Q: PIC microcontroller question ( No Answer,   3 Comments )
Question  
Subject: PIC microcontroller question
Category: Computers > Security
Asked by: democracy-ga
List Price: $200.00
Posted: 17 Dec 2002 14:01 PST
Expires: 30 Dec 2002 17:31 PST
Question ID: 126154
I need to get access to the internal program stored in a custom
programmed PIC16F874-04 (I have the chip).  This is a microcontroller
made by Microchip (www.microchip.com).  Anyone who can provide
information that eventually leads me to this program will be paid the
amount (note: even clues that lead to someone else who can provide
this info are sufficient to win).  Guarantee that
I will not infringe on ANY copyright laws or will use the program for
any commercial purpose.  This info is needed to defend my own rights -
someone has copied my software and I have to prove it.  This is the
only way to prove it.  More details available on request.

Request for Question Clarification by vinods-ga on 23 Dec 2002 13:04 PST
Hi democracy-ga, 

Just curious, many versions of the chip exist. /L, /P, /PQ, /PT, E/L,
E/P, E/PQ, E/PT, I/L, I/P, I/PT, I/PQ. Is the internal program in
question on all these variants and the same?

warm regards
vinods-ga
Answer  
There is no answer at this time.

The following answer was rejected by the asker (they received a refund for the question).
Subject: Re: PIC microcontroller question
Answered By: pelican-ga on 23 Dec 2002 21:42 PST
 
Answer to Question ID: 126154, "PIC microcontroller question", by
democracy-ga

Greetings!

QUESTION
How to get access to the internal program stored in a custom
programmed PIC16F874-04.

ANSWER

Just to make sure, you may wish to explore in detail the
www.microchip.com website [1].  It provides a comprehensive knowledge
base of PIC16F874 and other PICs, including information on write
protect techniques and ways of reducing the risk of unauthorized
access.  For example:
http://www.microchip.com/download/lit/pline/security/keeloq.pdf

Points of contact are given to get technical/consulting help:

Microchip Technical Support -- several regional contacts are listed
that allow you to consult directly with microchip.com technical
support:
http://www.microchip.com/1000/tsupport/index.htm

Consultants -- contact information is provided for microchip
consultants in several countries, including consultants in every state
of the USA:
http://www.microchip.com/1000/tsupport/consult/index.htm

Third Party Resources -- 130+ global third party tool manufacturers,
programmers, emulators, software tools, consultants, etc.
http://www.microchip.com/1000/pline/tools/tparty/3ptywebs/websites/index.htm

There are some other possibilities in terms of "how to" information
and tools --for example, see [2] to [5].  But the fact that the
software burned into this chip has been customized is indicative that
you are in for some "creative" research and experimentation.

In this kind of situation, the best thing to do is usually to get
expert help.  Someone, for example, like G. Wayne Haslam [6]. 
Professional associations also provide links to sources of relevant
information and expertise [7].

SOURCES

[1] Microchip Website
http://www.microchip.com

[2] The ChipCenter
http://www.chipcenter.com/

[3] Tech Tools -- Embedded Systems Development Tools
http://www.tech-tools.com/

[4] Altera -- The Programmable Solutions Company
http://www.altera.com/

[5] Embedded Systems Programming & Links to Other Sources 
http://www.embedded.com/
http://www.embeddedethernet.com/links.html
http://www.criticallink.com/
http://www.sss-mag.com/pic.html#links
http://www.keil.com/links/otherinfo.htm

[6] G. Wayne Haslam -- Software/Hardware/Firmware Engineer
http://gwhaslam.home.mindspring.com/

[7] Some professional associations that may provide good points of
contact:

[7.1] Embedded Software Association (ESOFTA) -- http://www.esofta.com
[7.2] Surface Mount Technology Association (SMTA) --
http://www.smta.org/
[7.3] Telecommunications Industry Association (TIA) --
http://www.tiaonline.org/

SEARCH STRATEGY

1. Review of www.microchip.com
2. Search for similar sites 
3. Search for expert consultants

RESEARCH SUMMARY

Extracting software from firmware is a tricky exercise.  After
reviewing the sources of available information and tools, it is
recommended to seek some expert help.  Several sources of expertise
are suggested.

I hope this answer will be useful to you.  Before rating this answer,
please ask for a clarification if you have a question or if you would
need further information.

Hope you will come back to visit us at Google Answers.  

Best regards,
pelican-ga

Request for Answer Clarification by democracy-ga on 23 Dec 2002 22:58 PST
I am not sure what these /L, /P, etc. stand for - do they specify
packaging, temperature range, etc?

Request for Answer Clarification by democracy-ga on 23 Dec 2002 23:03 PST
To: pelican-ga

Thanks but there is almost no information in your posting that has the
answer I am looking for.  You are providing links to development
tools, tech support, etc. whereas I am seeking an affordable way of
getting access to the secured internal program/data memory of the PIC
chip.

----
The first person who posted the answer had some good hints and I
wanted to pay him half the sum since his answer was not completely
relevant and requested.  However, Google removed that answer.  I wish
they would put me in touch with that person so I can pay him.

After that, I'd like to close this question.

Clarification of Answer by pelican-ga on 24 Dec 2002 10:08 PST
Hello democracy-ga,

What is the answer you are looking for?  Your question is general, so
the answer is general.  The answer is responsive to the original
question as stated.  Specifically, it provides pointers to available
tools you may be able to use, and experts who may be able to help you.
There is no magic tool or "cook book" method that will allow you to
abstract the software from the firmware, especially if it has been
modified/customized by someone else and you don't have any documented
description of what the modification entailed.  If you cannot do it
yourself, the only practical thing to do is get help from a good
vendor or consultant with expertise in the hardware, the software, and
the firmware -- all three knowledge domains are required.  If you want
to redefine more precisely the question, and the answer you need, I
would be happy to keep working with you, and I know where to find some
excellent HW/SW/FW gurus, but you have to provide more details about
the legal and technical situation before anyone can help you.

Sincerely,
pelican-ga
Reason this answer was rejected by democracy-ga:
This was my first ever question posted on Google and I was unsure of
the length of the question that was allowed so I kept my question
short.  This resulted in a somewhat incomplete question.  The first
person who replied provided some information but it was not what I was
seeking.  The second person is miles away from any clue.

My question is really asking if anyone knows access to the internal
program of PIC through the use of any binary sequence that would gain
access to the internal secured program.  Manufacturers of chips
usually have several 'test modes' in a chip and it is possible that
someone knows about a test mode that allows a user to peek inside the
program and data memory of the PIC controller in question.  The cost
of getting access to the chip should not be prohibitive also.

I feel that this would be a question too difficult to answer and it
would also require much more detailed specification so people don't
come up with undesirable answers.

Comments  
Subject: Re: PIC microcontroller question
From: duncan2-ga on 24 Dec 2002 10:33 PST
 
Repost of first answer attempt:

Hello democracy-ga, 

This is an unusual question, and one that I feel qualified to answer
with my background in Electrical Engineering.  While what you propose
is legal in many areas, it is, however, a question that treads on the
edge of legality.  Your assurance of non-infringement notwithstanding,
Researchers are not allowed to assist in helping customers conduct
illegal activities.   I therefore have accompanied my answer with some
suggestions as to how you might proceed to carefully accomplish your
goal, legally.

The reverse engineering of microcontrollers, which is the essence of
what you’re trying to do, can be achieved through several methods,
none of which are easy or cheap.  In many cases, programmable
controllers have built-in security (tamper-resistant hardware) to
prevent exactly what you’re trying to achieve.  Nevertheless, clever
tricks can be used to bypass these features.  These microcontroller
reverse-engineering methods can be divided into two general
categories: invasive, and non-invasive.

The most direct route (and the one which probably requires the most
expense) is to use microprobes to examine the chip as it functions. 
Generally this means taking the chip out of its packaging so that the
integrated circuit can be exposed and probed.  The test equipment to
accomplish this isn’t cheap, nor is this a particularly fast method. 
But this type of microscopic examination can be used on any integrated
circuit and can be more straightforward than trying to attack the chip
with software programs or voltage glitches.

Non-invasive techniques can be used as well; the benefit of these is
that they don’t require physically destroying the chip.  Instead you
try to get the chip to reveal information by attacking it with signals
designed to generate malfunctions or exploit weaknesses in the
protocols.

I’ll point out here, that since you feel fairly certain that the code
you wrote was stolen and incorporated into the chip, you might want to
check your own source code for any bugs or anomalies that might have
been copied wholesale into this implementation.  If you have an
unusual bug or error condition in your code, and it’s demonstrable in
the chip, this might be strong supporting evidence for your claim.

One non-invasive technique that is used is to simply supply the
microcontroller with incorrect voltages or clock signals.  Other types
of eavesdropping on the chip’s input and output can also reveal the
inner workings of the chip.

You would do well to carefully read the article posted here:
“Breaking copy protection in microcontrollers”
http://www.cl.cam.ac.uk/~sps32/mcu_lock.html
This article details various reverse-engineering methods and
specifically mentions successful attacks on the PIC16F874.

Once you have an idea of what’s involved, you’re still going to have
to grapple with the legal side of this issue.  While reverse
engineering is generally legal, particularly in academic areas, THIS
ISN’T SOMETHING YOU WANT TO GUESS ABOUT.  GO TALK WITH A LAWYER. 
Really.  Preferably one that has good experience with
reverse-engineering law and the Digital Millennium Copyright Act
(DMCA).  The last thing you want to do is win your case but open
yourself up to large fines and jail time.

You may wish to inquire for a referral from the Electronic Freedom
Foundation (http://www.eff.org/ ) or get in touch with the Samuelson
Law, Technology & Public Policy Clinic at the University of
California, Berkeley, School of Law.  The Samuelson Clinic got a lot
of publicity recently for assisting in a DMCA defense against Walmart.
The Samuelson Clinic can be found online at
http://samuelsonclinic.org .

Incidentally, Berkeley law professor Pamela Samuelson
(http://www.sims.berkeley.edu/~pam/ ) has argued in favor of reverse
engineering in the past, and wrote an interesting article on reverse
engineering and trade secret law.  The article, in Adobe Acrobat
format, is available online, here:
http://www.sims.berkeley.edu/~pam/papers/CACM%20on%20Bunner.pdf

Assuming you don’t want to (or cannot) do the reverse engineering
yourself, there *are* professional options.  Chipworks, a Canadian
company with offices in the US, Japan, and Poland, specializes in
reverse engineering.  (http://www.chipworks.com )  Quoting from their
FAQ:

“Is reverse engineering legal?  One of the most frequently asked
questions at career fairs and exhibits is the question regarding
ethics and legality of reverse engineering. In short, YES,
Semiconductor Acts in Canada, United States, and many other countries
talk about RE as an important way to educate engineers and promote
healthy competition.” (http://www.chipworks.com/FAQ.htm )

Chipworks provides a variety of services, including litigation
support.  You might be able to hire them to reverse engineer the chip,
compare the implementation to your code, and then call them as expert
witnesses for your case.  (http://www.chipworks.com/patent/litsup.htm
)

Chipworks has a competitor: Semiconductor Insights, Inc., also of
Ottawa, Canada  (http://www.semiconductor.com/index.shtml )  Their
reverse engineering reporting services can provide you with different
types of reports (Design analysis, Structural Analysis, or Technology
Overview) that might be helpful to your case.  Alternatively, they
might be willing to do a comparison of your code to that in the chip
in question as a customized analysis.

By hiring a company to do the comparison, you separate yourself from
the actual act of reverse engineering, which probably would help
protect you from any DMCA ramifications as well as lend additional
credence to the legal evidence you present.

I hope this answers your question.  Should you need additional details
or require more information, please don’t hesitate to post a request a
clarification and I’ll be happy to go further.

Regards,  Duncan2-ga 

SEARCH STRATEGY:  I first searched for information specific to this
controller.  The Google search for the words “PIC16F874 reverse
engineer” produced the copy protection article:
http://www.google.com/search?q=PIC16F874+reverse+engineer&btnG=Google+Search&hl=en&lr=&ie=UTF-8&oe=UTF-8

After several searches with terms such as “microcontroller reverse
engineering company”, I found Chipworks, from this search:
http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=chip+reverse-engineering+company&btnG=Google+Search

I found mentions of Semiconductor Insights, Inc. by searching for
“chipworks competitor”
http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=chipworks+competitor&btnG=Google+Search

Finally, I found Pamela Samuelson’s paper by searching for “reverse
engineering” at Greplaw, a service of the Berkman Center for Internet
and Society: http://www.greplaw.org or http://grep.law.harvard.edu
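An added example, not part of any post in this thread: the comparison duncan2-ga suggests above (checking whether distinctive features of your own code reappear in the suspect chip) can be made mechanical once both programs exist as Intel HEX files, which is what MPLAB emits for your own build. The script below was written for this edit and is not from any participant; it assumes MPLAB's INHX8M layout (each 14-bit program word stored little-endian at byte address 2 × word address), verifies every record checksum, aligns the two images by content rather than address so a relocated routine is still found, refuses to count erased (0x3FFF) or NOP filler as a match, and reports the shared runs plus the fraction of the suspect image's real code they cover. The two sample images are constructed for the demonstration.

```python
"""Added example (not from any post in this thread): compare two PIC16 program images
in Intel HEX for runs of identical code.  Assumes MPLAB-style INHX8M layout: each
14-bit word stored little-endian at byte address 2 * word_address.  Samples are constructed."""
from typing import Dict, List, Tuple

ERASED = 0x3FFF  # an erased PIC16 program word reads back as all ones
NOP = 0x0000

def intel_hex_record(rtype: int, addr: int, payload: bytes) -> str:
    """One Intel HEX record; the checksum is the two's complement of the byte sum."""
    body = bytes([len(payload), (addr >> 8) & 0xFF, addr & 0xFF, rtype]) + payload
    return ":" + (body + bytes([(-sum(body)) & 0xFF])).hex().upper()

def words_to_intel_hex(words: Dict[int, int]) -> str:
    """Serialise {word_address: word} as INHX8M data records of up to 8 words."""
    addrs, lines, start = sorted(words), [], 0
    while start < len(addrs):
        end = start + 1
        while end < len(addrs) and end - start < 8 and addrs[end] == addrs[end - 1] + 1:
            end += 1
        payload = b"".join(bytes([words[a] & 0xFF, (words[a] >> 8) & 0x3F]) for a in addrs[start:end])
        lines.append(intel_hex_record(0x00, addrs[start] * 2, payload))
        start = end
    return "\n".join(lines + [intel_hex_record(0x01, 0, b"")]) + "\n"

def parse_intel_hex(text: str) -> Dict[int, int]:
    """Parse Intel HEX into {byte_address: byte}; checks each record's length and checksum.
    Handles data (00), end-of-file (01) and extended linear address (04) records."""
    mem, upper = {}, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: missing ':' start code")
        rec = bytes.fromhex(line[1:])
        if len(rec) < 5 or len(rec) != rec[0] + 5:
            raise ValueError(f"line {lineno}: length field disagrees with record")
        if sum(rec) & 0xFF:  # all bytes including the checksum must sum to 0 mod 256
            raise ValueError(f"line {lineno}: checksum mismatch")
        addr, rtype, payload = (rec[1] << 8) | rec[2], rec[3], rec[4:-1]
        if rtype == 0x00:
            for i, byte in enumerate(payload):
                mem[upper + addr + i] = byte
        elif rtype == 0x01:
            return mem
        elif rtype == 0x04:
            upper = ((payload[0] << 8) | payload[1]) << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    raise ValueError("no end-of-file record")

def program_words(mem: Dict[int, int]) -> Dict[int, int]:
    """Pair bytes into little-endian 14-bit words; word address = byte address // 2."""
    return {a // 2: (mem[a] | (mem.get(a + 1, 0) << 8)) & 0x3FFF for a in mem if a % 2 == 0}

def shared_runs(a: Dict[int, int], b: Dict[int, int], min_len: int = 4) -> List[Tuple[int, int, int]]:
    """Greedy search for runs of >= min_len identical, address-contiguous words, aligned by
    content so relocated code is found.  Returns (addr_in_a, addr_in_b, length).  Windows of
    only erased/NOP words are never indexed: blank memory matching blank memory proves nothing."""
    seq_a, seq_b = sorted(a.items()), sorted(b.items())
    wa, wb = [w for _, w in seq_a], [w for _, w in seq_b]
    index: Dict[Tuple[int, ...], List[int]] = {}
    for i in range(len(wa) - min_len + 1):
        win = tuple(wa[i:i + min_len])
        if not all(w in (ERASED, NOP) for w in win):
            index.setdefault(win, []).append(i)
    runs, j = [], 0
    while j <= len(wb) - min_len:
        best_len, best_i = 0, -1
        for i in index.get(tuple(wb[j:j + min_len]), []):
            n = min_len  # extend while both images stay identical and address-contiguous
            while (i + n < len(wa) and j + n < len(wb) and wa[i + n] == wb[j + n]
                   and seq_a[i + n][0] == seq_a[i + n - 1][0] + 1
                   and seq_b[j + n][0] == seq_b[j + n - 1][0] + 1):
                n += 1
            if n > best_len:
                best_len, best_i = n, i
        if best_i < 0:
            j += 1
            continue
        runs.append((seq_a[best_i][0], seq_b[j][0], best_len))
        j += best_len
    return runs

def compare_images(hex_a: str, hex_b: str, min_len: int = 4):
    """Shared runs plus the fraction of the suspect image's non-blank words they cover."""
    wa, wb = program_words(parse_intel_hex(hex_a)), program_words(parse_intel_hex(hex_b))
    runs = shared_runs(wa, wb, min_len)
    covered = {addr for _, start, n in runs for addr in range(start, start + n)}
    nonblank = [addr for addr, w in wb.items() if w not in (ERASED, NOP)]
    return runs, sum(addr in covered for addr in nonblank) / len(nonblank)

# Constructed sample: a 7-word routine (valid PIC16 opcodes) sits at word address 0x0004
# in the owner's own build and, relocated, at 0x0008 in the suspect image.
ROUTINE = [0x3055, 0x0086, 0x0E06, 0x3AAA, 0x00A0, 0x1D03, 0x0008]
ORIGINAL_WORDS = dict(enumerate([0x2804, 0x0064, 0x0063, 0x0009] + ROUTINE + [0x2800] + [ERASED] * 7))
SUSPECT_WORDS = dict(enumerate([0x1683, 0x0185, 0x1283, 0x2808] + [ERASED] * 4 + ROUTINE + [0x2808] + [ERASED] * 5))
ORIGINAL_HEX = words_to_intel_hex(ORIGINAL_WORDS)
SUSPECT_HEX = words_to_intel_hex(SUSPECT_WORDS)

if __name__ == "__main__":
    runs, frac = compare_images(ORIGINAL_HEX, SUSPECT_HEX)
    for addr_a, addr_b, n in runs:
        print(f"{n} identical words: original 0x{addr_a:04X} == suspect 0x{addr_b:04X}")
    print(f"{frac:.0%} of the suspect's non-blank program words are shared")
```

Run it as-is to see the constructed case, or point `compare_images` at the text of two real HEX files. A long run of identical opcodes at different addresses is the kind of artefact duncan2-ga's advice is after; short runs are weak evidence, since common library routines and compiler idioms repeat across unrelated firmware, so raise `min_len` before drawing conclusions.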
Subject: Re: PIC microcontroller question
From: duncan2-ga on 24 Dec 2002 10:35 PST
 
Repost of first RFC:

Request for Answer Clarification by democracy-ga on 20 Dec 2002 11:22 PST

Hi,

Thanks for your detailed answer which I really appreciate.  I guess it
is my fault that I didn't clarify the question clearly (this is my
first ever use of this Google service and I was not even sure about
the length of question they would allow so I kept the question fairly
short).

1. Over the years, I have been told that a lot of chip manufacturing
companies leave some 'test modes' or other 'manufacturing modes' that
can be activated by using special sequencing of binary information on
external pins.  It is said that some such mode (obviously kept a
secret) can go past on-board security bits and peek into secured
program/data memory.

My intention of posting this question was to see if there was anyone
out there who knew of such 'hidden' info or who knew someone else who
knew such info (i.e. who could lead me to such info eventually.)

I am an electrical design engineer myself and have known some of the
reverse engineering techniques described in the papers you point to. 
In fact, I have been part of teams that have reverse engineered
complex chips using photographic enlargement methods.

Such techniques, as you also point out, are prohibitively expensive
and I was not particularly interested in those methods for that
reason.  In fact, it might come out less expensive to file a lawsuit
against the perceived copier of my product and have the court order
the defendant to show a listing of their code to be evaluated by an
'expert' witness.

2. Anyhow, I'd like to definitely compensate you for your effort but I
wonder if Google has a way of allowing the two parties to negotiate or
is it the whole 'package' deal that has to be accepted/rejected.  And
if there is a way to negotiate, what is your thought on what a fair
value to this might be considering my mistake, my real question and
the time you spent?

Will be in touch ... 

Thanks. 

Best regards,
Subject: Re: PIC microcontroller question
From: duncan2-ga on 24 Dec 2002 10:51 PST
 
Hello democracy-ga,

I've done some more research and concluded that I will not be able to
fully answer your question, taking into account the RFC which you
posted.  In the future, to avoid misdirecting/confusing researchers,
you’ll want to be as specific as possible in your initial question
posting.  As this was your first question to the service, and I can
understand the confusion in the question-asking process, I therefore
asked the editors to remove my answer, which I've posted here as
comments.  Hopefully another researcher will be able to locate the
information you are looking for.

In regards to negotiation for payment, Google Answers does not have a
mechanism in place for bargaining for payment, i.e. you posted the
question at a $200 value – if you are satisfied with the answer, that
is the price you will be charged.  There are two other possibilities
you can consider for the future; 1) price the question lower to begin
with, and tip the researcher for a good answer or 2) post a second
question (for a particular value) for a specific researcher as a way
to compensate.  Thanks for your generous offer to pay me, but as I
didn’t answer the question, I’m happy to give you this information for
free.

With 500+ researchers in many time zones, it’s not surprising that
another researcher has stepped up to the plate.  I hope that he/she is
successful.  If not, and you are unsatisfied, they may rescind their
answer, as I did, or you may reject their answer.  Read the Google
Answers help for more details:
http://answers.google.com/answers/help.html#followup

While larger chips certainly have debug modes and testing hooks, I
actually doubt that the PIC product has the feature you are interested
in.  But I've been unable to verify that either way.

I sincerely hope you find what you are seeking and that you have a
happy holiday.

Regards,
Duncan2-ga
