			      Crack Pic 
			======================
			by Dejan Kaljevic 1998.
			mailto:dejan@net.yu
			web: http://www.net.yu/~dejan
			



In this file you will find out more about the theory on which my CrackPic 
software is based.

                      Theory on which CrackPic is based
                   ***************************************

1. Some of the PIC models allow scrambled data reading when they are protected,
according to the formula:

        s = a NXOR b     1.)   where: a = higher 7 bits from 14-bit word 
                                      b = lower 7 bits from 14-bit word 
   
	NXOR Table:

	x y |z
	------
	0 0 |1
	1 0 |0
	0 1 |0
	1 1 |1

2. The program is stored in EPROM. When this EPROM is erased, it has all of its 
bits set to 1, which means that the value of every word stored in it is 3fffh. 
During EPROM programming it is ONLY possible to change 1 into 0, AND NOT 
the other way around.
Combining 1. and 2., you can conclude that to unscramble a word it is enough 
to clear its lower 7 bits (b=0), which gives:


	for equation 1. if b=0
	
	s1 = a NXOR 0 = NOT a

	s1 = NOT a	2.)
	----------


	equation 1. can be written as
	
	s = (NOT a) XOR b   3.)
	-----------------


	Combining equations 2 and 3
	s = s1 XOR b 

	b = (s XOR s1) AND 127  4.)	(AND 127 keeps the lower 7 bits)
	======================	

	a = (NOT s1) AND 127
	====================

	The original word is:
	
	w = a*128 + b  

        ********************************************************
        *  w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127)  *
        ********************************************************	
	

--------------------------------------------------------------------

	"s" is obtained by simply reading the PIC.
	Obtaining "s1" is the problem.

Some PIC`s (16c71,61,.) allow writing into the first 64 words, so it is enough 
to write 3f80h (11 1111 1000 0000 bin) into each of these words, 
thus making b=0.

The rest of the memory is protected from writing, so another way to write 
to it has to be found.

I accidentally discovered the way to write the following word into the 
rest of the EPROM: (xx xxxx xx00 0000 bin), thus making b=(x00 0000)bin
(You can find more about it in CrackPic.a32, written in ASM).
 
I cannot reset the highest bit in b, and from the previous equations it is 
obvious that it influences the 14th and 7th bit in the original word. This 
means that for a given "s" we can calculate two pairs of different 
combinations for one instruction code (since bit 7 in b can be either 0 or 1):

          bit 7 of "s"        possible values for
                              bits 14 and 7 of "w"
                                14       7
      --------------------------------------------------------------
               0                 0       1       code 1
                                 1       0       code 2
               1                 1       1       code 1
                                 0       0       code 2

Because of that you will get 2 codes, of which one is correct. You will 
have to determine the correct instruction manually, but the two differ a 
lot, and it should be easy to filter out the wrong ones. I have made software 
(CrackPic.exe) that generates a DEX.LST file which contains pairs of 
instructions, and enables you to easily pick the correct ones.
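
The two-candidate result above can be checked with a short simulation. The Python below is an added example, not code from CrackPic: it models the protected read-out with equation 1 and EPROM programming as a bitwise AND, and it assumes the partial write pattern is 3fc0h (every x bit left at 1). The function names and sample words are made up for the illustration.

```python
# Added illustration: simulates the 14-bit scrambled read-out on constructed
# words only; it does not talk to any hardware.
MASK7 = 0x7F

def scramble14(w):
    """Protected read-out of a 14-bit word: s = a NXOR b (equation 1)."""
    a, b = (w >> 7) & MASK7, w & MASK7
    return ~(a ^ b) & MASK7

def eprom_write(cell, value):
    """EPROM programming can only turn 1 bits into 0 bits."""
    return cell & value

def unscramble14(s, s1):
    """Page formula: w = ((NOT s1) AND 127)*128 + ((s XOR s1) AND 127)."""
    return ((~s1 & MASK7) << 7) | ((s ^ s1) & MASK7)

def candidates14(s, s1_partial):
    """Both words consistent with s when the top bit of b could not be cleared.

    The formula yields the candidate whose bit 7 is 0 ("code 2" in the table);
    "code 1" differs from it in word bits 14 and 7, i.e. XOR mask 0x2040.
    """
    code2 = unscramble14(s, s1_partial)
    return code2 ^ 0x2040, code2

def demo(words):
    """Return (recoveries with b fully cleared, candidate pairs otherwise)."""
    full, partial = [], []
    for w in words:
        s = scramble14(w)
        s1 = scramble14(eprom_write(w, 0x3F80))    # b = 000 0000
        s1p = scramble14(eprom_write(w, 0x3FC0))   # b = x00 0000 (assumed pattern)
        full.append(unscramble14(s, s1))
        partial.append(candidates14(s, s1p))
    return full, partial

# Constructed sample words (arbitrary 14-bit values, not from any real device).
SAMPLE = [0x3FFF, 0x0000, 0x1683, 0x0086, 0x2805, 0x30C1]

if __name__ == "__main__":
    full, partial = demo(SAMPLE)
    for w, f, (c1, c2) in zip(SAMPLE, full, partial):
        print(f"w={w:04x} full={f:04x} code1={c1:04x} code2={c2:04x}")
```

With b fully cleared every word is recovered exactly; with the top bit of b left in place the true word is always one of the two candidates, which is why a 7-bit XOR read-out gives no confidentiality once part of the word can be cleared.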

	
                   Some helpful notes
                  *********************

If the 7th bit of "s" equals 0, and you're cracking a PIC that has up to 3fh 
files (16c71,61,84, etc.), then it is probably code 1 0, because 
instructions with the 0 1 code work with files 40h - 7fh, which are not 
supported in these PIC`s. Of course, after reading this text anyone can 
use this kind of instruction, which has no other purpose but to fool you.

Anyway, this program is not something special, but if you need inverse 
engineering of the PIC`s, and you`re an experienced PIC programmer who
cannot pay 1000$ - 5000$ to the professionals, I believe that this FREE 
software will be of some use to you ;)
	

*******************************************************************************


				F.A.Q.
*******************************************************************************

      Q: Does CrackPic physically destroy the PIC?
      A: NO! CrackPic resets one part of the program stored in the PIC. 
         If you have a windowed PIC you can delete its contents with a UV lamp, 
         and use it again!
	
      Q: Is your algorithm applicable on some other programmer?
      A: Yes, it is, on any one!

      Q: May I use Your algorithm from CrackPic?
      A: Yes, it's completely free if you mention my name somewhere in your 
	 final product.
	(Source can be found in CrackPic.zip at: 
                         http://www.net.yu/~dejan              )

      Q: Do you know how to crack parallel programmed PIC`s (16c54,55,56,etc.)?
      A: Not yet, but while working on them, I have made one interesting 
	 discovery, which maybe can be used to directly  read protected program!


      Q: Can you tell me more about the algorithm you're using?
      A: Yes. You can find more detailed explanations in this file.
 	
      Q: Do you know how to reset that 7th bit?
      A: No. If I knew that, I would publish it right away.
	 I have some ideas about it,  if someone is willing to try...



==========================================================================
                        Theory of other PIC-s
==========================================================================


         Theory of hacking 12-bit data parallel programmed PIC-s:
---------------------------------------------------------------------------
                     16c54,16c55,16c56,16c57,16c58
                     *****************************


PASS 1  Getting S
-----------------
When code-protected parts are read, the data is scrambled by the equation:

                  S = a XOR b XOR c		
                  -----------------

	XOR Table:

	x y |z
	------
	0 0 |0
	1 0 |1
	0 1 |1
	1 1 |0

	           MSB       LSB
	Origin W = aaaa bbbb cccc

	S   4 bits          ;scrambled data
	a   4 bits (MSB)    ;a, b, c are the parts of origin W (12 bits)
	b   4 bits
	c   4 bits (LSB)


PASS 2	Getting S1
------------------
If we write "1111 1111 0000" (0ff0h) to the PIC, c=0 !
When the code-protected part is read, the data is scrambled by the equation:

	S1 = a XOR b XOR c	(c=0)
	S1 = a XOR b
	------------


PASS 3 Getting S2
-----------------
If we write "1111 0000 0000" (0f00h) to the PIC, b=0 and c=0 !
When the code-protected part is read, the data is scrambled by the equation:

	S2 = a XOR b XOR c	(b=0, c=0)
	S2 = a
	------

Now	a = S2
	b = S2 XOR S1
	c = S1 XOR S  

Now we can get the origin W by the equation:

    *************************************************************************
    *  W = (S2 AND 15)*256 + ((S2 XOR S1) AND 15)*16 + ((S1 XOR S) AND 15)  *
    *************************************************************************

You can read an explanation of how to write data to a protected PIC at the 
end of this file!
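
The three passes can be followed end to end in a small model. The Python below is an added example, not part of CrackPic: it assumes the two writes succeed as described, models programming as a bitwise AND (1 to 0 only), and uses a made-up class name, function names and sample words.

```python
# Added illustration: models the three-pass read-out for the 12-bit parts on
# constructed data; no hardware access is involved.

def scramble12(w):
    """Protected read-out of a 12-bit word: S = a XOR b XOR c (4 bits)."""
    return ((w >> 8) ^ (w >> 4) ^ w) & 0xF

class ProtectedEprom:
    """Toy model: programming ANDs into each cell, reads return only S."""

    def __init__(self, words):
        self._cells = [w & 0xFFF for w in words]

    def program_all(self, value):
        # EPROM programming can only change 1 bits into 0 bits.
        self._cells = [c & value for c in self._cells]

    def read_all(self):
        return [scramble12(c) for c in self._cells]

def recover12(s, s1, s2):
    """Page formula: W = S2*256 + (S2 XOR S1)*16 + (S1 XOR S)."""
    return ((s2 & 15) << 8) | (((s2 ^ s1) & 15) << 4) | ((s1 ^ s) & 15)

def three_pass(dev):
    """Run PASS 1-3 against the model and rebuild every original word."""
    s = dev.read_all()          # PASS 1: S  = a XOR b XOR c
    dev.program_all(0xFF0)      # write 0ff0h: c becomes 0
    s1 = dev.read_all()         # PASS 2: S1 = a XOR b
    dev.program_all(0xF00)      # write 0f00h: b becomes 0
    s2 = dev.read_all()         # PASS 3: S2 = a
    return [recover12(x, y, z) for x, y, z in zip(s, s1, s2)]

# Constructed sample image (arbitrary 12-bit values, not from a real device).
SAMPLE = [0xFFF, 0x000, 0xA5C, 0x123, 0xC07, 0x9F1]

if __name__ == "__main__":
    for w, r in zip(SAMPLE, three_pass(ProtectedEprom(SAMPLE))):
        print(f"original={w:03x} recovered={r:03x}")
```

A single scrambled read leaves 256 possible words per 4-bit value; it is the ability to clear nibbles and read again that removes the ambiguity.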


           Theory of hacking 14-bit data serial programmed PIC-s:
---------------------------------------------------------------------------
              16c61,16c62,16c64,16c65,16c71,16c73,16c74,16c84
	      ***********************************************


PASS 1  Getting S
-----------------
When code-protected parts are read, the data is scrambled by the equation:

        s = a NXOR b     1.)   where: a = higher 7 bits from 14-bit word 
                                      b = lower 7 bits from 14-bit word 
   
	NXOR Table:

	x y |z
	------
	0 0 |1
	1 0 |0
	0 1 |0
	1 1 |1



PASS 2 Getting S1
-----------------
2. The program is stored in EPROM. When this EPROM is erased, it has all of its 
bits set to 1, which means that the value of every word stored in it is 3fffh. 
During EPROM programming it is ONLY possible to change 1 into 0, AND NOT 
the other way around.
Combining 1. and 2., you can conclude that to unscramble a word it is enough 
to clear its lower 7 bits (b=0), which gives:


	for equation 1. if b=0
	
	s1 = a NXOR 0 = NOT a

	s1 = NOT a	2.)
	----------


	equation 1. can be written as
	
	s = (NOT a) XOR b   3.)
	-----------------


	Combining equations 2 and 3
	s = s1 XOR b 

	b = (s XOR s1) AND 127  4.)	(AND 127 keeps the lower 7 bits)
	======================	

	a = (NOT s1) AND 127
	====================

	The original word is:
	
	w = a*128 + b  

	********************************************************
	*  w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127)  *
	********************************************************	



-------------------------------------------------------------------------------

		Theory of writing data to protected PIC-s
	========================================================
	
In order to set a bit in EPROM from 0 to 1 you have to apply an appropriate 
amount of energy to the gate of the FET in the memory cell.
There are (to my knowledge) three ways to do it:

1.	Applying short-wavelength EM waves, like UV light, X-rays, and similar.
	To use UV light, you'll have to access the core of the chip. You can gain
	this access by corroding it with some highly corrosive acid.

	With this method, the memory cell is slowly and permanently erased!

	
2. 	Increasing PIC power supply, but if you overdo it, you can easily
	destroy the chip. (Use no more than 10 - 20V, with a 50-100mA 
	HIGH SPEED LIMITED CURRENT !!!) 

	This method changes the memory cell state ONLY during the time the voltage 
	is increased, and this change takes effect almost instantly (because of 
	the difference between the memory cell structure and the structure of the 
	rest of the chip logic). When the voltage drops back to the normal level, 
	the memory cell states also return to their previous values.

	IT IS IMPORTANT TO TAKE CARE OF THE SUPPLY DIFFERENCE BETWEEN
	YOUR PROGRAMMER AND PIC!!! YOU HAVE TO CONSTRUCT LEVEL TRANSLATORS,
	SO THAT YOUR PROGRAMMER WILL NOT BE DAMAGED !!!

3.	Increasing the temperature of the chip (no more than 140 degrees 
	Celsius). At 155 to 200 degrees the substrate will change its structure,
	and will be permanently destroyed!

	Remarks for this method are the same as for the previous one 
	(increasing PIC power supply),
	but this method has lesser effect on the memory cell.


	In my opinion this is the best way: 
	-----------------------------------

	First we read protected PIC, and acquire "S" with standard reading.

              To acquire "S1" ("S2"):
	----------------------------------

	First you should try the voltage change. In most cases it is quite 
	enough to set the protection bit in the PIC.

	But be aware that during programming, a 10 - 15 V power supply 
	generates a current large enough to destroy the chip, so
	you`ll have to supply the chip with a current limited to 50 to 100 mA.

	If this method gives no result, try this way:

	  Temperature should be constant and about 110 Celsius.
	  Vdd = 6-9 V (limit 100mA)
	  
        Adjust UV light power so that it takes about 10 minutes to erase PIC.
        (You can regulate this by simply changing the distance between UV light
        source and chip)
	
		(Temperature remains 110 degrees of Celsius)
	
	1 Expose between 20 - 30 sec
	2 Interrupt exposure, and with programmer Vdd=6-9 V T=110 C 
	  check whether the PIC protection bit is set.
	3 Repeat steps 1 and 2 until this bit is set.
	4 Expose for another 5-10 sec
	5 Stop with the exposure (Now it is possible to program the whole PIC)
	6 With a programmer at a temperature of 110 degrees Celsius and
	  Vdd = 6-9 V program the WHOLE PIC with 3f80h for every word.
	7 Slowly cool down the PIC to -10 C to -20 C 
	8 Read PIC at a temperature of -20 C and voltage of 3-4 V.
	  Unless you have gone too far with the erasure of the PIC,
	  all data will be intact (as before the erasure), even the protection
	  bit will be 0! BUT, the lower 7 bits in every word will be 0,
	  and we have acquired "s1"!


  Bigger voltage and temperature difference will result in better  
  compensation of single bits erasure non-linearity on whole PIC.


	  By using this equation we can decode the whole PIC:

	  w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127)
	  ==================================================

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
	  
	IMPORTANT!

I do not consider myself responsible for any kind of damage induced by using 
or not using information from this file!!!

*******************************************************************************

	If you are going to use my source (or some parts of it) or some of the 
techniques I've described here for some project of yours, will you please 
mention my name somewhere on it.

	If you use software and techniques I've described on some PIC`s 
other than 16c71, or if you know another way how to reset the 7th bit, 
will you please email your experiences to me. Also email me any other PIC 
inverse engineering technique that you may know.

		mailto:dejan@net.yu

	If you want me to publish your results on my site, I will guarantee 
that you'll stay anonymous if you wish so. Also, I will NOT publish anything 
you sent me, if you don't allow me that! 
	 
-------------------------------------------------------------------------------
			Dejan Kaljevic  1998.
			






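start_crack_pic:

	_printm	8,0,1eh,'Pass 1: Reading...'
;======================================	pass 1
		call start_pic

		mov edi,bafer_1		; edi -> buffer that receives the words read
		mov ecx,pic_size

__nex_vc:	mov bl,4		; 4 = "read data from program memory" (PIC16 serial programming command)
		call send_cmd
		call read_data

		shr bx,1		; shift out the lowest bit of the 16-bit value in bx
		and bh,not 0c0h		; clear the top two bits, leaving a 14-bit value
		mov [edi],bx		; store it in the buffer
		add edi,2		; advance to the next 16-bit slot
		mov bl,6		; 6 = "increment address" (PIC16 serial programming command)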
