Question 12C508 PIC Chips


kiwi_pete
Jul 20, 2005, 07:34 AM
Hi all, just wondering if there is a way of reading or hacking into protected PIC chips (12C508) to read the code?

There probably isn't but I thought I'd ask anyway.

Bruce Abbott
Jul 20, 2005, 10:00 AM
Now why would you want to do that? ;)

Even with code protection on, the first 64 words and the last word in a 12C508 are still readable. So 'hacking' that part is pretty easy :). Disassemble this code to get an idea of what the chip does.

Gaining access to the rest of the code is a lot trickier. You can re-program the first 64 words, but only from '1's to '0's. Even if you could put a useful routine in there, it still can't read the program memory. All you can do is try CALLing different locations, and see what happens. This might give some idea of what's in there, but won't enable you to accurately reconstruct the code.

The next step is to try removing the protection bit. It may be possible to do this by applying a voltage spike just large enough to disable the protection, but without destroying the chip (IIRC this technique was used to hack into the 16C84). You would probably need a good supply of chips, since the chances of catastrophic failure are high :(.

OK, so presume that didn't work (or you can't afford to fry the chip) so now it's time to get serious. Find a solvent that dissolves away the plastic case, but leaves the bare chip unharmed. Use a microscope to identify the area on the chip that contains the configuration cells, then irradiate it with UV light (being careful to avoid the main program memory). This should reset the protection bit.

In newer PICs this trick may not work, as the configuration cells are shielded from UV (guess why?). Sooo... simply attach probes to various points on the chip, and apply appropriate voltages to read out the state of charge in each EPROM cell!

In the end, you could be looking at a lot of work to recover a mere 447 program words. It might be quicker to simply write your own code to do the same job. Of course there may be cases where this is not possible, e.g. where the chip contains a secret encryption routine :eek:.

jfitter
Jul 20, 2005, 12:15 PM
I had some 12c508 chips examined by Microchip a few years ago. They were performing a root cause analysis on a series of failures linked to a batch of faulty silicon. The code protection bit was set. Microchip's solution was to strip the epoxy with nitric acid and then microprobe the chip to read the code (to compare it to the code file that I supplied).

This is a complicated procedure requiring some very specialized equipment and detailed knowledge of the internal architecture of the chip, which only the designer can know.

I'm sure Microchip would have used a simpler method if one existed.

Malc C
Jul 20, 2005, 04:59 PM
Now why would you want to do that? ;)

He probably wants to copy the code for an FMS interface - LOL :D :D

kiwi_pete
Jul 20, 2005, 05:05 PM
Thanks guys, it is as I thought, near to impossible for me.

I will just have to resort to learning to program the chips myself :confused: and try to mimic the results of this one that is protected. :eek:

thanhTran
Jul 20, 2005, 05:16 PM
...
OK, so presume that didn't work (or you can't afford to fry the chip) so now it's time to get serious. Find a solvent that dissolves away the plastic case, but leaves the bare chip unharmed. Use a microscope to identify the area on the chip that contains the configuration cells, then irradiate it with UV light (being careful to avoid the main program memory). This should reset the protection bit.

In newer PICs this trick may not work, as the configuration cells are shielded from UV (guess why?). Sooo... simply attach probes to various points on the chip, and apply appropriate voltages to read out the state of charge in each EPROM cell!
...


Wow, I never knew & thought of something like that. I've always thought the silicon parts are very sensitive and not touchable unless it's done by machine.

What kind of solvent could dissolve the plastic case? I'm interested in how it looks without the case :)


Thanh

Malc C
Jul 20, 2005, 05:17 PM
So what does the one you have do? You may find that someone has already written some code that does a similar thing?

Bruce Abbott
Jul 20, 2005, 08:09 PM
Copy Protection in Modern Microcontrollers (and how to break it) www.break-ic.com (http://www.break-ic.com/topics/break-ic.asp)

jfitter
Jul 20, 2005, 08:36 PM
thanh ... hot nitric acid. It takes a long time and must be done carefully using a special machine for the job. Gets rid of the epoxy but will not have any effect on the silicon.
bruce... embedded controller manufacturers' reputations are founded on the security of their copy protection. It's all a question of the return for effort. If you want to crack the code for an intelligent toaster, then be my guest. You will need a couple of mil of equipment and some inside knowledge and all you get is another intelligent toaster exactly the same as the one you copied!!!
On the other hand, if the device is a security key for a satellite tv decoder, the return may be worth the effort. The chip manufacturers aren't idiots - they know this too and they are not in the business of making it easy for pirates.

thanhTran
Jul 21, 2005, 10:16 PM
Thanks jFitter. I would stay away from acid now ;)
Wow, the doc Bruce provided reveals so many secrets behind the techniques. I read it and imagined if a Hollywood story writer read it and used it to make some movies about some smart guys hacking something ;)

thanh

zagisrule!
Jul 24, 2005, 12:05 AM
Wow...that is almost scary what is being done to steal software.

I guess it would be ridiculous to ask why people can't write their own code??

-Matt

Malc C
Jul 24, 2005, 05:18 AM
Matt,

I don't think people will go to all that trouble for something such as an FMS interface or something like that. But where it's something like an ECU for a car, or an assembly-line robot etc., then hacking a competitor's chip is often cheaper and quicker than employing a team of software engineers to write the millions of lines of code.

jfitter
Jul 24, 2005, 11:48 AM
Millions of lines of code - that's a bit of a stretch!!!

This whole issue must be viewed in the correct context. After you have gone to all of the trouble and expense of ripping off your competitor's code, what you now have is a very large quantity of NUMBERS. They mean NOTHING AT ALL to humans.

You have two options. The first is to make the competing product and use the code just as it is without changes and without even understanding it. This approach is full of hidden dangers because just having the code is not necessarily enough - what programming options were used on the chip, secret hardware gotchas, etc. Even IF you are successful, then what do you get - a market share. You don't have a new or improved product - you just have another copy of a product that currently has a market - so you just divide the pie into one extra piece. The original designer still has the upper hand - he can improve the product and trump you - if he is smart, the improved version is ready for production waiting for just such an eventuality!!!

The second option is to disassemble the code so you can figure out what it does (lots and lots of work - believe me!!). You can then make changes and improvements to it. This is by far the best method. All you need to do this is the same complete set of skills as the original designer. Why not design a better one from scratch - it's quicker.

Malc C
Jul 24, 2005, 07:13 PM
Millions of lines of code - that's a bit of a stretch!!!

Ok then.. probably a few thousand :rolleyes:

kiwi_pete
Jul 25, 2005, 06:39 AM
I guess it would be ridiculous to ask why people can't write their own code??

-Matt

If I knew how to write the code for a 12C508/9 chip, I would do so, but alas I don't know the first thing about writing the code.

slipstick
Jul 25, 2005, 06:53 AM
If I knew how to write the code for a 12C508/9 chip, I would do so, but alas I don't know the first thing about writing the code.
There's this idea called "Learning". I know you understand it because you're here trying to learn how to steal the code out of a protected PIC. Instead you could learn how to write your own program. From the sound of it doing that could even be easier than digging into the protected chip ;).

And there are plenty of people here willing to help you learn the programming :).

Steve

Acetronics
Jul 25, 2005, 07:23 AM
Hi pete

:p as you deal with 12C508 ... one sure thing is: it does not do lots of things !!!

SO... learning a bit about, e.g., PBP (PicBasic from Melabs...) could lead you in a short period to write your own equivalent program, to burn onto a compatible 8-pin PIC!!!

BUT... if you had told us what your precious chip does, maybe a free similar program could have been found on the web, courtesy of fair hobbyist PIC programmers...
It's really incredible, all that can be found on the Web ...

But, if it was a CIA Secret Program ... I could understand we do not have to know !!!

Alain

FenceMagnet
Jul 25, 2005, 07:48 AM
"If I knew how to write the code for a 12C508/9 chip, I would do so, but alas I don't know the first thing about writing the code."

In that case, you know even LESS about what is needed to USE the cracked code, as mentioned above.... :D

jfitter
Jul 25, 2005, 08:52 AM
I wish I knew how to get rich, but alas I do not.
I do, however, know a great deal about programming embedded controllers.
You don't steal my code, and I don't steal your money.
I guess we all just have our place in this world!!!

vintage1
Jul 25, 2005, 10:01 AM
Even in the days when we blew readable EPROMs, it was practice to add in odd bits of garbage, and watchdog codes in between bits of valid code to confuse disassemblers.

Trying to unPICk a PIC :D :D sounds like a definite waste of time to me.

KatanaGuy
Jul 26, 2005, 07:59 PM
A quick deviation from the subject of hacking PICs:

Recently, I've decided to do the PICNAV Project on RC-CAM's website. The problem is that his project uses a 508, and I only have a few 509s laying around. I can't find anything on his site that describes the compatibility between the 508 and its big brother 509. Can I just burn the 509 with the 508 code? I assume that the only difference is that the 509 has double the memory, am I correct?

Thanks,

Steve

Mr.RC-CAM
Jul 26, 2005, 08:20 PM
Can I just burn the 509 with the 508 code?

In the NavLight project's text is this helpful hint:
"The chosen microcontroller is from the vast offerings of Microchip Technology. Actually, your exact PIC choices have some flexibility. You can use a PIC12C508, PIC12C508A, PIC12C509, and PIC12C509A."

So, yes you can do that, as long as your programmer is set for a '509 (or 509A, if that is what you will be using).

RC-CAM

kiwi_pete
Jul 27, 2005, 06:17 AM
"If I knew how to write the code for a 12C508/9 chip, I would do so, but alas I don't know the first thing about writing the code."

In that case, you know even LESS about what is needed to USE the cracked code, as mentioned above.... :D

Yes I do know how to write the code to a chip as far as burning them with the appropriate code, so I do know a little more than you suggest.

The code I was referring to was for a LMA similar to the one MR RC Cam has produced, except this particular one in question is no longer produced. It also uses a piezo, but not an internal oscillating one, and these particular ones are so much louder than the internal oscillating ones.
Phew this is gonna get long winded.
The reason I was looking at hacking/stealing the code was for the fact that the sound output onto this piezo is similar to a phone ringing, i.e. the pitch raises and lowers. This in my mind is an easier sound to hear than a std monotone type sound, esp. when you struggle to find a lost model with the wind blowing etc.

I will do some research into picbasic as this has been suggested to me for a starter, and see what I can come up with.

Thanks for all the constructive criticism.

Malc C
Jul 27, 2005, 07:09 AM
Reading the post it would seem that you have the HEX code for this LMA that you want to build, if so then some of the burning applications such as winpic or ICprog have the option to display the HEX as ASY code. However what you don't get is all the comments as to what is going on in the program so you need to have a very good understanding of PIC assembly code to follow it through.

I've not checked RC-CAM's website recently, but I know that some projects have the source code provided, so it would be a matter of trying to modify the code to make the buzzer sound the way you want it.

Acetronics
Jul 27, 2005, 07:48 AM
Hi, pete

I'm a bit confused by so much noise (a mouse born from an elephant, could we say).
Writing an LMA program needs so little time... and PBP lets you program every tune you want...

Cavalry arriving, i.e.

Little note: from the hex code, MPLAB lets you read the assembler lines... some quick investigations will lead you to the buzzer section.
A little added GOTO - GOTO to jump around this section will lead you to your Wagnerian tunes...

a 12C509 will allow you enough room for all that ...

as you do know how to write code ... it's no problem.

Alain

kiwi_pete
Jul 28, 2005, 06:35 AM
Hi, pete

I'm a bit confused by so much noise (a mouse born from an elephant, could we say).
Writing an LMA program needs so little time... and PBP lets you program every tune you want...

Cavalry arriving, i.e.

Little note: from the hex code, MPLAB lets you read the assembler lines... some quick investigations will lead you to the buzzer section.
A little added GOTO - GOTO to jump around this section will lead you to your Wagnerian tunes...

a 12C509 will allow you enough room for all that ...

as you do know how to write code ... it's no problem.

Alain

Thanks for the info, the chip in question for this particular LMA is a 12C508 and the buzzer is connected across several pins, one pair on one side and either 2 or 3 on the other, can't remember at the moment which ones as it is out in the workshop.
I have been told by someone else that this chip is not protected, but my programmer would not read all the code from it. Maybe I should try again.

I use a Dontronics K150 unit for the hardware and MicroPro for the software with it.

The sounds are something like this: beep beep beep, whirr (going up in tone a little), beep beep beep (higher tone than the first 3 beeps), then reverses the process (the whirr going down in tone) and back to the original sounding beeps, and then starts all over again. Does this make some sort of sense?

Acetronics
Jul 28, 2005, 08:10 AM
Pete,

I just went to Mr Cam's site ...

this : http://www.rc-cam.com/lma.htm seems to be the best starting point.

But, I hope you do not want to sell your gadget ... will you ???

I go to siesta now...

Bye

Alain

AndyKunz
Jul 28, 2005, 02:25 PM
Pete,

It sounds like he's driving the piezo element directly. A piezo has a center frequency that it really works well at, but you can deviate from it somewhat if you drive it differently.

Take a picture of the output with an oscilloscope. You'll see exactly what I mean. It really only takes 2 leads to do it. You drive one high, the other low. Then you swap high and low. This causes a 10V change (pretty loud) across it, causing physical distortion. Then you swap it back again. The time between the swaps will give you the tone - just vary the time to change the pitch.

Andy
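Andy's two-pin antiphase drive, and the beep / whirr-up / beep / whirr-down pattern Pete describes a few posts earlier, as an added example that is not code from this thread or from any of the projects linked in it. It models the pin swaps in plain C so the relationship between swap interval and pitch can be checked off-chip before any firmware is written; the 1 µs instruction cycle, the GP0/GP1 pin names, the 2 kHz and 3 kHz tones and all step timings are assumptions of this example, not values from the thread.

```c
/* Added example: simulate driving a piezo from two PIC pins in antiphase.
 * Assumptions (not from the thread): 1 us instruction cycle, pins called
 * GP0/GP1, a 2 kHz "low" beep, a 3 kHz "high" beep, and the step timings. */
#include <stdint.h>
#include <stdio.h>

#define TICK_US      1u                 /* assumed instruction cycle, microseconds */
#define TICKS_PER_MS (1000u / TICK_US)
#define SWEEP_STEPS  10
#define LOW_HZ       2000u
#define HIGH_HZ      3000u
#define SCHEDULE_MAX 64

typedef struct { uint32_t freq_hz; uint32_t duration_ms; } tone_step_t;  /* 0 Hz = silence */
typedef struct { int gp0; int gp1; uint32_t swaps; } piezo_t;             /* pins always opposite */

/* Ticks between swaps for a wanted frequency: one swap per half cycle.
 * This is the "time between the swaps" that sets the pitch. */
static uint32_t half_period_ticks(uint32_t freq_hz) {
    if (freq_hz == 0) return 0;
    return (1000000u / TICK_US) / (2u * freq_hz);
}

/* One drives high, the other low; swapping them reverses the voltage across the element. */
static void swap_pins(piezo_t *p) {
    int t = p->gp0; p->gp0 = p->gp1; p->gp1 = t;
    p->swaps++;
}

/* Run one step tick by tick; returns the number of swaps performed. */
static uint32_t play_step(piezo_t *p, const tone_step_t *s) {
    uint32_t hp = half_period_ticks(s->freq_hz);
    uint32_t total = s->duration_ms * TICKS_PER_MS;
    uint32_t before = p->swaps;
    if (hp == 0) return 0;                              /* silence: pins left as they are */
    for (uint32_t elapsed = 0, since = 0; elapsed < total; elapsed++) {
        if (++since == hp) { swap_pins(p); since = 0; }
    }
    return p->swaps - before;
}

/* Frequency actually produced, recovered from the swap count (two swaps per cycle). */
static uint32_t measured_hz(uint32_t swaps, uint32_t duration_ms) {
    return swaps * 1000u / (2u * duration_ms);
}

/* Three beeps with gaps at the given pitch. */
static size_t add_beeps(tone_step_t *out, size_t n, uint32_t hz) {
    for (int i = 0; i < 3; i++) {
        out[n++] = (tone_step_t){hz, 100};
        out[n++] = (tone_step_t){0, 50};
    }
    return n;
}

/* Linear pitch sweep ("whirr"), usable in either direction. */
static size_t add_sweep(tone_step_t *out, size_t n, uint32_t from, uint32_t to) {
    for (int i = 0; i < SWEEP_STEPS; i++) {
        int32_t hz = (int32_t)from + ((int32_t)to - (int32_t)from) * i / (SWEEP_STEPS - 1);
        out[n++] = (tone_step_t){(uint32_t)hz, 30};
    }
    return n;
}

/* beep x3, sweep up, beep x3 (higher), sweep down: the pattern described in the thread. */
static size_t build_schedule(tone_step_t *out) {
    size_t n = 0;
    n = add_beeps(out, n, LOW_HZ);
    n = add_sweep(out, n, LOW_HZ, HIGH_HZ);
    n = add_beeps(out, n, HIGH_HZ);
    n = add_sweep(out, n, HIGH_HZ, LOW_HZ);
    return n;
}

int main(void) {
    tone_step_t sched[SCHEDULE_MAX];
    size_t n = build_schedule(sched);
    piezo_t p = {1, 0, 0};
    for (size_t i = 0; i < n; i++) {
        uint32_t swaps = play_step(&p, &sched[i]);
        printf("step %2zu: want %4u Hz  swap every %4u ticks  got %4u Hz\n",
               i, sched[i].freq_hz, half_period_ticks(sched[i].freq_hz),
               measured_hz(swaps, sched[i].duration_ms));
    }
    return 0;
}
```

The same loop structure carries over to firmware: the only part that changes is that `swap_pins` writes the real port bits and the tick loop becomes a delay of `half_period_ticks` instruction cycles. Any integer truncation in `half_period_ticks` shows up as a difference between the wanted and measured columns, which is the check worth doing before burning a one-time-programmable 12C508.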

kiwi_pete
Jul 29, 2005, 09:42 PM
Hi all, I just thought I'd post a pic of the schematic of the LMA in question.
The buzzer is a QMB 111P and does not have an internal oscillator. This alarm screams in comparison to others that have been developed like MR RC Cam's one.

http://homepages.paradise.net.nz/kiwipete/33380800.png

This has been asked before, but my memory sucks; what is one of the better FREE :D software packages I should look at in an attempt to learn how to write code for these 12C508 PIC chips?

SlopeKing
Jul 29, 2005, 09:51 PM
The only free ones are for ASM... which is a pain to learn, and the syntax is all blurry compared to other langs

Bruce Abbott
Jul 30, 2005, 05:41 AM
MPLAB IDE v7.20 (http://www.microchip.com/stellent/idcplg?IdcService=SS_GET_PAGE&nodeId=1406&dDocName=en019469&part=SW007002)

Acetronics
Jul 30, 2005, 06:01 AM
:rolleyes: Hi,

a little look for a (cheap...) BASIC compiler here???

http://www.digimok.com/basicpicpro/setupdemo.exe

Alain

AndyKunz
Aug 01, 2005, 07:20 AM
You can download a free C compiler from www.htsoft.com.

I have used their PICC since before it was released and have been VERY happy.

Andy

KatanaGuy
Aug 03, 2005, 08:23 PM
In response to post #22:
Thanks RC-CAM. I'll go ahead and try building your project.

Current Discussion:

I've tried MikroC with some success. I got a LED to blink, but got stuck with anything beyond that. The website is www.mikroelektronika.co.yu/english/product/compilers/mikroc

Thanks and good luck

Steve

westfw
Aug 04, 2005, 02:25 AM
A number of the "commercial" PIC C compilers have "limited" versions available for free. Usually the limitations aren't much of a problem for the typical hobbyist application. I've used cc5x with some success:
http://www.bknd.com/cc5x/index.shtml

People just coming on the scene might want to skip the 12C50x chips in favor of the new 12F50x chips. They have the same architecture but are flash based (which means you can erase and reprogram them many times, which is very handy for beginners.) On top of that, they're actually cheaper than the 12C parts (MUCH cheaper than the UV erasable 12C parts!)

BillW