Has anyone tried glitching 8052 based ICs to dump protected ROMs and EEPROMs?
I am currently building this: GitHub - JohnDMcMaster/8051dumper (by NF6X, forked from https://gitlab.com/NF6X_Retrocomputing/8051dumper), which would allow me to boot the 8052 chip (it’s actually P83C851 but…) and run stuff on it. The small 256 byte EEPROM in it is likely protected through a security bit at address $8000, so I wondered if this was possible to glitch past that, either clock or voltage.
Using the CW Lite trigger port, I could initiate the trigger from the device itself in an ironic twist of self-attack.
Not sure how realistic this would be, hence throwing the feeler out there…
Alright, here’s an idea, and questions.
Attach the EEPROM with the dumper program but start the 851 as normal with /EA pulled high, so it executes its ROM code.
Set the CW to trigger on the external source, say after a reset, with a sweep search for a glitch that would do… something (using ext_offset/width/offset). I am not sure whether to use the clock glitch or the voltage one. Possibly clock to start with and then move on to voltage if there’s no luck.
Questions… I am not quite sure how to connect the CW Lite to this custom target. Can the CW Lite power up an 851 chip? If so, which pin? Or is there a different to crowbar the power to the target?
Can I use Python to trigger a reset on the target device? It would likely pull the reset pin low to do so.
Any other tips?
Yeah, this is very likely possible - the device is going to have to check this value at some point, so you should be able to glitch past that.
This varies a lot from target to target. You’re probably going to have to try both to see which one works better. You may want to test on a simple loop to compare the two.
What are the voltage/current requirements for your target? Honestly, it might be easier to just power your target separately. Also keep in mind that the Lite’s IO voltage is 3.3V. Not sure what you mean by the final question there.
Yup, you have control over the Lite’s IO pins via the scope.io module.
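As an added example (not code from the thread or from the 8051dumper project), here is a ChipWhisperer-Lite glitch sweep skeleton that does what the reply above describes: glitch module set up for an externally triggered clock or voltage glitch, target reset pulsed from Python through `scope.io`, and a grid sweep over width/offset/ext_offset with the outcome of each attempt bucketed so that "success", "reset" and corrupted-output results can be compared between the two glitch modes. The hardware calls use the public chipwhisperer API (`scope.glitch.*`, `scope.io.*`, `scope.arm()`, `scope.capture()`); everything else is plain Python so the bookkeeping can be dry-run against a constructed stand-in scope with no hardware attached. Assumptions: the target is powered from the bench supply with the glitch SMA crowbarred across the target's VCC/GND, the target's RST pin (active-high on the 8051 family) is wired to the Lite's TIO3, and `target.read()` is a hypothetical hook returning whatever the target printed after the attempt.

```python
"""Added example: CW-Lite glitch sweep skeleton with Python-driven reset.
Not from the thread or the 8051dumper project; hardware wiring is assumed."""
import itertools
import time
from types import SimpleNamespace


def configure_glitch(scope, mode="clock"):
    """Set the Lite up for one externally triggered glitch per arm().
    mode="clock": XOR the glitch into the clock sent to the target on HS2.
    mode="voltage": keep the clock clean and fire the crowbar MOSFET on the
    glitch SMA (assumed wired across the target's VCC/GND next to the chip)."""
    scope.glitch.clk_src = "clkgen"          # glitch timing derived from the CW clock
    scope.glitch.trigger_src = "ext_single"  # fire once after the trigger edge
    if mode == "clock":
        scope.glitch.output = "clock_xor"
        scope.io.hs2 = "glitch"              # glitched clock out to the target
        scope.io.glitch_hp = False
        scope.io.glitch_lp = False
    elif mode == "voltage":
        scope.glitch.output = "glitch_only"
        scope.io.hs2 = "clkgen"              # clean clock out to the target
        scope.io.glitch_hp = True            # high-power crowbar; glitch_lp is gentler
        scope.io.glitch_lp = False
    else:
        raise ValueError("mode must be 'clock' or 'voltage'")
    return scope.glitch.output


def pulse_reset(scope, hold_s=0.01, active_high=True, pin="tio3"):
    """Pulse the target reset from Python via scope.io.
    The 8051-family RST pin is active HIGH, so the default drives a TIO GPIO
    high then low (assumes RST is wired to that TIO pin). With
    active_high=False the Lite's dedicated active-low nrst line is used."""
    if active_high:
        setattr(scope.io, pin, "gpio_high")
        time.sleep(hold_s)
        setattr(scope.io, pin, "gpio_low")
    else:
        scope.io.nrst = "low"
        time.sleep(hold_s)
        scope.io.nrst = "high_z"             # release; board pull-up takes over


def classify(response, expected, success_marker):
    """Bucket one attempt. None means the target produced nothing (hung/reset)."""
    if response is None:
        return "reset"
    if success_marker in response:
        return "success"
    if response == expected:
        return "normal"
    return "weird"        # corrupted output: close to a useful setting, look here


def glitch_once(scope, target, expected, success_marker, settle_s=0.5):
    """One attempt on real hardware: arm, reset so the target runs from the
    start, wait for the trigger, then read what the target sent.
    target.read() is an assumed hook returning the target's text, or ''."""
    scope.arm()
    pulse_reset(scope)
    if scope.capture():                      # True means the trigger never came
        return "reset"
    time.sleep(settle_s)
    resp = target.read()
    return classify(resp if resp else None, expected, success_marker)


def sweep(scope, widths, offsets, ext_offsets, attempt, repeat=1):
    """Grid-search glitch settings. width/offset are percent of a clock period
    (Lite range is roughly -49..49); ext_offset is clock cycles after the
    trigger. attempt(scope) performs one try and returns a bucket name."""
    scope.glitch.repeat = repeat
    results = []
    for w, o, eo in itertools.product(widths, offsets, ext_offsets):
        scope.glitch.width = w
        scope.glitch.offset = o
        scope.glitch.ext_offset = eo
        results.append((w, o, eo, attempt(scope)))
    return results


def summarize(results):
    """Count attempts per outcome bucket."""
    counts = {}
    for _, _, _, outcome in results:
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


def successful_settings(results):
    """Settings to re-run and confirm they are repeatable, not one-off luck."""
    return [(w, o, eo) for w, o, eo, out in results if out == "success"]


def make_fake_scope():
    """Constructed stand-in exposing the attributes touched above (dry run)."""
    return SimpleNamespace(glitch=SimpleNamespace(), io=SimpleNamespace())


def fake_attempt(scope):
    """Constructed target model: one corner of the grid 'works', wide pulses crash."""
    g = scope.glitch
    if g.width == 10 and g.ext_offset == 5:
        return "success"
    if g.width > 30:
        return "reset"
    return "normal"


if __name__ == "__main__":
    s = make_fake_scope()
    configure_glitch(s, "clock")
    res = sweep(s, [5, 10, 40], [-10, 0], [3, 5], fake_attempt)
    print(summarize(res), successful_settings(res))
```

On real hardware, replace `fake_attempt` with `lambda sc: glitch_once(sc, target, expected_text, marker)` and run the same sweep once per mode; comparing `summarize()` for `"clock"` and `"voltage"` on the simple loop the reply suggests is the quickest way to see which glitch the target responds to before going after the security-bit check.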
There are a few other ideas that had been thrown my way, like starting execution as normal from ROM but then, through glitching, jumping to an address in EEPROM that I have full control over and executing my own stuff without ever pulling the /EA pin down. This means that with /EA high, the core may consider letting me run MOVC instructions…
The target needs 5V, so I’ll use my bench supply for that. The final question was missing words…! It was meant to be “do I simply connect the glitch SMA port across the positive and negative power points to crowbar them”?
Nice - thank you. Should be nice and easy to get it looping.
Very interesting - thank you. I don’t have that dev board but it’s giving me a lot of ideas on how to attack the thing!