Chip Decryption · Firmware Recovery

The complete guide to IC Unlock

Read the protected program out of a locked microcontroller, EEPROM or logic device — for firmware recovery, legacy maintenance and re-engineering. Need it done? Get professional IC Unlock services from PCBSync.

  • 2,000+ part numbers handled
  • 8 / 16 / 32-bit MCU architectures
  • 3–7 days typical turnaround
Microchip PIC / AVR · ST STM32 / STM8 · NXP LPC / Kinetis · TI MSP430 · Renesas RL78 / RX · Silicon Labs C8051 · EEPROM · Flash · CPLD · FPGA
Definition

What is IC unlock?

IC unlock is the engineering process of reading the protected firmware out of an integrated circuit — most often a microcontroller (MCU), EEPROM or programmable logic device — even when the chip's read-protection fuse, security bit or lock bits have been switched on.

Manufacturers enable these protections to stop the on-chip program from being copied. When the original source code or HEX file is lost, IC unlock recovers a faithful binary image of that program so the design can be maintained, repaired or migrated forward. The result is delivered as a .hex / .bin file, and blank chips can be programmed from it on request.

The same service is known by several names across the industry:

  • Chip decryption
  • MCU code extraction
  • Firmware recovery
  • Microcontroller crack
  • Memory read-out
  • Code reading

Why engineers use IC unlock

  • Recover lost source code or HEX files for a product still in production
  • Maintain and repair legacy or obsolete equipment with no documentation
  • Perform failure analysis and verify firmware integrity
  • Create a secure backup before a sole supplier disappears
  • Re-engineer an end-of-life design onto a modern, available MCU
  • Duplicate a programmed chip you own for production continuity
Process

IC unlock steps — from locked chip to firmware

Every project follows the same disciplined sequence. The exact technique inside each step depends on the chip, but the order does not change.

Identify & evaluate

Confirm the exact part number, package and protection mechanism, then assess feasibility, method and turnaround before any work begins.

Prepare the sample

Set up the programmer interface, or decapsulate the package when an invasive or semi-invasive approach is required to reach the die.

Bypass the protection

Disable or circumvent the read-protection — fuse, security bit or lock bits — using the technique matched to that specific device family.

Read out the memory

Dump the Flash, EEPROM or OTP contents to obtain the raw firmware image, capturing configuration words and calibration data too.

Verify & reconstruct

Check integrity, rebuild a clean .hex/.bin, and optionally disassemble for analysis or porting.

Deliver

Hand over the verified firmware file and, if requested, program blank chips so production can resume immediately.
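
For the "Verify & reconstruct" step, an integrity check on a recovered Intel HEX file can look like the following. This is an added example, not PCBSync's tooling: the function names and sample records are constructed, and unwritten gaps are assumed to read as erased flash (0xFF).

```python
# Added example; SAMPLE_HEX is constructed, not taken from a real device.
SAMPLE_HEX = """\
:020000040800F2
:04000000DEADBEEFC4
:020008001234B0
:00000001FF
"""


def parse_record(line):
    """Decode one Intel HEX record, rejecting bad framing or checksum."""
    if not line.startswith(":"):
        raise ValueError("missing ':' start code")
    raw = bytes.fromhex(line[1:])          # ValueError on non-hex text
    if len(raw) < 5 or len(raw) != raw[0] + 5:
        raise ValueError("length field does not match record size")
    if sum(raw) & 0xFF:                    # all bytes incl. checksum sum to 0
        raise ValueError("checksum mismatch")
    return raw[3], int.from_bytes(raw[1:3], "big"), raw[4:-1]


def hex_to_image(text, fill=0xFF):
    """Return (base address, flat image, gap byte count) of a verified file."""
    upper, mem, saw_eof = 0, {}, False
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if saw_eof:
            raise ValueError(f"line {n}: record after EOF")
        try:
            rtype, addr, data = parse_record(line)
        except ValueError as exc:
            raise ValueError(f"line {n}: {exc}") from None
        if rtype == 0x00:                  # data record
            for i, byte in enumerate(data):
                if mem.setdefault(upper + addr + i, byte) != byte:
                    raise ValueError(f"line {n}: conflicting overlap")
        elif rtype == 0x01:                # end of file
            saw_eof = True
        elif rtype == 0x02:                # extended segment address
            upper = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:                # extended linear address
            upper = int.from_bytes(data, "big") << 16
        # 0x03 / 0x05 carry start addresses only; no memory content
    if not saw_eof or not mem:
        raise ValueError("truncated or empty file (no EOF record or no data)")
    lo, hi = min(mem), max(mem)
    image = bytes(mem.get(a, fill) for a in range(lo, hi + 1))
    return lo, image, len(image) - len(mem)
```

A non-zero gap count is worth comparing against the device's memory map before the image is written to a blank chip, since filled gaps are not data that was actually read.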

Techniques

IC unlock methods

Different chips demand different attacks on their protection. A good lab chooses the least invasive method that will reliably succeed.

Lowest cost · No damage

Non-invasive

Works entirely from the chip's pins — no decapsulation. The package is returned intact.

  • Fuse / lock-bit reset via programmer
  • Voltage & clock glitching (fault injection)
  • Timing attacks on the security check
  • Bootloader & debug-interface exploits
Mid cost · Die exposed

Semi-invasive

The die is exposed but the metal layers stay untouched. Light and lasers manipulate the security cell.

  • UV erasure of the protection cell
  • Optical / laser fault injection
  • Light attacks on EEPROM security bits
  • Localised die-surface probing
Highest cost · Most powerful

Invasive (micro-probing)

Full decapsulation and direct access to internal buses for the most strongly protected devices.

  • Micro-probing of internal bus lines
  • FIB (focused ion beam) circuit edit
  • Memory cell read-out under microscope
  • Layout reconstruction & analysis
Key extraction

Side-channel analysis

Statistical analysis of physical leakage to recover keys without breaking the package open.

  • SPA / DPA power analysis
  • Electromagnetic (EM) analysis
  • Correlation power analysis
  • Glitch-assisted key recovery
Equipment

IC unlock tools & lab equipment

Reliable chip decryption depends as much on the bench as on the technique. These are the core tools of an IC unlock lab.

Universal programmers

Read, verify and write Flash, EEPROM and OTP across thousands of device profiles.

Decapsulation rigs

Acid, plasma and laser decap stations expose the die without harming the circuitry.

Microscopes & SEM

Optical and scanning-electron imaging to locate fuses, cells and probe points on the die.

Oscilloscopes & logic analyzers

Capture timing and bus activity for glitch tuning and protocol analysis.

Fault-injection rigs

Precision voltage, clock and EM glitchers for non-invasive protection bypass.

FIB workstation

Focused ion beam for nanoscale circuit edits on the most secure devices.

JTAG / SWD / ICSP probes

Adapters for every in-circuit debug and serial-programming interface.

Disassemblers & hex editors

Reverse-engineering software to verify, analyse and re-target the recovered code.

Coverage

List of ICs we can unlock

From classic 8-bit microcontrollers to modern ARM Cortex-M devices, secure memories and programmable logic. Filter by manufacturer to find your part family.

Microchip PIC

8/16/32-bit
PIC10F · PIC12F · PIC16F · PIC18F · PIC24F · dsPIC30 · dsPIC33 · PIC32MX · PIC32MZ

Atmel AVR

8-bit
ATtiny · ATmega8 · ATmega16 · ATmega328 · AT90S · ATxmega · AT89C51 · AT89S52

ST STM32

ARM Cortex-M
STM32F0 · STM32F1 · STM32F3 · STM32F4 · STM32F7 · STM32H7 · STM32L0 · STM32L4 · STM32G0 · STM32G4

ST STM8

8-bit
STM8S · STM8L · STM8A · STM8AF · STM8AL · STM8T

NXP LPC / Kinetis

ARM
LPC8xx · LPC11xx · LPC17xx · LPC18xx · Kinetis K · Kinetis L · i.MX RT

Freescale S08 / S12

8/16-bit
MC9S08 · MC9S12 · MC68HC08 · MC68HC11 · MC68HC908 · MPC5xx

TI MSP & C2000

16/32-bit
MSP430 · MSP432 · C2000 · TMS320 · CC2530 · CC2540

Renesas

8/16/32-bit
R8C · M16C · M32C · RL78 · RX · RA · V850 · SH-2

Silicon Labs

8051 / ARM
C8051F · EFM8 · EFM32 · EFR32

Cypress / Infineon

PSoC / XMC
PSoC 1 · PSoC 4 · PSoC 5LP · PSoC 6 · XMC1000 · XMC4000 · TriCore

Nuvoton / GigaDevice

8051 / ARM / RISC-V
N76E · NUC100 · M0516 · W78E · GD32F · GD32E · GD32VF

Holtek / STC / others

8051 & OTP
HT66F · HT46R · HT48R · STC89 · STC12 · STC15 · SyncMOS · Megawin

Serial EEPROM

I²C / SPI / MW
24C02 · 24C04 · 24C16 · 24C64 · 24C256 · 93C46 · 93C56 · 93C66

Serial & NOR Flash

SPI / QSPI
25Q16 · 25Q32 · 25Q64 · 25Q128 · AT45DB · SST25 · MX25L

CPLD

Programmable logic
MAX II · MAX V · XC9500 · CoolRunner · MachXO · ispMACH

FPGA & secure logic

Flash / antifuse
ProASIC3 · IGLOO · SmartFusion · Spartan · Cyclone · MachXO2

Don't see your exact part number? The list grows constantly — ask PCBSync about your specific IC and we'll confirm feasibility.

Interfaces

MCU programming types

Each microcontroller family is programmed and read through a specific interface. Knowing the programming type is the first step in any IC unlock job.

| Programming type | Wires | Typical families | Notes |
|---|---|---|---|
| ISP | SPI · 4-wire | Atmel AVR (ATmega, ATtiny) | In-System Programming over the SPI lines while powered. |
| ICSP | 2-wire + clk | Microchip PIC, dsPIC | In-Circuit Serial Programming via PGC/PGD. |
| JTAG | 4–5-wire | ARM, many MCUs, FPGA/CPLD | IEEE 1149.1 boundary scan, debug and programming. |
| SWD | 2-wire | ARM Cortex-M (STM32, NXP, SiLabs) | Serial Wire Debug — compact 2-pin ARM interface. |
| UART bootloader | 2-wire | STM32, NXP, many 8051 | Built-in serial bootloader entered via BOOT pins. |
| BDM | 1–2-wire | Freescale/NXP S08, S12, ColdFire | Background Debug Mode for single-wire access. |
| SBW / Spy-Bi-Wire | 2-wire | TI MSP430 | Two-wire JTAG variant for small packages. |
| PDI / UPDI / TPI | 1–2-wire | Atmel/Microchip XMEGA & tinyAVR | Modern single-wire Atmel programming interfaces. |
| C2 | 2-wire | Silicon Labs C8051, EFM8 | Proprietary 2-wire debug/programming bus. |
| I²C / SPI | 2–4-wire | Serial EEPROM & Flash | Direct memory read/write for 24Cxx, 25Qxx, 93Cxx. |
| HV parallel | Parallel | Older OTP / EPROM / fuse reset | High-voltage parallel mode for legacy devices. |

Pricing

How much does IC unlock cost?

There is no single price — cost scales with the chip and the method. Use these tiers as a guide, then request an exact quote for your part.

Tier 1 · Standard

8-bit MCU & memory

Lowest cost / per device
Classic, widely-supported parts with known non-invasive routes.
  • Common PIC, AVR, 8051, STM8
  • Serial EEPROM & SPI Flash
  • Fastest turnaround
  • Non-invasive methods
Tier 2 · Advanced

32-bit ARM & secured MCU

Mid range / per device
Modern Cortex-M and protected parts needing glitching or semi-invasive work.
  • STM32, LPC, Kinetis, GD32
  • PSoC, Renesas RX/RL78
  • Fault-injection & die access
  • Verified firmware delivery
Tier 3 · Complex

High-security & logic

Quote only / per project
Strongly protected devices requiring invasive or side-channel work.
  • Secure ARM, secure elements
  • CPLD & FPGA bitstreams
  • FIB & micro-probing
  • Feasibility study first

What determines your IC unlock cost

Chip family & node. Older 8-bit parts are far cheaper than modern, deeply-scaled ARM silicon.
Protection strength. Simple fuses cost little; hardened secure cells raise the effort.
Method required. Non-invasive is economical; FIB and side-channel work cost the most.
Turnaround. Rush jobs carry a premium; standard scheduling keeps cost down.
Sample availability. More spare chips give more attempts and improve success odds.
Volume. Programming many blank chips from the recovered image lowers per-unit cost.
Why PCBSync

Engineering depth behind every unlock

2k+

Proven part numbers

A deep catalogue of devices already cracked across every major MCU vendor.

4

Methods in-house

Non-invasive, semi-invasive, invasive and side-channel capability under one roof.

NDA

Strict confidentiality

Every project handled discreetly; your files and design stay yours.

PCB

End-to-end support

Pair firmware recovery with PCBSync's board manufacturing and assembly.

FAQ

IC unlock questions, answered

IC unlock is a legitimate engineering service used for firmware recovery, legacy maintenance, failure analysis and re-engineering. Customers are responsible for confirming they own, or are authorised to access, the firmware being recovered. Reputable providers decline requests that would infringe third-party intellectual property.

Common 8-bit parts are often turned around in a few days. Modern secured ARM devices, CPLDs or FPGAs can take longer, and strongly protected chips may begin with a short feasibility study. You'll get a timeline with your quote.

The exact chip part number and package, the quantity of sample chips you can supply, and a short note on your goal — firmware file only, or programmed blank chips as well. More samples generally improve the success rate.

Yes — these are among the most frequently handled families, alongside NXP/Freescale, TI MSP430, Renesas, Silicon Labs, GigaDevice and many more. Check the supported list above, or send your part number to confirm.

For well-known parts with established methods, success is very high. For newer or strongly protected silicon, feasibility is assessed up front and communicated honestly before you commit, so there are no surprises.

Yes. Projects are handled under confidentiality and the recovered firmware is delivered only to you. NDAs are available on request.

Get started

Send an IC unlock enquiry

Tell us your chip and goal and PCBSync's engineers will reply with feasibility, method and price. Prefer the full service page? Visit PCBSync IC Unlock.

  • Email an engineer: sales@pcbsync.com
  • Quote in 1 business day: feasibility · method · price
  • Confidential & NDA-ready: your design stays yours
