PIC16C84 Security

It has been widely claimed that the code security of the Microchip PIC16C84 can be easily defeated. I do not have any personal experience with this, but it is of sufficient concern that I want to pass along a message which David Tait sent to the PIC mailing list. As you can read for yourself, David hasn't tried it either, but he forwarded details from a source who prefers to remain anonymous.
Date:         Wed, 26 Apr 1995 18:17:57 +0100
Reply-To: pic microcontroller discussion list 
Sender: pic microcontroller discussion list 
From: David Tait 
Subject:      Re: Code protect
To: Multiple recipients of list PICLIST 
In-Reply-To:   from "Bryan Crotaz" at Apr 25, 95 12:38:58 pm

I think a null message escaped - sorry about that.

Anyway, I'm glad the code protect topic has come up again because it will
let me get this off my chest - sorry it's so long.

The security of the PIC code protection mechanism has been discussed
many times before.  It has even been discussed on the Microchip BBS:
in Message 61000 of the "Relablty" SIG David Wilkie of Microchip
ends one such thread with the soothing: "I assure you that the code is
safe once the protection bit is activated."

The vulnerability of the 16C84 is of particular concern. The 16C84 is
often used in smart cards issued by the satellite TV industry.  These
cards are intended to permit access to encrypted TV channels, and
clearly there is a lot of interest in being able to clone the cards
thereby avoiding payment to the TV providers.  This means the
protection topic is endlessly discussed in newsgroups like
alt.satellite.tv.europe.  Every so often this newsgroup carries
adverts for hardware which is claimed to be capable of reading
protected PICs.  I have always been skeptical of these claims.  I have
changed my mind.

The fact that I provide information on a homebrew 16C84 programmer
means that I often get asked whether I know how to read protected
PICs.  Recently an interesting situation arose.  I received yet
another request for this information at exactly the same time that
someone happened to send me details of a technique claimed to
unprotect PICs.  I simply passed these on from one correspondent to
the other.  Much to my surprise the requester later wrote back to say
the technique worked (but he destroyed 3 PICs in the attempt).  The
originator of the method is happy for the information to be placed in
the public domain although he wants to remain anonymous for some
reason.  So for the benefit of PICLIST readers (and I know that
includes Microchip employees) here are his instructions more or less
verbatim (although the description is tied to his programmer the other
guy used a variant of mine):


> 1. I use the PIC16 programmer from Farnell Components (part no. 459-471).
>
> 2. The standard programming software supplied is ASLPIC from Application
>    Solutions Ltd.
>
> 3. Install the 16C84 into a turned pin socket with pin 14 (VDD)
>    cut off.  Attach a flying lead to the stub of pin 14 and
>    connect this to a power supply (0V to +14V) sharing a common
>    ground with the programmer.
>
> 4. Run ASLPIC.
>    Insert the PIC+socket into the ZIF on the programmer board and switch
>    VDD to 5V.
>    From the menu set the CP configuration fuse to OFF.
>    Now set VDD to VPP-0.5V (approx 13.5 volts).
>    Program the configuration fuses.  (Reply on screen saying
>    error invalid??  Ignore this error and set VDD back to 5V.)
>    Switch VDD supply off at the power supply.
>    Switch off programmer supply.
>    Wait 10 to 20 secs.
>    Switch on programmer supply.
>    Switch the VDD supply to 5V.
>    Read PIC.
>
>    What may be confusing to people is the error message displayed
>    when programming the configuration fuses, and next not waiting for
>    the charge on the cells to fall back to 5 volts after setting the
>    fuses. This is why I say switch off for 10 to 20 secs, but don't
>    forget to reset the VDD supply to 5 volts first.


I must admit it looks like a surefire way to destroy PICs to me so I
haven't tried it myself even though the originator claims that he has
never fried a 16C84 this way.  I realise the fact that I have never
tried it myself means that all this is just hearsay, but although
there are some points left to the imagination, the description is
explicit enough to be tested by those worried by such things.

I have no idea whether the method is related to Bela Gebles'
<100324.526@compuserve.com> technique, but if you think this info is
worth GBP1000, then like him, I'll be happy to give you my bank
account details :-)  On the other hand if you think it's all hogwash,
then I'm sorry to have wasted your time.

David

Last updated June 21, 1995

eric@brouhaha.com