Q: ONLY for duncan2-ga researcher (Answered, 0 Comments)
Question
Subject: ONLY for duncan2-ga researcher
Category: Computers > Security
Asked by: democracy-ga
List Price: $100.00
Posted: 03 Jan 2003 19:58 PST
Expires: 02 Feb 2003 19:58 PST
Question ID: 137241
NOTE: This question would be considered answered ONLY if duncan2-ga
responds.  Any other researcher - pl. do not respond.

Hi duncan2-ga,

I basically want to compensate you for the work you did on my last
posting.  Your answer was definitely informative for me yet it didn't
provide the real clue.

I had written to Google about this.  Unless questions can be framed in
a manner where there is one and ONLY one answer, there will always be
cases like this where an answer is partially complete/useful.  The
world is not black and white - it is all shades of gray AND all shades
of all colors; thus b&w answers are difficult for most difficult
questions.  Hence Google should devise a way to somehow allow partial
compensation, esp. when the asker is willing to pay (after all, it is
much better than giving a 'money back satisfaction guarantee').

I am asking the same question here; pl. provide the same answer and
take the money.  I may be able to use your research some day and so it
is of some value to me - pl. don't think I am paying you without
reason.  :-)

Thanks for your good work.
Regards,
-------
QUESTION:

I need to get access to the internal program stored in a custom 
programmed PIC16F874-04 (I have the chip).  This is a microcontroller
made by Microchip (www.microchip.com).  Anyone who can provide 
information that eventually leads me to this program will be paid the
amount (note: even clues that will lead to someone else who can provide
this info are sufficient to win).  Guarantee that
I will not infringe on ANY copyright laws or will use the program for
any commercial purpose.  This info is needed to defend my own rights -
someone has copied my software and I have to prove it.  This is the 
only way to prove it.  More details available on request.

----------
Answer  
Subject: Re: ONLY for duncan2-ga researcher
Answered By: duncan2-ga on 06 Jan 2003 13:24 PST
 
Hello democracy-ga,

Thanks for your generosity and my apologies for not getting back to
you sooner.  I’m happy to hear that my research may be of future use
to you.

You’re correct in that many questions, particularly difficult ones,
may not have simple, black and white answers.  However, researchers
strive to completely answer questions (and your satisfaction is
guaranteed).  Researchers choose the questions they wish to work on;
this does mean that some of the really difficult or complicated
questions may go unanswered.  In many cases, the clarity of the
question phrasing, including what is sufficient as a complete answer,
is the deciding factor.  Partial compensation, while desirable in many
cases, isn’t a simple option at this point.  (Instead, some customers
may break up their question into separate pieces and post them
separately).  This service is still in Beta, and your feedback is
certainly appreciated.

I enjoyed working on this question and have looked further since first
posting this answer.  While lots of software disassemblers exist, so
far I’ve found nothing that suggests any 'backdoor' or 'debug modes'
that would allow direct access to the protected PIC.  If such exists,
I suspect it’s a closely guarded secret at the company, as even a
single leak of the information would negate security for the product. 
And with various PIC controllers having been on the market for over 20
years, it seems unlikely that the existence of such modes wouldn’t have
become public knowledge.

Thanks again for your generosity, and for using Google Answers.  I
hope you visit us again soon.
Duncan2-ga

----------------------
REPOST BEGINS:

This is an unusual question, and one that I feel qualified to answer
with my background in Electrical Engineering.  While what you propose
is legal in many cases, it is, however, a question that treads on the
edge of legality.  Your assurance of non-infringement notwithstanding,
Researchers are not allowed to assist in helping customers conduct
illegal activities.   I therefore have accompanied my answer with some
suggestions as to how you might proceed to carefully accomplish your
goal, legally.

The reverse engineering of microcontrollers, which is the essence of
what you’re trying to do, can be achieved through several methods,
none of which are easy or inexpensive.  In many cases, programmable
controllers have built-in security (tamper-resistant hardware) to
prevent exactly what you’re trying to achieve.  Nevertheless, clever
tricks can be used to bypass these features.  These microcontroller
reverse-engineering methods can be divided into two general
categories: invasive, and non-invasive.

The most direct route (and the one which probably requires the most
expense) is to use microprobes to examine the chip as it functions. 
Generally this means taking the chip out of its packaging so that the
integrated circuit can be exposed and probed.  The test equipment to
accomplish this isn’t cheap, nor is this a particularly fast method. 
But this type of microscopic examination can be used on any integrated
circuit and can be more straightforward than trying to attack the chip
with software programs or voltage glitches.

Non-invasive techniques can be used as well; the benefit of these is
that they don’t require physically destroying the chip.  Instead you
try to get the chip to reveal information by attacking it with signals
designed to generate malfunctions or exploit weaknesses in the
protocols.

I’ll point out here, that since you feel fairly certain that the code
you wrote was stolen and incorporated into the chip, you might want to
check your own source code for any bugs or anomalies that might have
been copied wholesale into this implementation.  If you have an
unusual bug or error condition in your code, and it’s demonstrable in
the chip, this might be strong supporting evidence for your claim.

One non-invasive technique that is used is to simply supply the
microcontroller with incorrect voltages or clock signals.  Other types
of eavesdropping on the chip’s input and output can also reveal the
inner workings of the chip.

You would do well to carefully read the article posted here:
“Breaking copy protection in microcontrollers”
http://www.cl.cam.ac.uk/~sps32/mcu_lock.html
This article details various reverse-engineering methods and
specifically mentions successful attacks on the PIC16F874.

Once you have an idea of what’s involved, you’re still going to have
to grapple with the legal side of this issue.  While reverse
engineering is generally legal, particularly in academic areas, THIS
ISN’T SOMETHING YOU WANT TO GUESS ABOUT.  GO TALK WITH A LAWYER. 
Really.  Preferably one that has good experience with
reverse-engineering law and the Digital Millennium Copyright Act
(DMCA).  The last thing you want to do is win your case but open
yourself up to large fines and jail time.

You may wish to inquire for a referral from the Electronic Frontier
Foundation (http://www.eff.org/ ) or get in touch with the Samuelson
Law, Technology & Public Policy Clinic at the University of
California, Berkeley, School of Law.  The Samuelson Clinic got a lot
of publicity recently for assisting in a DMCA defense against Walmart.
The Samuelson Clinic can be found online at
http://samuelsonclinic.org .

Incidentally, Berkeley law professor Pamela Samuelson
(http://www.sims.berkeley.edu/~pam/ ) has argued in favor of reverse
engineering in the past, and wrote an interesting article on reverse
engineering and trade secret law.  The article, in Adobe Acrobat
format, is available online, here:
http://www.sims.berkeley.edu/~pam/papers/CACM%20on%20Bunner.pdf

Assuming you don’t want to (or cannot) do the reverse engineering
yourself, there *are* professional options.  Chipworks, a Canadian
company with offices in the US, Japan, and Poland, specializes in
reverse engineering.  (http://www.chipworks.com )  Quoting from their
FAQ,
“Is reverse engineering legal?
One of the most frequently asked questions at career fairs and
exhibits is the question regarding ethics and legality of reverse
engineering. In short, YES, Semiconductor Acts in Canada, United
States, and many other countries talk about RE as an important way to
educate engineers and promote healthy competition.”
(http://www.chipworks.com/FAQ.htm )

Chipworks provides a variety of services, including litigation
support.  You might be able to hire them to reverse engineer the chip,
compare the implementation to your code, and then call them as expert
witnesses for your case.  (http://www.chipworks.com/patent/litsup.htm )

Chipworks has a competitor: Semiconductor Insights, Inc., also of
Ottawa, Canada  (http://www.semiconductor.com/index.shtml )  Their
reverse engineering reporting services can provide you with different
types of reports (Design analysis, Structural Analysis, or Technology
Overview) that might be helpful to your case.  Alternatively, they
might be willing to do a comparison of your code to that in the chip
in question as a customized analysis.

By hiring a company to do the comparison, you separate yourself from
the actual act of reverse engineering, which probably would help
protect you from any DMCA ramifications as well as lend additional
credence to the legal evidence you present.

I hope this answers your question.  Should you need additional details
or require more information, please don’t hesitate to post a request for
clarification and I’ll be happy to go further.

Regards,
Duncan2-ga

SEARCH STRATEGY:
I first searched for information specific to this controller.  The
Google search for the words “PIC16F874 reverse engineer” produced the
copy protection article:
://www.google.com/search?q=PIC16F874+reverse+engineer&btnG=Google+Search&hl=en&lr=&ie=UTF-8&oe=UTF-8

After several searches with terms such as “microcontroller reverse
engineering company”, I found Chipworks, from this search:
://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=chip+reverse-engineering+company&btnG=Google+Search

I found mentions of Semiconductor Insights, Inc. by searching for
“chipworks competitor”
://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=chipworks+competitor&btnG=Google+Search

Finally, I found Pamela Samuelson’s paper by searching for “reverse
engineering” at Greplaw, a service of the Berkman Center for Internet
and Society:
http://www.greplaw.org or http://grep.law.harvard.edu

ADDITIONAL LINKS:
There are a number of PIC-related websites on the Internet.  You might
also be interested in “The PICmicro ring”:
http://o.webring.com/hub?sid=&ring=picmicro&id=&home

The ring has a number of sites including “The PIC archive”
http://come.to/thepicarchive
 
A related section in the Google Web Directory: 
http://directory.google.com/Top/Computers/Programming/Disassemblers/PIC/

The PICList (resources and users devoted to the PIC microcontroller)
Useful, though not aesthetically-pleasing:
http://www.piclist.com/techref/piclist/index.htm#PICLIST
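The answer above suggests checking whether a quirk of your own code (an odd bug, a lookup table with a mistake in it) shows up in the chip. The script below is an added example, not part of the original Google Answers thread and not something duncan2-ga, Microchip or any company named above provides. It assumes both images are available as Intel HEX (the format Microchip's programming tools read and write), with each 14-bit PIC16 program word stored as two little-endian bytes at byte address 2 * word address. It parses both files, rebuilds the program words, lists maximal runs of identical consecutive words shared by the two images, and flags runs made up entirely of `retlw` instructions, since such constant tables are where copied quirks tend to survive intact. The two sample images are constructed inline; the function names and the minimum run length are the example's own choices.

```python
# Added example (not from the Google Answers thread): find code runs shared by
# your own build and another PIC16 program image, as supporting evidence.
# Assumed format: Intel HEX, 14-bit words as 2 little-endian bytes per word.
from typing import Dict, List, Tuple


def intel_hex_checksum(record: bytes) -> int:
    """Two's-complement checksum over the count, address, type and data bytes."""
    return (-sum(record)) & 0xFF


def words_to_intel_hex(words: List[int], start_word_addr: int = 0) -> str:
    """Constructed helper: emit a PIC16-style Intel HEX image from program words."""
    payload = b"".join((w & 0x3FFF).to_bytes(2, "little") for w in words)
    lines = []
    for off in range(0, len(payload), 16):
        chunk = payload[off:off + 16]
        byte_addr = start_word_addr * 2 + off
        rec = bytes([len(chunk)]) + byte_addr.to_bytes(2, "big") + b"\x00" + chunk
        lines.append(":" + (rec + bytes([intel_hex_checksum(rec)])).hex().upper())
    lines.append(":00000001FF")  # end-of-file record
    return "\n".join(lines)


def parse_intel_hex(text: str) -> Dict[int, int]:
    """Parse Intel HEX into a byte_address -> byte map, verifying each checksum."""
    mem: Dict[int, int] = {}
    base = 0
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(":"):
            continue
        rec = bytes.fromhex(line[1:])
        if sum(rec) & 0xFF != 0:
            raise ValueError("bad Intel HEX checksum: " + line)
        count, addr, rtype = rec[0], int.from_bytes(rec[1:3], "big"), rec[3]
        data = rec[4:4 + count]
        if rtype == 0x00:            # data record
            for i, b in enumerate(data):
                mem[base + addr + i] = b
        elif rtype == 0x01:          # end of file
            break
        elif rtype == 0x04:          # extended linear address
            base = int.from_bytes(data, "big") << 16
    return mem


def program_words(mem: Dict[int, int]) -> Dict[int, int]:
    """Rebuild 14-bit program words (word_address -> word) from the byte map."""
    words: Dict[int, int] = {}
    for baddr, lo in mem.items():
        if baddr % 2 == 0 and baddr + 1 in mem:
            words[baddr // 2] = (lo | (mem[baddr + 1] << 8)) & 0x3FFF
    return words


def shared_runs(ref: Dict[int, int], cand: Dict[int, int],
                min_len: int = 4) -> List[Tuple[int, int, int]]:
    """(ref_addr, cand_addr, length) for maximal runs of identical consecutive
    words present in both images and at least min_len words long."""
    index: Dict[tuple, List[int]] = {}
    for a in ref:
        gram = tuple(ref.get(a + i) for i in range(min_len))
        if None not in gram:
            index.setdefault(gram, []).append(a)
    runs: List[Tuple[int, int, int]] = []
    covered = set()
    for c in sorted(cand):
        if c in covered:
            continue
        gram = tuple(cand.get(c + i) for i in range(min_len))
        if None in gram or gram not in index:
            continue
        best_len, best_ref = 0, -1
        for r in index[gram]:            # extend each candidate match greedily
            n = min_len
            while ref.get(r + n) is not None and ref.get(r + n) == cand.get(c + n):
                n += 1
            if n > best_len:
                best_len, best_ref = n, r
        runs.append((best_ref, c, best_len))
        covered.update(range(c, c + best_len))
    return runs


def looks_like_retlw_table(words: List[int]) -> bool:
    """PIC16 'retlw k' encodes as 0x34kk; a run of them is a literal lookup table."""
    return bool(words) and all((w & 0x3F00) == 0x3400 for w in words)


def compare_images(ref_hex: str, cand_hex: str) -> List[Tuple[int, int, int, bool]]:
    """Shared runs, each flagged for whether it is entirely a retlw table."""
    ref = program_words(parse_intel_hex(ref_hex))
    cand = program_words(parse_intel_hex(cand_hex))
    return [(r, c, n, looks_like_retlw_table([ref[r + i] for i in range(n)]))
            for r, c, n in shared_runs(ref, cand)]


# Constructed samples: "your" build has a table whose last two entries are a
# quirk (0x00 where the series should continue); the other image repeats it.
REF_WORDS = [0x280B, 0x0000, 0x0000, 0x0000,                         # goto main
             0x3401, 0x3403, 0x3407, 0x340F, 0x341F, 0x3400, 0x3400,  # retlw table
             0x0064, 0x280B]                                          # main loop
CAND_WORDS = [0x2810, 0x0000, 0x0000, 0x0000, 0x0000, 0x0063,         # other preamble
              0x3401, 0x3403, 0x3407, 0x340F, 0x341F, 0x3400, 0x3400,  # same table
              0x0008, 0x3055, 0x0008, 0x2810]
REF_HEX = words_to_intel_hex(REF_WORDS)
CAND_HEX = words_to_intel_hex(CAND_WORDS)

if __name__ == "__main__":
    for r, c, n, table in compare_images(REF_HEX, CAND_HEX):
        print(f"ref 0x{r:04X} == image 0x{c:04X}: {n} words, retlw table: {table}")
```

On the constructed data the only shared run is the seven-word table, relocated to a different address in the second image; the surrounding code differs. Raise `min_len` on real images to suppress short coincidental matches such as runs of `nop` or common prologue sequences, and treat a long shared `retlw` table carrying your own mistake as the kind of artifact the answer recommends documenting.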
Comments  
There are no comments at this time.