Maker Pro
Maker Pro

Erasing OTP's and EPROMS by heat?

I once heard that if you heat up an EPROM in an oven to a sufficient
extent then the leakage of the cells increase to the point that the
stored charge is discharge and the EPROM is effectively erased. Would
this really work? The reason I need to know is that I just bought 1000
OTP microcontrollers for a very good price from China but every one of
them is already programmed with 00 to FF sequentially for the whole
EPROM space. If I can possible save them, then good but otherwise they
are just rubbish now and I have lost my money :-( The part number is
MC68HC705J1ACP.
 
H

Homer J Simpson

I once heard that if you heat up an EPROM in an oven to a sufficient
extent then the leakage of the cells increase to the point that the
stored charge is discharge and the EPROM is effectively erased. Would
this really work? The reason I need to know is that I just bought 1000
OTP microcontrollers for a very good price from China but every one of
them is already programmed with 00 to FF sequentially for the whole
EPROM space. If I can possible save them, then good but otherwise they
are just rubbish now and I have lost my money :-( The part number is
MC68HC705J1ACP.

They have no windows? Wasn't there a theory that X-Rays would erase them?
You can't add an external ROM?
 
H

Hal Murray

I once heard that if you heat up an EPROM in an oven to a sufficient
extent then the leakage of the cells increase to the point that the
stored charge is discharge and the EPROM is effectively erased. Would
this really work? The reason I need to know is that I just bought 1000
OTP microcontrollers for a very good price from China but every one of
them is already programmed with 00 to FF sequentially for the whole
EPROM space. If I can possible save them, then good but otherwise they
are just rubbish now and I have lost my money :-( The part number is
MC68HC705J1ACP.

My guess is that "I have lost my money", but maybe you can experiment.

Leakage is generally exponential in temperature. At room temperature,
EPROMs last a long time - many years. How hot do you have to get the
chips to leak off in a reasonable time? How hot can you get them
before the plastic turns to mush? Is there any overlap?
 
A

Alan

I once heard that if you heat up an EPROM in an oven to a sufficient
extent then the leakage of the cells increase to the point that the
stored charge is discharge and the EPROM is effectively erased. Would
this really work? The reason I need to know is that I just bought 1000
OTP microcontrollers for a very good price from China but every one of
them is already programmed with 00 to FF sequentially for the whole
EPROM space. If I can possible save them, then good but otherwise they
are just rubbish now and I have lost my money :-( The part number is
MC68HC705J1ACP.

If you're reading 00 to FF sequentially then it seems to me that you
are not actually reading the chip but just the "phantom" data which
corresponds to the bottom byte of the address!

Try programming one and see if it works. It may not verify though if
you cannot read the data.

Alan
 
They have no windows? Wasn't there a theory that X-Rays would erase them?

I investigated this many years ago when I was using a lot of 63701
microcontrollers. I thought of designing a low-cost x-ray source for
erasing one-time programmable devices.

To test the idea I set up a number of eproms in an x-ray machine and
checked the contents regularly as I increased the dose. After a while
the contents were erased. It was even possible to reprogram the chips.

Unfortunately, the memory cells had become permanently leaky, so the
data leaked away after a minute or two.

So yes, it is possible to erase such devices with x-rays, but they may
not be much use afterwards.

I used the lowest energy the x-ray set would deliver, which was 30keV,
and the lowest dose which cleared all memory locations. Ideally, I
would have used an energy of no more than 15keV, just high enough to
get through the package filler material. So it is possible that very
low energy x-rays might work without damaging the devices, but I am not
optimistic.

John
 
M

Mike Harrison

If you're reading 00 to FF sequentially then it seems to me that you
are not actually reading the chip but just the "phantom" data which
corresponds to the bottom byte of the address!

Seems a strange pattern to be programmed into a device...
Is this maybe what they normally read when protection is enabled?
 
E

Eeyore

Mike said:
Seems a strange pattern to be programmed into a device...
Is this maybe what they normally read when protection is enabled?

I recall coming across some 24C02 Eeproms that were so coded at the factory.

Graham
 
This is the entire s-record file I uploaded from one of them.
You can see how it repeats several times over. Definitely not a program
listing.

