Crack Pic ====================== by Dejan Kaljevic 1998. mailto:dejan@net.yu web: http://www.net.yu/~dejan In this file you will find out more about the theory on which my CrackPic software is based. Theory on which CrackPic is based *************************************** 1. Some of the PIC models allow scrambled data reading when they are protected, according to the formula: s = a NXOR b 1.) where: a = higher 7 bits from 14-bit word b = lower 7 bits from 14-bit word NXOR Table: x y |z ------ 0 0 |1 1 0 |0 0 1 |0 1 1 |1 2. Program is stored into EPROM. When this EPROM is erased, he has all of its bits set to 1, which means that value of all words stored into it is 3fffh. During the EPROM programming it is ONLY possible to change 1 into 0, AND NOT the other way around. Combining 1. and 2. You can conclude that to unscramble the word it is enough to erase lower 7 bits (b=0), which makes: for equation 1. if b=0 s1 = a NXOR 0 = NOT a s1 = NOT a 2.) ---------- equation 1. can be written as s = (NOT a) XOR b 3.) ----------------- Combining equations 2 and 3 s = s1 XOR b b = (s XOR s1) AND 127 4.) (AND 127 extracts 7th bit) ====================== a = (NOT s1) AND 127 ==================== The original word is: w = a*128 + b ******************************************************** * w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127) * ******************************************************** -------------------------------------------------------------------- "s" is obtained by simple reading the PIC. Obtaining "s1" is a problem. Some PIC`s (16c71,61,.) allow writing into first 64 words, so it is enough to write 3f80h (11 1111 1000 000 bin) into every of these words, thus making b=0. The rest of the memory is protected from the writing, so it is necessary to find a way to do it somehow. I accidentally discovered the way to write the following word into the rest of the EPROM: (xx xxxx x x 00 0000 bin), thus making b=(x00 0000)bin (More about you can find in CrackPic.a32 writen in ASM). I cannot reset the highest bit in b, and from the previous equations it is obvious that it influences 14th and 7th bit in the original word. This means that for a given "s" we can calculate two pairs of different combinations for one instruction code (since bit 7 in b can be either 0 or 1): possible value bit for the bit 7 "s" 14 7 "w" -------------------------------------------------------------- 0 0 1 code 1 1 0 code 2 1 1 1 code 1 0 0 code 2 Because of that you will get 2 codes of which one is the correct. You will have to manually determine the correct instruction, but they differs a lot, and it should be easy to filter out wrong ones. I have made software (CrackPic.exe) that generate DEX.LST file which contains pairs of instructions, and enables you to easy pick the correct ones. Some helpfull notes ********************* If 7th bit of "s" equals 0, and you're cracking the PIC that has up to 3fh files (16c71,61,84, etc.), than it is probably code 1 0, because instructions with 0 1 code works with files 40h - 7fh, which are not supported in these PIC`s. Of course, after reading this text anyone can use this kind of instruction which has no other purpose but to fool you. Anyway, this program is not something special, but if you need inverse engineering of the PIC`s, and you`re experienced PIC programmer who can not pay 1000$ - 5000$ to the professionals, I believe that this FREE software will be of some use to you ;) ******************************************************************************* F.A.Q. ******************************************************************************* Q: Does CrackPic physically destroys PIC? A: NO! CrackPic resets one part of the program stored in PIC. If you have windowed PIC you can delete its contest with a UV lamp, and use it again! Q: Is Your algorithm applicable on some other Programmer? A: Yes,it is, on any one! Q: May I use Your algorithm from CrackPic? A: Yes, it's completely free if you mention my name somewhere in your final product. (Source can be found in CrackPic.zip at: http://www.net.yu/~dejan ) Q: Do you know how to crack parallel programmed PIC`s (16c54,55,56,etc.)