Crack Pic 
			======================
			by Dejan Kaljevic 1998.
			mailto:dejan@net.yu
			web: http://www.net.yu/~dejan
			



In this file you will find out more about the theory on which my CrackPic 
software is based.

                      Theory on which CrackPic is based
                   ***************************************

1. Some of the PIC models allow scrambled data reading when they are protected,
according to the formula:

        s = a NXOR b     1.)   where: a = higher 7 bits from 14-bit word 
                                      b = lower 7 bits from 14-bit word 
   
	NXOR Table:

	x y |z
	------
	0 0 |1
	1 0 |0
	0 1 |0
	1 1 |1

2. Program is stored into EPROM. When this EPROM is erased, he has all of its 
bits set to 1, which means that value of all words stored into it is 3fffh. 
During the EPROM programming it is ONLY possible to change 1 into 0, AND NOT 
the other way around.
Combining 1. and 2. You can conclude that to unscramble the word it is enough 
to erase lower 7 bits (b=0), which makes:


	for equation 1. if b=0
	
	s1 = a NXOR 0 = NOT a

	s1 = NOT a	2.)
	----------


	equation 1. can be written as
	
	s = (NOT a) XOR b   3.)
	-----------------


	Combining equations 2 and 3
	s = s1 XOR b 

	b = (s XOR s1) AND 127  4.)	(AND 127 extracts 7th bit)
	======================	

	a = (NOT s1) AND 127
	====================

	The original word is:
	
	w = a*128 + b  

        ********************************************************
        *  w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127)  *
        ********************************************************	
	

--------------------------------------------------------------------

	"s" is obtained by simple reading the PIC.
	Obtaining "s1" is a problem.

Some PIC`s (16c71,61,.) allow writing into first 64 words, so it is enough  
to write 3f80h (11 1111 1000 000 bin) into every of these words, 
thus making b=0.

The rest of the memory is protected from the writing, so it is necessary 
to find a way to do it somehow.

I accidentally discovered the way to write the following word into the 
rest of the EPROM: (xx xxxx x x 00 0000 bin), thus making b=(x00 0000)bin
(More about you can find in CrackPic.a32 writen in ASM).
 
I cannot reset the highest bit in b, and from the previous equations it is 
obvious that it influences 14th and 7th bit in the original word. This 
means that for a given "s" we can calculate two pairs of different 
combinations for one instruction code (since bit 7 in b can be either 0 or 1):

                                       possible value
          bit                          for the bit

           7       "s"                 14       7        "w"
      --------------------------------------------------------------
                    0                  0        1       code 1
                                       1        0       code 2
                    1                  1        1       code 1
                                       0        0       code 2

Because of that you will get 2 codes of which one is the correct. You will 
have to manually determine the correct instruction, but they differs a 
lot, and it should be easy to filter out wrong ones. I have made software 
(CrackPic.exe) that generate DEX.LST file which contains pairs of 
instructions, and enables you to easy pick the correct ones.

	
                   Some helpfull notes
                  *********************

If 7th bit of "s" equals 0, and you're cracking the PIC that has up to 3fh 
files (16c71,61,84, etc.), than it is probably code 1 0, because 
instructions with 0 1 code works with files 40h - 7fh, which are not 
supported in these PIC`s. Of course, after reading this text anyone can 
use this kind of instruction which has no other purpose but to fool you.

Anyway, this program is not something special, but if you need inverse  
engineering of the PIC`s, and you`re experienced PIC programmer who
can not pay 1000$ - 5000$ to the professionals, I believe that this FREE 
software will be of some use to you ;)
	

*******************************************************************************


				F.A.Q.
*******************************************************************************

      Q: Does CrackPic physically destroys PIC?
      A: NO! CrackPic resets one part of the program stored in PIC. 
         If you have windowed PIC you can delete its contest with a UV lamp, 
         and use it again!
	
      Q: Is Your algorithm applicable on some other Programmer?
      A: Yes,it is, on any one!

      Q: May I use Your algorithm from CrackPic?
      A: Yes, it's completely free if you mention my name somewhere in your 
	 final product.
	(Source can be found in CrackPic.zip at: 
                         http://www.net.yu/~dejan              )

      Q: Do you know how to crack parallel programmed PIC`s (16c54,55,56,etc.)?
      A: Not yet, but while working on them, I have made one interesting 
	 discovery, which maybe can be used to directly  read protected program!


