Wednesday, May 23, 2018

8751 close shave

In the previous post we discussed dumping a lot of mostly PIC16C57s. These also came with a pair of 8751 chips, the first being F-1 Dream (C014):

And the second being Breywood (C015):

The Breywood gold top packages are rather easy to decap as the package is simply heated up and the steel cap is lifted off:

This was then masked and dumped with a masked UV attack as done in previous posts:

The F-1 Dream is a glass frit CERDIP which is a little trickier to decap. Glossing over details, the best technique we've come up with is to strongly heat the top to release it. This melts the glass holding it on without melting the glass holding the pins in place. However, this is a delicate operation that can go wrong in many ways.

Here's the die after decap:

Which was masked like on Breywood:

However, the chip did not dump. Closer inspection revealed the leadframe had shifted a bit and caused some minor bond wire damage; notably, one wire had completely snapped. This is very hard to see in the pictures, but was easily found with a continuity test and some probing. So it was patched with some epoxy:

Even after this, dumps were very flaky. We got a few decent-looking dumps but they started getting worse. We suspected bad pin connections and tried to clean up the chip a bit more. However, on closer inspection we noticed microfractures on the die:

So, it seems that we narrowly got this chip dumped before it stopped working. We could have potentially patched some of these up, but this would have gotten complicated quickly.

What happened? In the past we had pre-heated the chip / workholder for longer, but this time we didn't wait quite as long. We suspect that the chip was cooled faster than expected, causing the microfractures. We suppose all is well that ends well, but it is a lesson for the future to be more conservative on these parts.

Enjoy this post? Please support us on Patreon! Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.

Monday, May 7, 2018

Mostly PIC16C57

We were recently sent 8 "PIC16C57s" from:

  • High Seas Havoc (403/C013)
  • Wargods (U69, C020)
  • MACE (U96, C021)
  • Carnevil (U96, C022)
  • BioFreaks (C023)
  • Gauntlet Dark Legacy (C024)
  • Gauntlet (U37, C025)
  • Blitz 99 (U96, C026)

Here are the packages:

First, note the upper left chip (BioFreaks):

Hmm, that's not a PIC16C57 but rather a PIC16F57. We decapped a sample and it's a much finer technology than we've dealt with so far. This one's been shelved for now in favor of easier targets.

Next, note the lower left chip (High Seas Havoc (HSH)):

The marking has been removed, but this is allegedly a PIC16C57. We popped it into a reader and it spit back a scrambled (protected) dump, so this was plausible.

Here are most (Gauntlet Dark Legacy not shown) of the PIC16C57s after decapping and masking:

These were dumped as done in previous posts. Here's Wargods close up:

Next, you'll notice there are only 6 chips left of the original 8. In addition to BioFreaks, HSH was in fact not a PIC16C57. Additionally, its wires were a bit higher and got trimmed during decap:

While it's not a PIC16C57, it does look close, basically just with a smaller EPROM. It looks to be about 1/4 the size of PIC16C57 (2K), so let's say it's probably 512 words. There are two members of the PIC16C5X family with 512 words: PIC16C54 and PIC16C55. PIC16C54 doesn't come in DIP28, so it's probably PIC16C55.

Fortunately we had a PIC16C55 on hand:

Here's the identifying info on HSH:

And here's a PIC16C55 sample:

Odd... the die ID matches but the masks don't completely match. After some discussion, we decided this was close enough to proceed. The main concern is that PIC16C55A has some more sophisticated protection that might be problematic if we tried a simple UV attack. However, HSH has a 1988 copyright, and the sample has a 1988 copyright as well. Additionally, we know that PIC16C57C was a big redesign over PIC16C57. So all evidence points to this really being a PIC16C55 despite the different masks.

We secured a sample and applied a mask:

Which after 15 minutes or so of UV erasing had lost protection but retained the original data.

Next we mended the broken wires. When we fixed similar chips in the past, we installed new wires. However, here the wires are mostly intact; they just need some bridging. So instead of adding wires, we just carefully added conductive epoxy tracks to bridge them back together:

Here the nail polish is being used to keep the wires from breaking as they get pushed around and also to keep the epoxy from shorting out against the edge of the die (see the lower left connection for example). This passed continuity and gave out the scrambled output we saw before decap.

We then added additional masking to fully cover the EPROM:

After 15 minutes of UV erasing we were able to retrieve the ROM.

Finally, a few small updates on works in progress:

  • Taito C-Chip: we've dumped all samples we have except Operation Wolf (partial dump only). We have a spare chip in hand but we'd like to try a bit more to extract one of the existing decaps first
  • Contact mask ROMs (TGP + MCS48 such as Great Swordsman): general consensus is that the TGP captures are mostly acceptable, but the MCS48 captures are too noisy. We've briefly explored a few alternate capture techniques to improve accuracy, but haven't found something we are satisfied with yet
  • Altera FPGAs: we've been unable to identify the specific chip used for 79/80 based on samples we've procured. Reach out if you have interest in this / think you might have something to contribute
  • As the number of chips that can be trivially dumped dwindles, we are evaluating new analysis techniques. Some of these updates may be less frequent, but the write ups should be more involved
