The basics of electronic security bypassing

By on July 2, 2015







Enter into the deep of the world of binaries – well come to my kingdom

Hi everybody, today I will bring some mysterious things to the shining sunny day for you, and give to you a little homework too. I know, in most of case people, no matter young or old like stuff like this. I will introduce through this tutorial, some very basic things about software code, how data are stored in the software, firmware, eeprom and what kind of tools I use to enter into this world. Remember, this is really; basic stuff and I try to write on a human language, not on a language of experts.

Let’s start, all of you got into a situation to use some device with a code or some other stuff what are use some additional information for his operation. Some of as are repair daily electronic equipments of this type. In most of time, we have to decode something, crack the code of a faulty TV device, pin code, and make some settings in the eeprom to an oven for ceramics because the user need higher temp as it is possible to set on the panel.

In most of case, all the data are stored in eeproms, which can be separate on the pcb or inside of the cpu.

Let’s make things clear, the eeprom is a device where are stored preset data of the device. The cpu is the place where are the firmware, or you can say there are the operating system of that device like on the PC the Windows, Linux, Unix etc. and the eeprom is the registry database like on Windows OS or some ini file with the settings on that device.

Time to time people ask me how can I find or know the code for some device or software.
From my side, I never have to know the code. Let us think about. Why should we know a code for entering into a restricted area? What is our mission on that area?
To know the code or to make some setup? Think about that for a minute…

I mean, before you make the first step to decode something or change some setup in a hex editor, you have to know what you wish to happened and calculate your time consumption, tools what you have to use and what method of decoding you have to use in your situation.
I don’t need a key for my house door to enter into my house. I can maybe go into the house through a forgotten or a bad closing window. This is so called software BUG.
Are you know what I mean?

Here is a situation what I prepared for all of you. This is a really simply thing but I hope it will help all of you understand the basic of the cpu firmware works and how to override the mystery.

I wrote simple software. It is working in Windows environment. The software asks you for a username and a password. This can be a car radio code too, but you don’t know all that. What would you do to bypass the restriction?

Here is how I prepare myself to do think like this:

I always make a backup of the original software. Check on what kind of cpu it works and what kind of operating system it need to run. In this case, this is software with the name CrackMe.exe and it runs on PC on a Windows environment. You can download it from here:
Now I make a decision what tool should I use, I always use my favorite tools.

– OllyDdbg
– IDA Pro
– HxD Hexeditor
-HIEW Hackers Eye View

is practically an assembler level analysis tool. It is very useful when no source code available.

software basic

IDA Pro is a very helpful disassemble tool. I use the implemented function like the graphics analyzer and other functions what comes later to the table.


HxD Hexeditor is a simple but powerful hex editor. I use it to quick analyze the targeted software, reading the header of the software or maybe to change some bytes if it is needed. With this peace software it is possible to write the new code to the bin file of the eeprom of the car radio, which is code protected.


HIEW Hackers Eye View is an old software but my favorite one. Runs on a minimum PC configuration, on MS-DOS operating system even from a floppy too. It is a disassembly, hex editor, text editor. Very powerful.


Let’s start and get the access to CrackME software.
You maybe need the Vbrun60.exe runtime library to run the CrackMe.exe.
Download from here:

Here is the picture of the software what I wrote to practice:


The left pic is the main frame what is appearing when you start the CrackMe.exe.
The right pic is the message what you get if you click on the “LOGIN” button on the left side pic. After you press the “OK” button on the right pic, you go back to the main screen of the app or the app quits.

So, can you see some strange problem with the app?

Lets say, your device what you have to recode or crack have a display.
You should put a code or whatever for login or entering in some menu or whatever. In most key you got a message about a wrong input.
This message of wrong inserted login information is in most case the key to crack the app or the device.

Because, after you don this few steps with the app, you got some knowledge how the app works, where is the main part of the app which you have to entering and you got the message in human readable format which in our case is: “You Failed man!…”

In most case, the very basic structure of an app is like this:

software6Think about for a minute, what should we do when we disassemble the firmware/app?

  1. search for a user name and code?
  2. make a simple jumper to reach the part of the program what we need?
  3. rewrite a part of the program to overcome the security part?
  4. Or should we do other possibilities? If you have any other idea its ok…

First I look inside the firmware/eeprom dump or app for any readable strings which could give me maybe the username and password/code.

