=============================================================================
* Area : RELCOM.COMP.CROSSTOOLS
* From : Alexej Vladimirov, 2:5100/22.1 (10 Mar 95 23:00)
* To   : Denis@siminst.msk.ru
* Subj :     51-ᥬ⢮
=============================================================================

 D> H 室 ଠ  ""  ⠫
 D> PIC.  諠 ,     ந⢥
 D> ᫮ ᨫ ⮪ ⠫ + $50000   
 D> ࠡ.(ଠ   "६ ⠫
 D> ப஫"  ஢ avlad@memec.apex.arcus.lv)

 ⢥p, p  ᫥    p, p㥬
㬬 -⠪ ᪮쪮  - p浪 $5000   p⭮ p訢
PIC16C5x  p⠫  ᫥ p 3...5 .

 D>   ᯮ  ଠ樥 ⭮⥫쭮 51-
 D> ᥬ⢠? H᪮쪮    孨  ?

 51- p⠫  㦥      ᥪp⮬.  䠩
  堪p᪮ p p, 饣   , 
⠪  㡫襣  - p⮢᪮ p樨:

Hacking 8052 chips :                                           August 1, 94
***********************************************************

With the HACK.ASM program, it is possible to read most 8051/52 chips.
Removing the protection relies on the fact that an 8052 with both security
bits set can still be read with the instruction MOV a,@DPTR, provided that
instruction is executed from the internal Eprom. If the 8052 is run in a
particular mode, the instruction can be called from an external Eprom.

You must operate in this way :
1) Put ON processor of the internal Eprom
2) When the 8052 is executing the internal Eprom, switch to external Eprom. The
   8052 will see only 0FFh, means MOV R7,A
3) Control of the processor will be under external Eprom, you will be able after
to return executing program of internal Eprom.

It seems difficult, but if you try it you will understand easily yourself.

Useful hardware:
1) 8051/52 chip
2) A latch and the program stored on an eprom
3) A switch on pin 31 to be able to switch between internal and external Eprom.
4) A MAX232 or something compatible to interface with a Rs232c
5) A quartz 11.0592 Mhz
6) A terminal program for your computer

Have fun !

Toysoft Switzerland
Contact me on "Special Projects BBS, John Mc Cormac, Ireland"


;**********************************************************************
;THIS SOURCECODE HACKS 8052 MICROCONTROLLERS WITH THEIR TWO SECURITY
;BITS SET. YOU CAN USE THIS SOFTWARE ON ANY 8051 EVALUATION BOARD AND THE
;HACK IS DONE BY SWITCHING FROM INTERNAL TO EXTERNAL PROGRAM MEMORY. WHAT
;YOU NEED IS A TERMINAL PROGRAM WITH CAPTURE ON, SERIAL DATA IS
;COMING OUT FROM THE TXD PIN ON THE MICROCONTROLLER, GOOD LUCK!!!
;NOTE: PLEASE USE A 11.0592 MHZ X-TAL
;**********************************************************************

;-----------------------------------------------------------------------
; BEGIN - start-up code that precedes the CSEG AT 2000H segment.
; Sets up the serial port, prints the text at TEKST1 and then idles.
; No ORG precedes it in this listing, so its load address is whatever
; the assembler uses by default.
; Calls: RS_INIT, RS_DPTR
;-----------------------------------------------------------------------
BEGIN:          CALL    RS_INIT                 ; serial port ready for output
                MOV     DPTR,#TEKST1            ; DPTR -> operator instructions
                CALL    RS_DPTR                 ; print up to the '~' terminator
BEGIN_HALT:     SJMP    BEGIN_HALT              ; nothing more to do: spin here

;-----------------------------------------------------------------------
; Main dump routine, assembled at absolute code address 2000H (it has no
; label of its own).
;
; Flow: set up the serial port, print TEKST2 and LOGO, wait, make one
; GETTER call whose result is not used, print TEKST3, wait again, then
; loop forever printing one line per address in the form
;     HHLL:VV <line break>
; where HHLL is DPTR and VV is the value GETTER returned in A.
; The address runs from 0000H to 1FFFH and then wraps back to 0000H.
;
; Register use: DPTR = current address, B = value saved across the
; RS_HEX calls that print the address.
;
; NOTE(review): per the text that accompanies this listing, the whole
; procedure relies on pin 31 being switched while the part is running.
; A part that samples that pin only at reset would presumably not
; behave this way - TODO confirm against the datasheet of the part
; being assessed.
;-----------------------------------------------------------------------
CSEG AT 2000H