      Q: Can you tell me more about the algorithm you're using?
      A: Yes. You can find more detailed explanations in this file.
 	
      Q: Do you know how to reset that 7th bit?
      A: No. If know that I would publish it right away.
	 I have some ideas about it,  if someone is willing to try...



==========================================================================
                        Theory of other PIC-s
==========================================================================


         Theory of hacking 12-bit data parallel programed PIC-s:
---------------------------------------------------------------------------
                     16c54,16c55,16c56,16c57,16c58
                     *****************************


PASS 1  Getting S
-----------------
Reading code protected parts data will be scrambled by equation:

                  S = a XOR b XOR c		
                  -----------------

	XOR Table:

	x y |z
	------
	0 0 |0
	1 0 |1
	0 1 |1
	1 1 |0

		   MSB      LSB
	Origin W = aaaa bbbb cccc

S 4 bit 		;scrambled data

a    MSB	4 bit	;a,b,c parts from origin W (12bit)
b	4 bit
c    LSB 	4 bit   


PASS 2	Getting S1
------------------
If we write to PIC "1111 1111 0000" (0ff0h)  c=0 !
Reading code protected part data will be scrambled by equation:

	S1 = a XOR b XOR c=0
	S1 = a XOR b
	------------


PASS 3 Getting S2
-----------------
If we write to PIC "1111 0000 0000" (0f00h)  b=0 c=0 !
Reading code protected part data will be scrambled by equation:

	S2 = a XOR b=0 XOR c=0
	S2 = a
	------

Now	a = S2
	b = S2 XOR S1
	c = S1 XOR S  

Now we can get origin W by equation:

    *************************************************************************
    *  W = (S2 AND 15)*256 + ((S2 XOR S1) AND 15)*16 + ((S1 XOR S) AND 15)       * 
    *************************************************************************

You can read explanation of how to write data to protected PIC at the end of  
this file!


           Theory of hacking 14-bit data serial programed PIC-s:
---------------------------------------------------------------------------
              16c61,16c62,16c64,16c65,16c71,16c73,16c74,16c84
	      ***********************************************


PASS 1  Getting S
-----------------
Reading code protected parts data will be scrambled by equation:

        s = a NXOR b     1.)   where: a = higher 7 bits from 14-bit word 
                                      b = lower 7 bits from 14-bit word 
   
	NXOR Table:

	x y |z
	------
	0 0 |1
	1 0 |0
	0 1 |0
	1 1 |1



PASS 2 Getting S1
-----------------
2. Program is stored into EPROM. When this EPROM is erased, he has all of its 
bits set to 1, which means that value of all words stored into it is 3fffh. 
During the EPROM programming it is ONLY possible to change 1 into 0, AND NOT 
the other way around.
Combining 1. and 2. You can conclude that to unscramble the word it is enough 
to erase lower 7 bits (b=0), which makes:


	for equation 1. if b=0
	
	s1 = a NXOR 0 = NOT a

	s1 = NOT a	2.)
	----------


	equation 1. can be written as
	
	s = (NOT a) XOR b   3.)
	-----------------


	Combining equations 2 and 3
	s = s1 XOR b 

	b = (s XOR s1) AND 127  4.)	(AND 127 extracts 7th bit)
	======================	

	a = (NOT s1) AND 127
	====================

	The original word is:
	
	w = a*128 + b  

	********************************************************
	*  w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127)  *
	********************************************************	



-------------------------------------------------------------------------------

		Theory of writing data to protected PIC-s
	========================================================
	
In order to set bit in EPROM from 0 to 1 you have to apply appropriate amount of 
energy to the Gate of the FET in memory cell.
There are (to my knowledge) three ways to do it:

1.	Applying short length EM wave, like UV light, X-rays, and similar.
	To use UV light, you'll have to access the core of the chip. You can gain
	this access by corroding it with some highly corrosive acid.

	With this method, memory cell is being slowly and permanently erased!

	
2. 	Increasing PIC power supply, but if you overdo it, you can easily
	destroy the chip. (Use no more than 10 - 20V, with a 50-100mA 
	HIGH SPEED LIMITED CURRENT !!!) 