Open IDA Pro, which you can download from:
Drag and drop the CrackMe.exe to the disassemble area where the text is standing:


After this operation IDA Pro will ask for some settings, just press OK.


In this tab are the strings collected. Maybe you can find some interesting words, which can indicate the possibility of the user name and password or the code of the login section on the device.

In this case, there are no data for as.Go back and continue analyzing the data on the “IDA View-A” tab.


What have we now, we can see now the whole stuff of the programmed code of the CrackMe.exe in assembly language.
Do not pay attention to this. Just try to find the word ” You Failed man! Try again”
by the search function or scrolling down.
This text is the text what we are got from the CrackMe.exe when we put an incorrect username and pass and pres the “LOGIN” button.

Press the ALT+T or in the menu click on SEARCH then on TEXT…


Write in the “String” field the text “You Failed man! Try again”, click on “Find all occurrences” and press “OK”.

We are interested on the second line of the result, because there you can see some programming instructions “mov dword ptr…”. We have a starting address where this program is starting to running: 0041E793. So, now double click on this line and you will be directly dropped to the address line 0041E793 with the program instructions stuff.

Here we can see the program instructions which is triggered if a wrong login was made. But! the cpu is landing on this program line because of an instruction before told them to do so. Therefore, we have to find that instruction which triggered the cpu to do so. The same thing is going on if you analyze a firmware of car audio/video equipment or as a told before an oven, which has reached his max preset heating setup or whatever…

Let us see who is the man who told the cpu he should give as a message about a wrong login and not to let as in the program.


On this line, you can see the magic triggers who decide, should we access the whole program or should we be refused. Can you see the command “JZ” on the right side of the address 0041E735? That is our magic man. The JZ means if something is not equal then go to address 0041E78A. I our case, if you check what is after the 0041E78A address then you can see there is the text “You failed man!…”.

IDA Pro show as a several usable infos:
Watch on the left side of the picture, the red dotted line-arrow which shows the program will continue on the line 0041E78A and will not execute the program between the lines 0041E737 and 0041E785, where are our “Congratulation ! You cracked ME! 🙂”  text stand what wee need. J

Ok, now we found the security mechanism in the program CrackMe.exe. The same stuff is working on other programs or equipment ( of course not exactly in the same way as in my CrackMe.exe program ). You can read out the firmware from the device cpu which you have to decode and find a right software like IDA Pro but for your type of cpu let say it is a Motorola or a NEC or whatever, and lets play with it…

Now, our next step is to change something somewhere in a direction does the CrackMe.exe let as into after the login button is pressed.
In other word, if your car radio searching for a code let modify the firmware so in a way does they newer search for a code or let you enter any wrong code and they accept them.

Write down the starting address line where you whish to enter into.
It is the line where the JZ command stand, can you remember? JZ is the security guard and he will let as in or not. J

That address is 0041E735 write down ore remember it.

Now is the time to open the program HIEW Hackers Eye View. You can download it from here:

Open HIEW and load into the CrackME.exe like on this pic.


Now press F4 on your keyboard and select DECODE option.
You should get a screen like this:


This is similar to IDA Pro content, is it?

Press F5 to go to the desired address, which in our case is 0041E735,
Be careful with the address. It must be the address 0041E735 and you have to write or copy paste it like this: .0041E735 with the dot in front of the first zero.
Can you see now the JZ again? It is the same as in IDA Pro.
Press F3 to edit the CrackMe.exe
Press F2 to open the windows where you can input the new instruction and tell the CPU to resign the JZ worker. Here is the picture it should be on your screen after pressing F2.



Before the number 90 was 74 at the same place in the exe file. Remember now the number 90. We will use them later in the hex editor.

Press the F9 to update the new code and press F10 to quit from HIEW.
NOP is an instruction for No Operation. We changed the program instruction from a comparing instruction to do nothing. Now the cpu will not compare what we fill in the login field but after the pressed login button they will continue to execute every line after the NOP operation.
Let’s start the newly modified app CrackMe.exe to see what it will do:

software 18

Here is the result.
You can play with different type of modification to overcome the security let say you can try to send the cpu from the address 0041E735 to the address 0041E737, or you can find the right username and pass too. Who knows, maybe this technique works too… let you a try. J

The code can be stored in the database too or in the eeprom but the JZ or similar instruction will compare the input and the stored data. If you have a device with an eeprom give you a try, backup the content and erase the whole eeprom. Some device will reset itself to a factory default state. Other device will give you an error no, which is a similar thing like the CrackMe.exe and his message of failure…
Let’s see if the CrackMe.exe is a car radio which one is coded.