? A: Not yet, but while working on them, I have made one interesting discovery, which maybe can be used to directly read protected program! Q: Can you tell me more about the algorithm you're using? A: Yes. You can find more detailed explanations in this file. Q: Do you know how to reset that 7th bit? A: No. If know that I would publish it right away. I have some ideas about it, if someone is willing to try... ========================================================================== Theory of other PIC-s ========================================================================== Theory of hacking 12-bit data parallel programed PIC-s: --------------------------------------------------------------------------- 16c54,16c55,16c56,16c57,16c58 ***************************** PASS 1 Getting S ----------------- Reading code protected parts data will be scrambled by equation: S = a XOR b XOR c ----------------- XOR Table: x y |z ------ 0 0 |0 1 0 |1 0 1 |1 1 1 |0 MSB LSB Origin W = aaaa bbbb cccc S 4 bit ;scrambled data a MSB 4 bit ;a,b,c parts from origin W (12bit) b 4 bit c LSB 4 bit PASS 2 Getting S1 ------------------ If we write to PIC "1111 1111 0000" (0ff0h) c=0 ! Reading code protected part data will be scrambled by equation: S1 = a XOR b XOR c=0 S1 = a XOR b ------------ PASS 3 Getting S2 ----------------- If we write to PIC "1111 0000 0000" (0f00h) b=0 c=0 ! Reading code protected part data will be scrambled by equation: S2 = a XOR b=0 XOR c=0 S2 = a ------ Now a = S2 b = S2 XOR S1 c = S1 XOR S Now we can get origin W by equation: ************************************************************************* * W = (S2 AND 15)*256 + ((S2 XOR S1) AND 15)*16 + ((S1 XOR S) AND 15) * ************************************************************************* You can read explanation of how to write data to protected PIC at the end of this file! Theory of hacking 14-bit data serial programed PIC-s: --------------------------------------------------------------------------- 16c61,16c62,16c64,16c65,16c71,16c73,16c74,16c84 *********************************************** PASS 1 Getting S ----------------- Reading code protected parts data will be scrambled by equation: s = a NXOR b 1.) where: a = higher 7 bits from 14-bit word b = lower 7 bits from 14-bit word NXOR Table: x y |z ------ 0 0 |1 1 0 |0 0 1 |0 1 1 |1 PASS 2 Getting S1 ----------------- 2. Program is stored into EPROM. When this EPROM is erased, he has all of its bits set to 1, which means that value of all words stored into it is 3fffh. During the EPROM programming it is ONLY possible to change 1 into 0, AND NOT the other way around. Combining 1. and 2. You can conclude that to unscramble the word it is enough to erase lower 7 bits (b=0), which makes: for equation 1. if b=0 s1 = a NXOR 0 = NOT a s1 = NOT a 2.) ---------- equation 1. can be written as s = (NOT a) XOR b 3.) ----------------- Combining equations 2 and 3 s = s1 XOR b b = (s XOR s1) AND 127 4.) (AND 127 extracts 7th bit) ====================== a = (NOT s1) AND 127 ==================== The original word is: w = a*128 + b ******************************************************** * w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127) * ******************************************************** ------------------------------------------------------------------------------- Theory of writing data to protected PIC-s ======================================================== In order to set bit in EPROM from 0 to 1 you have to apply appropriate amount of energy to the Gate of the FET in memory cell. There are (to my knowledge) three ways to do it: 1. Applying short length EM wave, like UV light, X-rays, and similar. To use UV light, you'll have to access the core of the chip. You can gain this access by corroding it with some highly corrosive acid. With this method, memory cell is being slowly and permanently erased! 2. Increasing PIC power supply, but if you overdo it, you can easily destroy the chip. (Use no more than 10 - 20V, with a 50-100mA HIGH SPEED LIMITED CURRENT !!!) This method changes memory cell state ONLY during the time the voltage is increased, and this change takes effect almost instantly (because of the difference between memory cell structure and the structure of the rest of chip logic). When voltage drops back to the normal level, memory cells states also returns to their previous value. IT IS IMPORTANT TO TAKE CARE OF THE SUPPLY DIFFERENCE BETWEEN YOUR PROGRAMMER AND PIC!!! YOU HAVE TO CONSTRUCT LEVEL TRANSLATORS, SO THAT YOUR PROGRAMMER WILL NOT BE DAMAGED !!! 