PIC16C63A-04/SP Stupid Question time

[suityou69]

This probally shows my lack on knowledge in the area but please be gentle with the reply's

Ive dabled in all sorts of hacking and cracking over the years but this is a new one on me. Someone I know has some software running on a PIC16C63A-04/SP chip, its a basic programme that sends various commands to a screen and activates a toggle for a motor.

Thing is the guy that wrote the software is now dead and he copy protected it, he only wants to make a couple of slight tweaks to the motor toggle but to get it all re-written is going to cost and arm and a leg.

Is there anyway of getting round the protection on the chip, or is it dependant on the software and the way its been protected/written?

Sorry again for a dumbass question but didnt know where else to turn

Thanks in advance

An ever going grey

Suityou69

[doughboy]

http://www.chipcatalog.com/Doc/84C2D...A6C694A3E0.pdf

looks like it has built in code protection.

I wouldn't know how to change a register value of a pic chip though, in order to read out the memory.

[Twincharge]

There is another way, painstakingly remove the chip resin and then throw UV light on the protection fuse to disable it. Not an easy or quick job but do-able.

Also, usually only the first few bytes on the PIC chip are protected, you can usually work out the first few bytes if you spend a bit of time with it.

[suityou69]

For a simp like me - does it mean going thru each conbination of say the 1st line of code in order to be able to dump it, or should I be able to do a full dump, but that dump is protected in some way?

There is another way, painstakingly remove the chip resin and then throw UV light on the protection fuse to disable it. Not an easy or quick job but do-able.

Also, usually only the first few bytes on the PIC chip are protected, you can usually work out the first few bytes if you spend a bit of time with it.

[Twincharge]

For a simp like me - does it mean going thru each conbination of say the 1st line of code in order to be able to dump it, or should I be able to do a full dump, but that dump is protected in some way?

You must remember that the PIC chips are not just eeproms but processors with embedded eeprom also. Usually only the first few bytes of the eeprom are protected, so in effect you will be able to see a partial dump.

If you want to complete the missing bytes, I just follow the memory mappings based on the PIC processor arcitecture and attempt to 'complete' the code.

I will upload some more details tomorrow.

[suityou69]

Ahhh I see what you mean now, thanks for putting it in my terms and look forwards to your uploads.

I really appriciate the guidance and pointers - learning tons and loving it !

Steve

[keyscoob]

Here is my 12c508a deprotection tutorial that I put together a long while back now. The exact same technique would apply to your situation. The only difference may be the location of the CP fuses on the dye.

http://www.rampantapathy.co.uk/12c508a.html

It is not always the case that only 'first few' bytes of compiled code are protected. More often than not it is the other way around.

OTP (one time programmable) devices like yours tend to only have one set of CP (code protect fuses) and therefore are easier to attack. There is little chance of any passivation or anti-tamper mesh etc been present within your device.

You may find that your PIC is prone to power and/or glitch attacks but without the proper control software this would be very hard for you to do.

If you are decapsulating then use 100% Pure Fuming Nitric Acid to desolve the epoxy. Little else will work.

I suspect that the easiest route will be to 'blackbox' your PIC, by this I mean to log the input and output pins and emulate its function in software such as Proton BASIC etc.

Hope this helps.

Good Luck...