Reverse engineering microcontrollers WITHOUT a datasheet

Andrew Tierney 09 Feb 2018

There have been countless times when I’ve needed to reverse engineer something complex like a microcontroller, and it turned out that no public datasheet exists. I guess you could argue that the lack of obvious publicly available information is a sort of security-through-obscurity, but whatever the reason, it shouldn’t defeat you.

The point is that if you need to reverse engineer a complex processor in LBGA256 on an 8-layer board that you only have one of, that datasheet is going to be very helpful.

Where do you start?

For this I’ll be discussing a specific device – the ST SPC58EC80 in TQFP64. It’s a great example as it’s complex, and more importantly I’ve become familiar with it through working on it in the past.

Find public documents

From the off I know there is a “data brief” available from the website (link opens PDF). It contains specs and other bits and bobs, but as it’s essentially a marketing document there’s not much of use to me:

Ask nicely

If rooting around the internet doesn’t help, ask the manufacturer directly, like this:

BTW I didn’t write “Most urgently”, they seem to have a thing for editing posted queries.

Anyway, they responded within a week to say “i will forward your request to the Marketing guys.” As this wasn’t my first rodeo, I knew it actually meant “We’re not going to give them to you”. Interestingly, when someone else asked, they got directed to the wrong resource.

Explore related resources and be a detective

It’s now time to get creative. If you can’t get exactly what you need, try the next best thing and start to piece things together. I started by downloading the IDE – SPC5-STUDIO. The IDEs for many processors are free, but sometimes limited:

In this case I got lucky: the SPC5-STUDIO has a “pin wizard” letting you see the pin-outs.

Even if it didn’t have pinouts, the HAL/BSP would provide a lot of clues as to what the pins do. The IDE doesn’t have support for it though, so I went back to the forum.

…and got this reply:

As I didn’t get a reply I’m guessing that the marketing guys weren’t OK with it.

More digging

It’s quite common for processors in the same product line and package to share pin-outs, so spread your search wider. In this case I turned up this product line PDF:

Unfortunately there are no datasheets available for these either.

Development boards

What’s the next thing to look at? Development boards! After more digging I found this PDF:

The board on the right is interesting: it’s TQFP64, like the chip we are looking at. Here’s a close-up of the SPC582B-DIS:

Now we can look for that, and find this goldmine, loaded with schematics and layout.

So, now that we have the layout and schematic of the dev board we can quickly see which pins are JTAG. OK, it’s not 100% but we can be fairly sure:

Oddly, there is an error in the manual. It says TDI is 38 – it’s 39:

So rather than having to JTAGulate 32-odd pins on the device, we know which pins they are.

One other trick

IDEs often download support for given processors on-the-fly. Intercept the comms, try a bit of forced browsing or hope for open directory listings…

Hope that gives you some ideas for how to find things!