From some source you got the code how to disable the security on the car radio. In our case this code is the magic number of 90.
If you read out the eeprom with your eeprom programmer you got a bin file. A file which content is written in binary format and so called eeprom dump.
You have to know two things:

  1. Where to write the code, in which line to write the code
  2. What to write to the desired location

Let’s compare the original CrackMe.exe with the cracked version. This is a simulation of two eeprom dumps. I use the Compare by content function from TotalCommander.


After compared the two files of CrackMe.exe I got a result screen:


As you can see, the left CrackMe.exe have a red 74 and in the right CrackMe.exe have a red 90. The right CrackMe.exe is the cracked.
Let say the left side is the dump from your car radio which should be unlocked. The right side is the dump from a car radio which is unlocked.

Now, you have to write the number to the place of 74 and save the content to the eeprom of your device.

Now open HxD hex editor or any other hex editor with the capability of content editing and changing option. And write the address 1E735 and press OK.

software 22

 1E730 + 5 = 1E735

Change the 74 to 90 and save the file by pressing the floppy under the Edit menu.

Start the CrackMe.exe and you can see the app is cracked, or in our simulation, the car radio will not ask anymore for a correct code, you can put whatever code and it will accept them.

This is the very basic principle how to come over security stuff in a program on PC or whatever device.

I hope you enjoy this article and it is useful.

Note: This article is written for learning and education purpose only, and I’m not responsible if something is damaged, misused or whatever in a negative meaning. The readers have to take full responsibilities of whatever action that have made from this article.









This article was prepared for you by Christian Robert Adzic from Novi Knezevac-Serbia


Please give a support by clicking  on the social buttons below. Your feedback on the post is welcome. Please leave it in the comments.

P.S-  If you enjoyed reading this, click here to subscribe to my blog (free subscription). That way, you’ll never miss a post. You can also forward this website link to your friends and colleagues-thanks!

You may check his previous repair article below:




  1. victor U

    July 3, 2015 at 12:12 am

    This is really very informative! I'm a novice in this area with so many questions: how to get backup of on-board eeprom in the first place, etc? But I certainly love the article. Thanks JY

    • Chris

      July 4, 2015 at 2:43 am

      Thank you for supporting my article. I appreciate your support.
      If we say "backup the eeprom" we mean to reading the content of the eeprom whit an eeprom reading tool ( use google for eeprom reading tools ) and save it on the hard drive or whatever where the content is safely stored.
      If you have any question I will try give you support.
      My best regards.

  2. Gopal Sharma

    July 3, 2015 at 2:01 am

    Thanks Mr. Christian for publishing such article. It can be very useful for me in eeprom debuging and programming.

  3. Multivits

    July 3, 2015 at 6:17 am

    Great, well laid out tutorial. Do you have any details on the steps prior to getting the code, like connecting to the EEPROM? Most EEPROM's don't come with a serial port attached! Did you de-solder or remove the EEPROM and mount it in a base to get connectivity to extract the program?


    • Chris

      July 4, 2015 at 2:49 am

      Thank you for supporting my article. I appreciate your support.
      Different eeproms use different type of communication and communication protocols. That are described in the datasheet of the eeprom. You can get the datasheet in most of case from the web site of the manufacturers.
      One of my favorite eeprom reader/writer are the SeeProg.
      SeeProg supports over 9000 types off eeproms, reading and writing...
      Use google and search for SeeProg.
      If you have any question I will try to help you and support if I can and know.
      My best regards.

  4. Mark

    July 3, 2015 at 8:29 am

    Hey Christian,
    Thanks for a very informative article. Most of it went over my head, but I appreciated your analogies about going thru a unsecured window. This sort of skill takes years to gain & I am glad that you were able to share it with us all.

