Semi-Automatic Hacking of Masked ROM Code From Microscopic Images 42
An anonymous reader writes "Decapping chips and recovering code or data is nothing new, but the old problem of recovering Masked ROM through visual inspection (binary '0' and '1' can be distinguished within the images) is normally done by crowd sourcing a manual typing effort. Now a tool that semi-automates this process and then recovers the data automatically has been released."
Nice 8085 example (Score:5, Interesting)
This is awesome... (Score:5, Interesting)
Could be useful for future MAME work if someone is able to decap (and photograph) various otherwise un-dumpable mask-ROM-based MCUs and other chips.
Re:This is awesome... (Score:5, Interesting)
Interestingly, this was done for Bubble Bobble to ensure that the emulation was perfect:
http://mamelife.blogspot.co.uk/2006/08/completed-at-last.html [blogspot.co.uk]
Re:As said this is not really new... (Score:3, Interesting)
Hardware designers are wise to this of course, and now there are often entirely separate ARM cores with no purpose other than as a data integrity watchdog on the 'main' system(s) that can shut everything down. There are some very popular chips which use 2 identical ARM cores, one of which is delayed by 2 cycles. There is a dedicated circuit that performs a CMP on the output of the two chips and shuts everything down if there are any differences.
I have seen designs that hardware encrypt everything including the bus and the EEPROM, so all program code is stored in the EEPROM encrypted, so who cares if you can image it? The decryption key is stored, also encrypted, in the EEPROM as well. There is a separate master boot key which decrypts the memory decryption key stored in a special battery-backed RAM register, which does not leave an 'after-image'. If the hardware watchdog system detects any shenanigans, or if you try to remove the chip from the system without preserving the battery backing, the master key is simply flushed and the chip rebooted. At that point it looks like a blank chip that hasn't been through UV erase (random data everywhere).
I'm not a uC or hardware guy so some of this might be old news, but I found it interesting at least.