Saturday, October 28, 2006

"Erasing" EPROM without UV

There is no such thing as overerasing, but there are some gate effects that can prove helpful in getting to the protected content of memory chips. We start with the EPROM FAMOS cell, because it is the oldest reprogrammable memory here and it served well for many, many years.

The basic disadvantage is quantum mechanics... You program this memory to "0" by tunnelling some hot electrons under high electrical stress. You have to do it in short pulses... have you ever wondered why? You can oversaturate the sensing transistor by programming the FAMOS transistor "too much". I guess the best is to use one solid long pulse, longer than the programming manual intended; if it is successful, for some time the cell might be read as a logical "1", which means the unprogrammed state. Of course, that holds only if the programming circuitry is not disabled (most probably it is not; IC designers are lazy creatures).

Any proof? I know you want me to quote some sources... I will one day, maybe, but I personally tried a cheaper single-chip video camera. It was pretty much IR sensitive, so colors were rather poor. The sun was rising and started to show in the window. As I pointed the camera more to the sun, the sun appeared as bright, brighter, brightest and became a big black spot surrounded by white. So, you see that various hacks do exist on these big fat floating polysilicon gates. By the way, the camera CCD sensor is very similar to EPROM memory.

The next post might be about the specs of the old EEPROM, its read and write logical cell states, and hypothetical modes of attack.

P.S. I have to mention memory cell size, programming protocol, supply voltage, supply voltage interference, logic glitch.
