Reading out Maskrom Data The Hardway

[Sionyn]

Recovering code or data is nothing new, but the old problem of recovering Masked ROM through visual inspection normally done by crowd sourcing this guy has automated this his new software tool.

http://oamajormal.blogspot.co.uk/2013/01/fun-with-masked-roms.html

[amyk]

Not particularly difficult compared to e.g. handwriting recognition or other visual processing tasks, as all the bits are already nicely arranged and ready to be read.

[free_electron]

There's a far easier way.. Which is what the pro's use.

Get a hold of a blank chip. Scan
Set the 'read protect' fuse. Scan
Fuse coordinates are bo known.

Decapsulate the chip to be reverse engineered. Flip read protect fuse. Dump. Done.

Eeprom and flash rom cells can be scanned using an e-beam prober. This machine can detect the gate charges. They use an electron beam to sweep the chip surface. Current change means voltage change in the chip. So you get a clear map of the bits immediately. Once you got the coordinates of the fusebits you can use the e-beam to 'write' its state...

The reverse engineering shops have tables with the coordinates of the fuses for al ost anything out there.

A harder way is to use self decrypting code. Read crypto key from outside the chip and have the program instructions being decrypted on the fly. Then probing gets you nowhere as you don't have the key. Only the cypher code and the encrypted program code. The cypher itself is missing.