At 11:44 PM 6/14/96 -0400, Warren wrote:

I have never paid much attention to the protection of firmware or the technical issues revolving around such schemes...was wondering:

I recently saw an add for a UK based group that says they can take a PIC OTP micro and read the prom (for a fee, of course) - How the heck is this done?? I have my suspicion that they (somehow) magically peel off the ceramic coating (without destroying the chewy center), get a circuit mask and 'micro probe' the I/O of the IC...they then download the secret recipe to the afore mentioned 'chewy center'.

Is this close to accurate?? How is it 'done' ???

While I have never come even close to needing to attempt this kind of thing, long ago it occurred to me that if the "no read" bit was stored in a programmable bit, and if the location of that bit was known or could be identified, you could expose that particular bit through a tiny mask hole and cause the part to be readable again. Locating that bit (assuming there's just one) would be relatively simple: Take a test part, program it, read-lock it, and then expose it to a VERY slowly sliding mask with UV behind. Do this for both axes, to find the bit's location on the chip. Jim Bell jimbell@pacifier.com