  5. Jesse

    July 5, 2015 at 7:16 am

    Hi Christian,
    Excellent tutorial, thanks for posting it. It has helped me to understand how to begin to solve a problem that I'm facing at the moment. I'm working to resolve an issue with a 93A66 chip on my Honda ECU.

    Any resources that you could recommend to help me learn the details/steps of this article would be very much appreciated. I am really enjoying this area of electronics because it deals with programming and knowing how all electronics actually work!
    Keep up the awesome articles.
    Best Regards,

    • Chris

      July 7, 2015 at 5:42 am

      Thank's Jesse for supporting my article.
      What is or was the problem on your Honda ECU?

      I have no specific resources for learning the steps of my article but I can advice you should start from the beginning.
      You should decide for what and in which situation would you use a skill like an low-level programmer, and a low-level electronic expert. If I say low-level, that is a jargon for people who are behind of the regular scholar experts and have a skill to reverse stuff backward and trace all the information's what somebody done in a regular programming language.
      Start to learn Assembly language, not to write a good and complex software under Windows. Just know how the relationships works in that language. Learn about the PC hardware. Try to figure out in the smallest peaces how a cpu works and what is his elements.
      And be patient...

      • Jesse

        July 7, 2015 at 9:47 am

        Chris, thanks for your insight and the question.

        The problem with the ECU is that in doing an electrical wire repair on my 06 Civic, I fatally damaged the original ECU.

        Instead of repairing the ECU, I transferred the EEPROM to a used ECU that I picked up at a salvage yard. This did not solve the immobilizer/security problem (no start condition). What I think I need to do next is read the original EEPROM so that I can manually copy it and write it onto the used replacement ECU. An option I'm also considering if this does not work is modify the dump file to eliminate the immobilizer feature so that I can start my Honda again. Right now the EEPROM is not recognizing the immobilizer so it does not allow the engine to start.
        Thanks again,

  6. Robert Calk

    July 5, 2015 at 12:32 pm

    Nice article Chris, thanks. I wish they would get with the times. The people I bought my eeprom programmer from said it was compatible with Win8, but I couldn't get it to work. I would probably have to set my OS to Win7 for it to work. Maybe when Win10 is out for a year, they will work with 8 then. Luckily, I haven't needed the programmer yet.

    • Chris

      July 7, 2015 at 5:55 am

      Thank you Robert for supporting my article.
      Let me know please what type of eeprom programmer are you bought?
      I will suggest you to get the SeeProg. It will work under lot of versions of Windows, even on Win8 ( right now I use them under Win8 ).
      You can made the SeeProg yourselves too.
      For SeeProg you have to use a real LPT port.
      Trust me, in a pro situation like some investigation agencies and so, they use computers in their labs whit real hardware RS232 ports and hardware LPT ports. That ports are gone for the civil computer users and transformed into the USB port. USB ports have to much problems whit the drivers in some case like eeprom programmers. In some cases I tried to read a data protected eeprom content with an USB programmer, no way. I hooked up the eeprom on a LPT port programmer and I could get the data...

      • Robert Calk

        July 9, 2015 at 4:15 am

        Thanks Chris. I have 2 of them: A MiniPro TL866CS, and the other one is a little C-Right USB Programmer - or something like that. Also, the MiniPro website is all Chinese writing so that does me no good.
        The EEPROM programmers that I found that are made in the USA are expensive. I figured that I would wait till I could afford one and not buy any more equipment that is made in China. But I would rather spend my money right now on a Electronically Programmable DC Load, and a Digital Oscilloscope, and a Programmable Power supply. I could use them more than an EEPROM programmer.
        I guess I could check on forums about the MiniPro, but I haven't needed it yet and it got pushed back on the list of stuff I need to do.

        • Chris

          July 10, 2015 at 3:41 am

          Hi Robert, I checked what type of eeprom programmers are they.
          Search for schematic of SeeProg and made it yourself. It is very inexpensive and it is ideal for home made.
          It will cos around $20-$30 not more.
          You can find on the internet the schematic for the pcb, so you have only print out and made the pcb and put the parts together.
          Whit SeeProg you can read and write over 9000 eeprom type.
          Only think what is worse, you must have a true LPT port on your PC.
          If you have any question please feel free to contact me.

          • Robert Calk

            July 10, 2015 at 11:44 pm

            Hi Chris,
            I have never heard of a LPT port. But if I decide to build the SeeProg, I will just wire in a USB port or something else. Thanks for the help.

