			      Crack Pic 
			======================
			by Dejan Kaljevic 1998.
			mailto:dejan@net.yu
			web: http://www.net.yu/~dejan
			



In this file you will find out more about the theory on which my CrackPic 
software is based.

                      Theory on which CrackPic is based
                   ***************************************

1. Some PIC models, when code-protected, still let you read the program memory,
but every word comes back scrambled according to the formula:

        s = a NXOR b     1.)   where: a = upper 7 bits of the 14-bit word 
                                      b = lower 7 bits of the 14-bit word 
   
	NXOR Table:

	x y |z
	------
	0 0 |1
	1 0 |0
	0 1 |0
	1 1 |1

2. The program is stored in EPROM. When this EPROM is erased, all of its 
bits are set to 1, which means that every word stored in it has the value 
3fffh. During EPROM programming it is ONLY possible to change a 1 into a 0, 
NOT the other way around.
Combining 1. and 2. you can conclude that, to unscramble a word, it is enough 
to clear its lower 7 bits (program them to 0, so that b=0), which gives:


	for equation 1. if b=0
	
	s1 = a NXOR 0 = NOT a

	s1 = NOT a	2.)
	----------


	equation 1. can be written as
	
	s = (NOT a) XOR b   3.)
	-----------------


	Combining equations 2 and 3
	s = s1 XOR b 

	b = (s XOR s1) AND 127  4.)	(AND 127 keeps only the lower 7 bits)
	======================	

	a = (NOT s1) AND 127
	====================

	The original word is:
	
	w = a*128 + b  

        ********************************************************
        *  w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127)  *
        ********************************************************	
	

--------------------------------------------------------------------

	"s" is obtained by simply reading the PIC.
	Obtaining "s1" is the problem.

Some PICs (16c71, 16c61, ...) still allow writing into the first 64 words, so 
there it is enough to write 3f80h (11 1111 1000 0000 bin) into every one of 
these words, which clears b (b=0).

The rest of the memory is protected against writing, so another way of 
clearing those bits has to be found.

I accidentally discovered a way to write the following word into the 
rest of the EPROM: (xx xxxx x x00 0000 bin), thus making b=(x00 0000)bin.
(More about this can be found in CrackPic.a32, written in ASM.)
 
I cannot reset the highest bit in b, and from the previous equations it is 
obvious that it influences the 14th and the 7th bit of the original word. This 
means that for a given "s" we can calculate two different combinations 
for one instruction code (since bit 7 of b can be either 0 or 1):

                                  possible values in "w"
          bit 7 of "s"            bit 14    bit 7
       ----------------------------------------------------------
               0                    0         1        code 1
                                    1         0        code 2
               1                    1         1        code 1
                                    0         0        code 2

       (bits are counted from 1: bit 14 is the MSB of the 14-bit word, i.e.
        the top bit of a, and bit 7 is the top bit of b; code 2 is always
        code 1 with both of these bits inverted)

Because of that you will get 2 codes, of which one is the correct one. You will 
have to determine the correct instruction manually, but the two differ a 
lot, and it should be easy to filter out the wrong ones. I have made software 
(CrackPic.exe) that generates a DEX.LST file containing the pairs of 
instructions, which lets you pick the correct ones easily.

	
                   Some helpful notes
                  *********************

If bit 7 of "s" equals 0, and you're cracking a PIC whose file registers 
only go up to 3fh (16c71, 61, 84, etc.), then it is probably the combination 
1 0 (bit 14 = 1, bit 7 = 0), because the combination 0 1 is a byte- or 
bit-oriented instruction addressing files 40h - 7fh, which do not exist on 
these PICs. Of course, after reading this text anyone can deliberately use 
such an instruction, which has no other purpose than to fool you.
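The scramble of equation 1.), the "programming only clears bits" EPROM model, the unscrambling formula 4.), the code 1 / code 2 pair from the table above and the helpful note about files 40h - 7fh, all worked through as an added Python example. This is not code from this file or from CrackPic (whose source is x86 assembler): the sample program words are constructed, the function names are mine, and the assumption that the protected read hands back the 7-bit scrambled value in the low bits is mine as well (the text only ever uses "AND 127" of it, so nothing else is needed).

```python
# Added example (not CrackPic's code): the 14-bit scramble s = a NXOR b, the
# "writes only clear bits" EPROM model, the unscrambling formula, and the two
# candidate words you get when bit 6 of b cannot be cleared.
# Assumption: the protected read hands back the 7-bit scrambled value in the
# low bits; the text only ever uses "AND 127" of it, so that is all we keep.

MASK7 = 0x7F
MASK14 = 0x3FFF
BIT6 = 0x40        # top bit of b   ("7th bit" in the text)
BIT13 = 0x2000     # top bit of a   ("14th bit" in the text)

# Constructed sample program, 14-bit PIC16 words (not from any real firmware):
# MOVLW 03h, MOVWF 06h, GOTO 000h, BSF 03h,5, MOVLW 45h
SAMPLE_PROGRAM = [0x3003, 0x0086, 0x2800, 0x1683, 0x3045]


def scramble(w):
    """Protected read of a word: s = a NXOR b (equation 1.)."""
    a = (w >> 7) & MASK7
    b = w & MASK7
    return (~(a ^ b)) & MASK7


def program_word(current, value):
    """EPROM programming can only turn 1 bits into 0, never the reverse."""
    return current & value & MASK14


def unscramble(s, s1):
    """w = ((NOT s1) AND 127)*128 + ((s XOR s1) AND 127)  (equation 4.).
    Exact when s1 was read with all of b cleared (3f80h written)."""
    a = (~s1) & MASK7
    b = (s ^ s1) & MASK7
    return a * 128 + b


def candidates(s, s1):
    """s1 read after writing xx xxxx x x00 0000: bit 6 of b kept its old
    value.  Code 1 assumes it was 0; if it was really 1, both the 14th and
    the 7th bit of code 1 are inverted, which is code 2."""
    code1 = unscramble(s, s1)
    code2 = code1 ^ (BIT13 | BIT6)
    return code1, code2


def needs_file_above_3f(w):
    """Byte- or bit-oriented instruction (opcode bits 13-12 = 00 or 01)
    whose 7-bit file address is 40h-7fh: impossible on a PIC whose
    file registers stop at 3fh."""
    return ((w >> 12) & 0b11) in (0b00, 0b01) and (w & BIT6) != 0


def pick(s, s1):
    """The 'helpful note': discard the candidate that needs a file >= 40h.
    Returns the surviving word, or None if both candidates are plausible."""
    ok = [c for c in candidates(s, s1) if not needs_file_above_3f(c)]
    return ok[0] if len(ok) == 1 else None


def read_passes(program, full_clear):
    """Simulate the chip: pass 1 reads s of every word, pass 2 writes
    3f80h (full_clear, only the first 64 words on a real chip) or 3fc0h
    (bit 6 of b survives) and reads s1."""
    pattern = 0x3F80 if full_clear else 0x3FC0
    s_list = [scramble(w) for w in program]
    s1_list = [scramble(program_word(w, pattern)) for w in program]
    return s_list, s1_list


def crack(program, full_clear=False):
    """Return, per word, the list of candidate instructions (one entry when
    the answer is unique, two when it is a DEX.LST-style pair)."""
    s_list, s1_list = read_passes(program, full_clear)
    out = []
    for s, s1 in zip(s_list, s1_list):
        if full_clear:
            out.append([unscramble(s, s1)])
        elif pick(s, s1) is not None:
            out.append([pick(s, s1)])
        else:
            out.append(list(candidates(s, s1)))
    return out


if __name__ == "__main__":
    for addr, (w, cands) in enumerate(zip(SAMPLE_PROGRAM, crack(SAMPLE_PROGRAM))):
        shown = " or ".join("%04xh" % c for c in cands)
        print("%04x: original %04xh -> %s" % (addr, w, shown))
```

Running it lists, per address, either one word or a code 1 / code 2 pair, which is the same information DEX.LST carries. The MOVLW 45h entry is the instructive one: its b has bit 6 set, so code 1 (1005h) is the wrong word and code 2 (3045h) is the right one, which is why the pair cannot simply be reduced to code 1. With full_clear=True (the 3f80h write that works on the first 64 words) every word is recovered exactly.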

Anyway, this program is nothing special, but if you need reverse  
engineering of PICs, and you're an experienced PIC programmer who
cannot pay 1000$ - 5000$ to the professionals, I believe that this FREE 
software will be of some use to you ;)
	

*******************************************************************************


				F.A.Q.
*******************************************************************************

      Q: Does CrackPic physically destroy the PIC?
      A: NO! CrackPic clears one part of the program stored in the PIC. 
         If you have a windowed PIC you can erase its contents with a UV lamp 
         and use it again!
	
      Q: Is your algorithm applicable to some other programmer?
      A: Yes, it is, to any of them!

      Q: May I use your algorithm from CrackPic?
      A: Yes, it's completely free if you mention my name somewhere in your 
	 final product.
	(Source can be found in CrackPic.zip at: 
                         http://www.net.yu/~dejan              )

      Q: Do you know how to crack parallel-programmed PICs (16c54,55,56,etc.)?
      A: Not yet, but while working on them I have made one interesting 
	 discovery, which maybe can be used to directly read the protected program!


      Q: Can you tell me more about the algorithm you're using?
      A: Yes. You can find more detailed explanations in this file.
 	
      Q: Do you know how to reset that 7th bit?
      A: No. If I knew that I would publish it right away.
	 I have some ideas about it, if someone is willing to try...



==========================================================================
                        Theory for other PICs
==========================================================================


         Theory of hacking 12-bit data parallel-programmed PICs:
---------------------------------------------------------------------------
                     16c54,16c55,16c56,16c57,16c58
                     *****************************


PASS 1  Getting S
-----------------
Reading the code-protected part, the data comes back scrambled by the equation:

                  S = a XOR b XOR c		
                  -----------------

	XOR Table:

	x y |z
	------
	0 0 |0
	1 0 |1
	0 1 |1
	1 1 |0

		         MSB       LSB
	Original W  =  aaaa bbbb cccc      (12-bit word)

	a	4 bits	MSB nibble of the original W
	b	4 bits	middle nibble of the original W
	c	4 bits	LSB nibble of the original W
	S	4 bits	scrambled data read from the protected part

PASS 2	Getting S1
------------------
If we write "1111 1111 0000" (0ff0h) into the PIC, then c=0 !
Reading the code-protected part now gives data scrambled by the equation:

	S1 = a XOR b XOR c,  with c=0
	S1 = a XOR b
	------------


PASS 3 Getting S2
-----------------
If we write "1111 0000 0000" (0f00h) into the PIC, then b=0 and c=0 !
Reading the code-protected part now gives data scrambled by the equation:

	S2 = a XOR b XOR c,  with b=0 and c=0
	S2 = a
	------

Now	a = S2
	b = S2 XOR S1
	c = S1 XOR S  

Now we can get origin W by equation:

    *************************************************************************
    *  W = (S2 AND 15)*256 + ((S2 XOR S1) AND 15)*16 + ((S1 XOR S) AND 15)  *
    *************************************************************************

You can read the explanation of how to write data to a protected PIC at the 
end of this file!
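The three passes for the 12-bit parallel-programmed PICs, as an added Python example that is not part of this file or of CrackPic. The sample words are constructed, the function names are mine, and the example assumes (as the text implies) that the 0ff0h and 0f00h writes accumulate on the same chip, so pass 3 is applied on top of pass 2.

```python
# Added example (not CrackPic's code): the three passes for the 12-bit
# parallel PICs, S = a XOR b XOR c over the three nibbles, with the same
# "a write can only clear bits" EPROM model.  Sample words are constructed.

MASK12 = 0xFFF
NIBBLE = 0xF

# Constructed 12-bit PIC16C5x words: MOVLW 05h, MOVWF 06h, GOTO 000h,
# BSF 03h,5 and one erased (never programmed) word.
SAMPLE_PROGRAM_12 = [0xC05, 0x026, 0xA00, 0x5A3, 0xFFF]


def scramble12(w):
    """Protected read of a 12-bit word: S = a XOR b XOR c (one nibble)."""
    a = (w >> 8) & NIBBLE
    b = (w >> 4) & NIBBLE
    c = w & NIBBLE
    return a ^ b ^ c


def program12(current, value):
    """EPROM programming only clears bits; the 0ff0h / 0f00h patterns
    therefore wipe c, then b, while leaving a untouched."""
    return current & value & MASK12


def three_passes(program):
    """PASS 1: read S.  PASS 2: write 0ff0h, read S1 (c = 0).
    PASS 3: write 0f00h on top of that, read S2 (b = c = 0)."""
    s = [scramble12(w) for w in program]
    after_pass2 = [program12(w, 0x0FF0) for w in program]
    s1 = [scramble12(w) for w in after_pass2]
    after_pass3 = [program12(w, 0x0F00) for w in after_pass2]
    s2 = [scramble12(w) for w in after_pass3]
    return s, s1, s2


def recover12(s, s1, s2):
    """W = (S2 AND 15)*256 + ((S2 XOR S1) AND 15)*16 + ((S1 XOR S) AND 15)"""
    a = s2 & NIBBLE
    b = (s2 ^ s1) & NIBBLE
    c = (s1 ^ s) & NIBBLE
    return a * 256 + b * 16 + c


def crack12(program):
    """Whole procedure: three reads, then every word recovered exactly
    (unlike the 14-bit case there is no leftover ambiguity)."""
    s, s1, s2 = three_passes(program)
    return [recover12(x, y, z) for x, y, z in zip(s, s1, s2)]


if __name__ == "__main__":
    for addr, (w, got) in enumerate(zip(SAMPLE_PROGRAM_12, crack12(SAMPLE_PROGRAM_12))):
        print("%03x: original %03xh -> recovered %03xh" % (addr, w, got))
```

Because each extra pass removes one nibble from the XOR sum, the three reads determine all three nibbles and the whole program is recovered without any leftover pairs, provided the two writes really reach the protected words (see the end of this file).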


           Theory of hacking 14-bit data serial-programmed PICs:
---------------------------------------------------------------------------
              16c61,16c62,16c64,16c65,16c71,16c73,16c74,16c84
	      ***********************************************


PASS 1  Getting S
-----------------
Reading the code-protected part, the data comes back scrambled by equation 1.)
from the first section of this file:

        s = a NXOR b     1.)   where: a = upper 7 bits of the 14-bit word 
                                      b = lower 7 bits of the 14-bit word 

	(NXOR = exclusive NOR; the truth table is given in the first section)


PASS 2 Getting S1
-----------------
An erased EPROM reads 3fffh (all bits 1) and programming can only turn a 1 
into a 0, so the lower 7 bits of a word can be cleared by writing 3f80h into 
it. Reading that word again gives:

	s1 = a NXOR 0 = NOT a	2.)
	----------------------

With the derivation from the first section (equations 2.) to 4.)) this gives

	a = (NOT s1) AND 127
	b = (s XOR s1) AND 127

	The original word is:
	
	w = a*128 + b  

	********************************************************
	*  w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127)  *
	********************************************************	



-------------------------------------------------------------------------------

		Theory of writing data to protected PICs
	========================================================
	
In order to set a bit in the EPROM from 0 to 1 you have to apply an appropriate 
amount of energy to the gate of the FET in the memory cell.
There are (to my knowledge) three ways to do it:

1.	Applying short-wavelength electromagnetic radiation, like UV light, 
	X-rays and similar. To use UV light you'll have to get access to the 
	die of the chip; you can gain this access by dissolving the package 
	with a highly corrosive acid.

	With this method the memory cell is slowly and permanently erased!

	
2. 	Increasing the PIC supply voltage, but if you overdo it you can easily
	destroy the chip. (Use no more than 10 - 20 V, with the current 
	limited to 50 - 100 mA by a FAST current limiter!!!) 

	This method changes the memory cell state ONLY while the voltage 
	is raised, and the change takes effect almost instantly (because of 
	the difference between the memory cell structure and the structure of 
	the rest of the chip logic). When the voltage drops back to the normal 
	level, the memory cell states also return to their previous values.

	IT IS IMPORTANT TO TAKE CARE OF THE SUPPLY DIFFERENCE BETWEEN
	YOUR PROGRAMMER AND THE PIC!!! YOU HAVE TO BUILD LEVEL TRANSLATORS,
	SO THAT YOUR PROGRAMMER WILL NOT BE DAMAGED !!!

3.	Increasing the temperature of the chip (no more than 140 degrees 
	Celsius; at 155 to 200 degrees the substrate changes its structure 
	and the chip is permanently destroyed!)

	The remarks for this method are the same as for the previous one 
	(increasing the PIC supply voltage),
	but this method has a smaller effect on the memory cell.


	In my opinion this is the best way: 
	-----------------------------------

	First we read the protected PIC and acquire "S" with a standard read.

              To acquire "S1" ("S2"):
	----------------------------------

	First you should try the voltage change. In most cases it is quite 
	enough to set the protected bit in the PIC.

	But be aware that during programming a 10 - 15 V supply 
	drives too large a current, which can destroy the chip, so
	you'll have to limit the supply current to 50 - 100 mA.

	If this method gives no result, try this way:

	  The temperature should be kept constant at about 110 Celsius.
	  Vdd = 6-9 V (limit 100mA)
	  
        Adjust the UV light power so that it takes about 10 minutes to erase 
        the PIC. (You can regulate this simply by changing the distance between 
        the UV light source and the chip)
	
		(Temperature remains 110 degrees Celsius)
	
	1 Expose for 20 - 30 sec
	2 Interrupt the exposure and, with the programmer at Vdd=6-9 V and 
	  T=110 C, check whether the PIC protection bit is set.
	3 Repeat steps 1 and 2 until this bit is set.	
	4 Expose for another 5-10 sec
	5 Stop the exposure (now it is possible to program the whole PIC)
 	6 With the programmer at a temperature of 110 degrees Celsius and
	  Vdd = 6-9 V, program the WHOLE PIC with 3f80h in every word.
	7 Slowly cool the PIC down to -10 C to -20 C 
	8 Read the PIC at a temperature of -20 C and a voltage of 3-4 V;
	  unless you have gone too far with the erasure of the PIC,
	  all data will be intact (as before the erasure), and even the 
	  protection bit will be 0! BUT the lower 7 bits of every word will 
	  be 0, and we have acquired "s1"!


  A bigger voltage and temperature difference results in better  
  compensation of the non-linearity of single-bit erasure across the whole PIC.


	  By using this equation we can decode the whole PIC:

	  w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127)
	  ==================================================

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
	  
	IMPORTANT!

I do not consider myself responsible for any kind of damage caused by using 
or not using the information from this file!!!

*******************************************************************************

	If you are going to use my source (or some parts of it) or some of the 
techniques I've described here for some project of yours, will you please 
mention my name somewhere on it.

	If you use the software and techniques I've described on PICs 
other than the 16c71, or if you know another way to reset the 7th bit, 
will you please email your experiences to me. Also email me any other PIC 
reverse engineering technique that you may know.

		mailto:dejan@net.yu

	If you want me to publish your results on my site, I guarantee 
that you'll stay anonymous if you wish so. Also, I will NOT publish anything 
you send me if you don't allow me to! 
	 
-------------------------------------------------------------------------------
			Dejan Kaljevic  1998.
			






start_crack_pic:

	_printm	8,0,1eh,'Pass 1: Reading...'
;======================================	pass 1
;	Pass 1: read the scrambled value "s" of every word into bafer_1.
		call start_pic			; put the PIC into serial programming mode

		mov edi,bafer_1			; destination buffer for "s"
		mov ecx,pic_size		; number of 14-bit words to read

__nex_vc:	mov bl,4			; command 4 = read data from program memory
		call send_cmd
		call read_data			; 16 clocks: start bit, 14 data bits, stop bit

		shr bx,1			; drop the start bit
		and bh,not 0c0h			; keep only the 14 data bits (mask bits 14,15)
		mov [edi],bx			; store the scrambled word
		add edi,2
		mov bl,6			; command 6 = increment address
