How to change a chip signature?

I think someone mentioned this in passing in another post, probably in the last 12 months.

Does anyone know which (probably undocumented) high-voltage or ICSP programming locations you address to change the chip signature?

No idea, I'm very interested in this too.

The Atmel guy I talked to swore up and down that it wasn't possible to change signatures, or other things like that (like the default OSCCAL value, which is what I was interested in changing, so I could tune them and have the chip just work (at least at the temperature I tuned it at) without having to have a special bootloader)

I seem to recall that one of the long-time experts here found a link which showed you could change the signature as "fuse" byte 4/5/6 or something like that, but can't find the reference now.

This device claims to do that:

UPDATE 2.1X ADDS NEW FUNCTIONALITY! Send your own fuses and locks trough terminal, talk with chips with broken signature. If you connect terminal Tx pin to PCB Rx pin – manual mode will be enabled automatically. This requires Tx-terminal pin to be HIGH and OUTPUT when idle. It must pull up the 10K pulldown. If this condition is not met, doctor will work in normal – automatic mode.

http://mdiy.pl/atmega-fusebit-doctor-hvpp/?lang=en

afterthought: maybe it claims to be able to update fuses by allowing the Op to bypass the mangled chip signature... not sure exactly what the page is stating.

Ray

Can't you work around it in s/w? i.e. if using a bootloader patch it to lie to be whatever you want. If using ICSP, just go patch the avrdude config file to map the signature read to use the same entry as the signature you desire.

--- bill

Can't you work around it in s/w?

Sure. Just wondering that's all. I just thought I remembered it could be done. Maybe I was dreamin'.

I've heard rumors of people doing this with "less careful" device programmers. Occasionally to their own detriment (not being able to change back?) But I don't think I've ever seen any actual documentation that says "this undocumented command with these arguments can be used to to set xxxx" Sigh.

http://www.eevblog.com/forum/microcontrollers/how-bloody-hard-can-it-be-to-program-an-avr-chip/135/

Well the page for that link further links to this page: http://www.avrfreaks.net/comment/165666 There is a description of erasing and re-writing signature of tiny13. Interesting.

The method employed for this was brute force; I had a program fire off one random sequence after another, checking the chip state after each sequence

I could always try that, I suppose. :)

NEATO!

Gotta try that...

I wonder if the command is the same on other chips...

I think someone mentioned this in passing in another post, probably in the last 12 months.

I did. The signature row is just a bit of Flash. There is an undocumented pair of serial (ISP) commands for reading / writing. I remember them being a logical extension of the commands to read / write the program Flash. I believe I found three references. I know one was on avrfreaks. If you want a hand finding the material just let me know.

The Atmel guy I talked to swore up and down that it wasn't possible to change signatures...

If you ever meet him in person give him a good solid slap for lying to you.

I remember them being a logical extension of the commands to read / write the program Flash. I believe I found three references. I know one was on avrfreaks. If you want a hand finding the material just let me know.

Yes, please. I think you gave more details last time. ;P

My Googling has just revealed a lot of nonsense about how you can disable the signature checks, not how you can change the signatures.

Uh oh. I fear I did not save a reference... http://forum.arduino.cc/index.php?topic=318215.msg2203467#msg2203467

Going to have to put on my Google wishing cap.

Looks like @A Hellene is the Master of Wizards... http://www.eevblog.com/forum/microcontrollers/bootloader-on-smd-atmega328p-au/msg268938/#msg268938

These look like they have lots of goodies... http://www.avrfreaks.net/forum/undocumented-signature-row-contents http://www.avrfreaks.net/comment/1100311#comment-1100311 http://www.avrfreaks.net/forum/signature-row-serial-number?name=PNphpBB2&file=viewtopic&t=140522

If there is not enough detail in those links let me know and I will keep hunting. Tomorrow. It's bedtime.

This may be helpful... http://www.avrfreaks.net/comment/165751#comment-165751

[quote author=Coding Badly link=msg=2357712 date=1439629620] This may be helpful... http://www.avrfreaks.net/comment/165751#comment-165751 [/quote]

I read that a few times, but couldn't quite see what he was getting at. Plus I think that was a different chip.

Yeah, that's a bit jumbled.

There is some stuff I can sort-of remember that may have not been in any of the links I found. My memory works best when there is a concrete goal so ... Are you going to try manipulating the signature bytes of a processor? Which processor?

Ah ha! I think That post is in reference to the t13 processor / serial high-voltage programming.

His description of how to modify the Chip Erase command lines up with the datasheet…

To erase the signature and calibration rows, modify your programming software so that bit7 of the first instruction byte of chiperase is set. That is, the sdi/sii pairs
80,CC 00,64 00,6C

By his nomenclature, the Chip Erase command is 80,4C 00,64 00,6C.

Let's put it like this. In my HV programmer sketch, this erases the chip:

void eraseMemory ()
  {
  HVprogram (ACTION_LOAD_COMMAND, CMD_CHIP_ERASE);

  digitalWrite (WR, LOW);  // pulse WR to erase chip
  digitalWrite (WR, HIGH);
    
  pollUntilReady (); 
  clearPage();  // clear temporary page
  }  // end of eraseMemory

Given:

 // high-voltage programming commands we can send (when action is LOAD_COMMAND)
  enum {
        CMD_CHIP_ERASE       = 0b10000000,
        CMD_WRITE_FUSE_BITS  = 0b01000000,
        CMD_WRITE_LOCK_BITS  = 0b00100000,
        CMD_WRITE_FLASH      = 0b00010000,
        CMD_WRITE_EEPROM     = 0b00010001,
        CMD_READ_SIGNATURE   = 0b00001000,
        CMD_READ_FUSE_BITS   = 0b00000100,
        CMD_READ_FLASH       = 0b00000010,
        CMD_READ_EEPROM      = 0b00000011,
        CMD_NO_OPERATION     = 0b00000000,
        }; // end of commands

  // when XTAL1 is pulsed the settings in XA1 and XA0 control the action
  enum {
       ACTION_LOAD_ADDRESS,
       ACTION_LOAD_DATA,
       ACTION_LOAD_COMMAND,
       ACTION_IDLE
       };    // end of actions

By his nomenclature, the Chip Erase command is 80,4C 00,64 00,6C.

I can see the 0x80 there (CMD_CHIP_ERASE) but I don't see what the other bytes are.

[quote author=Coding Badly link=msg=2358497 date=1439677399] Are you going to try manipulating the signature bytes of a processor? Which processor? [/quote]

I read somewhere it couldn't be done, so I want to prove them wrong. ;)

Any reasonable processor that I have to hand and don't mind having to replace, eg. ATmega328P, ATtiny85.