
Re: Fuseable Links - no guarantees??



>At 11:44 PM 6/14/96 -0400, Warren wrote:
>>I have never paid much attention to the protection of firmware or the
>>technical issues revolving around such schemes...was wondering:
>>
>>I recently saw an ad for a UK based group that says they can take a PIC
>>OTP micro and read the prom (for a fee, of course) - How the heck is this
>>done?? I have my suspicion that they (somehow) magically peel off the
>>ceramic coating (without destroying the chewy center), get a circuit mask
>>and 'micro probe' the I/O of the IC...they then download the secret recipe
>>to the aforementioned 'chewy center'.

The advert was probably for a device/program called PICBUSTER. This is
basically a technique of popping the PIC16C84 microcontroller. The chip is
an EEPROM micro. There are a few ways of popping the chip but the simplest
is to set the supply voltage to the programming voltage less about 0.7
Volts. This is generally done with the aid of a diode such as the 1N4148.
Then the fuses are reset. For normal programming there should be at least
5 Volts differential. The smaller differential seems to only allow the
protection to be popped. It is not a fusible link as such.

If you want to read the details they are on
http://www.iol.ie/~kooltek/picbust.html

>>
>>Is this close to accurate?? How is it 'done' ???
>
>
>While I have never come even close to needing to attempt this kind of thing, 
>long ago it occurred to me that if the "no read" bit was stored in a 
>programmable bit, and if the location of that bit was known or could be 
>identified, you could expose that particular bit through a tiny mask hole 
>and cause the part to be readable again.  Locating that bit (assuming 
>there's just one) would be relatively simple:  Take a test part, program it, 
>read-lock it, and then expose it to a VERY slowly sliding mask with UV 
>behind.  Do this for both axes, to find the bit's location on the chip.

Apparently the protection fuse in the EPROM versions of the microcontrollers
is fairly readily identifiable. Most of the OTP microcontrollers are
essentially EPROM types without the quartz glass window.

The commonest procedure for popping these is to first remove the coating and
then to measure accurately where the protection fuse is. Then, with another
that is to be popped, a small hole is drilled over the fuse area. The
drilling operation stops before reaching the silicon die. Then some strong
acid, either Sulphuric or Nitric, is dropped in to dissolve the coating. Then
a UV lamp is shone on the fuse to reset it.

The latter technique for popping chips is by far the most dangerous. It
requires proper acid handling procedures and good ventilation.

Another technique is to fool the microcontroller into switching from
internal to external EPROM and then back. This hack generally works on the
8051, 8751, 8052 and 8752 microcontrollers.

I was coincidentally just finishing a section on popping chips for a book
that I am working on :-)

Regards...jmcc
(John McCormac)
********************************************
John McCormac            * Hack Watch News
[email protected]       * 22 Viewmount, 
Voice&Fax: +353-51-73640 * Waterford,
BBS: +353-51-50143       * Ireland
********************************************