	This method changes memory cell state ONLY during the time the voltage 
	is increased, and this change takes effect almost instantly (because of 
	the difference between  memory cell structure and the structure of the 
	rest of chip logic). When voltage drops back to the normal level, memory 
	cells states also returns to their previous value.

	IT IS IMPORTANT TO TAKE CARE OF THE SUPPLY DIFFERENCE BETWEEN
	YOUR PROGRAMMER AND PIC!!! YOU HAVE TO CONSTRUCT LEVEL TRANSLATORS,
	SO THAT YOUR PROGRAMMER WILL NOT BE DAMAGED !!!

3.	Increasing the temperature of the chip (no more than 140 degrees of 
	Celsius. At 155 to 200 degrees substrate will change its structure,
	and will be permanently  destroyed!

	Remarks for this method are the same as for the previous one 
	(increasing PIC power supply),
	but this method has lesser effect on the memory cell.


	In my opinion this is the best way: 
	-----------------------------------

	First we read protected PIC, and acquire "S" with standard reading.

              To acquire "S1" ("S2"):
	----------------------------------

	First you should try with the voltage change. In most cases it is quite 
	enough to set protected bit in PIC.

	But be aware that during the programming, applying 10 -15 V
	power supply generates too big current that can destroy the chip, so
	you`ll have to supply the chip with limited 50 to 100 mA current.

	If this method gives no result, try this way:

	  Temperature should be constant and about 110 Celsius.
	  Vdd = 6-9 V (limit 100mA)
	  
        Adjust UV light power so that it takes about 10 minutes to erase PIC.
        (You can regulate this by simply changing the distance between UV light
        source and chip)
	
		(Temperature remains 110 degrees of Celsius)
	
	1 Expose between 20 - 30 sec
	2 Interrupt exposure, and with programmer Vdd=6-9 V T=110 C 
	  check is PIC protection bit set.
	3 Repeat steps 1 and 2 until this bit is set.	
	4 Expose for another 5-10 sec
	5 Stop with the exposure (Now it is possible to program the whole PIC)
 	6 With a programmer at a 110 degrees of Celsius temperature and                   
	  Vdd = 6-9 V program the WHOLE PIC with 3f80h for every word.
	7 Slowly cool down the PIC to -10 C to -20 C 
	8 Read PIC at a temperature of -20 C and voltage of 3-4 V,                     
	  unless you have not gone too far with the erasure of the PIC,                    
	  all data will be intact (as before the erasure), even the protection                     
	  bit will be 0! BUT, lower 7 bits in every word will be 0!,                     
	  and we have acquired "s1"!


  Bigger voltage and temperature difference will result in better  
  compensation of single bits erasure non-linearity on whole PIC.


	  By using this equation we can decode the whole PIC:

	  w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127)
	  ==================================================

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
	  
	IMPORTANT!

I do not consider myself responsible for any kind of damage induced by using 
or not using information's from this file!!!

*******************************************************************************

	If you are going to use my source (or some parts of it) or some of the 
techniques I've described here for some project of yours, will you please 
mention my name somewhere on it.

	If you use software and techniques I've described on some PIC`s 
other than 16c71, or if you know another way how to reset the 7th bit, 
will you please email your experiences to me. Also email me any other PIC 
inverse engineering technique that you may know.

		mailto:dejan@net.yu

	If you want me to publish your results on my site, I will guarantee 
that you'll stay anonymous if you wish so. Also, I will NOT publish anything 
you sent me, if you don't allow me that! 
	 
-------------------------------------------------------------------------------
			Dejan Kaljevic  1998.
			






start_crack_pic:

	_printm	8,0,1eh,'Pass 1: Reading...'
;======================================	pass 1
		call start_pic

		mov edi,bafer_1
		mov ecx,pic_size

__nex_vc:	mov bl,4
		call send_cmd
		call read_data

		shr bx,1
		and bh,not 0c0h
		mov [edi],bx
		add edi,2
		mov bl,6
		call send_cmd
		loop __nex_vc

		call end_pic
;--------------------------------------
		_printm	9,0,1eh,'Writing to file: DEX_PIC1.HEX'

		mov esi,bafer_1
		mov edi,bafer_6
		mov ecx,pic_size
		lea edx,file_1
		call baf_2_hex		;save in HEX 


