MCU reverse engineering

Microcontroller Unlock - MikaTech

Our values and goals

About MikaTech

Time went fast, from the day we did our first 8051 MCU reverse engineering project in 1998, to the day we set up our million dollar reverse engineering lab in 2012, 14 years went by. Now we start our new business of embedded visual system development, hope we can serve another 10 years.

sign Peter Lee Co-Founder & CEO

Disassembler Softwares For Mcu Reverse Engineer

Note: all the softwares had been protected by password, after download the code, please send us a email, Mikatech will send you the password.

 

  • BIN / HEX convert
  • This is a BIN / HEX format convert tool for windows.

    Not all the codes can be converted 100%, you can download a Xeltek programer tool, load your BIN (or HEX) program without connecting the programmer, then save as HEX (or BIN) program.

    BinToHex.rar

  • Microchip PIC disassembler
  • The PIC disassembler is a Windows based software to control a development programmer for PIC microcontrollers. To operate this software, a basic knowledge about electronics and Windows is necessary.

    Programs : 12Cxx, 16Cxxx, 16Fxx, 16F87x, 18Fxxx, 16F7x, 24Cxx, 93Cxx, 90Sxxx, 59Cxx, 89Cx051, 89S53, 250x0, PIC, AVR , 80C51 etc.

    PIC_prog.rar

  • MCS-51 core MCU disassembler
  • As the name describes, it is a windows based disassembler for MCS-51 core MCU codes, Atmel, Intel, SyncMos, Nuvoton/Winbond and NXP MCS-51 core MCU codes can be disassembled with nice outcome.

    MCS-51_core_MCU.rar

  • AVR Studio
  • AVR Studio is developed by Atmel Corp, it is used for Atmel AVR mcu programming and debugging, it also can be used for disassembling, since it is a Atmel product, the disassembled code can not be exported, it can be use used to complement other disassembler to make more accurate disassembling results.

    The Disassembly window is only available when debugging. When any supported high level language is used, the source window is automatically displayed and the disassembly window is OFF. Enable it by choosing Debug→Windows→Disassembly or Ctrl+Alt+D during a debugging session.

    The disassembly window shows your program code disassembled. Program execution and AVR instructions can be followed in this view. By right clicking inside the Disassembly window you will be able to set breakpoints, run to the position of the cursor or go to the source code. You cannot modify the source code from the Disassembly window.

    Higher edition can be found on atmel website

  • http://www.atmel.com/microsite/avr_studio_5

  • http://www.atmel.no/webdoc/atmelstudio/atmelstudio.Debug.Views.Disassembly.html

    AVRstudio.rar

  • MDT OTP writer
  • Developed by MDT company.

    This is infact a MDT OTP writer, import your code, make the right config, click View >> disassemble to see the disassembly.

    MDTWriter.rar
  • Holtek disassembler
  • OTP and BIN format support

    Support symbol configuration, use default Symbol.ini or your diy symbols.

    Holtek_DeASM.rar
  • Elan Microcontroller EMC disassembler
  • W32Dasm 9.0 Version
  • In 9.0B version :
    - Doesn't hang anymore when we open packed appz.
    - Doesn't need anymore to change PE header to E0000020 in order to be able to be disassembled.
    - It now can show All string_ref from VB, VC, and Delphi appz (Best feature).
    The bad thing it's only available in Chinesse language.
    Translated all menus language to English!!!!
    (using Resource tuner, crack provided by UCEC & UCDV. ).

    W32Dasm9b.rar

 

A disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler. A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language. Disassembly, the output of a disassembler, is often formatted for human-readability rather than suitability for input to an assembler, making it principally a reverse-engineering tool.

Assembly language source code generally permits the use of constants and programmer comments. These are usually removed from the assembled machine code by the assembler. If so, a disassembler operating on the machine code would produce disassembly lacking these constants and comments; the disassembled output becomes more difficult for a human to interpret than the original annotated source code. Some disassemblers make use of the symbolic debugging information present in object files such as ELF. The Interactive Disassembler allow the human user to make up mnemonic symbols for values or regions of code in an interactive session: human insight applied to the disassembly process often parallels human creativity in the code writing process.

Disassembly is not an exact science: on CISC platforms with variable-width instructions, or in the presence of self-modifying code, it is possible for a single program to have two or more reasonable disassemblies. Determining which instructions would actually be encountered during a run of the program reduces to the proven-unsolvable halting problem.

