Treatment on the hardware side of accessing eeproms
by Dr Fuhrball
Fravia+ has asked for a treatment on the hardware side of accessing eeproms. Here it is. I believe that although this belongs in the dongle section it also belongs in a new section on cracking hardware. The HCU need to expand their horizons to include cracking chips that include (among others ) pic16xx, dallas 5000, atmel 89c52. (yes they are all crackable without an ic foundry) First a small parallel port primer (quoting from the IBM technical reference 1984) The parallel printer port consists of an 8 bit output port (later turned into bi-directional) and a number of handshake lines. 4 output handshake lines (strobe, auto feed, init, and select) are all open collector with 4.7k pull up resistors to +5 volts. There are also 4 input handshake lines (slct, busy, pe, and ack) The last of which ack is pulled up with two 4.7k resistors in parallel (2.35k). There exists no power line as such. So dongle designers have to be creative. Small amounts of power can be pulled off of the lines with the pull up resistors. The result is that chips used in dongles must be extremely low power. Therefore cmos chips are highly desired (cd4000 series, 74c series). In addition many keys that use storage, have to use the ultra low power eeproms that are available. It is also true that pass thru dongles must not adversely affect the printer which is also attached. This leads to further creativity. Various timing diagrams for these devices can be found at microchips web site. (http://www.microchip.com) here is a copy of the schematic for the software sentinel c plus (an older version part of which is inside the sentinel pro) The software sentinel pro is the only key i know of that REALLY uses a custom designed integrated circuit for the job. All other keys i have seen use standard chips. (Marx dongles included, reguardless of what they say) I apologize in advance for the poor quality of these schematics. I no longer (temporarily) have the ability to translate hpgl directly into gif files. And my scanner and i are not getting along.
download the original Dr Fuhrball's gif1.gif (drfugif1.gif = 70418 bytes) shiftclicking here, since, unfortunately, this gif seems to cause problems inside some version of Netscape, you may alternatively see on-line this RESIZED version of it
Here is a copy of the schematic for the microphar and protec keys. A much more simplified version, but quite real none the less.
download the original Dr Fuhrball's gif2.gif (drfugif2.gif = 35315 bytes) shiftclicking here, since, unfortunately, this gif seems to cause problems inside some version of Netscape, you may alternatively see on-line this RESIZED version of it
And here is a copy of some keys I built for various purposes.
download the original Dr Fuhrball's gif3.gif (drfugif3.gif = 43675 bytes) shiftclicking here, since, unfortunately, this gif seems to cause problems inside some version of Netscape, you may alternatively see on-line this RESIZED version of it
Notice that all these devices have some things in common. they all steal power from the strobe line, and they all put data back on one of the input lines. here is an example of some really trashy dos basic stuff to talk to these devices. 5 REM Software Sentinel C plus rev B 6 REM change 18 to rbit=abit for rev A 7 REM change 540 to abit for rev A 8 REM change 560 to <> for rev A 10 port = &H378 11 sport = &H379 12 cport = &H37A 13 ibit = &H4 14 sbit = &H1 15 bbit = &H80 16 abit = &H40 17 sbith = &HFE 18 rbit = bbit 19 DIM resp(64) 20 GOTO 2000 50 FOR k = 0 TO 63 100 a = INP(cport) 110 OUT cport, (a OR ibit) AND sbith 120 GOSUB 6000 130 FOR j = 1 TO 8 140 GOSUB 7000 160 NEXT 170 GOSUB 6000 180 GOSUB 8000 200 GOSUB 7000 300 index = &H20 310 IF (k AND index) = 0 THEN 400 320 GOSUB 8000 350 GOTO 420 400 GOSUB 7000 420 index = index \ 2 430 IF index <> 0 THEN 310 450 response = 0 500 FOR index = 0 TO 15 510 GOSUB 7000 530 response = response * 2 540 status = (INP(sport) AND rbit) 560 IF status = 0 THEN 600 570 response = response + 1 600 NEXT 604 resp(k) = response 610 NEXT 620 FOR k = 0 TO 63 625 PRINT CHR$(resp(k) - ((resp(k) \ 256) * 256)); 630 PRINT CHR$(resp(k) \ 256); 660 NEXT 670 PRINT 700 RETURN 1000 a = INP(cport) 1010 OUT cport, (a OR ibit) AND sbith 1020 GOSUB 6000 1030 GOSUB 7000 1050 GOSUB 7000 1070 GOSUB 8000 1090 GOSUB 8000 1110 FOR j = 1 TO 15 1120 GOSUB 7000 1140 NEXT 1200 FOR k = 0 TO 63 1210 GOSUB 6000 1220 GOSUB 7000 1240 GOSUB 8000 1260 index = &H20 1270 IF (k AND index) = 0 THEN 1310 1280 GOSUB 8000 1300 GOTO 1330 1310 GOSUB 7000 1330 index = index \ 2 1340 IF index <> 0 THEN 1270 1350 index = 32768 1360 IF (resp(k) AND index) = 0 THEN 1400 1370 GOSUB 8000 1390 GOTO 1430 1400 GOSUB 7000 1430 index = index \ 2 1440 IF index <> 0 THEN 1360 1450 OUT port, &HFF 1460 SLEEP 1 1470 NEXT 1500 RETURN 2000 PRINT "Bust a dongel options" 2010 PRINT "read = 0" 2020 PRINT "write = 1" 2025 PRINT "stop = 2" 2030 INPUT a 2040 IF a = 0 THEN 2100 2050 IF a = 1 THEN 2200 2060 IF a = 2 THEN 2300 2070 GOTO 2000 2100 GOSUB 50 2110 GOTO 2000 2200 GOSUB 1000 2210 GOTO 2000 2300 STOP 6000 OUT port, &HFF 'clock high data high select off 6010 OUT port, &HFC 'clock low data low select off 6020 OUT port, &H5C 'select on 6030 OUT port, &H5D 'clock high data low 6040 OUT port, &H5E 'clock low data high 6050 OUT port, &H5F 'clock high data high 6060 RETURN 7000 OUT port, &H5C 'clock low data low 7010 OUT port, &H5D 'clock high data low 7020 RETURN 8000 OUT port, &H5E 'clock low data high 8010 OUT port, &H5F 'clock high data high 8020 RETURN