Archive for February, 2012

Break IC ATmega88V Internal Flash

We can break the IC ATMEGA88V internal flash; please see the ATMEGA88V features below for reference:
This documentation contains simple code examples that briefly show how to use various parts of the device. These code examples assume that the part-specific header file is included before compilation. Be aware that not all C compiler vendors include bit definitions in the header files, and interrupt handling in C is compiler dependent.

Please consult the C compiler documentation for more details. For I/O Registers located in the extended I/O map, the “IN”, “OUT”, “SBIS”, “SBIC”, “CBI”, and “SBI” instructions must be replaced with instructions that allow access to extended I/O, typically “LDS” and “STS” combined with “SBRS”, “SBRC”, “SBR”, and “CBR”.
This section discusses the AVR core architecture in general. The main function of the CPU core is to ensure correct program execution. The CPU must therefore be able to access memories, perform calculations, control peripherals, and handle interrupts.
In order to maximize performance and parallelism, the AVR uses a Harvard architecture – with separate memories and buses for program and data. Instructions in the program memory are executed with a single level pipelining. While one instruction is being executed, the next instruction is pre-fetched from the program memory.
This concept enables instructions to be executed in every clock cycle. The program memory is In-System Reprogrammable Flash memory. The fast-access Register File contains 32 x 8-bit general purpose working registers with a single clock cycle access time. This allows single-cycle Arithmetic Logic Unit (ALU) operation. In a typical ALU operation, two operands are output from the Register File, the operation is executed, and the result is stored back in the Register File – in one clock cycle.
Six of the 32 registers can be used as three 16-bit indirect address register pointers for Data Space addressing – enabling efficient address calculations. One of these address pointers can also be used as an address pointer for look-up tables in Flash program memory. These added function registers are the 16-bit X-, Y-, and Z-registers, described later in this section.
The ALU supports arithmetic and logic operations between registers or between a constant and a register. Single register operations can also be executed in the ALU. After an arithmetic operation, the Status Register is updated to reflect information about the result of the operation.
Program flow is provided by conditional and unconditional jump and call instructions, able to directly address the whole address space. Most AVR instructions have a single 16-bit word format. Every program memory address contains a 16- or 32-bit instruction.
Program Flash memory space is divided into two sections, the Boot Program section and the Application Program section. Both sections have dedicated Lock bits for write and read/write protection. The SPM instruction that writes into the Application Flash memory section must reside in the Boot Program section.

Restore Atmel Controller ATmega88P Source Code

We can restore the Atmel controller ATMEGA88P source code; please see the ATMEGA88P features below for reference:
The interrupt execution response for all the enabled AVR interrupts is four clock cycles minimum. After four clock cycles the program vector address for the actual interrupt handling routine is executed. During this four clock cycle period, the Program Counter is pushed onto the Stack.
The vector is normally a jump to the interrupt routine, and this jump takes three clock cycles. If an interrupt occurs during execution of a multi-cycle instruction, this instruction is completed before the interrupt is served. If an interrupt occurs when the MCU is in sleep mode, the interrupt execution response time is increased by four clock cycles.
This increase comes in addition to the start-up time from the selected sleep mode. A return from an interrupt handling routine takes four clock cycles. During these four clock cycles, the Program Counter (two bytes) is popped back from the Stack, the Stack Pointer is incremented by two, and the I-bit in SREG is set.
The ATmega48/88/168 contains 4/8/16K bytes of On-chip In-System Reprogrammable Flash memory for program storage. Since all AVR instructions are 16 or 32 bits wide, the Flash is organized as 2/4/8K x 16. For software security, the Flash program memory space is divided into two sections, the Boot Loader Section and the Application Program Section in the ATmega88.
The ATmega48 does not have separate Boot Loader and Application Program sections, and the SPM instruction can be executed from the entire Flash. The Flash memory has an endurance of at least 10,000 write/erase cycles. The ATmega48/88/168 Program Counter (PC) is 11/12/13 bits wide, thus addressing the 2/4/8K program memory locations. The operation of the Boot Program section and the associated Boot Lock bits.
The ATmega48/88/168 is a complex microcontroller with more peripheral units than can be supported within the 64 locations reserved in the Opcode for the IN and OUT instructions. For the Extended I/O space from 0x60 – 0xFF in SRAM, only the ST/STS/STD and LD/LDS/LDD instructions can be used.
The lower 768/1280/1280 data memory locations address the Register File, the I/O memory, the Extended I/O memory, and the internal data SRAM. The first 32 locations address the Register File, the next 64 locations the standard I/O memory, then 160 locations of Extended I/O memory, and the next 512/1024/1024 locations address the internal data SRAM.
The five different addressing modes for the data memory cover: Direct, Indirect with Displacement, Indirect, Indirect with Pre-decrement, and Indirect with Post-increment. In the Register File, registers R26 to R31 feature the indirect addressing pointer registers.
The direct addressing reaches the entire data space. The Indirect with Displacement mode reaches 63 address locations from the base address given by the Y- or Z-register. When using register indirect addressing modes with automatic pre-decrement and post-increment, the address registers X, Y, and Z are decremented or incremented. The 32 general purpose working registers, 64 I/O Registers, 160 Extended I/O Registers, and the 512/1024/1024 bytes of internal data SRAM in the ATmega48/88/168.
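The memory map above and the extended-I/O instruction rule from the ATmega88V section are easy to get wrong in hand-written assembly, so here is an added example (not from the original post and not Atmel code) that classifies an ATmega48/88/168 data-space address and reports which instruction class can reach it. The SRAM sizes and region boundaries are the ones stated above; the SBI/CBI restriction to the lower 32 I/O locations is standard AVR behaviour; the function, flag names and sample addresses are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SRAM sizes stated in the text for ATmega48/88/168. */
#define SRAM_ATMEGA48  512
#define SRAM_ATMEGA88  1024
#define SRAM_ATMEGA168 1024

enum region { REG_FILE, STD_IO, EXT_IO, INT_SRAM, UNMAPPED };

/* Data-space layout from the text: 32 registers, 64 standard I/O locations,
 * 160 extended I/O locations, then the internal SRAM. */
enum region classify(uint16_t sram, uint16_t addr) {
    if (addr < 0x20)  return REG_FILE;
    if (addr < 0x60)  return STD_IO;
    if (addr < 0x100) return EXT_IO;
    if (addr < 0x100u + sram) return INT_SRAM;
    return UNMAPPED;
}

/* Instruction classes that can reach an address (bit flags). */
#define ACC_LD_ST   1   /* LD/LDS/LDD and ST/STS/STD: whole data space */
#define ACC_IN_OUT  2   /* IN/OUT: the 64 standard I/O locations only */
#define ACC_SBI_CBI 4   /* SBI/CBI/SBIS/SBIC: I/O addresses 0x00..0x1F only */

int access_methods(uint16_t sram, uint16_t addr) {
    switch (classify(sram, addr)) {
    case STD_IO:
        /* IN/OUT take a 6-bit I/O address; the bit instructions only a 5-bit one */
        return ACC_LD_ST | ACC_IN_OUT | ((addr - 0x20) < 0x20 ? ACC_SBI_CBI : 0);
    case REG_FILE:
    case EXT_IO:
    case INT_SRAM:
        return ACC_LD_ST;   /* extended I/O: only LD/LDS/LDD and ST/STS/STD */
    default:
        return 0;
    }
}

/* I/O-space address used by IN/OUT (data address minus 0x20), or -1. */
int io_address(uint16_t sram, uint16_t addr) {
    return classify(sram, addr) == STD_IO ? (int)addr - 0x20 : -1;
}

/* Highest valid data address: 0x2FF / 0x4FF / 0x4FF, i.e. the text's
 * lower 768/1280/1280 locations. */
uint16_t top_of_data_space(uint16_t sram) {
    return (uint16_t)(0x100 + sram - 1);
}

/* Is the wanted instruction class legal for this address?  This is the check
 * to make before using IN/OUT/SBI on a register that may sit in extended I/O. */
int can_use(uint16_t sram, uint16_t addr, int wanted) {
    return (access_methods(sram, addr) & wanted) == wanted;
}

int main(void) {
    /* constructed sample addresses across the ATmega88 map */
    uint16_t addrs[] = { 0x25, 0x50, 0x60, 0xC6, 0x4FF, 0x500 };
    for (size_t i = 0; i < sizeof addrs / sizeof addrs[0]; i++)
        printf("0x%03X: region %d, methods 0x%X, IN/OUT ok=%d\n",
               addrs[i], (int)classify(SRAM_ATMEGA88, addrs[i]),
               access_methods(SRAM_ATMEGA88, addrs[i]),
               can_use(SRAM_ATMEGA88, addrs[i], ACC_IN_OUT));
    return 0;
}
```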

Reverse Engineering IC ATmega169 Internal Memory

We can reverse engineer the IC ATMEGA169 internal memory; please see the ATMEGA169 features below for reference:
The AVR core combines a rich instruction set with 32 general purpose working registers. All the 32 registers are directly connected to the Arithmetic Logic Unit (ALU), allowing two independent registers to be accessed in one single instruction executed in one clock cycle.
The resulting architecture is more code efficient while achieving throughputs up to ten times faster than conventional CISC microcontrollers. The ATmega169 provides the following features: 16K bytes of In-System Programmable Flash with Read-While-Write capabilities, 512 bytes EEPROM, 1K byte SRAM, 54 general purpose I/O lines, 32 general purpose working registers, a JTAG interface for Boundary-scan, On-chip Debugging support and programming, a complete On-chip LCD controller with internal step-up voltage, three flexible Timer/Counters with compare modes, internal and external interrupts, a serial programmable USART, a Universal Serial Interface with Start Condition Detector, an 8-channel, 10-bit ADC, a programmable Watchdog Timer with internal Oscillator, an SPI serial port, and five software selectable power saving modes.
The Idle mode stops the CPU while allowing the SRAM, Timer/Counters, SPI port, and interrupt system to continue functioning. The Power-down mode saves the register contents but freezes the Oscillator, disabling all other chip functions until the next interrupt or hardware reset.
In Power-save mode, the asynchronous timer and the LCD controller continue to run, allowing the user to maintain a timer base and operate the LCD display while the rest of the device is sleeping. The ADC Noise Reduction mode stops the CPU and all I/O modules except the asynchronous timer, LCD controller and ADC, to minimize switching noise during ADC conversions.
In Standby mode, the crystal/resonator Oscillator is running while the rest of the device is sleeping. This allows very fast start-up combined with low-power consumption. The device is manufactured using Atmel’s high density non-volatile memory technology.
The On-chip ISP Flash allows the program memory to be reprogrammed In-System through an SPI serial interface, by a conventional non-volatile memory programmer, or by an On-chip Boot program running on the AVR core. The Boot program can use any interface to download the application program in the Application Flash memory.
Software in the Boot Flash section will continue to run while the Application Flash section is updated, providing true Read-While-Write operation. By combining an 8-bit RISC CPU with In-System Self-Programmable Flash on a monolithic chip, the Atmel ATmega169 is a powerful microcontroller that provides a highly flexible and cost effective solution to many embedded control applications.
The ATmega169 AVR is supported with a full suite of program and system development tools including: C Compilers, Macro Assemblers, Program Debugger/Simulators, In-Circuit Emulators, and Evaluation kits.

Recover Protected Microcontroller ATmega169V Internal Memory

We can recover the protected microcontroller ATMEGA169V internal memory; please see the ATMEGA169V features below for reference:
In order to maximize performance and parallelism, the AVR uses a Harvard architecture – with separate memories and buses for program and data. Instructions in the program memory are executed with single-level pipelining. While one instruction is being executed, the next instruction is pre-fetched.
This concept enables instructions to be executed in every clock cycle. The program memory is In-System Reprogrammable Flash memory. The fast-access Register File contains 32 x 8-bit general purpose working registers with a single clock cycle access time. This allows single-cycle Arithmetic Logic Unit (ALU) operation.
In a typical ALU operation, two operands are output from the Register File, the operation is executed, and the result is stored back in the Register File – in one clock cycle. Six of the 32 registers can be used as three 16-bit indirect address register pointers for Data Space addressing – enabling efficient address calculations.
One of these address pointers can also be used as an address pointer for look-up tables in Flash program memory. These added function registers are the 16-bit X-, Y-, and Z-registers, described later in this section. The ALU supports arithmetic and logic operations between registers or between a constant and a register.
Single register operations can also be executed in the ALU. After an arithmetic operation, the Status Register is updated to reflect information about the result of the operation. Program flow is provided by conditional and unconditional jump and call instructions, able to directly address the whole address space.
Most AVR instructions have a single 16-bit word format. Every program memory address contains a 16- or 32-bit instruction. Program Flash memory space is divided into two sections, the Boot Program section and the Application Program section. Both sections have dedicated Lock bits for write and read/write protection.
The SPM instruction that writes into the Application Flash memory section must reside in the Boot Program section. During interrupts and subroutine calls, the return address Program Counter (PC) is stored on the Stack. The Stack is effectively allocated in the general data SRAM, and consequently the Stack size is only limited by the total SRAM size and the usage of the SRAM.
All user programs must initialize the SP in the Reset routine (before subroutines or interrupts are executed). The Stack Pointer (SP) is read/write accessible in the I/O space. The data SRAM can easily be accessed through the five different addressing modes supported in the AVR architecture.

Decrypt Embedded Microcontroller Eeprom Memory

To decrypt embedded microcontroller EEPROM memory, as we mentioned above, the embedded microcontroller decrypter can use laser scanning to read the status of transistors. As the embedded microcontroller decrypter expected, the laser can scan the source of the P- and N-type transistors in the embedded microcontroller memory as well as the photocurrent generated from the drain electrode; a non-transparent metal wire can be used to handle the lowest photocurrent.
The result of laser scanning shows the photocurrent in the inverse switch status of the SRAM cell clearly, which can be used to determine the status of the embedded microcontroller memory after decrypting it. In order to explain the result and to find more suitable scanning parameters, DIODE-2D is used to present the laser pulse to a two-dimensional inverter.

The length of the narrow channel is assumed to be 1 micron, and the laser radiation strength is 1.104 W/cm2. Other parameters, such as doping density and P and N channel depth, use the standard 1 micron N-type base CMOS technology parameters of the embedded microcontroller.

The embedded microcontroller decrypter has simulated the two states of the inverter with lasers of different wavelengths at various locations; their relationship with the power supply current reveals that the current of the transistor in the turned-off state under exposure can be much bigger than the current in the turned-on state under exposure. Opening up the channel of the shut-down transistor increases the total current, and the amount of the increase is much bigger than the slight decrease of the open channel resistance.

Clone Microprocessor Flash Memory Protection Method

Cloning microprocessor flash memory is a prevalent technology in the electronic product reverse engineering industry, and relevant protection mechanisms have been established around the world to protect microprocessor flash memory against cloning. Asynchronous logic is a recently developed protection technology against microprocessor flash memory cloning; it was introduced after the promotion of synchronous dual-line logic.

As we all know, traditional digital logic uses only one clock to synchronize its operation. But with the acceleration of clock rates, this synchronized operation becomes more and more complicated. For this reason, it gave rise to self-synchronized or asynchronous design without a clock.

One way to prevent the cloning of microprocessor flash memory is to use randomization on the data lines. In dual-line logic, the signals zero and one are no longer a high and a low voltage on a single line, but a pair of signals on a line pair. For example, zero could be LH while one is HL; in the application of synchronous circuits, the LL signal means idle.

The main drawback of all these simple arrangements is that they are very fragile: an unwanted HH state can emerge due to circuit faults during a microprocessor flash memory clone attempt.

Self-timed asynchronous design can be used to fend off the clock-noise attacks used for microprocessor flash memory cloning. If the serial interface needs a clock, it is relatively easier to separate the clock from the sensitive circuit. Power supply noise attacks for microprocessor flash memory cloning can seldom work on asynchronous circuits; however, microprocessor flash memory that uses EEPROM as its storage will not be protected and could still be cloned.

Dual-line design can reliably obtain the alert signals from sensor modification and constrain the operation of the microprocessor flash memory. The final result could be the deletion of sensitive data from the microprocessor flash memory and the triggering of an alert, which prevents the fault injection used in microprocessor flash memory cloning from succeeding: the cloner would have to inject two faults simultaneously to switch the state of the transmission line from LH to HL, and this would cause the transmission state to enter HH immediately and trigger the alert right away.
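As an added illustration of the dual-line scheme described above (example code, not from the original post), the following model encodes bits as LH/HL pairs with LL as the spacer, treats HH as a fault, wipes a constructed secret and latches an alarm, and checks the claim that a single stuck-high fault on one wire cannot silently flip a data bit. The wire names, the wipe-and-alarm policy and the sample key are assumptions of this model.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* One logical bit travels on a wire pair (a, b): LH = 0, HL = 1, LL = idle. */
typedef struct { uint8_t a, b; } rail_pair;

enum rail_state { RAIL_IDLE, RAIL_ZERO, RAIL_ONE, RAIL_INVALID };

/* 0 -> LH, 1 -> HL, following the text's convention. */
rail_pair encode_bit(int bit) {
    rail_pair p;
    p.a = bit ? 1 : 0;
    p.b = bit ? 0 : 1;
    return p;
}

enum rail_state decode_pair(rail_pair p) {
    if (!p.a && !p.b) return RAIL_IDLE;
    if (!p.a &&  p.b) return RAIL_ZERO;
    if ( p.a && !p.b) return RAIL_ONE;
    return RAIL_INVALID;                 /* HH: never a legal encoder output */
}

struct receiver {
    uint8_t secret[4];   /* sensitive data the alarm protects (constructed) */
    uint8_t rx_byte;     /* bits assembled so far, MSB first */
    int     rx_bits;
    int     alarm;
};

void receiver_init(struct receiver *r) {
    static const uint8_t constructed_key[4] = { 0xDE, 0xAD, 0xBE, 0xEF };
    memset(r, 0, sizeof *r);
    memcpy(r->secret, constructed_key, sizeof constructed_key);
}

/* Clock one rail pair into the receiver; returns 1 when a fault is detected. */
int receive_pair(struct receiver *r, rail_pair p) {
    switch (decode_pair(p)) {
    case RAIL_IDLE:
        return 0;                                   /* spacer between symbols */
    case RAIL_ZERO:
        r->rx_byte = (uint8_t)(r->rx_byte << 1);
        r->rx_bits++;
        return 0;
    case RAIL_ONE:
        r->rx_byte = (uint8_t)((r->rx_byte << 1) | 1);
        r->rx_bits++;
        return 0;
    default:
        memset(r->secret, 0, sizeof r->secret);     /* erase, then alert */
        r->alarm = 1;
        return 1;
    }
}

/* Send one byte MSB first as symbol/spacer pairs; returns the byte received. */
uint8_t send_byte(struct receiver *r, uint8_t value) {
    rail_pair idle = { 0, 0 };
    for (int i = 7; i >= 0; i--) {
        receive_pair(r, encode_bit((value >> i) & 1));
        receive_pair(r, idle);
    }
    return r->rx_byte;
}

/* Model of a single stuck-high fault on one wire (0 = wire a, 1 = wire b). */
rail_pair stuck_high(rail_pair p, int wire) {
    if (wire == 0) p.a = 1; else p.b = 1;
    return p;
}

/* Over both data symbols and both wires, count single stuck-high faults that
 * silently change the decoded bit.  Per the text none should: either the wire
 * was already high (no change) or the pair becomes HH and is caught. */
int silent_single_fault_flips(void) {
    int flips = 0;
    for (int bit = 0; bit < 2; bit++)
        for (int wire = 0; wire < 2; wire++) {
            enum rail_state s = decode_pair(stuck_high(encode_bit(bit), wire));
            if (s == RAIL_ZERO && bit == 1) flips++;
            if (s == RAIL_ONE  && bit == 0) flips++;
        }
    return flips;
}

int main(void) {
    struct receiver r;
    rail_pair hh = { 1, 1 };
    receiver_init(&r);
    printf("received 0x%02X\n", send_byte(&r, 0xA5));
    receive_pair(&r, hh);
    printf("alarm=%d secret[0]=0x%02X silent flips=%d\n",
           r.alarm, r.secret[0], silent_single_fault_flips());
    return 0;
}
```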

Hack Microchip Processor TSC87C51 Locked Program

We can hack the microchip processor TSC87C51 locked program; please see the TSC87C51 features below for reference:
TEMIC’s TSC87C51 is a high performance CMOS EPROM version of the 80C51 CMOS single chip 8 bit microcontroller.
The fully static design of the TSC87C51 allows system power consumption to be reduced by bringing the clock frequency down to any value, even DC, without loss of data.

The TSC87C51 retains all the features of the 80C51 with some enhancement: 4 K bytes of internal code memory (EPROM); 128 bytes of internal data memory (RAM); 32 I/O lines; two 16 bit timers; a 5-source, 2-level interrupt structure; a full duplex serial port with framing error detection; a power off flag; and an on-chip oscillator.
The TSC87C51 has 2 software-selectable modes of reduced activity for further reduction in power consumption. In the idle mode the CPU is frozen while the RAM, the timers, the serial port and the interrupt system continue to function. In the power down mode the RAM is saved and all other functions are inoperative.
The TSC87C51 is manufactured using a non volatile SCMOS process which allows it to run up to:
33 MHz with VCC = 5 V ± 10%.
16 MHz with 2.7 V < VCC < 5.5 V.
4 Kbytes of EPROM
Improved Quick Pulse programming algorithm
Secret ROM by encryption
128 bytes of RAM
64 Kbytes program memory space
64 Kbytes data memory space
32 programmable I/O lines
Two 16 bit timer/counters
Programmable serial port with framing error detection
Power control modes
Two–level interrupt priority
Fully static design
0.8µ SCMOS non volatile process
ONCE Mode
Enhanced Hooks system for emulation purpose
Available temperature ranges:
commercial
industrial
Available packages:
PDIP40 (OTP)
PLCC44 (OTP)
PQFP44 (OTP)
CQPJ44 (UV erasable)
CERDIP40 (UV erasable)
Port 2 is an 8 bit bi-directional I/O port with internal pullups. Port 2 pins that have 1’s written to them are pulled high by the internal pullups, and in that state can be used as inputs. As inputs, Port 2 pins that are externally being pulled low will source current (IIL, in the DC parameters section) because of the internal pullups.
Port 2 emits the high-order address byte during fetches from external Program Memory and during accesses to external Data Memory that use 16 bit addresses (MOVX @DPTR). In this application, it uses strong internal pullups when emitting 1’s. During accesses to external Data Memory that use 8 bit addresses (MOVX @Ri), Port 2 emits the contents of the P2 Special Function Register.
Port 2 can sink/source three LS TTL inputs. It can drive CMOS inputs without external pullups. Some Port 2 pins receive the high-order address bits and control signals during EPROM programming and program verification.

Replicate Locked IC TS80C52X2 Heximal

We can replicate the locked IC TS80C52X2 heximal; please see the TS80C52X2 features below for reference:
TEMIC TS80C52X2 is a high performance CMOS ROM, OTP, EPROM and ROMless version of the 80C51 CMOS single chip 8-bit microcontroller. The TS80C52X2 retains all features of the TEMIC 80C51 with extended ROM/EPROM capacity (8 Kbytes), 256 bytes of internal RAM, a 6-source, 4-level interrupt system, an on-chip oscillator and three timer/counters.

In addition, the TS80C52X2 has a dual data pointer, a more versatile serial channel that facilitates multiprocessor communication (EUART) and an X2 speed improvement mechanism. The fully static design of the TS80C52X2 allows system power consumption to be reduced by bringing the clock frequency down to any value, even DC, without loss of data.

The TS80C52X2 has 2 software-selectable modes of reduced activity for further reduction in power consumption. In the idle mode the CPU is frozen while the timers, the serial port and the interrupt system are still operating. In the power-down mode the RAM is saved and all other functions are inoperative.
The TS80C52X2 core needs only 6 clock periods per machine cycle. This feature, called “X2”, provides the following advantages:
Divide the crystal frequency by 2 (cheaper crystals) while keeping the same CPU power.
Save power consumption while keeping the same CPU power (oscillator power saving).
Save power consumption by dynamically dividing the operating frequency by 2 in operating and idle modes.
Increase CPU power by 2 while keeping the same crystal frequency.

In order to keep the original C51 compatibility, a divider by 2 is inserted between the XTAL1 signal and the main clock input of the core (phase generator). This divider may be disabled by software. The clock for the whole circuit and peripherals is first divided by two before being used by the CPU core and peripherals. This allows any cyclic ratio (duty cycle) to be accepted on the XTAL1 input. In X2 mode, as this divider is bypassed, the signals on XTAL1 must have a cyclic ratio between 40 and 60%. Figure 1 shows the clock generation block diagram. The X2 bit is validated on the XTAL1÷2 rising edge to avoid glitches when switching from X2 to STD mode.

Figure 2 shows the mode switching waveforms. The auto-reload mode configures timer 2 as a 16-bit timer or event counter with automatic reload. If the DCEN bit in T2MOD is cleared, timer 2 behaves as in the 80C52 (refer to the TEMIC 8-bit Microcontroller Hardware description).
If the DCEN bit is set, timer 2 acts as an up/down timer/counter as shown in Figure 4. In this mode the T2EX pin controls the direction of count. When T2EX is high, timer 2 counts up. Timer overflow occurs at FFFFh, which sets the TF2 flag and generates an interrupt request. The overflow also causes the 16-bit value in the RCAP2H and RCAP2L registers to be loaded into the timer registers TH2 and TL2.

When T2EX is low, timer 2 counts down. Timer underflow occurs when the count in the timer registers TH2 and TL2 equals the value stored in the RCAP2H and RCAP2L registers. The underflow sets the TF2 flag and reloads FFFFh into the timer registers. The EXF2 bit toggles when timer 2 overflows or underflows according to the direction of the count. EXF2 does not generate any interrupt. This bit can be used to provide 17-bit resolution.
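The up/down auto-reload behaviour just described, as an added model (not from the original post and not TEMIC code): T2EX high counts up and an overflow at FFFFh sets TF2 and reloads RCAP2H:RCAP2L; T2EX low counts down and reaching the RCAP2 value sets TF2 and reloads FFFFh; EXF2 toggles on either event and supplies the 17th bit. Register names follow the text; the struct, the tick function and the sample reload value are this model's own.

```c
#include <stdint.h>
#include <stdio.h>

struct timer2 {
    uint8_t th2, tl2;        /* 16-bit count TH2:TL2 */
    uint8_t rcap2h, rcap2l;  /* reload value (up) / underflow compare value (down) */
    uint8_t tf2;             /* set on overflow or underflow, requests an interrupt */
    uint8_t exf2;            /* toggles on overflow/underflow, no interrupt */
    uint8_t t2ex;            /* pin level: 1 = count up, 0 = count down */
};

static uint16_t t2_count(const struct timer2 *t) { return (uint16_t)((t->th2 << 8) | t->tl2); }
static uint16_t t2_rcap(const struct timer2 *t)  { return (uint16_t)((t->rcap2h << 8) | t->rcap2l); }
static void t2_load(struct timer2 *t, uint16_t v) { t->th2 = (uint8_t)(v >> 8); t->tl2 = (uint8_t)v; }

void timer2_init(struct timer2 *t, uint16_t start, uint16_t reload, int count_up) {
    t2_load(t, start);
    t->rcap2h = (uint8_t)(reload >> 8);
    t->rcap2l = (uint8_t)reload;
    t->tf2 = 0;
    t->exf2 = 0;
    t->t2ex = count_up ? 1 : 0;
}

/* One timer clock: a machine cycle in timer mode, a T2 pin edge in counter mode. */
void timer2_tick(struct timer2 *t) {
    uint16_t c = t2_count(t);
    if (t->t2ex) {
        if (c == 0xFFFF) {                    /* overflow: flag, toggle, reload RCAP2 */
            t->tf2 = 1; t->exf2 ^= 1; t2_load(t, t2_rcap(t));
        } else {
            t2_load(t, (uint16_t)(c + 1));
        }
    } else {
        if (c == t2_rcap(t)) {                /* underflow: flag, toggle, reload FFFFh */
            t->tf2 = 1; t->exf2 ^= 1; t2_load(t, 0xFFFF);
        } else {
            t2_load(t, (uint16_t)(c - 1));
        }
    }
}

/* Clear TF2 (as the interrupt handler would) and tick until it is raised again;
 * returns the number of ticks, i.e. the period 10000h - RCAP2 in either direction. */
int ticks_until_tf2(struct timer2 *t) {
    int n = 0;
    t->tf2 = 0;
    while (!t->tf2 && n < 0x10000) { timer2_tick(t); n++; }
    return n;
}

/* 17-bit reading: EXF2 as bit 16 above TH2:TL2. */
uint32_t timer2_read17(const struct timer2 *t) {
    return ((uint32_t)t->exf2 << 16) | t2_count(t);
}

int main(void) {
    struct timer2 t;
    int n;
    timer2_init(&t, 0xFFF0, 0xFFF0, 1);           /* constructed reload: 16-tick period */
    n = ticks_until_tf2(&t);
    printf("up:   %d ticks to TF2, read17=0x%05lX\n", n, (unsigned long)timer2_read17(&t));
    timer2_init(&t, 0xFFFF, 0xFFF0, 0);
    n = ticks_until_tf2(&t);
    printf("down: %d ticks to TF2, read17=0x%05lX\n", n, (unsigned long)timer2_read17(&t));
    return 0;
}
```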

Break Encrypted Microprocessor TS83C51U2 Eeprom Content

We can break the encrypted microprocessor TS83C51U2 EEPROM content; please see the TS83C51U2 features below for reference:
Some instructions operate internally as read followed by write operations. The BCF and BSF instructions, for example, read the entire port into the CPU, execute the bit operation and rewrite the result.
Caution must be used when these instructions are applied to a port where one or more pins are used as input/outputs. For example, a BSF operation on bit 2 of GPIO will cause all eight bits of GPIO to be read into the CPU, bit 2 to be set and the GPIO value to be written to the output latches.
If another bit of GPIO is used as a bidirectional I/O pin (say bit 0), and it is defined as an input at this time, the input signal present on the pin itself would be read into the CPU and rewritten to the data latch of this particular pin, overwriting the previous content.
As long as the pin stays in the Input mode, no problem occurs. However, if bit 0 is switched into Output mode later on, the content of the data latch may now be unknown.
Example 5-1 shows the effect of two sequential Read-Modify-Write instructions (e.g., BCF, BSF, etc.) on an I/O port.
A pin actively outputting a high or a low should not be driven from external devices at the same time in order to change the level on this pin (“wired OR”, “wired AND”). The resulting high output currents may damage the chip.
The actual write to an I/O port happens at the end of an instruction cycle, whereas for reading, the data must be valid at the beginning of the instruction cycle (Figure 5-2).
Therefore, care must be exercised if a write followed by a read operation is carried out on the same I/O port. The sequence of instructions should allow the pin voltage to stabilize (load dependent) before the next instruction causes that file to be read into the CPU.
Otherwise, the previous state of that pin may be read into the CPU rather than the new state. When in doubt, it is better to separate these instructions with a NOP or another instruction not accessing this I/O port.
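The read-modify-write hazard described above, as an added model (not the vendor's Example 5-1 and not code from the original post): a port with TRIS direction bits, an output latch and externally driven pin levels, a BSF/BCF that rewrites every latch bit, and a shadow-register write that avoids the problem. The struct, function names and the constructed port state are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

struct port {
    uint8_t tris;   /* direction per bit: 1 = input, 0 = output */
    uint8_t latch;  /* output data latch */
    uint8_t pin;    /* level driven externally on input pins */
};

/* A port read returns the pin level for input bits and the latch for output
 * bits (an output pin that nothing else drives follows its latch). */
uint8_t port_read(const struct port *p) {
    return (uint8_t)((p->pin & p->tris) | (p->latch & (uint8_t)~p->tris));
}

/* BSF GPIO,bit: read the whole port, set one bit, write all eight back. */
void bsf(struct port *p, int bit) {
    uint8_t v = port_read(p);
    v |= (uint8_t)(1u << bit);
    p->latch = v;   /* every latch bit is rewritten, input pins included */
}

/* BCF GPIO,bit: same read-modify-write shape with the bit cleared. */
void bcf(struct port *p, int bit) {
    uint8_t v = port_read(p);
    v &= (uint8_t)~(1u << bit);
    p->latch = v;
}

/* Hazard-free alternative: keep a shadow copy and write the latch from it,
 * so the latch never takes a value read back from an input pin. */
void shadow_set(struct port *p, uint8_t *shadow, int bit) {
    *shadow |= (uint8_t)(1u << bit);
    p->latch = *shadow;
}

/* The text's scenario: bit 0 is an input whose latch holds 1 while the pin is
 * pulled low externally; BSF on bit 2 silently clears latch bit 0.
 * Returns latch bit 0 after bit 0 is later switched to output. */
int rmw_hazard_demo(void) {
    struct port p = { 0x01, 0x01, 0x00 };   /* tris, latch, pin (constructed) */
    bsf(&p, 2);
    p.tris &= (uint8_t)~0x01u;              /* later: bit 0 becomes an output */
    return p.latch & 0x01;                   /* 0: the stored 1 is gone */
}

/* Same sequence through the shadow register: latch bit 0 survives. */
int shadow_demo(void) {
    struct port p = { 0x01, 0x01, 0x00 };
    uint8_t shadow = 0x01;
    shadow_set(&p, &shadow, 2);
    p.tris &= (uint8_t)~0x01u;
    return p.latch & 0x01;                   /* 1 */
}

int main(void) {
    printf("latch bit 0 after BSF on bit 2:     %d\n", rmw_hazard_demo());
    printf("latch bit 0 with shadow-copy write: %d\n", shadow_demo());
    return 0;
}
```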
The Timer0 module has the following features:
8-bit timer/counter register, TMR0
Readable and writable
8-bit software programmable prescaler
Internal or external clock select:
– Edge select for external clock
Figure 6-1 is a simplified block diagram of the Timer0 module.
Timer mode is selected by clearing the T0CS bit (OPTION<5>). In Timer mode, the Timer0 module will increment every instruction cycle (without prescaler).
If TMR0 register is written, the increment is inhibited for the following two cycles (Figure 6-2 and Figure 6-3). The user can work around this by writing an adjusted value to the TMR0 register.

Reverse Engineering Microchip Processor TS80C54X2 Flash Code

We can reverse engineer the microchip processor TS80C54X2 flash code; please see the TS80C54X2 features below for reference:
The Timer0 module has the following features:
8-bit timer/counter register, TMR0
Readable and writable
8-bit software programmable prescaler
Internal or external clock select:
– Edge select for external clock
– External clock from either the T0CKI pin or from the output of the comparator
Figure 7-1 is a simplified block diagram of the Timer0 module.
Timer mode is selected by clearing the T0CS bit (OPTION<5>). In Timer mode, the Timer0 module will increment every instruction cycle (without prescaler).
If TMR0 register is written, the increment is inhibited for the following two cycles (Figure 7-2 and Figure 7-3).
The user can work around this by writing an adjusted value to the TMR0 register.
There are two types of Counter mode. The first Counter mode uses the T0CKI pin to increment Timer0. It is selected by setting the T0CS bit (OPTION<5>), setting the CMPT0CS bit (CMCON0<4>) and setting the COUTEN bit (CMCON0<6>).
In this mode, Timer0 will increment either on every rising or falling edge of pin T0CKI. The T0SE bit (OPTION<4>) determines the source edge.
Clearing the T0SE bit selects the rising edge. Restrictions on the external clock input are discussed in detail in Section 7.1 “Using Timer0 with an External Clock (TS80C54X2)”.
The second Counter mode uses the output of the comparator to increment Timer0. It can be entered in two different ways. The first way is selected by setting the T0CS bit (OPTION<5>) and clearing the CMPT0CS bit (CMCON<4>); COUTEN (CMCON<6>) does not affect this mode of operation. This enables an internal connection between the comparator and Timer0.
The second way is selected by setting the T0CS bit (OPTION<5>), setting the CMPT0CS bit (CMCON0<4>) and clearing the COUTEN bit (CMCON0<6>).
This allows the output of the comparator onto the T0CKI pin, while keeping the T0CKI input active. Therefore, any comparator change on the COUT pin is fed back into the T0CKI input. The T0SE bit (OPTION<4>) determines the source edge.
Clearing the T0SE bit selects the rising edge. Restrictions on the external clock input are discussed in Section 7.1 “Using Timer0 with an External Clock (TS80C54X2)”.
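One added model (not from the original post and not vendor code) serving both Timer0 passages, this one and the one in the TS83C51U2 section: it reproduces the timer-mode increment on every instruction cycle, the T0SE edge select in counter mode, and the two-cycle inhibit after a TMR0 write together with the adjusted-value workaround. The T0CS/T0SE bit positions come from the text; the comparator-routed modes and the prescaler are not modelled; the struct, function names and the sample T0CKI waveform are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define OPTION_T0CS (1u << 5)   /* OPTION<5>: 1 = counter mode on T0CKI, 0 = timer mode */
#define OPTION_T0SE (1u << 4)   /* OPTION<4>: 0 = rising edge, 1 = falling edge */

struct timer0 {
    uint8_t option;      /* OPTION register; only T0CS and T0SE are modelled */
    uint8_t tmr0;        /* the 8-bit timer/counter register */
    uint8_t inhibit;     /* cycles left in which increments are blocked */
    uint8_t last_t0cki;  /* previous T0CKI level, for edge detection */
};

void timer0_init(struct timer0 *t, uint8_t option) {
    t->option = option;
    t->tmr0 = 0;
    t->inhibit = 0;
    t->last_t0cki = 0;   /* model assumption: pin idle low before the first sample */
}

/* Software write to TMR0: the increment is inhibited for the next two cycles. */
void timer0_write(struct timer0 *t, uint8_t value) {
    t->tmr0 = value;
    t->inhibit = 2;
}

/* The text's workaround: pre-add the two increments the write will lose. */
void timer0_write_adjusted(struct timer0 *t, uint8_t value) {
    timer0_write(t, (uint8_t)(value + 2));
}

/* Advance one instruction cycle; t0cki is the pin level sampled this cycle.
 * Returns the new TMR0 value (8-bit wrap-around is intentional). */
uint8_t timer0_cycle(struct timer0 *t, int t0cki) {
    int tick;
    if (t->option & OPTION_T0CS) {
        int now = t0cki ? 1 : 0;
        if (t->option & OPTION_T0SE)
            tick = t->last_t0cki && !now;     /* falling edge */
        else
            tick = !t->last_t0cki && now;     /* rising edge */
        t->last_t0cki = (uint8_t)now;
    } else {
        tick = 1;                             /* timer mode: every cycle */
    }
    if (t->inhibit) {
        t->inhibit--;                         /* increment lost after a write */
    } else if (tick) {
        t->tmr0++;
    }
    return t->tmr0;
}

/* Timer mode: write `value` (plain or adjusted), run n cycles, return TMR0. */
uint8_t run_timer_mode(uint8_t value, int adjusted, int n) {
    struct timer0 t;
    timer0_init(&t, 0);
    if (adjusted) timer0_write_adjusted(&t, value);
    else          timer0_write(&t, value);
    for (int i = 0; i < n; i++) timer0_cycle(&t, 0);
    return t.tmr0;
}

/* Constructed T0CKI waveform: 3 rising edges and 2 falling edges. */
const int DEMO_WAVE[] = { 0, 1, 1, 0, 1, 0, 0, 1 };
const int DEMO_WAVE_LEN = 8;

/* Counter mode: clock the waveform in and return the edge count. */
uint8_t run_counter_mode(uint8_t option, const int *wave, int len) {
    struct timer0 t;
    timer0_init(&t, option);
    for (int i = 0; i < len; i++) timer0_cycle(&t, wave[i]);
    return t.tmr0;
}

int main(void) {
    printf("plain write 0x10, 5 cycles:    0x%02X\n", run_timer_mode(0x10, 0, 5));
    printf("adjusted write 0x10, 5 cycles: 0x%02X\n", run_timer_mode(0x10, 1, 5));
    printf("rising edges:  %u\n", run_counter_mode(OPTION_T0CS, DEMO_WAVE, DEMO_WAVE_LEN));
    printf("falling edges: %u\n",
           run_counter_mode(OPTION_T0CS | OPTION_T0SE, DEMO_WAVE, DEMO_WAVE_LEN));
    return 0;
}
```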