Writing a disassembler which produces code which, when assembled, produces exactly the original binary is possible; however, there are often differences. This poses demands on the expressivity of the assembler. For example, an x86 assembler takes an arbitrary choice between two binary codes for something as simple as "MOV AX,BX". If the original code uses the other choice, the original code simply cannot be reproduced at any given point in time. However, even when a fully correct disassembly is produced, problems remain if the program requires modification. For example, the same machine language jump instruction can be generated by assembly code to jump to a specified location (for example, to execute specific code), or to jump to a specified number of bytes (for example, to skip over an unwanted branch). A disassembler cannot know what is intended, and may use either syntax, generating a disassembly which reproduces the original binary[citation needed]. However, if a programmer wants to add instructions between the jump instruction and its destination, it is necessary to understand the program's operation to determine whether the jump should be absolute or relative, i.e., whether its destination should remain at a fixed location, or be moved so as to skip both the original and added instructions.

 

Examples of disassemblers

A disassembler may be stand-alone or interactive. A stand-alone disassembler, when executed, generates an assembly language file which can be examined; an interactive one shows the effect of any change the user makes immediately. For example, the disassembler may initially not know that a section of the program is actually code, and treat it as data; if the user specifies that it is code, the resulting disassembled code is shown immediately, allowing the user to examine it and take further action during the same run.
Any interactive debugger will include some way of viewing the disassembly of the program being debugged. Often, the same disassembly tool will be packaged as a standalone disassembler distributed along with the debugger. For example, objdump, part of GNU Binutils, is related to the interactive debugger gdb.

IDA
OllyDbg is a 32-bit assembler level analysing debugger
OLIVER and SIMON include disassemblers for Assembler, COBOL, and PL/1

 

 

Decompiler

A decompiler is a computer program that performs the reverse operation to that of a compiler. That is, it translates program code at a relatively low level of abstraction (usually designed to be computer readable rather than human readable) into a form having a higher level of abstraction (usually designed to be human readable). Decompilers usually do not perfectly reconstruct the original source code, and can vary widely in the intelligibility of their outputs. Nonetheless, decompilers remain an important tool in software reverse engineering.

The term decompiler is most commonly applied to a program which translates executable programs (the output from a compiler) into source code in a (relatively) high level language which, when compiled, will produce an executable whose behavior is the same as the original executable program. By comparison, a disassembler translates an executable program into assembly language (and an assembler could be used to assemble it back into an executable program).
Decompilation is the act of using a decompiler, although the term can also refer to the output of a decompiler. It can be used for the recovery of lost source code, and is also useful in some cases for computer security, interoperability and error correction.[1][unreliable source] The success of decompilation depends on the amount of information present in the code being decompiled and the sophistication of the analysis performed on it. The bytecode formats used by many virtual machines (such as the Java Virtual Machine or the .NET Framework Common Language Runtime) often include extensive metadata and high-level features that make decompilation quite feasible. The presence of debug data can make it possible to reproduce the original variable and structure names and even the line numbers. Machine language without such metadata or debug data is much harder to decompile.[2]
Some compilers and post-compilation tools produce obfuscated code (that is, they attempt to produce output that is very difficult to decompile). This is done to make it more difficult to reverse engineer the executable.

 

Design

Decompilers can be thought of as composed of a series of phases each of which contributes specific aspects of the overall decompilation process.

 

Loader

The first decompilation phase loads and parses the input machine code or intermediate language program's binary file format. It should be able to discover basic facts about the input program, such as the architecture (Pentium, PowerPC, etc.) and the entry point. In many cases, it should be able to find the equivalent of the main function of a C program, which is the start of the user written code. This excludes the runtime initialization code, which should not be decompiled if possible. If available the symbol tables and debug data are also loaded. The front end may be able to identify the libraries used even if they are linked with the code, this will provide library interfaces. If it can determine the compiler or compilers used it may provide useful information in identifying code idioms.

 

Disassembly

The next logical phase is the disassembly of machine code instructions into a machine independent intermediate representation (IR). For example, the Pentium machine instruction
mov eax, [ebx+0x04]
might be translated to the IR
eax := m[ebx+4];

 

Idioms

Idiomatic machine code sequences are sequences of code whose combined semantics is not immediately apparent from the instructions' individual semantics. Either as part of the disassembly phase, or as part of later analyses, these idiomatic sequences need to be translated into known equivalent IR. For example, the x86 assembly code:
cdq eax ; edx is set to the sign-extension of eax
xor eax, edx
sub eax, edx
could be translated to
eax := abs(eax);
Some idiomatic sequences are machine independent; some involve only one instruction. For example, xor eax, eax clears the eax register (sets it to zero). This can be implemented with a machine independent simplification rule, such as a xor a = 0.
In general, it is best to delay detection of idiomatic sequences if possible, to later stages that are less affected by instruction ordering. For example, the instruction scheduling phase of a compiler may insert other instructions into an idiomatic sequence, or change the ordering of instructions in the sequence. A pattern matching process in the disassembly phase would probably not recognize the altered pattern. Later phases group instruction expressions into more complex expressions, and modify them into a canonical (standardized) form, making it more likely that even the altered idiom will match a higher level pattern later in the decompilation.
It is particularly important to recognize the compiler idioms for subroutine calls, exception handling, and switch statements. Some languages also have extensive support for strings or long integers.

