Archive for the ‘Recover MCU’ Category

Protected Winbond Microprocessor W78E65 Reverse Engineering

The first step in reverse engineering a protected Winbond W78E65 microprocessor to recover its embedded firmware, meaning the contents of both the EEPROM and the flash, is to establish the clock frequency, so it is essential to understand how the W78E65 clock operates.

The W78E51B is designed to be used with either a crystal oscillator or an external clock. Internally, the clock is divided by two before it is used, which makes the W78E51B relatively insensitive to duty-cycle variations in the clock.

The W78E51B incorporates a built-in crystal oscillator. To make the oscillator work, a crystal must be connected across pins XTAL1 and XTAL2, and a load capacitor must be connected from each pin to ground.

To use an external clock instead, connect the clock source to pin XTAL1 and leave pin XTAL2 unconnected. The XTAL1 input is a CMOS-type input, as required by the crystal oscillator.

Restore Winbond Microcontroller W78E058 Heximal

We can restore the heximal (hex) firmware image of the Winbond W78E058 microcontroller; the W78E058 features are summarised below for reference.

FUNCTIONAL DESCRIPTION:

The W78E058 architecture consists of a core controller surrounded by various registers, five general-purpose I/O ports, 128 bytes of RAM, two timer/counters, and a serial port. The processor supports 111 different opcodes and references both a 64 KB program address space and a 64 KB data storage space.

NEW DEFINED PERIPHERAL:

To make the device more suitable for I/O, an extra 4-bit bit-addressable port P4 and two external interrupts, INT2 and INT3, have been added; they are available in the 44-pin PLCC and QFP packages. Their description follows.

INT2 / INT3

Two additional external interrupts, INT2 and INT3, whose functions are similar to those of external interrupts 0 and 1 in the standard 80C52. The functions and status of these interrupts are controlled and reported by the bits of the XICON (External Interrupt Control) register. XICON is bit-addressable but is not a standard register in the standard 80C52; its address is 0C0H. Because 0C0H is a multiple of 8, the bits of XICON have bit addresses 0C0H (bit 0, IT2) through 0C7H (bit 7, PX3), so they can be set and cleared with the "SETB bit" and "CLR bit" instructions. For example, "SETB 0C2H" sets the EX2 bit of XICON.

XICON – external interrupt control (C0H)

Bit 7   Bit 6   Bit 5   Bit 4   Bit 3   Bit 2   Bit 1   Bit 0
PX3     EX3     IE3     IT3     PX2     EX2     IE2     IT2

PX3: External interrupt 3 priority high if set
EX3: External interrupt 3 enable if set
IE3: If IT3 = 1, IE3 is set/cleared automatically by hardware when the interrupt is detected/serviced
IT3: External interrupt 3 is falling-edge triggered when this bit is set by software, and low-level triggered when it is cleared
PX2: External interrupt 2 priority high if set
EX2: External interrupt 2 enable if set
IE2: If IT2 = 1, IE2 is set/cleared automatically by hardware when the interrupt is detected/serviced
IT2: External interrupt 2 is falling-edge triggered when this bit is set by software, and low-level triggered when it is cleared
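To see where a restored W78E058 image sets up INT2/INT3, the following added Python script (example code written for this page, not from Winbond or the original post) scans a raw 8051 firmware dump for instructions that reference XICON, using the bit-address mapping above. The sample image is constructed here for illustration. It is a byte-pattern scan rather than a disassembler, so a match inside data bytes or inside the operands of a longer instruction is possible and should be confirmed in a disassembler.

```python
# Added example (not from the page or Winbond): locate instructions that access the
# W78E058 XICON register (SFR address 0C0H) in a raw 8051 firmware image and decode
# the bits they touch. SAMPLE_IMAGE below is constructed for this example.

XICON = 0xC0
# Bit 0 .. bit 7 of XICON, matching the register map above.
XICON_BITS = ["IT2", "IE2", "EX2", "PX2", "IT3", "IE3", "EX3", "PX3"]

# 8051 opcodes whose first operand is a bit address (SETB/CLR/CPL are 2 bytes;
# JB/JNB/JBC are 3 bytes: opcode, bit address, relative offset).
BIT_OPS = {0xD2: "SETB", 0xC2: "CLR", 0xB2: "CPL", 0x20: "JB", 0x30: "JNB", 0x10: "JBC"}
# 8051 opcodes of the form "op direct,#immediate" (3 bytes: opcode, direct address, data).
DIRECT_IMM_OPS = {0x75: "MOV", 0x43: "ORL", 0x53: "ANL", 0x63: "XRL"}


def bit_addr_to_sfr(bit_addr):
    """Map an SFR bit address (80H..FFH) to (SFR byte address, bit number).

    SFR bit addresses exist only for SFRs whose address is a multiple of 8;
    the byte address is the bit address with the low three bits cleared.
    """
    if bit_addr < 0x80:
        raise ValueError("bit address %02XH is in internal RAM, not an SFR" % bit_addr)
    return bit_addr & 0xF8, bit_addr & 0x07


def decode_xicon(value):
    """Return the names of the XICON bits that are set in an 8-bit value."""
    return [name for bit, name in enumerate(XICON_BITS) if (value >> bit) & 1]


def find_xicon_accesses(image):
    """Return (offset, description) for every byte pattern that looks like an XICON access."""
    hits = []
    for off in range(len(image) - 1):
        op, operand = image[off], image[off + 1]
        if op in BIT_OPS and operand >= 0x80:
            sfr, bit = bit_addr_to_sfr(operand)
            if sfr == XICON:
                hits.append((off, "%s %s" % (BIT_OPS[op], XICON_BITS[bit])))
        elif op in DIRECT_IMM_OPS and operand == XICON and off + 2 < len(image):
            imm = image[off + 2]
            hits.append((off, "%s XICON,#%02XH -> %s" % (DIRECT_IMM_OPS[op], imm, decode_xicon(imm))))
    return hits


# Constructed sample image: a reset vector followed by an interrupt set-up sequence.
SAMPLE_IMAGE = bytes([
    0x02, 0x00, 0x30,   # 0000: LJMP 0030H          reset vector
    0x75, 0xC0, 0x54,   # 0003: MOV  XICON,#54H     EX2 | IT3 | EX3
    0xD2, 0xC0,         # 0006: SETB IT2            bit address 0C0H
    0xC2, 0xC6,         # 0008: CLR  EX3            bit address 0C6H
    0x75, 0xA8, 0x80,   # 000A: MOV  IE,#80H        EA; not an XICON access
    0x30, 0xC1, 0x02,   # 000D: JNB  IE2,rel        polls the INT2 flag
    0x80, 0xFE,         # 0010: SJMP $
])

if __name__ == "__main__":
    for off, text in find_xicon_accesses(SAMPLE_IMAGE):
        print("%04X: %s" % (off, text))
```

Run against the sample it reports the MOV at 0003, the SETB at 0006, the CLR at 0008 and the JNB at 000D, and ignores the MOV to IE at 000A. On a real dump, feed it the recovered binary and cross-check each hit against the disassembly before trusting it.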


Decode Winbond Chip W78E065 Internal Memory

We can decode the internal memory of the Winbond W78E065 chip; the W78E065 features are summarised below for reference.

The W78E065 is an 8-bit microcontroller which can accommodate a wide frequency range with low power consumption. The instruction set of the W78E065 is fully compatible with the standard 8051. The W78E065 contains a 4 KB Flash EPROM, 128 bytes of RAM, four 8-bit bi-directional and bit-addressable I/O ports, an additional 4-bit I/O port P4, two 16-bit timer/counters, a hardware watchdog timer and a serial port.

These peripherals are supported by seven interrupt sources with two priority levels. To facilitate programming and verification, the on-chip Flash EPROM allows the program memory to be programmed and read electrically. Once the code is confirmed, the user can enable code protection, which prevents the program memory from being read back through the programming interface; this protection is what has to be dealt with when decoding the W78E065 internal memory.

The W78E065 microcontroller has two power-reduction modes, idle mode and power-down mode, both software selectable. Idle mode turns off the processor clock but allows continued peripheral operation. Power-down mode stops the crystal oscillator for minimum power consumption. The external clock can be stopped at any time and in any state without affecting the processor.

2. FEATURES
· Fully static design 8-bit CMOS microcontroller
· Wide supply voltage of 4.5 V to 5.5 V
· 128 bytes of on-chip scratchpad RAM
· 4 KB on-chip Flash EPROM
· 64 KB program memory address space
· 64 KB data memory address space
· Four 8-bit bi-directional ports
· One extra 4-bit bit-addressable I/O port, additional INT2 / INT3 (available on 44-pin PLCC/QFP package)
· Two 16-bit timer/counters
· One full-duplex serial port (UART)
· Watchdog Timer
· Seven interrupt sources, two-level interrupt capability
· EMI reduction mode
· Built-in power management
· Code protection mechanism

Reverse Engineering Locked Chip ATmega164PA Firmware

We can reverse engineer the firmware of a locked ATMEGA164PA chip; the locked chip's features are summarised below for reference.

The interrupt execution response for all enabled AVR interrupts is four clock cycles minimum. After the four clock cycles the program vector address for the actual interrupt handling routine is executed. During this 4-clock-cycle period, the Program Counter (9 bits) is pushed onto the Stack. The vector is often a relative jump to the interrupt routine, and this jump takes two clock cycles.

If an interrupt occurs during execution of a multi-cycle instruction, this instruction is completed before the interrupt is served. If an interrupt occurs when the MCU is in Sleep mode, the interrupt execution response time is increased by four clock cycles.

A return from an interrupt handling routine takes four clock cycles. During these four clock cycles, the Program Counter (9 bits) is popped back from the Stack. When the AVR exits from an interrupt, it always returns to the main program and executes one more instruction before any pending interrupt is served.

GIMSK – General Interrupt Mask Register:
· Bit 7 – Res: Reserved Bit
This bit is a reserved bit in the ATmega164PA and always reads as zero.
· Bit 6 – INT0: External Interrupt Request 0 Enable
When the INT0 bit is set (one) and the I-bit in the Status Register (SREG) is set (one), the external pin interrupt is activated. The Interrupt Sense Control 0 bits 1/0 (ISC01 and ISC00) in the MCU General Control Register (MCUCR) define whether the external interrupt is activated on the rising or falling edge, on pin change, or on a low level of the INT0 pin. Activity on the pin will cause an interrupt request even if INT0 is configured as an output. The corresponding interrupt of External Interrupt Request 0 is executed from program memory address $001. See also "External Interrupts."
· Bit 5 – PCIE: Pin Change Interrupt Enable
When the PCIE bit is set (one) and the I-bit in the Status Register (SREG) is set (one), the interrupt on pin change is enabled. Any change on any input or I/O pin will cause an interrupt. The corresponding interrupt of Pin Change Interrupt Request is executed from program memory address $002. See also "Pin Change Interrupt."
· Bits 4..0 – Res: Reserved Bits
These bits are reserved bits in the ATmega164PA and always read as zero.

GIFR – General Interrupt Flag Register:
· Bit 6 – INTF0: External Interrupt Flag 0
When an edge or logic change on the INT0 pin triggers an interrupt request, INTF0 becomes set (one). If the I-bit in SREG and the INT0 bit in GIMSK are set (one), the MCU will jump to the interrupt vector at address $001. The flag is cleared when the interrupt routine is executed. Alternatively, the flag can be cleared by writing a logical "1" to it. The flag is always cleared when INT0 is configured as a level interrupt.
· Bit 5 – PCIF: Pin Change Interrupt Flag
When an event on any input or I/O pin triggers an interrupt request, PCIF becomes set (one). If the I-bit in SREG and the PCIE bit in GIMSK are set (one), the MCU will jump to the interrupt vector at address $002. The flag is cleared when the interrupt routine is executed. Alternatively, the flag can be cleared by writing a logical "1" to it.
· Bits 4..0 – Res: Reserved Bits
These bits are reserved bits in the ATmega164PA and always read as zero.

Recover Locked Microprocessor ATmega164PV Source Code

We can recover the source code of a locked ATMEGA164PV microprocessor; the locked microprocessor's features are summarised below for reference.

To enter any of the three sleep modes, the SE bit in MCUCR must be set (one) and a SLEEP instruction must be executed. The SM1 and SM0 bits in the MCUCR register select which sleep mode (Idle, ADC Noise Reduction or Power-down) will be activated by the SLEEP instruction (see Table 7).

If an enabled interrupt occurs while the MCU is in a sleep mode, the MCU wakes up. The MCU is then halted for four cycles, executes the interrupt routine and resumes execution from the instruction following SLEEP. On wake-up from Power-down mode on pin change, the two instructions following SLEEP. The contents of the register file, SRAM, and I/O memory are unaltered when the device wakes up from sleep. If a reset occurs during sleep mode, the MCU wakes up and executes from the Reset vector.

When the SM1/SM0 bits are "00", the SLEEP instruction forces the MCU into Idle mode, stopping the CPU but allowing the ADC, Analog Comparator, Timer/Counters, Watchdog and the interrupt system to continue operating. This enables the MCU to wake up from externally triggered interrupts as well as internal ones like the Timer Overflow interrupt and Watchdog Reset. If the ADC is enabled, a conversion starts automatically when this mode is entered. If wake-up from the Analog Comparator interrupt is not required, the Analog Comparator can be powered down by setting the ACD bit in the Analog Comparator Control and Status Register (ACSR). This will reduce power consumption in Idle mode.

When the SM1/SM0 bits are "01", the SLEEP instruction forces the MCU into ADC Noise Reduction mode, stopping the CPU but allowing the ADC, the external interrupt pin, the pin change interrupt and the Watchdog (if enabled) to continue operating. Note that the clock system, including the PLL, is also active in ADC Noise Reduction mode. This improves the noise environment for the ADC, enabling higher-resolution measurements. If the ADC is enabled, a conversion starts automatically when this mode is entered. In addition to Watchdog Time-out and External Reset, only an external level-triggered interrupt, a pin change interrupt or an ADC interrupt can wake up the MCU from this mode.

Reverse Engineering Secured Chip ATmega324 Flash

We can reverse engineer the flash of a secured ATMEGA324 chip; the secured chip's features are summarised below for reference.

When the SM1/SM0 bits are "10", the SLEEP instruction forces the MCU into Power-down mode. Only an External Reset, a Watchdog Reset (if enabled), an external level-triggered interrupt, or a pin change interrupt can wake up the MCU.

Note that if a level-triggered or pin change interrupt is used for wake-up from Power-down mode, the changed level must be held for some time to wake up the MCU. This makes the MCU less sensitive to noise. The changed level is sampled twice by the Watchdog Oscillator clock, and if the input has the required level during this time, the MCU will wake up. The period of the Watchdog Oscillator is 2.9 µs (nominal) at 3.0 V and 25°C. The frequency of the Watchdog Oscillator is voltage-dependent, as shown in the "Electrical Characteristics" section.

When waking up from Power-down mode, a delay from the wake-up condition occurs until the wake-up becomes effective. This allows the clock to restart and become stable after having been stopped. The wake-up period is defined by the same CKSEL fuses that define the reset time-out period.

The internal RC oscillator provides a fixed 1.6 MHz clock (nominal at 5 V and 25°C). This internal clock is always the system clock of the ATtiny15L. The oscillator can be calibrated by writing the calibration byte (see page 55) to the OSCCAL register. Writing the calibration byte to this address trims the internal oscillator frequency to remove process variations. When OSCCAL is zero (initial value), the lowest available frequency is chosen. Writing non-zero values to this register increases the frequency of the internal oscillator; writing $FF selects the highest available frequency.

Decode Locked Microprocessor ATmega324A Source Code

We can decode the source code of a locked ATMEGA324A microprocessor; the locked microprocessor's features are summarised below for reference.

· FOC1A: Force Output Compare 1A
Writing a logical "1" to this bit forces a change in the compare match output pin PB1 (OC1A) according to the values already set in COM1A1 and COM1A0. The Force Output Compare bit can be used to change the output pin without waiting for a compare match in the timer. The automatic action programmed in COM1A1 and COM1A0 happens as if a Compare Match had occurred, but no interrupt is generated and Timer/Counter1 will not be cleared even if CTC1 is set. The FOC1A bit will always read as zero. Setting the FOC1A bit has no effect in PWM mode.
· Bit 1 – PSR1: Prescaler Reset Timer/Counter1
When this bit is set (one) the Timer/Counter1 prescaler will be reset. The bit is cleared by hardware after the operation is performed. Writing a "0" to this bit has no effect. This bit will always read as zero.
· Bit 0 – PSR0: Prescaler Reset Timer/Counter0
When this bit is set (one) the Timer/Counter0 prescaler will be reset. The bit is cleared by hardware after the operation is performed. Writing a "0" to this bit has no effect. This bit will always read as zero.

The 8-bit Timer/Counter0 can select its clock source from CK, prescaled CK or an external pin. In addition, it can be stopped, as described in the specification of the Timer/Counter0 Control Register (TCCR0). The overflow status flag is found in the Timer/Counter Interrupt Flag Register (TIFR). Control signals are found in the Timer/Counter0 Control Register (TCCR0). The interrupt enable/disable settings for Timer/Counter0 are found in the Timer/Counter Interrupt Mask Register (TIMSK).

When Timer/Counter0 is externally clocked, the external signal is synchronized with the oscillator frequency of the CPU. To ensure proper sampling of the external clock, the minimum time between two external clock transitions must be at least one internal CPU clock period, so the external clock frequency cannot exceed half the CPU clock frequency. The external clock signal is sampled on the rising edge of the internal CPU clock. The 8-bit Timer/Counter0 offers both high-resolution and high-accuracy usage with the lower prescaling options. Similarly, the high prescaling options make Timer/Counter0 useful for lower-speed functions or exact-timing functions with infrequent actions.

Reverse Engineering Microprocessor ATmega1284PV Embedded Firmware

We can reverse engineer the embedded firmware of the ATMEGA1284PV microprocessor; the microprocessor's features are summarised below for reference.

· Reference selection bits (ADMUX)
These bits select the voltage reference for the ADC, as shown in Table 19. If these bits are changed during a conversion, the change will not take effect until that conversion is complete (ADIF in ADCSR is set). Whenever these bits are changed, the next conversion will take 25 ADC clock cycles. If active channels are used, using AVCC or an external AREF higher than (AVCC – 1 V) is not recommended, as this will affect ADC accuracy. The internal voltage reference options may not be used if an external reference voltage is being applied to the AREF pin.
· ADLAR: ADC Left Adjust Result
The ADLAR bit affects the presentation of the ADC conversion result in the ADC Data Register. If ADLAR is cleared, the result is right-adjusted. If ADLAR is set, the result is left-adjusted. Changing the ADLAR bit affects the ADC Data Register immediately, regardless of any ongoing conversions. For a complete description of this bit, see "The ADC Data Register".
· MUX bits: Analog Channel and Gain Selection
The value of these bits selects which analog input is connected to the ADC. In the case of differential input (PB3 – PB4), gain selection is also made with these bits. Selecting PB3 as both inputs to the differential gain stage enables offset measurements. Refer to Table 20 for details. If these bits are changed during a conversion, the change will not take effect until that conversion is complete (ADIF in ADCSR is set).
· ADEN: ADC Enable
Writing a logical "1" to this bit enables the ADC. Clearing this bit to zero turns the ADC off. Turning the ADC off while a conversion is in progress terminates that conversion.
· ADSC: ADC Start Conversion
In Single Conversion mode, a logical "1" must be written to this bit to start each conversion. In Free Running mode, a logical "1" must be written to this bit to start the first conversion. When the conversion completes, ADSC returns to zero in Single Conversion mode and stays high in Free Running mode. Writing a "0" to this bit has no effect.
· ADFR: ADC Free Running Select
When this bit is set (one), the ADC operates in Free Running mode. In this mode, the ADC samples and updates the data registers continuously. Clearing this bit (zero) terminates Free Running mode. If active channels are used (MUX2 in ADMUX set), the channel must be selected before entering Free Running mode. Selecting an active channel after entering Free Running mode may result in undefined operation of the ADC.

Dump Microcontroller ATMEGA1284V Source Code

We can dump the source code of the ATMEGA1284V microcontroller; the microcontroller's features are summarised below for reference.

· Bit 4 – ADIF: ADC Interrupt Flag
This bit is set (one) when an ADC conversion completes and the data registers are updated. The ADC Conversion Complete Interrupt is executed if the ADIE bit and the I-bit in SREG are set (one). ADIF is cleared by hardware when executing the corresponding interrupt handling vector. Alternatively, ADIF is cleared by writing a logical "1" to the flag. Beware that a read-modify-write on ADCSR can disable a pending interrupt: reading the register while ADIF is set and writing the value back writes a "1" to ADIF and clears the flag. This also applies if the SBI and CBI instructions are used.
· Bit 3 – ADIE: ADC Interrupt Enable
When this bit is set (one) and the I-bit in SREG is set (one), the ADC Conversion Complete Interrupt is activated.
· Bits 2..0 – ADPS2..ADPS0: ADC Prescaler Select Bits
These bits determine the division factor between the CK frequency and the input clock to the ADC.

ADC Data Register – ADCH and ADCL
When an ADC conversion is complete, the result is found in these two registers. When ADCL is read, the ADC Data Register is not updated until ADCH is read. If the result is left-adjusted and no more than 8-bit precision is required, it is sufficient to read ADCH. Otherwise, ADCL must be read first, then ADCH. The ADLAR bit in ADMUX affects the way the result is read from the registers. If ADLAR is set, the result is left-adjusted. If ADLAR is cleared (default), the result is right-adjusted.
· ADC9..0: ADC Conversion Result
These bits represent the result of the conversion. For the differential channel, this is the value after gain adjustment, as indicated in Table 20 on page 47. For single-ended conversion, or if ADLAR or SIGN is zero, $000 represents ground and $3FF represents the selected reference voltage minus one LSB.

Since a change of analog channel is always delayed until a conversion is finished, Free Running mode can be used to scan multiple channels without interrupting the converter. Typically, the ADC Conversion Complete Interrupt will be used to perform the channel shift. However, the user should take the following fact into consideration: the interrupt triggers once the result is ready to be read. In Free Running mode, the next conversion starts immediately when the interrupt triggers. If ADMUX is changed after the interrupt triggers, the next conversion has already started and the old setting is used for it; the new channel is used only for the conversion after that.
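The three behaviours described in the last two sections (the read-modify-write hazard on the write-1-to-clear ADIF flag, the ADCL/ADCH read order, and the ADMUX lag in Free Running mode) are easy to get wrong when rewriting or auditing recovered ADC code, so here is an added Python model of the registers, written for this page and not taken from Atmel or the original post. Bit positions ADEN = 7, ADSC = 6, ADFR = 5, ADIF = 4 and ADLAR = 5 are assumed from the ATtiny-class layout; the page itself gives only ADIE (bit 3) and ADPS2..0 (bits 2..0). The per-channel readings are constructed. The same write-1-to-clear hazard applies to the INTF0 and PCIF flags described earlier.

```python
# Added example (not from the page or Atmel): behavioural model of ADCSR/ADMUX/ADCH:ADCL.
# ADIE=3 and ADPS2..0 are given on the page; ADEN=7, ADSC=6, ADFR=5, ADIF=4 and ADLAR=5
# are assumed from the ATtiny-class layout. ANALOG_INPUT holds constructed readings.
ADEN, ADSC, ADFR, ADIF, ADIE = 1 << 7, 1 << 6, 1 << 5, 1 << 4, 1 << 3   # ADCSR bits
ADLAR, MUX_MASK = 1 << 5, 0x07                                          # ADMUX bits
ANALOG_INPUT = {0: 0x2A7, 1: 0x155, 2: 0x3FF}   # constructed 10-bit value per channel


class AdcModel:
    def __init__(self):
        self.admux = 0
        self.adcsr = 0
        self.result = 0         # 16-bit ADC Data Register (ADCH:ADCL) as the CPU sees it
        self.locked = False     # set by an ADCL read, released by the following ADCH read
        self.mux_in_use = None  # channel latched when the running conversion started
        self.log = []           # (conversion number, channel) for every completed conversion

    def write_adcsr(self, value):
        # ADIF is write-1-to-clear: a 1 in bit 4 clears a set flag, a 0 leaves it alone.
        keep_flag = (self.adcsr & ADIF) and not (value & ADIF)
        self.adcsr = (value & ~ADIF) | (ADIF if keep_flag else 0)
        if self.mux_in_use is not None:
            self.adcsr |= ADSC          # writing 0 to ADSC has no effect on a running conversion
        elif value & ADEN and value & ADSC:
            self._start()

    def write_admux(self, value):
        self.admux = value              # takes effect at the next conversion start only

    def _start(self):
        self.mux_in_use = self.admux & MUX_MASK
        self.adcsr |= ADSC

    def complete(self):
        """What the hardware does when the running conversion finishes."""
        raw = ANALOG_INPUT[self.mux_in_use]
        self.log.append((len(self.log) + 1, self.mux_in_use))
        if not self.locked:             # an ADCL read without ADCH freezes the register
            self.result = (raw << 6) if self.admux & ADLAR else raw
        self.adcsr |= ADIF
        self.mux_in_use = None
        if self.adcsr & ADFR:           # Free Running: next conversion starts before any ISR
            self._start()
        else:
            self.adcsr &= ~ADSC

    def read_adcl(self):
        self.locked = True
        return self.result & 0xFF

    def read_adch(self):
        self.locked = False
        return self.result >> 8

    def interrupt_pending(self):
        return bool(self.adcsr & ADIF and self.adcsr & ADIE)

    def take_interrupt(self):
        """Hardware clears ADIF when the interrupt vector is executed."""
        if not self.interrupt_pending():
            return False
        self.adcsr &= ~ADIF
        return True


def rmw_hazard_demo():
    """Enable ADIE while a result is pending, the unsafe and the safe way."""
    lost, kept = AdcModel(), AdcModel()
    for adc in (lost, kept):
        adc.write_adcsr(ADEN | ADSC)    # single conversion on channel 0
        adc.complete()                  # ADIF now set, ADIE still clear
    lost.write_adcsr(lost.adcsr | ADIE)             # read-modify-write writes ADIF=1 back
    kept.write_adcsr((kept.adcsr & ~ADIF) | ADIE)   # mask the flag so it survives
    return lost.interrupt_pending(), kept.interrupt_pending()   # (False, True)


def read_order_demo():
    """ADCL first, then ADCH; a conversion finishing in between must not be visible."""
    adc = AdcModel()
    adc.write_adcsr(ADEN | ADSC)
    adc.complete()                      # 0x2A7 from channel 0, right-adjusted
    low = adc.read_adcl()               # 0xA7, register now frozen
    adc.write_admux(2)
    adc.write_adcsr(ADEN | ADSC)
    adc.complete()                      # 0x3FF completes while the register is frozen
    high = adc.read_adch()              # still 0x02, not 0x03
    adc.write_admux(ADLAR | 0)
    adc.write_adcsr(ADEN | ADSC)
    adc.complete()
    left8 = adc.read_adch()             # 0xA9: top 8 bits of 0x2A7 << 6, ADCH alone suffices
    return (high << 8) | low, left8     # (0x2A7, 0xA9)


def free_running_channel_shift_demo():
    """Switch channel from the ISR after each result: the new channel lags one conversion."""
    adc = AdcModel()
    adc.write_admux(0)
    adc.write_adcsr(ADEN | ADFR | ADIE | ADSC)
    for _ in range(3):
        adc.complete()                  # ADIF set and the next conversion already running
        adc.take_interrupt()            # the ISR runs now
        adc.write_admux((adc.admux + 1) % 3)
    return adc.log                      # [(1, 0), (2, 0), (3, 1)]
```

The hazard demo returns (False, True): the |= form loses the pending interrupt, the masked form keeps it. In firmware the equivalent mistakes are a load/or/store sequence on ADCSR, or SBI/CBI on that register, as the text notes. The free-running demo shows that the second result still comes from channel 0 even though the ISR selected channel 1 after the first result, which is the lag the previous paragraph describes.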

Reverse Engineering Chip ATmega640PV Locked Flash

We can reverse engineer the locked flash of the ATMEGA640PV chip; the chip's features are summarised below for reference.

In the ATmega640PV four Port B pins (PB2, PB3, PB4 and PB5) have alternative functions as inputs for the ADC. If some Port B pins are configured as outputs, it is essential that these do not switch while a conversion is in progress, as this might corrupt the result of the conversion. During Power-down mode and ADC Noise Reduction mode, the Schmitt triggers of the digital inputs are disconnected on these pins. This allows an analog input voltage close to VCC/2 to be present during Power-down without causing excessive power consumption. The Port B pins with alternate functions are shown in Table 1 on page 4.

When the pins PB4..0 are used for their alternate function, the DDRB and PORTB registers have to be set according to the alternate function description. When PB5 is used as the external reset pin, the values in the corresponding DDRB and PORTB bits are ignored.

The Port B Input Pins address (PINB) is not a register; this address gives access to the physical value on each Port B pin. When reading PORTB, the PORTB Data Latch is read, and when reading PINB, the logical values present on the pins are read.

The lower five pins in Port B are equivalent when used as digital I/O pins. PBn, general I/O pin: the DDBn bit in the DDRB register selects the direction of this pin. If DDBn is set (one), PBn is configured as an output pin. If DDBn is cleared (zero), PBn is configured as an input pin. If PORTBn is set (one) while the pin is configured as an input, the MOS pull-up resistor is activated. To switch the pull-up resistor off, PORTBn has to be cleared (zero) or the pin has to be configured as an output pin. Pull-ups for all ports can also be disabled by setting the PUD bit in the MCUCR register.