Crack Pic
======================
by Dejan Kaljevic 1998.
mailto:-Remove-dejan~NOSPAM~ at net.yu
web: http://www.net.yu/~dejan
In this file you will find out more about the theory on which my CrackPic
software is based.
Theory on which CrackPic is based
***************************************
1. Some PIC models still allow reading when they are code-protected, but the
   data comes back scrambled according to the formula:
   s = a NXOR b                     1.)
   where: a = upper 7 bits of the 14-bit word
          b = lower 7 bits of the 14-bit word
NXOR Table:
x y |z
------
0 0 |1
1 0 |0
0 1 |0
1 1 |1
2. The program is stored in EPROM. When the EPROM is erased, all of its
bits are set to 1, which means that every word stored in it reads as 3fffh.
During EPROM programming it is ONLY possible to change a 1 into a 0, NOT
the other way around.
Combining 1. and 2. you can conclude that to unscramble a word it is enough
to erase its lower 7 bits (b=0), which gives:
for equation 1. with b=0
s1 = a NXOR 0 = NOT a
s1 = NOT a                          2.)
----------
Equation 1. can be written as
s = (NOT a) XOR b                   3.)
-----------------
Combining equations 2 and 3:
s = s1 XOR b
b = (s XOR s1) AND 127              4.)   (AND 127 keeps the lower 7 bits)
======================
a = (NOT s1) AND 127
====================
The original word is:
w = a*128 + b
********************************************************
* w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127)   *
********************************************************
--------------------------------------------------------------------
"s" is obtained by simply reading the PIC.
Obtaining "s1" is the problem.
Some PICs (16c71, 61, ...) allow writing into the first 64 words, so it is enough
to write 3f80h (11 1111 1000 0000 bin) into each of these words,
thus making b=0.
The rest of the memory is protected from writing, so it is necessary
to find some other way to do it.
I accidentally discovered a way to write the following word into the
rest of the EPROM: (xx xxxx x x00 0000 bin), thus making b=(x00 0000) bin.
(More about this can be found in CrackPic.a32, written in ASM.)
I cannot reset the highest bit in b, and from the previous equations it is
obvious that it influences bits 14 and 7 of the original word. This
means that for a given "s" we can calculate two different candidate
combinations for one instruction code (since bit 7 of b can be either 0 or 1):
bit 7 of "s" | possible values of bits 14 and 7 of "w"
-------------+-----------------------------------------
      0      |      1 0      code 1
             |      0 1      code 2
      1      |      1 1      code 1
             |      0 0      code 2
Because of that you will get 2 codes, one of which is correct. You will
have to determine the correct instruction manually, but the two differ a
lot, and it should be easy to filter out the wrong ones. I have written software
(CrackPic.exe) that generates a DEX.LST file containing the pairs of
instructions and lets you easily pick the correct ones.
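As an added example (not code from CrackPic or its author), the following Python models the scrambled read of equation 1, the pass-2 write described above (b reduced to x00 0000), and the decode of equation 4, and shows that the decode always yields a pair of candidates differing in bits 14 and 7, exactly as in the table; the program words it uses are constructed.

```python
# Added example (not CrackPic's own code): model of the 14-bit scrambled read,
# of the pass-2 write the text describes, and of the two-candidate decode.
# The program words used below are constructed for illustration.

MASK7 = 0x7F            # one 7-bit half of a 14-bit program word
BITS_14_AND_7 = 0x2040  # bit 14 (0x2000) and bit 7 (0x40), counted from 1 as in the text

def scramble(w):
    """Equation 1: a protected read returns s = a NXOR b over the two 7-bit halves."""
    a, b = (w >> 7) & MASK7, w & MASK7
    return (~(a ^ b)) & MASK7

def after_pass2_write(w):
    """EPROM programming can only clear bits (1 -> 0), so writing 3f80h over a word
    clears the lower six bits of b; per the text, bit 7 of b cannot be reset and stays."""
    return w & 0x3FC0

def decode_candidates(s, s1):
    """Equation 4: w = ((NOT s1) AND 127)*128 + ((s XOR s1) AND 127).
    Because bit 7 of b is unknown, the true word is either this value or the same
    value with bits 14 and 7 both flipped. Returns (code 1, code 2) in the order of
    the table above: code 1 is the candidate with bit 14 set."""
    w = (((~s1) & MASK7) << 7) | ((s ^ s1) & MASK7)
    other = w ^ BITS_14_AND_7
    return (w, other) if w & 0x2000 else (other, w)

def recover(w):
    """Round trip for one word: scrambled read, pass-2 write, second scrambled
    read, decode. Returns the candidate pair; exactly one of them equals w."""
    s = scramble(w)                      # pass 1: read s
    s1 = scramble(after_pass2_write(w))  # pass 2: write 3f80h, read s1
    return decode_candidates(s, s1)

if __name__ == "__main__":
    for w in (0x0803, 0x1C65):  # constructed: bit 7 of b clear, then set
        c1, c2 = recover(w)
        print(f"w={w:04x}  s={scramble(w):02x}  code1={c1:04x} code2={c2:04x}  "
              f"correct present: {w in (c1, c2)}")
```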
Some helpful notes
*********************
If bit 7 of "s" equals 0, and you're cracking a PIC that has up to 3fh
file registers (16c71, 61, 84, etc.), then it is probably code 1 0, because
instructions with code 0 1 work with files 40h - 7fh, which are not
supported in these PICs. Of course, after reading this text anyone can
use this kind of instruction, which has no other purpose than to fool you.
Anyway, this program is nothing special, but if you need reverse
engineering of PICs, and you're an experienced PIC programmer who
cannot pay $1000 - $5000 to the professionals, I believe that this FREE
software will be of some use to you ;)
*******************************************************************************
F.A.Q.
*******************************************************************************
Q: Does CrackPic physically destroy the PIC?
A: NO! CrackPic resets one part of the program stored in the PIC.
If you have a windowed PIC you can erase its contents with a UV lamp
and use it again!
Q: Is your algorithm applicable to some other programmer?
A: Yes, it is, to any of them!
Q: May I use your algorithm from CrackPic?
A: Yes, it's completely free if you mention my name somewhere in your
final product.
(Source can be found in CrackPic.zip at:
http://www.net.yu/~dejan )
Q: Do you know how to crack parallel programmed PICs (16c54, 55, 56, etc.)?
A: Not yet, but while working on them I made one interesting
discovery, which maybe can be used to read the protected program directly!
Q: Can you tell me more about the algorithm you're using?
A: Yes. You can find more detailed explanations in this file.
Q: Do you know how to reset that 7th bit?
A: No. If I knew that I would publish it right away.
I have some ideas about it, if someone is willing to try...
==========================================================================
Theory of other PIC-s
==========================================================================
Theory of hacking 12-bit data parallel programmed PICs:
---------------------------------------------------------------------------
16c54,16c55,16c56,16c57,16c58
*****************************
PASS 1  Getting S
-----------------
Reading the code-protected part, the data will be scrambled by the equation:
S = a XOR b XOR c
-----------------
XOR Table:
x y |z
------
0 0 |0
1 0 |1
0 1 |1
1 1 |0
             MSB            LSB
Original W = aaaa bbbb cccc
S       4 bit   ;scrambled data
a  MSB  4 bit   ;a, b, c are the parts of the original W (12 bit)
b       4 bit
c  LSB  4 bit
PASS 2  Getting S1
------------------
If we write "1111 1111 0000" (0ff0h) to the PIC, then c=0 !
Reading the code-protected part, the data will be scrambled by the equation:
S1 = a XOR b XOR c, with c=0
S1 = a XOR b
------------
PASS 3  Getting S2
-----------------
If we write "1111 0000 0000" (0f00h) to the PIC, then b=0 and c=0 !
Reading the code-protected part, the data will be scrambled by the equation:
S2 = a XOR b XOR c, with b=0 and c=0
S2 = a
------
Now a = S2
    b = S2 XOR S1
    c = S1 XOR S
Now we can get the original W by the equation:
*************************************************************************
* W = (S2 AND 15)*256 + ((S2 XOR S1) AND 15)*16 + ((S1 XOR S) AND 15)   *
*************************************************************************
You can read an explanation of how to write data to a protected PIC at the end of
this file!
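As an added example (not code from CrackPic or its author), this Python models the three passes for the 12-bit parallel programmed PICs described above (read S, write 0ff0h and read S1, write 0f00h and read S2) and the decode equation, checking that the algebra really returns the original word; the sample word is constructed.

```python
# Added example (not CrackPic's own code): model of the three-pass recovery for the
# 12-bit parallel-programmed PICs (S, S1, S2) and of the decode equation above.
# The sample words are constructed for illustration.

NIBBLE = 0xF

def scramble12(w):
    """A protected read returns the 4-bit value S = a XOR b XOR c,
    where a, b, c are the high, middle and low nibbles of the 12-bit word W."""
    a, b, c = (w >> 8) & NIBBLE, (w >> 4) & NIBBLE, w & NIBBLE
    return a ^ b ^ c

def program(stored, pattern):
    """EPROM programming can only clear bits (1 -> 0): writing `pattern` over a
    word that holds `stored` leaves stored AND pattern."""
    return stored & pattern

def decode12(s, s1, s2):
    """The equation from the text:
    W = (S2 AND 15)*256 + ((S2 XOR S1) AND 15)*16 + ((S1 XOR S) AND 15)."""
    return ((s2 & NIBBLE) << 8) | (((s2 ^ s1) & NIBBLE) << 4) | ((s1 ^ s) & NIBBLE)

def recover12(w):
    """Pass 1 reads S; pass 2 writes 0ff0h (c=0) and reads S1 = a XOR b;
    pass 3 writes 0f00h (b=c=0) and reads S2 = a. Returns the decoded word."""
    s = scramble12(w)
    stored = program(w, 0x0FF0)
    s1 = scramble12(stored)
    stored = program(stored, 0x0F00)
    s2 = scramble12(stored)
    return decode12(s, s1, s2)

if __name__ == "__main__":
    w = 0xA5C  # constructed 12-bit word
    print(f"W={w:03x}: S={scramble12(w):x} S1={scramble12(program(w, 0x0FF0)):x} "
          f"S2={scramble12(program(w, 0x0F00)):x} -> decoded {recover12(w):03x}")
```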
Theory of hacking 14-bit data serial programmed PICs:
---------------------------------------------------------------------------
16c61,16c62,16c64,16c65,16c71,16c73,16c74,16c84
***********************************************
PASS 1  Getting S
-----------------
Reading the code-protected part, the data will be scrambled by the equation:
s = a NXOR b                     1.)
where: a = upper 7 bits of the 14-bit word
       b = lower 7 bits of the 14-bit word
NXOR Table:
x y |z
------
0 0 |1
1 0 |0
0 1 |0
1 1 |1
PASS 2 Getting S1
-----------------
2. The program is stored in EPROM. When the EPROM is erased, all of its
bits are set to 1, which means that every word stored in it reads as 3fffh.
During EPROM programming it is ONLY possible to change a 1 into a 0, NOT
the other way around.
Combining 1. and 2. you can conclude that to unscramble a word it is enough
to erase its lower 7 bits (b=0), which gives:
for equation 1. with b=0
s1 = a NXOR 0 = NOT a
s1 = NOT a                          2.)
----------
Equation 1. can be written as
s = (NOT a) XOR b                   3.)
-----------------
Combining equations 2 and 3:
s = s1 XOR b
b = (s XOR s1) AND 127              4.)   (AND 127 keeps the lower 7 bits)
======================
a = (NOT s1) AND 127
====================
The original word is:
w = a*128 + b
********************************************************
* w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127)   *
********************************************************
-------------------------------------------------------------------------------
Theory of writing data to protected PICs
========================================================
In order to set a bit in EPROM from 0 to 1 you have to apply an appropriate
amount of energy to the gate of the FET in the memory cell.
There are (to my knowledge) three ways to do it:
1. Applying short-wavelength EM radiation, like UV light, X-rays, and similar.
To use UV light, you will have to access the die of the chip. You can gain
this access by corroding it with some highly corrosive acid.
With this method the memory cell is slowly and permanently erased!
2. Increasing the PIC power supply, but if you overdo it you can easily
destroy the chip. (Use no more than 10 - 20V, with a 50-100mA
HIGH SPEED LIMITED CURRENT !!!)
This method changes the memory cell state ONLY while the voltage
is increased, and the change takes effect almost instantly (because of
the difference between the memory cell structure and the structure of the
rest of the chip logic). When the voltage drops back to the normal level, the
memory cell states also return to their previous values.
IT IS IMPORTANT TO TAKE CARE OF THE SUPPLY DIFFERENCE BETWEEN
YOUR PROGRAMMER AND THE PIC!!! YOU HAVE TO CONSTRUCT LEVEL TRANSLATORS,
SO THAT YOUR PROGRAMMER WILL NOT BE DAMAGED !!!
3. Increasing the temperature of the chip (no more than 140 degrees
Celsius; at 155 to 200 degrees the substrate will change its structure
and will be permanently destroyed!)
Remarks for this method are the same as for the previous one
(increasing the PIC power supply),
but this method has less effect on the memory cell.
In my opinion this is the best way:
-----------------------------------
First we read the protected PIC and acquire "S" with a standard read.
To acquire "S1" ("S2"):
----------------------------------
First you should try the voltage change. In most cases it is quite
enough to set the protected bit in the PIC.
But be aware that during programming, applying a 10 - 15 V
power supply generates too large a current, which can destroy the chip, so
you will have to supply the chip with a current limited to 50 to 100 mA.
If this method gives no result, try this way:
The temperature should be constant, at about 110 Celsius.
Vdd = 6-9 V (limit 100mA)
Adjust the UV light power so that it takes about 10 minutes to erase the PIC.
(You can regulate this by simply changing the distance between the UV light
source and the chip.)
(The temperature remains 110 degrees Celsius.)
1 Expose for 20 - 30 sec
2 Interrupt the exposure and, with the programmer at Vdd=6-9 V and T=110 C,
check whether the PIC protection bit is set.
3 Repeat steps 1 and 2 until this bit is set.
4 Expose for another 5-10 sec
5 Stop the exposure (now it is possible to program the whole PIC)
6 With the programmer at a temperature of 110 degrees Celsius and
Vdd = 6-9 V, program the WHOLE PIC with 3f80h in every word.
7 Slowly cool the PIC down to -10 C to -20 C
8 Read the PIC at a temperature of -20 C and a voltage of 3-4 V;
unless you have gone too far with the erasure of the PIC,
all data will be intact (as before the erasure), even the protection
bit will be 0! BUT the lower 7 bits of every word will be 0,
and we have acquired "s1"!
A bigger voltage and temperature difference results in better
compensation of the non-linearity of single-bit erasure across the whole PIC.
Using this equation we can decode the whole PIC:
w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127)
==================================================
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
IMPORTANT!
I do not consider myself responsible for any kind of damage induced by using
or not using information from this file!!!
*******************************************************************************
If you are going to use my source (or some parts of it) or some of the
techniques I've described here in some project of yours, will you please
mention my name somewhere on it.
If you use the software and techniques I've described on PICs
other than the 16c71, or if you know another way to reset the 7th bit,
will you please email your experiences to me. Also email me any other PIC
reverse engineering technique that you may know.
mailto:-Remove-dejan~NOSPAM~ at net.yu
If you want me to publish your results on my site, I guarantee
that you'll stay anonymous if you wish so. Also, I will NOT publish anything
you send me if you don't allow me to!
-------------------------------------------------------------------------------
Dejan Kaljevic 1998.
start_crack_pic:
_printm 8,0,1eh,'Pass 1: Reading...'
;====================================== pass 1
call start_pic
mov edi,bafer_1
mov ecx,pic_size
__nex_vc: mov bl,4
call send_cmd
call read_data
shr bx,1
and bh,not 0c0h
mov [edi],bx
add edi,2
mov bl,6
call send_cmd
loop __nex_vc
call end_pic
;--------------------------------------
_printm 9,0,1eh,'Writing to file: DEX_PIC1.HEX'
mov esi,bafer_1
mov edi,bafer_6
mov ecx,pic_size
lea edx,file_1
call baf_2_hex ;save in HEX
_printm 10,0,1eh,'Pass 2: R&W...'
;====================================== ;pass 2
call start_pic
mov bl,2
call send_cmd ;Load data
mov bx,3f80h
call send_data
mov bl,8
call send_cmd ;Begin prog
mov edi,bafer_2
mov ecx,pic_size
;--------------------------------------
x__nex_vc: mov bl,4 ;Read data
call send_cmd
call read_data
shr bx,1
and bh,not 0c0h
mov [edi],bx
add edi,2
mov bl,6
call send_cmd ;Inc addr
loop x__nex_vc
call itime_h
call end_pic
;--------------------------------------
_printm 11,0,1eh,'Writing to file: DEX_PIC2.HEX'
mov esi,bafer_2
mov edi,bafer_6
mov ecx,pic_size
lea edx,file_2
call baf_2_hex ;Save in HEX
_printm 12,0,1eh,'Pass 3: Reading...'
;-------------------------------------- pass 3
call itime_h
call start_pic
mov edi,bafer_3
mov ecx,pic_size
xx__nex_vc: mov bl,4
call send_cmd
call read_data
shr bx,1
and bh,not 0c0h
mov [edi],bx
add edi,2
mov bl,6
call send_cmd
loop xx__nex_vc
call end_pic
_printm 13,0,1eh,'Writing to file: DEX_PIC3.HEX'
mov esi,bafer_3
mov edi,bafer_6
mov ecx,pic_size
lea edx,file_3
call baf_2_hex
;======================================
_printm 14,0,1eh,'Decoding...'
xor edx,edx
mov ecx,pic_size
mov esi,bafer_1
mov ebx,bafer_3
mov edi,bafer_4
mov ebp,bafer_5
zre1: mov ax,[ebx]
cmp dword ptr brojac_1,40h
jb nisu_isti
push eax
xor al,[esi]
and al,40h
pop eax
jz isti_su
nisu_isti: mov dx,ax
not ax
and ax,7fh
xor dx,[esi]
and dx,7fh
shl ax,7
or ax,dx
stosw
mov ax,-1
jmp izl1
isti_su: mov dx,ax
not ax
and ax,7fh
xor dx,[esi]
and dx,7fh
shl ax,7
or ax,dx
stosw
test ah,20h
jnz nula_b
or word ptr es:[edi-2],2040h
and ax,not 2040h
jmp izl1
nula_b: or byte ptr es:[edi-1],20h
and byte ptr es:[edi-2],not 40h
or al,40h
and ah,not 20h
izl1: mov word ptr es:[ebp],ax
add esi,2
add ebx,2
add ebp,2
inc dword ptr brojac_1
loop zre1
;--------------------------------------
_printm 15,0,1eh,'Writing to file: DEX_COD1.HEX'
mov esi,bafer_4
mov edi,bafer_6
mov ecx,pic_size
lea edx,file_4
call baf_2_hex
_printm 16,0,1eh,'Writing to file: DEX_COD2.HEX'
mov esi,bafer_5
mov edi,bafer_6
mov ecx,pic_size
lea edx,file_5
call baf_2_hex
;======================================
_printm 17,0,1eh,'Disassembling...'
mov ecx,pic_size
xor esi,esi
mov edi,bafer_6
lea ebx,info
call copy_string
dec edi
next_dis: mov eax,brojac
call ax_2_hex
mov eax,' :'
stosw
inc dword ptr brojac
mov ebx,bafer_1
mov ax,word ptr [esi+ebx]
call ax_2_hex
mov ax,' '
stosw
mov ebx,bafer_2
mov ax,word ptr [esi+ebx]
call ax_2_hex
mov ax,' '
stosw
mov ebx,bafer_3
mov ax,word ptr [esi+ebx]
call ax_2_hex
mov eax,' '
stosd
;stosw
mov ebx,bafer_4
mov ax,word ptr [esi+ebx]
call ax_2_hex
mov ax,' '
stosw
push ecx
push edi
push esi
lea esi,[esi+ebx]
call decode
pop esi
mov eax,edi
pop ecx
sub eax,ecx
mov ecx,25
sub ecx,eax
mov al,' '
rep stosb
mov ebx,bafer_5
mov ax,word ptr [esi+ebx]
cmp ax,-1
je ok_oo
call ax_2_hex
mov ax,' '
stosw
push esi
lea esi,[esi+ebx]
call decode
pop esi
ok_oo: mov ax,0a0dh
stosw
pop ecx
add esi,2
loop next_dis
;--------------------------------------
_printm 18,0,1eh,'Writing to file: DEX.LST'
lea edx,file_6
call createfile
mov bx,ax
mov ecx,edi
mov edx,bafer_6
sub ecx,edx
call writefile
call closefile
_printm 19,0,1eh,'Done!'
ret
ax_2_hex: push eax
push eax
mov al,ah
call hexax
xchg al,ah
stosw
pop eax
call hexax
xchg al,ah
stosw
pop eax
ret
;--------------------------------------
start_pic: mov dx,port_dx
call mclr_0
call itime
call clk_0
call data_0
call itime_h
call mclr_13
call itime_h
ret
;--------------------------------------
end_pic: call mclr_0
call itime_h
call clk_3
call data_3
call itime_h
ret
;--------------------------------------
read_data: push ecx
call itime
mov ecx,16
_nex_cmds: call clk_1
call itime
call clk_0
inc dx
in al,dx
dec dx
shr al,7
rcr bx,1
call itime
loop _nex_cmds
call data_3
call itime
pop ecx
ret
;--------------------------------------
send_data: shl bx,1
and bh,not 80h
send_data_16: push ecx
call itime
mov ecx,16
jmp nex_cmds
;--------------------------------------
send_cmd: push ecx
call clk_0
call data_0
call itime
mov ecx,6
nex_cmds: shr bx,1
jc cm_o
call data_0
jmp cm_oo
cm_o: call data_1
cm_oo:
call clk_1
call itime
call clk_0
call itime
loop nex_cmds
call data_3
call itime
pop ecx
ret
;---------------------------------------
clk_0: and byte ptr port_x,0ddh
mov al,byte ptr port_x
out dx,al
ret
clk_1: and byte ptr port_x,0ddh
or byte ptr port_x,2
mov al,byte ptr port_x
out dx,al
ret
clk_3: or byte ptr port_x,22h
mov al,byte ptr port_x
out dx,al
ret
;---------------------------------------
data_0: and byte ptr port_x,0fah
mov al,byte ptr port_x
out dx,al
ret
data_1: and byte ptr port_x,0fah
or byte ptr port_x,1
mov al,byte ptr port_x
out dx,al
ret
data_3: or byte ptr port_x,5h
mov al,byte ptr port_x
out dx,al
ret
;---------------------------------------
mclr_5: and byte ptr port_x,0e7h
mov al,byte ptr port_x
out dx,al
ret
mclr_0: and byte ptr port_x,0e7h
or byte ptr port_x,10h
mov al,byte ptr port_x
out dx,al
ret
mclr_13: and byte ptr port_x,0e7h
or byte ptr port_x,8h
mov al,byte ptr port_x
out dx,al
ret
;---------------------------------------
;--------------------------------------
itime: push ecx
mov ecx,400
loop $
pop ecx
ret
;--------------------------------------
itime_h: push ecx
mov ecx,100
n_it: call itime
loop n_it
pop ecx
ret
;--------------------------------------