S1130300000102030405060708090A0B0C0D0E0F71
S1130310101112131415161718191A1B1C1D1E1F61
S1130320202122232425262728292A2B2C2D2E2F51
S1130330303132333435363738393A3B3C3D3E3F41
S1130340404142434445464748494A4B4C4D4E4F31
S1130350505152535455565758595A5B5C5D5E5F21
S1130360606162636465666768696A6B6C6D6E6F11
S1130370707172737475767778797A7B7C7D7E7F01
S1130380808182838485868788898A8B8C8D8E8FF1
S1130390909192939495969798999A9B9C9D9E9FE1
S11303A0A0A1A2A3A4A5A6A7A8A9AAABACADAEAFD1
S11303B0B0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC1
S11303C0C0C1C2C3C4C5C6C7C8C9CACBCCCDCECFB1
S11303D0D0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFA1
S11303E0E0E1E2E3E4E5E6E7E8E9EAEBECEDEEEF91
S11303F0F0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF81
S1130400000102030405060708090A0B0C0D0E0F70
S1130410101112131415161718191A1B1C1D1E1F60
S1130420202122232425262728292A2B2C2D2E2F50
S1130430303132333435363738393A3B3C3D3E3F40
S1130440404142434445464748494A4B4C4D4E4F30
S1130450505152535455565758595A5B5C5D5E5F20
S1130460606162636465666768696A6B6C6D6E6F10
S1130470707172737475767778797A7B7C7D7E7F00
S1130480808182838485868788898A8B8C8D8E8FF0
S1130490909192939495969798999A9B9C9D9E9FE0
S11304A0A0A1A2A3A4A5A6A7A8A9AAABACADAEAFD0
S11304B0B0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0
S11304C0C0C1C2C3C4C5C6C7C8C9CACBCCCDCECFB0
S11304D0D0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFA0
S11304E0E0E1E2E3E4E5E6E7E8E9EAEBECEDEEEF90
S11304F0F0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF80
S1130500000102030405060708090A0B0C0D0E0F6F
S1130510101112131415161718191A1B1C1D1E1F5F
S1130520202122232425262728292A2B2C2D2E2F4F
S1130530303132333435363738393A3B3C3D3E3F3F
S1130540404142434445464748494A4B4C4D4E4F2F
S1130550505152535455565758595A5B5C5D5E5F1F
S1130560606162636465666768696A6B6C6D6E6F0F
S1130570707172737475767778797A7B7C7D7E7FFF
S1130580808182838485868788898A8B8C8D8E8FEF
S1130590909192939495969798999A9B9C9D9E9FDF
S11305A0A0A1A2A3A4A5A6A7A8A9AAABACADAEAFCF
S11305B0B0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFBF
S11305C0C0C1C2C3C4C5C6C7C8C9CACBCCCDCECFAF
S11305D0D0D1D2D3D4D5D6D7D8D9DADBDCDDDEDF9F
S11305E0E0E1E2E3E4E5E6E7E8E9EAEBECEDEEEF8F
S11305F0F0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF7F
S1130600000102030405060708090A0B0C0D0E0F6E
S1130610101112131415161718191A1B1C1D1E1F5E
S1130620202122232425262728292A2B2C2D2E2F4E
S1130630303132333435363738393A3B3C3D3E3F3E
S1130640404142434445464748494A4B4C4D4E4F2E
S1130650505152535455565758595A5B5C5D5E5F1E
S1130660606162636465666768696A6B6C6D6E6F0E
S1130670707172737475767778797A7B7C7D7E7FFE
S1130680808182838485868788898A8B8C8D8E8FEE
S1130690909192939495969798999A9B9C9D9E9FDE
S11306A0A0A1A2A3A4A5A6A7A8A9AAABACADAEAFCE
S11306B0B0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFBE
S11306C0C0C1C2C3C4C5C6C7C8C9CACBCCCDCECFAE
S11306D0D0D1D2D3D4D5D6D7D8D9DADBDCDDDEDF9E
S11306E0E0E1E2E3E4E5E6E7E8E9EAEBECEDEEEF8E
S11306F0F0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF7E
S1130700000102030405060708090A0B0C0D0E0F6D
S1130710101112131415161718191A1B1C1D1E1F5D
S1130720202122232425262728292A2B2C2D2E2F4D
S1130730303132333435363738393A3B3C3D3E3F3D
S1130740404142434445464748494A4B4C4D4E4F2D
S1130750505152535455565758595A5B5C5D5E5F1D
S1130760606162636465666768696A6B6C6D6E6F0D
S1130770707172737475767778797A7B7C7D7E7FFD
S1130780808182838485868788898A8B8C8D8E8FED
S1130790909192939495969798999A9B9C9D9E9FDD
S11307A0A0A1A2A3A4A5A6A7A8A9AAABACADAEAFCD
S11307B0B0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFBD
S11307C0C0C1C2C3C4C5C6C7C8C9CACBCCCDCECFAD
S11207F1F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF6D
 
