#9448 - RE: serial eproms
02/18/01 18:03
Tom Bachmann wrote:
-------------------------------
Interesting comment on writing 00s to unused internal CPU program memory.
- - - - - - - - - - - - - - - -

The reason for writing 00s is to deny someone from later using those idle FF bits to add in a RIDER routine. The process on most OTP storage is that you start with a blank chip of all FFs and when you burn it, you selectively turn some 1s into 0s to form the machine code.

If you've dealt with an IP cracking firm, you'll notice that they request 2 or 3 copies of the target microcontroller (you may have to buy three products and desolder them). I'll explain why.

* * * I'll skip past how they get in, if in fact they do at all. :) * * *

So at this stage, we have a hypothetical ability to overwrite any location in OTP codespace BUT we can't read any of it. This seems like a safe paradox and we could go no further... but hackers are not easily turned away.

The problem is to load your own bootstrap program (the RIDER) to dump memory out the serial port or an IO pin to a waiting PC for accumulation and disassembly. If you get your tiny RIDER program written into codespace (and you can't read it back to validate), you must next have the original codespace effectively branch to your RIDER so it can initialize and dump the codespace. The dump will include both the RIDER and SKID portion and the undisturbed portion. Sounds like it requires a mindreader, doesn't it? It doesn't. It's easy.

Here are some of the characteristics that ASSIST the process.

ONE, assemblers and compilers and chip programmers do not bother zeroing out unused codespace. This means that there are a lot of unburned bits out in code space that can still be selectively blown to create codespace for the RIDER.

TWO, microcontroller designers have an uncontrollable urge to designate the 00 opcode as a NOP. It appeals to their sense of super-symmetry. :)

ONE above means that you place your RIDER code in high memory where you have the best chance of finding unused bits of FFs to blow. Once you have your RIDER installed, you need the running microcontroller that powers up at 0000h and initializes to enter your far and away addressed RIDER routine. Can you see how to do it? :)

TWO above is the key of course. Starting just below your rider program you zero out a giant piece of codespace, which can be even as much as half that available. This is called the SKID. It doesn't matter that you just obliterated some of the original codespace for good; that's what the second and third microcontroller is provided for. Usually zeroing out the top third of memory yet below your RIDER is sufficient. All that has to happen is for any otherwise existent program, subroutine, or interrupt service routine to be called, jumped to, or whatever in that now zeroed codespace. Think what happens now that it's zeroed out. It's all NOPs. The program counter will load and NOP consecutively, addressed byte by addressed byte, until it effectively SKIDS into the waiting RIDER routine, which then reinitializes and starts dumping what's left in the original codespace.

In the first pass you may get about 2/3 of the code space and the zeroed portion you created. You disassemble the codespace and precisely find an existing codespace byte that can have 1s converted into 0s to create a jump to the high memory RIDER for the second pass. Usually this is trivial because (point THREE) programmers often leave a lot of unused FFs around the interrupt vector space. This means with the second provided target microcontroller, you simply NOP-out the initial jump vector at 0000h and NOP-out the beginning codespace until you get a nice few bytes to make into a jump to the rider. The FFs left around the interrupt vectors are almost always available. This second pass operation gives you the remaining block that was zeroed in the first pass.

There are a few advanced handling aspects, for locating your rider in different locations per pass, but the third provided target microcontroller usually provides enough data to grab the complete code.

Of course, this is made more difficult by zeroing out the unused codespace. Actually, another bit pattern is probably more advantageous than 00, because 00 creates a SKID while making a RIDER much harder to place. None of this would be possible if the chip manufacturer correctly prohibits any code from being added after the security bits are blown. I couldn't say whether they do or not. :)

aka j
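An added build-time audit, not code from the post or from any toolchain it mentions, for the gap the post's point ONE names: it parses the build's Intel HEX output into a full OTP-sized image, reports the long 0xFF (unburned) and 0x00 (NOP) runs the post describes, and tiles a fill pattern over every address the build never wrote, so the programmer burns the whole part rather than leaving idle FFs. The sample hex, the 512-byte part size and the fill pattern used in the usage note are constructed assumptions; the choice of fill byte sequence for a given core is the reader's.

```python
def parse_ihex(text, size):
    """Apply Intel HEX records to a blank (all 0xFF) OTP image; return (image, written)."""
    image, written, base = bytearray([0xFF]) * size, bytearray(size), 0
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(":"):
            continue
        rec = bytes.fromhex(line[1:])
        if sum(rec) & 0xFF:                      # record bytes must sum to 0 mod 256
            raise ValueError("bad checksum: " + line)
        count, addr, rtype = rec[0], int.from_bytes(rec[1:3], "big"), rec[3]
        data = rec[4:4 + count]
        if rtype == 0x00:                        # data record
            a = base + addr
            if a + count > size:
                raise ValueError("record past end of part at %#06x" % a)
            image[a:a + count] = data
            written[a:a + count] = b"\x01" * count   # remember what the build wrote
        elif rtype == 0x02:                      # extended segment address
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:                      # extended linear address
            base = int.from_bytes(data, "big") << 16
        elif rtype == 0x01:                      # end of file
            break
    return image, written

def runs_of(image, value, min_len=16):
    """(start, length) of each run of byte `value` >= min_len long (0xFF: unburned, 0x00: NOP sled)."""
    runs, i, n = [], 0, len(image)
    while i < n:
        j = i
        while j < n and image[j] == value:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j if j > i else i + 1
    return runs

def pad_unwritten(image, written, pattern):
    """Tile `pattern` (reader's choice; assumed here) over every address the build left blank."""
    out = bytearray(image)
    for a in range(len(out)):
        if not written[a]:
            out[a] = pattern[a % len(pattern)]
    return out

# Constructed sample: LJMP 0100h at the reset vector, a 5-byte loop at 0100h, 512-byte part.
SAMPLE_HEX = ":03000000020100FA\n:0501000075805580FE32\n:00000001FF\n"
PART_SIZE = 0x200
```

With `img, wr = parse_ihex(SAMPLE_HEX, PART_SIZE)`, `runs_of(img, 0xFF)` reports the two unburned gaps, and after `pad_unwritten(img, wr, b"\x02\x00\x00")` (an assumed fill) neither `runs_of(..., 0xFF)` nor `runs_of(..., 0x00)` finds a run of 16 or more.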