 

Program analysis

Various program analyses can be applied to the IR. In particular, expression propagation combines the semantics of several instructions into more complex expressions. For example,
mov eax,[ebx+0x04]
add eax,[ebx+0x08]
sub [ebx+0x0C],eax

could result in the following IR after expression propagation:
m[ebx+12] := m[ebx+12] - (m[ebx+4] + m[ebx+8]);

The resulting expression is more like high level language, and has also eliminated the use of the machine register eax . Later analyses may eliminate the ebx register.

 

Data flow analysis

The places where register contents are defined and used must be traced using data flow analysis. The same analysis can be applied to locations that are used for temporaries and local data. A different name can then be formed for each such connected set of value definitions and uses. It is possible that the same local variable location was used for more than one variable in different parts of the original program. Even worse it is possible for the data flow analysis to identify a path whereby a value may flow between two such uses even though it would never actually happen or matter in reality. This may in bad cases lead to needing to define a location as a union of types. The decompiler may allow the user to explicitly break such unnatural dependencies which will lead to clearer code. This of course means a variable is potentially used without being initialized and so indicates a problem in the original program.

 

Type analysis

A good machine code decompiler will perform type analysis. Here, the way registers or memory locations are used result in constraints on the possible type of the location. For example, an and instruction implies that the operand is an integer; programs do not use such an operation on floating point values (except in special library code) or on pointers. An add instruction results in three constraints, since the operands may be both integer, or one integer and one pointer (with integer and pointer results respectively; the third constraint comes from the ordering of the two operands when the types are different).

Various high level expressions can be recognized which trigger recognition of structures or arrays. However, it is difficult to distinguish many of the possibilities, because of the freedom that machine code or even some high level languages such as C allow with casts and pointer arithmetic.

The example from the previous section could result in the following high level code:
struct T1 *ebx;
struct T1 {
int v0004;
int v0008;
int v000C;
};
ebx->v000C -= ebx->v0004 + ebx->v0008;

 

Structuring

The penultimate decompilation phase involves structuring of the IR into higher level constructs such as while loops and if/then/else conditional statements. For example, the machine code
xor eax, eax
l0002:
or ebx, ebx
jge l0003
add eax,[ebx]
mov ebx,[ebx+0x4]
jmp l0002
l0003:
mov [0x10040000],eax
could be translated into:
eax = 0;
while (ebx < 0) {
eax += ebx->v0000;
ebx = ebx->v0004;
}
v10040000 = eax;

Unstructured code is more difficult to translate into structured code than already structured code. Solutions include replicating some code, or adding boolean variables.

 

Code generation

The final phase is the generation of the high level code in the back end of the decompiler. Just as a compiler may have several back ends for generating machine code for different architectures, a decompiler may have several back ends for generating high level code in different high level languages.

Just before code generation, it may be desirable to allow an interactive editing of the IR, perhaps using some form of graphical user interface. This would allow the user to enter comments, and non-generic variable and function names. However, these are almost as easily entered in a post decompilation edit. The user may want to change structural aspects, such as converting a while loop to a for loop. These are less readily modified with a simple text editor, although source code refactoring tools may assist with this process. The user may need to enter information that failed to be identified during the type analysis phase, e.g. modifying a memory expression to an array or structure expression. Finally, incorrect IR may need to be corrected, or changes made to cause the output code to be more readable.

General Questions About Microcontroller Firmware Extraction


  • Is it safe to send payment to MikaTech ?

    If MikaTech was a bad company, you could find tons of bad reputations about its service on the internet over the 28 years history

    So, the answer is YES! We are good people.

    Why choose Mikatech, please click here to find out


  • Can Mikatech break ics not listed on this site ?

    Different chip manufacturers have different part numbers, but the inner core of the chip can be make with same technology, it would be quite impossible to list all the part numbers where our technology can apply such as MYSON, STK, FEELING, ANALOG, FUJITSU, NOVATEK, LG/HYNDAI.

    Also by the advancing of the technology, everyday we gain more and more experience and develope new methods for reverse engineering for different Intergated Circuit parts. Full list of Integrated Circuit part numbers which is within our scope of capability is always getting bigger, please contact us to find out.

  • Will my privacy be protected ?

    Mikatech Innovative Limited understands the importance of its clients' privacy. At the moment you contact Mikatech, the personal information from you will be put under protection by our management regulations which was developed by our years of practice, Mikatech uses these information to customize its service to you, it will never disclose these information to third party out of any reason.
    Every project we did, we will delete all the data, materials, and codes 60days after deliverig the files, it iwll protect us and protect your privacy.

