[Bunnie's] archives: Unlocking protected microcontrollers

A few years back [Bunnie] took a crack at the security fuses on a PIC microcontroller. Like most of the common 8-bit microcontrollers kicking around these days, the PIC18F1320 he was working with has a set of security fuses that prevent read-back of the flash program memory and EEPROM inside. The only sanctioned way to clear those fuses is a bulk erase of the entire chip, which also wipes the very data you were after in the first place. That is, if you limit yourself to orthodox methods.

[Bunnie] had a set of the chips professionally uncapped, removing the plastic package without damaging the silicon die inside. He went over the die with an electron microscope and managed to hammer out a rudimentary map of the layout. It turns out that flash memory can be erased with ultraviolet light, just like the old windowed EPROM chips, and the security fuses are stored in the same kind of cells as the rest of the flash. Microchip thought of that and placed a shield over the security fuses to prevent them from being reset this way. [Bunnie] managed it anyway: he built an electrical tape mask to protect the rest of the die, so the data in the main flash would survive, then bounced UV light in underneath the shielding at an angle, clearing the fuses while leaving the program memory intact.

Want to uncap some chips of your own without enlisting the help of others? Give this method a try.

[via Dangerous Prototypes]