by anemic 3197 days ago
The most interesting part is that they managed to get the hex dump of the software. A quick glance shows there are no copyright texts in it, bummer!

I'm not an expert in PIC assembly, but it seems there is very little code and there are no obvious code paths, like a switch/case-style construct for processing the serial commands. Lots of I/O and not much more. Most likely they are not decoding the magstripe data in the PIC but just get the decoded data and store it.


I just tried disassembling the hex file. Unfortunately, the code-protect bits are set (location 0x300008 is 0x00). This means that the ROM from 0x000800 to 0x007FFF will read as zero. And indeed, that entire space is filled with zero. So, I think we're missing much of the actual firmware.

Edit: And the reset vector begins with a branch to location 0x001ACA, which is all zeroes, so I'm pretty sure most of the firmware was not read out due to the code protection.

From a quick Google search, a Russian company is offering microcontroller code-dumping services: https://russiansemiresearch.com/en/faq/

I have no idea if this is legit or not. I doubt your law enforcement would let you access their services anyway.

Edit: My guess would be they work with industrialized de-capping + software to dump the memory, like this: https://www.bunniestudios.com/blog/?page_id=40

There are other "chip intelligence" companies in the US, some of which probably have such services. At a different cost.

On some of these embedded chips there are methods to glitch the read-protection fuses by messing with the power (a form of fault-injection attack). These used to work a few years back, but I haven't heard whether they still do.
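The triage the reply above describes (read the config word, check whether the protected range is all zeros, follow the reset-vector branch), as an added example that is not code from the thread. It assumes a PIC18-family part (CONFIG5L at 0x300008, two-word GOTO at the reset vector) and runs on a constructed Intel HEX dump rather than the real one.

```python
"""Triage a PIC18 Intel HEX dump: is code protection set, does the protected
range read as zeros, and where does the reset vector branch? Added example;
the sample dump is constructed and the PIC18 memory layout is assumed."""
CONFIG5L = 0x300008                 # PIC18 code-protect register, CP0..CP3 active low
PROTECTED = (0x000800, 0x008000)    # byte range the comment saw filled with zeros

def parse_ihex(text):
    """Intel HEX -> {byte_address: value}, honouring type-04 extended linear records."""
    image, base = {}, 0
    for line in text.splitlines():
        if not line.startswith(":"):
            continue
        raw = bytes.fromhex(line[1:].strip())
        if sum(raw) & 0xFF:
            raise ValueError("bad checksum: " + line)
        offset, rtype, data = int.from_bytes(raw[1:3], "big"), raw[3], raw[4:-1]
        if rtype == 0x04:                       # extended linear address
            base = int.from_bytes(data, "big") << 16
        elif rtype == 0x00:                     # data record
            for i, b in enumerate(data):
                image[base + offset + i] = b
        elif rtype == 0x01:                     # end of file
            break
    return image

def protected_blocks(image):
    """Block numbers whose CPn bit in CONFIG5L is clear (0 = protected)."""
    cp = image.get(CONFIG5L, 0xFF) & 0x0F
    return [n for n in range(4) if not (cp >> n) & 1]

def region_all_zero(image, start, end):
    """True if every byte in [start, end) is present and reads 0x00."""
    return all(image.get(a) == 0 for a in range(start, end))

def reset_vector_target(image):
    """Decode a two-word GOTO (0xEFkk, 0xFkkk; little-endian words) at address 0."""
    w0 = image.get(0, 0xFF) | image.get(1, 0xFF) << 8
    w1 = image.get(2, 0xFF) | image.get(3, 0xFF) << 8
    if w0 & 0xFF00 != 0xEF00 or w1 & 0xF000 != 0xF000:
        return None
    return (((w1 & 0x0FFF) << 8) | (w0 & 0xFF)) * 2   # word address -> byte address

def _rec(offset, rtype, data):
    body = bytes([len(data)]) + offset.to_bytes(2, "big") + bytes([rtype]) + data
    return ":" + (body + bytes([-sum(body) & 0xFF])).hex().upper()

def sample_dump():
    """Constructed dump: GOTO 0x1ACA at reset, zeros over PROTECTED, CONFIG5L = 0x00."""
    recs = [_rec(0, 4, b"\x00\x00"), _rec(0, 0, bytes.fromhex("65EF0DF0"))]
    recs += [_rec(a, 0, bytes(16)) for a in range(*PROTECTED, 16)]
    recs += [_rec(0, 4, b"\x00\x30"), _rec(8, 0, b"\x00"), _rec(0, 1, b"")]
    return "\n".join(recs)
```

With the constructed dump, all four CP blocks report as protected, the protected range reads as zeros, and the reset vector lands at 0x1ACA, inside that range, which is exactly the pattern the reply interprets as an incomplete read-out.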