Hmm, what he was describing on that board sounds like it would work, though it's a variant brute-force attack:
Basically, you set the protected chip into verify mode, which iterates comparing the external and internal memories to verify that the internal ROM matches the external one. The security hole is, the verify program (on mask ROM inside all 68705s) STOPS when it detects a mismatch between external and internal ROMs. So, what you do is this:
Have an external MCU (maybe an Atmel AVR) outside the 68705 which watches what the 68705 does. Set the external RAM (which the 68705 is comparing against) to all zeroes. Now, run the 68705 in verify mode. It will halt after the first byte read from 0x0000 (and this will be visible on its bus, probably by the address bus ceasing to increment; testing is required) if the first byte in the internal ROM is NOT a zero. If this is true, the external MCU should change the first byte in the RAM it is verifying against to 01, and reset the 68705 and set it to verify mode again.
If it fails again, set it to 02, etc.
Once the verify program PASSES the test it will read address 0x0001 and halt. The external MCU should repeat the increment-and-reset for byte 1. Repeat for all bytes in the internal ROM. This takes about 18 or more hours to finish.
But it really should work, assuming Motorola didn't change the internal rom to prevent this attack on some revisions.
EDIT: one more important thing:
> Bootstrap program is always present in the address space, so you can
> program up a blank part and read it out. It's pretty strange and tight
> code that copies itself into the RAM and runs from there. But it's only
> 115 bytes.
This needs to be dumped and implemented in the 68705 CPU core.
Last edited by Lord Nightmare; 05/04/08 05:02 PM. Reason: add note
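As an added illustration (not part of the post above, and not the real 68705 mask-ROM routine, which is not reproduced here), the following Python model shows why a verifier that halts at the first mismatch is a byte-by-byte oracle: the halt address it reveals is all the search described in the post needs, so the work is at most 256 tries per byte instead of 256 to the power of the ROM length. The `FullCompareVerifier` beside it is the defensive counterpart: it examines every byte and reports only pass/fail, so the same search gets no per-byte feedback. Class and function names, the returned "halt address" standing in for what an observer sees on the address bus, and the sample ROM contents are all constructed for this example.

```python
# Added example (not from the original forum post): a simplified software
# model of a halt-on-first-mismatch verify routine, next to a verifier that
# compares everything before answering.  The 68705 details are assumed from
# the post's description, not taken from real mask-ROM code.
from typing import Optional, Tuple


class EarlyExitVerifier:
    """Model of the verify routine as the post describes it: internal ROM is
    compared with external memory one byte at a time and the routine halts
    at the first mismatch.  The halt address is what an observer on the bus
    would see, so verify() returns it (None means every byte matched)."""

    def __init__(self, internal_rom: bytes) -> None:
        self._rom = internal_rom

    def verify(self, external: bytes) -> Optional[int]:
        for addr, (internal, ext) in enumerate(zip(self._rom, external)):
            if internal != ext:
                return addr  # halts here: leaks how many leading bytes matched
        return None


class FullCompareVerifier:
    """Same comparison, but every byte is examined and only one pass/fail
    result comes out at the end, so the halt-address oracle is gone."""

    def __init__(self, internal_rom: bytes) -> None:
        self._rom = internal_rom

    def verify(self, external: bytes) -> bool:
        diff = 0
        for internal, ext in zip(self._rom, external):
            diff |= internal ^ ext  # accumulate, never exit early
        return diff == 0 and len(external) == len(self._rom)


def recover_rom(verifier: EarlyExitVerifier, rom_len: int) -> Tuple[bytes, int]:
    """The byte-by-byte search the post outlines, run against the model:
    start from an all-zero external image; whenever the verifier halts at
    the byte currently being worked on, bump that byte and "reset".
    Returns the recovered image and the number of reset/verify cycles used."""
    guess = bytearray(rom_len)  # external RAM starts as all zeroes
    cycles = 0
    addr = 0
    while addr < rom_len:
        cycles += 1
        halted_at = verifier.verify(bytes(guess))
        if halted_at is None:
            break  # whole image matched
        if halted_at > addr:
            addr = halted_at  # bytes before halted_at are now confirmed
        else:
            guess[addr] += 1  # mismatch at addr: try the next value
    return bytes(guess), cycles


if __name__ == "__main__":
    # Constructed sample ROM contents; any bytes would do.
    sample_rom = bytes([0x03, 0x00, 0x01, 0xFF, 0x10])
    image, cycles = recover_rom(EarlyExitVerifier(sample_rom), len(sample_rom))
    print("recovered:", image.hex(), "in", cycles, "verify cycles")
    full = FullCompareVerifier(sample_rom)
    print("full-compare verifier, all-zero image passes?", full.verify(bytes(5)))
```

The early-exit model costs at most 256 verify cycles per ROM byte, which is where the post's "hours, not centuries" estimate comes from; against `FullCompareVerifier` the only feedback is a single bit for the whole image, so the same loop never learns which byte was wrong. The general lesson is the usual one for any comparison of secret data: compare the whole buffer and report one result, rather than stopping at the first difference.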