  7. Jesse

    July 8, 2015 at 6:45 am

    I have a follow up question regarding my EEPROM, a 93A66 chip. The problem is that I cannot find a programmer that can read it(including SeeProg/BeeProg). Most of them advertise they work with the 93C66 but don't list the 93A66.
    Any suggestions?.

    • Chris

      July 9, 2015 at 5:06 am

      Hi Jesse!
      I checked back on my eeprom reader software which is the SeeProg and I can find lot of variation of the 93A66 eeprom. As I figured out through reading datasheets there some other letters and numbers on the IC. Can you provide pleas the whole text from the IC? The manufacturer of your eeprom is Rohm or Seiko Instruments?
      If the text on the eeprom starts whit BR then it is a Rohm, if it starts whit S- then it is a Seiko Instruments.
      Sometime it is not enough to swap the ECU. I don't know if the VIN number is in your new ECU and maybe in the eeprom is another VIN number. This could be another reason why your ECU would not fire up the engine.
      This is only a speculation of me. I have no Honda cars in my area sorry.
      Car manufacturers sometime bound together the VIN numbers whit the parts. Sometime there are smart sensors on the car which has the VIN number from the host car and if you try to reuse that sensor on another car the sensor fail to work.

      • Jesse

        July 9, 2015 at 11:06 am

        Hello Chris,
        Your time is very much appreciated.
        All the text on the surface is the following 3 sets of values:
        S93A66, ADAVE6, 1166.

        Based on my research so far, the EEPROM in the ECU is the gate keeper and either enables or disables the engine from starting.
        Since I'm using a salvage yard ECM/EEPROM, it expects encoded data (from immobilizer) to match with that particular VIN number, which we know it cannot match. I have the unsoldered EEPROM from my ECM and just want to copy it and write it on the used ECM, which I believe is the goal. Alternatively, based on your article, I thought maybe there's a way to try to manually modify the dump file to match the car's/immobilizer VIN and see what happens.

        [Background: Before taking this path, I towed the car to the local auto dealership for programming. They said they could not write to the ECM because it was "used" and asked to replace the ECM with a new one for a cost of $800. Because it's a spare car, I took it as an opportunity and a challenge to attempt to resolve the issue and learn a few things in the process]

  8. Chris

    July 10, 2015 at 4:07 am

    Hello Jesse, I would do this:
    Put the ECU to the car and take an OBD diagnostic equipment.
    Read the fault codes.
    Erase the fault codes.
    Read again the fault codes.
    From the DTC (Diagnostic Trouble Codes) you can see how is the behavior of the ECU. With the diag tool you can see is the ECU alive or not. If yes you will get some infos about what is wrong.
    After that I suggest you to change the eeproms. Put the original eeprom from your car into the new ECU. Start testing again whit diag equipment and remember the information's and compare it with the infos about the earlier diag.
    After that we will be more clue.
    Post the result and I will see whit friend what is to do.

    About the local dealers and there repairing:
    That is not true does the ECU can not be reprogrammed. Every ECU can be erased and reprogrammed. The firmware and the eeprom too.
    I done a lot of ECU repairing on new and old cars, tractors, combine, motorcycles, trucks.
    Today I repaired a combine ECU and made a full firmware update into the cpu.

    Your eeprom:
    It is a Seiko Instruments part. It is full suported by SeeProg.
    Download the schematic, pcb form the inet and make one for you.
    It is easy to make it at home and will not cost more then $20-$30.

    I hope you will fire up your car in a few days...

    • Jesse

      July 10, 2015 at 11:40 am

      I agree with you and I do not understand why the dealership did not at least give me rationale as to why the tech could not do it.
      Anyways, I scanned the the ECM with no codes reported. I cleared and scanned again with no change...all normal.
      While at it, I queried the ECM to get the VIN and some kind of device ID.
      As recommended, I will proceed to install the original EEPROMs onto the ECM.
      Before doing that though, I better to copy and save the bin file just in case I fry it during the solder process :).
      So, actually I shall go the SeeProg route first.
      It's great to know that you live and breath this stuff!..It's a blast learning all about it and putting it to practice...thanks a million, yes when the Civic comes back to life hopefully soon, it will be so incredible!
      Looks like I have work to do but will report back in a couple days after some progress. jesse

