Archive for April, 2013
PIC16F84A Microcontroller Chip Attack
April 8th, 2013 | 
Author: PIC16F84A Microcontroller Chip Attack
It is not always necessary for the power glitches to be outside the specified power supply voltage range. For example, in the same PIC16F84A microcontroller the protection mechanism can be defeated by applying a mere 50 mV glitch after the chip erase operation has started which will cause the failure of PIC16F84A Microcontroller Chip Attack. That causes termination of the program memory erase operation but not the fuse erase.
PIC16F84A Microcontroller Chip Attack
All the above examples of glitch attacks show how powerful such attacks can be unless special countermeasures are implemented. These could be voltage and clock monitor circuits which reset the CPU if the voltage or clock frequency go out of range. Clock-monitoring circuits are normally used in smartcards but very few microcontrollers have them.
Winbond MCU W78E365 Heximal Data Restoration
Winbond MCU W78E365 Heximal Data Restoration means the content from both the eeprom and flash can be extracted and read out by the programmer directly,
The W78E365 architecture consists of a core controller surrounded by various registers, four general purpose I/O ports, one special purpose programmable 4-bits I/O port, 512 bytes of RAM, three timer/counters, a serial port, and an internal 74373 latch and 74244 buffer which can be switched to port2.
The processor supports 111 different opcodes and references both a 64K program address space and a 64 K data storage space.
The internal data RAM in the W78E62B is 512 bytes. It is divided into two banks: 256 bytes of scratchpad RAM and 256 bytes of AUX-RAM. These RAMs are addressed by different ways.
RAM 0H-127H can be addressed directly and indirectly as the same as in 8051. Address pointers are R0 and R1 of the selected register RAM 128H-255H can only be addressed indirectly as the same as in 8051 when Winbond MCU W78E365 Heximal Data Restoration.
Address pointers are R0, R1 of the selected registers internal program memory, an access to AUX-RAM will not affect the Ports P0, P2, WR and RD.
AUX-RAM 0H-255H is addressed indirectly as the same way to access external data memory with the MOVX instruction. Address pointer are R0 and R1 of the selected register bank and DPTR register.
An access to external data memory locations higher than 255H will be performed with the MOVX instruction in the same way as in the 8051. The AUX-RAM is disable after a reset.
Setting the bit 4 in CHPCON register will enable the access to AUX-RAM. When AUX-RAM is enabled the instructions of “MOVX @Ri” will always access to on-chip AUX-RAM after Winbond MCU W78E365 Heximal Data Restoration.
Break Microprocessor W78E052 Locked Program
In the process of Break Microprocessor W78E052 Locked Program, first of all we should have a general understanding about Microprocessor W78E052.
The W78E052 is an 8-bit microcontroller which has an in-system programmable MTP-ROM for firmware updating. The instruction set of the W78E62B is fully compatible with the standard 8052. The W78E052 contains a 64K bytes of main MTP-ROM and a 4K bytes of auxiliary MTP-ROM which allows the contents of the 64KB main MTP-ROM to be updated by the loader program located at the 4KB auxiliary MTP-ROM;
512 bytes of on-chip RAM; four 8-bit bi-directional and bit-addressable I/O ports; an additional 4-bit port P4; three 16-bit timer/counters; a serial port. These peripherals are supported by a eight sources two-level interrupt capability.
To facilitate programming and verification, the MTP-ROM inside the W78E052 allows the program memory to be programmed and read electronically after Break Microprocessor W78E052 Locked Program. Once the code is confirmed, the user can protect the code for security.
The W78E052 microcontroller has two power reduction modes, idle mode and power-down mode, both of which are software selectable. The idle mode turns off the processor clock but allows for continued peripheral operation.
The power-down mode stops the crystal oscillator for minimum power consumption. The external clock can be stopped at any time and in any state without affecting the processor.
Fully static design 8-bit CMOS microcontroller up to 40
64K bytes of in-system programmable MTP-ROM for Application Program (APROM).
4K bytes of auxiliary MTP-ROM for Loader Program (LDROM).