		_printm 10,0,1eh,'Pass 2: R&W...'
;====================================== ;pass 2
		call start_pic

		mov bl,2
		call send_cmd		;Load data
		mov bx,3f80h
		call send_data
		mov bl,8
		call send_cmd		;Begin prog

		mov edi,bafer_2
		mov ecx,pic_size

;--------------------------------------
x__nex_vc:	mov bl,4		;Read data
		call send_cmd
		call read_data

		shr bx,1
		and bh,not 0c0h
		mov [edi],bx
		add edi,2
		mov bl,6
		call send_cmd		;Inc addr
		loop x__nex_vc

		call itime_h
		call end_pic
;--------------------------------------
		_printm	11,0,1eh,'Writing to file: DEX_PIC2.HEX'

		mov esi,bafer_2
		mov edi,bafer_6
		mov ecx,pic_size
		lea edx,file_2
		call baf_2_hex		;Save in HEX


		_printm 12,0,1eh,'Pass 3: Reading...'

;-------------------------------------- pass 3
		call itime_h
		call start_pic

		mov edi,bafer_3
		mov ecx,pic_size

xx__nex_vc:	mov bl,4
		call send_cmd
		call read_data

		shr bx,1
		and bh,not 0c0h
		mov [edi],bx
		add edi,2
		mov bl,6
		call send_cmd
		loop xx__nex_vc

		call end_pic

		_printm	13,0,1eh,'Writing to file: DEX_PIC3.HEX'

		mov esi,bafer_3
		mov edi,bafer_6
		mov ecx,pic_size
		lea edx,file_3
		call baf_2_hex

;======================================
		_printm	14,0,1eh,'Decoding...'

		xor edx,edx
		mov ecx,pic_size	
		mov esi,bafer_1
		mov ebx,bafer_3
		mov edi,bafer_4
		mov ebp,bafer_5

zre1:		mov ax,[ebx]

	       	cmp dword ptr brojac_1,40h
		jb nisu_isti

		push eax
		xor al,[esi]
		and al,40h
		pop eax
		jz isti_su


nisu_isti:	mov dx,ax
		not ax
		and ax,7fh
		xor dx,[esi]
		and dx,7fh
		shl ax,7
		or ax,dx
		stosw
		mov ax,-1
		jmp izl1

isti_su:	mov dx,ax
		not ax
		and ax,7fh
		xor dx,[esi]
		and dx,7fh
		shl ax,7
		or ax,dx
		stosw
		test ah,20h
		jnz nula_b
		or word ptr es:[edi-2],2040h
		and ax,not 2040h
		jmp izl1

nula_b:		or byte ptr es:[edi-1],20h
		and byte ptr es:[edi-2],not 40h
		or al,40h
		and ah,not 20h
		
izl1:		mov word ptr es:[ebp],ax
		add esi,2
		add ebx,2
		add ebp,2		
		inc dword ptr brojac_1
		loop zre1

;--------------------------------------
		_printm	15,0,1eh,'Writing to file: DEX_COD1.HEX'

		mov esi,bafer_4
		mov edi,bafer_6
		mov ecx,pic_size
		lea edx,file_4
		call baf_2_hex

		_printm	16,0,1eh,'Writing to file: DEX_COD2.HEX'

		mov esi,bafer_5
		mov edi,bafer_6
		mov ecx,pic_size
		lea edx,file_5
		call baf_2_hex
;======================================

		_printm	17,0,1eh,'Disassembling...'


		mov ecx,pic_size
		xor esi,esi
		mov edi,bafer_6

		lea ebx,info
		call copy_string
		dec edi

next_dis:	mov eax,brojac
		call ax_2_hex
		mov eax,'   :' 
		stosw
		inc dword ptr brojac
		
		mov ebx,bafer_1
		mov ax,word ptr [esi+ebx]
		call ax_2_hex
		mov ax,'  '
		stosw
		mov ebx,bafer_2
		mov ax,word ptr [esi+ebx]
		call ax_2_hex
		mov ax,'  '
		stosw
		mov ebx,bafer_3
		mov ax,word ptr [esi+ebx]
		call ax_2_hex
		mov eax,'    '
		stosd
		;stosw

