>>To make it extra tricky to try to get the >>...

Inliner
Contributor I
>>To make it extra tricky to try to get the code, read/write out of RAM can be taken away by writing 0x7b into 0xffd1.

Please describe more: what will happen? As far as I know, brute-forcing is not the only thing useful for finding or bypassing the security key.

Ake
Contributor II
Hi,
If you want to write $7b into $ffd1, enter
 
lda #$7b
sta $ffd1
 
If you want  to get the data from the RAM cell $7b, write
lda $7b
sta $ffd1
 
But if you run it on a HC908JB16, nothing will happen because the cell $ffd1 is a Flash EPROM cell and cannot be written during normal operation.
Instead you should write in your assembly code
 org $ffd1
    dc.b    $7b
 
If you are writing a Flash EPROM programming routine, you should write
lda $7b
sta $ffd1
as a part of a much more complex algorithm.
 
Did that help?
 
Regards,
Ake

Inliner
Contributor I
Is it possible to run these commands when in secured mode? I mean when I'm running my proc, after entering the monitor with invalid security codes.

Ake
Contributor II
Hi,
If you enter the Monitor mode with an invalid security, the only thing that is possible is to erase the entire Flash EPROM.
 
And as I said in my previous message, you cannot change the Flash EPROM cells by just running some simple op codes.
 
If you want to change a single byte in a Flash EPROM where you do not know the security bytes, it is not possible.  The only thing you can do is to erase everything and start from the beginning.
 
Regards,
Ake

Inliner
Contributor I
I understand, but I tried to execute commands in monitor mode: I programmed my flash with firmware with a known 8-byte code. I entered monitor mode with an INVALID code. After executing this set of codes:
--------------
lda #$FF
sta $FFF6
sta $FFF7 ...
sta $FFFD
-----------
I reset the processor and tried to enter the MCU:
with the correct code: without success.
with code FF..FF...FF: without success too.
How can this be?

peg
Senior Contributor IV
Hi inliner,
 
It is very unclear to me what it is you are actually trying to achieve or understand here with all these questions.
 
The code snippet you supplied does not work because the address being STA'ed to is implemented in flash. It is no good just writing to here; you must "programme" these locations.
Also the flash in these devices reads as FF when blank, so there is actually no need to programme FF ever. This is why a security code of all F's is used to gain access to a blank part.
 

Inliner
Contributor I
Hi! I am just looking for a way to read the full (or part of the) firmware, protected with security. I tried to do this within monitor mode. The second way is to use USB monitor mode. It seems it's not checking security when entering USB monitor mode.

peg
Senior Contributor IV
Hi inliner,
 
Monitor entry via USB is only guaranteed when the device is blank (or reset vector). Even then it can still be prevented if extended security is enabled.
If the code in the device has been written in such a way as to provide for monitor entry from within the user programme, then yes, you may be able to get in. But what method have they implemented?
 

Inliner
Contributor I
Hi! The device can be updated with new firmware over the USB interface through the special connector in my device. It seems it loads the bootloader and then flashes the rest of the code. But I don't know whether it uses USB monitor mode or custom code to update flash.

Inliner
Contributor I
Also, when I connect my device via the USB interface with a 1.5 resistor and the D+/D- pins, the OS detects a new device, but fails to install it.
I used the USBICP.INF/SYS driver.

Any ideas how to talk to the device directly, bypassing the OS's checking?

Inliner
Contributor I
Additional:

The device has the following characteristics:
idVendor: 0000
idProduct 0000

I use a schematic with:
- 1.5 resistor on D-
- no 10 nF capacitor on RESET.

Inliner
Contributor I
I used a 6 MHz generator instead of 12; maybe this is the problem? I also tried to set PTA3 to 0 to make Bus clock = fXCLK. Is that correct? Or must 12 MHz be used instead? Thanks!

NLFSJ
Contributor III
Please provide the p/n in the HC08 family that you are working with.
 
Regards,
Nina

Inliner
Contributor I
I'm using the MC68HC908JB series, particularly the 908JB16. Thanks!