How to unlock 89C2051 in order to read the code?

[johnsmith123]

Hello Guys,

I was curious to know if anyone successfully unlocked an 89C2051 (20 Pin device)
in order to read out the code.

I know it is possible, I have seen it done in the past, but I could never accomplish this myself.

I wrote a program for the AT89C2051 to dump the contents to the serial port.
The program will read 10h bytes to the serial port, OR the entire contents depending on which jump is executed.

I have been successful in glitching the micro, in order to skip the first jump to the routine that will dump 10h bytes. The code now executes the next jump to the routine that will dump the entire contents of the LOCKED micro.

I have a device with some older software that i am curious about. I realize some may not approve of this, but it IS a fact that large corporations reverse engineer others work to improve their own designs.

Since the 89C2051 is almost obsolete I see no harm in opening up a discussion on this topic.

Anyone care to share any ideas, you can message me.

 

[ajay_bhargav]

unlock 89C2051

its illegal to break the lock to get the code... i think..

actually this is done manually.. breaking the IC shield... and then make changes in the lock.. well i have seen screenshots

 

[wek]

unlock 89C2051

If there is no dump built-in already in the code - which of course would be too strange - glitching through code won't buy you too much...

You might want to fiddle around with glitching in parallel programming mode perhaps.

wek

 

[banjo]

unlock 89C2051

Hi,

You do realize that even it you are able to dump the chip, it will only be a raw assembly dump. There will be no labels, no named registers and of course, no comments in the code.

After much study of this raw dump, you may figure out some of what they did, but you will not know why they did it that way or what the limitations are. Even worse, if they wrote in a higher level language, you will confused by the weird way the compiler optimized the code which will further confuse the core concepts.

 

[johnsmith123]

Re: unlock 89C2051

If there is no dump built-in already in the code - which of course would be too strange - glitching through code won't buy you too much...
wek

I realize this. What i did was just an experiment to see if a glitch would skip over a ljmp intruction. It worked. This proves my theory that the micro can be glitched!

You might want to fiddle around with glitching in parallel programming mode perhaps.
wek

This device does not have serial programming mode, it is only parallel.

My theory is that you can glitch immediately after the erase command, causing the erase to fail. After a certain period of time raise VCC or VPP back to normal so the lock bits are erased.

I have this working on certain avr devices.

I do not wish to get into a heated debate whether or not reverse engineering is illegal, because it is not. The code I am trying to view is not copyrighted (I know this for sure), and the company has gone bankrupt leaving hundreds of customers hanging.

Furthermore, I would like to share ideas and what I have with anyone who is SERIOUS, and nobody who is just out to shoot the idea down.

Added after 3 minutes:

Hi,

You do realize that even it you are able to dump the chip, it will only be a raw assembly dump. There will be no labels, no named registers and of course, no comments in the code.

After much study of this raw dump, you may figure out some of what they did, but you will not know why they did it that way or what the limitations are. Even worse, if they wrote in a higher level language, you will confused by the weird way the compiler optimized the code which will further confuse the core concepts.

That is something that I am well aware of. It wouldn't be the first time I disassembled 8051 code either.

Curiosity (in this particular situation) prevails here.

Cheers