		mov ebx,bafer_4
		mov ax,word ptr [esi+ebx]
		call ax_2_hex
		mov ax,'  '
		stosw

		push ecx
		push edi
		push esi
		lea esi,[esi+ebx]
		call decode
		pop esi
		mov eax,edi
		pop ecx
		sub eax,ecx
		mov ecx,25
		sub ecx,eax
		mov al,' '
		rep stosb

		mov ebx,bafer_5
		mov ax,word ptr [esi+ebx]
		cmp ax,-1
		je ok_oo

		call ax_2_hex
		mov ax,'  '
		stosw

		push esi
		lea esi,[esi+ebx]
		call decode
		pop esi
ok_oo:		mov ax,0a0dh
		stosw
		pop ecx
		add esi,2
		loop next_dis		
;--------------------------------------
		_printm	18,0,1eh,'Writing to file: DEX.LST'


		lea edx,file_6
		call createfile
		mov bx,ax

		mov ecx,edi
		mov edx,bafer_6
		sub ecx,edx
		call writefile
		call closefile

		_printm	19,0,1eh,'Done!'

		ret






ax_2_hex:	push eax 
		push eax
		mov al,ah
		call hexax
		xchg al,ah
		stosw
		pop eax
		call hexax
		xchg al,ah
		stosw
		pop eax
		ret





;--------------------------------------
start_pic:	mov dx,port_dx

		call mclr_0
		call itime
		call clk_0
		call data_0

		call itime_h
		call mclr_13
	
		call itime_h
		ret


;--------------------------------------
end_pic:	call mclr_0
		call itime_h
		call clk_3
		call data_3
		call itime_h
		ret

;--------------------------------------
read_data:	push ecx
		call itime
		mov ecx,16

_nex_cmds:	call clk_1
		call itime
		call clk_0

		inc dx
		in al,dx
		dec dx
		shr al,7	
		rcr bx,1

		call itime

		loop _nex_cmds

		call data_3

		call itime
		pop ecx
		ret

;--------------------------------------
send_data:	shl bx,1
		and bh,not 80h

send_data_16:	push ecx
		call itime
		mov ecx,16

		jmp nex_cmds

;--------------------------------------
send_cmd:	push ecx
		call clk_0
		call data_0

		call itime

		mov ecx,6

nex_cmds:	shr bx,1
		jc cm_o
		call data_0
		jmp cm_oo
cm_o:		call data_1
cm_oo:		

		call clk_1
		call itime
		call clk_0
		call itime

		loop nex_cmds

		call data_3

		call itime
		pop ecx
		ret

;---------------------------------------
clk_0:		and byte ptr port_x,0ddh
		mov al,byte ptr port_x
		out dx,al
		ret

clk_1:		and byte ptr port_x,0ddh
		or byte ptr port_x,2
		mov al,byte ptr port_x
		out dx,al
		ret


clk_3:		or byte ptr port_x,22h
		mov al,byte ptr port_x
		out dx,al
		ret
;---------------------------------------

data_0:		and byte ptr port_x,0fah
		mov al,byte ptr port_x
		out dx,al
		ret

data_1:		and byte ptr port_x,0fah
		or byte ptr port_x,1
		mov al,byte ptr port_x
		out dx,al
		ret

data_3:		or byte ptr port_x,5h
		mov al,byte ptr port_x
		out dx,al
		ret

;---------------------------------------
mclr_5:		and byte ptr port_x,0e7h
		mov al,byte ptr port_x
		out dx,al
		ret

mclr_0:		and byte ptr port_x,0e7h
		or byte ptr port_x,10h
		mov al,byte ptr port_x
		out dx,al
		ret

mclr_13:	and byte ptr port_x,0e7h
		or byte ptr port_x,8h
		mov al,byte ptr port_x
		out dx,al
		ret
;---------------------------------------



;--------------------------------------
itime:		push ecx
		mov ecx,400
		loop $
		pop ecx
		ret
;--------------------------------------
itime_h:	push ecx
		mov ecx,100
n_it:		call itime
		loop n_it
		pop ecx
		ret
;--------------------------------------




Interested:

See:

Questions:

Comments:

See also: