Introduction to the principles of PIC microcontroller chip decryption (Part 1)
In this file you will find out more about the theory on which my CrackPic 
software is based.

                      Theory on which CrackPic is based
                   ***************************************

1. Some PIC models, when code-protected, still allow their program memory to
be read in scrambled form, according to the formula:

        s = a NXOR b     1.)   where: a = higher 7 bits of the 14-bit word
                                      b = lower 7 bits of the 14-bit word
   
NXOR Table:

x y |z
------
0 0 |1
1 0 |0
0 1 |0
1 1 |1

2. The program is stored in EPROM. When this EPROM is erased, it has all of its
bits set to 1, which means that the value of every word stored in it is 3fffh.
During EPROM programming it is ONLY possible to change a 1 into a 0, AND NOT
the other way around.
Combining 1. and 2. you can conclude that to unscramble a word it is enough
to erase the lower 7 bits (b = 0), which gives:


for equation 1. if b=0

s1 = a NXOR 0 = NOT a

s1 = NOT a 2.)
----------


Equation 1. can also be written as

s = (NOT a) XOR b   3.)
-----------------


Combining equations 2 and 3
s = s1 XOR b 

b = (s XOR s1) AND 127  4.) (AND 127 keeps only the lower 7 bits)
====================== 

a = (NOT s1) AND 127
====================

The original word is:

w = a*128 + b  

        ********************************************************
        *  w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127)  *
        ******************************************************** 


--------------------------------------------------------------------

"s" is obtained simply by reading the PIC.
Obtaining "s1" is the problem.

Some PICs (16c71, 61, ...) allow writing into the first 64 words, so it is
enough to write 3f80h (11 1111 1000 0000 bin) into each of these words,
thus making b = 0.

The rest of the memory is protected from writing, so it is necessary
to find some other way to do it.

I accidentally discovered a way to write the following word into the
rest of the EPROM: (xx xxxx x x00 0000 bin), thus making b = (x00 0000) bin.
(More about this can be found in CrackPic.a32, written in ASM.)

I cannot reset the highest bit in b, and from the previous equations it is
obvious that it influences the 14th and 7th bit of the original word. This
means that for a given "s" we can calculate two different combinations
for one instruction code (since bit 7 of b can be either 0 or 1):

          bit 7 of "s"  |  possible value of bit 14   bit 7 of "w"  |
          ------------------------------------------------------------
                0       |             0                   1         |  code 1
                        |             1                   0         |  code 2
                1       |             1                   1         |  code 1
                        |             0                   0         |  code 2

Because of that you will get 2 codes, of which one is the correct one. You
will have to determine the correct instruction manually, but the two differ
a lot, and it should be easy to filter out the wrong ones. I have made software
(CrackPic.exe) that generates a DEX.LST file containing the pairs of
instructions, and lets you pick the correct ones easily.
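To check the derivation above end to end, here is an added Python model that is not the original text's or CrackPic's code and talks to no hardware: it scrambles a 14-bit word the way equation 1 describes, models EPROM programming as 1-to-0 only, recovers w with the boxed formula, and enumerates the code 1 / code 2 pair when bit 7 of b cannot be cleared. The sample word 008Ch (MOVWF 0Ch on the 14-bit core) is constructed for the demonstration.

```python
# Added example, not the original text's or CrackPic's code: a software model
# of the scramble and of the recovery derived above. It talks to no chip; it
# only checks that the algebra holds and shows where the two-code ambiguity
# comes from. MOVWF 0Ch (008Ch) below is a constructed sample word.

MASK7 = 0x7F        # one 7-bit half of a 14-bit PIC word

def split(w):
    """(a, b): the higher and the lower 7 bits of a 14-bit word."""
    return (w >> 7) & MASK7, w & MASK7

def scramble(w):
    """Equation 1: s = a NXOR b, what a protected part returns instead of w."""
    a, b = split(w)
    return ~(a ^ b) & MASK7

def program(old, new):
    """Point 2: programming can only clear bits, so the result is old AND new."""
    return old & new

def recover(s, s1):
    """Boxed formula: w from s and the reading s1 taken after b was erased to 0."""
    a = ~s1 & MASK7
    b = (s ^ s1) & MASK7
    return a * 128 + b

def candidates(s, s1_partial):
    """If the highest bit of b could not be cleared, bit 7 of s1 is unknown.
    Trying both values gives the code 1 / code 2 pair of the table above; the
    two candidates differ exactly in bits 14 and 7 of w."""
    return sorted({recover(s, s1_partial & 0x3F), recover(s, s1_partial | 0x40)})

def check_all():
    """Verify the derivation for every 14-bit word; True if it always holds."""
    for w in range(1 << 14):
        s = scramble(w)
        s1 = scramble(program(w, 0x3F80))    # lower 7 bits erased: b = 0
        if recover(s, s1) != w:
            return False
        s1p = scramble(program(w, 0x3FC0))   # bit 7 of b left as it was
        if w not in candidates(s, s1p):
            return False
    return True

if __name__ == "__main__":
    w = 0x008C
    s, s1 = scramble(w), scramble(program(w, 0x3F80))
    print(hex(s), hex(s1), hex(recover(s, s1)))           # 0x72 0x7e 0x8c
    print([hex(c) for c in candidates(s, scramble(program(w, 0x3FC0)))])
    print(check_all())
```

For 008Ch bit 7 of "s" is 1, so the pair comes out as 008Ch and 20CCh, the "0 0" / "1 1" row of the table.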


                   Some helpful notes
                  *********************

If bit 7 of "s" equals 0, and you're cracking a PIC that has only up to 3fh
file registers (16c71, 61, 84, etc.), then it is probably code "1 0", because
instructions with code "0 1" work with files 40h - 7fh, which are not
supported on these PICs. Of course, after reading this text anyone can
use this kind of instruction, which has no other purpose than to fool you.

Anyway, this program is nothing special, but if you need reverse
engineering of PICs, and you're an experienced PIC programmer who
cannot pay $1000 - $5000 to the professionals, I believe that this FREE
software will be of some use to you ;)
