HW key, reading out a PIC

internet mail at onicom.sk
Tue Mar 4 23:06:24 CET 2003

CC/AAA  Even a locked PIC can be unlocked, or I can copy a locked PIC with a
professional copier for 80 USD - both options work ....

PICBUSTER - Details Released On Internet

For a long time, some of the most frequently asked questions on Special
Projects were about Picbuster. Was it a program? Was it a device? Did it
really exist? The answer has been given in a Usenet message. It is
essentially a Welsh Poet - Dai Ode. In other words, it is a diode.

The standard method of popping a PIC was to actually remove the top of the
chip and re-engineer the fuse. The method described opposite is effectively
the cheapest solution. Of course other methods exist.

The standard result when the fuse is reset is that the complete memory of
the PIC16C84 is reset. In the normal programming mode there is a large
difference between the programming voltage (approx 13.8 Volts) and the
supply voltage (5 Volts). In the Picbuster as described opposite, the
recommended difference is approximately 0.5 V. The voltage drop across the
diode is 0.6 to 0.7 V. The 0.5 V voltage differential may not be enough to
reset the entire memory but is enough to allow the fuse to be reset.

The publication of this information on the Usenet does provide other
problems. Most of the pirate smart cards in use at the moment are based on
the PIC16C84. The widespread knowledge of how to hack these chips means that
the market can become over-saturated with pirate cards.

To date the pirate cards have been upgraded in a trickle-down manner. A few
companies at the top of the chain figure out the fix for the new ECM and
implement it. The details of the fix are then sold on down the chain until
finally the whole market has been upgraded. In effect it is almost feudal.

It would be easy to think that this would benefit the hacked channels more
than the pirates. That would of course be wrong. The net result of the
publication is that the knowledge of the system is spread more widely than
before. Therefore the more people who understand the system, the quicker the
turnaround between ECM and fix.

The widespread availability of the knowledge to pop the PIC16C84 is making
some pirate card manufacturers rethink their strategy. One notable change
has been the Benedex - Futuretron Battery card. This card uses the Dallas
Micros chip rather than one from the PIC16* series. Another option is the
reprogrammed Sky 09 card (see separate story in this issue).

The PIC16C84 is widely used. In some applications it is used to control
electronic locks such as those used on some of the more up-market cars.
There was a court case in the UK last year where the defendant was convicted
for having in his possession a device that snatched the RF data from these
electronic keys and replayed it to open the locks. The use of Picbuster could
be dangerous if it showed that there was a backdoor code (bad pun) that could
be used by garages in the event of the car owner losing his electronic key.

It is almost certain that Arizona Microchip have implemented some sort of
modification to the PIC16C84 die. This modification would of course take some
time to filter into the market. Most of the pirate cards at the moment are
recycling the PIC16C84 chips from 07 pirate cards. There have been some
rumours that the Picbuster does not work with some of the more recent 1995
batches.
CC/AAA

This is the Usenet Message that gave the details of PicBuster.

Article: 16241 of alt.satellite.tv.europe
Newsgroups: alt.satellite.tv.europe
From: Lester at bannold.demon.co.uk (Lester Wilson)
Reply-To: Lester at bannold.demon.co.uk
X-Newsreader: Newswin Alpha 0.7
Lines:  86
X-Posting-Host: bannold.demon.co.uk
Date: Wed, 26 Apr 1995 07:27:50 +0000
Sender: usenet at demon.co.uk
> lester may i ask a question just how secure is a pic chip when
> the security fuses have been blown ?
> --

In my opinion the PIC16C84 is secure enough to prevent the casual
reading of protected code. I think that this subject has been
covered in other discussions in this group in the not too distant
past. I have many private emails from persons claiming to have had
success in reading data from a code protected PIC16C84. I myself
am convinced that it is possible, so are many others, but each to
his own. I do not condone or encourage the reading of copyright
protected code by unauthorised persons. It is achievable in many
ways, one of which was emailed to me some time back by a satisfied

___addresses deleted___________________________________

Hi Lester,
______________________more deleted stuff________________________________

The PIC chip (PIC16C84) can in fact have its program and data
memory read after the config fuses have been set to code
protection on.

Try the following:
Write some code to the chip with the code protection set to "ON".
Read back to verify that the protection has indeed come on.
Now  set  Vdd ( pin 14 ) to Vpp-0.5v,  (Programming  voltage  less

Set config fuse to "OFF" and reprogram config fuse.

Now set Vdd back to normal, +5v.

Power off the programmer.

Wait 10 to 20 sec.

Power back on the programmer. (VDD at + 5V)

Read the Pic.... and hey presto, data in unprotected format should
now be available.

_________________________stuff deleted____________________________

This is experimental only and no liability will be accepted for
any loss of data.
_____________lots and lots more deleted stuff_____________________

By revealing the above I hope that you are satisfied (though I
doubt it), I will not be replying to further questions on the

The above mail has been reproduced without the specific
permission of the sender, however I believe that since the mail
was sent to me with no request for confidentiality I am within my
rights to display my personal mail.

The information imparted is I believe in the PUBLIC DOMAIN, I did
not invent or discover it myself.

I have used methods SIMILAR to the above to achieve the same
Best Regards

Pandora - http://www.pandora.cz/

> Forwarding a note that appeared in a conference on SmartCards
> Q: How can a 16C84 be read out?
> A: Have a look at DEJAN's pages. He even had some software for it there.
>   Principle: at the moment some value is written to flash, one of the
>   pins momentarily reveals the original value. -> you only get one attempt
>   :-))) Dejan describes it in more detail...
> Hope this helps someone :-))
> On 4.3.2003 at 18:12 Jiří Krul wrote:
> |As someone here already said, it's all just a question of money. On the
> |internet I found several companies that claimed they can read out
> |even a locked PIC; if I remember correctly they wanted several hundred USD
> |for it, I think 500 USD.
> |
> |I'd be quite curious how they do it.
> |
> |
> |----- Original Message -----
> |From: "Jaroslav BUCHTA" <buchta at compelson.cz>
> |To: <hw-news at list.gin.cz>
> |Sent: Tuesday, March 04, 2003 11:25 AM
> |Subject: Re: HW key
> |
> |
> |> Just to clarify,
> |> It's clear that, where possible, the ideal route is the reverse one, i.e.
> |> examining the application SW, and in such cases the HW key is, in my
> |> opinion, really ...
> |> Here, however, it is a device with who-knows-what hardware, and the SW is
> |> in a card resembling PCMCIA (but larger); the device is sealed and costs
> |> a fortune.
> |> Moreover the key is apparently tied to a specific SW serial number and
> |> can be reprogrammed for different SW / a different set of functions (so
> |> it is somehow parametrised via the EEPROM)
> |> The point was that the card probably holds the complete SW and the key
> |> enables menu items...
> |> it seems they really have it well done; I'll leave it alone.
> |> (I assume they didn't forget to lock the PIC, otherwise I would ...
> |>
> |> ----- Original Message -----
> |> From: "Jiří Krul" <jKrul at seznam.cz>
> |> To: <hw-news at list.gin.cz>
> |> Sent: Tuesday, March 04, 2003 10:03 AM
> |> Subject: Re: HW key
> |>
> |>
> |> > Maybe you should have written which SW it is and who makes that HW
> |> > From that information one might then reach some conclusion, maybe :-)))
> |> >
> |> ....
> |>
> |>
> |>
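
As an added example (not code from the original post, from Lester Wilson's
correspondent, or from Microchip), here is a bit-level view of what a
programmer actually sends for the "set config fuse to OFF and reprogram config
fuse" step of the Picbuster procedure quoted above, together with a toy model
of the article's explanation: clearing CP normally wipes the whole memory, but
with Vdd lifted to Vpp - 0.5 V the wipe fails while the fuse still clears. The
6-bit command codes, the 16-clock data frame and the 0x2007 configuration
address follow the PIC16C84 serial programming specification. The CP fuse is
taken to be bit 4 of the configuration word (later 16F84 parts spread CP over
bits 13:4), and the 3 V erase margin, the all-zero read-back of a protected
part, and the sample firmware words are assumptions of the model, marked as
such in the comments. Nothing here touches hardware; the "wire" is a list of
bits.

```python
# PIC16C84 ICSP command codes: 6 clocks on RB6, command bits LSB first on RB7.
CMD_LOAD_CONFIG = 0b000000  # set PC to 0x2000 and latch a 14-bit word
CMD_LOAD_PROG   = 0b000010  # latch a 14-bit word for the current address
CMD_READ_PROG   = 0b000100  # read the word at the current address
CMD_INC_ADDR    = 0b000110  # PC += 1
CMD_BEGIN_PROG  = 0b001000  # write the latched word to the current address

CONFIG_ADDR = 0x2007
CP_OFF = 1 << 4             # CP fuse taken as bit 4 of the config word; 1 = protection off


def encode_command(cmd):
    """Bits as they appear on RB7 over the 6 command clocks (LSB first)."""
    return [(cmd >> i) & 1 for i in range(6)]


def encode_data(word):
    """Data frame: 16 clocks = start bit 0, 14 data bits LSB first, stop bit 0."""
    return [0] + [(word >> i) & 1 for i in range(14)] + [0]


def decode_data(bits):
    """Recover the 14-bit word from a 16-clock frame; reject a malformed frame."""
    if len(bits) != 16 or bits[0] != 0 or bits[15] != 0:
        raise ValueError("bad 16-clock data frame")
    return sum(b << i for i, b in enumerate(bits[1:15]))


def unprotect_frames(config_word):
    """The frames behind 'set config fuse to OFF and reprogram config fuse'.

    Load Configuration points the PC at 0x2000; seven Increment Address
    commands reach 0x2007; the new word is latched and programmed there.
    """
    new_cfg = (config_word | CP_OFF) & 0x3FFF
    frames = [("LOAD_CONFIG", encode_command(CMD_LOAD_CONFIG) + encode_data(new_cfg))]
    frames += [("INC_ADDR", encode_command(CMD_INC_ADDR))] * (CONFIG_ADDR - 0x2000)
    frames.append(("LOAD_PROG", encode_command(CMD_LOAD_PROG) + encode_data(new_cfg)))
    frames.append(("BEGIN_PROG", encode_command(CMD_BEGIN_PROG)))
    return new_cfg, frames


class ModelPic16c84:
    """Toy model of the part's code-protection behaviour (assumptions, not a datasheet).

    What the page states: clearing CP normally wipes the whole memory, and the
    wipe fails when Vdd sits only about 0.5 V below Vpp.  The model assumes the
    erase needs Vpp - Vdd >= ERASE_MARGIN volts while the fuse write does not,
    and that a protected part reads back as all zeros.
    """
    ERASE_MARGIN = 3.0   # assumed: the page only says 13.8 - 5 V erases and 0.5 V does not

    def __init__(self, program, config_word):
        self.program = list(program)
        self.config = config_word & 0x3FFF

    def protected(self):
        return not (self.config & CP_OFF)

    def read_program(self):
        return [0] * len(self.program) if self.protected() else list(self.program)

    def write_config(self, new_cfg, vdd, vpp):
        clearing_cp = self.protected() and bool(new_cfg & CP_OFF)
        if clearing_cp and (vpp - vdd) >= self.ERASE_MARGIN:
            self.program = [0x3FFF] * len(self.program)   # bulk erase: the code is gone
        self.config = new_cfg & 0x3FFF


def dump_after_unprotect(chip, vdd, vpp=13.8):
    """Run the unprotect sequence at the given Vdd, then read program memory back."""
    new_cfg, frames = unprotect_frames(chip.config)
    # Wire-format check: the word carried in the LOAD_CONFIG frame is the one we meant.
    assert decode_data(frames[0][1][6:]) == new_cfg
    chip.write_config(new_cfg, vdd=vdd, vpp=vpp)
    return chip.read_program()


if __name__ == "__main__":
    firmware = [0x3000, 0x0085, 0x2800]           # constructed sample program words
    cp_on = 0x3FFF & ~CP_OFF                      # erased config word with CP asserted
    print(ModelPic16c84(firmware, cp_on).read_program())                   # protected: zeros
    print(dump_after_unprotect(ModelPic16c84(firmware, cp_on), vdd=5.0))   # normal Vdd: erased
    print(dump_after_unprotect(ModelPic16c84(firmware, cp_on), vdd=13.3))  # Vpp - 0.5 V: code survives
```

The three calls at the bottom reproduce the article's argument in order: a
protected part gives nothing to a plain read, unprotecting it at the normal
5 V supply erases the code along with the fuse, and unprotecting it with Vdd
held 0.5 V under Vpp leaves the code readable. Only the frame encoding is
taken from the programming specification; the voltage behaviour is the
model's assumption and says nothing about what a particular 1995 batch does.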