3. Increasing the temperature of the chip (no more than 140 degrees of Celsius. At 155 to 200 degrees substrate will change its structure, and will be permanently destroyed! Remarks for this method are the same as for the previous one (increasing PIC power supply), but this method has lesser effect on the memory cell. In my opinion this is the best way: ----------------------------------- First we read protected PIC, and acquire "S" with standard reading. To acquire "S1" ("S2"): ---------------------------------- First you should try with the voltage change. In most cases it is quite enough to set protected bit in PIC. But be aware that during the programming, applying 10 -15 V power supply generates too big current that can destroy the chip, so you`ll have to supply the chip with limited 50 to 100 mA current. If this method gives no result, try this way: Temperature should be constant and about 110 Celsius. Vdd = 6-9 V (limit 100mA) Adjust UV light power so that it takes about 10 minutes to erase PIC. (You can regulate this by simply changing the distance between UV light source and chip) (Temperature remains 110 degrees of Celsius) 1 Expose between 20 - 30 sec 2 Interrupt exposure, and with programmer Vdd=6-9 V T=110 C check is PIC protection bit set. 3 Repeat steps 1 and 2 until this bit is set. 4 Expose for another 5-10 sec 5 Stop with the exposure (Now it is possible to program the whole PIC) 6 With a programmer at a 110 degrees of Celsius temperature and Vdd = 6-9 V program the WHOLE PIC with 3f80h for every word. 7 Slowly cool down the PIC to -10 C to -20 C 8 Read PIC at a temperature of -20 C and voltage of 3-4 V, unless you have not gone too far with the erasure of the PIC, all data will be intact (as before the erasure), even the protection bit will be 0! BUT, lower 7 bits in every word will be 0!, and we have acquired "s1"! Bigger voltage and temperature difference will result in better compensation of single bits erasure non-linearity on whole PIC. By using this equation we can decode the whole PIC: w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127) ================================================== !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! IMPORTANT! I do not consider myself responsible for any kind of damage induced by using or not using information's from this file!!! ******************************************************************************* If you are going to use my source (or some parts of it) or some of the techniques I've described here for some project of yours, will you please mention my name somewhere on it. If you use software and techniques I've described on some PIC`s other than 16c71, or if you know another way how to reset the 7th bit, will you please email your experiences to me. Also email me any other PIC inverse engineering technique that you may know. mailto:dejan@net.yu If you want me to publish your results on my site, I will guarantee that you'll stay anonymous if you wish so. Also, I will NOT publish anything you sent me, if you don't allow me that! ------------------------------------------------------------------------------- Dejan Kaljevic 1998. start_crack_pic: _printm 8,0,1eh,'Pass 1: Reading...' ;====================================== pass 1 call start_pic mov edi,bafer_1 mov ecx,pic_size __nex_vc: mov bl,4 call send_cmd call read_data shr bx,1 and bh,not 0c0h mov [edi],bx add edi,2 mov bl,6 call send_cmd loop __nex_vc call end_pic ;-------------------------------------- _printm 9,0,1eh,'Writing to file: DEX_PIC1.HEX' mov esi,bafer_1 mov edi,bafer_6 mov ecx,pic_size lea edx,file_1 call baf_2_hex ;save in HEX _printm 10,0,1eh,'Pass 2: R&W...' ;====================================== ;pass 2 call start_pic mov bl,2 call send_cmd ;Load data mov bx,3f80h call send_data mov bl,8 call send_cmd ;Begin prog mov edi,bafer_2 mov ecx,pic_size ;-------------------------------------- x__nex_vc: mov bl,4 ;Read data call send_cmd call read_data shr bx,1 and bh,not 0c0h mov [edi],bx add edi,2 mov bl,6 call send_cmd ;Inc addr loop x__nex_vc call itime_h call end_pic ;-------------------------------------- _printm 11,0,1eh,'Writing to file: DEX_PIC2.HEX' mov esi,bafer_2 mov edi,bafer_6 mov ecx,pic_size lea edx,file_2 call baf_2_hex ;Save in HEX _printm 12,0,1eh,'Pass 3: Reading...' ;-------------------------------------- pass 3 call itime_h call start_pic mov edi,bafer_3 mov ecx,pic_size xx__nex_vc: mov bl,4 call send_cmd call read_data shr bx,1 and bh,not 0c0h mov [edi],bx add edi,2 mov bl,6 call send_cmd loop xx__nex_vc call