Archive for the ‘Recover MCU’ Category
Readout DSP Chip TMS320LF2406APZAR Program
Before the program of the TMS320LF2406APZAR DSP chip can be read out, it is necessary to know the structure of this CMOS chip:
· High-Performance Static CMOS Technology
− 25-ns Instruction Cycle Time (40 MHz)
− 40-MIPS Performance
− Low-Power 3.3-V Design
· Based on TMS320C2xx DSP CPU Core
− Code-Compatible With F243/F241/C242
− Instruction Set and Module Compatible With F240
· Flash (LF) and ROM (LC) Device Options
− LF240xA: LF2407A, LF2406A, LF2403A, LF2402A
− LC240xA: LC2406A, LC2404A, LC2403A, LC2402A
· On-Chip Memory
− Up to 32K Words x 16 Bits of Flash EEPROM (4 Sectors) or ROM
− Programmable “Code-Security” Feature for the On-Chip Flash/ROM
− Up to 2.5K Words x 16 Bits of Data/Program RAM
− 544 Words of Dual-Access RAM
− Up to 2K Words of Single-Access RAM
· Boot ROM (LF240xA Devices)
− SCI/SPI Bootloader
· Up to Two Event-Manager (EV) Modules (EVA and EVB), Each Includes:
− Two 16-Bit General-Purpose Timers
− Eight 16-Bit Pulse-Width Modulation (PWM) Channels Which Enable:
− Three-Phase Inverter Control
− Center- or Edge-Alignment of PWM Channels
− Emergency PWM Channel Shutdown With External PDPINTx Pin
− Programmable Deadband (Deadtime) Prevents Shoot-Through Faults
− Three Capture Units for Time-Stamping of External Events
− Input Qualifier for Select Pins
− On-Chip Position Encoder Interface Circuitry
− Synchronized A-to-D Conversion
− Designed for AC Induction, BLDC, Switched Reluctance, and Stepper Motor Control
− Applicable for Multiple Motor and/or Converter Control
· External Memory Interface (LF2407A)
− 192K Words x 16 Bits of Total Memory: 64K Program, 64K Data, 64K I/O
· Watchdog (WD) Timer Module
· 10-Bit Analog-to-Digital Converter (ADC)
− 8 or 16 Multiplexed Input Channels
− 500-ns MIN Conversion Time
− Selectable Twin 8-State Sequencers Triggered by Two Event Managers
· Controller Area Network (CAN) 2.0B Module (LF2407A, 2406A, 2403A)
· Serial Communications Interface (SCI)
· 16-Bit Serial Peripheral Interface (SPI) (LF2407A, 2406A, LC2404A, 2403A)
· Phase-Locked-Loop (PLL)-Based Clock Generation
· Up to 40 Individually Programmable, Multiplexed General-Purpose Input / Output (GPIO) Pins
· Up to Five External Interrupts (Power Drive Protection, Reset, Two Maskable Interrupts)
· Power Management:
− Three Power-Down Modes
− Ability to Power Down Each Peripheral Independently
· Real-Time JTAG-Compliant Scan-Based Emulation, IEEE Standard 1149.1 (JTAG)
· Development Tools Include:
− Texas Instruments (TI) ANSI C Compiler, Assembler/Linker, and Code Composer Studio Debugger
− Evaluation Modules
− Scan-Based Self-Emulation (XDS510)
− Broad Third-Party Digital Motor Control Support
· Package Options
Microchip MCU PIC16F870 Heximal Code Restoration
The content of the original PIC16F870 can be re-obtained through PIC16F870 hex code restoration procedures:
Microcontroller Core Features:
· High performance RISC CPU
· Only 35 single word instructions to learn
· All single cycle instructions except for program branches which are two-cycle
· Operating speed: DC – 20 MHz clock input, DC – 200 ns instruction cycle
· 2K x 14 words of FLASH Program Memory
· 128 x 8 bytes of Data Memory (RAM)
· 64 x 8 bytes of EEPROM Data Memory
· Pinout compatible to the PIC16CXXX 28 and 40-pin devices
· Interrupt capability (up to 11 sources)
· Eight level deep hardware stack
· Direct, Indirect and Relative Addressing modes
· Power-on Reset (POR)
· Power-up Timer (PWRT) and Oscillator Start-up Timer (OST)
· Watchdog Timer (WDT) with its own on-chip RC oscillator for reliable operation
· Programmable code protection
· Power saving SLEEP mode
· Selectable oscillator options
· Low power, high speed CMOS FLASH/EEPROM technology
· Fully static design
· In-Circuit Serial Programming™ (ICSP™) via two pins
· Single 5V In-Circuit Serial Programming capability
· In-Circuit Debugging via two pins
· Processor read/write access to program memory
· Wide operating voltage range: 2.0V to 5.5V
· High Sink/Source Current: 25 mA
· Commercial and Industrial temperature ranges
· Low power consumption:
– < 1.6 mA typical @ 5V, 4 MHz
– 20 mA typical @ 3V, 32 kHz
– < 1 mA typical standby current
Peripheral Features:
· Timer0: 8-bit timer/counter with 8-bit prescaler
· Timer1: 16-bit timer/counter with prescaler, can be incremented during SLEEP via external crystal/clock
· Timer2: 8-bit timer/counter with 8-bit period register, prescaler and postscaler
· One Capture, Compare, PWM module
– Capture is 16-bit, max. resolution is 12.5 ns
– Compare is 16-bit, max. resolution is 200 ns
– PWM max. resolution is 10-bit
· 10-bit multi-channel Analog-to-Digital converter
· Universal Synchronous Asynchronous Receiver Transmitter (USART/SCI) with 9-bit address detection
· Parallel Slave Port (PSP) 8-bits wide, with external RD, WR and CS controls (40/44-pin only)
· Brown-out detection circuitry for Brown-out Reset (BOR)
Reverse Engineering Microchip PIC16F1913 Memory
Reverse engineering the Microchip PIC16F1913 memory means delayering the silicon, plastic and metal layers of the PIC16F1913, in the reverse sequence of microcontroller manufacturing:
High-Performance RISC CPU:
· Only 35 instructions to learn:
– All single-cycle instructions except branches
· Operating speed:
– DC – 20 MHz oscillator/clock input
– DC – 200 ns instruction cycle
· Program Memory Read (PMR) capability
· Interrupt capability
· 8-level deep hardware stack
· Direct, Indirect and Relative Addressing modes
Special Microcontroller Features:
· Precision Internal Oscillator:
– Factory calibrated to ±1%, typical
– Software selectable frequency range of 8 MHz to 125 kHz
– Software tunable
– Two-Speed Start-up mode
– External Oscillator fail detect for critical applications
– Clock mode switching during operation for power savings
· Software selectable 31 kHz internal oscillator
· Power-Saving Sleep mode
· Wide operating voltage range (2.0V-5.5V)
· Industrial and Extended temperature range
· Power-on Reset (POR)
· Power-up Timer (PWRT) and Oscillator Start-up Timer (OST)
· Brown-out Reset (BOR) with software control option
· Enhanced Low-Current Watchdog Timer (WDT) with on-chip oscillator (software selectable nominal 268 seconds with full prescaler) with software enable
· Multiplexed Master Clear with pull-up/input pin
· Programmable code protection
· High-Endurance Flash/EEPROM cell:
– 100,000 write Flash endurance
– 1,000,000 write EEPROM endurance
– Flash/Data EEPROM retention: > 40 years
Low-Power Features:
· Standby Current:
– <100 nA @ 2.0V, typical
· Operating Current:
– 11 µA @ 32 kHz, 2.0V, typical
– 220 µA @ 4 MHz, 2.0V, typical
· Watchdog Timer Current:
– 1 µA @ 2.0V, typical
Peripheral Features:
· Liquid Crystal Display module:
– Up to 60/96/168 pixel drive capability on 28/40/64-pin devices, respectively
– Four commons
· Up to 24/35/53 I/O pins and 1 input-only pin:
– High-current source/sink for direct LED drive
– Interrupt-on-change pin
– Individually programmable weak pull-ups
· In-Circuit Serial Programming™ (ICSP™) via two pins
· Analog comparator module with:
– Two analog comparators
– Programmable on-chip voltage reference (CVREF) module (% of VDD)
– Comparator inputs and outputs externally accessible
· A/D Converter:
– 10-bit resolution and up to 8 channels
· Timer0: 8-bit timer/counter with 8-bit programmable prescaler
· Enhanced Timer1:
– 16-bit timer/counter with prescaler
– External Timer1 Gate (count enable)
– Option to use OSC1 and OSC2 as Timer1 oscillator if INTOSCIO or LP mode is selected
· Timer2: 8-bit timer/counter with 8-bit period register, prescaler and postscaler
· Addressable Universal Synchronous Asynchronous Receiver Transmitter (AUSART)
· Up to 2 Capture, Compare, PWM modules:
– 16-bit Capture, max. resolution 12.5 ns
– 16-bit Compare, max. resolution 200 ns
– 10-bit PWM, max. frequency 20 kHz
· Synchronous Serial Port (SSP) with I2C™
Recover TI MSP430G2452 Embedded Memory
Recovering the TI MSP430G2452 embedded memory starts from understanding its basic structure:
FEATURES
Low Supply Voltage Range: 1.8 V to 3.6 V
Ultra-Low Power Consumption
– Active Mode: 220 µA at 1 MHz, 2.2 V
– Standby Mode: 0.5 µA
– Off Mode (RAM Retention): 0.1 µA
Five Power-Saving Modes
Ultra-Fast Wake-Up From Standby Mode in Less Than 1 µs
16-Bit RISC Architecture, 62.5-ns Instruction Cycle Time
Basic Clock Module Configurations
– Internal Frequencies up to 16 MHz With Four Calibrated Frequencies
– Internal Very-Low-Power Low-Frequency (LF) Oscillator
– 32-kHz Crystal
– External Digital Clock Source
One 16-Bit Timer_A With Three Capture/Compare Registers
Up to 16 Touch-Sense Enabled I/O Pins
Universal Serial Interface (USI) Supporting SPI and I2C
10-Bit 200-ksps Analog-to-Digital (A/D) Converter With Internal Reference, Sample-and-Hold, and Autoscan (MSP430G2x52 Only)
On-Chip Comparator for Analog
Brownout Detector
Serial Onboard Programming, No External Programming Voltage Needed, Programmable Code Protection by Security Fuse
On-Chip Emulation Logic With Spy-Bi-Wire Interface
Family Members are Summarized in Table 1
Package Options
– TSSOP: 14 Pin, 20 Pin
– PDIP: 20 Pin
– QFN: 16 Pin
For Complete Module Descriptions, See the MSP430x2xx Family User’s Guide (SLAU144)
Restore Winbond W78IE54 MCU Encrypted Heximal
In the common situation, a W78IE54 MCU will be set as encrypted, and its encrypted hex content can only be restored by disabling the security fuse bit. Here we introduce the security system of the W78IE54:
During the on-chip MTP-ROM programming mode, the MTP-ROM can be programmed and verified repeatedly. Once the code inside the MTP-ROM is confirmed OK, the code can be protected. The protection of the MTP-ROM and the operations on it are described below.
The W78IE54 has several Special Setting Registers, including the Security Register and Company/Device ID Registers, which cannot be accessed in programming mode before the W78IE54 encrypted hex is restored. The bits of the Security Register cannot be changed once they have been programmed from high to low.
They can only be reset through an erase-all operation. The contents of the Company ID and Device ID registers are set in the factory. The Security Register is located at address 0FFFFH of the LDROM space.
Lock bit
This bit is used to protect the customer’s program code in the W78E62B. It may be set after the programmer finishes the programming and verifies sequence. Once this bit is set to logic 0, both the MTP ROM data and Special Setting Registers can not be accessed again.
Winbond W78ERD2 MCU Locked Program Recovery
After the MCU has been switched to In-System Programming (ISP) mode, W78ERD2 locked program recovery can be executed directly. The W78ERD2 has one 64K-byte main MTP-ROM bank for the application program (called APROM) and one 4K-byte auxiliary MTP-ROM bank for the loader program (called LDROM).
In normal operation, the microcontroller executes the code in the APROM. If the content of the APROM needs to be modified, the W78ERD2 allows the user to activate the In-System Programming (ISP) mode by setting the CHPCON register.
CHPCON is read-only by default. Software must write two specific values, 87H and then 59H, sequentially to the CHPENR register to enable the CHPCON write attribute. Writing any value other than 87H and 59H to the CHPENR register closes the CHPCON write attribute.
The W78ERD2 performs all in-system programming operations, including entering and exiting ISP mode, program, erase, read, etc., while the device is in idle mode. When the bit CHPCON.0 is set, the device enters in-system programming mode after a wake-up from idle mode.
Because the device needs time to complete the ISP operations before it is awakened from idle mode, software may use a timer interrupt to control the duration before wake-up from idle mode. This in-system programming feature makes the job easy and efficient for applications that need to update firmware frequently. In some applications, the in-system programming feature makes it possible for end users to update the system firmware by themselves without opening the chassis.
SFRAH, SFRAL:
The target address of the on-chip MTP-ROM in the in-system programming mode. SFRAH contains the high-order byte of the address, SFRAL contains the low-order byte of the address.
SFRFD:
The programming data for on-chip MTP-ROM in programming mode.
SFRCN:
The control byte of on-chip MTP-ROM programming mode.
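The CHPENR/CHPCON write gate described above can be modelled in a few lines of C. This is an added illustration, not Winbond code or code from the original page: the `chip_t` structure, the function names and the reset values are assumptions, and the handling of a lone 59H is a modelling choice the text does not specify. It shows that a stray CHPCON write from runaway firmware is dropped, and that ISP mode is entered only on wake-up from idle with CHPCON.0 set.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Behavioural model only: field names and reset values are assumptions. */
typedef struct {
    uint8_t chpcon;    /* protected ISP control register           */
    bool    armed;     /* 87H was the last byte written to CHPENR  */
    bool    writable;  /* CHPCON write attribute currently enabled */
    bool    isp_mode;
} chip_t;

static void chip_reset(chip_t *c) {
    c->chpcon = 0; c->armed = false; c->writable = false; c->isp_mode = false;
}

/* CHPENR: 87H followed by 59H opens the gate; any other value closes it. */
static void write_chpenr(chip_t *c, uint8_t v) {
    if (v == 0x87) {
        c->armed = true;
    } else if (v == 0x59) {
        if (c->armed) c->writable = true;  /* lone 59H: no effect (assumed) */
        c->armed = false;
    } else {
        c->armed = false;
        c->writable = false;
    }
}

/* A CHPCON write is dropped while the register is read-only. */
static bool write_chpcon(chip_t *c, uint8_t v) {
    if (!c->writable) return false;
    c->chpcon = v;
    return true;
}

/* ISP mode is entered on wake-up from idle if CHPCON.0 is set. */
static void idle_then_wake(chip_t *c) {
    if (c->chpcon & 0x01) c->isp_mode = true;
}

/* Scenario 1: CHPCON written without the key sequence. */
int stray_write_result(void) {
    chip_t c; chip_reset(&c);
    write_chpcon(&c, 0x01);
    idle_then_wake(&c);
    return c.isp_mode;
}

/* Scenario 2: 87H, 59H, then CHPCON.0 set and a wake-up from idle. */
int keyed_write_result(void) {
    chip_t c; chip_reset(&c);
    write_chpenr(&c, 0x87); write_chpenr(&c, 0x59);
    write_chpcon(&c, 0x01);
    idle_then_wake(&c);
    return c.isp_mode;
}

/* Scenario 3: gate opened, then closed again by another CHPENR value. */
int closed_gate_result(void) {
    chip_t c; chip_reset(&c);
    write_chpenr(&c, 0x87); write_chpenr(&c, 0x59);
    write_chpenr(&c, 0x00);
    return write_chpcon(&c, 0x01);
}

int main(void) {
    printf("stray=%d keyed=%d closed=%d\n", stray_write_result(),
           keyed_write_result(), closed_gate_result());
    return 0;
}
```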
Reverse Engineering Winbond W78E354 Microcontroller
The power glitch method is an effective way to reverse engineer the Winbond W78E354 microcontroller and get its program and data from both EEPROM and flash effortlessly. For that reason, it is important to have some knowledge of its power management:
Idle Mode
The idle mode is entered by setting the IDL bit in the PCON register. In the idle mode, the internal clock to the processor is stopped. The peripherals and the interrupt logic continue to be clocked. The processor will exit idle mode when either an interrupt or a reset occurs.
Power-down Mode
When the PD bit in the PCON register is set, the processor enters the power-down mode. In this mode all of the clocks are stopped, including the oscillator. The processor exits power-down mode by a hardware reset or by external interrupts INT0 to INT3 when enabled and set to level triggered.
Reduce EMI Emission
The W78E354 allows the user to diminish the gain of the on-chip oscillator amplifier by using a programmer to clear the B7 bit of the security register. Once B7 is set to 0, the gain is reduced by half. Care must be taken if the user attempts to diminish the gain of the oscillator amplifier: reducing the gain by half may cause the external crystal to operate improperly at high frequencies above 24 MHz. The values of R and C1, C2 may need some adjustment when running at lower gain.
Reset
The external RESET signal is sampled at S5P2. To take effect, it must be held high for at least two machine cycles while the oscillator is running. An internal trigger circuit in the reset line is used to deglitch the reset line when the W78E62B is used with an external RC network.
The reset logic also has a special glitch removal circuit that ignores glitches on the reset line. During reset, the ports are initialized to FFH, the stack pointer to 07H, PCON (with the exception of bit 4) to 00H, and all of the other SFR registers except SBUF to 00H. SBUF is not reset.
Attack Winbond W78E051A Protected Eeprom
When attacking the protected EEPROM of the Winbond W78E051A, we need to have a general idea of its architecture. The W78E051A architecture consists of a core controller surrounded by various registers, five general purpose I/O ports, 256 bytes of RAM, three timer/counters, and a serial port. The processor supports 111 different opcodes and references both a 64K program address space and a 64K data storage space.
Timers 0, 1, and 2
Timers 0, 1, and 2 each consist of two 8-bit data registers. These are called TL0 and TH0 for Timer 0, TL1 and TH1 for Timer 1, and TL2 and TH2 for Timer 2. The TCON and TMOD registers provide control functions for timers 0 and 1. The T2CON register provides control functions for Timer 2. RCAP2H and RCAP2L are used as reload/capture registers for Timer 2.
The operations of Timer 0 and Timer 1 are the same as in the W78E051A. Timer 2 is a special feature of the W78E051A: it is a 16-bit timer/counter that is configured and controlled by the T2CON register. Like Timers 0 and 1, Timer 2 can operate as either an external event counter or as an internal timer, depending on the setting of bit C/T2 in T2CON. Timer 2 has three operating modes: capture, auto-reload, and baud rate generator. The clock speed in capture or auto-reload mode is the same as that of Timers 0 and 1.
New Defined Peripheral
To be more suitable for I/O, an extra 4-bit bit-addressable port P4 and two external interrupts, INT2 and INT3, have been added to both the PLCC and QFP 44-pin packages. Their description follows:
1. INT2 / INT3
Two additional external interrupts, INT2 and INT3, have functions similar to those of external interrupts 0 and 1 in the standard 80C52. The functions/status of these interrupts are determined/shown by the bits in the XICON (External Interrupt Control) register. The XICON register is bit-addressable but is not a standard register in the standard 80C52. Its address is 0C0H. To set/clear bits in the XICON register, one can use the “SETB (/CLR) bit” instruction. For example, “SETB 0C2H” sets the EX2 bit of XICON.
Reverse Engineering Winbond W78E54B Eeprom Heximal
Reverse engineering the Winbond W78E54B EEPROM hex content requires decapsulating the polysilicon package to get access to the chip die, which helps the hacker read out the hex content from its EEPROM area directly.
Here we introduce the main features of the W78E54B. The W78E54B is an 8-bit microcontroller which can accommodate a wider frequency range with low power consumption. The instruction set for the W78E54B is fully compatible with the standard 8051.
The W78E54B contains a 16K-byte Flash EPROM; 256 bytes of RAM; four 8-bit bi-directional and bit-addressable I/O ports; an additional 4-bit I/O port P4; three 16-bit timer/counters; a hardware watchdog timer and a serial port. These peripherals are supported by an eight-source, two-level interrupt capability.
To facilitate programming and verification, the Flash EPROM inside the W78E54B allows the program memory to be programmed and read electronically. Once the code is confirmed, the user can protect the code for security.
The W78E54B microcontroller has two power reduction modes, idle mode and power-down mode, both of which are software selectable. The idle mode turns off the processor clock but allows for continued peripheral operation. The power-down mode stops the crystal oscillator for minimum power consumption. The external clock can be stopped at any time and in any state without affecting the processor.
• Fully static design 8-bit CMOS microcontroller
• Wide supply voltage of 4.5V to 5.5V
• 256 bytes of on-chip scratchpad RAM
• 16 KB electrically erasable/programmable Flash EPROM
• 64 KB program memory address space
• 64 KB data memory address space
• Four 8-bit bi-directional ports
• One extra 4-bit bit-addressable I/O port, additional INT2 / INT3
(available on 44-pin PLCC/QFP package)
• Three 16-bit timer/counters
• One full duplex serial port (UART)
• Watchdog Timer
• Eight sources, two-level interrupt capability
• EMI reduction mode
• Built-in power management
• Code protection mechanism
• Packages:
DIP 40: W78E54B-24/40
PLCC 44: W78E54BP-24/40
PQFP 44: W78E54BF-24/40
Attack Nuvoton Microcontroller W77E52 Flash Memory
It is critical to reset the security bits of the W77E52 microcontroller to disable the protection of its internal memory system, which includes flash and EEPROM. Only when these bits have been disabled does an attack on the W77E52 flash memory become possible. Below we list some of the basic features of its security bits:
During the programmer operation mode, the Flash EPROM can be programmed and verified repeatedly. Once the code inside the Flash EPROM is confirmed OK, the code can be protected. The protection of the Flash EPROM and the operations on it are described below.
The W77E52 has a Special Setting Register, the Security Register, which can be accessed in normal mode. The register can only be accessed from the Flash EPROM operation mode. The bits of the Security Register cannot be changed once they have been programmed from high to low. They can only be reset through an erase-all operation. The Security Register is addressed in the Flash EPROM operation mode by address #0FFFFh.
7.1 Lock Bit
This bit is used to protect the customer’s program code in the W78E51B. It may be set after the programmer finishes the programming and verifies sequence. Once this bit is set to logic 0, both the on-chip ROM data and Special Setting Registers can not be accessed again.
7.2 MOVC Inhibit
This bit is used to restrict the accessible region of the MOVC instruction. It can prevent a MOVC instruction in external program memory from reading the internal program code. When this bit is set to logic 0, a MOVC instruction in external program memory space will be able to access code only in the external memory, not in the internal memory. A MOVC instruction in internal program memory space will always be able to access the ROM data in both internal and external memory. If this bit is logic 1, there are no restrictions on the MOVC instruction.
7.3 Encryption
This bit is used to enable/disable the encryption logic for code protection. Once the encryption feature is enabled, the data presented on port 0 will be encoded via the encryption logic. Only a whole-chip erase will reset this bit.
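The Security Register behaviour described in this section (and in the W78IE54 section earlier) can be captured in a small C model: bits only move from high to low, a locked part refuses programmer read-back, and erase-all is the only way back, which also removes the code being protected. This is an added example, not vendor or page code; the `dev_t` type, function names, toy flash size, the bit positions chosen for Lock and MOVC Inhibit, and the assumption that erase-all returns the array to FFH are all illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLASH_SIZE   16u    /* constructed toy size, not the real array */
#define SEC_LOCK     0x01u  /* bit positions assumed for this model     */
#define SEC_MOVC_INH 0x02u

typedef struct {
    uint8_t flash[FLASH_SIZE];
    uint8_t security;       /* 1 = feature off, 0 = feature on */
} dev_t;

/* Erase-all: the only path that returns security bits to 1.
   It also wipes the code array (assumed erased value FFH). */
static void erase_all(dev_t *d) {
    memset(d->flash, 0xFF, sizeof d->flash);
    d->security = 0xFF;
}

/* Programming can only pull bits from high to low. */
static void program_security(dev_t *d, uint8_t v) { d->security &= v; }

static void program_flash(dev_t *d, unsigned a, uint8_t v) {
    if (a < FLASH_SIZE) d->flash[a] &= v;
}

/* Programmer read-back: refused (-1) once the lock bit is 0. */
static int programmer_read(const dev_t *d, unsigned a) {
    if (a >= FLASH_SIZE || !(d->security & SEC_LOCK)) return -1;
    return d->flash[a];
}

/* MOVC aimed at internal code: always allowed from internal code,
   allowed from external code only while MOVC Inhibit is still 1. */
static int movc_internal_allowed(const dev_t *d, int from_external) {
    return !from_external || (d->security & SEC_MOVC_INH) != 0;
}

/* Factory-style provisioning: write code, then set Lock and MOVC Inhibit. */
static void provision(dev_t *d) {
    erase_all(d);
    program_flash(d, 0, 0x02);   /* constructed code byte */
    program_security(d, (uint8_t)~(SEC_LOCK | SEC_MOVC_INH));
}

int security_after_set_attempt(void) {
    dev_t d; provision(&d);
    program_security(&d, 0xFF);  /* attempt to raise bits: no effect */
    return d.security;
}

int read_when_locked(void) {
    dev_t d; provision(&d);
    return programmer_read(&d, 0);
}

int movc_from_external(void) {
    dev_t d; provision(&d);
    return movc_internal_allowed(&d, 1);
}

int read_after_erase_all(void) {
    dev_t d; provision(&d);
    erase_all(&d);               /* protection gone, and so is the code */
    return programmer_read(&d, 0);
}

int main(void) {
    printf("sec=%02X locked_read=%d movc_ext=%d after_erase=%02X\n",
           security_after_set_attempt(), read_when_locked(),
           movc_from_external(), read_after_erase_all());
    return 0;
}
```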