NEC 78K0 - reading program from chip

Hi There

I'm using a UPD78F0103, with the PG-FP4 programmer. I have a requirement to read the code from a chip in an old board that we need to upgrade. I know that officially the code cannot be read from these chips, but has anyone heard of a way by which this could be done?

Many thanks, Steve


Steve Krenek

Short of decapsulating the chip, it can't be done. The flash programming system is apparently actually a little masked program on the main section of the die. It can't send data back to the host at all. In fact the only way to verify a chip is by sending the same data twice and having the target system do the verification.

larwe

Does the bootloader tell you as soon as there's a byte mismatch? If so, it's fairly straightforward to write a program that can work out the contents of each byte, one at a time. On the average, it takes roughly 64*n times as long as doing a "normal" verify (where n is the number of bytes), but if you can leave it running overnight, it should be doable. If you can start the verify at points other than the beginning of memory, then this improves considerably, approaching 128 times as long as a normal verify.

-- Dave Tweed

David Tweed

In article , David Tweed writes:
|> Does the bootloader tell you as soon as there's a byte mismatch?
|> If so, it's fairly straightforward to write a program that can
|> work out the contents of each byte, one at a time.

Does anyone by chance know some "secret" verification process of R6500/11 microcontrollers? Those employ a 3kB mask-programmable ROM area -- I guess correct function/programming is tested after assembly of the entire chip and not only on die level.

Rainer

Rainer Buchty

It's not documented, but verifying a chip full of 0x00 against a file full of 0xFF takes the same time as verifying a chip full of 0x00 against a file full of 0x00.

larwe
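An added illustration, not code from any poster in this thread and not the 78K0's actual flash-programming routine, of why the question about early mismatch reporting decides whether a verify command protects the contents. Both verify functions are hypothetical models and the `FLASH` bytes are constructed sample data: model A reports the first mismatching position, model B always scans the whole block and returns a single pass/fail result, which is the design a bootloader author wants.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define N 8
/* Constructed sample "flash" contents; not data from any real device. */
static const uint8_t FLASH[N] = {0x12, 0x00, 0xFF, 0x7A, 0x03, 0x80, 0x41, 0x9C};

/* Hypothetical verify A: stops at the first mismatch and reports where.
   Returns the index of the first differing byte, or N if all match. */
size_t verify_early_exit(const uint8_t *host) {
    for (size_t i = 0; i < N; i++)
        if (FLASH[i] != host[i]) return i;
    return N;
}

/* Hypothetical verify B: always scans the whole block and returns one
   pass/fail bit, so neither position nor duration depends on the data. */
int verify_block(const uint8_t *host) {
    uint8_t diff = 0;
    for (size_t i = 0; i < N; i++) diff |= (uint8_t)(FLASH[i] ^ host[i]);
    return diff == 0;
}

/* Against verify A each byte is confirmed independently, so the cost is
   at most 256 calls per byte. Fills out[] and returns the call count. */
unsigned long calls_to_recover_A(uint8_t *out) {
    unsigned long calls = 0;
    memset(out, 0, N);
    for (size_t i = 0; i < N; i++)
        for (unsigned g = 0; g < 256; g++) {
            out[i] = (uint8_t)g;
            calls++;
            if (verify_early_exit(out) > i) break; /* byte i confirmed */
        }
    return calls;
}

/* Against verify B, count the guesses for byte `pos` (rest zero) that pass.
   Zero means no single-byte guess is distinguishable from any other. */
int passing_guesses_B(size_t pos) {
    uint8_t host[N] = {0};
    int pass = 0;
    for (unsigned g = 0; g < 256; g++) {
        host[pos] = (uint8_t)g;
        pass += verify_block(host);
    }
    return pass;
}
```

With model A the work grows linearly with the image size; with model B a guess only succeeds when the entire block is right, so the search space is 256 to the power of the block length.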

Well, it's not a straightforward case as the bootloader doesn't have a readback facility. The verify operation can be applied to a relatively large group of data (something like 128 or 256 bytes). There are several ways of extracting the code but they require well qualified engineers and special knowledge. The whole story of various security protections and attacks on microcontrollers is in the book called "Semi-Invasive Attacks - A New Approach to Hardware Security Analysis". It won't help you to solve the problem but it'll give you some idea on how it can be done. Alternatively, there are some commercial companies around the world which provide a code extraction service if you can prove good intentions.

Sergei

Sergei Skorobogatov

No hits on this title. ISBN or author / publisher, please?

I recall a recent book with a section on this topic, but I'm not finding it at the moment.

Richard H.