  CALL RS_INIT
  MOV DPTR,#TEKST2
  CALL RS_DPTR          ; operator prompt
  MOV DPTR,#LOGO
  CALL RS_DPTR          ; LOGO is a line of blanks in this listing
  MOV A,#32
  CALL DELAY            ; pause; A is the outer count of DELAY
  MOV DPTR,#0000H
  CALL GETTER           ; first call: the value left in A is discarded below
  MOV DPTR,#TEKST3
  CALL RS_DPTR          ; RS_DPTR overwrites A
  MOV A,#32
  CALL DELAY
  MOV DPTR,#0000H       ; dump starts at address 0000H
LOOP:  CALL GETTER
  MOV B,A               ; keep the returned value while the address is printed
  MOV A,DPH
  CALL RS_HEX           ; address, high byte
  MOV A,DPL
  CALL RS_HEX           ; address, low byte
  MOV A,#':'
  CALL RS_ASC
  MOV A,B
  CALL RS_HEX           ; the value itself
  CALL RS_CR
  INC DPTR
  MOV A,DPH
  CJNE A,#20H,LOOP      ; keep going until DPTR reaches 2000H
  MOV DPH,#0            ; DPL is already 00H here, so DPTR = 0000H again
  SJMP LOOP             ; endless: the dump repeats until the board is reset

;-----------------------------------------------------------------------
; GETTER - wrapper around a call to a fixed absolute address.
; In:    DPTR = address the caller is about to print
; Out:   A    = whatever the called code leaves in A (the caller prints
;               it as the value for DPTR); DPTR restored
; Clobb: R0, R2, internal RAM address 00H, plus anything the called
;        code changes
; Stack: 2 bytes for DPTR plus the return address of the call below
;
; NOTE(review): the call target lies below 2000H and is not defined
; anywhere in this listing, so what runs there cannot be determined
; from this file. The values loaded into R2, R0 and RAM 00H are
; presumably state that code expects - confirm.
;-----------------------------------------------------------------------
GETTER:  PUSH DPH
  PUSH DPL
  MOV R2,#1
  MOV R0,#0
  CLR A
  MOV @R0,A             ; writes 00H to internal RAM address 00H

  ;**************************************************
  ;TRAP ADDRESS, PLEASE TRY ONE OF THESE
  ;**************************************************
  CALL 016B1H; 012DAH ;17ACH

  POP DPL               ; restore the caller's DPTR (reverse push order)
  POP DPH
  RET


;**************************************************************************
;**************************************************************************
; BEGIN MODULE RS-232
;**************************************************************************
;**************************************************************************

;-----------------------------------------------------------------------
; RS_INIT - configure the on-chip serial port, clocked from timer 1.
; In:    none
; Out:   none
; Clobb: A (left at 1), TMOD, TH1, TCON, SCON, SFR 87H, P3.1, TI
; Calls: DELAY
; NOTE(review): with the 11.0592 MHz crystal the header asks for,
; TH1=0FDH and the doubler off should give 9600 baud - confirm.
;-----------------------------------------------------------------------
RS_INIT: MOV TMOD,#20H  ;TIMER 1 IN MODE 2 (8-BIT AUTO-RELOAD)
  MOV TH1,#0FDH ;SETS THE BAUD RATE
  MOV TCON,#040H ;TR1=1: START TIMER 1; ALL OTHER TCON BITS ARE WRITTEN AS 0
  MOV SCON,#058H ;SERIAL MODE 1, RECEIVER ENABLED, TB8 SET, TI AND RI CLEARED
  MOV 87H,#000H ;DOUBLE BAUD RATE=80, OTHERWISE 00
  SETB P3.1     ;DRIVE P3.1 (THE TXD PIN) HIGH
  MOV A,#1
  CALL DELAY  ;SHORT PAUSE SO THE RS-232 LINE CAN RECOVER
  CLR TI        ;NO TRANSMISSION PENDING; RS_ASC POLLS THIS FLAG
  RET

;-----------------------------------------------------------------------
; RS_CR - send a line break to the serial port.
; The two bytes go out as line feed (0AH) first, then carriage
; return (0DH).
; In:    none
; Out:   none; A is preserved
; Calls: RS_ASC
;-----------------------------------------------------------------------
RS_CR:          PUSH    ACC                     ; caller's A must survive
                MOV     A,#10                   ; line feed
                CALL    RS_ASC
                MOV     A,#13                   ; carriage return
                CALL    RS_ASC
                POP     ACC
                RET

;-----------------------------------------------------------------------
; RS_DPTR - print a string stored in code memory.
; In:    DPTR -> first character
; Out:   DPTR -> the '~' terminator, A = '~'
; Clobb: A, DPTR, carry (CJNE)
; Calls: RS_ASC, RS_CR
;
; Two characters are special and are never sent:
;     '~'  ends the string
;     '`'  is replaced by a line break (RS_CR)
; Nothing bounds the scan: it runs until a '~' is found.
;-----------------------------------------------------------------------
RS_DPTR:        CLR     A
                MOVC    A,@A+DPTR               ; A = code byte at DPTR
                CJNE    A,#'~',RS_DPTR_CHAR
                RET                             ; terminator reached
RS_DPTR_CHAR:   CJNE    A,#'`',RS_DPTR_SEND
                CALL    RS_CR                   ; '`' stands for a line break
                SJMP    RS_DPTR_NEXT
RS_DPTR_SEND:   CALL    RS_ASC                  ; ordinary character
RS_DPTR_NEXT:   INC     DPTR
                SJMP    RS_DPTR

