
Topic: How to change a chip signature?

mestek123

I was interested in how to change the signature. I can read it OK.
I am interested too.
Theoretically it is an EEPROM so it can be modified
but how????

CrossRoads

Quote
theoretically it is an EEPROM so it can be modified
There is nothing in the datasheet suggesting the signature bytes are in EEPROM.
All the references only indicate reading is possible, such as:

28.7.13 Reading the Signature Bytes

The algorithm for reading the Signature bytes is as follows (refer to "Programming the Flash" on page 293 for details on Command and Address loading):

1. A: Load Command "0000 1000".

2. B: Load Address Low Byte (0x00 - 0x02).

3. Set OE to "0", and BS1 to "0". The selected Signature byte can now be read at DATA.

4. Set OE to "1".



Nowhere will you find "Writing the Signature bytes"

mestek123

Have you checked the links provided by codingbadly?
Somebody says he could change it; he just gives undocumented code, but without supporting results or printscreens.

mestek123

#33
Oct 02, 2015, 09:42 pm Last Edit: Oct 02, 2015, 10:27 pm by mestek123
Over the years there have been a couple instances of these being altered by accident, but some years back I also changed signature bytes in some tiny on purpose, as described in the freaks thread linked above. Since it was a scientific experiment and not particularly useful I did not bother to document, but similar to that procedure:

This is via the HV programming logic; If someone maps it out on the other methods, I would like to learn too.

To erase the signature and calibration rows, modify your programming software so that bit7 of the first instruction byte of chiperase is set. That is, the sdi/sii pairs
80,CC 00,64 00,6C
Will erase the signature and calibration rows.

Before attempting this, read out ALL 16+16 bytes of signature and calibration. The documentation states that 2 bits in the second pair of read_sig_byte are address bits; This is untrue, there are 4 address bits for T13. Likewise for read_cal_byte, the second pair has 4 address bits.

After you have erased the signature and calibration rows, load the flash programming instruction, followed by 16 words of data as one usually would for programming flash. Then, instead of executing flash_load_high_address_page_program, load
sdi 1xx1 x011 0000 0000 0000 0000
sii 0101 0101 0100 0101 0011 0101
instead (let's call it sig_page_program).
The low bytes end up in signature, the high bytes end up in calibration.

And the calibration value written here IS used after reset. The higher undocumented sig/cal bytes may or may not have interesting control functions :-)

The method employed for this was brute force; I had a program fire off one random sequence after another, checking the chip state after each sequence. It spat out a number of interesting patterns, and I then had to figure out what part of the pattern was significant. Beware: Like the documented keep_eeprom_during_chiperase fuse, there is also an undocumented bit somewhere, 'keep signature rows during chiperase'; During some of my experimentation I managed to erase it on one of my devices and I haven't been able to find it, thus every time I do a normal chiperase the signature of this particular device is erased too.

edit: my bit patterns are given without 0_ and _00 padding.



I was able to alter several different chips, but with no real application put little effort into saving the utilities or hardware (couple npn). Now wish I did. A friend of mine also managed it, but I'm not sure he still has more details. I will check.


Have you checked this?
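
The quoted procedure's advice to read out all 16+16 signature and calibration bytes first can be turned into a before/after check. The following is an added example, not code from any poster in this thread or from the datasheet; the 32-byte dump layout, the function names, the 0xFF erased value and the sample bytes (other than the ATtiny13 device ID 1E 90 07) are assumptions made for illustration.

```python
# Added example: compare a saved signature/calibration backup with a fresh read.
# Assumed (hypothetical) dump layout: 16 signature bytes, then 16 calibration bytes.
ROW_LEN = 16
ERASED = 0xFF  # assumption: an erased row reads back as 0xFF, like erased flash
ATTINY13_ID = bytes([0x1E, 0x90, 0x07])  # device ID at signature addresses 0x00-0x02

def split_rows(dump):
    """Split a 32-byte dump into (signature_row, calibration_row)."""
    if len(dump) != 2 * ROW_LEN:
        raise ValueError(f"expected {2 * ROW_LEN} bytes, got {len(dump)}")
    return dump[:ROW_LEN], dump[ROW_LEN:]

def check_rows(baseline, current, expected_id):
    """Return a list of findings; an empty list means both rows are intact."""
    findings = []
    rows = zip(("signature", "calibration"), split_rows(baseline), split_rows(current))
    for name, old, new in rows:
        if old != new and all(b == ERASED for b in new):
            findings.append(f"{name} row reads as erased")
            continue
        for offset, (a, b) in enumerate(zip(old, new)):
            if a != b:
                findings.append(f"{name}[0x{offset:02X}] changed 0x{a:02X} -> 0x{b:02X}")
    device_id = split_rows(current)[0][:3]
    if device_id != expected_id:
        findings.append("device ID mismatch: read " + device_id.hex(" "))
    return findings

# Constructed sample dumps (not read from real hardware).
BASELINE = ATTINY13_ID + bytes(0xA0 + i for i in range(13)) + bytes([0x5A] + [0x00] * 15)
CAL_CHANGED = BASELINE[:ROW_LEN] + bytes([0x60]) + BASELINE[ROW_LEN + 1:]
ROWS_ERASED = bytes([ERASED] * (2 * ROW_LEN))

if __name__ == "__main__":
    for label, dump in (("intact", BASELINE), ("cal changed", CAL_CHANGED),
                        ("erased", ROWS_ERASED)):
        print(label, check_rows(BASELINE, dump, ATTINY13_ID) or "OK")
```

Keeping the baseline dump alongside the device makes an accidental erase of either row visible as a concrete list of changed offsets rather than only a programmer refusing the part.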
