EEPROM Write Limitation Questions ?
Bean
Posts: 8,129
Let's say you continuously wrote to a certain EEPROM location (let's say address 100).
When the EEPROM "wears out" does it ONLY affect that location ? Or does it affect a "block" of memory locations ?
Also if you continuously wrote the same exact value every time would the location still "wear out" ? Must a bit change value for the "wear out" to occur ? Does it "wear out" if the value written is always zero ? How about if it's always $FF ?
When a locations "wears out" does it always read zero ? Or does it read as random data ?
Sorry about so many questions, I want to do something tricky with an EEPROM...
Bean.
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
Cheap used 4-digit LED display with driver IC·www.hc4led.com
Low power SD Data Logger www.sddatalogger.com
SX-Video Display Modules www.sxvm.com
Stuff I'm selling on ebay http://search.ebay.com/_W0QQsassZhittconsultingQQhtZ-1
"USA Today has come out with a new survey - apparently, three out of every four people make up 75% of the population." - David Letterman
When the EEPROM "wears out" does it ONLY affect that location ? Or does it affect a "block" of memory locations ?
Also if you continuously wrote the same exact value every time would the location still "wear out" ? Must a bit change value for the "wear out" to occur ? Does it "wear out" if the value written is always zero ? How about if it's always $FF ?
When a locations "wears out" does it always read zero ? Or does it read as random data ?
Sorry about so many questions, I want to do something tricky with an EEPROM...
Bean.
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
Cheap used 4-digit LED display with driver IC·www.hc4led.com
Low power SD Data Logger www.sddatalogger.com
SX-Video Display Modules www.sxvm.com
Stuff I'm selling on ebay http://search.ebay.com/_W0QQsassZhittconsultingQQhtZ-1
"USA Today has come out with a new survey - apparently, three out of every four people make up 75% of the population." - David Letterman
Comments
Rick
There are ways to 'wear level' by having one byte of RAM point to a series of ROM locations in rotation.· Using two bytes is even better as you get a huge reduction in wear.
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
"If you want more fiber, eat the package.· Not enough?· Eat the manual."········
I WANT to wear out a certain location. I just was wondering how to do it the quickest way, and what it would do when it went bad.
I guess some experiments are in order...
Bean.
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
Cheap used 4-digit LED display with driver IC·www.hc4led.com
Low power SD Data Logger www.sddatalogger.com
SX-Video Display Modules www.sxvm.com
Stuff I'm selling on ebay http://search.ebay.com/_W0QQsassZhittconsultingQQhtZ-1
"USA Today has come out with a new survey - apparently, three out of every four people make up 75% of the population." - David Letterman
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
Chris Savage
Parallax Tech Support
Do I detect a copy protection scheme? Burn out a location and even if the EEPROM is copied, the program won't work because it writes to that location and EXPECTS to read back a different value...
Hmmm...
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
Truly Understand the Fundamentals and the Path will be so much easier...
Bean.
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
Cheap used 4-digit LED display with driver IC·www.hc4led.com
Low power SD Data Logger www.sddatalogger.com
SX-Video Display Modules www.sxvm.com
Stuff I'm selling on ebay http://search.ebay.com/_W0QQsassZhittconsultingQQhtZ-1
"USA Today has come out with a new survey - apparently, three out of every four people make up 75% of the population." - David Letterman
Not to try to render useless or discredit your approach (I think it is a great idea). But to really be effective you would need to do that to multiple locations. Anyone with a BASIC Stamp could just do a RAW copy ignoring the verify, or, better yet, copy in spite of the error or copy the ranges outside the error. Now I can see that if several locations were bad it would be a pain to do the range thing. But a RAW copy using a BASIC Stamp would just write to the target whatever was read not caring if it wrote correctly. Just something to keep in mind. Take care.
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
Chris Savage
Parallax Tech Support
I agree with Chris, multiple locations would be the way to go. If purposefully "damaging" the EEPROM and reading the data back was reliable, that is "reliably damaged". You could be on to something IF somehow the "damaged" EEPROM bits worked as a Key or Mask to be XORed to reconstruct valid data. Since the Stamp is capable of self modifying code, this method if cleverly done, could "dissuade" most hacker attempts.
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
Beau Schwabe
IC Layout Engineer
Parallax, Inc.
Post Edited (Beau Schwabe (Parallax)) : 1/13/2007 6:05:58 AM GMT
Then, if the code had a routine that attempted to toggle the fixed byte location and disabled itself if it was successful in changing that particular byte, then I would think that this could succeed, as long as the hacker who is trying to steal the code isn't smart enough (or doesn't read this thread) to know that a damaged, fixed byte is part of the design of the device.
I have a damaged MMC card that does report an error if I try to reading certain blocks, but as PLJack says, EEPROMs may behave differently from the flash RAM in the MMC card.
David
I don't know much about copy protection but........
It would seem to me IF you suspected there was some copy protection scheme implemented in the EEPROM of such product, you would:
1. remove or access the EPROM with out first powering the product up.
2. do a complete copy of the EEPROM AS-IS
3. Erase the EEPROM
4. Then write a known value such as 0 or FF to each location, maybe both.
5. read back the EEPROM and see what was different (not 0 or FF)
6. damage a new EEPROM at the locations and values as discovered in step 5
7. reload the copy of the EEPROM as done in step 2 to the newly damaged EEPROM
8. install the EEPROM and test.
