
> Wait 10 to 20 secs.
> Switch on programmer supply.
> Switch the VDD supply to 5V.
> Read PIC.
>
> What may be confusing to people is the error message displayed
> when programming the configuration fuses, and next not waiting for
> the charge on the cells to fall back to 5 volts after setting the
> fuses. This is why I say switch off for 10 to 20 secs, but don't
> forget to reset the VDD supply to 5 volts first.
If this technique works, I don't quite understand which method is being applied here (by raising the VDD voltage), what exactly happens to the memory cells and how that CP bit then gets reset.
Now this concerns the 16C84 and not the 16C54, but maybe the same trick can be applied. I'm still designing/building my programmer, so I can't test it directly yet.
Other info I found is:
http://www.piclist.com/techref/microchip/crackpic.htm
Whoever has the inclination and time can go through the article; there they try to recover the original from the scrambled data:
Theory of hacking 12-bit data parallel programmed PICs:
---------------------------------------------------------------------------
16C54, 16C55, 16C56, 16C57, 16C58
*****************************
PASS 1: Getting S
-----------------
Reading a code-protected part, the data will be scrambled by the equation:
S = a XOR b XOR c
-----------------
XOR table:
 x y | z
-----+--
 0 0 | 0
 1 0 | 1
 0 1 | 1
 1 1 | 0
              MSB           LSB
Origin W =    aaaa  bbbb  cccc
S       4 bit ; scrambled data
a  MSB  4 bit ; a, b, c are the parts of origin W (12 bit)
b       4 bit
c  LSB  4 bit
PASS 2: Getting S1
------------------
If we write "1111 1111 0000" (0FF0h) to the PIC, c = 0!
Reading the code-protected part, the data will be scrambled by the equation:
S1 = a XOR b XOR c, with c = 0
S1 = a XOR b
------------
PASS 3: Getting S2
-----------------
If we write "1111 0000 0000" (0F00h) to the PIC, b = 0 and c = 0!
Reading the code-protected part, the data will be scrambled by the equation:
S2 = a XOR b XOR c, with b = 0 and c = 0
S2 = a
------
Now a = S2
    b = S2 XOR S1
    c = S1 XOR S
Now we can get the origin W by the equation:
*************************************************************************
* W = (S2 AND 15)*256 + ((S2 XOR S1) AND 15)*16 + ((S1 XOR S) AND 15) *
*************************************************************************
Theory of writing data to protected PICs
========================================================
In order to set a bit in EPROM from 0 to 1 you have to apply the appropriate amount of
energy to the gate of the FET in the memory cell.
There are (to my knowledge) three ways to do it:
1. Applying short-wavelength EM waves, like UV light, X-rays and similar.
To use UV light, you'll have to access the core of the chip. You can gain
this access by corroding it with some highly corrosive acid.
With this method, the memory cell is being slowly and permanently erased!
2. Increasing the PIC power supply, but if you overdo it, you can easily
destroy the chip. (Use no more than 10-20 V, with a 50-100 mA
HIGH-SPEED CURRENT LIMIT!!!)
This method changes the memory cell state ONLY during the time the voltage
is increased, and this change takes effect almost instantly (because of
the difference between the memory cell structure and the structure of the
rest of the chip logic). When the voltage drops back to the normal level, the memory
cells' states also return to their previous values.
IT IS IMPORTANT TO TAKE CARE OF THE SUPPLY DIFFERENCE BETWEEN
YOUR PROGRAMMER AND THE PIC!!! YOU HAVE TO CONSTRUCT LEVEL TRANSLATORS
SO THAT YOUR PROGRAMMER WILL NOT BE DAMAGED!!!
3. Increasing the temperature of the chip (no more than 140 degrees
Celsius; at 155 to 200 degrees the substrate will change its structure
and will be permanently destroyed!).
Remarks for this method are the same as for the previous one
(increasing the PIC power supply),
but this method has less effect on the memory cell.
In my opinion this is the best way:
-----------------------------------
First we read the protected PIC and acquire "S" with a standard read.
To acquire "S1" ("S2"):
----------------------------------
First you should try the voltage change. In most cases it is quite
enough to set the protection bit in the PIC.
But be aware that during programming, applying a 10-15 V
power supply generates too big a current, which can destroy the chip, so
you'll have to supply the chip with a current limited to 50 to 100 mA.
If this method gives no result, try this way:
The temperature should be constant and about 110 Celsius.
Vdd = 6-9 V (limit 100 mA)
Adjust the UV light power so that it takes about 10 minutes to erase the PIC.
(You can regulate this by simply changing the distance between the UV light
source and the chip.)
(The temperature remains 110 degrees Celsius.)
1 Expose for 20-30 sec
2 Interrupt the exposure, and with the programmer at Vdd = 6-9 V, T = 110 C,
check whether the PIC protection bit is set.
3 Repeat steps 1 and 2 until this bit is set.
4 Expose for another 5-10 sec
5 Stop the exposure (now it is possible to program the whole PIC)
6 With the programmer at a temperature of 110 degrees Celsius and
Vdd = 6-9 V, program the WHOLE PIC with 3F80h for every word.
7 Slowly cool the PIC down to -10 C to -20 C
8 Read the PIC at a temperature of -20 C and a voltage of 3-4 V;
unless you have gone too far with the erasure of the PIC,
all data will be intact (as before the erasure), even the protection
bit will be 0! BUT the lower 7 bits in every word will be 0!,
and we have acquired "s1"!
A bigger voltage and temperature difference will result in better
compensation of the non-linearity of single-bit erasure across the whole PIC.
By using this equation we can decode the whole PIC:
w = ((NOT s1) AND 127)*128 + ((s XOR s1) AND 127)
==================================================
Now here too a voltage method is applied, but also UV exposure, and I don't quite understand what does and does not get erased then. If you expose the whole chip to UV light you would expect the whole program to be erased, and that would according to this article. The chip is also heated to >100°
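As an added example (not from the original post or from the quoted piclist article), the Python below models the 12-bit XOR scrambling that the quoted text describes for the 16C54 family and checks that the quoted recovery equation inverts it for every one of the 4096 possible words. The lesson for anyone relying on "scrambled" reads as a confidentiality control is that S = a XOR b XOR c is a linear function of the secret word, so a read leaks four bits outright and two further reads with known bits forced to zero cancel the rest; the EPROM model used here (a programming pass can only clear bits) is an assumption, and the sample word is constructed.

```python
def scrambled_read(word: int) -> int:
    """What a code-protected 16C5x returns for one 12-bit word: S = a XOR b XOR c."""
    a = (word >> 8) & 0xF
    b = (word >> 4) & 0xF
    c = word & 0xF
    return a ^ b ^ c


def program_word(word: int, pattern: int) -> int:
    """Assumed EPROM behaviour (not stated on the page): programming can only clear bits,
    so writing 0FF0h forces c = 0 and writing 0F00h forces b = 0 and c = 0."""
    return word & pattern & 0xFFF


def recover_word(s: int, s1: int, s2: int) -> int:
    """The article's equation: W = (S2 AND 15)*256 + ((S2 XOR S1) AND 15)*16 + ((S1 XOR S) AND 15)."""
    return (s2 & 15) * 256 + ((s2 ^ s1) & 15) * 16 + ((s1 ^ s) & 15)


def three_pass_recovery(word: int) -> int:
    """Run the article's three passes against the model and return the word the equation yields."""
    s = scrambled_read(word)                        # PASS 1: plain read, S = a^b^c
    s1 = scrambled_read(program_word(word, 0xFF0))  # PASS 2: c = 0, S1 = a^b
    s2 = scrambled_read(program_word(word, 0xF00))  # PASS 3: b = c = 0, S2 = a
    return recover_word(s, s1, s2)


def scrambler_is_invertible() -> bool:
    """True when all 4096 words come back exactly: the XOR fold is linear, not a cipher."""
    return all(three_pass_recovery(w) == w for w in range(0x1000))


def distinct_scrambled_values() -> int:
    """How many distinct values a single protected read can produce for 4096 words (only 16)."""
    return len({scrambled_read(w) for w in range(0x1000)})


if __name__ == "__main__":
    # Constructed sample word, not taken from a real part.
    print(hex(three_pass_recovery(0xA5C)), scrambler_is_invertible(), distinct_scrambled_values())
```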