Low standby current at full supply before Break Microprocessor W78E052 Locked Program
512 bytes of on-chip RAM. (including 256 bytes of AUX-RAM, software selectable)
64K bytes program memory address space and 64K bytes data memory address
Four 8-bit bi-directional
One 4-bit multipurpose programmable
Build-in 74373 and 74244 logical functions on Port 2.(software programmable)
Three 16-bit timer/counters
One full duplex serial port
Eight-sources, two-level interrupt capability
Built-in power management
Code protection
Port 4, SFR P4 at address D8H, is a 4-bit multipurpose programmable I/O port. Each bit can be configured individually by software. The Port 4 has four different operation mode:
In mode 0, P4.0-P4.3 is a bi-directional I/O port which is same as port 1. P4.2 and P4.3 also serve as external interrupt INT3 and INT2 if enabled.
In mode 1, P4.0-P4.3 are read data strobe signals which are synchronized with RD signal at specified addresses. These signals can be used as chip-select signals for external peripherals.
Extract PIC16F84 MCU Firmware
Extract PIC16F84 MCU Firmware from Microcontroller PIC16F84 flash and eeprom memory, reset the microprocessor status to unlocked one by crack MCU fuse bit and copy MCU’s code to new one;
Another example is an old PIC16F84 microcontroller from Microchip. The chip erase operation removes the security protection but at the same time erases the contents of program and data memories on the chip. The hardware design of the security protection circuit is made such that the memory is always erased before the security fuse is reset to the initial state.
However it was found that if during the chip erase operation the power supply voltage is increased to about 10 V for a few milliseconds it causes the memory erase process to terminate but the security fuse reset finishes as usual making it possible to read the contents of the memory. Such a high voltage pulse should be applied carefully as increasing its length could permanently damage the chip. The later revision of this microcontroller, PIC16F84A, has protection against under- and over-voltage attacks. Any memory modification operations performed via the programming interface are immediately terminated if the power supply voltage goes below 3 V or above 6 V.
Posted in Break IC | 
Tags: extract dsp ic binary, extract dsp ic code, extract dsp ic content, extract dsp ic data, extract dsp ic eeprom, extract dsp ic file, extract dsp ic firmware, extract dsp ic flash, extract dsp ic heximal, extract dsp ic program | 
Comments Closed
Break Nuvoton W78E054 MCU Flash Memory
Reduce EMI Emmission can help us to better locate the status of Flash and Eeprom memory which provide a way to Break Nuvoton W78E054 MCU Flash Memory,
Because of on-chip Flash EPROM, when a program is running in internal ROM space, the ALE will be unused. The transition of ALE will cause noise, so it can be turned off to reduce the EMI emission if it is useless.
Turning off the ALE signal transition only requires setting the bit 0 of the AUXR SFR, which is located at 08Eh. When ALE is turned off, it will be reactivated when the program accesses external ROM/RAM data or jumps to execute an external ROM code FROM Break Nuvoton W78E054 MCU Flash Memory.
The ALE signal will turn off again after it has been completely accessed or the program returns to internal ROM code space. The AO bit in the AUXR register, when set, disables the ALE output. In order to reduce EMI emission from oscillation circuitry, W78E054 allows user to diminish the gain of on-chip oscillator amplifiers by using programmer to clear the B7 bit of security register.
Once B7 is set to 0, a half of gain will be decreased. Care must be taken if user attempts to diminish the gain of oscillator amplifier, reducing a half of gain may affect the external crystal operating improperly at high frequency above 24 MHz. The value of R and C1, C2 may need some adjustment while running at lower gain.
The Watchdog timer is a free-running timer which can be programmed by the user to serve as a system monitor, a time-base generator or an event timer. It is basically a set of dividers that divide the system clock. The divider output is selectable and determines the time-out interval if Break Nuvoton W78E054 MCU Flash Memory.
When the time-out occurs, a system reset can also be caused if it is enabled. The main use of the Watchdog timer is as a system monitor. This is important in real-time control applications. In case of power glitches or electro- magnetic interference, the processor may begin to execute errant code.
If this is left unchecked the entire system may crash. The watchdog time-out selection will result in different time-out values depending on the clock speed. The Watchdog timer will be disabled on reset. In general, software should restart the Watchdog timer to put it into a known state. The control bits that support the Watchdog timer are discussed below.
Watchdog Timer Control Register
ENW : Enable watch-dog if set.
CLRW : Clear watch-dog timer and prescaler if set. This flag will be cleared automatically
WIDL : If this bit is set, watch-dog is enabled under IDLE mode. If cleared, watch-dog is disabled under IDLE mode. Default is cleared.
PS2, PS1, PS0: Watch-dog prescaler timer select. Prescaler is selected when set PS2~0 as follows:
Enable watch-dog if set