;-----------------------------------------------------------------------
; RS_ASC - transmit one byte on the serial port and wait for completion.
; In:    A = byte to send
; Out:   none; A is unchanged
; Clobb: SBUF, TI
; Blocks (polling, no timeout) until the transmit flag TI is set.
;-----------------------------------------------------------------------
RS_ASC:         MOV     SBUF,A                  ; start transmission
RS_ASC_WAIT:    JNB     TI,RS_ASC_WAIT          ; spin until TI is set
                CLR     TI                      ; re-arm for the next byte
                RET

;-----------------------------------------------------------------------
; RS_HEX - print A as two upper-case hexadecimal digits, high nibble first.
; In:    A = value to print
; Out:   none; A and DPTR are preserved
; Stack: 3 bytes plus the nested RS_ASC call
; Calls: RS_ASC
;-----------------------------------------------------------------------
RS_HEX:         PUSH    DPH                     ; DPTR is borrowed for the table
                PUSH    DPL
                PUSH    ACC                     ; original value kept on the stack

                MOV     DPTR,#HEXTABEL

                SWAP    A                       ; high nibble -> low nibble
                ANL     A,#0FH
                MOVC    A,@A+DPTR               ; nibble -> ASCII digit
                CALL    RS_ASC

                POP     ACC                     ; fetch the original value again...
                PUSH    ACC                     ; ...and leave it saved for the exit
                ANL     A,#0FH                  ; low nibble
                MOVC    A,@A+DPTR
                CALL    RS_ASC

                POP     ACC
                POP     DPL
                POP     DPH
                RET

; Digit lookup table for RS_HEX, indexed by nibble value 0..15.
HEXTABEL:       DB      '0123456789ABCDEF'

;-----------------------------------------------------------------------
; RS_DEC - print A as three decimal digits (000..255, leading zeros kept).
; In:    A = value to print
; Out:   none; A and B are preserved
; Clobb: flags (DIV AB, ADD)
; Calls: RS_ASC
; No CALL to this routine appears in this listing.
;-----------------------------------------------------------------------
RS_DEC:         PUSH    ACC
                PUSH    B

                MOV     B,#100
                DIV     AB                      ; A = hundreds, B = remainder
                ADD     A,#'0'                  ; digit -> ASCII
                CALL    RS_ASC

                MOV     A,B
                MOV     B,#10
                DIV     AB                      ; A = tens, B = units
                ADD     A,#'0'
                CALL    RS_ASC

                MOV     A,B
                ADD     A,#'0'
                CALL    RS_ASC

                POP     B
                POP     ACC
                RET

;-----------------------------------------------------------------------
; Message strings printed through RS_DPTR.
; In these strings '`' is printed as a line break and '~' ends the
; string; neither character is transmitted.
;
; NOTE(review): TEKST1 has no '~' of its own. If TEKST2 is placed
; directly after it, as the listing order suggests, printing TEKST1
; runs on through the TEKST2 text and stops at the '~' there - confirm
; whether that is intended.
;-----------------------------------------------------------------------
TEKST1:  DB 'GOOD LUCK```````````````````'
  DB '*******************************************`'
  DB '*   CHIP COPIER VERSION 2.02              *`'
  DB '*******************************************`'
  DB '`'
  DB '1. SWITCH TO INTERNAL ROM`'
  DB '2. RESET CHIP`'
  DB '3. SWITCH BACK TO EXTERNAL ROM`'
  DB '4. WAIT FOR THE MESSAGE READY TO COPY`'
  DB '5. SWITCH BACK TO INTERNAL ROM``'

; Prompt printed by the code at 2000H before the first delay.
TEKST2:  DB '``````````READY TO COPY`SWITCH TO INTERNAL ROM`~'

; Printed immediately before the address:value lines start.
TEKST3:  DB '``````````HEY-LOW-FUCK.... HERE IT COMES....`~'
; A line of blanks followed by a line break.
LOGO:  DB '                                           `~'

;-----------------------------------------------------------------------
; DELAY - software busy-wait.
; In:    A = outer loop count (0 counts as 256, because DJNZ decrements
;            before it tests)
; Out:   none; A is unchanged
; Clobb: nothing - internal RAM 50H..52H is used for the counters and
;        is saved and restored around the loop
; Stack: 3 bytes
;
; 51H and 52H start at 00H and are back at 00H each time their DJNZ
; falls through, so every outer pass runs the full 256 x 256 inner
; iterations. The elapsed time depends on the crystal frequency.
;-----------------------------------------------------------------------
DELAY:          PUSH 050H
  PUSH 051H
  PUSH 052H
  MOV     50H,A         ; outer counter
                MOV     51H,#00H        ; middle counter: 256 passes
                MOV     52H,#00H        ; inner counter: 256 passes
DELAY_2:        DJNZ    52H,DELAY_2
                DJNZ    51H,DELAY_2
                DJNZ    50H,DELAY_2
  POP 052H              ; restore in reverse push order
  POP 051H
  POP 050H
                RET

END

ᥩ p

 + Origin: * AV_Point - Riga, Latvia * (2:5100/22.1)
=============================================================================
