PIC单片机芯片的解密原理介绍 (上).txt PIC单片机芯片的解密原理介绍 (上) In this file you will find out more about the theory on which my CrackPic software is based. Theory on which CrackPic is based *************************************** 1. Some of the PIC models allow scrambled data reading when they are protected, according to the formula: s = a NXOR b NXOR Table: x y |z -----0 0 |1 1 0 |0 0 1 |0 1 1 |1 2. Program is stored into EPROM. When this EPROM is erased, he has all of its bits set to 1, which means that value of all words stored into it is 3fffh. During the EPROM programming it is ONLY possible to change 1 into 0, AND NOT the other way around. Combining 1. and 2. You can conclude that to unscramble the word it is enough to erase lower 7 bits (b=0), which makes: for equation 1. if b=0 s1 = a NXOR 0 = NOT a s1 = NOT a 2.) ---------equation 1. can be written as s = (NOT a) XOR b ----------------3.) 1.) where: a = higher 7 bits from 14-bit word b = lower 7 bits from 14-bit word
Combining equations 2 and 3 s = s1 XOR b b = (s XOR s1) AND 127 ====================== a = (NOT s1) AND 127 ==================== The original word is: w = a*128 + b ******************************************************** * w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127) * ******************************************************** -------------------------------------------------------------------"s" is obtained by simple reading the PIC. Obtaining "s1" is a problem. Some PIC`s (16c71,61,.) allow writing into first 64 words, so it is enough to write 3f80h (11 1111 1000 000 bin) into every of these words, thus making b=0. The rest of the memory is protected from the writing, so it is necessary to find a way to do it somehow. I accidentally discovered the way to write the following word into the 第 1 页 4.) (AND 127 extracts 7th bit)
PIC单片机芯片的解密原理介绍 (上).txt rest of the EPROM: (xx xxxx x x 00 0000 bin), thus making b=(x00 0000)bin (More about you can find in CrackPic.a32 writen in ASM). I cannot reset the highest bit in b, and from the previous equations it is obvious that it influences 14th and 7th bit in the original word. This means that for a given "s" we can calculate two pairs of different combinations for one instruction code (since bit 7 in b can be either 0 or 1): bit possible value for the bit

下一页