From: jim bell <jimbell@pacifier.com>
Date: Sun, 16 Jun 1996 05:27:43 +0800
To: cypherpunks@toad.com
Subject: Re: Fuseable Links - no guarantees??
Message-ID: <199606151651.JAA22789@mail.pacifier.com>
MIME-Version: 1.0
Content-Type: text/plain


At 11:44 PM 6/14/96 -0400, Warren wrote:
>I have never paid much attention to the protection of firmware or the
>technical issues revolving around such schemes...was wondering:
>
>I recently saw an add for a UK based group that says they can take a PIC
>OTP micro and read the prom (for a fee, of course) - How the heck is this
>done?? I have my suspicion that they (somehow) magically peel off the
>ceramic coating (without destroying the chewy center), get a circuit mask
>and 'micro probe' the I/O of the IC...they then download the secret recipe
>to the afore mentioned 'chewy center'.
>
>Is this close to accurate?? How is it 'done' ???


While I have never come even close to needing to attempt this kind of thing, 
long ago it occurred to me that if the "no read" bit was stored in a 
programmable bit, and if the location of that bit was known or could be 
identified, you could expose that particular bit through a tiny mask hole 
and cause the part to be readable again.  Locating that bit (assuming 
there's just one) would be relatively simple:  Take a test part, program it, 
read-lock it, and then expose it to a VERY slowly sliding mask with UV 
behind.  Do this for both axes, to find the bit's location on the chip.

Jim Bell
jimbell@pacifier.com