Not exactly sure whether you mean use the password once and it's unlocked till locked again, or each write, or each 2 second time you can write. But regardless of which, it will be likely to suffer a major fault.

Throw a code at it, any code. Wait time X after the code. Change supply voltage to Y. Vary time X and voltage Y till you hit on the right conditions to make the processor screw up and think the code was valid when it wasn't. May take extra variables like strange voltages on I/O pins etc. to get it to work. May still only get you in one time in a thousand, but reduces the time to get in from years to hours or days. And once one person finds it, everyone else finds out fast.

Even if it's done as an 'only internal' thing where only internal code can see the other locations properly, it still greatly increases the chances of finding a way in. Monitor the chip's power consumption, wait till it's programming a location (so has done a right code) and see if you can slam it into normal programming mode with code protect off.

Hard enough just to make the simple code protection truly secure, much more so to make something designed to let you in on one condition bullet proof to all other planned and unplanned events.

Wasn't it the 8751 (4k internal EPROM 8051, very similar to a slow PIC) that had some way to get your own little snippet of code into the chip and then spill its guts, even though code protected? I think I remember seeing programs to do that somewhere. Even just being able to read other locations lowers security tremendously, because then if you do find a way to get some code in, all security is gone instantly. Just keep browning out the chip till you get the PC into your code loop to send a header and then all the internal code out the serial port etc. I imagine this is why they chose to have code protection work inside as well as outside.

Alan

Tony Nixon wrote:
>
> Just some musings....
>
> I was trying to figure out why Microchip didn't allow you to have code
> protection when rewriting the flash ROM, as with the now fashionable
> Boot Loaders.
>
> Obviously it can't be done unless there is a way to temporarily unlock
> the code protection, and in that case everyone is capable of doing it,
> thus rendering the scheme useless.
>
> There is an oscillator available that has a 2 second timeout (WDT). If
> there was a 32 bit register somewhere on the chip which enables password
> access to the ROM, and is only usable once each time the 2 second timer
> resets, then it would take anywhere from seconds, (a fluke), to 272
> years to crack the code.
>
> That shouldn't be too hard for the chip gurus to implement.
>
> Actually, one of these gurus had a look at my software and thought it
> was amazing. What I thought was amazing is that this person said he
> could design just about any digital chip you like, but would have no
> idea or interest in how to use it when finished.
>
> --
> Best regards
>
> Tony
>
> http://www.picnpoke.com
> mailto:sales@picnpoke.com
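The two halves of this exchange, Tony's "one guess per 2 second WDT window" arithmetic and Alan's point that a fault can make the processor "think the code was valid when it wasn't", can both be modelled in a few lines. The block below is an added illustration written for this page; it is not code from either poster, from Microchip, or from any PIC. The 32-bit key, the 2 second window, the marker bytes 0x5A/0xA5 and the single-bit-flip fault model are all assumptions chosen for the example. It reproduces the 272-year worst case, then counts how many single-bit faults on the stored lock state turn a wrong guess into an unlock for a naive boolean versus a redundant, widely-spaced encoding (the kind of defence the thread says is hard to get right).

```python
"""Added example for the PICList thread above (not the posters' code).

Models: (1) the brute-force time for a 32-bit password limited to one
attempt per watchdog window, and (2) how a single glitched bit in the
stored lock state affects a naive versus a hardened accept/reject check.
Every constant here is an assumption made for illustration.
"""

KEY_BITS = 32            # assumed: Tony's "32 bit register"
RETRY_SECONDS = 2.0      # assumed: Tony's "2 second timeout (WDT)"
SECONDS_PER_YEAR = 365.25 * 86400

# Assumed lock-state markers, 8 bits apart in Hamming distance, so no
# single bit flip can turn one into the other.
LOCKED, UNLOCKED = 0x5A, 0xA5


def exhaustive_search_years(key_bits=KEY_BITS, retry_seconds=RETRY_SECONDS):
    """Worst-case and expected years to walk the keyspace at one guess per
    window. With the defaults the worst case is the thread's ~272 years."""
    worst = (2 ** key_bits) * retry_seconds / SECONDS_PER_YEAR
    return worst, worst / 2


def naive_check(guess, secret):
    """Naive design: the decision is one boolean, 0 = locked, 1 = unlocked."""
    return 1 if guess == secret else 0


def naive_is_open(state):
    # The usual C idiom `if (unlocked)`: any non-zero value opens the gate.
    return state != 0


def hardened_check(guess, secret):
    """Hardened design: compare twice (a fault must hit both) and store a
    full marker byte instead of a single truth bit."""
    first = guess == secret
    second = guess == secret
    return UNLOCKED if (first and second) else LOCKED


def hardened_is_open(state):
    # Only the exact UNLOCKED pattern opens; a corrupted marker stays closed.
    return state == UNLOCKED


def single_bit_flips(byte):
    """All eight one-bit corruptions of a stored byte (the assumed fault model)."""
    return [byte ^ (1 << i) for i in range(8)]


def count_glitch_openings(check, is_open, guess, secret):
    """How many single-bit faults on the state byte turn a WRONG guess into
    an unlock. Returns 8 for the naive design, 0 for the hardened one."""
    state = check(guess, secret)
    return sum(1 for s in single_bit_flips(state) if is_open(s))


class Gate:
    """Tony's proposal: the password register is usable once per window."""

    def __init__(self, secret, window=RETRY_SECONDS):
        self.secret, self.window = secret, window
        self.last_attempt = None
        self.state = LOCKED

    def try_unlock(self, guess, now):
        """Return True only if the window has elapsed AND the guess matches."""
        if self.last_attempt is not None and now - self.last_attempt < self.window:
            return False          # attempt inside the window is ignored
        self.last_attempt = now
        self.state = hardened_check(guess, self.secret)
        return hardened_is_open(self.state)


if __name__ == "__main__":
    worst, expected = exhaustive_search_years()
    print(f"worst case {worst:.1f} years, expected {expected:.1f} years")
    wrong, secret = 0x12345678, 0xDEADBEEF   # constructed sample values
    print("naive: faults that open on a wrong guess =",
          count_glitch_openings(naive_check, naive_is_open, wrong, secret))
    print("hardened: faults that open on a wrong guess =",
          count_glitch_openings(hardened_check, hardened_is_open, wrong, secret))
```

The 272-year figure only holds if every attempt really costs a full window and the accept path cannot be reached any other way; the second half of the block shows that a design where "unlocked" is any non-zero byte hands over eight such paths, while storing a specific marker and checking for it exactly removes all of them under this single-bit model (wider fault models need wider defences).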