Thanks everybody for the help.
electricboyo:
Sometimes it can be useful to retrieve the existing flash memory contents from an AVR device for archival purposes. I've done this a number of times myself.
Retrieving the existing flash contents from an AVR device makes it possible to restore the original firmware back into the AVR device. The fuses and lock bytes also need to be retrieved from the target AVR device and saved in files.
Avrdude, operated from a Windows command line, is the best method for doing this. The target AVR device should be connected with the ISP connection method. However, please note that the original developer might have programmed the lock to prevent access to the flash. In that case it simply isn't possible to retrieve the original flash contents.
I agree that the binary file which can be read from the AVR device isn't particularly useful for analysis or reverse engineering. This is something of a "for experts only" procedure. There are "disassembler" applications available that run under Windows or Linux. These are capable of converting raw binary AVR flash files back into a type of "pseudo assembly language." But there aren't any analysis apps out there that can take the next step of "reverse compilation" to go from assembly language to C code. That said, I have obtained useful information from a "disassembly" of existing binary code in the past. Mostly when I was searching for one very specific item, such as how the I/O ports in the AVR device were configured.
Here are some examples of Windows command lines for using avrdude to retrieve data from AVR devices:
___________________________________________________________________
"Arduino as ISP" with ISP cable can be used to connect target board:
Notes: Must select 19200 baud rate
Com port for IRONMAN PC is com12
This connection mode permits all AVRDUDE features to operate, such
as "terminal mode."
The following commands work for both "serial bootloader" connection
and for ISP connection through a separate programming device
Reading flash contents into disk file and then re-writing this file
back to AVR device will preserve the original flash data and bootloader,
but will change the lock bits from 0x0f to 0x3f
Note: Hfuse must have been previously set to preserve EEPROM if
existing EEPROM data is to be preserved during this process:
avrdude -pm328p -carduino -Pcom12 -b19200 -Uflash:r:rd_flash.bin:r
avrdude -pm328p -carduino -Pcom12 -b19200 -Uflash:w:rd_flash.bin:r
The following command starts AVRDUDE "terminal mode"
ISP data connection allows terminal mode to:
Read all AVR data
Write everything except lock bits
Serial/bootloader connection does NOT support terminal mode
avrdude -pm328p -carduino -Pcom12 -b19200 -t
Examples of commands that can be used during terminal mode:
read lfuse
read hfuse
read efuse
read lock
read calibration
read cal
read sig
read ee 0 0x400
read flash 0 0x400
read flash
read flash 0x7800 0x400
read flash
Write hfuse to preserve EEPROM data during chip erase:
write hfuse 0 0xd2
Write serial number data into device EEPROM:
write ee 0x3fa 0x70 0x6d 0x35 0x33 0x20 0x20
Write lock to protect bootloader flash from accidental over-write,
while still allowing application to read from bootloader flash:
Note: This only works after a "chip erase" initializes
lock to 0x3f
write lock 0 0x2f
Useful FUSE values for testing Arduino boards with ATmega328P MCU
                                  LFUSE   HFUSE   EFUSE
Factory default 16 MHz crystal    0xFF    0xD6    0xFD
8 MHz crystal                     0xFF    0xD6    0xFD
With clock out on port B0         0xBF    0xD6    0xFD
Internal oscillator 8 MHz         0xC2    0xD6    0xFD
With clock out on PB0             0x82    0xD6    0xFD
With divide by 8 (1 MHz)          0x42    0xD6    0xFD
Add clock out                     0x02    0xD6    0xFd
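Added example, not part of electricboyo's post and not avrdude's own code: a small Python decoder for the ATmega328P lock byte values mentioned in the post (0x3f, 0x2f, 0x0f), showing which settings block read-back of flash over ISP. The bit layout is taken from the ATmega328P datasheet; the function names are hypothetical, and the input is assumed to be an integer or text such as `0x3f`, as avrdude writes with its `h` output format.

```python
"""Decode an ATmega328P lock byte (added example; function names are hypothetical).

Bit layout per the ATmega328P datasheet; a programmed bit reads as 0:
  bits 1..0 = LB2:LB1, bits 3..2 = BLB02:BLB01 (application section),
  bits 5..4 = BLB12:BLB11 (boot loader section), bits 7..6 unused.
"""

LB_MODES = {
    0b11: "mode 1: no memory lock features enabled",
    0b10: "mode 2: further programming of flash/EEPROM disabled",
    0b00: "mode 3: further programming and verification disabled",
}
BLB_MODES = {  # "this section" = application (BLB0) or boot loader (BLB1)
    0b11: "mode 1: no restrictions",
    0b10: "mode 2: SPM may not write to this section",
    0b00: "mode 3: SPM may not write to, and LPM from the other section "
          "may not read, this section",
    0b01: "mode 4: LPM from the other section may not read this section",
}


def parse_lock(raw):
    """Accept an int, or text such as '0x3f' as saved by avrdude's 'h' format."""
    value = raw if isinstance(raw, int) else int(raw.strip(), 16)
    if not 0 <= value <= 0xFF:
        raise ValueError(f"lock byte out of range: {value:#x}")
    return value


def decode_lock(raw):
    """Return the lock modes and whether flash can still be read back over ISP."""
    value = parse_lock(raw)
    lb = value & 0b11
    return {
        "lb": LB_MODES.get(lb, "undocumented LB1/LB2 combination"),
        "application": BLB_MODES[(value >> 2) & 0b11],
        "bootloader": BLB_MODES[(value >> 4) & 0b11],
        # Read-back over ISP is only blocked in LB mode 3; the undocumented
        # combination is treated as not readable to stay conservative.
        "isp_readback": lb in (0b11, 0b10),
    }


if __name__ == "__main__":
    for sample in ("0x3f", "0x2f", "0x0f", "0xfc"):  # constructed inputs
        print(sample, decode_lock(sample))
```
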
Sounds very interesting @electricboyo. Could you direct me to some links/resources to learn a bit more?