Siemens SAB 80C537 Reverse Engineering

Is there someone or company that can handle reverse engineering of a LOCKED 80C537 in a reasonable amount of time?

lonari

If I am not mistaken you are asking somebody to steal intellectual property by hacking a protected program. Please do not post here!

Schwob

An Schwob in the USA

More likely, it's a company where the original design engineer has left and no one knows what's going on.

Dan

Dan N

You might be mistaken. My company, for example, sells a device [link] which is also produced by someone else [link]. I have sold that company 100 microcontrollers with code 7 or 8 years ago. They are still selling this device, so I bought one and compared the timing of the signals and they matched my device. But I would love to be able to read the contents of their micro to be 100% sure that they copied my microcontrollers, which were inadvertently unlocked..... So that would be a perfectly legal case.

Meindert

Meindert Sprang

The manufacturer of the board went bust and we are trying to make 1 or 2 sets for standby. Do you know it cost a bomb just to make 2 boards compared to like 200? I wish I could make 50,000 pieces and sell them too since there's nobody around to sue us, but that's not our objective. Moreover, nobody would want this application-specific board anyway.

But anyway, I do not have much knowledge of this chip (Siemens SAB 80C537-16-N). Is it programmable and lockable? If it is, how hard is it to reverse engineer it?

rivest

The 80C537 uses external rom only, so there's no need to reverse engineer this chip. There should be a PROM or EEPROM on your board that contains the code.

Meindert

Meindert Sprang

In article , An Schwob in the USA writes

Please do not top post.

There are MANY reasons why someone needs to get into a locked system. Very often where the original programmer has left and the notes have disappeared.

Other times one company has bought out the IP from another. If the staff at the original company are not being taken on they tend to "lose" all the documentation before the handover. I have known this happen several times.

In the case of a local car company I understand the R&D team spent a couple of days shredding and burning all paperwork and reformatting the hard disks. It was even suggested they overwrote all the backups with the new reformatted balk data.

However there are also many times when it is hacking for illegitimate reasons. You have to satisfy your own moral and professional standards in each case as to whether you will help or not.

Though as the 537 is all external memory I can't see how it can be locked... unless they have scrambled the address and data lines.

The 537 is a rather old discontinued part that has not been for new designs for many years so it is likely to be an old system and probably not something leading edge worth hacking unless it is your own system.

--
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills  Staffs  England     /\/\/\/\/
/\/\/ chris@phaedsys.org      www.phaedsys.org \/\/\
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Chris Hills


Most likely it will, but it may not be much use to you unless you use it with a 537. Although it's basically an 8051 variant it does have some unique hardware.

cbarn24050

question is how hard is it to get the code out? Would a $45 universal prommer do the job?

Any Eprom Programmer will do.

Infineon even has a disassembler somewhere in their download section for the 8 bit controllers. User Manuals for the 537 are available as well.

see [link] for more info/goodies

grtnx /jan

wrote in news post news: snipped-for-privacy@z14g2000cwz.googlegroups.com...

Jan Homuth

Not. Plug it in a programmer and press READ

Yep. EPROMS have no protection mechanism.

Meindert

Meindert Sprang

Thanks for all the help guys. Being a noob in embedded stuff, I've learnt a lot from this post alone.

This also led me to another question. So how does one protect their code?

lonari

In article , snipped-for-privacy@gmail.com writes

You don't. In the vast majority of embedded systems the software is of little use without all the hardware it is attached to. What is more most of it only works with the specific hardware it is attached to.

Added to that without the source code it is a long tedious job to work backwards from 64K of assembler to flowcharts and an understanding of the system.

It would have to be something VERY special to warrant that sort of effort. Either that or you are about to pirate the whole system and mass produce your own.

Chris Hills

By using a microcontroller with internal ROM/FLASH for instance, which usually has some form of protection like lock-bits that prevent readout of the controller by a programmer.

Meindert

Meindert Sprang

Dear all, I have a wind-turbine that is equipped with a Siemens 80c537 CPU based PLC, named Sentic convoy 537. Seems that today nobody is able to interact with this PLC. I have recognized the eprom (AMD 27c512). I need to modify a functional parameter (the rotor rpm set): can anyone suggest how to do that?

I have an eprom programmer and I can read the eprom content. But I need further help to do my job....

Please, can anyone help me?

Thank you!!

gldiana

I am Jack's complete lack of surprise.

[link]

and a UV EPROM eraser.

--
Les Cargill
Les Cargill
