PICBUSTER - Details Released On Internet


For a long time, some of the most frequently asked questions on Special Projects were about Picbuster. Was it a program? Was it a device? Did it really exist. The answer has been given in a Usenet message. It is essentially a Welsh Poet - Dai Ode. In other words, it is a diode.

The standard method of popping a PIC was to actually remove the top of the chip and re-engineer the fuse. The method described opposite is effectively the cheapest solution. Of course other methods exist.

The standard result when the fuse is reset is that the complete memory of the PIC16C84 is reset. In the normal programming mode there is a large difference between the programming voltage (approx 13.8 Volts) and the supply voltage (5 Volts). In the Picbuster as described opposite, the recommended difference is approximately 0V5. The voltage drop across the diode is 0V6 to 0V7. The 0V5 voltage differential may not be enough to reset the entire memory but is enough to alllow the fuse to be reset.

The publication of this information on the Usenet does provide other problems. Most of the pirate smart cards in use at the moment are based on the PIC16C84. The widespread knowledge of how to hack these chips means that the market can become over- saturated with pirate cards.

To date the pirate cards have been upgraded in a trickle-down manner. A few companies at the top of the chain figure out the fix for the new ECM and implement it. The details of the fix are then sold on down the chain until finally the whole market has been upgraded. In effect it is almost feudal.

It would be easy to think that this would benefit the hacked channels more than the pirates. That would of course be wrong. The net result of the publication is that the knowledge of the system is spread more widely than before. Therefore the more people who understand the system, the quicker the turn around between ECM and fix.

The widespread availability of the knowledge to pop the PIC16C84 is making some pirate card manufacturers rethink their strategy. One notable change has been the Benedex - Futuretron Battery card. This card uses the Dallas Micros chip rather than one from the PIC16* series. Another option is the reprogrammed Sky 09 card (see separate story in this issue).

The PIC16C84 is widely used. In some applications it is used to control electronic locks such as those used on some of the more up market cars. There was a court case in the UK last year where the defendant was convicted for having in his possession a device that snatched the RF data from these electronic keys and replayed it to open the locks. The use of Picbuster could be dangerous if it showed that there was a backdoor code (bad pun) that could be used by garages in the event of the car owner losing his electronic key.

It is almost certain that Arizona Microchip have implemented some sort of modification to PIC16C84 die. This modification would of course take some time to filter into the market. Most of the pirate cards at the moment are recycling the PIC16C84 chips from 07 pirate cards. There have been some rumours that the Picbuster does not work with some of the more recent 1995 batches.


This is the Usenet Message that gave the details of PicBuster.

Article: 16241 of alt.satellite.tv.europe
Newsgroups: alt.satellite.tv.europe
From: Lester@bannold.demon.co.uk (Lester Wilson)
Subject: Re: NEW PROGRAMMER
Organization: PO BOX 845 WATERBEACH CAMBRIDGE CB5 9JS
Reply-To: Lester@bannold.demon.co.uk
X-Newsreader: Newswin Alpha 0.7
Lines:  86
X-Posting-Host: bannold.demon.co.uk
Date: Wed, 26 Apr 1995 07:27:50 +0000
Message-ID: <429713219wnr@bannold.demon.co.uk>
Sender: usenet@demon.co.uk

> 
> lester may i ask a question just how secure is a pic chip when 
> the security fuses have been blown ? 
> -- 
> PAUL BULMER
> 
> 

In my opinion hte pIC16C84 is secure enough to prevent the  casual 
reading  of  protected code. I think that this  subject  has  been 
covered in other discussions in this group in the not too  distant 
past. I have many private emails from persons claiming to have had 
success  in reading data from a Code protected PIC16C84. I  myself 
am convinced that it is possible, so are many others, but each  to 
his  own.I  do not condone or encorage the  reading  of  copyright 
protested  code by unathorised persons. It is acheivable  in  many 
ways, one of which was emailed to me some time back by a satisfied 
customer:-


___addresses deleted___________________________________

Hi Lester,

______________________more deleted stuff________________________________
---------------------------------------------------------------------------
                                  PicBuster


The  Pic  chip (PIC16C84) can in fact have it's program  and  data 
memory  read  after  the  config  fuses  have  been  set  to  code 
protection on.

Try the following:

Write some code to the chip with the code protection set to "ON".

Read back to verify that the protection has indeed come on.

Now  set  Vdd ( pin 14 ) to Vpp-0.5v,  (Programming  voltage  less 
0.5V).

Set config fuse to "OFF" and reprogram config fuse.

Now set Vdd back to normal, +5v.

Power off the programmer.

Wait 10 to 20 sec.

Power back on the programmer. (VDD at + 5V)

Read the Pic.... and hey presto, data in unprotected format should 
now be available.

_________________________stuff deleted____________________________

This  is experimental only and no liability will be  accepted  for 
any loss of data.
------------------------------------------------------------------


_____________lots and lots more deleted stuff_____________________



by  revealing the above I hope that you are satisfied (  though  I 
doubt  it),  I will not be replying to further  questions  on  the 
subject. 

The   above  mail  has  been  reproduced  without   the   specific 
pewrmission  of the sender, however I believe that since the  mail 
was sent to me with no request for confidentiality I am within  my 
rights to display my person mail. 

The information imparted is I believe in the PUBLIC DOMAIN, I  did 
not invent or discover it myself.

I  have  used  methods SIMILAR to the above to  acheive  the  same 
result.

  -- 
Best Regards

Lester