  9. Jesse

    July 15, 2015 at 11:01 am

    Hi Chris,
    After failed attempts at reading the EEPROM with a cheap universal programmer, I decided to take a chance and solder them to the ECM. Fortunately the soldering operation went smooth. I also fully charged the battery ahead of time. After installing the ECM, I scanned for trouble codes. One trouble code came up: P0603 Keep alive memory error. It had not shown up before.
    I proceeded to turn the key to start it and the green flashing key/immobililzer came on. Of course it would not start. Then, I re-connected the OBDII scanner to see if it would read the VIN number but it did not come up, it showed N/A or something like that. For the heck of it I cleared the code and read again with the same code showing up.
    This seems to indicate a problem with the eeprom? The last thing I did was to check the solder on the eeprom legs and pads..and they looked fine. I am in the process of procuring the parts to build the circuit card for SeeProg. Hopefully this will shed some light. Not sure what else to try at this point while I make the ciruit. Any ideas? j

  10. Jesse

    July 19, 2015 at 11:36 am

    Hello Chris,
    I bought a better programmer, GQ universal USB programmer for now. I checked the EEPROMs that are on the ECU now and just for giggles compared the bins..the correct VIN showed up on both and Hex data were the same. I went ahead and re-installed and repeated the procedure mentioned previously. Still no better results and the same code from before P0603. I tried reading the VIN number again and this time it does show up on the scanner instead of N/A like before. Other than that, no improvement. I will continue doing research in syncing it to the immobilizer next, which means I may be taking the immobilizer apart to try to read the memory there to read for comparison purpose. So, far I have learned more about EEPROMs and mapping than I was ever aware of..this has really been awesome!. I'll report soon on any new developments. j

  11. Chris

    August 8, 2015 at 7:04 am

    Sorry because I'm late.
    Are you made any progress?
    Maybe you have a problem in the CPU firmware of your ECU.
    Than you have to flash the CPU firmware.
    That is another stuff than reading/writing eeproms.

    • Jesse

      August 9, 2015 at 1:48 pm

      Hi Chris,
      I have made little progress. I have been learning Assembly language.
      What I did was disassemble the hex dump and I have been studying it to find the line where the comparison is made between the stored pass code in the EEPROM and the one coming in from the immo. I was thinking to change the result of the comparison result (prior to the reporting of its value to the CPU so that it does not stop execution/ignition/fuel.

      You're right, I've discovered this is a lot deeper than reading and writing eeproms. The positive side of it is that I think may have found the subroutine where the comparison is made and stored in the EAX register. I should know soon.
      My next challenge will be figuring out how to translate the needed change on to the hex dump file. I disassembled the file online on this website and I do not have the ability to modify it there.

      Am I approaching this the right way?
      thanks for your response!

    • Jesse

      August 11, 2015 at 7:48 am

      The lines that I believe are part of the subroutine that makes the first digit comparison for correct pin number reads as the following. Here's how it reads and my understanding. I may be completely wrong on this but it's the best I can do at this point.

      cmp eax, 0x7207b0f - If eax is equal to the source, go to jp
      or ebp, DWORD PTR [ecx+0xf] - if eax is not equal come here next
      jp loc 0000031 - comes here if eax equals value

      I'm still studying the logic that follows to see how it is checking the remaining digits.

    • Jesse

      August 20, 2015 at 8:06 am

      Chris,I am still working on understanding assembly code and how it processes during engine start up to keep the engine running. It appears that when in open loop, it may be running on preset table values in the CPU..however, it relies on the security check results; it runs the subroutine in the eeprom to either keep the engine running or not. This is very challenging work, but making slow progress. So far, I have made a couple of changes to the bin file with no improvements. Will carry on.

  12. Chris

    May 17, 2016 at 12:26 am

    Somehow you are correct but it is hard to be a part of your work from my point of view because the distance between as.
    My first question is:
    What is your machine architecture what you are used to disassembling the firmware from the cpu?

    • Ravi kumar

      September 7, 2016 at 8:16 am

      Good morning sir,
      what is difference between EEPROM dump,BIN,and firmwrae


Leave a Reply

Your email address will not be published. Required fields are marked *