Contact Us - 99厅 Company Customer Service Phone - 17090277778



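Introduction to the Decryption Principle of PIC Microcontroller Chips

Introduction to the Decryption Principle of PIC Microcontroller Chips (Part 1).txt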

In this file you will find out more about the theory on which my CrackPic
software is based.
                      Theory on which CrackPic is based
                   ***************************************
1. Some of the PIC models allow scrambled data reading when they are protected,
according to the formula:
        s = a NXOR b     1.)   where: a = higher 7 bits from 14-bit word
                                      b = lower 7 bits from 14-bit word
   
NXOR Table:
x y |z
------
0 0 |1
1 0 |0
0 1 |0
1 1 |1
2. The program is stored in EPROM. When this EPROM is erased, it has all of its
bits set to 1, which means that the value of every word stored in it is 3fffh.
During EPROM programming it is ONLY possible to change 1 into 0, AND NOT
the other way around.
Combining 1. and 2., you can conclude that to unscramble the word it is enough
to program the lower 7 bits to 0 (b=0), which makes:
for equation 1. if b=0
s1 = a NXOR 0 = NOT a
s1 = NOT a 2.)
----------
equation 1. can be written as
s = (NOT a) XOR b   3.)
-----------------
Combining equations 2 and 3
s = s1 XOR b 
b = (s XOR s1) AND 127  4.) (AND 127 keeps the lower 7 bits)
======================
a = (NOT s1) AND 127
====================
The original word is:
w = a*128 + b  
        ********************************************************
        *  w = ((NOT s1) AND 127)*128 + ((s XOR s1 ) AND 127)  *
        ********************************************************
--------------------------------------------------------------------
"s" is obtained by simply reading the PIC.
Obtaining "s1" is a problem.
Some PICs (16c71,61,.) allow writing into the first 64 words, so it is enough
to write 3f80h (11 1111 1000 0000 bin) into each of these words,
thus making b=0.
The rest of the memory is protected from writing, so it is necessary
to find a way to do it somehow.
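The derivation above as a software model, added here as an example and not taken from CrackPic: it shows that the scrambled readout hides nothing once s and s1 are both known. The function names are hypothetical, the EPROM write is modelled as a bitwise AND, and 0x1234 is a constructed sample word.

```c
#include <stdint.h>
#include <stdio.h>

#define WORD_MASK 0x3FFFu  /* 14-bit program word */
#define LOW7      0x7Fu    /* 127: mask for one 7-bit half */

/* Equation 1: a protected read returns s = a NXOR b (7 bits). */
static uint16_t scrambled_read(uint16_t w) {
    uint16_t a = (w >> 7) & LOW7;   /* higher 7 bits */
    uint16_t b = w & LOW7;          /* lower 7 bits  */
    return (uint16_t)(~(a ^ b)) & LOW7;
}

/* EPROM programming can only turn 1 into 0, so a write acts as an AND. */
static uint16_t eprom_program(uint16_t cell, uint16_t value) {
    return cell & value & WORD_MASK;
}

/* Boxed formula: w = ((NOT s1) AND 127)*128 + ((s XOR s1) AND 127). */
static uint16_t recover_word(uint16_t s, uint16_t s1) {
    return (uint16_t)(((~s1) & LOW7) * 128u + ((s ^ s1) & LOW7));
}

/* Check the formula against every 14-bit word; returns the mismatch count. */
static unsigned count_mismatches(void) {
    unsigned bad = 0;
    for (uint32_t w = 0; w <= WORD_MASK; w++) {
        uint16_t s    = scrambled_read((uint16_t)w);
        uint16_t cell = eprom_program((uint16_t)w, 0x3F80u); /* forces b = 0 */
        uint16_t s1   = scrambled_read(cell);
        if (recover_word(s, s1) != w) bad++;
    }
    return bad;
}

int main(void) {
    uint16_t w  = 0x1234u;  /* constructed sample word */
    uint16_t s  = scrambled_read(w);
    uint16_t s1 = scrambled_read(eprom_program(w, 0x3F80u));
    printf("w=%04X s=%02X s1=%02X recovered=%04X mismatches=%u\n",
           w, s, s1, recover_word(s, s1), count_mismatches());
    return 0;
}
```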
I accidentally discovered the way to write the following word into the 