  • Is it legal to get service from Mikatech ?

    Yes, it is totally legal.
    Mikatech deliver its reverse engineering services for educational purposes only, it can be illegal to use above mentioned services in some coutries or regions, please check your local laws. Mikatech does not take any responsibility in relation to the use of above mentioned services that may be considered illegal.


    The Legality of Microcontroller Reverse Engineering

    The legality of microcontroller reverse engineering is not a binary matter; it is heavily context-dependent and differs substantially across legal jurisdictions. The crux of the issue hinges on two critical factors: the purpose of the reverse engineering activity and the type of information or content being extracted during the process.

    The following analysis elaborates on the core legal considerations governing microcontroller reverse engineering worldwide:

    1. Primacy of the Intended Purpose

    Interoperability and Security Research Purposes: Most major jurisdictions, including the United States and the European Union, have established statutory exceptions for reverse engineering conducted to enable interoperability with independently developed software or to conduct legitimate security assessment and testing. Such practices are generally deemed legally permissible.

    Commercial Exploitation and Infringing Replication: Reverse engineering undertaken to extract, replicate, and repurpose proprietary binary firmware from microcontrollers for the development, production, or sale of competing commercial products is overwhelmingly illegal. This conduct constitutes a direct violation of prevailing copyright laws across most regions.

    2. Copyright Infringement Risks for Embedded Software

    The primary legal liability associated with microcontroller reverse engineering stems from the embedded software stored within the chip. Judicial rulings in numerous countries have confirmed that on-chip binary code qualifies as computer software and is therefore entitled to full copyright protection.

    Reverse engineering a microcontroller to extract its proprietary binary code, followed by unauthorized replication, appropriation, or commercial distribution of that code, constitutes explicit copyright infringement. This remains the foundational legal violation in the majority of recent criminal and civil enforcement cases involving chip reverse engineering.

    3. Regional Legal Regulatory Frameworks

    United States

    Legality in the U.S. is regulated by federal copyright law and the Digital Millennium Copyright Act (DMCA). Notably, Section 1201 of the DMCA sets forth strict anti-circumvention provisions, which criminalize the circumvention of technological protection measures (such as encryption protocols) that restrict access to copyright-protected works.

    While the DMCA carves out limited exceptions for legitimate reverse engineering, encryption research, and cybersecurity testing, these exemptions are narrowly defined and strictly interpreted. Strict legal compliance is mandatory for any related technical activities.

    European Union

    The EU Software Directive provides the unified regulatory framework for reverse engineering practices within member states. Decompilation (a core form of reverse engineering) is legally permitted solely to achieve interoperability with independently created software programs.

    The EU regulatory regime is highly restrictive: it explicitly prohibits secondary-stage reverse engineering activities conducted for all non-exempt purposes, limiting lawful reverse engineering to extremely specific scenarios.

    China

    China’s legal position on reverse engineering is nuanced and has been further clarified by recent judicial interpretations and landmark court rulings. The Supreme People’s Court has formally recognized reverse engineering as a legitimate technical method in itself.

    However, the legitimacy of the technical method does not equate to immunity from intellectual property infringement liabilities. As exemplified by rulings from the Ningbo Beilun District People’s Court and multiple subsequent judicial cases, conducting reverse engineering to extract a microcontroller’s core proprietary program for commercial replication and exploitation constitutes a criminal offense. This judicial principle has been consistently upheld in Chinese judicial practice.

    4. Trade Secrets and Contractual Restrictions

    Trade Secret Protection: Core design parameters and manufacturing specifications of microcontrollers are legally recognizable trade secrets. While reverse engineering lawfully acquired commercial products is generally considered a legitimate means of discovering trade secret information, this exception does not authorize the unauthorized replication of embedded software or the physical circuit layout of microcontroller chips.

    Contractual Obligations: End-User License Agreements (EULAs) and other binding contractual terms routinely include explicit clauses prohibiting reverse engineering. Any violation of these contractual provisions may result in civil liability for breach of contract, independent of copyright or trade secret laws.

  • I sent you an email, why there is no answer ?

    • A. Our mail server is temperally broke down, your message has not been delivered to our mailbox even the mail sent successfully message is showed on the screen, please contact us again.
    • B. Our email is recognised as junk mail email by your mail server, so our reply has been rejected by your mail server or it is diverted to your junk mailbox, please remove our account from junkmail list or check your junk mailbox, or use another email account to contact such as gmail.
    • C. Your email is recognised as junk mail email by our mail server, so your email was put to our junk mailbox, please use another email account to contact us again.

    microcontroller_hack_time

    Years

    28 +
    microcontroller hack countries

    Countries

    110 +
    microcontroller attack clients

    Clients

    5000 +
    microcontroller projects unlocked

    Projects

    60000 +