Cracking / Guarding PICs

It's almost always harder to break copy protection on a PIC (and/or more expensive) than just hiring a programmer to duplicate the function of the original...

...and then it's legal. <GRIN>

SxPilot450 wrote:

The problem with PIC microcontrollers is their configuration fuses are too easily spottable. On the newest devices you can delayer the chips and spot them right away. New or old PICs are not very secure.

Andrew Warren [fastfwd at ix.netcom.com] of Fast Forward Engineering - San Diego, California

In the older PICs, the copy-protect bit was erasable, which allowed unscrupulous people to defeat the code-protection. The newer PICs shield the code-protection memory cells from UV in order to prevent that.

Windowed and non-windowed PICs contain the same silicon, so Microchip can't make "development" versions of the PICs that don't contain that copy-protection feature.

Wagner Lipnharski says:

If you consider the fact that any "field programmable unit" (eprom, eeprom and flash) has a kind of "volatile" protection bits, while the ROM type has fuses (that are not reversible), then all e2prom, eprom and flash devices can be considered "more vulnerable" to piracy.

There is one way, very hard to hack, but it costs. We can produce for you a tiny board over ceramic, glass or even FR4, using your circuit with chips in die form. The final encapsulation is in metal; it turns out to be a large chip, 1x1 inch or bigger. All a hacker hates is a customized proprietary chip. In this large substrate we can also accommodate SMT resistors, capacitors and gates in general. Today almost all manufacturers can supply their chips in die form. If you are interested in a small large production <g> email me.

You have to pay about US$2000 to Microchip for MASK production and buy 10000 pieces in a year to get ROM production.

Craig Lee [clee@ATTCANADA.NET] says:

I have found a cracking procedure for the following chips:
16c54,16c55,16c56,16c57,16c58,16c61,16c62,16c64,16c65,16c71,16c73,
16c74,16c84

The procedure supposedly gives you some bits of the instruction word and you are left to select one of two possible instructions by context. Also, the procedures seem to be generic and should work on all 12-bit and 14-bit chips.

The [older versions of the] PIC chip (PIC16C84) can in fact have its program and data memory read after the config fuses have been set to code protection on. Try the following:

and hey presto, data in unprotected format should now be available.
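A defender-side check that follows from the posts above, added here as an example (it is not code from this page or from any of the quoted authors): before a PIC image is programmed for shipment, parse the Intel HEX file and confirm that the configuration word actually has the code-protect bit asserted, so a build that was accidentally left unprotected is caught at release time rather than by a customer. The configuration word address (program word 0x2007, stored at byte address 0x400E in the hex file, little-endian) and the CP bit position and polarity (bit 4, reads 1 when protection is off) are assumptions taken from the PIC16C84/16F84 convention; the two sample images are constructed for this example, and you should verify the addresses and bit layout against the datasheet for your own device.

```python
"""Release check: does a PIC hex image have code protection asserted?

Example code added to this page, not from the quoted authors. Address and
bit-layout constants are ASSUMPTIONS for the PIC16C84/16F84 family; check
them against the datasheet for the device you actually program.
"""

CONFIG_WORD_ADDR = 0x2007               # assumed: program-space word address
CONFIG_BYTE_ADDR = CONFIG_WORD_ADDR * 2 # hex files store 14-bit words as 2 bytes
CP_MASK = 0x0010                        # assumed: bit 4 = CP, 1 = protection OFF


def parse_intel_hex(text):
    """Return {byte_address: byte} from Intel HEX text.

    Handles record types 00 (data), 01 (end of file) and 04 (extended
    linear address) and verifies every record's checksum.
    """
    mem = {}
    upper = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError("bad record: %r" % line)
        data = bytes.fromhex(line[1:])
        if sum(data) & 0xFF != 0:           # checksum byte makes the sum 0 mod 256
            raise ValueError("checksum mismatch: %r" % line)
        count, addr, rtype = data[0], (data[1] << 8) | data[2], data[3]
        payload = data[4:4 + count]
        if rtype == 0x00:
            for i, b in enumerate(payload):
                mem[upper + addr + i] = b
        elif rtype == 0x01:
            break
        elif rtype == 0x04:
            upper = ((payload[0] << 8) | payload[1]) << 16
        else:
            raise ValueError("unsupported record type %02X" % rtype)
    return mem


def config_word(mem):
    """Return the 16-bit configuration word, or None if the image lacks one."""
    lo = mem.get(CONFIG_BYTE_ADDR)
    hi = mem.get(CONFIG_BYTE_ADDR + 1)
    if lo is None or hi is None:
        return None
    return (hi << 8) | lo


def code_protect_on(mem):
    """True only when the image explicitly asserts code protection.

    A missing config word counts as unprotected: the programmer would fall
    back to its default, and the default is not what we want to ship.
    """
    cw = config_word(mem)
    if cw is None:
        return False
    return (cw & CP_MASK) == 0


# Constructed sample images: a GOTO 0 at address 0, then the config word.
UNPROTECTED_HEX = """
:020000000028D6
:02400E00F13F80
:00000001FF
"""

PROTECTED_HEX = """
:020000000028D6
:02400E00E13F90
:00000001FF
"""

if __name__ == "__main__":
    for name, text in (("unprotected", UNPROTECTED_HEX), ("protected", PROTECTED_HEX)):
        mem = parse_intel_hex(text)
        cw = config_word(mem)
        print("%-11s config=0x%04X code protect %s"
              % (name, cw, "ON" if code_protect_on(mem) else "OFF"))
```

Wire `code_protect_on` into the build so the release step fails when it returns False; the checksum check in the parser also catches a corrupted image before it reaches the programmer.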

Lance Allen says:

There is another possibility here for security besides code protection alone. I have seen some manufacturers disguise what the chip actually is, either by sanding off the lettering or painting it, encapsulating in epoxy etc.

Tony Nixon says:

Maybe bend all the pins of the chip the other way around and solder the chip upside down. You can do this once without the leads breaking. The pinout may be confusing as well.

As for the epoxy approach, make sure you use stuff that doesn't shrink or set rock hard. Otherwise you run the risk of overstressing and/or cracking components.

The Old Crow says:

I've had success by "blowing" the data pin out on PICs. Example: a 12C508. Ground every pin but pin 7, then put 10VDC on pin 7 for a second. Bond wire fried. You lose the use of pin 7 forever, but as it is the data I/O pin for programming, it considerably hampers reading the ROM, save for those who can desurface the chip package and probe the die.

Not strictly recommended for commercial apps, but I've never lost a PIC to this procedure yet.

Napoleon Bonaparte says:

"Never ascribe to malice that which is adequately explained by incompetence"

Sherlock Holmes

"What one man can invent, another man can discover."
