02/15/01 19:10

#9381 - RE: serial eproms
Tom Bachmann wrote:
-------------------------------
We use serial EEPROMs in several applications. Used to store phone numbers, user profiles, timer settings, etc.

- - - - - - - - - - - - - - - -
I first used them back in 1984 before the specifications were available; you can imagine the fun I had discovering the special end-of-read switch. :)

Tom Bachmann wrote:
-------------------------------
Interesting comment on writing 00's to unused internal CPU program memory.

- - - - - - - - - - - - - - - -
I started hacking computers about 25 years ago but stopped years later when they made it illegal. With that experience and some gained messing around in cryptanalysis, I developed an unusual gift for spotting vulnerabilities many would miss.

I learned too that there are two basic types of minds: those that are good at thinking up systems and others that are good at anti-thinking them. For example, in encryption, the mathematicians that think them up become so convinced of their created security that they become completely blind to its vulnerabilities. It takes a different type of mind to spot them. Luckily they team them up in professional situations.

This two-mindset split applies here to chip manufacturers' understanding of IP security features. They put in a reasonable protection IN THEIR VIEW because they don't know how anyone would attack their system. This is dangerous if you need their micros to protect your IP.

I wrote to a major 8051 manufacturer about a security bug I perceived in their FLASH unit and had a series of correspondence as it kept getting bumped higher and higher. Because they didn't really understand the hacker approach, their design added the ability to append new code after the security bits had been set (it took a trick to get there).

They phoned to assure me that once the security bit was set, the code would not be presented to the outside pins and therefore no programming unit could be used to read the protected code. We were on the phone and I responded, "You don't get it... I don't care about that, because you allowed me to link in some new program in FLASH, and now I'm going to use the MOVC command to read all that protected codespace into the accumulator a byte at a time and pipe it right out the serial port to my waiting computer."

DEAD SILENCE ON THE PHONE.

A couple of weeks later I got a letter from their lawyers denying that a vulnerability I **DIDN'T** suggest, didn't exist in the chip. I considered that good lawyering... confuse the target with an accurate denial and hope he didn't realize the true denial had nothing to do with the actual vulnerability. :)

Needless to say, I didn't use their FLASH 8051 product, and though they never admitted anything, they obsoleted the part in a few months and said a new part would be available 6 to 9 months later.

Around the office we chuckled and hoped they'd hire us as contractors so they could buy our silence. We had our Porsches picked out. :)

Now legally I have to say here that I BELIEVE their denials and so don't make any inferences about the quality of any of their products. :)

Now, we could extend this chip-hacking discussion to ways to overwrite codespace 1 bits into 0 bits to change opcodes into links to appended codespace that could then collect a partial codespace dump for planning an even better second-pass attack to get the remaining codespace dump.

NAWWWW! Better to stick with OTP in production and FLASH only for the development lab.

aka j
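The readout described in the post above, written out as an added example that is not part of the original post or of any vendor's code: an 8051 stub which, once it has been appended to flash after the lock bit is set and given control, walks the whole 64 KiB code space with MOVC and pushes every byte out the on-chip UART. The ORG address, the clock (11.0592 MHz) and the Timer 1 reload value for 9600 baud are assumptions; the post names neither the part nor the trick used to link the stub in, and this example does not supply either.

```asm
; Constructed example: dump the entire 8051 code space over the UART.
; Assumes 11.0592 MHz crystal, 9600 baud, and that this stub was appended
; at 0F000H and is entered at START (how control gets here is not shown).
        ORG     0F000H
START:  MOV     TMOD, #20H      ; Timer 1, mode 2 (8-bit auto-reload) as baud generator
        MOV     TH1, #0FDH      ; 9600 baud at 11.0592 MHz with SMOD = 0 (assumed clock)
        MOV     TL1, #0FDH
        MOV     SCON, #50H      ; UART mode 1 (8-bit, variable baud), receiver enabled
        SETB    TR1             ; start Timer 1
        MOV     DPTR, #0000H    ; begin at the bottom of code space
LOOP:   CLR     A               ; MOVC adds A to DPTR, so A must be 0 for a plain fetch
        MOVC    A, @A+DPTR      ; read one byte of (lock-bit "protected") code space
        ACALL   TXBYTE          ; and send it out the serial port
        INC     DPTR
        MOV     A, DPL
        ORL     A, DPH
        JNZ     LOOP            ; DPTR wraps to 0000H after 65536 bytes: done
HALT:   SJMP    HALT            ; park here; the host now holds the whole image
; Send the byte in A and wait for the transmitter to finish.
TXBYTE: MOV     SBUF, A
        JNB     TI, $           ; spin until the TI flag says the byte is out
        CLR     TI
        RET
        END
```

On the host side nothing more than a terminal program logging raw bytes is needed; the dump includes the stub itself, which is harmless. The stub only works because the lock scheme the post describes gates the external programming interface and nothing else: in-chip MOVC reads still see the protected bytes. Parts whose protection also fences MOVC so that code in an unprotected region cannot fetch from a protected one defeat this particular readout, which is the check worth making in the datasheet before trusting a lock bit with anything valuable.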


