For a long time, some of the most frequently asked questions on Special Projects were about Picbuster. Was it a program? Was it a device? Did it really exist. The answer has been given in a Usenet message. It is essentially a Welsh Poet - Dai Ode. In other words, it is a diode.
The standard method of popping a PIC was to actually remove the top of the chip and re-engineer the fuse. The method described opposite is effectively the cheapest solution. Of course other methods exist.
The standard result when the fuse is reset is that the complete memory of the PIC16C84 is reset. In the normal programming mode there is a large difference between the programming voltage (approx 13.8 Volts) and the supply voltage (5 Volts). In the Picbuster as described opposite, the recommended difference is approximately 0V5. The voltage drop across the diode is 0V6 to 0V7. The 0V5 voltage differential may not be enough to reset the entire memory but is enough to alllow the fuse to be reset.
The publication of this information on the Usenet does provide other problems. Most of the pirate smart cards in use at the moment are based on the PIC16C84. The widespread knowledge of how to hack these chips means that the market can become over- saturated with pirate cards.
To date the pirate cards have been upgraded in a trickle-down manner. A few companies at the top of the chain figure out the fix for the new ECM and implement it. The details of the fix are then sold on down the chain until finally the whole market has been upgraded. In effect it is almost feudal.
It would be easy to think that this would benefit the hacked channels more than the pirates. That would of course be wrong. The net result of the publication is that the knowledge of the system is spread more widely than before. Therefore the more people who understand the system, the quicker the turn around between ECM and fix.
The widespread availability of the knowledge to pop the PIC16C84 is making some pirate card manufacturers rethink their strategy. One notable change has been the Benedex - Futuretron Battery card. This card uses the Dallas Micros chip rather than one from the PIC16* series. Another option is the reprogrammed Sky 09 card (see separate story in this issue).
The PIC16C84 is widely used. In some applications it is used to control electronic locks such as those used on some of the more up market cars. There was a court case in the UK last year where the defendant was convicted for having in his possession a device that snatched the RF data from these electronic keys and replayed it to open the locks. The use of Picbuster could be dangerous if it showed that there was a backdoor code (bad pun) that could be used by garages in the event of the car owner losing his electronic key.
It is almost certain that Arizona Microchip have implemented some sort of modification to PIC16C84 die. This modification would of course take some time to filter into the market. Most of the pirate cards at the moment are recycling the PIC16C84 chips from 07 pirate cards. There have been some rumours that the Picbuster does not work with some of the more recent 1995 batches.
Article: 16241 of alt.satellite.tv.europe Newsgroups: alt.satellite.tv.europe From: Lester@bannold.demon.co.uk (Lester Wilson) Subject: Re: NEW PROGRAMMER Organization: PO BOX 845 WATERBEACH CAMBRIDGE CB5 9JS Reply-To: Lester@bannold.demon.co.uk X-Newsreader: Newswin Alpha 0.7 Lines: 86 X-Posting-Host: bannold.demon.co.uk Date: Wed, 26 Apr 1995 07:27:50 +0000 Message-ID: <429713219wnr@bannold.demon.co.uk> Sender: usenet@demon.co.uk > > lester may i ask a question just how secure is a pic chip when > the security fuses have been blown ? > -- > PAUL BULMER > > In my opinion hte pIC16C84 is secure enough to prevent the casual reading of protected code. I think that this subject has been covered in other discussions in this group in the not too distant past. I have many private emails from persons claiming to have had success in reading data from a Code protected PIC16C84. I myself am convinced that it is possible, so are many others, but each to his own.I do not condone or encorage the reading of copyright protested code by unathorised persons. It is acheivable in many ways, one of which was emailed to me some time back by a satisfied customer:- ___addresses deleted___________________________________ Hi Lester, ______________________more deleted stuff________________________________ --------------------------------------------------------------------------- PicBuster The Pic chip (PIC16C84) can in fact have it's program and data memory read after the config fuses have been set to code protection on. Try the following: Write some code to the chip with the code protection set to "ON". Read back to verify that the protection has indeed come on. Now set Vdd ( pin 14 ) to Vpp-0.5v, (Programming voltage less 0.5V). Set config fuse to "OFF" and reprogram config fuse. Now set Vdd back to normal, +5v. Power off the programmer. Wait 10 to 20 sec. Power back on the programmer. (VDD at + 5V) Read the Pic.... and hey presto, data in unprotected format should now be available. _________________________stuff deleted____________________________ This is experimental only and no liability will be accepted for any loss of data. ------------------------------------------------------------------ _____________lots and lots more deleted stuff_____________________ by revealing the above I hope that you are satisfied ( though I doubt it), I will not be replying to further questions on the subject. The above mail has been reproduced without the specific pewrmission of the sender, however I believe that since the mail was sent to me with no request for confidentiality I am within my rights to display my person mail. The information imparted is I believe in the PUBLIC DOMAIN, I did not invent or discover it myself. I have used methods SIMILAR to the above to acheive the same result. -- Best Regards Lester -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6 mQBtAy+JizYAAAEDAN/jsyzLJII0xrHWRIjC62ty5MwQKv0j8MBTRZaVJZEZPayJ d8Tg3MKoQk/GBVL5bGoMF2n50rAxLGKTefCWmm3IoiytANbo+Tap7msQN2QkXfPW cnUbB2DcbjaJdOqOwQAFEbQjbGVzdGVyIDxsZXN0ZXJAYmFubm9sZC5kZW1vbi5j by51az4==uUvE -----END PGP PUBLIC KEY BLOCK-----