end_pic _printm 13,0,1eh,'Writing to file: DEX_PIC3.HEX' mov esi,bafer_3 mov edi,bafer_6 mov ecx,pic_size lea edx,file_3 call baf_2_hex ;====================================== _printm 14,0,1eh,'Decoding...' xor edx,edx mov ecx,pic_size mov esi,bafer_1 mov ebx,bafer_3 mov edi,bafer_4 mov ebp,bafer_5 zre1: mov ax,[ebx] cmp dword ptr brojac_1,40h jb nisu_isti push eax xor al,[esi] and al,40h pop eax jz isti_su nisu_isti: mov dx,ax not ax and ax,7fh xor dx,[esi] and dx,7fh shl ax,7 or ax,dx stosw mov ax,-1 jmp izl1 isti_su: mov dx,ax not ax and ax,7fh xor dx,[esi] and dx,7fh shl ax,7 or ax,dx stosw test ah,20h jnz nula_b or word ptr es:[edi-2],2040h and ax,not 2040h jmp izl1 nula_b: or byte ptr es:[edi-1],20h and byte ptr es:[edi-2],not 40h or al,40h and ah,not 20h izl1: mov word ptr es:[ebp],ax add esi,2 add ebx,2 add ebp,2 inc dword ptr brojac_1 loop zre1 ;-------------------------------------- _printm 15,0,1eh,'Writing to file: DEX_COD1.HEX' mov esi,bafer_4 mov edi,bafer_6 mov ecx,pic_size lea edx,file_4 call baf_2_hex _printm 16,0,1eh,'Writing to file: DEX_COD2.HEX' mov esi,bafer_5 mov edi,bafer_6 mov ecx,pic_size lea edx,file_5 call baf_2_hex ;====================================== _printm 17,0,1eh,'Disassembling...' mov ecx,pic_size xor esi,esi mov edi,bafer_6 lea ebx,info call copy_string dec edi next_dis: mov eax,brojac call ax_2_hex mov eax,' :' stosw inc dword ptr brojac mov ebx,bafer_1 mov ax,word ptr [esi+ebx] call ax_2_hex mov ax,' ' stosw mov ebx,bafer_2 mov ax,word ptr [esi+ebx] call ax_2_hex mov ax,' ' stosw mov ebx,bafer_3 mov ax,word ptr [esi+ebx] call ax_2_hex mov eax,' ' stosd ;stosw mov ebx,bafer_4 mov ax,word ptr [esi+ebx] call ax_2_hex mov ax,' ' stosw push ecx push edi push esi lea esi,[esi+ebx] call decode pop esi mov eax,edi pop ecx sub eax,ecx mov ecx,25 sub ecx,eax mov al,' ' rep stosb mov ebx,bafer_5 mov ax,word ptr [esi+ebx] cmp ax,-1 je ok_oo call ax_2_hex mov ax,' ' stosw push esi lea esi,[esi+ebx] call decode pop esi ok_oo: mov ax,0a0dh stosw pop ecx add esi,2 loop next_dis ;-------------------------------------- _printm 18,0,1eh,'Writing to file: DEX.LST' lea edx,file_6 call createfile mov bx,ax mov ecx,edi mov edx,bafer_6 sub ecx,edx call writefile call closefile _printm 19,0,1eh,'Done!' ret ax_2_hex: push eax push eax mov al,ah call hexax xchg al,ah stosw pop eax call hexax xchg al,ah stosw pop eax ret ;-------------------------------------- start_pic: mov dx,port_dx call mclr_0 call itime call clk_0 call data_0 call itime_h call mclr_13 call itime_h ret ;-------------------------------------- end_pic: call mclr_0 call itime_h call clk_3 call data_3 call itime_h ret ;-------------------------------------- read_data: push ecx call itime mov ecx,16 _nex_cmds: call clk_1 call itime call clk_0 inc dx in al,dx dec dx shr al,7 rcr bx,1 call itime loop _nex_cmds call data_3 call itime pop ecx ret ;-------------------------------------- send_data: shl bx,1 and bh,not 80h send_data_16: push ecx call itime mov ecx,16 jmp nex_cmds ;-------------------------------------- send_cmd: push ecx call clk_0 call data_0 call itime mov ecx,6 nex_cmds: shr bx,1 jc cm_o call data_0 jmp cm_oo cm_o: call data_1 cm_oo: call clk_1 call itime call clk_0 call itime loop nex_cmds call data_3 call itime pop ecx ret ;--------------------------------------- clk_0: and byte ptr port_x,0ddh mov al,byte ptr port_x out dx,al ret clk_1: and byte ptr port_x,0ddh or byte ptr port_x,2 mov al,byte ptr port_x out dx,al ret clk_3: or byte ptr port_x,22h mov al,byte ptr port_x out dx,al ret ;--------------------------------------- data_0: and byte ptr port_x,0fah mov al,byte ptr port_x out dx,al ret data_1: and byte ptr port_x,0fah or byte ptr port_x,1 mov al,byte ptr port_x out dx,al ret data_3: or byte ptr port_x,5h mov al,byte ptr port_x out dx,al ret ;--------------------------------------- mclr_5: and byte ptr port_x,0e7h mov al,byte ptr port_x out dx,al ret mclr_0: and byte ptr port_x,0e7h or byte ptr port_x,10h mov al,byte ptr port_x out dx,al ret mclr_13: and byte ptr port_x,0e7h or byte ptr port_x,8h mov al,byte ptr port_x out dx,al ret ;--------------------------------------- ;-------------------------------------- itime: push ecx mov ecx,400 loop $ pop ecx ret ;-------------------------------------- itime_h: push ecx mov ecx,100 n_it: call itime loop n_it pop ecx ret ;--------------------------------------
Interested:
See:
Questions:
Comments:
See also: