IF YOU ARE THINKING OF FLASHING YOUR CONTROLLER PLEASE POST HERE BEFORE YOU DO SO


Teoman Naskali

Oct 27, 2014, 10:42:59 AM
to catg...@googlegroups.com
I was doing some research for work and I came across this:

http://www.openpcd.org/HID_iClass_demystified

At minute 30, it says how there is a workaround for extracting the software from PIC microcontrollers. It would be beneficial for the whole community (and you, the potential upgrader to catgenius) if we could get the original software in our possession.


So basically I would like you to try out a few things before you flash your catgenie, to extract the old software. I am unable to do it because I wrote over it.


Robert Deliën

Oct 27, 2014, 10:56:34 AM
to catg...@googlegroups.com
> I was doing some research for work and I came across this:
> http://www.openpcd.org/HID_iClass_demystified

> At minute 30, it says how there is a workaround for extracting the
> software from PIC microcontrollers. It would be beneficial for the
> whole community (and you, the potential upgrader to catgenius) if
> we could get the original software in our possession.

I haven't watched the movie, because I'm at work now, but it's probably not working on the PICs we use. On very old PIC processors, one could erase a part of the program memory and put in a small piece of code that would read out the rest. Modern PICs can only be erased in full.

One could try to put in instructions that won't require erasing, hence only changing 1's into 0's and not the other way around. But that would severely limit the possibilities, and requires a lot of trial and error because you don't know what's already there.

Or one could shave the housing, cook off the rest using boiling acetone and read the contents using a scanning electron microscope.

Or....

If you read into it, - and I have - many things will be possible, but in reality it is much less effort to write new code, duplicating the functionality.

Teoman Naskali

Oct 27, 2014, 11:19:14 AM
to catg...@googlegroups.com
If you can shave it, I can read it with an electron microscope :)

But you should provide 2 just in case. Last time I fried the sample with the electron beam.

Teoman Naskali

Oct 27, 2014, 11:20:39 AM
to catg...@googlegroups.com

Breaking Microchip PIC18F CPU copy protection

Initial OpenICSP Prototype which was used to extract the firmware out of a HID iCLASS RW400 reader (Microchip PIC18F452 CPU)

One of the challenges of breaking iCLASS RFID readers was to extract the firmware and the security keys of RW400 readers without leaving visible traces like breaking the case open. This challenge could be solved by finding a vulnerability in PIC18FXX2/XX8 microcontrollers that allows dumping the firmware by only accessing the ICSP pins.

Robert Deliën

Oct 29, 2014, 5:53:34 AM
to catg...@googlegroups.com
> I was doing some research for work and I came across this:
> http://www.openpcd.org/HID_iClass_demystified

Hm, you may be on to something there!


> At minute 30, it says how there is a workaround for extracting the
> software from PIC microcontrollers. It would be beneficial for the
> whole community (and you, the potential upgrader to catgenius) if
> we could get the original software in our possession.

Yes, no doubt that has benefits. But once one of us has it, sharing it can be a bit tricky, let alone publishing it.


> So basically I would like you to try out a few things before you flash
> your catgenie, to extract the old software. I am unable to do it because
> I wrote over it.

I understand. But even with the original software overwritten, you could still see if it works. With a proof of concept in place, I'm sure we can arrange something to get you an original board.



Robert Deliën

Oct 29, 2014, 6:03:38 AM
to catg...@googlegroups.com
> If you can shave it, I can read it with an electron microscope :)

Cool! I always wanted to have one, but they are very rare on the surplus market. And when they do pop up, they do so at ridiculous prices. Priced for companies needing it to make money, but too obsolete to do that anymore, and too expensive for the curious hobbyist.

This guy built his own:
https://www.youtube.com/user/bkraz333
But I'm not _that_ curious. And he eventually bought a surplus unit too.


> But you should provide 2 just in case. Last time I fried the sample with
> the electron beam.

The guy above has posted a movie of him putting an NE555 test circuit in his SEM, and indeed it didn't last very long, for exactly that reason.

Robert Deliën

Oct 29, 2014, 6:06:22 AM
to catg...@googlegroups.com
That is interesting: the 18F series is very modern, so I'm curious about the exact vulnerability.


From: catg...@googlegroups.com [catg...@googlegroups.com] on behalf of Teoman Naskali [t...@200iq.com]
Sent: Monday, October 27, 2014 16:20
To: catg...@googlegroups.com
Subject: [catgenius] Re: IF YOU ARE THINKING OF FLASHING YOUR CONTROLLER PLEASE POST HERE BEFORE YOU DO SO


Michael Conner

Oct 29, 2014, 2:43:09 PM
to catg...@googlegroups.com
Okay, so I've not responded to this ever-recurring subject; now I must.

First, as Robert has pointed out many, many times: if you reprogram your CG litter box,
the original OEM code is gone !! End Of Story !!!

Next, even if you could "finally" extract the OEM code from a CG litter box, you can not use it.

All companies copyright their code, for good reason. It is illegal to use copyrighted code, plain and simple.

I've programmed eight CG litter box CPUs. Most were CG-120 series (two were newer units) and the remaining were CG-60s. The only issues I've had in the programming process were my own fault.

My oversights:

I had one newer CG-120 that (after re-programming), when it finished the initial scoop routine, never started the wash routine - the litter box never filled. The CG litter box just ran the bowl in the same direction - endlessly.

After three attempts at re-programming this litter box I decided to back up and see what I was doing WRONG. I decided to run the Diag program.

I immediately knew that I was making an error because Robert's marvelous Diagnostic ran perfectly. I was using the MPLAB program. The simple fact is that when I programmed Robert's Run program I was selecting the incorrect CPU. No, I don't recall the exact error other than I selected the incorrect CPU, one of the letters.

On another occasion the CG litter box operated rather unexpectedly. Every time I cycled the A.C. power, the litter box started somewhere in the middle of the program. I discovered that one of the pins on the programming socket was defective; the holding retention was very loose. Of course it was the serial pin. Replacement of this socket solved my problems. One can test the retention by inserting a single pin into each location in the connector.

The other common errors were forgetting to check the boxes in the PICkit programmer GUI, or forgetting to plug in the CG litter box so as to have the +5 Volt D.C. on the circuit board.

I don't utilize or design with PIC CPUs in anything that I've designed over the last couple of decades. So, for me, the small details can quickly make a re-program a difficult and frustrating task.

I've long since forgotten what your original problem with your CG-120 is. But, if you have installed the Diag program and this program does operate properly, please list the exact errors in the operation of the diag program.

IF your tests indicate a defective IR LED in the H2O detect circuit, then please detail your test and how you reached this conclusion.

Do KNOW that the IR detector is very sensitive to ambient light. Yes, it is an IR device and should not be sensitive to visible ambient light, but in fact this one is.

So if you plan to test the D.C. voltage output of the IR sensor, then you will need to accomplish this in a dimly lighted area.

Once AGAIN: THERE is 120 Volts on this circuit board, and extreme caution must be taken when testing a CG circuit board that is HOT, plugged in to 120 Volts !!

BE Careful !!

Michael...
