Hacking the PIC 18F1320

I thought it would be fun to try out some of the hacking techniques I had heard about on the PIC series of microcontrollers. PIC microcontrollers typically come with a set of “configuration fuses” that include settings to prevent the modification or readback of certain regions of memory. Quite often, a legitimate need arises to read out the contents of a secured, programmed PIC. A typical example is a company that has lost the documentation or the personnel that originally created the code for a secured PIC. This often happens when a company needs to revise or upgrade a legacy line of products.

I scored four PIC18F1320s from Joe’s stash (it’s nice having lots of fellow hackers in San Diego) and started stripping them down. This is what a PIC18F1320 looks like in its native state:

The first thing to do is to take the top off so you can see the silicon within. While there are many homebrew techniques for doing this, they typically involve the application of fuming nitric or sulfuric acid. Neither of these is a compound you would want to have around your home, nor are they easy to obtain, since nitric acid in particular is an important compound for explosives fabrication. I’ve found that the easiest and most reliable way to do this is to just send the part to a failure analysis lab, such as MEFAS, and for about $50 and a two-day wait, you can have a decapped part in your hands. For this project, I decapped three parts in total; two were functionally decapped (silicon revealed with the device still in its lead frame, fully functional), and the last one was fully decapsulated so that it was just a bare silicon die with no package at all. The last die was fully decapsulated because my inspection microscope has a very short working distance at its highest magnifications.

A little sweeping around the die revealed several prominent features, as shown below:

The above annotations are my best guesses at what various structures do; I could be wrong, and if you happen to have anything to share, please do post a note!

One set of structures grabbed my attention immediately: a set of metal shields over transistors, following a regular pattern that had about the right number of devices to account for all the security bits. Full metal shields covering a device are very rare in silicon, and like a big X marking the spot, they draw attention to themselves as holding something very important.

Let’s think a little bit more about this metal shield. What is its significance? First, let’s review some interesting facts about FLASH technology (the type of memory technology used in this PIC device to store the security fuse information). FLASH technology uses a floating-gate transistor structure very similar to that found in the old UV-erasable EPROM technologies (remember the days of the ceramic-packaged 2716s with quartz windows?). Data is stored in both FLASH and UV-EPROM devices by causing electrons to tunnel into the floating gate, where the electrons will remain for decades. The extra electrons residing in the floating gate create a measurable offset in the characteristics of the storage transistor. The difference is that FLASH memory can withdraw the stored electrons (erase the device) using only electrical pulses, whereas a UV-EPROM requires energetic photons to knock the electrons out of the floating gate. The UV light required to accomplish this typically has a wavelength of around 250 nm. This wavelength of UV is a bit difficult to work with, since it requires expensive quartz optics to manipulate without excessive loss.

Here’s the important observation that comes out of these facts: FLASH devices can usually also be erased using UV light since they have a similar transistor structure to UV-EPROM devices. The encapsulation around a FLASH device normally prevents any UV light from effectively reaching the die, but since the PIC devices had the plastic around them removed, I can now attempt to apply UV light to see what happens.

I performed a simple experiment where I programmed the PIC device with a ramping pattern (0x00->0xFF over and over again) and then tossed it in my UV-EPROM eraser for the length of oh, about a good long shower and some email checking. When I took the device out of the eraser, I found that indeed the FLASH memory was blanked to its normal all-1s state, and that the security fuses were unaffected. Significantly, if I did not bake the PIC device for long enough, I would get odd readings out of the array, such as all 0s, a phenomenon that I do not understand. I’m supposing it could be due to some effect involving incomplete erasure and the reference bitlines used to drive the reference leg of the sense amps on the FLASH array. Also note that the UV light works just as well on the EEPROM array.

Clearly, the metal shields over the security fuses were provisioned to thwart attempts to selectively erase the security fuses while leaving the FLASH memory array unaffected.

The picture above illustrates the problem I have (and its solution). In order for the FLASH memory transistor to be erased, high-intensity UV light must strike the floating gate. The metal shield effectively reflects all of the incident light.

However, due to the optical index mismatch at the oxide/silicon interface, light at certain angles will reflect off of the silicon surface. To witness an example of this reflective effect, jump in a swimming pool, submerge your head and look up at the water-air interface. You will note that the water looks highly reflective at an oblique angle. This is due to the index mismatch between water and air causing total internal reflection of light.

This reflection can be used to make the UV light bounce up under the metal shield and back onto the floating gate. Thus, by angling the PIC inside the ROM eraser, I can get enough light to bounce into the FLASH memory transistor region and cause erasure. After a couple of attempts, I developed a technique that seems to work relatively well.


Picture of the chip inside the UV eraser (note blue halo around chip due to active UV lamp). The chip is stuck into the antistatic foam at an angle.

This still doesn’t prevent the UV from erasing the data I want to keep in the program FLASH space. In order to prevent erasure of this data, a hard mask is formed using a very carefully cut piece of electrical tape that was stuck onto the surface of the die using a steady hand, two tweezers, and a microscope. The electrical tape effectively blocks the UV light from directly hitting the FLASH code memory regions, and it also somewhat absorbs light bounced back from the silicon substrate.


Here’s a picture of the die in package with electrical tape over the FLASH rom array.

Using this technique, I was able to effectively reset the security fuses without impacting the FLASH code array too much. The pictures below show the array memory status according to the programming/readback tool I was using. A part of the code array was still erased, but probably some judicious resizing of the electrical tape could fix that problem.


Screenshot of PIC programmer workspace of device settings before erasure. Note settings of security fuses and the values programmed in the FLASH rom in the window behind the fuse window.


Screenshot of PIC programmer workspace of device settings after erasure. Note that security fuses are disabled while the FLASH rom contents in the window behind the fuse window read out identically to what was programmed in previously.
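The before/after screenshots above are a by-eye comparison of the programmed ramp against the readback. The following is an added example (my own code, not from the original post or from Microchip) that does the same comparison in software: it generates the 0x00->0xFF ramp, classifies a readback as intact, fully blank (all 1s), the odd all-0s reading, or partially erased, and lists the address ranges that changed, so you can see how much of the code array a too-small tape mask cost you. The 8 KB array size and the CONFIG5L code-protect bit positions (CP0 = bit 0, CP1 = bit 1, a cleared bit meaning protected) are my assumptions from the PIC18F1320 datasheet, and the sample readbacks are constructed, not real dumps.

```python
"""Compare a PIC FLASH readback against the ramp pattern that was programmed.

Added example, not code from the original post. FLASH_SIZE and the CONFIG5L
bit layout are assumptions taken from my reading of the PIC18F1320 datasheet.
"""

FLASH_SIZE = 0x2000   # assumption: PIC18F1320 has 8 KB of program FLASH
BLANK = 0xFF          # an erased FLASH cell reads back as all 1s


def ramp_pattern(size: int = FLASH_SIZE) -> bytes:
    """The 0x00 -> 0xFF ramp used in the post, repeated to fill the array."""
    return bytes(i & 0xFF for i in range(size))


def changed_ranges(programmed: bytes, readback: bytes) -> list:
    """Contiguous [start, end) address ranges where readback != programmed.

    Note: a programmed 0xFF byte that gets erased still reads 0xFF, so it is
    indistinguishable from an unchanged byte; ranges break at those addresses.
    """
    if len(programmed) != len(readback):
        raise ValueError("programmed and readback dumps differ in length")
    ranges, start = [], None
    for addr, (p, r) in enumerate(zip(programmed, readback)):
        if p != r and start is None:
            start = addr
        elif p == r and start is not None:
            ranges.append((start, addr))
            start = None
    if start is not None:
        ranges.append((start, len(programmed)))
    return ranges


def classify_readback(programmed: bytes, readback: bytes) -> dict:
    """Summarise what an erase did to the array."""
    diffs = changed_ranges(programmed, readback)
    if not diffs:
        status = "intact"
    elif all(b == BLANK for b in readback):
        status = "blank"            # fully erased, the normal all-1s state
    elif all(b == 0x00 for b in readback):
        status = "all_zero"         # the odd under-exposed reading from the post
    else:
        status = "partial"          # e.g. tape mask did not cover the whole array
    changed = sum(end - start for start, end in diffs)
    return {
        "status": status,
        "changed_ranges": diffs,
        "bytes_changed": changed,
        "fraction_changed": changed / len(programmed),
    }


# Assumption: PIC18F1320 CONFIG5L holds CP0 (bit 0) and CP1 (bit 1); a bit
# cleared to 0 means the corresponding FLASH block is code-protected.
CONFIG5L_BITS = {"CP0": 0, "CP1": 1}


def code_protect_state(config5l: int) -> dict:
    """Return which FLASH blocks CONFIG5L marks as code-protected."""
    return {name: not (config5l >> bit) & 1 for name, bit in CONFIG5L_BITS.items()}


def demo_partial_erase() -> dict:
    """Constructed scenario: the last 2 KB were not under the tape and erased."""
    programmed = ramp_pattern()
    readback = programmed[:0x1800] + bytes([BLANK]) * 0x800   # constructed
    return classify_readback(programmed, readback)


if __name__ == "__main__":
    result = demo_partial_erase()
    print(result["status"], f"{result['fraction_changed']:.1%} of array changed")
    for start, end in result["changed_ranges"]:
        print(f"  changed 0x{start:04X}-0x{end - 1:04X}")
    print("before:", code_protect_state(0xFC), " after:", code_protect_state(0xFF))
```

Because a programmed 0xFF byte that is erased still reads 0xFF, the ramp pattern leaves one undetectable byte per 256, which is why the ranges reported for the constructed 2 KB gap come out as eight 255-byte runs; a pattern that avoids 0xFF, or two complementary passes, closes that blind spot.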

And thus one can selectively erase portions of a PIC’s contents. Fun!

41 Responses to “Hacking the PIC 18F1320”

  1. [...] Flylogic Engineering now has an interesting blog up on chip hacking! If you liked the posts on my blog about chip hacking, you may very much enjoy the postings at Flylogic. They’ve actually got a very nice piece up on the PIC18F1320 which reveals new findings about a device that I have some prior familiarity with. I’m looking forward to reading part II of their series! [...]

  2. accusensume says:

    nice to see you on blog

  3. john says:

    no no no nice to see you! on the blog… nigga

  4. Martin says:

    Do you have any idea how code protection fuses are handled in these PICs? I mean, are they read and the data stored in some flip-flop during reset, or are all CPx bits hardwired to logic gates disallowing access to certain areas during ICSP programming?

  5. [...] – a Cautionary Note Safety Protection Guides and Fact about Microcontroller You Should Know Hacking the PIC 18F1320 IC reverse engineering Blog Silicon [...]

  6. Migsantiago says:

    Hi!

    What’s the model of microscope you used Bunnie?

  7. Peter says:

    nice meet you!
    I’m a Korean and working for medical company.
    We have PIC-18F1320_I/SS to reset count.
    Can you reset count data ?
    We will send it to you, if you can.
    I’m waiting for your answer.

    have a good day

  8. Jason says:

    Bunnie, I’m currently working in the UK on a large counterfeit investigation for a lawfirm of a household name in consumer electronics. We could do with your skills on the team can we please make contact? Best regards, Jason

    • BS says:

      He’d be mad if he helped you, sorry to say! The same skills he is sharing here are the ones that could get him in prison… Then again, a lot of people have a price. To those I usually say, “we found a slut, all we need now is the right amount of money!!”

  9. Isaac Padget says:

    Checkout MySwapsCollection.com For a list of crafts made by girlscouts.

  10. mitchell says:

    I just Googled for shields electronics and got your page. Your post Hacking the PIC 18F1320 « bunnie's blog is really nice. Pl. keep posting on shields electronics

  11. Twistedreflex says:

    I have a 16F648A/628A I would like the security feature reset on. Would you be willing to work this chip?

  12. Dominic says:

    I have a pic16c57c-04/p and I tried to read the program, but was unsuccessful. If you can do anything with this chip please contact me.

    • Jack says:

      We can attack the PIC12/16/18/30 series and extract the chip program code. If you need help, you can contact me. You only need to provide me with one or two samples. szjack86@gmail.com

  13. [...] the program of the PIC using any software to load the chip. Here is the link showing how. I will not translate it; anyone who is good at English can refer [...]

  14. Oswaldo says:

    Greetings I wonder if it is possible to read information from a pic or 16f627A 12f627A that are blocked and do that way, if it were so kind to answer a lot would know thank

  15. Sunil says:

    Can anybody copy code from the following MCUs?

    MC9S12XS128MAA
    MC9S12B128
    MB90F867ES

  16. Jack says:

    Hello. We were able to extract the MCU program code, copy the code.For example, AVR, PIC, TI, Freescale, Renesas, etc. If you need any help, please contact us. E-mail: szjack86@gmail.com

  17. David says:

    Hello.
    Could you tell me if the other PIC Devices are hackable in the same way?
    Sincerely
    David

  18. Anand says:

    Hi…
    While we are fusing a program into a PIC 16f877a IC using the WinPic programmer, if the program is successfully fused, WinPic shows “Programming Failed”. My question is, how does WinPic tell? Are there any bits/information coming from the PIC IC to WinPic?

    Please explain to me….

  19. Anand says:

    Hi…
    While we are fusing a program into a PIC 16f877a IC using the WinPic programmer, if the program is not successfully fused, WinPic shows “Programming Failed”. My question is, how does WinPic tell? Are there any bits/information coming from the PIC IC to WinPic?

    Please explain to me….

  20. UliHuber says:

    I have a MB90F562B, can you guys do it? ulihuber@gmx.de

  21. Edu says:

    I have a PIC18F45K20 with read/write software protection. Is there any way to unlock this controller? Can anyone do this for a fee? fiberinternet@gmail.com

  22. edu says:

    I talked to someone from http://www.break-ic.com and for a common circuit PIC microcontroller they asked me to pay 9000usd!!!! It’s not normal, avoid this site and these people! ……… shame

    “Everything they make, we can break” but the price is from another world

    • Linda says:

      Shame on you. The PIC18F45K20 is totally different from the PIC18F1320; the purpose of using the PIC18F45K20 is to prevent guys like you from copying. I did the research: with current technology, 9000usd to get a PIC18F45K20 copied is good. You are lucky if you can find someone to copy it.

      You wanna copy an expensive product, if it can be copied at low price, others can also do so, you will not make any profit at the end.

  23. Muhammad says:

    Hello
    How can I read the hex file from a protected PIC 18F1320 microcontroller?
    I need your guidance.

    Thanks

  24. [...] are learning from this stuff and improving their products. Here is some very old information. And here too. Apparantly if you can afford $US9k you can get someone to do it for [...]

  25. The professional way this is done is much easier (but requires a specialised piece of kit: an e-beam prober or a FIB ion mill).

    The company specialising in hacking these devices buys a few empty devices. They decapsulate them and put them in an e-beam prober. A first scan is done to determine the base charge pattern on the die. Then the fuse bit is set and a second scan is done. The two patterns are matched and the charge alteration shows clearly where the fuse bit resides on the chip.

    Any device that needs hacking afterwards is a piece of cake. Decapsulate, stick it in the e-beam prober or FIB, go to the known coordinates and clear the fuse using the e-beam or the ion mill of the FIB.

    FIB and e-beam probers are available at many universities and research centers, and there are plenty of subcontractors that offer FIB services for $50 a pop.
    Convince one of these guys to spend a few hours during the slow season and off you go.

  26. I didn’t understand what you were referring to when you showed those 2 screenshot images. Is there any way to get those images zoomed in?
    Thanks

  27. imtiyaz says:

    Sir,
    is it possible on a pic18f4525?

  28. rüzgar says:

    Hi, I have a pic 18F4520. How can you get its hex file?

  29. rüzgar says:

    Hi, I have a PIC 18f4520. How is its hex file obtained?

  30. rüzgar says:

    Hi, I have a pic 18F4520. How do I get its hex file?

  31. santy says:

    My name is santosh kumar . I am from india.

    I need the hex files of IC… zilog84c923. Can you get me the code? I can provide you the lock code. You need to unlock this code & rectify the error.

  32. alamgirtgl says:

    Dear Sir,

    How can I read hex file on PIC16F676 protected MCU.

  33. With the elite training “Educate a Dog” you can re-educate your dog by shaping its behaviour. Forget spending huge amounts of money on trainers, when you
    can be the best trainer for your dog. In homes where dogs and small children live together there is no education that is conscious
    of the relationship a small child should establish with their dog.
    That is why I invite you to get to know these products and reflections
    on the need to own a dog responsibly, an educated dog.
