Recommendations
FIXME: convert formatting
On dumping firmware
See also: eprom_dump
Contents
General notes
* If you have the official programmer, try reading the data back. You usually can for verification purposes and not everyone remembers (or cares) to set code protection. Travis Goodspeed's Good/BadFET (NOTE: not all versions support voltage glitching!).
* The Willem programmer can program and rip many types of memories. Its relatively cheap compared to other suppliers and available from many distributors. Main disadvantages are that the Windows software is closed source (a limited open source Linux version is available) and it requires a parallel port.
* If its stored on EPROM, firmware can be somewhat trivially ripped as a simple address based read
* If its stored in EEPROM, you may be able to rip it using another MCU or a bus pirate works well if availible
* If the chip supports JTAG, there may be a variety of ways to rip it. Documented or not, JTAG enabled MCU often have debugging instructions that can be used to. I haven't played with bus pirate JTAG, but I'd imagine it would work well for this
* If the chip has protection, voltage glitching is an attractive option
Some low cost / open source / common readers that can rip various formats
Commodity programmers/readers
[bus pirate]
Hack-a-day brain child. I think I fried the buffer chip on mine or something hacking some IBM batteries...oops. These are USB enabled, small, and can interface a number of serial formats. Python bindings are available, but have some issues and never got a response back from the developer after filing some bug reports with patches (although I did get some comments from other users appreciating the patches). As of 2010, these can be had for about $30. Most everything just runs on a FTDI serial console, so no real software is needed and can run on any platform you have a FTDI driver for.
Willem
General purpose memory programmer/reader built off of simple logic chips running off of the parallel port. It can do quite a few formats and has a (closed source) Windows GUI by [[1]]. It has the advantages of being a semi-open hardware design with commercial support. Programmers vary in price depending on the model and quality you get. Additionally, expect to have to purchase a number of adapter boards. There is a minimalistic open source Linux implementation of the controller software, I'm considering beefing it up with a Qt GUI since I use this quite heavily.
[[2]]
Open source hardware and software based on the TI MSP430. Its cool feature is that some revisions have the ability to do voltage glitching to try to bypass various protections. While simple to build, unfortunately, I do not believe these can be purchased online, so this does lower the commodity value a bit. However, it seems Travis hands them out at a variety of conferences (ex: they were the badge for NeighborCon/BSides '09), so you might be able to easily get one if you go to these sorts of things, bearing in mind a $500 round trip flight is probably more expensive than the $30 or less you'd pay to send out the design even for a single board.
[[3]]
Arduino based parallel flash dumper.
[[4]]
PC based programmer/ripper. Uses existing interfaces such as the BIOS socket, NIC ROM, etc.
Serial formats
I2C EPROM (24C, etc)
* Bus pirate * Willem
SPI
* Bus pirate
JTAG
* Bus pirate * GoodFET/BadFET * Lots...Open WinCE / urjtag has a JTAG library or whoever is maintaining it these days
Parallel formats
Parallel flash
* Willem * ParallelFLASHDumper
EPROM (27C, etc)
* Willem
Serial flash (28C, etc)
* Willem
Techniques for dumping bit-rotten and/or damaged EPROMs:
Bit-rotten roms are EPROMs/EEPROMs/flash where the floating gate charges have decayed from age/light exposure below the threshold to reliably read as the 'high' state. On most EPROM based devices, a high floating gate charge indicates a 0 bit, so this means the values will read as 0xFF instead of the proper value.
There are several techniques to try to recover bit-rotten data like this:
* Change temperature. Ex: People have reported success using a hair dryer or heat-gun on parts. This seems to work better than freezing parts does, maybe by 'boosting' via thermal noise the floating gate charge readout value? * Lower reference voltage: Lowering the VCC/Reference voltage from 5v to below 4.97v or so lowers the 'threshold' for reading back floating gate charges, which can recover some bits which are just below the threshold. Too low of a voltage may make the chip malfunction, too high will not have any effect. To prevent potential damage to the chip by having address/control lines driven higher than VCC, the reference input 'high' (ViH) voltage for all pins should be lowered simultaneously, but this might not always be necessary. * Multiple reads and binary ANDing or 'voting' of the bits: dumping a chip several dozen/hundred times and having each dump 'vote' for whether a given bit is 1 or 0, the most popular votes winning. Binary AND is simpler, but this causes problems if a bit should read as 1 and erratically reads as 0.
Combining 2 or more of these techniques is significantly more effective than using them separately, so people have had much better luck both heating and simultaneously under-volting chips than doing either one separately.
Damaged Chips:
There are more or less two classes of damage to an IC which will prevent it from reading: Damage to the leadframe and bond wires, and damage to the die itself.
Heat might help for leadframe/bond wire damage (if it cannot be directly/permanently repaired with conductive epoxy or solder, etc) as it may make the metal expand enough to make contact with the other side it was broken off of.