Mike said:
Seems a strange pattern to be programmed into a device...
Is this maybe what they normally read when protection is enabled?

Update --> Dang! You are dead right. I just went and got a known good
one that has the security bit set and it read out =exactly= *verbatim*
the same as the bad ones.
 
N

nermal

Interesting: I tried zapping a bunch (with windows) at 60 KV @ 10 mA for
about 60 minutes but with no effect. These were '2716' series.
 
D

Dave (from the UK)

Mike said:
Seems a strange pattern to be programmed into a device...
Is this maybe what they normally read when protection is enabled?

AFAIK you can't protect an EPROM - it must be possible to read every
memory location - otherwise what use would they be? A PIC is very
different, since you don't need to be able to read them to use them. But
an EPROM ...

--
Dave (from the UK)

Please note my email address changes periodically to avoid spam.
It is always of the form: [email protected]
Hitting reply will work for a few months only - later set it manually.

http://witm.sourceforge.net/ (Web based Mathematica front end)
 
H

Homer J Simpson

AFAIK you can't protect an EPROM - it must be possible to read every
memory location - otherwise what use would they be? A PIC is very
different, since you don't need to be able to read them to use them. But
an EPROM ...

These were OTPs . . . . .

--
..
..
..
..
..
..
..
..


.......
 
nermal said:
Interesting: I tried zapping a bunch (with windows) at 60 KV @ 10 mA for
about 60 minutes but with no effect. These were '2716' series.
How far from the target? I had mine a few cm away in a microfocal
system and I think it took around 20 or 30 minutes to erase/destroy
them. I can't remember the exact details as this was around 20 years
ago - although I may still have my lab notebook from then.

It may be that at 60keV there is much less interaction with the silicon
- the x-rays don't do much if they are passing straight through.

John
 
N

nermal

I chose 60 kV since the die and die attach material were visible on
film. I placed the UVEPROMs on the top shelf, about 12 inches from the
target. I chose 60 - 90 minutes since that was > 10 times the exposure
needed to produce a good quality result on Polaroid type 55 film.

I also used a black light (blue ray) UV source with the windows about 8
inches from the source (in the most intense spot). About 20 minutes the
data was unreadable. The EPROM would not take a new program. It took
only 4 minutes inside the commercial eraser. The EPROM could then be
programmed.

I am not sure if the long wave UV completely erased all cells and
prevented a rewrite. All of the devices that went through the near and
far UV could be reprogrammed (if none of the traces were blown during
initial programming or in the system).

I used to have a lot of these devices to work with. The main problem
was that project used two or more of these devices in a system. After
programming the wrong label was applied. People on project did not know
how to read out the check sum (or that there was such a thing).

Another problem: the home brew programmer often applied +15 or more to
the enable pin during programming. It was easy to diagnose since the
blown bond wires and traces were visible through he window.

The populated PC boards went through a bed-of-nails test called a "fault
finder" (I never saw the beast). The program often caused good parts to
go bad. On one occasion it actually wrote data into the '2716' (we only
use the lower 8k for data). It was a real suprise when I saw data on
the upper 8k. The 'fault finder' also used to blow traces on the some of
the CMOS parts (it would drive the inputs negative with respect to GND
to check for opens). The RCA parts at the time could take >>>100 mA in
this direction, the competition could only take about 100 mA. The 'fault
finder' was programmed to only put out 10 mA but just before it was
scrapped a defect was found that caused it to sometimes produce 1A
pulses.
 
Top