IIRC it involves pulling one pin (one of the port C pins? pins 7, 8, 9, 10, or 11?) to +12V on /RESET to kick the chip into test/debug mode.

In that mode, assuming the chip is not a 68705P5 with the secondary security bit set, you can synchronously feed bytes to port A and the chip will execute them as opcodes (I think it may immediately execute the words, meaning you need to manually 'make up' immediate-value-only code to move your real program into the 0x0000-area RAM, then jump to that to run it). This is used to put a small program into the 68705's memory, which spits the ROM contents out port B sequentially, using port A or part of C for timing?

This works even on "protected" 68705P3 chips, where the protection bit on the very last EPROM byte (actually a sort of flag/mode byte) before the mask ROM in memory is set. (If this bit is clear, I forget what the difference is.)
The 68705P5 version added a second security bit which, when set, I think prevents port A from being read by the MCU (at least in test mode), effectively locking out the test/debug mode.

There is the 'other', more well known 68705 flaw however, which still works on the P5: the one involving the built-in ROM's verify mode taking a different number of cycles to toggle the 'increment external address' line, depending on a byte match or mismatch, which allows a 256-pass, one-of-each-byte attack to dump the internal ROM contents.

The 68705P5 attempted to prevent that by making the test/verify mode vector point to 3 bytes before the end of the EPROM (which is immediately before the start of the mask ROM/test code), with the intent that you would put a jump to the normal reset vector there to disable the test mode completely as protection; but this can be bypassed with voltage glitching to make the EPROM bytes read as 0x00 (NOP).

We have yet to demonstrate this attack against a protected 68705P5 (from Taito games etc.), but according to what appears to be testimony from people in the security industry who dealt with these MCUs before, that trick does work for dumping protected P5 chips.


"When life gives you zombies... *CHA-CHIK!* ...you make zombie-ade!"