Hacking EPROM based microcontrollers in general First check if the window version is available and buy one. Program it and program the security bit, too. Mask some area of the window and try with UV light 5 to 15 min. If you can't read it, the security bit is on the masked area. Move the mask until you can localize the security bit area. Erase EPROM and program it again and try find mask, which saves the contents of the EPROM but erases the security bits. COP8782 is easy because there is enough room between the security bit and the memory area. When you can program the chip and erase the security bit and read it again, you are ready to try with real OTP version. Buy also some OTP versions. They are much cheaper than window version. First you must have X-ray photo to localize the chip. I didn't and lost therefore a COP8782CN with the software. The chip was more than 1 mm from that what I supposed. I trained first also with OTP version but the place of the chip can vary in every package. Drill with 2 mm diameter milling cutter a 1.0 mm deep hole on the chip over the security bit area. The nitric acid will etch also the aluminium pads under the bonding wires, so try to place the hole symmetrically to every direction to avoid the etching of these pads. If you etch 0.5 mm on the bottom of the hole, the diameter of the hole will also grow up 2*0.5 mm. In DIL package the chip is 1.5 mm from the top but the bonding wires are above it so you have to be very careful. Set the DIL chip on a 8 mm aluminium rectangular bar and fasten it in the milling cutter. When the hole is ready, set the aluminium bar on a hotplate and warm it up to 90 degrees Celsius. Then drop one drop 60 % nitric acid into the hole. If the chip is warm enough the acid seems to boil with little bubbles. However don't warm it too much. When the acid seems to dry add one drop more. After a few minutes clean the chip with warm water and a soft brush. An ultrasonic cleaner could be handy but I don't have it. Neutralize the remaining acid with alcohol and let it dry. If the etched hole isn't big enough, continue etching it. When you can see inside the chip, wash it carefully with warm water. When it is dry, wash it with alcohol or isopropanol to neutralize the remaining acid. When you can see tiny bubbles moving in the alcohol there is still some acid in it. I used a microscope with 20X and some drops of isopropanol. Then mask the memory area with black tape and erase the security bit with UV light and read the chip. That's all. Remember: Be extremely careful with the nitric acid because it is very dangerous. I can hack any COP8782C in a couple of hours if I know the exact place of the chip inside the package. However, I can't guarantee to save the chip. The opening process can destroy it. What you need to do that: EPROM programmer EPROM erasing ultraviolet lamp Microscope 10X or more Nitric acid 60 % or more The reason for my experiments was the AD of Remco Co. They said "you have it, we hack it". I think, why couldn't I do that if somebody else can. +------------U------------+ | 1 20 | | | | COP8782CN | | | | | | | | | | | | | | | | chip 3.5*4.8 mm | | | | +---------------+ | | | | | | | | | | | | | | | | | | | | | | | +--+-+--+ | | | | |M1| |M2| | | | | +--+-+--+ |0.15mm gap | | +------+ | | | |1.0mm |EECON | | | | | |+SECUR| | | | | +------+ | | | +---------------+ | | 1.6mm | | | | | | | | | | | | | | | | | | | | 10 11 | | | +-------------------------+ M1 and M2 are EPROM memory areas, sizes 0.8*0.8 mm gap between memory and security is 0.15 mm EECON and security bits are on the area, size 1.0*1.6 mm There are at least 2 or more security bits. When one bit is erased, EECON register shows "SECURITY DISABLED", but reading the chip gives only E0H-bytes. When all of the bits are erased, the chip can be read. ======================================================================== Disclaimer from Sathack BBS =========================== Under NO circumstances should this data be used for any illegal purpose. It is issued for informational and educational use only. Please respect your own countries laws. It is impossible for all data to be fully understood before release. If anyone considers their rights are being infringed in any way please call Sathacks voice line or send a postal letter by recorded delivery to the address given and I will try to rectify any problem immediately. Do NOT use E-Mail for this purpose. It may not arrive. Downloaded from:- Sathack BBS UK Node1 and FAX Tel:- +44 (0)1884 255316 - Node2 +44 (0)1884 252388 Voiceline +44 (0)1884 256197 Sysop - David Tilley E-Mail sathack@mail.zynet.co.uk Sathack BBS is operated from:- 6 Lime Road, Tiverton, Devon EX16 6JA England. http://www.wedzboyz.demon.co.uk