PIC16C57C Unlocking and code dumping

After some tests on reading back the Program Memory of the PIC16C57C (I have many of them, thanks to you ;)) I finally managed to get a full working dump. The first one, based on the previously decapped PIC, was half a failure because of the nail polish area: there were many bad opcodes right in the middle of the code, especially in the most interesting part. But that was a good starting point: the fuses were not protected against UV.

Badly covered area

According to the results, only the small area at the top right of the picture was in fact reset to 0xFF; the big part was protected (thanks to the mega Gemey long-lasting UV-resistant nail polish). To be sure of that, we did a full zero programming of the program memory and read it back. The quickest option was to redo the whole process on another part.

Example of corrupted bit:


1274   4F9     191          XORWF 0x11, W
1275   4FA     193          XORWF 0x13, W
1276   4FB     199          XORWF 0x19, W
1277   4FC     00E
1278   4FD     34E          RLF 0xe, W
1279   4FE     370          RLF 0x10, F
1280   4FF     371          RLF 0x11, F

Good version:


1275   4FA     193          XORWF 0x13, W
1276   4FB     199          XORWF 0x19, W
1277   4FC     02E          MOVWF 0xe
1278   4FD     36E          RLF 0xe, F
1279   4FE     370          RLF 0x10, F
1280   4FF     371          RLF 0x11, F

The second try was worse, with a much more damaged code dump, but the zero test for leaks in the UV shield passed without any problem. In fact, after some investigation, I had shorted some bond wires together while applying the polish on the EPROM area. It gave some weird stuff and totally broke the code.


1275   4FA     193          XORWF 0x13, W
1276   4FB     199          XORWF 0x19, W
1277   4FC     03E          MOVWF 0x1e
1278   4FD     B7E          GOTO 0x17e
1279   4FE     B70          GOTO 0x170
1280   4FF     B71          GOTO 0x171
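
A bit-level comparison of the three listings above, as an added example (not the author's tooling): it parses the rows as shown and reports, per address, which bits of the 12-bit word read differently from the good dump. The function and variable names are illustrative.

```python
WORD_BITS = 12  # PIC16C5x program memory words are 12 bits wide
# Rows copied from the three listings on this page: line, address, opcode, mnemonic.
GOOD = """\
1275   4FA     193          XORWF 0x13, W
1276   4FB     199          XORWF 0x19, W
1277   4FC     02E          MOVWF 0xe
1278   4FD     36E          RLF 0xe, F
1279   4FE     370          RLF 0x10, F
1280   4FF     371          RLF 0x11, F
"""
FIRST_TRY = """\
1274   4F9     191          XORWF 0x11, W
1275   4FA     193          XORWF 0x13, W
1276   4FB     199          XORWF 0x19, W
1277   4FC     00E
1278   4FD     34E          RLF 0xe, W
1279   4FE     370          RLF 0x10, F
1280   4FF     371          RLF 0x11, F
"""
SECOND_TRY = """\
1275   4FA     193          XORWF 0x13, W
1276   4FB     199          XORWF 0x19, W
1277   4FC     03E          MOVWF 0x1e
1278   4FD     B7E          GOTO 0x17e
1279   4FE     B70          GOTO 0x170
1280   4FF     B71          GOTO 0x171
"""

def parse_listing(text):
    """Map address -> 12-bit opcode, ignoring the line number and mnemonic."""
    rows = (line.split() for line in text.splitlines())
    return {int(r[1], 16): int(r[2], 16) for r in rows if len(r) >= 3}
def bit_positions(value):
    return [n for n in range(WORD_BITS) if value >> n & 1]

def bit_diff(good_text, bad_text):
    """Return {address: (bits read 1->0, bits read 0->1)} for words that differ."""
    good, bad = parse_listing(good_text), parse_listing(bad_text)
    diff = {}
    for addr in sorted(good.keys() & bad.keys()):  # compare shared addresses only
        cleared, raised = good[addr] & ~bad[addr], bad[addr] & ~good[addr]
        if cleared or raised:
            diff[addr] = (bit_positions(cleared), bit_positions(raised))
    return diff

if __name__ == "__main__":
    for name, dump in (("first try", FIRST_TRY), ("second try", SECOND_TRY)):
        for addr, (lost, gained) in bit_diff(GOOD, dump).items():
            print(f"{name} {addr:03X}: cleared {lost}, set {gained}")
```

On these rows the first try differs from the good dump only in bit 5 at 4FC and 4FD, while the second try differs in bits 4 and 11 across 4FC to 4FF.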

Here are some details of the fuse section. I think the Code Protect one is copied in the C version of that PIC, because there are still 4 fuses where the datasheet gives a 12-bit fuse register. It could make sense to do that to avoid undefined values in the code when reading the fuses (in fact this feature is present on all revisions of the series). This part is just a theory; if you have a better idea, don’t hesitate to post it.

PIC16C57C Datasheet:

bit 11-3: CP: Code Protection Bit
bit 2: WDTE: Watchdog timer enable bit
bit 1-0: FOSC1:FOSC0: Oscillator Selection Bit

PIC16C57 Datasheet:

bit 11-4: Unimplemented : Read as ‘0’
bit 3: CP: Code protection bit.
bit 2: WDTE: Watchdog timer enable bit
bit 1-0: FOSC1:FOSC0: Oscillator selection bits

PIC16C57C Top Metal

Details (Neo DPlan 50x) of the FET with no protection on the gate:
pic16c57c fuse details

H2SO4 Decapping – Many failures analysis

For a little project I need to decap a PIC16C57C while keeping it alive for analysis. I finally managed to get a clean “localized” decapping, but I did many tests before. If you have the stuff needed to work with HNO3 it will be easier; there are many articles on that point on the mega Interweb. In my case I’m more comfortable with H2SO4, mainly because it’s easier to source (drain cleaner, that’s what I use), whereas nitric acid is regulated (explosives manufacturing?). So today’s results seem promising; the decapping is really clean.

Ready for live analysis
