Hi,
I got distracted a bit
after I saw a YouTube video from bigclive.com where he found another small gadget which most likely contains a PADAUK IC (he mentioned it in his video).
Video:
Item:
https://www.ebay.com/itm/182936210709
I went and bought some. After they arrived I removed the IC with hot air and placed it in the Easy PDK programmer:
Surprise surprise...
./easypdkprog probe
TYPE:OTP RSP:0x285A0 VPP=4.50 VDD=2.00
IC is supported: PMS150C ICID:0xA16
OK, it is a PMS150C!!!
Next step:
./easypdkprog -n PMS150C read test.bin -b
Reading IC... done.
Great! But wait... the dump looks a bit strange:
./hexdump test.bin
0000000 29 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000010 ff 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000020 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000030 25 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000040 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000050 24 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000060 b1 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000070 40 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000080 c2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000090 90 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000a0 02 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00
...
00007a0 ff 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00007b0 ff 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00007c0 ff 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00007d0 ff 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00007e0 ff 1f ff 1f ff 1f ff 1f ff 1f ff 1f ca 01 ff 1f
00007f0 24 07 cc 1f ff 1f ff 1f ff 0f ff 1f 5a 01 fc 02
It looks like some sort of security prevents us from reading the complete content.
However, the read seems to work well, since we see the complete reserved area at the end.
==> Let's have a look at the "last word" (FUSE), it is 0x02FC
Let's have a look at the IC datasheet / IDE include files / ...
in PMS150C.INC we can find:
.Assembly OPTION 0 Security Enable Disable
.Assembly OPTION 2 LVR 4.0V 3.5V 3.0V 2.75V 2.5V 1.8V 2.2V 2.0V
.Assembly OPTION 7 Drive Low Normal
.Assembly OPTION 10 Bootup_Time Slow X X Fast
.Assembly OPTION_LOW 1, 8, 12 ~ 15
.Assembly OPTION_DEFAULT 0x02FC
==> 0x2FC is the default with security enabled
However the Option_Help for Security reads like this
Enable : "Security 7/8 words Enable"
Disable : "Security Disable"
Hmmm... "Security 7/8 words Enable", looks exactly like our dump.
==> 7 out of 8 words are security enabled (will read all 0 when reading the IC)
So what now? Is this the end?
Of course not!
- as we can see, the first instruction is 0x1829 which translates to "GOTO 0x29".
(the IDE always creates a JUMP to the FPPA0 function as the first instruction for PMC150)
- after this jump some space is unused (multi core PADAUK devices insert the startup jump for the other cores there)
- at 0x20 the interrupt service routine starts (fixed location for PMC150)
- at the end of the IC code memory we can see a lot of 0x1FFF, so most likely this space is unused as well
==> What if:
- we overwrite the first instruction with all 0 (NOP)
- place a jump to the near end of code memory at instruction 1
- write a special small program near the end of code memory which uses LDSPTL/LDSPTH to read code memory and send it out via GPIO
After some fiddling and dry runs with a fresh IC I got the following:
./easypdkprog -n PMS150C write dump_150c_ovl.hex --noblankchk --noverify
Writing IC... done.
Then I started the IC and got data from it:
./hexdump cardoorlight_dumped.bin
0000000 00 00 d0 1b ff 1f ff 1f ff 1f ff 1f ff 1f ff 1f
0000010 ff 1f ff 1f ff 1f ff 1f ff 1f ff 1f ff 1f ff 1f
0000020 32 00 45 0d 1b 18 45 0e 20 09 62 02 23 09 82 02
0000030 25 09 e2 02 22 09 f5 17 d0 05 58 17 d1 05 d0 00
0000040 33 00 3b 00 64 17 e6 05 e6 07 00 0c 3a 00 66 09
0000050 24 18 30 00 3a 17 82 00 f6 1f 99 00 fe 1f ff 12
0000060 b1 18 d1 0f 40 17 8b 00 1c 17 83 00 06 17 c6 05
0000070 40 17 c1 05 8b 00 c0 09 c7 05 81 0a 01 08 06 09
0000080 c2 07 c4 05 c3 07 c5 05 01 17 c2 05 83 09 03 17
0000090 90 0d 48 18 d0 0f 90 0d 59 18 02 09 90 0d 59 18
00000a0 02 04 90 0d 57 18 03 08 90 0c 4b 18 58 18 42 09
...
What do we learn from this?
=> do not leave empty space in IC when you want to prevent a readout.
=> the IDE provides a simple method for this (mentioned in the user manual):
.Fill_Space RESET;
or
.Fill_Space NOP;
=> I will add an option for the Easy PDK programmer to set unused space to 0 (NOP)
=> and WTF is 7/8 security???
Best part: This product is a cheap source for 2x PCB + battery holder + housing + battery + magnet (PCB magnet sensor + 3x LED for own projects)
Have fun,
JS
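The checks the post walks through by hand (spotting the "7/8 words" pattern, decoding the reset-vector GOTO, measuring the erased tail, making sure the NOP/GOTO overlay only clears OTP bits, and emitting the overlay as Intel HEX) can be scripted. The following is an added example, not code from the post and not part of easypdkprog. It assumes: 13-bit words stored little-endian in 16-bit slots as in the dump, an unprogrammed OTP word reading 0x1FFF, a 16-word reserved/fuse area at the end (the fully readable 0x7E0..0x7FF tail in the dump), GOTO encoded as 0x1800|k (the post's own decoding of 0x1829), and CALL encoded as 0x1C00|k (the PDK13 instruction set, not stated on the page). The sample dump is constructed from the visible words of the post's hexdump with the elided middle filled in; the LDSPTL/LDSPTH dumper program itself is not included.

```python
"""Checks behind the post's readout of a PMS150C dumped with '7/8 words' security (added example)."""
import struct

WORD_MASK = 0x1FFF       # PDK13 instructions are 13 bits, one per 16-bit word in the dump
ERASED = 0x1FFF          # unprogrammed OTP word reads as all ones (the 0x1FFF runs in the dump)
NOP = 0x0000             # all-zero word executes as NOP
RESERVED_WORDS = 16      # assumption: the fully readable tail 0x7E0..0x7FF (16 words) is the reserved/fuse area


def load_words(data):
    """Decode an easypdkprog dump: little-endian 16-bit slots, 13 significant bits."""
    if len(data) % 2:
        raise ValueError("dump length must be even")
    return [w & WORD_MASK for (w,) in struct.iter_unpack("<H", data)]


def decode_branch(word):
    """GOTO k = 0x1800|k (the post decodes 0x1829 as GOTO 0x29); CALL k = 0x1C00|k is
    the PDK13 encoding and is assumed here, not taken from the post. k is 10 bits."""
    if word == ERASED:
        return None
    if word & 0x1C00 == 0x1800:
        return ("GOTO", word & 0x3FF)
    if word & 0x1C00 == 0x1C00:
        return ("CALL", word & 0x3FF)
    return None


def is_seven_eighths(words):
    """'Security 7/8 words': every code word whose index is not a multiple of 8
    reads as 0, while multiple-of-8 words (and the reserved area) read normally."""
    code = words[:len(words) - RESERVED_WORDS]
    hidden = [w for i, w in enumerate(code) if i % 8]
    shown = [w for i, w in enumerate(code) if i % 8 == 0]
    return all(w == 0 for w in hidden) and any(w not in (0, ERASED) for w in shown)


def trailing_free(words, secured):
    """(start_addr, n_words) of the erased run just before the reserved area.
    Under 7/8 security only every 8th word is visible, so a whole group of 8 is
    counted as free when its visible word is erased (an estimate, as in the post)."""
    end = len(words) - RESERVED_WORDS
    step = 8 if secured else 1
    start = end
    while start - step >= 0 and words[start - step] == ERASED:
        start -= step
    return start, end - start


def build_entry_patch(words, dumper_addr, dumper_len, assume_erased=()):
    """Overlay words: NOP at 0 and GOTO dumper_addr at 1. OTP programming can only
    clear bits, so each patched word must be a bit-subset of the existing word.
    assume_erased lists hidden words the caller vouches are unused (the post's
    argument for word 1: space after the startup jump is unused on a PMS150C)."""
    secured = is_seven_eighths(words)
    start, n = trailing_free(words, secured)
    if not (start <= dumper_addr and dumper_addr + dumper_len <= start + n):
        raise ValueError("dumper does not fit in the free tail")
    patch = {0: NOP, 1: 0x1800 | dumper_addr}
    for addr, new in patch.items():
        if addr in assume_erased:
            old = ERASED
        elif secured and addr % 8:
            raise ValueError(f"word {addr:#x} is hidden by 7/8 security; its content is unknown")
        else:
            old = words[addr]
        if old & new != new:
            raise ValueError(f"word {addr:#x}: cannot set bits {new & ~old:#06x} in OTP")
    return patch


def to_ihex(patch):
    """Intel HEX for the overlay: byte address = 2 * word address, little-endian words."""
    runs, cur = [], []
    for a in sorted(patch):
        if cur and a != cur[-1] + 1:
            runs.append(cur)
            cur = []
        cur.append(a)
    if cur:
        runs.append(cur)
    lines = []
    for run in runs:
        data = b"".join(struct.pack("<H", patch[a]) for a in run)
        rec = bytes([len(data), (2 * run[0]) >> 8, (2 * run[0]) & 0xFF, 0x00]) + data
        lines.append(":" + rec.hex().upper() + f"{(-sum(rec)) & 0xFF:02X}")
    lines.append(":00000001FF")
    return "\n".join(lines)


def constructed_dump():
    """Constructed 1024-word dump modelled on the post's hexdump: the first 11
    visible words, the erased words at 0x7A0..0x7D0 and the reserved tail are the
    page's values; the elided middle is filled with arbitrary visible-slot data."""
    words = [0] * 1024
    head = [0x1829, 0x1FFF, 0x0032, 0x0925, 0x0033, 0x1824, 0x18B1, 0x1740, 0x07C2, 0x0D90, 0x0402]
    for i, w in enumerate(head):
        words[i * 8] = w
    for a in range(len(head) * 8, 0x3D0, 8):
        words[a] = 0x0C00 | (a & 0xFF)           # constructed filler, never 0 or ERASED
    for a in range(0x3D0, 1024 - RESERVED_WORDS, 8):
        words[a] = ERASED
    words[1024 - RESERVED_WORDS:] = [ERASED] * 6 + [0x01CA, ERASED, 0x0724, 0x1FCC, ERASED,
                                                   ERASED, 0x0FFF, ERASED, 0x015A, 0x02FC]
    return b"".join(struct.pack("<H", w) for w in words)


if __name__ == "__main__":
    W = load_words(constructed_dump())
    print("7/8 security pattern:", is_seven_eighths(W))
    print("reset vector:", decode_branch(W[0]))
    print("free tail: start=%#x words=%d" % trailing_free(W, True))
    print(to_ihex(build_entry_patch(W, 0x3D0, 32, assume_erased={1})))
```

On the constructed dump the free tail starts at 0x3D0 with 32 words, and the two-word patch comes out as NOP at word 0 and GOTO 0x3D0 (0x1BD0) at word 1, which is what the post's second dump shows at offset 0. Without `assume_erased={1}` the builder refuses, because word 1 is hidden by the 7/8 readout and its content can only be argued, not read; the check that a patch word is a bit-subset of the existing word is the one that matters whenever the target is not known to be erased.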