Thus this method of copy protection defeated?
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
Mike
To be honest I don’t know how reliable a read is from the EEPROM bad cell. But assuming it wouldn’t be a problem to copy, which is likely, then couldn’t we assume that the code would test the location to see if it were dead on the destination? IOW, the code wouldn’t allow itself to run if it were able to write to the location that was supposed to be bad. If it returned the value that was there to what it used to be before failing to run, then you wouldn’t necessarily know which location it was trying to do this to. In theory this could be pretty good protection, especially if the source gives a reliable read. I mean, after all, how would you know which location was supposed to be bad?
The answer there again assumes that the person doing the copy knows or suspects that there is this type of protection being implemented. In this case you would backup the source EEPROM, then (admittedly, with a certain risk), do an EEPROM test to detect any bad cells. A non-destructive test would restore each location after the test. Thoughts?
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
Chris Savage
Parallax Tech Support
They damaged some floppy sectors to prevent the floppy from being copied.
With the tools available today I'm not sure how this would work on an EEPROM.
Chris's idea of "good sector" discovery seems like it might work.
Assuming there were lots of bad bytes to test. Not just one or two.
Although, self destructing software is not in the end users best interest.
And would remove the software from any mission critical applications.
On this topic I always seem to fall back on the easter egg code approach.
Add some code that serves no purpose, then when your EEPROM shows up in the wild, take them to court and have them explain to the judge what all that useless code is supposed to do.
Having said all that, its a great problem to solve, looking forward to more in this thread.
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
- - - PLJack - - -
Perfection in design is not achieved when there is nothing left to add.
It is achieved when there is nothing left to take away.
I do recall what you mentioned…That type of protection is still in use today on CD-ROM Media. And it’s pretty effective since the software running only accesses the data it needs. There are two forms of it I am familiar with. The first relies on the hard error on the media. In this case the software never accesses that part of the media so there is no problem. However, when the disc copier tries to create a copy it reads the entire CD in a linear fashion eventually hitting the error and failing.
The second form actually relies on a specific type of error existing on the media which cannot be duplicated by the copier. The software then looks for this specific error on its media and when it cannot find it, it fails to run, or, in the case of an old Lucas Film game takes your character to jail and preaches about copyright infringement. I must admit that in this day and age your approach seems more “modern” in approach. It does rely on the necessity of the copier to attempt illegal distribution of the information to be caught. A lot of good ideas have been shared here. Very interesting conversation. Take care.
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
Chris Savage
Parallax Tech Support
A VERY interesting idea. Don Galloway, inventor of the computer Dongle would be proud of you.
I'd do some trials though...
Some time ago, I seem to have destroyed a byte on a BS2p on-board EEprom by continuously writing to one group of bytes. Trouble is that the damaged byte wasn’t the same as the one I was writing to!!! It’s the same location, but on a different page. I assumed that only one bit was damaged because garbage was retrieved from that byte but the garbage you retrieved was the same if you stored the same byte.
But then the EEprom may just have been damaged by static or some other cause... Who is to know?
Kind regards from Africa, the continent where our memory is short anyway.
John Bond
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
Interestingly enough, that approach is the result of 6 months of researching "anti-theft" techniques for my PC software.
I looked at all of them. All of them a pain in the butt for either me or my users. All of them crackable.
Even spent a month designing my own "security through obscurity" custom protection.
In the end its all Smile and just adds more complexity to the design.
After all that I decided the best approach was a simple user key and pepper the code with trace DNA.
Even the simplest protection will deter 85% of the hackers.
But that is the PC world. In the Eeprom world is seems your only left with trace code.
Or software specifically designed to fail. That's the part I'm not willing to do. Call me old fashioned but it would physically hurt me to design code like that. You just know the "fail now" code is going to come back and bite you.
All that aside the "good sector discovery" seems the only hardware solution so far. Again, anyone worth their salt could crack the protection. Maybe encapsulation would be enough of a determent for most.
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
- - - PLJack - - -
Perfection in design is not achieved when there is nothing left to add.
It is achieved when there is nothing left to take away.
Our experience with your suggestion is that on the affected page (block), the most significant bit on most (but not all) bytes got stuck to a one, as well as bit 4 on some of the bytes.
All in all not very predictable or reliable, so I don't think this is a good approach for you.
Cheers,
Peter (pjv)
Another post on this forum was on how to measure the speed on the little Deutz 3 cyl diesel engine so when I spotted a brand new 6 cyl “Deutz” at a local auction house, I went to have a good look at it. This engine was an exact replica of the Deutz except for the injectors, pump and electrics and was made in (you guessed it) China. Even the Logo had been made to look similar from 3 feet away.
The counterfeit engines sell in South Africa for about 70% of the price of the Genuine product and include other brands like Perkins, ND and Cat. I am told that they are unreliable and have a life of under 2 years. The main advantage to buying these counterfeits rather than the other Chinese “No Name Brand” engines is that spares are readily available from the dealers of the genuine engine…
The point to note here is that the counterfeit product is always inferior. I suppose the old adage applies, “you get what you pay for”.
Kind Regards from Africa...
John Bond
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