Recapping Caps0ff (CAPS0ff, 2024-01-30)<p> (repost from Patreon)</p><p>To recap on the project's history, Caps0ff entered the scene some years after the incumbent arcade decapper was no longer available. We were able to triage the chip stash with fresh eyes and get things moving again.</p><p>Unfortunately, as is likely evident, this project has been on hold for quite a while, both in terms of pausing pledges as well as work put into it. However, normally during the holidays I'm at least able to catch up a bit and put some time into making at least some progress. However, as my life has evolved the holidays were instead spent on catching up on normal life.</p><p>Additionally, while there was always one primary contributor, the team includes a number of critical support roles (PCB design, ROM decoding, etc). While some of these team members are still available, it creates additional friction to coordinate restarting the pipeline.</p><p>With all of this in mind I don't see a regular cadence resuming in the near future. While the project will continue ad-hoc as possible I don't believe it's in anyone's best interest to maintain this Patreon. Namely it is unnecessary distraction / pressure for me to keep remembering to pause it and, if forgotten, it's not appropriate to charge people for work not done. This can cause both sides to get frustrated.</p><p>So what do I see as the next steps? First, the chips will remain here until either I can put more work into it or find a new champion. Unfortunately the previous attempt to farm out some chips did not work out, so this will require some thought on how to do this appropriately. 
That aside, there are now many more "chip decappers" out there than when this project started. So I'm optimistic that someone will be interested and qualified to pick up the torch. And I'm happy to work with them to pass off general knowledge and pedigree on the chips. In lieu of directing funds my way, please join their Patreons and help them on their journey. I will leave this notice up for a bit and then formally shut down this account.</p><p>I sincerely thank you all for supporting this project. It's quite expensive to run and Patreon really helped to keep things moving. Stealing a quote from a friend: "May all your die shots be clean, your laser hits on-target, and your glitches fast enough in 2024!"</p>

February laser glitching w/ P87C52EBPN and more (2021-02-25)<div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: left;"><span face="docs-Calibri" style="background-color: white; white-space: pre-wrap;"><div class="separator" style="clear: both; text-align: left;">In this post we give some brief status updates on recently completed and in-progress projects. The main focus is using a laser to glitch security circuitry on several 8051 based MCUs from vintage arcade cabinets. 
Preserving this firmware allows people to better understand these games as well as fix broken cabinets.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-9bkCToJP2BE/YDK4Zlc3baI/AAAAAAAABIw/vJnqBsq_57U0PmSQU3HcXcAbVlmiTGWhwCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="284" data-original-width="350" height="240" src="https://lh3.googleusercontent.com/-9bkCToJP2BE/YDK4Zlc3baI/AAAAAAAABIw/vJnqBsq_57U0PmSQU3HcXcAbVlmiTGWhwCLcBGAsYHQ/image.png" width="296" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://en.wikipedia.org/wiki/Cookie_and_Bibi_2#/media/File:Cookie_and_Bibi_2-1.png">Source</a></div><div class="separator" style="clear: both; text-align: center;"><br /></div></span><span face="docs-Calibri" style="background-color: white; white-space: pre-wrap;">Recently we preserved the firmware from a few MCS51 chips via laser glitching. First, Cookie & Bibi 2 is a tile matching puzzle game from Taito. 
It's based on Puzzle Bobble which is in turn based on Bubble Bobble.</span></div><div class="separator" style="clear: both; text-align: left;"><span face="docs-Calibri" style="background-color: white; white-space: pre-wrap;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-N090Fhofh6w/YDL-8eezX-I/AAAAAAAABJk/7GkyDtu81TQYhh3daUdy-LsbaKKvB7_OQCLcBGAsYHQ/Cookie%2B%2526%2BBibi%2B2%2B-%2BParts%2BSide%2Broi.jpg" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1674" data-original-width="2048" height="240" src="https://lh3.googleusercontent.com/-N090Fhofh6w/YDL-8eezX-I/AAAAAAAABJk/7GkyDtu81TQYhh3daUdy-LsbaKKvB7_OQCLcBGAsYHQ/Cookie%2B%2526%2BBibi%2B2%2B-%2BParts%2BSide%2Broi.jpg" width="294" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div>In particular we are taking a look at preserving the firmware of the P87C52EBPN at lower left:<br /></div><div><span face="docs-Calibri" style="background-color: white; white-space: pre-wrap;"><br /></span></div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-qr44bWjRXuo/YDK0kiaxohI/AAAAAAAABIk/YXdhK4u_5EYwP6y3LuhjdurX9PL1ZXmFACLcBGAsYHQ/s2088/pack_top.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="635" data-original-width="2088" src="https://1.bp.blogspot.com/-qr44bWjRXuo/YDK0kiaxohI/AAAAAAAABIk/YXdhK4u_5EYwP6y3LuhjdurX9PL1ZXmFACLcBGAsYHQ/s320/pack_top.jpg" width="320" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">We've <a href="http://caps0ff.blogspot.com/2019/">processed a few P87C52EBPN before</a> and were surprised to find several very distinct chips all marked "P87C52EBPN." 
It's unclear if these were re-marked or we just didn't understand Philips' package marking scheme. In any case, here is the new die:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-ESaSNjkauYE/YDKzC2OWAfI/AAAAAAAABIY/3d7yvQ6g-KQDW5Ix5Jjk5w4Mp-QFkAcCQCLcBGAsYHQ/s2048/die-r.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1779" data-original-width="2048" src="https://1.bp.blogspot.com/-ESaSNjkauYE/YDKzC2OWAfI/AAAAAAAABIY/3d7yvQ6g-KQDW5Ix5Jjk5w4Mp-QFkAcCQCLcBGAsYHQ/s320/die-r.jpg" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-2bUKqa7-jVA/YDKylJgZz1I/AAAAAAAABIM/-OJIIarO2zopzGE7CHuDKRh8lrpqXMARgCLcBGAsYHQ/s1755/logo.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1273" data-original-width="1755" src="https://1.bp.blogspot.com/-2bUKqa7-jVA/YDKylJgZz1I/AAAAAAAABIM/-OJIIarO2zopzGE7CHuDKRh8lrpqXMARgCLcBGAsYHQ/s320/logo.jpg" width="320" /></a></div><div style="text-align: center;">Above: new die (Cookie & Bibi 2 P87C52EBPN as XSC6407A)</div><p>Which is close to one we already saw:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-ZczuFe8r5yY/YDKxf2c81CI/AAAAAAAABHo/hpxlMG88MkwVndTeEZ6OapO8JVsfwxpaACLcBGAsYHQ/s894/die1_die.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="865" data-original-width="894" src="https://1.bp.blogspot.com/-ZczuFe8r5yY/YDKxf2c81CI/AAAAAAAABHo/hpxlMG88MkwVndTeEZ6OapO8JVsfwxpaACLcBGAsYHQ/s320/die1_die.jpg" width="320" /></a></div><div style="text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-j-jk_LSoAl8/YDKxlrdQYMI/AAAAAAAABHs/VVmL7L4V84cPbjbFj97AugnGFlGvszpTwCLcBGAsYHQ/s1360/die1_logo.jpg" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="912" data-original-width="1360" src="https://1.bp.blogspot.com/-j-jk_LSoAl8/YDKxlrdQYMI/AAAAAAAABHs/VVmL7L4V84cPbjbFj97AugnGFlGvszpTwCLcBGAsYHQ/s320/die1_logo.jpg" width="320" /></a></div><div style="text-align: left;"></div><div style="text-align: center;">Above: previous P87C52EBPN as XSC6644A</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Note the lighting is different on these two die shots (metallurgical vs inspection microscope) but the overall layout is very similar. Still this is unfortunate because we didn't have any sample chips to test an attack against. However:</div><p></p><ol style="text-align: left;"><li>We've been able to develop attacks against similar chips fairly reliably</li><li>A replacement chip (board) would be about $60</li></ol><p></p><p>Given this we decided to try to develop the attack on the actual target without practicing first. We found the structure used in the previous article and found shining a laser on it gave a stable read out! We probed around a little more though and got a second binary that was also stable. There should only be one correct binary coming out. So how did we get two distinct binaries?</p><p>Often we run binaries through checker scripts that look for common errors like stuck address or data lines. 
When we ran these two binaries through they flagged some issues:</p><p></p><ul style="text-align: left;"><li>Binary 1 has bits 7 and 8 stuck high</li><li>Binary 2 has bit 8 stuck high</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-BiRH-Q7EaB8/YDKuktirs0I/AAAAAAAABHc/twNGm_q9rM8HYWMziXXvrL3ZoiCTnLaiwCLcBGAsYHQ/s2029/c110.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1461" data-original-width="2029" src="https://1.bp.blogspot.com/-BiRH-Q7EaB8/YDKuktirs0I/AAAAAAAABHc/twNGm_q9rM8HYWMziXXvrL3ZoiCTnLaiwCLcBGAsYHQ/s320/c110.jpg" width="320" /></a></div><br /><div>So actually neither is correct, but might be close. We then integrated the binary checker into the fuzzing script to get quicker feedback. After a bit more searching we locked onto a location that passed all checks and also saw some strings:</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-eMK1ETx-AZQ/YDMLjRfleJI/AAAAAAAABJw/0YtI09SAl9kBxu1ImECg9TzpVj-P73BYACLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="233" data-original-width="696" height="107" src="https://lh3.googleusercontent.com/-eMK1ETx-AZQ/YDMLjRfleJI/AAAAAAAABJw/0YtI09SAl9kBxu1ImECg9TzpVj-P73BYACLcBGAsYHQ/image.png" width="320" /></a></div><br />Now with all bits toggling and strings visible we have a plausible dump! 
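As an added illustration (not the Caps0ff checker scripts, which the post does not show), here are the checks described above in Python: data bits that never toggle, an address line that never toggles (so half the image repeats), printable strings, and whether the byte at address 0 decodes as an 8051 jump. Bit positions are numbered 0 (LSB) to 7 here, and the sample image is constructed rather than a real dump.

```python
import re
from dataclasses import dataclass


@dataclass
class DumpReport:
    stuck_high: list    # data bit positions (0 = LSB) that are 1 in every byte
    stuck_low: list     # data bit positions that are 0 in every byte
    aliased_addr: list  # address bit positions where both halves of the image agree
    strings: list       # printable ASCII runs found in the image
    reset_is_jump: bool  # does the byte at address 0 decode as an 8051 jump?

    def plausible(self) -> bool:
        """Hard failures only; an odd reset vector is a hint, not a verdict."""
        return not (self.stuck_high or self.stuck_low or self.aliased_addr)


def stuck_data_bits(rom: bytes):
    """OR and AND every byte together: a bit stuck high survives the AND,
    a bit stuck low never shows up in the OR."""
    acc_or, acc_and = 0, 0xFF
    for b in rom:
        acc_or |= b
        acc_and &= b
    high = [i for i in range(8) if acc_and >> i & 1]
    low = [i for i in range(8) if not acc_or >> i & 1]
    return high, low


def aliased_address_bits(rom: bytes):
    """If address line k is stuck or undriven, rom[a] == rom[a ^ (1 << k)]
    for every a: the image is really half the size, duplicated."""
    n = len(rom)
    if n == 0 or n & (n - 1):
        raise ValueError("image length must be a power of two")
    return [k for k in range(n.bit_length() - 1)
            if all(rom[a] == rom[a ^ (1 << k)] for a in range(n))]


def find_strings(rom: bytes, min_len: int = 4):
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, rom)]


def reset_vector_is_jump(rom: bytes) -> bool:
    """8051 opcodes: LJMP = 0x02, SJMP = 0x80, AJMP = aaa00001b."""
    op = rom[0]
    return op in (0x02, 0x80) or (op & 0x1F) == 0x01


def check_dump(rom: bytes, min_len: int = 4) -> DumpReport:
    high, low = stuck_data_bits(rom)
    return DumpReport(high, low, aliased_address_bits(rom),
                      find_strings(rom, min_len), reset_vector_is_jump(rom))


def make_sample_rom() -> bytes:
    """Constructed 256-byte stand-in for a dump (not a real ROM image).
    An odd multiplier visits every byte value exactly once over 256 addresses,
    so no data bit is stuck and no address bit aliases; the nibble swap breaks
    the arithmetic pattern so a forced-high bit 7 does not fake an alias."""
    def scramble(i):
        v = (i * 73 + 11) & 0xFF
        return ((v & 0xF) << 4) | (v >> 4)
    rom = bytearray(scramble(i) for i in range(256))
    rom[0:3] = b"\x02\x00\x80"        # LJMP 0080h: a plausible reset vector
    rom[0x31:0x3B] = b"VER 1.0 OK"    # constructed 10-byte string
    return bytes(rom)


if __name__ == "__main__":
    good = make_sample_rom()
    # Failure modes from the post: bits stuck high, plus an address line that
    # never toggles (second half of the image repeats the first).
    candidates = {
        "binary 1 (bits 6,7 stuck high)": bytes(b | 0xC0 for b in good),
        "binary 2 (bit 7 stuck high)": bytes(b | 0x80 for b in good),
        "address bit 7 stuck": good[:128] * 2,
        "good": good,
    }
    for name, rom in candidates.items():
        r = check_dump(rom)
        print(f"{name}: plausible={r.plausible()} stuck_high={r.stuck_high} "
              f"aliased_addr={r.aliased_addr} strings={r.strings} "
              f"reset_is_jump={r.reset_is_jump}")
```

Note that a stuck-high bit also wipes out the strings, which is why "strings visible" and "all bits toggling" tend to arrive together once the glitch location is right.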
One early concern was a relatively unusual reset vector, but analysis shows it's fine.</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-cSyDPsamxts/YDK_UcGeS_I/AAAAAAAABJE/ZGDtORGXtI8N05ZsUkGPHI3qDjY3hj0KgCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="240" data-original-width="320" height="240" src="https://lh3.googleusercontent.com/-cSyDPsamxts/YDK_UcGeS_I/AAAAAAAABJE/ZGDtORGXtI8N05ZsUkGPHI3qDjY3hj0KgCLcBGAsYHQ/image.png" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://www.arcade-museum.com/game_detail.php?game_id=10470">Source</a></div><br /></div><div>We also did a small project with S87C751 from World Beach Volley:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-qbvEVUoKlEo/YDLBnGCN0MI/AAAAAAAABJQ/_lUurk3xB7wxi5O90dpf8DukCOfBWf_vwCLcBGAsYHQ/s2048/IMG_2664.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1470" data-original-width="2048" src="https://1.bp.blogspot.com/-qbvEVUoKlEo/YDLBnGCN0MI/AAAAAAAABJQ/_lUurk3xB7wxi5O90dpf8DukCOfBWf_vwCLcBGAsYHQ/s320/IMG_2664.JPG" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;">Above: "MAIN" board w/ chip. 
Handles sound</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-VI_ojNv6fpM/YDLBqlPw31I/AAAAAAAABJU/UgE49tKmq7czOoPqHCjrmJ2fflexJN8pgCLcBGAsYHQ/s2558/IMG_2782.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1229" data-original-width="2558" src="https://1.bp.blogspot.com/-VI_ojNv6fpM/YDLBqlPw31I/AAAAAAAABJU/UgE49tKmq7czOoPqHCjrmJ2fflexJN8pgCLcBGAsYHQ/s320/IMG_2782.JPG" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;">Above: "LINK" board (chip was at right). Handles extended multiplayer</div><div><br /></div><div>One chip is marked "MAIN" and the other is marked "LINK." The smaller link board adds two additional players allowing up to four people to play at once.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-iT7N8igarNg/YDK-848-AEI/AAAAAAAABI8/jJeTslm19UA-ux_vUyLGIiBDsDe5NHY8ACLcBGAsYHQ/s2048/PXL_20201219_102237576.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1152" data-original-width="2048" src="https://1.bp.blogspot.com/-iT7N8igarNg/YDK-848-AEI/AAAAAAAABI8/jJeTslm19UA-ux_vUyLGIiBDsDe5NHY8ACLcBGAsYHQ/s320/PXL_20201219_102237576.jpg" width="320" /></a></div><div><br /></div><div>After a bit of poking around we found a glitch as seen above. The layout seems to loosely resemble what we saw on P87C52EBPN and is probably the same basic glitch on both chips.</div><div><br /></div><div>Currently we are looking at a few programmable logic chips such as PAL16R8A2NC. This chip can be extracted a number of ways including electrically testing all input combinations, imaging burned fuses, or microprobing. We have several of these methods under evaluation and it will hopefully be the subject of our next post. 
Finally, this project has pushed back some more conventional mask ROM captures that are queued such as Apple ADB PICs.</div><div><br /></div><div><span style="color: #222222; font-family: arial; vertical-align: baseline; white-space: pre-wrap;">Enjoy this post? Please </span><span style="color: #222222; font-family: arial; vertical-align: baseline; white-space: pre-wrap;"><a href="https://www.patreon.com/user?u=4805718" style="color: #888888; font-family: arial, tahoma, helvetica, freesans, sans-serif; text-decoration-line: none;">support us on Patreon</a> or</span><span face="Arial, Tahoma, Helvetica, FreeSans, sans-serif" style="color: #222222;"> </span><a href="https://twitter.com/Caps0xff" style="color: #888888; font-family: arial, tahoma, helvetica, freesans, sans-serif; text-decoration-line: none;">follow us on Twitter</a><span face="Arial, Tahoma, Helvetica, FreeSans, sans-serif" style="color: #222222;">! </span><span style="color: #222222; font-family: arial; white-space: pre-wrap;">Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one-time donations.</span></div>

If at first you don't succeed boil it in acid (2020-12-01)<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-xPnm4C8HM6w/X779bJzvVfI/AAAAAAAABGI/oMBxQhtiFEI902DSU64NUj42RXNbABv5gCLcBGAsYHQ/s1073/image.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="881" data-original-width="1073" src="https://1.bp.blogspot.com/-xPnm4C8HM6w/X779bJzvVfI/AAAAAAAABGI/oMBxQhtiFEI902DSU64NUj42RXNbABv5gCLcBGAsYHQ/s320/image.png" width="320" /></a></div><div class="separator"><br /></div><div class="separator"><a 
href="http://caps0ff.blogspot.com/2020/11/the-elusive-tms32010-mask-rom.html">In a previous post</a> we discussed extracting TMS32010 ROMs optically. This information helps the arcade community better understand these cabinets for repairs and historical reference. In this post we investigate later generation TMS320 using a combination of electrical test interfaces and microscope images.</div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-yIRFjQZSpFc/X77ynB4CvXI/AAAAAAAABFY/UDrIkJgTywImphSfv8Pzy1QQV0BHW-nCQCLcBGAsYHQ/s650/die2.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="650" data-original-width="587" height="400" src="https://1.bp.blogspot.com/-yIRFjQZSpFc/X77ynB4CvXI/AAAAAAAABFY/UDrIkJgTywImphSfv8Pzy1QQV0BHW-nCQCLcBGAsYHQ/w361-h400/die2.jpg" width="361" /></a></div><div style="text-align: left;"><br /></div><div class="separator">The first generation Digital Signal Processor (DSP) chips in the first post were succeeded by the TMS320C10 and then the TMS320C25 as seen above. This is Namco Winning Run's <span face="docs-Calibri" style="background-color: white; white-space: pre-wrap;">TMS320C25FNL (decap G82) which was extracted via a similar decapping and imaging process as TMS32010. It's part of <a href="https://en.wikipedia.org/wiki/Namco_System_21">Namco System 21</a> where it accelerates 3D graphics operations. Additional analysis will give the community a much deeper understanding of how the graphics engine works. 
Special thanks to </span><span style="background-color: white; font-family: docs-Calibri; white-space: pre-wrap;">Nathan Gilbert for converting microscope images into firmware!</span></div><div style="text-align: left;"><br /></div><div style="text-align: left;">TMS320C25 was then succeeded by TMS320C5X, which is the focus of this article.</div><p><br /></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-LoXQiwpa3UU/X77YwbNr0rI/AAAAAAAABC8/wXKXlycLyKsh3tTNTFiEWi4mDkNDGePlwCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="320" data-original-width="202" height="240" src="https://lh3.googleusercontent.com/-LoXQiwpa3UU/X77YwbNr0rI/AAAAAAAABC8/wXKXlycLyKsh3tTNTFiEWi4mDkNDGePlwCLcBGAsYHQ/image.png" width="152" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://www.arcade-museum.com/game_detail.php?game_id=8926">Source</a></div><br /><p></p><p>The origin of the TMS320C5X project is a <span face="docs-Calibri" style="background-color: white; font-size: 16px; white-space: pre-wrap;">TMS320BC53PQ80 found on Taito Operation Tiger. Similar to the Winning Run TMS320, Operation Tiger uses TMS320 as part of its graphics engine, and detailed analysis will help the community understand how it works. 
This was thought to possibly be a straightforward project as these chips have several digital interfaces that might be used to quickly extract firmware.</span></p><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-rSKEDQxoRiE/X77e5neXKUI/AAAAAAAABDY/bEh7Ng0DTSUg-Q03FVvADcaKSGhcQjB8ACLcBGAsYHQ/s1886/IMG_20201010_010635_roi.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1570" data-original-width="1886" src="https://1.bp.blogspot.com/-rSKEDQxoRiE/X77e5neXKUI/AAAAAAAABDY/bEh7Ng0DTSUg-Q03FVvADcaKSGhcQjB8ACLcBGAsYHQ/s320/IMG_20201010_010635_roi.jpg" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-1DzQYpvhJ5Q/X77e5kXPIaI/AAAAAAAABDU/qpRKBtX4sQs0Esug_-Ve9tneYoYFLTasQCLcBGAsYHQ/s1173/IMG_20201010_010530_roi.jpg" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="606" data-original-width="1173" src="https://1.bp.blogspot.com/-1DzQYpvhJ5Q/X77e5kXPIaI/AAAAAAAABDU/qpRKBtX4sQs0Esug_-Ve9tneYoYFLTasQCLcBGAsYHQ/s320/IMG_20201010_010530_roi.jpg" width="320" /></a></div><p></p><p>To make things easy we got a TMS320C5X DSP Starter Kit (DSK) development board with matching software. 
It has a very similar part (<span style="background-color: white; font-size: 16px; white-space: pre-wrap;">TMS320C50 vs </span><span style="background-color: white; font-size: 16px; white-space: pre-wrap;">TMS320BC53)</span> in the same footprint which should allow us to run some tests and then transplant the target chip onto the DSK board.</p><p>This is roughly our understanding of how the intended development flow works:</p><p></p><ul style="text-align: left;"><li>Tiny mask ROM firmware loads an external PROM</li><li>External PROM knows how to talk to serial port</li><li>DOS system downloads debug kernel over serial port</li><li>Debug kernel can load additional programs</li></ul><div>We can omit the last step since we just need to send simple commands to the debug kernel. Let's see if we can get that running.</div><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-wmzEL-jpm7M/X77fu86Vy2I/AAAAAAAABDo/VNHmJpgeeMwKCdTu8m3BhrmbGyr5eDEgACLcBGAsYHQ/s721/Screenshot%2Bfrom%2B2020-10-16%2B19-52-32.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="668" data-original-width="721" height="370" src="https://1.bp.blogspot.com/-wmzEL-jpm7M/X77fu86Vy2I/AAAAAAAABDo/VNHmJpgeeMwKCdTu8m3BhrmbGyr5eDEgACLcBGAsYHQ/w400-h370/Screenshot%2Bfrom%2B2020-10-16%2B19-52-32.png" width="400" /></a></div><p>The big catch is that the software runs on DOS with unusual serial port settings (ex: 2 stop bits) which caused some setup issues. The DSK uses this to automatically detect baud rate based on timing between the first command data bits and the stop bits. 
In the end, VMware with an FTDI adapter did the job.</p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-1U2TrputgKk/X77gRco107I/AAAAAAAABDw/DVX6D8MceaANT5iAIkZdvEVpcXynGzRKwCLcBGAsYHQ/s726/Screenshot%2Bfrom%2B2020-10-16%2B19-52-50.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="407" data-original-width="726" height="224" src="https://1.bp.blogspot.com/-1U2TrputgKk/X77gRco107I/AAAAAAAABDw/DVX6D8MceaANT5iAIkZdvEVpcXynGzRKwCLcBGAsYHQ/w400-h224/Screenshot%2Bfrom%2B2020-10-16%2B19-52-50.png" width="400" /></a></div><br /><p>Once the software is up it's relatively straightforward as there are commands to dump memory to files. The only catch is that they have a bug/feature where address 0 can't be saved, but can be seen in the visual display. So we saved most of the data and then manually patched the word at address 0. And so we have the <span face="docs-Calibri" style="background-color: white; font-size: 16px; white-space: pre-wrap;">TMS320C50 bootloader!</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-QTogTL8aIVY/X77ipLlv5mI/AAAAAAAABD8/eNZ3jYcjUMwO53oID6WZBKW_tl2w0FLwACLcBGAsYHQ/s2048/PXL_20201017_080406704_roi.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1615" data-original-width="2048" src="https://1.bp.blogspot.com/-QTogTL8aIVY/X77ipLlv5mI/AAAAAAAABD8/eNZ3jYcjUMwO53oID6WZBKW_tl2w0FLwACLcBGAsYHQ/s320/PXL_20201017_080406704_roi.jpg" width="320" /></a></div><p>Now to try the same thing but with <span face="docs-Calibri" style="background-color: white; font-size: 16px; white-space: pre-wrap;">TMS320BC53.</span></p><p><span face="docs-Calibri" style="background-color: white; font-size: 16px; white-space: pre-wrap;"><a href="https://1.bp.blogspot.com/-uoIjqzUYqCQ/X773qb-WYjI/AAAAAAAABFk/Za85oOcqH3cVxcdwyBHJ7S0wQvgmva9jQCLcBGAsYHQ/s1220/TMS320C50_mmap.png" 
style="font-size: medium; margin-left: 1em; margin-right: 1em; text-align: center; white-space: normal;"><img border="0" data-original-height="736" data-original-width="1220" height="386" src="https://1.bp.blogspot.com/-uoIjqzUYqCQ/X773qb-WYjI/AAAAAAAABFk/Za85oOcqH3cVxcdwyBHJ7S0wQvgmva9jQCLcBGAsYHQ/w640-h386/TMS320C50_mmap.png" width="640" /></a></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-s2cYXoW-vqw/X773qcx2ZVI/AAAAAAAABFo/mCr67bO9bxYxKtFnwTEjwzX85TOTowTrwCLcBGAsYHQ/s1458/c53.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="886" data-original-width="1458" height="389" src="https://1.bp.blogspot.com/-s2cYXoW-vqw/X773qcx2ZVI/AAAAAAAABFo/mCr67bO9bxYxKtFnwTEjwzX85TOTowTrwCLcBGAsYHQ/w640-h389/c53.png" width="640" /></a></div><p style="text-align: center;"><span face="docs-Calibri" style="background-color: white; font-size: 16px; white-space: pre-wrap;"><a href="https://www.ti.com/lit/ug/spru056d/spru056d.pdf">Source</a></span></p><p><span face="docs-Calibri" style="background-color: white; font-size: 16px; white-space: pre-wrap;">However we weren't sure if this would work as the external PROM firmware was written for </span><span face="docs-Calibri" style="background-color: white; font-size: 16px; white-space: pre-wrap;">TMS320C50 which has a different address layout than </span><span face="docs-Calibri" style="background-color: white; font-size: 16px; white-space: pre-wrap;">TMS320C53.</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-IvBTW_SZvTI/X77j-iJBj4I/AAAAAAAABEI/50NV9Iu8zD4udZCC5v3bkkcSPwOUbGlTACLcBGAsYHQ/s1368/Screenshot%2Bfrom%2B2020-10-19%2B02-08-56_roi.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="716" data-original-width="1368" height="209" 
src="https://1.bp.blogspot.com/-IvBTW_SZvTI/X77j-iJBj4I/AAAAAAAABEI/50NV9Iu8zD4udZCC5v3bkkcSPwOUbGlTACLcBGAsYHQ/w400-h209/Screenshot%2Bfrom%2B2020-10-19%2B02-08-56_roi.png" width="400" /></a></div><span face="docs-Calibri" style="background-color: white; font-size: 16px; white-space: pre-wrap;"><p>We swapped the chips and unfortunately it's not working. We put a logic analyzer on and are able to show that DOS is communicating with the board but then something goes wrong. Specifically above shows PROM memory fetches changing in response to serial port data. We can possibly adjust the PROM firmware but there are a few more options to explore.</p></span><p></p><p><span face="docs-Calibri" style="background-color: white; font-size: 16px; white-space: pre-wrap;">What about JTAG support? Even if this works we have a few chips that support JTAG but not the bootloader (ex: Winning Run). So seems like a good excuse to investigate that.</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-G3gUMCIHspM/X77dbB5YCMI/AAAAAAAABDI/U-5bbbwbU44DF8gDMvjDRnueO0L2xB8eACLcBGAsYHQ/s1456/PXL_20201020_004652628_jtag_roi.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1306" data-original-width="1456" src="https://1.bp.blogspot.com/-G3gUMCIHspM/X77dbB5YCMI/AAAAAAAABDI/U-5bbbwbU44DF8gDMvjDRnueO0L2xB8eACLcBGAsYHQ/s320/PXL_20201020_004652628_jtag_roi.jpg" width="320" /></a></div><p>Unfortunately while these chips attempted to support JTAG there are several major issues. First, their JTAG implementation is non-compliant, making it incompatible with many adapters. 
Second, when it does work it's very bare bones and doesn't even support common instructions like IDCODE.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-GbSA2dWEzTo/X77l1qRp8JI/AAAAAAAABEU/uO0XeSihzqs_i85diUy5_GhBAGkQXZnLwCLcBGAsYHQ/s601/Screenshot%2Bfrom%2B2020-10-10%2B17-38-13_roi.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="489" data-original-width="601" src="https://1.bp.blogspot.com/-GbSA2dWEzTo/X77l1qRp8JI/AAAAAAAABEU/uO0XeSihzqs_i85diUy5_GhBAGkQXZnLwCLcBGAsYHQ/s320/Screenshot%2Bfrom%2B2020-10-10%2B17-38-13_roi.png" width="320" /></a></div><p>Most importantly though, even with the right adapter the software is very difficult to set up. The only reference we could find involved patching a very specific version of Code Composer Studio version 3. And even then this probably only gave you TMS320C25 support which we'd then have to extrapolate to TMS320C50.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-l_SQzwM3sWc/X78AVKUiCLI/AAAAAAAABGU/WAxgWIYaVyAGLe3LirpOZAN-RkkMo9OqgCLcBGAsYHQ/s600/xds.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="413" data-original-width="600" src="https://1.bp.blogspot.com/-l_SQzwM3sWc/X78AVKUiCLI/AAAAAAAABGU/WAxgWIYaVyAGLe3LirpOZAN-RkkMo9OqgCLcBGAsYHQ/s320/xds.jpg" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://www.artisantg.com/TestMeasurement/69470-1/Texas-Instruments-Burr-Brown-XDS510-Controller-Module">Source</a></div><p>We tried to find some older DOS software that might support some form of XDS510 (such as the original ISA card above) but were unsuccessful. Since completing this project we have received additional software that might help if we encounter more TMS320. 
That said, if you have more TMS320 software, especially related to JTAG, we'd love to hear from you.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-mghpuMUqStg/X77oEEft-lI/AAAAAAAABEg/O-QqxWtf0rkdEQAmmpoJKWOaVm6ccURmwCLcBGAsYHQ/s808/tdie.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="717" data-original-width="808" src="https://1.bp.blogspot.com/-mghpuMUqStg/X77oEEft-lI/AAAAAAAABEg/O-QqxWtf0rkdEQAmmpoJKWOaVm6ccURmwCLcBGAsYHQ/s320/tdie.jpg" width="320" /></a></div><p>Anyway this means JTAG is not going to be easy. In the spirit of moving forward we begrudgingly decapped the chip and imaged the ROM. While somewhat labor intensive this has a relatively straightforward path to completion.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-vlLIobxdReM/X77oZOHSb9I/AAAAAAAABEo/WUanjZDCSqk42k_C6mczPebke7ElpMIgwCLcBGAsYHQ/s661/logo.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="338" data-original-width="661" src="https://1.bp.blogspot.com/-vlLIobxdReM/X77oZOHSb9I/AAAAAAAABEo/WUanjZDCSqk42k_C6mczPebke7ElpMIgwCLcBGAsYHQ/s320/logo.jpg" width="320" /></a></div><br /><p>Official designation is TMS320C53CS programmed with ROM D17336.</p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-V3tU7rANooA/X77pcEwEcCI/AAAAAAAABE0/uyHqnLolG-MV16rVDYFD3zcOFOUceZ2kQCLcBGAsYHQ/s1854/rom.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="508" data-original-width="1854" height="110" src="https://1.bp.blogspot.com/-V3tU7rANooA/X77pcEwEcCI/AAAAAAAABE0/uyHqnLolG-MV16rVDYFD3zcOFOUceZ2kQCLcBGAsYHQ/w400-h110/rom.png" width="400" /></a></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-IcTxScAls-k/X77rzLMvIEI/AAAAAAAABFA/zAVfa2lid9kXWdtPkzY8rtVfzk3vXw9PQCLcBGAsYHQ/s1308/2.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="638" data-original-width="1308" src="https://1.bp.blogspot.com/-IcTxScAls-k/X77rzLMvIEI/AAAAAAAABFA/zAVfa2lid9kXWdtPkzY8rtVfzk3vXw9PQCLcBGAsYHQ/s320/2.png" width="320" /></a></div><div><br /><p>Zooming in on the ROM you can see it's very <span id="docs-internal-guid-83633200-7fff-193b-82a5-c092b889f59c"><span style="background-color: white; color: #222222; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">sparsely</span></span> populated: there are a few bits at the top middle, and a few at the bottom. This makes sense as it only has a minimal bootloader and the vast majority of the code is in the external PROM.</p><p>A few puzzles though. First, why do the empty areas alternate 1's and 0's? Second, why is code split between the top and bottom? Fortunately we have the ROM from the TMS320C50 which significantly accelerates decoding. 
Take this section after the initial firmware:</p><pre class="code" style="background-color: #f7f9fa; border: 1px dashed rgb(140, 172, 187); margin-bottom: 1em; margin-top: 0px; overflow: auto; padding: 0.5em;">00000270 be 4d bf b0 00 ff 6d 68 90 68 be 1f a7 68 b8 01 |.M....mh.h...h..|
00000280 be 1e 7b 90 01 31 69 66 be 20 be 4d e0 00 01 46 |..{..1if. .M...F|
00000290 be 4c ec 00 79 80 01 49 ff ff ff ff ff ff ff ff |.L..y..I........|
000002a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000002b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000002c0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
000002d0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
000002e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000002f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000300 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
00000310 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
</pre><p>We can see the transition from normal firmware into the fill pattern: 32-byte blocks of all ones alternating with 32-byte blocks of all zeros. While it's unclear why TI did this, it is most likely the actual ROM content rather than some kind of obfuscation. Our best guess is that it plays a role similar to CMP dummy fill on planarized ICs: a large region programmed to a single polarity would look much less like normal data than a mix of ones and zeros does, and that kind of uniformity can cause yield issues. We couldn't find an introductory article to link, but <a href="https://semiwiki.com/eda/670-smart-fill-replaces-dummy-fill-approach-in-a-dfm-flow/">check out something like this</a> for more information.</p><p>Also note that our TMS320C50 dump has a footer:</p><pre class="code" style="background-color: #f7f9fa; border: 1px dashed rgb(140, 172, 187); margin-bottom: 1em; margin-top: 0px; overflow: auto; padding: 0.5em;">00000f00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
00000f10 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
00000f20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000f30 00 00 00 00 00 00 00 00 00 00 bc 00 5d 07 00 30 |............]..0|
00000f40 ae 11 00 00 8b 8d bf 0d 80 00 bb 02 a5 a0 07 fd |................|
00000f50 f4 00 5d 6a 80 00 5d 26 02 f0 5e 26 ff ef b9 f8 |..]j..]&amp;..^&amp;....|
00000f60 88 22 88 32 ae 21 a5 96 ae 31 59 a3 b4 01 be c5 |.".2.!...1Y.....|
</pre><p>ROM arrays are sometimes divided into pages, breaking the memory up into smaller sections. 
It looks like TMS320C50 has one page and <span face="docs-Calibri" style="background-color: white; white-space: pre-wrap;">TMS320BC53 has four pages, so we think these might be page footers.</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-0g5Whj-PrXo/X77vL9CtF9I/AAAAAAAABFM/YC5ylM3WMK816_z-Xyf_FBf4glojbwZmACLcBGAsYHQ/s1854/rom2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="508" data-original-width="1854" height="110" src="https://1.bp.blogspot.com/-0g5Whj-PrXo/X77vL9CtF9I/AAAAAAAABFM/YC5ylM3WMK816_z-Xyf_FBf4glojbwZmACLcBGAsYHQ/w400-h110/rom2.png" width="400" /></a></div><span style="background-color: white;"><span face="docs-Calibri"><span style="white-space: pre-wrap;"><p style="white-space: normal;"><span face="docs-Calibri" style="white-space: pre-wrap;">With this in mind </span><span style="font-family: docs-Calibri;">Nathan Gilbert did the heavy lifting here. First</span><span face="docs-Calibri" style="white-space: pre-wrap;"> he decoded the four pages separately and munged until they roughly resembled the </span><span style="background-color: transparent; white-space: pre-wrap;">TMS320C50 data. We then compared footers between pages and found bits to order the pages as labeled above. These bits are believed to be an absolute address as part of an assembly routine but significant analysis has not been done.</span></p><p><span style="background-color: transparent;">Now with the ROM decoded we can compare </span><span face="docs-Calibri">TMS320C50 and </span><span face="docs-Calibri">TMS320BC53. While the main firmware is identical the footer has a number of differences. 
We don't believe anyone has yet looked into specifics.</span></p></span></span></span><p><span face="docs-Calibri" style="background-color: white;"></span></p><div class="separator" style="clear: both; text-align: center; white-space: pre-wrap;"><span face="docs-Calibri" style="background-color: white;"><a href="https://1.bp.blogspot.com/-EmJQw5i1YnM/X7744d25ydI/AAAAAAAABF4/IhxKlPr1WgwSEAiqqGG0yBo9I4Vn_eAAgCLcBGAsYHQ/s736/c52.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="529" data-original-width="736" src="https://1.bp.blogspot.com/-EmJQw5i1YnM/X7744d25ydI/AAAAAAAABF4/IhxKlPr1WgwSEAiqqGG0yBo9I4Vn_eAAgCLcBGAsYHQ/s320/c52.jpg" width="320" /></a></span></div><div class="separator" style="clear: both; text-align: center; white-space: pre-wrap;"><span face="docs-Calibri" style="background-color: white;"><br /></span></div><span face="docs-Calibri" style="background-color: white;"><span style="color: #222222; font-family: arial;"><span style="white-space: pre-wrap;">Finally, there was a brief effort to decode an unknown TMS320C52 wafer with a large amount of firmware. Someone attempted to use computer vision to automatically extract the bits but it was ultimately </span><span style="white-space: pre-wrap;">abandoned</span><span style="white-space: pre-wrap;"> due to some combination of insufficient data quality and low </span><span style="white-space: pre-wrap;">perceived</span><span style="white-space: pre-wrap;"> impact of having a </span><span style="white-space: pre-wrap;">successful</span><span style="white-space: pre-wrap;"> decode.</span></span></span><p></p><p><span face="docs-Calibri" style="background-color: white; white-space: pre-wrap;"><span style="color: #222222; font-family: arial; vertical-align: baseline;">That about wraps it up. Lots of people helped complete this project! 
Special thanks to the following:</span></span></p><p></p><ul style="text-align: left;"><li><span style="background-color: white; font-family: docs-Calibri;">Nathan Gilbert: decoding, bit typing</span></li><li><span style="background-color: white; font-family: docs-Calibri;">jordigahan: board purchase</span></li><li><span style="background-color: white; font-family: docs-Calibri;">ClawGrip</span>: board purchase</li><li><span style="background-color: white; font-family: docs-Calibri;">Montornés Solé</span>: board purchase</li><li><span style="background-color: white; font-family: docs-Calibri;">Philip Åkesson: bit typing</span></li><li><span style="background-color: white; font-family: docs-Calibri;">James Sun</span>: bit typing</li></ul><p></p><p><span face="docs-Calibri" style="background-color: white; white-space: pre-wrap;"><span style="color: #222222; font-family: arial; vertical-align: baseline;">Enjoy this post? Please </span><span style="color: #222222; font-family: arial; vertical-align: baseline;"><a href="https://www.patreon.com/user?u=4805718" style="color: #888888; font-family: arial, tahoma, helvetica, freesans, sans-serif; text-decoration-line: none;">support us on Patreon</a> or</span><span face="Arial, Tahoma, Helvetica, FreeSans, sans-serif" style="color: #222222; white-space: normal;"> </span><a href="https://twitter.com/Caps0xff" style="color: #888888; font-family: arial, tahoma, helvetica, freesans, sans-serif; text-decoration-line: none; white-space: normal;">follow us on Twitter</a><span face="Arial, Tahoma, Helvetica, FreeSans, sans-serif" style="color: #222222; white-space: normal;">! 
</span><span style="color: #222222; font-family: arial;">Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.</span></span></p></div>CAPS0ffhttp://www.blogger.com/profile/01614107641236756516noreply@blogger.com2tag:blogger.com,1999:blog-5831808578326311132.post-64516179297703384652020-11-04T11:09:00.003-08:002020-11-04T15:46:12.356-08:00Extracting the elusive TMS32010 mask ROM<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-9H53lvKslFo/X53yUIwbhzI/AAAAAAAABCc/b92Nbzcax-k8scnF5judQPxagKsDuSE0wCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="996" data-original-width="800" height="240" src="https://lh3.googleusercontent.com/-9H53lvKslFo/X53yUIwbhzI/AAAAAAAABCc/b92Nbzcax-k8scnF5judQPxagKsDuSE0wCLcBGAsYHQ/image.png" width="193" /></a></div><div style="text-align: center;"><a href="https://en.wikipedia.org/wiki/Speak_%26_Spell_(toy)#/media/File:Speak_&_Spell_(original_style).jpg">Source</a></div><p></p><p>In the late 1970s Texas Instruments made the TMS5100 for the Speak &amp; Spell. This special purpose processor could quickly do the math operations required for speech synthesis. It is an early form of Digital Signal Processing (DSP), where digital filters are implemented in code instead of with discrete components like capacitors and resistors. Following the success of that project TI looked into higher performance DSP architectures, which resulted in the TMS320 family being released in the early 1980s.</p><p>This was welcome news to game designers of the 1980s. Arcade machines require a wide variety of high performance audio and video processing. Unfortunately CPUs of the day were relatively slow, meaning cutting edge games required expensive custom logic built from large circuit boards or custom ASICs. 
DSPs introduced a new option: hardware focused on high performance math operations rather than general purpose code execution.</p><div style="text-align: left;">Specifically, the first generation TMS320 included the TMS320M10, a version with 3K bytes (1.5K 16-bit words) of mask ROM. This was used in a few Toaplan games like Flying Shark (decap G72, G210) and Kyukyoku Tiger (also known as Twin Cobra, decap G71):</div><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-Vj7Abibi1dA/X53eMyHCdaI/AAAAAAAABB0/rv7KBWe-mOsDkeAs6R6NRQD-vkleBoi6QCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="511" data-original-width="800" height="204" src="https://lh3.googleusercontent.com/-Vj7Abibi1dA/X53eMyHCdaI/AAAAAAAABB0/rv7KBWe-mOsDkeAs6R6NRQD-vkleBoi6QCLcBGAsYHQ/image.png" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://retro-video-gaming.com/famicom-cartridge-collage/kyukyoku-tiger_/">Source</a></div><p></p><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-xEHs1H79tAo/X53etctj9JI/AAAAAAAABCA/UBJTY2jBqiE5fmeap5UIIV3_EYzlLcedgCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="239" data-original-width="256" height="240" src="https://lh3.googleusercontent.com/-xEHs1H79tAo/X53etctj9JI/AAAAAAAABCA/UBJTY2jBqiE5fmeap5UIIV3_EYzlLcedgCLcBGAsYHQ/image.png" width="257" /></a></div></div><div class="separator" style="clear: both; text-align: center;"><a href="http://magweasel.com/2009/12/01/i-love-the-pc-engine-kyukyoku-tiger/">Source</a></div><p></p><p>More info <a 
href="https://github.com/mamedev/mame/blob/master/src/mame/drivers/twincobr.cpp">can be found here</a>. Anyway, here's a TMS320M10 die shot:</div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-Q6C1lPFqajc/X5zzy5l9nEI/AAAAAAAAA_s/VPEQfxuGbjgl2PeS9iCm6amBjenhK5ocwCLcBGAsYHQ/s1073/Screenshot%2Bfrom%2B2020-10-30%2B22-17-04.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="881" data-original-width="1073" src="https://1.bp.blogspot.com/-Q6C1lPFqajc/X5zzy5l9nEI/AAAAAAAAA_s/VPEQfxuGbjgl2PeS9iCm6amBjenhK5ocwCLcBGAsYHQ/s320/Screenshot%2Bfrom%2B2020-10-30%2B22-17-04.png" width="320" /></a></div><p>Close up of the logo:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-fJUs_MfagtY/X5z0TBjjGkI/AAAAAAAAA_4/S5-lt5FoHaYQsvAuasYLd24-Sm9XvQzKACLcBGAsYHQ/s770/Screenshot%2Bfrom%2B2020-10-30%2B22-20-18.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="587" data-original-width="770" src="https://1.bp.blogspot.com/-fJUs_MfagtY/X5z0TBjjGkI/AAAAAAAAA_4/S5-lt5FoHaYQsvAuasYLd24-Sm9XvQzKACLcBGAsYHQ/s320/Screenshot%2Bfrom%2B2020-10-30%2B22-20-18.png" width="320" /></a></div><div><br /></div><div>Note the die part number is "32010C", not "320M10" as in the marketing material. This is similar to how "TMS5100" is a marketing name while internally the part is a "TMC0280." 
Also note that the second line of text, diffusion on the silicon substrate, matches the package marking:</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-yXeC6HKWhiI/X50M16VhDfI/AAAAAAAABA8/wiz1HxoOpFUj8SXbzzIGBBBaT3U30t88QCLcBGAsYHQ/Screenshot%2Bfrom%2B2020-10-31%2B00-05-03.jpg" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="183" data-original-width="586" height="125" src="https://lh3.googleusercontent.com/-yXeC6HKWhiI/X50M16VhDfI/AAAAAAAABA8/wiz1HxoOpFUj8SXbzzIGBBBaT3U30t88QCLcBGAsYHQ/w400-h125/Screenshot%2Bfrom%2B2020-10-31%2B00-05-03.jpg" width="400" /></a></div><br />Checking out the ROM area we can vaguely see bits, but with poor contrast:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-jzMzs69Zk5Q/X5z1dNvaSuI/AAAAAAAABAE/j7B5TqanGnUXvC-iZ6mFmJ2IKwRBNMNMQCLcBGAsYHQ/s727/Screenshot%2Bfrom%2B2020-10-30%2B22-24-26.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="597" data-original-width="727" src="https://1.bp.blogspot.com/-jzMzs69Zk5Q/X5z1dNvaSuI/AAAAAAAABAE/j7B5TqanGnUXvC-iZ6mFmJ2IKwRBNMNMQCLcBGAsYHQ/s320/Screenshot%2Bfrom%2B2020-10-30%2B22-24-26.png" width="320" /></a></div><div><br /></div><div>Zooming in helps a little, but it's still pretty hard to read:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-qx5lTjqX8R0/X5z2KAp2QPI/AAAAAAAABAM/Ez7QdL2i6Fwnh-Ivi_DUW6PUGpb-05VEgCLcBGAsYHQ/s501/Screenshot%2Bfrom%2B2020-10-30%2B22-27-54.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="488" data-original-width="501" src="https://1.bp.blogspot.com/-qx5lTjqX8R0/X5z2KAp2QPI/AAAAAAAABAM/Ez7QdL2i6Fwnh-Ivi_DUW6PUGpb-05VEgCLcBGAsYHQ/s320/Screenshot%2Bfrom%2B2020-10-30%2B22-27-54.png" width="320" /></a></div><br /><div>It looks like it might be a diffusion ROM, 
in which case delayering down to the silicon substrate will improve contrast. This is consistent with D70015, presumably the mask ROM ID, being encoded in diffusion. Die after delayering:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-oOmZQjjQfVA/X5zz3dDagqI/AAAAAAAAA_w/DgKxyci-J6sdoTnfs7f_LqqjZMl0hczpQCLcBGAsYHQ/s1066/Screenshot%2Bfrom%2B2020-10-30%2B22-17-50.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="877" data-original-width="1066" src="https://1.bp.blogspot.com/-oOmZQjjQfVA/X5zz3dDagqI/AAAAAAAAA_w/DgKxyci-J6sdoTnfs7f_LqqjZMl0hczpQCLcBGAsYHQ/s320/Screenshot%2Bfrom%2B2020-10-30%2B22-17-50.png" width="320" /></a></div><p>The ROM is now much easier to read:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-u-nbRr_b4oo/X5z3Wjs9vtI/AAAAAAAABAY/lKETgWOrdFQ--m5SARK6HxmODAdchlxgACLcBGAsYHQ/s536/Screenshot%2Bfrom%2B2020-10-30%2B22-30-17.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="488" data-original-width="536" src="https://1.bp.blogspot.com/-u-nbRr_b4oo/X5z3Wjs9vtI/AAAAAAAABAY/lKETgWOrdFQ--m5SARK6HxmODAdchlxgACLcBGAsYHQ/s320/Screenshot%2Bfrom%2B2020-10-30%2B22-30-17.png" width="320" /></a></div><p>Now we can also see the cause of the contrast issue: in the earlier image the polysilicon and metal were laid over the diffusion lines, hiding most of the detail. With the polysilicon and metal removed the bits resolve clearly.</p><p>Next the ROM photograph is converted into a 2D bit array so we can figure out the bit order. Usually the bit order is fairly regular, for example bits grouped into columns with the least significant bit at the left and the most significant bit at the right. 
Consider a 4 bit CPU with this ROM layout:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-D4S_p5xSz0M/X5z9qIqIQ0I/AAAAAAAABAk/njbTlDMV9GsforXa0Erf0DinQFU2vao2gCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="195" data-original-width="805" height="98" src="https://lh3.googleusercontent.com/-D4S_p5xSz0M/X5z9qIqIQ0I/AAAAAAAABAk/njbTlDMV9GsforXa0Erf0DinQFU2vao2gCLcBGAsYHQ/w400-h98/image.png" width="400" /></a></div><p>Where:</p><p></p><ul style="text-align: left;"><li>B0 means bit 0, the least significant bit, and B3 is the most significant bit</li><li>Bits are grouped into columns</li><li>Each bit column starts at the upper left, scans right, and then wraps around to the next row</li></ul><p></p><p>Let's say your ROM is typed as:</p><div style="text-align: left;"><pre class="code" style="background-color: #f7f9fa; border: 1px dashed rgb(140, 172, 187); margin-bottom: 1em; margin-top: 0px; overflow: auto; padding: 0.5em; text-align: justify;"><span style="background-color: transparent; text-align: left;"><span style="font-size: 12.48px;"><b>0</b>1 <b>1</b>0 <b>1</b>0 <b>1</b>0<br /></span><span style="font-size: 12.48px;">00 10 01 11</span></span></pre></div><div>Where spaces have been added to emphasize the bit columns and the first word is highlighted in bold. Using the decoding scheme above results in the following 4 bit words:</div><div><ul style="text-align: left;"><li>0xE</li><li>0x1</li><li>0xA</li><li>0xC</li></ul></div><div>Unfortunately there are many variants on this type of scheme and it may not be obvious which one is used in a particular memory. However there are a couple of ways to narrow it down:</div><div><ul style="text-align: left;"><li>Reverse engineer the decode logic and deduce the scheme from first principles</li><li>Make educated guesses</li></ul></div><div>The first always works, but can be a lot of effort. 
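<p>To make the guessing approach concrete, here is an added Python example (ours, not code from the Caps0ff project). It parses a typed bit grid like the one above, decodes it under a layout described by a column order, a polarity and optional mirroring, and then brute-forces a small set of candidate layouts by counting how many expected reference words each one reproduces, which is the kind of search used on the real TMS32010 dump later in this post. The 4-bit grid is the one typed above; the 16-bit grid is constructed here from words in the disassembly listings that follow and deliberately scrambled, and the candidate set is an assumption that a real die may well exceed.</p>

```python
"""Decode a typed mask-ROM bit grid into words and search candidate layouts.

Added example for this post, not code from the Caps0ff project. The 4-bit grid
is the one typed above; the 16-bit grid is constructed here (make_typed_grid)
only to exercise the search. The candidate-layout set and the encode/decode
conventions are assumptions, not TMS32010 specifics.
"""
from itertools import product


def parse_grid(text):
    """Typed ROM text: one physical row per line, '0'/'1' per cell; other
    characters (the spaces used to mark bit columns) are ignored."""
    rows = [[int(c) for c in line if c in "01"] for line in text.splitlines()]
    rows = [r for r in rows if r]
    if len({len(r) for r in rows}) != 1:
        raise ValueError("ragged grid")
    return rows


def decode_words(grid, nbits, col_order=None, invert=False, hmirror=False, vflip=False):
    """Decode a grid whose nbits bit columns are contiguous groups of width
    len(row) // nbits, each scanned left to right before wrapping to the next
    physical row. col_order[i] is the physical column group holding logical
    bit i (None: bit 0 leftmost). invert flips polarity; hmirror and vflip
    mirror the image first, since a die can be photographed either way round."""
    rows = list(reversed(grid)) if vflip else list(grid)
    if hmirror:
        rows = [list(reversed(r)) for r in rows]
    width = len(rows[0])
    if width % nbits:
        raise ValueError("row width %d is not a multiple of %d bits" % (width, nbits))
    group = width // nbits
    col_order = list(range(nbits)) if col_order is None else col_order
    words = []
    for row in rows:
        for k in range(group):
            word = 0
            for bit in range(nbits):
                word |= (row[col_order[bit] * group + k] ^ int(invert)) << bit
            words.append(word)
    return words


def candidate_layouts(nbits):
    """Assumed search space: bit 0 leftmost or rightmost, both polarities,
    both mirror axes. A real die may need more (the mirrored column pairs
    seen on the BSMT2000 later in this post, for instance)."""
    orders = {"lsb_left": list(range(nbits)), "lsb_right": list(range(nbits))[::-1]}
    for (name, order), invert, hmirror, vflip in product(
            orders.items(), (False, True), (False, True), (False, True)):
        yield {"order_name": name, "col_order": order, "invert": invert,
               "hmirror": hmirror, "vflip": vflip}


def decode_with(grid, nbits, layout):
    return decode_words(grid, nbits, layout["col_order"], layout["invert"],
                        layout["hmirror"], layout["vflip"])


def score_layout(grid, nbits, layout, reference):
    """How many {address: expected word} reference entries the layout reproduces."""
    words = decode_with(grid, nbits, layout)
    return sum(1 for addr, want in reference.items() if addr < len(words) and words[addr] == want)


def search_layouts(grid, nbits, reference):
    """All candidate layouts ranked by reference hits, best first."""
    ranked = [(score_layout(grid, nbits, lay, reference), lay) for lay in candidate_layouts(nbits)]
    ranked.sort(key=lambda pair: -pair[0])
    return ranked


def make_typed_grid(words, nbits, group, layout):
    """Constructed test input: lay words out under `layout` and return the
    grid a transcriber would have typed. Exact inverse of decode_with."""
    rows = []
    for i in range(0, len(words), group):
        row = [0] * (nbits * group)
        for k, word in enumerate(words[i:i + group]):
            for bit in range(nbits):
                row[layout["col_order"][bit] * group + k] = ((word >> bit) & 1) ^ int(layout["invert"])
        rows.append(row)
    if layout["hmirror"]:
        rows = [r[::-1] for r in rows]
    if layout["vflip"]:
        rows = rows[::-1]
    return rows


# The 4-bit example typed above; expected words 0xE, 0x1, 0xA, 0xC.
FOUR_BIT = parse_grid("01 10 10 10\n00 10 01 11")

# Words copied from the first TMS32010 listing below; the scrambled layout is ours.
WORDS = [0xF900, 0x0010, 0xF900, 0x00AF, 0x7F8A, 0xF500, 0x0013, 0x7F81]
TRUE_LAYOUT = {"col_order": list(range(16))[::-1], "invert": True, "hmirror": True, "vflip": False}
TYPED = make_typed_grid(WORDS, 16, 2, TRUE_LAYOUT)
# The heuristic used in this post: a branch opcode word 0xF900 at addresses 0 and 2.
REFERENCE = {0: 0xF900, 2: 0xF900}


def best_decode(grid=TYPED, nbits=16, reference=REFERENCE):
    """Decode under the best-scoring layout; returns (score, layout, words)."""
    score, layout = search_layouts(grid, nbits, reference)[0]
    return score, layout, decode_with(grid, nbits, layout)


if __name__ == "__main__":
    print([hex(w) for w in decode_words(FOUR_BIT, 4)])
    score, layout, words = best_decode()
    print(score, layout["order_name"], layout["invert"], layout["hmirror"], layout["vflip"])
    print(" ".join("%04x" % w for w in words))
```

<p>The point of the round trip is that two reference words are enough to pick the scrambled layout out of this candidate set. On a real dump you would feed the typed .txt into parse_grid, grow the candidate set to cover whatever the die shots suggest, and check that the winning layout also produces sensible code away from the reference addresses, not just at them.</p>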
Instead, we usually rely on the fact that most architectures have a few regular patterns that we can look for. For example, here are a few TMS32010 binaries disassembled:</div><div><br /></div><div><pre class="code" style="background-color: #f7f9fa; border: 1px dashed rgb(140, 172, 187); margin-bottom: 1em; margin-top: 0px; overflow: auto; padding: 0.5em; text-align: justify;"><span style="font-size: 12.48px;">000: f900 0010 b 0010h
002: f900 00af b 00AFh
...
010: 7f8a rovm
011: f500 0013 bv 0013h</span></pre></div><div style="text-align: justify;"><br /></div><div><pre class="code" style="background-color: #f7f9fa; border: 1px dashed rgb(140, 172, 187); margin-bottom: 1em; margin-top: 0px; overflow: auto; padding: 0.5em; text-align: justify;"><span style="font-size: 12.48px;">000: f900 0004 b 0004h
002: f900 0d96 b 0D96h
004: 7f81 dint
005: 7f8a rovm
</span></pre></div><div><span style="font-size: 12.48px;"><br /></span></div><div><pre class="code" style="background-color: #f7f9fa; border: 1px dashed rgb(140, 172, 187); margin-bottom: 1em; margin-top: 0px; overflow: auto; padding: 0.5em; text-align: justify;"><span style="font-size: 12.48px;">000: f900 00d7 b 00D7h
002: f900 0642 b 0642h
...
0d7: 7f8b sovm
0d8: 6e00 ldpk 0</span>
</pre></div><div style="text-align: justify;"><span style="font-family: inherit; text-align: left;">So a good guess is that the first and third words are both 0xF900, the opcode word of the initial branch. Let's use that as a heuristic to tell whether a candidate memory layout is correct.</span></div><div><span style="font-family: inherit;"><br /></span></div><div><div>It's also worth mentioning that we don't yet know the bit polarity: does a squiggle in the image mean a 0 or a 1? One way to deal with this intuitively is to think in terms of bit transitions or Hamming distance rather than the actual values. If a program is extracting the bits we usually try both polarities and see which works better.</div></div><div><span style="font-family: inherit;"><br /></span></div><div>Unfortunately we tried a few simple layouts and didn't see any 0xF900s coming out. Fortunately Nathan Gilbert volunteered to help and made several major contributions. First, he digitized all three ROM photographs into bits in a .txt file. The bits were then compared between chips, which shows where the common data is. In particular this gives a hint as to which side of the memory layout the initial branch instruction, 0xF900, might be on.</div><div><br /></div><div>Nathan then pored over the bits in great detail but had trouble finding a simple solution. Next he looked at our die shots to see if they provide hints. For example, they show how large the memory blocks are and may reveal things like unusual bit ordering on the data buses.</div><div><br /></div><div>Unfortunately we were still struggling. But we thought we might have a silver bullet: a previous project had decoded the BSMT2000 audio chip, a TMS320C15. 
Maybe we could dig up this data, study the encoding, and use that to decipher the order?</div><div><br /></div><div>We found the binary and bsmt2000 scanning electron microscope (SEM) images from Dr Decap:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-r1vwa-D8uwA/X50QaPvowRI/AAAAAAAABBI/HDc50Ev3qOckQVtR_AbVZ2baL6z-sV88ACLcBGAsYHQ/s595/Screenshot%2Bfrom%2B2020-10-31%2B00-19-25.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="240" data-original-width="595" height="161" src="https://1.bp.blogspot.com/-r1vwa-D8uwA/X50QaPvowRI/AAAAAAAABBI/HDc50Ev3qOckQVtR_AbVZ2baL6z-sV88ACLcBGAsYHQ/w400-h161/Screenshot%2Bfrom%2B2020-10-31%2B00-19-25.jpg" width="400" /></a></div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-PppM3wq3--I/X53uk1BCmVI/AAAAAAAABCQ/CrMhqRJbDCAlkypYd1nNAJDKpd7et-7vgCLcBGAsYHQ/Screenshot%2Bfrom%2B2020-10-31%2B16-08-12.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="238" data-original-width="597" height="160" src="https://lh3.googleusercontent.com/-PppM3wq3--I/X53uk1BCmVI/AAAAAAAABCQ/CrMhqRJbDCAlkypYd1nNAJDKpd7et-7vgCLcBGAsYHQ/w400-h160/Screenshot%2Bfrom%2B2020-10-31%2B16-08-12.png" width="400" /></a></div><br /></div><div><div>Unfortunately we didn't find any info on the bit ordering or the intermediate photograph typed bits, but having the final binary and the source image is a good starting point nonetheless.</div><div><br /></div></div><div>Zooming in on some bits:</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-iL7EzK2KI4A/X50QgXcJjpI/AAAAAAAABBM/HYoa2EEyeFAcszO85YRS_sXyvsJeT3KWQCLcBGAsYHQ/Screenshot%2Bfrom%2B2020-10-31%2B00-19-52.jpg" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="835" 
data-original-width="1310" height="255" src="https://lh3.googleusercontent.com/-iL7EzK2KI4A/X50QgXcJjpI/AAAAAAAABBM/HYoa2EEyeFAcszO85YRS_sXyvsJeT3KWQCLcBGAsYHQ/w400-h255/Screenshot%2Bfrom%2B2020-10-31%2B00-19-52.jpg" width="400" /></a></div><br />Here bits are represented by contacts, shown in bright white. But that's a problem: TMS32010C is a diffusion ROM while TMS320C15 is a contact ROM. This means it may not help with decoding TMS32010C. </div><div><span style="font-family: inherit;"><br /></span></div><div>Still, there are things to learn. First, you can figure out the high level structure without knowing the exact data. For example, what is the relationship between the top and bottom memory blocks? There are a few ways they could be structured, but generally the simplest is to put the memories in parallel. This means half of the 16 bit word comes from the top and half from the bottom memory structure. This is a good baseline assumption and turns out to be true for this chip.</div><div><div><br /></div><div>Next, the specific column order needs to be figured out. 
Nathan dug in and matched the reference words (0xF900) to find that the bit order roughly looks like this (simplified example with 2 bits):</div></div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-pTTiEBDRveo/X50SgnKqg1I/AAAAAAAABBc/iOKREf5m5nQry8yhdWdzcib5O5I_lifxwCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="204" data-original-width="822" height="99" src="https://lh3.googleusercontent.com/-pTTiEBDRveo/X50SgnKqg1I/AAAAAAAABBc/iOKREf5m5nQry8yhdWdzcib5O5I_lifxwCLcBGAsYHQ/w400-h99/image.png" width="400" /></a></div><div><br /></div>This ordering is a bit more complicated than the previous one, as the column layouts come in mirrored pairs rather than all being identical. Good to know, but unclear whether any of it will help with TMS32010C.</div><div><br /></div><div>Going back to TMS32010C, let's summarize the clues we have so far:</div><div><ul style="text-align: left;"><li>16 bit words</li><li>Expect the first word to be 0xf900</li><li>Know a possibly related memory layout</li><li>Hint which side of the die is address 0</li><li>Have several firmware files to try</li></ul></div><div>And then a breakthrough: Nathan notices that decaps 72 and 210, although very similar, have some code inserted in the middle, shifting words to a higher address. 
This is a crucial key: we have an example of what it looks like to move data to a higher address.</div><div><br /></div><div>After some serious permuting, intuition, and a little binary magic, <span face="docs-Calibri" style="background-color: white; white-space: pre-wrap;">Nathan discovers that bytes are permuted according to a table like "</span><span face="docs-Calibri"><span style="white-space: pre-wrap;">7, 2, 6, 3, 5, 4, 0, 1". It appears to be related to some logic in the address decoder itself:</span></span></div><div><span face="docs-Calibri"><span style="white-space: pre-wrap;"><br /></span></span></div><div><span face="docs-Calibri"><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-8wjsvdaIt6c/X50bgyfncQI/AAAAAAAABBo/sVw1PLvi4ZAIZ-PIe0k0pG3zebbNz-kTgCLcBGAsYHQ/s464/Screenshot%2Bfrom%2B2020-10-31%2B00-56-25_3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="464" data-original-width="447" height="320" src="https://1.bp.blogspot.com/-8wjsvdaIt6c/X50bgyfncQI/AAAAAAAABBo/sVw1PLvi4ZAIZ-PIe0k0pG3zebbNz-kTgCLcBGAsYHQ/s320/Screenshot%2Bfrom%2B2020-10-31%2B00-56-25_3.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div></span></div><div><span face="docs-Calibri"><span style="white-space: pre-wrap;">Where we find a very similar, but not identical table. This pattern is repeated all along the bit lines and is likely muxing them in roughly this fashion.</span></span></div><div><span face="docs-Calibri"><span style="white-space: pre-wrap;"><br /></span></span></div><div><span face="docs-Calibri" style="white-space: pre-wrap;">Both the row and column depend on this table, so it makes for a somewhat involved decoding. 
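</span></div><div>To make the decoding step concrete, here is an added example (our own code, not Nathan's tooling or the post's) of a deliberately simplified model: the two memory blocks are assumed to sit in parallel (top block supplying the high byte, bottom block the low byte), and the "7, 2, 6, 3, 5, 4, 0, 1" table is assumed to permute address bits only. The post says the real decoder mixes this table into both the row and column order, so this is the skeleton of the method rather than the exact mapping; the ROM contents are constructed. The sanity check at the end is the same one the post uses, namely that word 0 is a branch (0xF900) whose target lies inside the ROM.</div>

```python
"""Simplified TMS32010C ROM decode: un-permute address bits, join the two
parallel blocks into 16-bit words, then sanity-check the result.

Added example, not code from the post. ASSUMPTIONS: the table permutes
address bits only, top block = high byte, bottom block = low byte, and
the ROM image below is constructed.
"""

# Assumed model of the post's table: logical address bit i is taken from
# physical address bit TABLE[i].
TABLE = (7, 2, 6, 3, 5, 4, 0, 1)
IDENTITY = tuple(range(8))


def permute_address(addr, table):
    """Return an address whose bit i is bit table[i] of `addr`."""
    out = 0
    for i, src in enumerate(table):
        out |= ((addr >> src) & 1) << i
    return out


def invert(table):
    """Inverse permutation, so the physical->logical mapping can be undone."""
    inv = [0] * len(table)
    for i, src in enumerate(table):
        inv[src] = i
    return tuple(inv)


def decode(hi_rows, lo_rows, table):
    """Combine the two blocks (read in physical row order) into logical words."""
    n = len(hi_rows)
    if n != len(lo_rows) or n != 1 << len(table):
        raise ValueError("block size must match the address width of the table")
    words = [0] * n
    for phys in range(n):
        words[permute_address(phys, table)] = (hi_rows[phys] << 8) | lo_rows[phys]
    return words


def scramble(words, table):
    """Inverse of decode(): lay logical words out the way the die shows them."""
    inv = invert(table)
    hi, lo = [0] * len(words), [0] * len(words)
    for logical, w in enumerate(words):
        phys = permute_address(logical, inv)
        hi[phys], lo[phys] = w >> 8, w & 0xFF
    return hi, lo


def disassemble(words):
    """Only the TMS32010 opcodes the post leans on; everything else is data."""
    out, pc = [], 0
    while pc < len(words):
        w = words[pc]
        if w == 0xF900 and pc + 1 < len(words):      # B: unconditional branch, 2 words
            out.append((pc, "b %03xh" % words[pc + 1]))
            pc += 2
            continue
        if w == 0x7F81:                               # DINT
            out.append((pc, "dint"))
        elif (w & 0xFE00) == 0x7000:                  # LARK AR0/AR1, k
            out.append((pc, "lark AR%d,%02xh" % ((w >> 8) & 1, w & 0xFF)))
        else:
            out.append((pc, ".word %04xh" % w))
        pc += 1
    return out


def plausible(words):
    """Post's sanity check: word 0 is a branch and every branch target is in range."""
    if len(words) < 2 or words[0] != 0xF900:
        return False
    return all(words[i + 1] < len(words)
               for i, w in enumerate(words[:-1]) if w == 0xF900)


def sample_rom(n=256):
    """Constructed 256-word image with vectors laid out like the post's listing."""
    rom = [0x8000 | i for i in range(n)]          # filler: never an in-range target
    rom[0:4] = [0xF900, 0x0019, 0xF900, 0x0020]   # b 019h ; b 020h
    rom[0x19] = 0x7F81                            # dint
    rom[0x20:0x22] = [0x7F81, 0x7000]             # dint ; lark AR0,00h
    return rom


if __name__ == "__main__":
    rom = sample_rom()
    hi, lo = scramble(rom, TABLE)                 # what the die photos would give us
    print("correct table plausible:", plausible(decode(hi, lo, TABLE)))
    print("raw row order plausible: ", plausible(decode(hi, lo, IDENTITY)))
    for pc, text in disassemble(decode(hi, lo, TABLE))[:2]:
        print("%03x: %s" % (pc, text))
```

<div>One caveat worth knowing before brute-forcing tables this way: because logical address 0 maps to physical row 0 under any bit permutation, the first word is always 0xF900 regardless of the table, so it is the branch targets, and comparing related dumps as the post did, that actually discriminate between candidates.</div><div><span face="docs-Calibri" style="white-space: pre-wrap;">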
We tossed around some engineering ideas for why this table might make sense (ex: similar to Gray encoding, so address lines may be shared), but it's unclear whether this is an optimization or an obfuscation strategy.</span></div><div><span face="docs-Calibri"><span style="white-space: pre-wrap;"><br /></span></span></div><div><span face="docs-Calibri"><span style="white-space: pre-wrap;">Anyway, nice! Let's take a look at 71 to verify we have a real binary:</span></span></div><div><span face="docs-Calibri"><span style="white-space: pre-wrap;"><br /></span></span></div><div><pre class="code" style="background-color: #f7f9fa; border: 1px dashed rgb(140, 172, 187); margin-bottom: 1em; margin-top: 0px; overflow: auto; padding: 0.5em; text-align: justify;"><div style="text-align: left;"><span style="font-size: 12.48px;">000: f900 0019 b 0019h
002: f900 0020 b 0020h
...
020: 7f81 dint
021: 7000 lark AR0,00h</span></div></pre></div><div><span style="font-family: inherit;">We see branches to instructions like dint, as seen before, so this looks like a plausible binary. Huzzah!</span></div><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;">Special thanks to <span style="background-color: white; white-space: pre-wrap;">Nathan Gilbert for processing the photographs into binaries</span>!</span><span style="font-family: inherit;"> </span><span style="font-family: inherit;">In our next post we'll discuss how we extracted TMS320C5X data using a combination of electronic and decapping techniques.</span></div><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;"><span style="background-color: white; color: #222222; vertical-align: baseline; white-space: pre-wrap;">Enjoy this post? Please </span><span style="background-color: white; color: #222222; vertical-align: baseline; white-space: pre-wrap;"><a href="https://www.patreon.com/user?u=4805718" style="color: #888888; text-decoration-line: none;">support us on Patreon</a> or</span><span face="Arial, Tahoma, Helvetica, FreeSans, sans-serif" style="background-color: white; color: #222222;"> </span><a href="https://twitter.com/Caps0xff" style="background-color: white; color: #888888; text-decoration-line: none;">follow us on Twitter</a><span face="Arial, Tahoma, Helvetica, FreeSans, sans-serif" style="background-color: white; color: #222222;">! 
</span><span style="background-color: white; color: #222222; white-space: pre-wrap;">Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.</span></span></div><p></p>CAPS0ffhttp://www.blogger.com/profile/01614107641236756516noreply@blogger.com3tag:blogger.com,1999:blog-5831808578326311132.post-74375369605201714862020-09-16T00:42:00.001-07:002020-09-16T00:46:09.596-07:00Macroprobing a fried Dardomania EPROM<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-y5TyyvYhsMk/X1kbJdKNTaI/AAAAAAAAA84/fLzx2vH01asC-EzDOU51O2HQ2qU7ZpGbgCLcBGAsYHQ/s845/dardomania-e9521.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="845" data-original-width="284" height="320" src="https://1.bp.blogspot.com/-y5TyyvYhsMk/X1kbJdKNTaI/AAAAAAAAA84/fLzx2vH01asC-EzDOU51O2HQ2qU7ZpGbgCLcBGAsYHQ/s320/dardomania-e9521.jpg" /></a></div><p style="text-align: center;"><a href="https://www.recreativas.org/dardomania-5785-sleic">Source</a> (actual unit)</p><p>Dardomania is a dart throwing game from Sleic. Main circuit board:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-LobVuRSrkvk/X1kbdNeSx9I/AAAAAAAAA9A/ciEKf-Zk-x0FClVT4SefoLC4cCaogexPwCLcBGAsYHQ/s1288/dardomania-p9509.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1288" data-original-width="1280" height="320" src="https://1.bp.blogspot.com/-LobVuRSrkvk/X1kbdNeSx9I/AAAAAAAAA9A/ciEKf-Zk-x0FClVT4SefoLC4cCaogexPwCLcBGAsYHQ/s320/dardomania-p9509.jpg" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://www.recreativas.org/dardomania-5785-sleic">Source</a></div><p>There are a few EPROMs seen with stickers. Unfortunately one of the EPROMs, marked in purple, is behaving erratically. 
Upon closer inspection:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-f_N_T5nZh-I/X1pnwXvAnMI/AAAAAAAAA-E/5BgJJrnmJfkZnTQdIfJ5Yt-ZQxcxHLDOwCLcBGAsYHQ/s1271/dardomania_02.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1219" data-original-width="1271" src="https://1.bp.blogspot.com/-f_N_T5nZh-I/X1pnwXvAnMI/AAAAAAAAA-E/5BgJJrnmJfkZnTQdIfJ5Yt-ZQxcxHLDOwCLcBGAsYHQ/s320/dardomania_02.JPG" width="320" /></a></div><p>The VCC bond wire is broken. Unfortunately it's not just snapped but has balled up. This implies it melted from excessive current, and the die itself may be damaged. If so, the data may still be there, but it would be beyond our current capabilities to extract.</p><p>So how can we show the chip is still salvageable?</p><p></p><ul style="text-align: left;"><li>Run small test currents through the I/O ESD diodes to verify they still function. This helps find gross damage on the chip by verifying that the bond wires and ground are intact</li><li>Inspect the die, especially around the melted wire, for damage</li><li>Power VCC, carefully monitoring current draw</li></ul><p></p><p>Fortunately VSS is still intact, which makes running the ESD diode test simple. It produced promising readings indicating that at least most I/Os were intact.</p><p>Next we sawed off the top of the EPROM to reveal the bare die:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-pzCReHfCunM/X1nckxOACbI/AAAAAAAAA94/m01iPTJbTXEbfjnkBudFctoKPGb2-qgIQCLcBGAsYHQ/s1772/IMG_20200906_174726.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1644" data-original-width="1772" src="https://1.bp.blogspot.com/-pzCReHfCunM/X1nckxOACbI/AAAAAAAAA94/m01iPTJbTXEbfjnkBudFctoKPGb2-qgIQCLcBGAsYHQ/s320/IMG_20200906_174726.jpg" width="320" /></a></div><div><br /></div>We used a diamond saw to cut the majority of the window away. 
The chip is soldered into a socket, filled with nail polish to protect the die, and then the center is mechanically sheared off:<div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-odpCZXhVLtc/X1ncI0rdL1I/AAAAAAAAA9w/hTQoTnL9S2wXUUhFilxQQRuKSgwgVvknACLcBGAsYHQ/s2023/IMG_20200906_180237_crop.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1782" data-original-width="2023" src="https://1.bp.blogspot.com/-odpCZXhVLtc/X1ncI0rdL1I/AAAAAAAAA9w/hTQoTnL9S2wXUUhFilxQQRuKSgwgVvknACLcBGAsYHQ/s320/IMG_20200906_180237_crop.jpg" width="320" /></a></div><p>Unfortunately this caused two more bond wires to come loose, and now three need to be reattached. This is believed to be caused by the new procedure using a socket: the vise didn't grip the package as firmly and led to some slop during shearing. We believe using the socket is the right direction (it strengthens the pins during and after shearing), but in the future we need to grip the package directly even if it's socketed.</p><p>Unfortunately aluminum wires have a non-conductive oxide surface that makes repairs more difficult. For example, while silver conductive epoxy bonds well to gold, it doesn't bond to aluminum. This leaves two primary options:</p><p></p><ul style="text-align: left;"><li>Use a wire bonder to place new wires</li><li>Microprobe the pads</li></ul><p></p><p>Wire bonders are finicky, and if you aren't careful you can damage the chip. So we elected to probe the pads instead of attaching new wires.</p><p>Anyway, we inspected the die and didn't see anything alarming. 
For example, here is what a damaged I/O can look like:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-6-0qdhHlNec/X1nW4iyt-xI/AAAAAAAAA9k/uEtmH4_0uREjL3tCAx7fKUHn2Nf7klR9ACLcBGAsYHQ/s1600/pad.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="1600" src="https://1.bp.blogspot.com/-6-0qdhHlNec/X1nW4iyt-xI/AAAAAAAAA9k/uEtmH4_0uREjL3tCAx7fKUHn2Nf7klR9ACLcBGAsYHQ/s320/pad.jpg" width="320" /></a></div><p>With this out of the way, the next step is to power up the chip. We probed VCC and put the EPROM into a high-end chip reader that monitors for excessive current. We omitted probing the other two pins as they were just address/data. Somewhat to our surprise the read went normally: no overcurrent, and plausible looking data came out!</p><p>So next we added a few more probes to get the other pins connected. This process is relatively straightforward as bond pads are large ("macro") compared to the targets of traditional microprobing.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-GBcIAABo0M0/X1kawI0uQlI/AAAAAAAAA8w/h4sG7BsBJ1gmM0RVmnFCrlQIFR5HQWNywCLcBGAsYHQ/s2048/probe.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1730" data-original-width="2048" src="https://1.bp.blogspot.com/-GBcIAABo0M0/X1kawI0uQlI/AAAAAAAAA8w/h4sG7BsBJ1gmM0RVmnFCrlQIFR5HQWNywCLcBGAsYHQ/s320/probe.jpg" width="320" /></a></div><p></p><p>Unfortunately data did not come out reliably. Fortunately, data analysis indicated the read errors were closer to random noise than to a fundamental problem. We repositioned the probes for better contact and data began reading reliably! We compared the new stable result to the older reads and found all of them are just a few bits away from the stable version. Success!</p><p>Finally, preliminary inspection of the EPROM data vs the others in the set looks reasonable. 
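</p><p>The "random noise vs fundamental issue" call above is the kind of judgement a small script can back up. The following is an added example (not the tooling used for this dump): it builds a per-bit majority consensus from several unstable reads, reports how many bits each read is from it, and then classifies the disagreements as random scatter, a single data line collecting nearly all the errors (which points at a probe or pin rather than dead cells), or errors that all share one address bit (an address-line fault). The 4 KiB image and the noisy reads are constructed; real reads would come from the programmer's output files.</p>

```python
"""Consensus and error-pattern diagnosis for repeated EPROM reads.

Added example, not the post's own tooling. The ROM image, the scattered
single-bit errors and the stuck-D3 read are all constructed inline.
"""

ROM_SIZE = 4096  # sample size only; the post does not name the EPROM type


def hamming(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def majority_vote(reads):
    """Per-bit majority across an odd number of reads of the same part."""
    if len(reads) % 2 == 0:
        raise ValueError("use an odd number of reads so every bit has a majority")
    out = bytearray(len(reads[0]))
    for i in range(len(out)):
        v = 0
        for bit in range(8):
            ones = sum((r[i] >> bit) & 1 for r in reads)
            if ones * 2 > len(reads):
                v |= 1 << bit
        out[i] = v
    return bytes(out)


def diagnose(read, ref):
    """Classify how `read` differs from `ref`.

    Returns ("clean", 0), ("random", n), ("data bit k", n) or
    ("address bit k=v", n), where n is the number of bad addresses.
    """
    errors = [(a, read[a] ^ ref[a]) for a in range(len(ref)) if read[a] != ref[a]]
    n = len(errors)
    if n == 0:
        return ("clean", 0)
    # Errors piling onto one data line point at a probe/pin, not at the cells.
    per_bit = [sum((d >> b) & 1 for _, d in errors) for b in range(8)]
    total_bits = sum(per_bit)
    if n >= 8 and max(per_bit) >= 0.8 * total_bits:
        return ("data bit %d" % per_bit.index(max(per_bit)), n)
    # Errors that all share one address-bit value suggest an address-line fault.
    addr_bits = (len(ref) - 1).bit_length()
    for b in range(addr_bits):
        values = {(a >> b) & 1 for a, _ in errors}
        if n >= 8 and len(values) == 1:
            return ("address bit %d=%d" % (b, values.pop()), n)
    return ("random", n)


def sample_rom(size=ROM_SIZE, seed=0x1234):
    """Deterministic pseudo-random filler standing in for the real image."""
    x, out = seed, bytearray()
    for _ in range(size):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def noisy_read(rom, k):
    """Flip one bit at addresses a with a % 101 == 7 + 10*k (disjoint per k)."""
    out = bytearray(rom)
    for a in range(len(out)):
        if a % 101 == 7 + 10 * k:
            out[a] ^= 1 << ((a >> 3) & 7)
    return bytes(out)


def stuck_d3_read(rom):
    """Simulate data line D3 stuck high, e.g. a probe shorting that pad."""
    return bytes(b | 0x08 for b in rom)


def demo():
    """Three scattered-noise reads plus one stuck-bit read, diagnosed against consensus."""
    rom = sample_rom()
    reads = [noisy_read(rom, k) for k in range(3)]
    consensus = majority_vote(reads)
    report = {"consensus_ok": consensus == rom}
    for k, r in enumerate(reads):
        report["read%d" % k] = (hamming(r, consensus), diagnose(r, consensus))
    report["stuck"] = diagnose(stuck_d3_read(rom), consensus)
    return report


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

<p>In the constructed data each noisy read is 41 bits from the consensus with the bad bits spread across data lines and addresses, which is what "closer to random noise" looks like, while the stuck read is flagged as "data bit 3" because every error lands on D3. The threshold of 80% on one data line is a judgement call; with only a handful of errors the classification is not meaningful, which is why the checks require at least 8 bad addresses.</p><p>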
Testing on real hardware is pending and we'll post a small update once it's verified.</p><p>In other news, we have also started more serious microprobing, but a lot more effort is required before we get usable results. We also extracted some PICs:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-pI-jSFpyvK4/X1nR0tp83AI/AAAAAAAAA9M/Z5xLFa94GbYmKt43IHQj14roijzWxQWyQCLcBGAsYHQ/s1779/pic.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1506" data-original-width="1779" src="https://1.bp.blogspot.com/-pI-jSFpyvK4/X1nR0tp83AI/AAAAAAAAA9M/Z5xLFa94GbYmKt43IHQj14roijzWxQWyQCLcBGAsYHQ/s320/pic.jpg" width="320" /></a></div><p>These include:</p><p style="background-color: white; color: #241e12; font-size: 16px; line-height: 1.5; margin: 0px; white-space: pre-line;"></p><ul style="text-align: left;"><li>Gaelco F3 Hardance (PIC16C56)</li><li>PUZZLE ME (PIC16C54)</li><li>Magic Card Export 94 (PIC16C54)</li><li>Magic Card Wien (PIC16C54A)</li><li>Bingo Roll / Turbo Bingo (PIC16C54)</li><li>Mystery chip "unkte06" (<span face="docs-Calibri" style="color: black; white-space: pre-wrap;">PIC16C56</span>)</li></ul><p></p><p>We also tried laser glitching some PIC16F84s but were unsuccessful. We've had success in the past and believe this is a test setup issue. We'll retry in the near future with a different laser.</p></div>CAPS0ffhttp://www.blogger.com/profile/01614107641236756516noreply@blogger.com3tag:blogger.com,1999:blog-5831808578326311132.post-87122103889738360952020-04-18T18:28:00.003-07:002020-04-28T10:44:51.114-07:00Help us preserve the original Furby!<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-QEfQjNLWl_k/Xp1iQMSzDOI/AAAAAAAAA64/tzrosgL6pvoRTNA12XQbmQUiiacmkL8rACLcBGAsYHQ/s1600/rect4349.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1530" height="320" src="https://1.bp.blogspot.com/-QEfQjNLWl_k/Xp1iQMSzDOI/AAAAAAAAA64/tzrosgL6pvoRTNA12XQbmQUiiacmkL8rACLcBGAsYHQ/s320/rect4349.jpg" width="305" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both;">
<br /></div>
<h2 style="-webkit-text-stroke-width: 0px; color: black; font-family: "times new roman"; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
Update 2020-04-27</h2>
<div>
Given submissions have tapered off we've taken down the server. Thanks to all that have contributed so far! We'll let everyone know when more information is available.<br />
<br /></div>
<div>
</div>
<h2 style="font-family: "times new roman";">
Update 2020-04-26</h2>
<div>
Thanks to all of those who have contributed! We've been running for about a week, and results have leveled off at around 80% complete (currently about 84%). We now have some statistics and a few proposals.</div>
<div>
<br /></div>
<div>
Some basic statistics:</div>
<div>
<ul>
<li>Pages: 297</li>
<li>Lines: 19510</li>
<li>Page submissions: 744</li>
<li>Line changes (roughly): 10297</li>
<li>Change 2/3 agree: 9191</li>
<li>Can't 2/3 agree: 1106</li>
</ul>
All 297 pages have at least two submissions and about 50% have three. Combining them flagged about 50% of lines for adjustment, and about 89% of those suggestions reach 2/3 agreement. Based on the data so far, completing all three sets of challenges should reduce the remainder to about 600 lines still requiring manual review.</div>
<div>
<br /></div>
<div>
A few more advanced heuristics were also tried (ex: partial line matching, weighting user results based on how much we trust their results), but ultimately we weren't convinced any of these are the right approach.</div>
<div>
<br /></div>
<div>
So, where does this leave things? Two main options are being considered:</div>
<div>
<ul>
<li>Push the annotated source to github or gitlab as is. We estimate that it would take someone about 6-12 hours to fix, which is not intractable. Default would have been the furby-source repository on github, but they have stopped responding</li>
<li>Restart the crowdsource server using the best result with annotated conflicts. Users would need to delete the extra lines and submit. However, we suspect users need a break, so at a minimum we would probably hold off a few months to regain momentum</li>
</ul>
<div>
Note we suspect additional fixes will be required upon eventual manual review, whichever path is taken. Generally the first option seems like the best. A few dedicated users could knock this out fairly quickly without too much coordination. If we get a few volunteers (or one very dedicated volunteer), we'll figure out where to push this and move the project forward. Ideally one of these people would also be interested in coordinating other community contributions.</div>
</div>
<div>
<br /></div>
<div>
So we're asking if people are interested in the first option, and we'll likely default to the second if we don't get traction. Please let us know here in the comments or on Twitter!</div>
<div>
<br /></div>
<h2 style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
Update 2020-04-20</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-4c8gL4CRL5s/Xp4Vmoy4YZI/AAAAAAAAA7k/cUO2m_lNwCUW-q7t2jL1-S2ak35aHhuUQCLcBGAsYHQ/s1600/better.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="540" data-original-width="910" height="236" src="https://1.bp.blogspot.com/-4c8gL4CRL5s/Xp4Vmoy4YZI/AAAAAAAAA7k/cUO2m_lNwCUW-q7t2jL1-S2ak35aHhuUQCLcBGAsYHQ/s400/better.png" width="400" /></a></div>
<div>
<br /></div>
<div>
Higher quality .pngs have been swapped in after reports that compression is swapping letters (!). Special thanks to Video Game Preservation Collective for the above image! The old set was from the text annotated version while the new set is believed to be the original scan. Unfortunately these images are about 5x larger, but should improve accuracy.</div>
<div>
<br />
Also, we've now done a very crude analysis of the existing submissions and used it to make a quick guess at better default text to present. This affects about 85% of entries, so going forward you'll typically get higher quality defaults. But please still be attentive and look for errors!<br />
<br />
There have also been a few backend tweaks, notably favoring showing pages with fewer submissions. However these generally should not be visible externally.<br />
<br /></div>
<h2>
Update 2020-04-19</h2>
<div>
<div>
We're up to 197 submissions! Thanks to all of you that have posted so far! We need to meet a minimum of 297, so we're making great progress. Our goal is to get 3 submissions to help correct errors, for a total of 891.</div>
<div>
<br /></div>
<div>
We will briefly bring down the site for maintenance at 2020-04-21 6:00 AM. We will use this window to improve the default text based on submissions so far. This should make challenges much easier as mostly you'll only need to do small corrections instead of large edits. We will also fix the overall progress indicator, which currently says 1485 required, but it should be 891.</div>
</div>
<div>
<br /></div>
<div>
<div>
Once again, thanks for your help and please let us know if you have any feedback!<br />
<br />
Micro update: the progress indicator fix has been pushed out (it was not necessary to bring the server down)<br />
<br /></div>
</div>
<h2>
Background</h2>
The Furby is an iconic talking toy from the late 90s. A couple of years ago scans of the original Furby source code were acquired. Unfortunately the scans are noisy and automatic image to text conversion is difficult. So we're asking the community to help preserve game history by proofreading computer generated transcripts. Generating a proper copy of the Furby source code will be enormously valuable to understanding how it works!<br />
<br />
Project TLDR:<br />
<ul>
<li>Complete using your web browser</li>
<li>You need a large screen (laptop or desktop)</li>
<li>Scanned image at left, noisy text interpretation at right</li>
<li>Fix errors in the image to text translation and submit</li>
<li>Remove headers and footers (ex: "Page 6", "A-121", "Diag7.asm" ) </li>
<li>Unreadable: put best guess if possible, or random characters as last resort (will flag for review)</li>
</ul>
<br />
Although the crowdsourcing system wasn't a good fit for <a href="https://caps0ff.blogspot.com/2020/04/you-are-great-swordsman.html">Great Swordsman</a>, it spurred some conversations on what it could be used for. It has been revived and adapted to work on improving pdf image to text conversion.<br />
<br />
Join the effort by signing up for an account! If you had an account on the previous TGP project, it likely is still available. Additional instructions are available after creating an account. If you have some time, please try a few images!<br />
<br />
Finally, the person who gets the most pages accepted (ie with acceptable accuracy) will get early blog access for 3 months! Note however you must provide your e-mail address to qualify so that we can actually send it to you.<br />
<br />
Sounds good? Sign up here! Instructions are available after logging in.<br />
<br />
Note: due to various issues we are unable to split the pages into smaller tasks. So the images are relatively large and this is best completed on systems with a large screen such as a laptop or a desktop. So apologies if you only have mobile, but you may not be able to help with this specific project.<br />
<br />
Special thanks to Andrew Gardner for writing <a href="https://github.com/andrew-gardner/django-monkeys/">the original tool</a> and <a href="https://twitter.com/johndmcmaster">John McMaster</a> for recent modifications!<br />
<br />
<h2>
FAQ</h2>
We'd also love to hear any suggestions for improving the workflow. These are things already on our mind:<br />
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-RmlQN0KqyDM/Xp1kDHBpS-I/AAAAAAAAA7Y/PFTLabn_0YwfkcysApbfHlJP60I7l7msgCLcBGAsYHQ/s1600/crowdsource.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="195" data-original-width="212" src="https://1.bp.blogspot.com/-RmlQN0KqyDM/Xp1kDHBpS-I/AAAAAAAAA7Y/PFTLabn_0YwfkcysApbfHlJP60I7l7msgCLcBGAsYHQ/s1600/crowdsource.jpg" /></a></div>
<br /></div>
<div>
Q: What happened after the last crowd sourcing project? (Fujitsu DSPs / TGPs)<br />
<br />
A: Post processing took a while, but it ultimately led to massive improvements on how well the community understands these games. However we've been doing a poor job at communicating those results and still need to write a post about it. See for example <a href="https://www.mamedev.org/?p=478">this MAME post</a> which mentions recovering "...the Sega Model 1 coprocessor TGP programs for Star Wars Arcade and Wing War, making these games fully playable."<br />
<br /></div>
<div>
<br /></div>
Q: Can you make the challenges smaller?<br />
<br />
A: Not easily. The pages aren't well aligned; we'd need to figure out both correct straightening and cropping.<br />
<br />
<br />
Q: Can you align the text editor to the images better? Maybe rich text features like find and replace?<br />
<br />
A: While the chip community can unlock the secrets of the micro universe, we can't code websites for beans. Really it's a miracle that the site is running at all. If you can help with improving text entry, please reach out! FYI it's written in Python/Django and could use some cleanup. If you haven't been scared off, <a href="https://github.com/JohnDMcMaster/django-monkeys/tree/furby_pdf">more info is here</a><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-yn9M-AtpONo/Xp1jJY1JmbI/AAAAAAAAA7M/1D4nsbux7hwMF001Sl5V-MUUwHyiZzCAQCLcBGAsYHQ/s1600/stain.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="1600" height="240" src="https://1.bp.blogspot.com/-yn9M-AtpONo/Xp1jJY1JmbI/AAAAAAAAA7M/1D4nsbux7hwMF001Sl5V-MUUwHyiZzCAQCLcBGAsYHQ/s320/stain.jpeg" width="320" /></a></div>
<br />
Q: What happens after it's captured?<br />
<br />
A: First we'll post process to remove errors. After that we'll use the CPU manual to make a special 6502 assembler to create a binary. Ideally we'll also combine this with the Furby 70-800 ROM microscope images (sample above) at some point.<br />
<br />
<br />
Q: Where did the source come from?<br />
<br />
A: Not sure exactly, but some information is available at the <a href="https://archive.org/details/furby-source/page/n1/mode/2up">Internet Archive</a><br />
<div>
<br />
<br />
Q: Can I edit my result after submission?<br />
<br />
A: It is not possible to modify it at this time. But don't worry, most of the time we can detect errors by combining a few results.<br />
<br />
<br />
Q: Can you reset my password?<br />
<br />
A: Yes, but it requires manual admin intervention. We suggest creating a new account if you aren't really tied to your old one<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-pu7nHEcntGA/Xp1im_XFXlI/AAAAAAAAA7A/7-2d3oHfmiEGVH-A7Ks2Z2a6fmF8OM6oQCLcBGAsYHQ/s1600/rect4349.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="554" data-original-width="532" height="320" src="https://1.bp.blogspot.com/-pu7nHEcntGA/Xp1im_XFXlI/AAAAAAAAA7A/7-2d3oHfmiEGVH-A7Ks2Z2a6fmF8OM6oQCLcBGAsYHQ/s320/rect4349.jpg" width="307" /></a></div>
Q: Isn't that Furby image for the Furby 2012, not the original Furby?<br />
<br />
A: Maybe... Actually we have a 70-800 image now<br />
<br />
<h2>
Prologue</h2>
</div>
<div>
More questions? Type them below, or <a href="https://twitter.com/Caps0xff">reach out to us on Twitter</a>. Thanks again for your help!</div>
CAPS0ffhttp://www.blogger.com/profile/01614107641236756516noreply@blogger.com13tag:blogger.com,1999:blog-5831808578326311132.post-79257450698458246762020-04-14T11:23:00.000-07:002020-04-14T11:23:27.472-07:00You are great swordsman!<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-853VF68pAzQ/XoxQU7EhzgI/AAAAAAAAA3U/tFdc18K6Z0EScl_Q6GrDFG7E7owDYfViwCLcBGAsYHQ/s1600/screencap.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="566" data-original-width="725" height="249" src="https://1.bp.blogspot.com/-853VF68pAzQ/XoxQU7EhzgI/AAAAAAAAA3U/tFdc18K6Z0EScl_Q6GrDFG7E7owDYfViwCLcBGAsYHQ/s320/screencap.png" width="320" /></a></div>
<div style="text-align: center;">
<a href="https://www.youtube.com/watch?v=7xgeKHMGJ5U">Source</a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Great Swordsman (not to be confused with <a href="http://3.bp.blogspot.com/-H-2zwd8fT7A/UcYzagJKo9I/AAAAAAAAAvU/6VWchuNhhas/s1600/hiro-business-card.jpg">Hiro Protagonist</a>) is a Taito arcade game where you engage in various styles of sword play ranging from fencing to samurai combat.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-ZscPQayoGwM/XpC1PB3qtuI/AAAAAAAAA34/21xNEx35R3o1te9kveIdUaXxN_tyVd1FQCLcBGAsYHQ/s1600/pcb.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1152" data-original-width="648" height="320" src="https://1.bp.blogspot.com/-ZscPQayoGwM/XpC1PB3qtuI/AAAAAAAAA34/21xNEx35R3o1te9kveIdUaXxN_tyVd1FQCLcBGAsYHQ/s320/pcb.jpg" width="180" /></a></div>
<div style="text-align: center;">
<a href="https://forums.arcade-museum.com/showthread.php?t=396023">Source</a></div>
<br />
The game firmware is made up of Z80 EPROMs plus three other chips: AA-013, AA-016, and AA-017. The EPROMs are easy, as the Z80 architecture is well understood and EPROMs are trivial to extract. However, little was known about the other three. <a href="https://github.com/mamedev/mame/blob/master/src/mame/drivers/gsword.cpp#L144">Collectively though</a> they handle things like reading player inputs, reading DIP switches, and tracking coins.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-oqVCUnZt_Kg/XpDNSeCQcaI/AAAAAAAAA4U/p4NV-0air_4I-JMTG7wAeQMjzO_mLJg1ACLcBGAsYHQ/s1600/die.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="949" data-original-width="1118" height="271" src="https://1.bp.blogspot.com/-oqVCUnZt_Kg/XpDNSeCQcaI/AAAAAAAAA4U/p4NV-0air_4I-JMTG7wAeQMjzO_mLJg1ACLcBGAsYHQ/s320/die.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-qOTpT72JIeA/XpDNI7l5ZHI/AAAAAAAAA4Q/p5RP5ftZm3UlJsSB4Ezsv0rGucpBvX0fQCLcBGAsYHQ/s1600/logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="1600" height="240" src="https://1.bp.blogspot.com/-qOTpT72JIeA/XpDNI7l5ZHI/AAAAAAAAA4Q/p5RP5ftZm3UlJsSB4Ezsv0rGucpBvX0fQCLcBGAsYHQ/s320/logo.jpg" width="320" /></a></div>
<br />
Previous decapping showed that AA-013 is an Intel D8741A.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-jxpHM5Y95Zo/XpDMtZU5d-I/AAAAAAAAA4E/ht_n82KA9WE3eJCiOCWTmshpTMBVQLbLgCLcBGAsYHQ/s1600/pack_top.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="536" data-original-width="1600" height="107" src="https://1.bp.blogspot.com/-jxpHM5Y95Zo/XpDMtZU5d-I/AAAAAAAAA4E/ht_n82KA9WE3eJCiOCWTmshpTMBVQLbLgCLcBGAsYHQ/s320/pack_top.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-Lb4_P-cWCoY/XpDNDDKY2KI/AAAAAAAAA4M/TjmSpyvb_nI5yoSyd8pyV2N2MjA7VRxLACLcBGAsYHQ/s1600/damage.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="1600" height="240" src="https://1.bp.blogspot.com/-Lb4_P-cWCoY/XpDNDDKY2KI/AAAAAAAAA4M/TjmSpyvb_nI5yoSyd8pyV2N2MjA7VRxLACLcBGAsYHQ/s320/damage.jpg" width="320" /></a></div>
<br />
Unfortunately it was received with severe damage which discouraged us from looking at it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-j-WWwje10HI/XpDOCSIrESI/AAAAAAAAA4o/Jy_fdiY-I6sA6k2ff2BgsR3UgW7fkNHUQCLcBGAsYHQ/s1600/die.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="787" data-original-width="895" height="281" src="https://1.bp.blogspot.com/-j-WWwje10HI/XpDOCSIrESI/AAAAAAAAA4o/Jy_fdiY-I6sA6k2ff2BgsR3UgW7fkNHUQCLcBGAsYHQ/s320/die.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-SVo36kFOa3k/XpDOi5mYjhI/AAAAAAAAA4w/cw93ALVDdVg2r8xr0uYVt1CkDXcEDvqgACLcBGAsYHQ/s1600/logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="128" data-original-width="675" height="60" src="https://1.bp.blogspot.com/-SVo36kFOa3k/XpDOi5mYjhI/AAAAAAAAA4w/cw93ALVDdVg2r8xr0uYVt1CkDXcEDvqgACLcBGAsYHQ/s320/logo.jpg" width="320" /></a></div>
<br />
We then decapped AA-016 (#8) and AA-017 (#9), which are both NEC D8041AH. Fortunately neither the NEC D8041AH nor the Intel 8741A has a protection scheme, so in theory we can simply read the data out. Unfortunately we were unable to activate the test interface. After some analysis we suspected that the algorithm we tried to dump them with (as 8741 IIRC) might have over-voltaged EA and damaged them. More on that later.<br />
<br /></div>
<div style="text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-u6flofi9WDE/XpD48h4qb9I/AAAAAAAAA5I/R92u_FQHGVgcir8Q1RPDP2ds2QEQfuAJQCLcBGAsYHQ/s1600/roi.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="730" data-original-width="1112" height="210" src="https://1.bp.blogspot.com/-u6flofi9WDE/XpD48h4qb9I/AAAAAAAAA5I/R92u_FQHGVgcir8Q1RPDP2ds2QEQfuAJQCLcBGAsYHQ/s320/roi.jpg" width="320" /></a></div>
<span style="background-color: white; white-space: pre-wrap;"><br /></span>
Unfortunately the EPROM based 8741A is difficult to read as is. But the D8041AH is a contact ROM, which traditionally we've been reasonably successful with (<a href="http://caps0ff.blogspot.com/2016/12/39-rom-extracted.html">example</a>). So we attempted to visually read them but got a lot of errors. It was hard to read the bits, and attempting to disassemble them resulted in something only vaguely resembling a valid program.<br />
<span style="background-color: white; white-space: pre-wrap;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-5yO1txAIF_o/XpD9EH6TueI/AAAAAAAAA5U/0pkeCdwJxsstAtjavq6kbU0oGnl771R_wCLcBGAsYHQ/s1600/mw.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="241" data-original-width="247" src="https://1.bp.blogspot.com/-5yO1txAIF_o/XpD9EH6TueI/AAAAAAAAA5U/0pkeCdwJxsstAtjavq6kbU0oGnl771R_wCLcBGAsYHQ/s1600/mw.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
So due to the combination of noisy bits and severely damaged chips the project essentially got shelved some time ago. However, somewhat recently we got another chip set, and a little later there was a <a href="https://www.mameworld.info/ubbthreads/showthreaded.php?Cat=&Number=385511">forum post asking about the state of the project</a>. Being in general lockdown with a little more time right now, this prompted us to take a second look. These acquisitions ultimately gave us 3 ROM sets to work with: the original STARRIDER set via Guru (8/9/10), a set from STARRIDER via Smitdogg (C030/C031/C032), and a set that was separately acquired.<br />
<br />
With these extra sets, the first priority was to analyze the test interface and assess if it was healthy. We used small test currents to characterize the ESD diodes on sample chips and compared them to 8741A and 8041AH chips from Great Swordsman. This showed the chips from Great Swordsman consistently have different responses on EA pins vs samples, indicating this pin was likely intentionally damaged to prevent read out.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-FvnwBzE0IeQ/XpDSqsiRiSI/AAAAAAAAA48/1iETSSQCrkAT-31Yaht2uQxibZwaciNaQCLcBGAsYHQ/s1600/blown_ea.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="1600" height="240" src="https://1.bp.blogspot.com/-FvnwBzE0IeQ/XpDSqsiRiSI/AAAAAAAAA48/1iETSSQCrkAT-31Yaht2uQxibZwaciNaQCLcBGAsYHQ/s320/blown_ea.jpg" width="320" /></a></div>
<br />
This may have been a common practice at one time, as commercial systems from companies like RunFei have a "special protect" option that does exactly this. We've also seen it on other chips, like the NEC D8748D EA pin shown above.<br />
<br />
So a few options. One is that we may be able to repair or bypass the blown pad. Repair would be easier if we had FIB access but this isn't easily available. We could bypass it but there were misc complications at the time and this wasn't seriously considered. We do however plan on attempting this for AA-013.<br />
<br />
That said we figured there was a chance that the test interface *might* still work even if it was damaged. To our surprise we managed to get a plausible dump out of one of the new AA-016s! The interface only worked once or twice and then rapidly deteriorated. Unfortunately due to the test interface instability and some disassembly errors we weren't confident we had a good dump. Finally it didn't remotely match our earlier attempts to decode the mask ROM into binaries. This gave us low confidence that the EPROM dump was correct.<br />
<br />
<div style="text-align: left;">
So anyway we at least had an answer: the test interface is not reliable and probably won't yield anything more. So we decided to revisit brute force ROM capture by photographing bits. How could we improve the accuracy? Let's say the existing capture has about 100 bad bits out of 8192, i.e. roughly a 1% error rate. This means that if you took two independent captures, the expected number of bits wrong in both (and so not caught by comparing them) is about 8192 * 0.01 * 0.01 = 0.8. So while it might not be perfect (a few bit errors might still be expected), it would drastically improve the accuracy to something usable.</div>
<div style="text-align: left;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-a_9HUPDo4BI/XpEBS0Kp3XI/AAAAAAAAA5g/k007JGTeDU4jjroH1470HqUtvfyzy6AVACLcBGAsYHQ/s1600/old.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="658" data-original-width="1073" height="245" src="https://1.bp.blogspot.com/-a_9HUPDo4BI/XpEBS0Kp3XI/AAAAAAAAA5g/k007JGTeDU4jjroH1470HqUtvfyzy6AVACLcBGAsYHQ/s400/old.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-s7_10jkxTvI/XpEBY9g7LsI/AAAAAAAAA5k/4mn-dRtvJe8xaIEvVup_TRv5h582DCePwCLcBGAsYHQ/s1600/new.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="655" data-original-width="1073" height="243" src="https://1.bp.blogspot.com/-s7_10jkxTvI/XpEBY9g7LsI/AAAAAAAAA5k/4mn-dRtvJe8xaIEvVup_TRv5h582DCePwCLcBGAsYHQ/s400/new.jpg" width="400" /></a></div>
<br /></div>
<div style="text-align: left;">
With this in mind, a few weeks ago we decapped the second ROM set as C031 (AA-016) and C032 (AA-017). And for one reason or another the contrast was considerably better!</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-HdRHxbEiTCM/XpEDrmdqapI/AAAAAAAAA6A/51X6ikQwClsIpISZw29ajeRvlHvqukYTwCLcBGAsYHQ/s1600/rompar16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="658" data-original-width="1080" height="242" src="https://1.bp.blogspot.com/-HdRHxbEiTCM/XpEDrmdqapI/AAAAAAAAA6A/51X6ikQwClsIpISZw29ajeRvlHvqukYTwCLcBGAsYHQ/s400/rompar16.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
</div>
<div style="text-align: left;">
We then asked the community to help convert these images into bits. This was broadcast here on this blog, on twitter, and on mameworld. We suggested using rompar, a specialized tool for this task, although in general it wasn't easy enough for people to set up. There is an open ticket about <a href="https://github.com/AdamLaurie/rompar/issues/17">easier Windows support</a> which the rompar team has been working on addressing.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-t0lzkr-0z3Y/XpECdRMjSxI/AAAAAAAAA5w/NB6QT5U5lmAjP95gO0sHHO0a5TSqKUBhQCLcBGAsYHQ/s1600/spread.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="349" data-original-width="1041" height="133" src="https://1.bp.blogspot.com/-t0lzkr-0z3Y/XpECdRMjSxI/AAAAAAAAA5w/NB6QT5U5lmAjP95gO0sHHO0a5TSqKUBhQCLcBGAsYHQ/s400/spread.png" width="400" /></a></div>
<br />
That said, we got a combination of submissions in rompar, typed as .txt files, or even as colorful spreadsheets (AA-017 above, other images are AA-016).</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
One lesson learned is that we should have aligned all of the image sets (or at least C031 and C032). This would have made some of the post processing easier as sometimes we were trying to resolve bits by comparing several different image sets.</div>
<div style="text-align: left;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-aR5SQ5tWZm4/XpEEwpiLhrI/AAAAAAAAA6M/UEuoeIkD3Pk8wHgPO7G5OrUHCvgg8DWPgCLcBGAsYHQ/s1600/rompar_mark.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="961" data-original-width="1101" height="279" src="https://1.bp.blogspot.com/-aR5SQ5tWZm4/XpEEwpiLhrI/AAAAAAAAA6M/UEuoeIkD3Pk8wHgPO7G5OrUHCvgg8DWPgCLcBGAsYHQ/s320/rompar_mark.png" width="320" /></a></div>
<br /></div>
<div style="text-align: left;">
Anyway, once we had around 3 submissions for each set we did a cursory inspection of each one to gauge its quality. If a submission is reasonable (say 99%+ accurate), we add it to the submission pool. Then all of the locations where the pool doesn't fully agree are flagged for review and displayed in rompar. After reviewing these we got ROMs that we think are probably within a few bits of being correct.</div>
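One way to do this pooling, voting and flagging in code, as an added example rather than the project's own post-processing script. The four submissions, the 99% admission threshold and the 128-bit "ground truth" (the 16 bytes from the hexdump quoted later in this post) are constructed inputs; it also accepts captures typed with blank spacer lines between row pairs.

```python
"""Post-processing for crowd-sourced ROM bit captures (added example).

Merges several independently typed captures of the same mask ROM by majority
vote, flags the positions where the admitted captures disagree (the ones to
review in rompar), and estimates how many errors survive undetected.
"""
from collections import Counter

# Constructed ground truth: the 16 bytes at the start of the AA-016 dump
# quoted in the post, treated here as 128 bits in logical (address) order.
SAMPLE_BYTES = bytes.fromhex("04 08 00 83 00 00 00 83 15 23 f0 90 85 95 22 14")
TRUTH = [(b >> (7 - i)) & 1 for b in SAMPLE_BYTES for i in range(8)]


def format_rows(bits, width=16, spacer_every=0):
    """Render bits as text rows, optionally with a blank spacer line after
    every `spacer_every` rows (the hand-typed layout that keeps row pairs
    visually grouped)."""
    lines = []
    for row, start in enumerate(range(0, len(bits), width), start=1):
        lines.append("".join(str(b) for b in bits[start:start + width]))
        if spacer_every and row % spacer_every == 0:
            lines.append("")
    return "\n".join(lines) + "\n"


def flip(bits, positions):
    """Return a copy of `bits` with the given positions inverted."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


# Four constructed submissions: two with one bad bit each, one exact but typed
# with spacer lines, and one far too noisy to be admitted to the pool.
SUBMISSIONS = {
    "sub_a": format_rows(flip(TRUTH, [7])),
    "sub_b": format_rows(flip(TRUTH, [16])),
    "sub_c": format_rows(TRUTH, spacer_every=2),
    "sub_d": format_rows(flip(TRUTH, range(0, len(TRUTH), 3))),
}


def parse_submission(text):
    """Parse a typed capture into a flat bit list. Blank spacer lines and
    surrounding whitespace are ignored, so a rompar export and a hand-typed
    layout with blank lines between row pairs yield the same bits."""
    bits = []
    for line in text.splitlines():
        row = line.strip()
        if not row:
            continue
        if set(row) - {"0", "1"}:
            raise ValueError(f"non-bit character in row {row!r}")
        bits.extend(int(c) for c in row)
    return bits


def agreement(candidate, reference):
    """Fraction of positions where two equal-length captures agree."""
    if len(candidate) != len(reference):
        raise ValueError("captures differ in length")
    return sum(a == b for a, b in zip(candidate, reference)) / len(reference)


def majority(captures):
    """Per-position majority vote plus the positions with any dissent."""
    n = len(captures[0])
    if any(len(c) != n for c in captures):
        raise ValueError("captures differ in length")
    merged, flagged = [], []
    for i in range(n):
        value, count = Counter(c[i] for c in captures).most_common(1)[0]
        merged.append(value)
        if count != len(captures):
            flagged.append(i)
    return merged, flagged


def merge_captures(captures, min_agreement=0.99):
    """Admit captures that agree with the provisional majority at or above
    `min_agreement`, then vote again over the admitted pool only.

    Returns (merged_bits, flagged_positions, rejected_indices)."""
    provisional, _ = majority(captures)
    scores = [agreement(c, provisional) for c in captures]
    pool = [c for c, s in zip(captures, scores) if s >= min_agreement]
    rejected = [k for k, s in enumerate(scores) if s < min_agreement]
    if not pool:
        raise ValueError("no capture met the agreement threshold")
    merged, flagged = majority(pool)
    return merged, flagged, rejected


def bits_to_bytes(bits):
    """Pack bits MSB-first; assumes they are already in logical address
    order (the physical-to-logical mapping is a separate decoding step)."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def expected_undetected(n_bits, error_rate, n_captures):
    """Expected bits wrong in every one of n independent captures, which a
    comparison cannot catch: 8192 bits at 1% over two captures gives ~0.8."""
    return n_bits * error_rate ** n_captures


if __name__ == "__main__":
    caps = [parse_submission(t) for t in SUBMISSIONS.values()]
    merged, flagged, rejected = merge_captures(caps)
    print("rejected submissions:", [list(SUBMISSIONS)[k] for k in rejected])
    print("positions to review:", flagged)
    print("merged image:", bits_to_bytes(merged).hex())
```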
<div style="text-align: left;">
</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-_8_fIqKtXfk/Xoxdqyb6P8I/AAAAAAAAA3g/3tfZGYq-QXMU5rAn3MJ9GiKjhTvGBvWrACLcBGAsYHQ/s1600/Screenshot%2Bfrom%2B2020-04-07%2B04-00-54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="786" data-original-width="601" height="400" src="https://1.bp.blogspot.com/-_8_fIqKtXfk/Xoxdqyb6P8I/AAAAAAAAA3g/3tfZGYq-QXMU5rAn3MJ9GiKjhTvGBvWrACLcBGAsYHQ/s400/Screenshot%2Bfrom%2B2020-04-07%2B04-00-54.png" width="305" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
D8041AH datasheet</div>
<div style="text-align: left;">
<br /></div>
But unfortunately we have a problem: the ROMs still don't disassemble well. So next we read up a bit on the MCS-48 architecture and learned that the interrupt vectors are at the start of the chip: 0, 3, and 7. Usually these consist of either a jump (typically LJMP, encoded 0xX4 0xXX) or a RET (0x83). Here's the start of a sample keyboard BIOS ROM:<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00000000 04 08 00 83 00 00 00 83 15 23 f0 90 85 95 22 14 |.........#....".|</span><br />
<br />
<div style="text-align: left;">
Here you can see that at 0x0000 (reset) there's a JMP 0x008, which skips over the rest of the vector table. Similarly there's a RET on the other vectors to basically ignore them.<br />
<br />
With that in mind, here's the start of our old AA-016 microscope based submit:<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00000000 40 d9 96 a9 fa 03 1f aa e8 a8 04 13 04 d8 04 e0 |@...............|</span><br />
<div>
<br /></div>
Hmm, there are some 4's in there, but it doesn't really look valid. For comparison though, here is the AA-016 EPROM submit:<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00000000 04 08 00 83 00 00 00 83 15 23 f0 90 85 95 22 14 |.........#....".|</span><br />
<div>
<br /></div>
</div>
<div style="text-align: left;">
Aha! This looks much better. So we started thinking: maybe the ROM decoding script doesn't really work? It is producing mostly valid disassembly, but maybe we missed something? The scheme was relatively complicated and it's entirely possible something was missed.<br />
<br />
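The vector-table heuristic above turned into a check, as an added example that is not code from this post: it classifies the three vectors of the two 16-byte dumps quoted here and can rank candidate address decodings by that test. It assumes, as the rule of thumb above does, that the reset vector is always a JMP; that is a sanity check on the first bytes, not proof the whole image is right.

```python
"""Vector-table plausibility check for an MCS-48 / UPI-41 ROM image.

Added example, not tooling from the post. The vectors at 0x000 (reset),
0x003 (external/IBF interrupt) and 0x007 (timer) normally hold a 2-byte JMP
(opcode 0xX4 followed by the low address byte) or a RET (0x83), which makes
them a quick way to tell a valid address decoding from a scrambled one.
"""

VECTORS = {"reset": 0x000, "external interrupt": 0x003, "timer": 0x007}

# The two 16-byte hexdump lines quoted in the post: the old microscope-based
# AA-016 submit and the AA-016 EPROM dump.
OLD_SUBMIT = bytes.fromhex("40 d9 96 a9 fa 03 1f aa e8 a8 04 13 04 d8 04 e0")
EPROM_DUMP = bytes.fromhex("04 08 00 83 00 00 00 83 15 23 f0 90 85 95 22 14")


def decode_jmp(opcode, low):
    """MCS-48 JMP is encoded as A10 A9 A8 0 0 1 0 0 followed by A7..A0, so
    the three high opcode bits supply the top of the 11-bit target address."""
    return ((opcode & 0xE0) << 3) | low


def classify_vector(rom, addr):
    """Return ('JMP', target), ('RET', None) or ('OTHER', opcode) for the
    instruction starting at `addr`."""
    op = rom[addr]
    if op == 0x83:
        return ("RET", None)
    if (op & 0x1F) == 0x04:
        return ("JMP", decode_jmp(op, rom[addr + 1]))
    return ("OTHER", op)


def vector_report(rom):
    """Classify all three vectors of an image."""
    return {name: classify_vector(rom, addr) for name, addr in VECTORS.items()}


def looks_plausible(rom):
    """Reset must be a JMP; the interrupt vectors must be JMP or RET."""
    report = vector_report(rom)
    if report["reset"][0] != "JMP":
        return False
    return all(kind in ("JMP", "RET") for kind, _ in report.values())


def rank_candidates(candidates):
    """Given {name: image} for several candidate decodings of the same ROM,
    return the names whose vector table passes the check."""
    return [name for name, rom in candidates.items() if looks_plausible(rom)]


if __name__ == "__main__":
    for name, rom in {"old submit": OLD_SUBMIT, "eprom dump": EPROM_DUMP}.items():
        verdict = "plausible" if looks_plausible(rom) else "not plausible"
        print(f"{name}: {vector_report(rom)} -> {verdict}")
```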
<div class="separator" style="clear: both; text-align: center;">
<iframe width="320" height="266" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/j4VAWy0kKmk/0.jpg" src="https://www.youtube.com/embed/j4VAWy0kKmk?feature=player_embedded" frameborder="0" allowfullscreen></iframe></div>
<br />
So after some munging, we came up with a new physical address space layout. Now AA-016 starts with:</div>
<div style="text-align: left;">
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00000000 04 08 00 83 00 00 00 83 15 23 f0 90 85 95 22 14 |.........#....".|</span><br />
<div>
<br /></div>
</div>
<div style="text-align: left;">
Aha! Now this matches the EPROM dump. In fact we verified against the original EPROM dump and decided it is 100% accurate.<br />
<br />
But there's still one more problem: if the EPROM dump is good, why didn't it disassemble properly? Why did we get told the submitted dump was unusable? First, the unusable dump was probably someone talking about the earlier AA-016 dump vs the newer EPROM dump. Second, although we tried several ways to disassemble the dumps (notably MAME, Ghidra, but also some others), they generally were biased towards MCS-48 (classic 8048) and not some of the finer points of UPI-41, the family D8041AH is from. <a href="http://devster.monkeeh.com/z80/upi42/">One source</a> described it as “The 8042 and 8041 is code compatible with the 8048, except that there are no external program memory instructions, and that data bus register instructions have been added.” For example, Ghidra 8048 gave:<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CODE:0008 15 DIS I</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CODE:0009 23 f0 MOV A,#0xf0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CODE:000b 90 MOVX @R0,A</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CODE:000c 85 CLR F0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CODE:000d 95 CPL F0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CODE:000e 22 ?? 22h "</span><br />
<br />
MAME mcs48 gave:<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">unidasm -arch mcs48 great_swordsman_aa-016_d8041ah_decap-c031.bin</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">...</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0:008: 15 dis i</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0:009: 23 f0 mov a,#$F0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0:00b: 90 movx @r0,a</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0:00c: 85 clr f0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0:00d: 95 sel an1</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0:00e: 22 illegal</span><br />
<br />
But it really should have been upi41:<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">unidasm -arch upi41 great_swordsman_aa-016_d8041ah_decap-c031.bin</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">...</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">008: 15 dis i</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">009: 23 f0 mov a,#$F0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00b: 90 mov sts,a</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00c: 85 clr f0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00d: 95 sel an1</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00e: 22 in a,dbb</span><br />
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
Which looks good!<br />
<br />
So to summarize, the hurdles were:<br />
<br />
<ul>
<li>Intentionally damaged test interface</li>
<li>Possibly unintentionally damaged test interface</li>
<li>Noisy microscope images</li>
<li>Not using the right disassembler</li>
<li>Getting people to look at the data</li>
<li>Incorrect address decoding</li>
</ul>
<br />
Finally, there were a lot of people that helped with this project. Some of them include:<br />
<br />
<ul>
<li>Our Patreon contributors</li>
<li>STARRIDER: chips, ROM capture</li>
<li>rompar team (John McMaster et al): software support</li>
<li>EdHunter: ROM layout decoding</li>
<li>Guru: logistics</li>
<li>Smitdogg: logistics</li>
<li>f205v: ROM capture</li>
<li>sadikyo: ROM capture</li>
<li>belegdol: ROM capture</li>
</ul>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-sZqcyzDycZQ/Xo_0Uc__24I/AAAAAAAAA3s/VxXomFQ6z9ksRvfKIP_7GJp3f5_nNL4LACLcBGAsYHQ/s1600/swords2.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="371" data-original-width="500" height="237" src="https://1.bp.blogspot.com/-sZqcyzDycZQ/Xo_0Uc__24I/AAAAAAAAA3s/VxXomFQ6z9ksRvfKIP_7GJp3f5_nNL4LACLcBGAsYHQ/s320/swords2.jpeg" width="320" /></a></div>
<div style="text-align: center;">
<a href="https://www.buzzfeed.com/javiermoreno/times-snls-celebrity-jeopardy-was-hilariously-perfect">Source</a></div>
<br />
<span style="background-color: white; color: #222222; font-family: arial; white-space: pre-wrap;">Enjoy this post? Please <a href="https://www.patreon.com/user?u=4805718" style="color: #888888;">support us on Patreon</a> or <a href="https://twitter.com/Caps0xff" style="color: #888888; text-decoration-line: none;">follow us on Twitter</a>! Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.</span><br />
<br />
<b>Help us preserve Great Swordsman!</b> (CAPS0ff, posted 2020-04-02, updated 2020-04-06)<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="margin-left: 1em; margin-right: 1em;">
<div style="text-align: center;">
<div style="text-align: left;">
UPDATE 2020-04-06: <b>we tentatively have enough submissions to decode the ROMs</b>, assuming a few people we know are working on them finish. Thanks to all of those that have submitted and we'll try to post an update in the near future!</div>
<br />
<img alt="Arcade Game: Great Swordsman (1984 Taito) - YouTube" height="180" src="https://i.ytimg.com/vi/7xgeKHMGJ5U/maxresdefault.jpg" width="320" /></div>
</div>
<br />
Previously we decapped a few NEC D8041AH MCUs from Great Swordsman in order to better document the game. Unfortunately the images were a little hard to read. However, we recently decapped a new AA-016 (C031) and a new AA-017 (C032), and the contrast is much better! The specific cause hasn't been investigated.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-baysgQ3T9Qc/XobUMIgmxbI/AAAAAAAAA2w/p0e2J3W4TnIdvgT6sa8DjxTD_0w_NrrzgCLcBGAsYHQ/s1600/2020-04-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="961" data-original-width="1101" height="279" src="https://1.bp.blogspot.com/-baysgQ3T9Qc/XobUMIgmxbI/AAAAAAAAA2w/p0e2J3W4TnIdvgT6sa8DjxTD_0w_NrrzgCLcBGAsYHQ/s320/2020-04-02.png" width="320" /></a></div>
<br />
Anyway, we are looking for help digitizing the firmware microscope images into bits. This can be done either by manually typing out all 8192 bits or by using the <a href="https://github.com/AdamLaurie/rompar">rompar utility</a> (preferred).<br />
<br />
If you're interested, here is the raw data:<br />
<br />
<ul>
<li><a href="https://drive.google.com/drive/folders/162CrhGw1W2FSINRFWBKi4v_hsv-78ltR?usp=sharing">AA-016</a>
<ul>
<li>Suggested: nec_8041ah_gswm_aa-016_decap-c031_xpol.jpg</li>
</ul>
</li>
<li><a href="https://drive.google.com/open?id=1QQ5s1RxOhFxBJ1J4yRbN3V_j19atNNGk">AA-017</a>
<ul>
<li>Suggested: nec_8041ah_gswm_aa-017_decap-c032_xpol.jpg</li>
</ul>
</li>
</ul>
<br />
Specifically:<br />
<ul>
<li>We are especially looking for help with AA-016</li>
<li>Multiple people submitting improves accuracy</li>
<li>There are some stitching artifacts. If they get in the way of digitizing we can revisit stitching</li>
<li>If applicable, please provide rompar project file</li>
<li>We will take care of post processing into binary</li>
<li>rompar_decap-8_rom_mit20x_xpol is provided as a reference project. Note the image contrast wasn't great, so there were a lot of errors</li>
<li>By convention, brighter bits are generally typed as "1" and dark as "0". But we can accept either</li>
<li>Advanced rompar users: you can use the reference project as a template, but you'll need to re-align the images. We did this to produce the above rompar image while checking AA-017 results</li>
</ul>
<div>
Please let us know if you have any questions!<br />
<br />
<h2>
Update 2020-04-04</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-VtZdwGxPNvo/XokKO4Bvr7I/AAAAAAAAA28/9N0R257Yjz4_IBNJ3T7CHOrV45YzZcgXACLcBGAsYHQ/s1600/group.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="220" data-original-width="293" src="https://1.bp.blogspot.com/-VtZdwGxPNvo/XokKO4Bvr7I/AAAAAAAAA28/9N0R257Yjz4_IBNJ3T7CHOrV45YzZcgXACLcBGAsYHQ/s1600/group.png" /></a></div>
<div>
<br /></div>
<div>
We are starting to process submissions. Thanks to everyone who has submitted so far!</div>
<div>
<br /></div>
<div>
It seems there's some confusion as to where the ROM starts and ends. The above image shows the first 4 rows. When this is exported from rompar it looks like this:</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">11101011</span><span style="font-family: "courier new" , "courier" , monospace;">...</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">01001000</span><span style="font-family: "courier new" , "courier" , monospace;">...</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">01101011</span><span style="font-family: "courier new" , "courier" , monospace;">...</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">11001101...</span></div>
</div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">...</span></div>
<div>
<br /></div>
<div>
This is because the rows are laid out in pairs, but the paired bits have some space between them. That is, the bits that are physically adjacent are not from the same pair. This has caused some people to skip the first row:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-2QFiM6qcrFQ/XokL1MgkvxI/AAAAAAAAA3I/4i-8ME_a-PcVcFanv1mXU1axCAC4mlZpACLcBGAsYHQ/s1600/skip.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="233" data-original-width="317" src="https://1.bp.blogspot.com/-2QFiM6qcrFQ/XokL1MgkvxI/AAAAAAAAA3I/4i-8ME_a-PcVcFanv1mXU1axCAC4mlZpACLcBGAsYHQ/s1600/skip.png" /></a></div>
<div>
<br /></div>
<div>
And give it as:</div>
<div>
<br /></div>
<div>
<div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">01001000</span><span style="font-family: "courier new" , "courier" , monospace;">...</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">01101011</span><span style="font-family: "courier new" , "courier" , monospace;">...</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">11001101...</span></div>
</div>
</div>
</div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
So with that in mind, we suggest you type it up closer to this if you want to preserve a rough visual layout:</div>
<div>
<br /></div>
<div>
<div>
<div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">11101011</span><span style="font-family: "courier new" , "courier" , monospace;">...</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">01001000</span><span style="font-family: "courier new" , "courier" , monospace;">...</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">01101011</span><span style="font-family: "courier new" , "courier" , monospace;">...</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">11001101...</span></div>
</div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">...</span></div>
<div>
<br /></div>
</div>
</div>
</div>
<div>
This won't match rompar output, but this doesn't affect post processing. Hope that helps clarify!</div>
<div>
<br /></div>
</div>
<br />
<b>Dump December: 8051 and lasers</b> (CAPS0ff, posted 2019-12-23, updated 2019-12-24)<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
First, <a href="https://twitter.com/Caps0xff">we've created a Twitter account</a> to help announce blog posts! As always, <a href="https://www.patreon.com/user?u=4805718">Patreon supporters</a> get early access, but we'll tweet once they become public.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-5__9Er04bEY/XftPOWJpNFI/AAAAAAAAAxQ/Ejlk5B7mS0Ye43TXqXrOj34UYcj2w3-iwCLcBGAsYHQ/s1600/ship.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="982" data-original-width="1600" height="196" src="https://1.bp.blogspot.com/-5__9Er04bEY/XftPOWJpNFI/AAAAAAAAAxQ/Ejlk5B7mS0Ye43TXqXrOj34UYcj2w3-iwCLcBGAsYHQ/s320/ship.jpg" width="320" /></a></div>
<br />
Anyway, in a previous post we mentioned a new shipment. We've been working it over and have a bunch of updates!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-qzrGm_fWACI/XgJhEXGekyI/AAAAAAAAA1w/sO8i-ufDuFMrjny7lUnYRIIOe623ZTtoQCLcBGAsYHQ/s1600/uiseblock2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="240" data-original-width="256" src="https://1.bp.blogspot.com/-qzrGm_fWACI/XgJhEXGekyI/AAAAAAAAA1w/sO8i-ufDuFMrjny7lUnYRIIOe623ZTtoQCLcBGAsYHQ/s1600/uiseblock2.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-eCGas7gFQuU/XgJhEbEPioI/AAAAAAAAA1s/5LQCdx4h7zkzTYol3Cop2lZYGQuZRMKGgCLcBGAsYHQ/s1600/useblock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="240" data-original-width="256" src="https://1.bp.blogspot.com/-eCGas7gFQuU/XgJhEbEPioI/AAAAAAAAA1s/5LQCdx4h7zkzTYol3Cop2lZYGQuZRMKGgCLcBGAsYHQ/s1600/useblock.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
First, there were a few <a href="https://wiki.nesdev.com/w/index.php/NES_2.0_Mapper_355">NES 2.0 Mapper 355</a> PIC16C54 from <span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">Block Force (</span>C059<span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">) and 3D Block (</span><span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">C060</span><span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">). One of these has been obfuscated by sanding.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-1JGg1Nkigu0/XftQFETKpNI/AAAAAAAAAxc/DoouIXFM_qwkTI1lnDM5KGvbZO9VIYGvgCLcBGAsYHQ/s1600/IMG_20191218_161254.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="995" data-original-width="1600" height="199" src="https://1.bp.blogspot.com/-1JGg1Nkigu0/XftQFETKpNI/AAAAAAAAAxc/DoouIXFM_qwkTI1lnDM5KGvbZO9VIYGvgCLcBGAsYHQ/s320/IMG_20191218_161254.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-mH4ebpnGZXI/Xf6WOVHvkGI/AAAAAAAAA1I/yEauPCQRHs4Ho-SAAetIyV_JrErGiexIgCLcBGAsYHQ/s1600/IMG_20191218_164834.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1000" data-original-width="1516" height="211" src="https://1.bp.blogspot.com/-mH4ebpnGZXI/Xf6WOVHvkGI/AAAAAAAAA1I/yEauPCQRHs4Ho-SAAetIyV_JrErGiexIgCLcBGAsYHQ/s320/IMG_20191218_164834.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
These are similar to <a href="https://caps0ff.blogspot.com/2019/06/mosaic-space-pic16c5x.html">other PIC16C5X we've done</a> and were dumped using a UV mask roughly around the EPROM.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-5AfbYWFGiuM/XfyRVERGyGI/AAAAAAAAA0A/i_RaYnq7B4cqAAEp2muLS9UPeiiIYCGlACLcBGAsYHQ/s1600/hatchcatch.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="240" data-original-width="320" src="https://1.bp.blogspot.com/-5AfbYWFGiuM/XfyRVERGyGI/AAAAAAAAA0A/i_RaYnq7B4cqAAEp2muLS9UPeiiIYCGlACLcBGAsYHQ/s1600/hatchcatch.jpg" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-3zJFB_-FdDg/XftS5N7LiZI/AAAAAAAAAxw/jb6vVxWbrqA32IYNgEVe03Cfg06R79ovACLcBGAsYHQ/s1600/246.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br class="Apple-interchange-newline" /><img border="0" data-original-height="176" data-original-width="503" height="111" src="https://1.bp.blogspot.com/-3zJFB_-FdDg/XftS5N7LiZI/AAAAAAAAAxw/jb6vVxWbrqA32IYNgEVe03Cfg06R79ovACLcBGAsYHQ/s320/246.jpg" width="320" /></a></div>
<br />
Next we targeted <span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">SemiCom </span><span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">Hatch Catch's </span>Intel <span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">87C52</span><span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;"> (</span>246<span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">)</span><span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;"> because we had <a href="http://caps0ff.blogspot.com/2019/10/c055-changyu2cye-87c51.html">dumped an Intel 87C51</a> and it seemed likely we'd be able to extend the attack. However, decapping yielded a surprise:</span><br />
<span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-qUCOd6GwuYU/XftTgGn9eqI/AAAAAAAAAyA/CThNchFT4JEBaL4PYdv-y3WkhCD5XROGgCLcBGAsYHQ/s1600/die.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="907" data-original-width="896" height="320" src="https://1.bp.blogspot.com/-qUCOd6GwuYU/XftTgGn9eqI/AAAAAAAAAyA/CThNchFT4JEBaL4PYdv-y3WkhCD5XROGgCLcBGAsYHQ/s320/die.jpg" width="316" /></a></div>
<span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-jd04KuSYAWw/XftTFSlyAKI/AAAAAAAAAx0/YpWYcXWpT8MrL4Evwr-il_bzUP6qAdTywCLcBGAsYHQ/s1600/logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="912" data-original-width="1360" height="214" src="https://1.bp.blogspot.com/-jd04KuSYAWw/XftTFSlyAKI/AAAAAAAAAx0/YpWYcXWpT8MrL4Evwr-il_bzUP6qAdTywCLcBGAsYHQ/s320/logo.jpg" width="320" /></a></div>
<span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;"><br /></span>
<span style="background-color: white;"><span style="font-family: docs-Calibri;"><span style="white-space: pre-wrap;">It's not an 87C52! After a little digging, it's become apparent that Intel 87C52 isn't a real part. Rather, it's a marketing name for the smallest member of the 87C51FX series marketed to people familiar with 8751/8752 differences.</span></span></span><br />
<span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;"><br /></span>
<span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">In any case, this wasn't so bad as we heard there was a laser glitch attack against Intel 87C51FA. The basic idea is to randomly flip transistors with a laser until you find one that happens to unlock the chip. </span>After a little prodding (100 mW green, 45 degree angle)...<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-WVssFWUHHPE/XftJRuoShnI/AAAAAAAAAw4/eX-CKOKIhToJDjV6R2L44Q1Xhn1M0eoXACLcBGAsYHQ/s1600/IMG_20191217_213715_roi.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br class="Apple-interchange-newline" /><img border="0" data-original-height="357" data-original-width="716" height="159" src="https://1.bp.blogspot.com/-WVssFWUHHPE/XftJRuoShnI/AAAAAAAAAw4/eX-CKOKIhToJDjV6R2L44Q1Xhn1M0eoXACLcBGAsYHQ/s320/IMG_20191217_213715_roi.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-2JQdCffTWTk/XftSPWdyZ4I/AAAAAAAAAxo/ta-9eA_jnrk9KharVFvBjLpnlZiXXCprwCLcBGAsYHQ/s1600/intel_87c51fa_laser.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1180" data-original-width="1264" height="298" src="https://1.bp.blogspot.com/-2JQdCffTWTk/XftSPWdyZ4I/AAAAAAAAAxo/ta-9eA_jnrk9KharVFvBjLpnlZiXXCprwCLcBGAsYHQ/s320/intel_87c51fa_laser.jpg" width="320" /></a></div>
<br />
...we found an area that unlocked the firmware! This resulted in a good dump for <span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">SemiCom </span><span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">Hatch Catch</span> without any encryption applied (<a href="https://caps0ff.blogspot.com/2019/10/c055-changyu2cye-87c51.html">see our 87C51 post for details on 8751 encryption</a>).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-Y9wF7g5WU5Q/XfyTYhPKdBI/AAAAAAAAA0U/O12zJIcuDMMuTqNrHPZhYPcdxAMGH4r1gCLcBGAsYHQ/s1600/chocky.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="360" data-original-width="480" height="240" src="https://1.bp.blogspot.com/-Y9wF7g5WU5Q/XfyTYhPKdBI/AAAAAAAAA0U/O12zJIcuDMMuTqNrHPZhYPcdxAMGH4r1gCLcBGAsYHQ/s320/chocky.jpg" width="320" /></a></div>
<br />
Next we checked if we could extend the attack to the Philips 87C52 parts which are in various SemiCom games (ex: CHOKY!CHOKY!, 247). However, we once again encountered shenanigans with chip markings. Here are two chips that are both "<span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">P87C52EBPN</span>":<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-ZDbxpCQPxNQ/XftY_Drh4FI/AAAAAAAAAzg/9OiILAtJ2R0q1AdSTPS430Cj0MRLLZkUQCLcBGAsYHQ/s1600/IMG_20191215_224851.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="992" data-original-width="1580" height="200" src="https://1.bp.blogspot.com/-ZDbxpCQPxNQ/XftY_Drh4FI/AAAAAAAAAzg/9OiILAtJ2R0q1AdSTPS430Cj0MRLLZkUQCLcBGAsYHQ/s320/IMG_20191215_224851.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-bB7yWi_1Xdg/XftUt5rKg_I/AAAAAAAAAyM/Bsh41orPw60PS16nsp8O2BQcHFHCxZMOQCLcBGAsYHQ/s1600/die.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="865" data-original-width="894" height="309" src="https://1.bp.blogspot.com/-bB7yWi_1Xdg/XftUt5rKg_I/AAAAAAAAAyM/Bsh41orPw60PS16nsp8O2BQcHFHCxZMOQCLcBGAsYHQ/s320/die.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-gYHWeY3RuEI/XftUxS1t_XI/AAAAAAAAAyQ/WW0WoGhFgogyFfFCmpoxO0hGDPMVXDBjwCLcBGAsYHQ/s1600/die.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="752" data-original-width="687" height="320" src="https://1.bp.blogspot.com/-gYHWeY3RuEI/XftUxS1t_XI/AAAAAAAAAyQ/WW0WoGhFgogyFfFCmpoxO0hGDPMVXDBjwCLcBGAsYHQ/s320/die.jpg" width="292" /></a></div>
<br />
Which are clearly different! Comparing logos:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-wtSR9vSTz-M/XftU1y4yenI/AAAAAAAAAyU/NYB2FcBB8AoEi4DEJgbSdEC6JzCKUSPfQCLcBGAsYHQ/s1600/logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="912" data-original-width="1360" height="214" src="https://1.bp.blogspot.com/-wtSR9vSTz-M/XftU1y4yenI/AAAAAAAAAyU/NYB2FcBB8AoEi4DEJgbSdEC6JzCKUSPfQCLcBGAsYHQ/s320/logo.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-BsRnpXeibSg/XftU4zis6yI/AAAAAAAAAyY/RS_qPXZG3ogwfbZx4puyDwBBBvHdLlNtQCLcBGAsYHQ/s1600/logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="432" data-original-width="714" height="193" src="https://1.bp.blogspot.com/-BsRnpXeibSg/XftU4zis6yI/AAAAAAAAAyY/RS_qPXZG3ogwfbZx4puyDwBBBvHdLlNtQCLcBGAsYHQ/s320/logo.jpg" width="320" /></a></div>
<br />
So a similar scheme to Intel's, but even within what should be the same model (<span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">P87C52EBPN</span>) we are finding multiple dies. Without being familiar with Philips part numbering it's hard to say exactly why this is, but it's plausible some of these were remarked.<br />
<br />
In any case, we explored a UV attack against 87C52 / XSC6644A as used in CHOKY!CHOKY!:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-Jo0SzB5XD94/XftWBVqZuWI/AAAAAAAAAyw/YAt9c5kEQk4m7sRiD8VkfAHSnwUb1Ik-wCLcBGAsYHQ/s1600/IMG_20191215_194606.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1368" data-original-width="1548" height="282" src="https://1.bp.blogspot.com/-Jo0SzB5XD94/XftWBVqZuWI/AAAAAAAAAyw/YAt9c5kEQk4m7sRiD8VkfAHSnwUb1Ik-wCLcBGAsYHQ/s320/IMG_20191215_194606.jpg" width="320" /></a></div>
<br />
This mask is very tight and very close to the data:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-DBP9mVjCQ38/XftWpT9d84I/AAAAAAAAAy4/0UIc1X8s9IsWVTq4Ib1iKGm0lVLYny5AwCLcBGAsYHQ/s1600/IMG_20191215_191950_mark.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="524" data-original-width="540" height="310" src="https://1.bp.blogspot.com/-DBP9mVjCQ38/XftWpT9d84I/AAAAAAAAAy4/0UIc1X8s9IsWVTq4Ib1iKGm0lVLYny5AwCLcBGAsYHQ/s320/IMG_20191215_191950_mark.jpg" width="320" /></a></div>
<br />
But it gets worse. It appears activating security involves row-specific security fuses spread throughout the entire configuration section. So to fully unlock the chip you need to erase many fuses across the entire config column! With this in mind, we decided to use something with a naturally straight edge instead of making a tight nail polish mask along the entire column:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-8WG_2o1gv3c/XftXHMF594I/AAAAAAAAAzA/1Qs9Wtxhch0o90JXZ6f2JaAlBVeo9Un0gCLcBGAsYHQ/s1600/IMG_20191215_213203.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1268" data-original-width="1356" height="299" src="https://1.bp.blogspot.com/-8WG_2o1gv3c/XftXHMF594I/AAAAAAAAAzA/1Qs9Wtxhch0o90JXZ6f2JaAlBVeo9Un0gCLcBGAsYHQ/s320/IMG_20191215_213203.jpg" width="320" /></a></div>
<br />
Above is the actual mask used to dump <span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">CHOKY!CHOKY!</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-NQbcqBZhMVc/XfyU2ay0xpI/AAAAAAAAA0g/9cTYg-YQYKEdj4XFM7VF4z630c2IRHBiACLcBGAsYHQ/s1600/Dream_World_-_2000_-_SemiCom.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1061" data-original-width="1440" height="235" src="https://1.bp.blogspot.com/-NQbcqBZhMVc/XfyU2ay0xpI/AAAAAAAAA0g/9cTYg-YQYKEdj4XFM7VF4z630c2IRHBiACLcBGAsYHQ/s320/Dream_World_-_2000_-_SemiCom.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-2CM1XvAOhh8/XfyWDPazYeI/AAAAAAAAA0s/7WJ_Heg8hsMxMe67TOyFmMM1zNVxmPZJQCLcBGAsYHQ/s1600/date.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="925" data-original-width="1246" height="237" src="https://1.bp.blogspot.com/-2CM1XvAOhh8/XfyWDPazYeI/AAAAAAAAA0s/7WJ_Heg8hsMxMe67TOyFmMM1zNVxmPZJQCLcBGAsYHQ/s320/date.png" width="320" /></a></div>
<br />
Next we looked at the Philips 87C51RA+, which is used on several games such as SemiCom <span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">Dream World (248) and SemiCom </span><span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">Date Quiz GoGo (255). While we might be able to extend the masking attack on the Philips 87C52, </span>it was very touchy. With some experience with the Intel 87C51FA laser glitch, we wondered whether the Philips 87C51RA+ has a similar vulnerability.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-3RHiHnJ2_tc/XftXed6IdfI/AAAAAAAAAzI/EOz3i57LVJc_gvtzPLhZjL95E3iqTCQrgCLcBGAsYHQ/s1600/phil_87c51rap_laser.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1445" data-original-width="1600" height="289" src="https://1.bp.blogspot.com/-3RHiHnJ2_tc/XftXed6IdfI/AAAAAAAAAzI/EOz3i57LVJc_gvtzPLhZjL95E3iqTCQrgCLcBGAsYHQ/s320/phil_87c51rap_laser.jpg" width="320" /></a></div>
<br />
And it does! This gave us what looked like encrypted binaries for both of these games. However, upon closer inspection Date Quiz wasn't encrypted; it just had an unusual structure. First, while most MCS51 binaries have a vector jump table at the beginning, Date Quiz immediately begins main() code. Second, most of the ROM is a large random-looking binary blob. However, between these two it has a 00-filled section, whose low entropy indicates a trivial encryption key. Dream World, on the other hand, had a non-trivial key, but was FF-filled at the end, which made the key trivial to extract.<br />
<br />
Next, we wondered what else might be vulnerable to laser glitching? We tried Atmel AT89C51 and...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-s9M7h2tiXko/XftYYCF5tWI/AAAAAAAAAzY/0KLe2w4qRI4UtAwtcKLWSsdaR-pqGPnfwCLcBGAsYHQ/s1600/at89c51_19052_laser.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1219" data-original-width="1600" height="243" src="https://1.bp.blogspot.com/-s9M7h2tiXko/XftYYCF5tWI/AAAAAAAAAzY/0KLe2w4qRI4UtAwtcKLWSsdaR-pqGPnfwCLcBGAsYHQ/s320/at89c51_19052_laser.jpg" width="320" /></a></div>
<br />
Much to our surprise we also found a glitch! We heard this part was likely going to require microprobing which, although not out of the question, was going to make it much harder.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-KTQKQ7UTKx0/XfyYdPFQjKI/AAAAAAAAA04/4bCwfQX_pmwMZVCifGNjDJb1D_lFKF1fACLcBGAsYHQ/s1600/quizard_17-image.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="310" data-original-width="384" height="258" src="https://1.bp.blogspot.com/-KTQKQ7UTKx0/XfyYdPFQjKI/AAAAAAAAA04/4bCwfQX_pmwMZVCifGNjDJb1D_lFKF1fACLcBGAsYHQ/s320/quizard_17-image.jpg" width="320" /></a></div>
<br />
This allowed dumping Quizard 2, German, TAB DN 122 D3 (C054) and Quizard 4, Czech, TS142 CZ1 (C057).<br />
<br />
However, C057 has this near the end:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000910 00 0a 14 02 00 0a 1e 03 00 0a 32 04 00 0f 1e 02 |..........2.....|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000920 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000930 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">*</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000a00 ff ff ff ff ff ff ff ff ff ff fa ff ff ff ff ff |................|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000a10 ff ff fa ff ff ff ff ff ff ff ff ff ff ff ff ff |................|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000a20 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">*</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000a40 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000a50 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">*</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000a80 ff ff ff ff ff ff ff ff ff ff fa ff ff ff ff ff |................|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000a90 ff ff ff ff ff ff ff ff fa ff ff ff ff ff ff ff |................|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000aa0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">*</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000ac0 ff ff ff ff ff ff ff ff ff ff fb ff ff ff ff ff |................|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000ad0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|</span><br />
<div>
<br /></div>
<div>
We often see ROMs end in fill patterns like FF, but these should be solid, without bit flips. So why do we think this dump is correct?</div>
<div>
<br /></div>
<div>
Let's dive a little deeper into our laser glitching approach. First, we program a sample with a known pattern and secure it. Next, we create a script that repeatedly reads the chip, saves the current read, and also displays the current read. While this is running, we sweep a laser around the die, focusing near EPROM, until valid looking data shows up. We then tweak the laser until we get a stable readout. In the case of C057, we held the laser stable and observed 40+ consecutive dumps with the same pattern. While we can't for sure rule out bit flips, this at least gives reasonable confidence the binary is correct. Finally, we also do quick disassembly of dumps to verify assembly looks mostly reasonable.</div>
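<div>
The read-and-compare step above, as an added example (not Caps0ff's own script): it takes a list of consecutive reads, votes per offset, reports how many reads in a row were identical, and flags non-FF bytes inside the trailing fill like the fa/fb bytes in the C057 hexdump. The sample ROM and its offsets are constructed to mirror that hexdump, not the real C057 contents.</div>

```python
"""Stability and fill-region checks for repeated glitched ROM reads.

Added example, not Caps0ff's script. It automates the check described above:
hold the laser steady, take many consecutive reads, and trust the dump only if
they agree. It also flags bytes inside the trailing FF fill that are not 0xFF
(like the stray fa/fb bytes in the C057 hexdump), since fill should be solid.
"""
from collections import Counter


def consensus_dump(reads):
    """Per-offset majority vote over equal-length reads.

    Returns (consensus_bytes, unstable_offsets); an offset is unstable when any
    read disagreed with the majority there (a candidate laser-induced flip)."""
    if not reads:
        raise ValueError("no reads")
    length = len(reads[0])
    if any(len(r) != length for r in reads):
        raise ValueError("reads differ in length")
    consensus, unstable = bytearray(length), []
    for off in range(length):
        value, votes = Counter(r[off] for r in reads).most_common(1)[0]
        consensus[off] = value
        if votes != len(reads):
            unstable.append(off)
    return bytes(consensus), unstable


def longest_identical_run(reads):
    """Longest run of consecutive identical reads (the post's '40+' figure)."""
    if not reads:
        return 0
    best = run = 1
    for prev, cur in zip(reads, reads[1:]):
        run = run + 1 if prev == cur else 1
        best = max(best, run)
    return best


def fill_region_anomalies(dump, fill=0xFF, run=16):
    """Locate the trailing fill and list the bytes that break it.

    fill_start is the first offset that begins `run` consecutive `fill` bytes;
    anomalies is [(offset, value, flipped_bits)] for every later non-fill byte.
    Returns (None, []) when the dump contains no such fill run."""
    fill_start = dump.find(bytes([fill]) * run)
    if fill_start == -1:
        return None, []
    anomalies = []
    for off in range(fill_start, len(dump)):
        if dump[off] != fill:
            diff = dump[off] ^ fill
            anomalies.append((off, dump[off], [i for i in range(8) if diff >> i & 1]))
    return fill_start, anomalies


def check_dump(reads):
    """Summarise one glitching session: consensus, stability, fill anomalies."""
    consensus, unstable = consensus_dump(reads)
    fill_start, anomalies = fill_region_anomalies(consensus)
    return {"reads": len(reads),
            "longest_identical_run": longest_identical_run(reads),
            "unstable_offsets": unstable,
            "fill_start": fill_start,
            "fill_anomalies": anomalies}


def constructed_c057_like_dump():
    """Constructed sample (not the real C057 ROM): arbitrary 'code' bytes up to
    0x920, then FF fill carrying the same stray 0xfa/0xfb bytes at the offsets
    visible in the hexdump above."""
    rom = bytearray(0xAE0)                 # offset 0x920 stays 0x00, as in the dump
    for off in range(0x920):
        rom[off] = (off * 37 + 11) & 0xFF  # arbitrary, never 16 consecutive 0xFF
    for off in range(0x921, len(rom)):
        rom[off] = 0xFF
    for off in (0xA0A, 0xA12, 0xA40, 0xA8A, 0xA98):
        rom[off] = 0xFA
    rom[0xACA] = 0xFB
    return bytes(rom)


if __name__ == "__main__":
    dump = constructed_c057_like_dump()
    glitched = bytearray(dump)
    glitched[0x100] ^= 0x01                # one read with a single flipped bit
    report = check_dump([dump] * 40 + [bytes(glitched)])
    for k, v in report.items():
        print(k, v)
```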
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-SnjiXn1wF0A/XftbXShXB_I/AAAAAAAAAzs/XxUANz-Ln5kv_tMNVyuhnQrRLq5QI3xuACLcBGAsYHQ/s1600/IMG_20191214_210600.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1205" data-original-width="1600" height="240" src="https://1.bp.blogspot.com/-SnjiXn1wF0A/XftbXShXB_I/AAAAAAAAAzs/XxUANz-Ln5kv_tMNVyuhnQrRLq5QI3xuACLcBGAsYHQ/s320/IMG_20191214_210600.jpg" width="320" /></a></div>
<div>
<br /></div>
<div>
We also hoped to work on 8752BH, but had issues getting our samples programmed. We suspect they are faulty and have new samples on order. </div>
<div>
<br /></div>
<div>
<div>
So between PIC16C54, Intel 87C51FA (87C52), Philips 87C52 (<span style="background-color: white; white-space: pre-wrap;">P87C52EBPN</span>), Philips 87C51RA+ (<span style="background-color: white; white-space: pre-wrap;">P87C52EBPN</span>), and Atmel AT89C51 dumps this month, we have so far made 8 dumps in December!</div>
<div>
<br /></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/--CUQ9e8DjGQ/XftcEMPigPI/AAAAAAAAAz0/8sYFToBGA_8pA9Z3yNEdB-FMF4sJQSVSgCLcBGAsYHQ/s1600/IMG_20191207_165328_mark.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1431" data-original-width="1600" height="286" src="https://1.bp.blogspot.com/--CUQ9e8DjGQ/XftcEMPigPI/AAAAAAAAAz0/8sYFToBGA_8pA9Z3yNEdB-FMF4sJQSVSgCLcBGAsYHQ/s320/IMG_20191207_165328_mark.jpg" width="320" /></a></div>
<div>
<br /></div>
<div>
Now for some less good news. We developed a technique to dump EPM5032DC which is used on some <span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">Sega System 24 games. </span>Unfortunately we had some issues while decapping <span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">Quiz Mekuromeku Story (</span>249) and <span style="background-color: white; font-family: docs-Calibri; font-size: 16px; white-space: pre-wrap;">Quiz Rouka Ni Tattenasai (</span>250). Specifically 249 appears to have been scratched (above), and 250 is under evaluation. We are determining what can be salvaged and, having resolved the decap issue, are looking for replacements if available.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-LbjZeHd1ayw/XftN-UD_koI/AAAAAAAAAxE/FPMxQNQEmb0UCf35Tab190NVE6lsayhZwCLcBGAsYHQ/s1600/IMG_20191219_000412.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1429" data-original-width="1600" height="285" src="https://1.bp.blogspot.com/-LbjZeHd1ayw/XftN-UD_koI/AAAAAAAAAxE/FPMxQNQEmb0UCf35Tab190NVE6lsayhZwCLcBGAsYHQ/s320/IMG_20191219_000412.jpg" width="320" /></a></div>
<div>
<br /></div>
Finally, stay tuned for ROM staining adventures! Part of the Furby ROM can be seen above. On that note, we've seen there are a few good resources on the Furby, <a href="https://www.seanriddle.com/furbysource.pdf">scanned source code</a> and a <a href="https://github.com/gnomon-/furby-source">small effort to transcribe it</a>. However, nobody has followed up to convert it into a full .asm for assembling, which would be very interesting to compare to our upcoming capture. We also need to figure out what info and tools are out there on the SPC81A architecture to compile the .asm and disassemble our binary.<br />
<br />
<span style="background-color: white; color: #222222; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Enjoy this post? Please </span><span style="background-color: white; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><a href="https://www.patreon.com/user?u=4805718" style="background-color: white; color: #888888; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13.2px; text-decoration-line: none;">support us on Patreon</a><span style="color: #222222;"> or</span></span> <a href="https://twitter.com/Caps0xff">follow us on Twitter</a>! <span style="background-color: white; color: #222222; font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.</span>CAPS0ffhttp://www.blogger.com/profile/01614107641236756516noreply@blogger.com4tag:blogger.com,1999:blog-5831808578326311132.post-91115384585597027012019-10-24T12:21:00.000-07:002019-10-24T12:21:40.266-07:00C055: changyu2/CYE 87C51<a href="https://team-europe.blogspot.com/">TeamEurope</a> recently asked us to dump an 87C51. We thought we had done this before, but turns out we had only looked at related chips like 8751H and 87C51FA. This adds a few complications:<br />
<ul>
<li>Not known if vulnerable to laser glitching like 87C51FA</li>
<li>Don't have a known fuse location like 8751H</li>
<li>Not familiar with the XOR encryption scheme</li>
</ul>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-PolwfprPYmQ/XZAgNDlQHZI/AAAAAAAAAvE/JfSsTwRgoJgR5YqKfGxuxpb3PHdKh1xVACLcBGAsYHQ/s1600/20190926_153502.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1316" data-original-width="1540" height="273" src="https://1.bp.blogspot.com/-PolwfprPYmQ/XZAgNDlQHZI/AAAAAAAAAvE/JfSsTwRgoJgR5YqKfGxuxpb3PHdKh1xVACLcBGAsYHQ/s320/20190926_153502.jpg" width="320" /></a></div>
<div>
<br /></div>
<div>
So we procured some sample chips, this time literally marked SAMPLE.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-X0UoJlLeLOs/XZAjRIHY_2I/AAAAAAAAAvY/mj0whkQr-P0xRAbwg6Qw1_X4zYQU_IeLgCLcBGAsYHQ/s1600/20190928_201904.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1378" height="320" src="https://1.bp.blogspot.com/-X0UoJlLeLOs/XZAjRIHY_2I/AAAAAAAAAvY/mj0whkQr-P0xRAbwg6Qw1_X4zYQU_IeLgCLcBGAsYHQ/s320/20190928_201904.jpg" width="275" /></a></div>
<div>
<br /></div>
<div>
Sample decapped</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-Rklgw4WQvl0/XZAjtWU0T1I/AAAAAAAAAvg/Jw9ufraFBIAb6i16fL2qMFOZoInN4F9EQCLcBGAsYHQ/s1600/20190928_201701_mark.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1600" height="320" src="https://1.bp.blogspot.com/-Rklgw4WQvl0/XZAjtWU0T1I/AAAAAAAAAvg/Jw9ufraFBIAb6i16fL2qMFOZoInN4F9EQCLcBGAsYHQ/s320/20190928_201701_mark.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
After a few masking tests, we discovered the security fuses are in the location marked above. This makes the project interesting because it's rather close to the EPROM. However, we are able to apply masks reasonably precisely, so we didn't worry about this too much.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-fzirPCkkBZc/XZAkUQ2InBI/AAAAAAAAAvs/zPNhEzVrrzgwQA_aVf1OnTVylm_l-wyfACLcBGAsYHQ/s1600/20190928_172140.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1572" data-original-width="1600" height="314" src="https://1.bp.blogspot.com/-fzirPCkkBZc/XZAkUQ2InBI/AAAAAAAAAvs/zPNhEzVrrzgwQA_aVf1OnTVylm_l-wyfACLcBGAsYHQ/s320/20190928_172140.jpg" width="320" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Here is the final mask on C055. Note that the mask was applied pretty heavily to try to minimize edge leakage.</div>
<div>
<br /></div>
<div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000000 ec e1 45 b3 09 23 a2 dc fd bf 76 65 8d 61 20 a3 |..E..#....ve.a .|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000010 21 54 fc 76 da ef 54 32 44 da bc 30 54 33 35 61 |!T.v..T2D..0T35a|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000020 12 32 45 83 f4 5d a2 dc fd bf 76 55 fa c8 12 9e |.2E..]....vU....|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000030 51 de b3 b3 66 a0 a3 b8 2b e5 10 92 5b 8f 5a a9 |Q...f...+...[.Z.|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000040 98 44 ab c4 87 7f 28 a9 13 35 01 16 fa d8 02 28 |.D....(..5.....(|</span></div>
</div>
<div style="text-align: center;">
...</div>
<div>
This yields the ROM above!</div>
<div>
<br /></div>
<div>
However, this is encrypted, so we now need to address cracking the XOR table. The basic idea is that there are 0x20 XOR encryption key bytes that are applied cyclically, indexed by the address modulo the key length. Since the default (unprogrammed) key of all 0xFF bytes must leave the contents unchanged, the result is also inverted. This yields something like this:</div>
<div>
<br /></div>
<div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">encrypted = bytearray(len(plaintext))</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">for address, pt_byte in enumerate(plaintext):</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">&nbsp;&nbsp;&nbsp;&nbsp;# key byte chosen by address, then inverted so an all-0xFF key is a no-op</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">&nbsp;&nbsp;&nbsp;&nbsp;encrypted[address] = pt_byte ^ key[address % len(key)] ^ 0xFF</span></div>
</div>
<div>
<br /></div>
<div>
Now with this in mind, note that the key cannot be read out, even if the chip is unprotected. Some options to deal with this:</div>
<div>
<ul>
<li>Reprogram the table and XOR out the key from the new ROM readout</li>
<li>Guess the key</li>
</ul>
<div>
Guessing the key is probably not too hard as, for example, usually firmware starts with LJMP (0x02). More on this later.</div>
<div>
<br /></div>
<div>
We started by looking at reprogramming the XOR table as a direct extraction technique. Unfortunately, our primary programmer (BP Microsystems) doesn't allow directly programming the table. However, the commercial minipro software did:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-uMUzM-bO9_4/XZAoPY_qB3I/AAAAAAAAAv4/3BMOqheYVnAtRAEb8gtp7f9BcUhEVpMFwCLcBGAsYHQ/s1600/Screenshot%2Bfrom%2B2019-09-28%2B19-46-04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="650" data-original-width="1015" height="408" src="https://1.bp.blogspot.com/-uMUzM-bO9_4/XZAoPY_qB3I/AAAAAAAAAv4/3BMOqheYVnAtRAEb8gtp7f9BcUhEVpMFwCLcBGAsYHQ/s640/Screenshot%2Bfrom%2B2019-09-28%2B19-46-04.png" width="640" /></a></div>
<div>
<br /></div>
<div>
We set the key to 0 which yielded this:</div>
<div>
<br /></div>
<div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000000 fe d3 00 fd fd 7e 00 00 00 00 00 fd fd fe cd 00 |.....~..........|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000010 00 00 00 cd 00 00 00 00 00 00 00 cd 00 00 00 00 |................|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000020 00 00 00 cd 00 00 00 00 00 00 00 cd 8a 57 ff 3d |.............W.=|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000030 70 8a 4f 08 bc 4f f7 8a 6f 3f ac 6f 0f bc 6f c8 |p.O..O..o?.o..o.|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000040 8a 76 ee 8a 73 22 8a 75 ee 8a 77 8e 8a 47 ef 8b |.v..s".u..w..G..|</span></div>
</div>
<div style="text-align: center;">
<br /></div>
<div>
Now XOR'ing the two dumps:</div>
<div>
<br /></div>
<div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000000 12 32 45 4e f4 5d a2 dc fd bf 76 98 70 9f ed a3 |.2EN.]....v.p...|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000010 21 54 fc bb da ef 54 32 44 da bc fd 54 33 35 61 |!T....T2D...T35a|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000020 12 32 45 4e f4 5d a2 dc fd bf 76 98 70 9f ed a3 |.2EN.]....v.p...|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000030 21 54 fc bb da ef 54 32 44 da bc fd 54 33 35 61 |!T....T2D...T35a|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000040 12 32 45 4e f4 5d a2 dc fd bf 76 98 70 9f ed a3 |.2EN.]....v.p...|</span></div>
</div>
<div style="text-align: center;">
<br /></div>
<div>
Which means the encryption key is:</div>
</div>
<div>
<br /></div>
<div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000000 12 32 45 4e f4 5d a2 dc fd bf 76 98 70 9f ed a3 |.2EN.]....v.p...|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000010 21 54 fc bb da ef 54 32 44 da bc fd 54 33 35 61 |!T....T2D...T35a|</span></div>
</div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<div>
Applying the key now to the original dump:</div>
</div>
<div>
<br /></div>
<div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000000 01 2c ff 02 02 81 ff ff ff ff ff 02 02 01 32 ff |.,............2.|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000010 ff ff ff 32 ff ff ff ff ff ff ff 32 ff ff ff ff |...2.......2....|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000020 ff ff ff 32 ff ff ff ff ff ff ff 32 75 a8 00 c2 |...2.......2u...|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000030 8f 75 b0 f7 43 b0 08 75 90 c0 53 90 f0 43 90 37 |.u..C..u..S..C.7|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000040 75 89 11 75 8c dd 75 8a 11 75 88 71 75 b8 10 74 |u..u..u..u.qu..t|</span></div>
</div>
<div style="text-align: center;">
<br /></div>
<div>
However, this is suspicious. Usually the first mcs51 instruction is 0x02 (LJMP). However, popping into Ghidra:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-VHkF2eoL7ok/XZApHH3-rzI/AAAAAAAAAwE/rq9YxGpkvrAocsCMWcfv7dNPAU0QNtQygCLcBGAsYHQ/s1600/Screenshot%2Bfrom%2B2019-09-28%2B19-13-37_thumb.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="343" data-original-width="901" height="241" src="https://1.bp.blogspot.com/-VHkF2eoL7ok/XZApHH3-rzI/AAAAAAAAAwE/rq9YxGpkvrAocsCMWcfv7dNPAU0QNtQygCLcBGAsYHQ/s640/Screenshot%2Bfrom%2B2019-09-28%2B19-13-37_thumb.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Aha! They've just used AJMP instead of LJMP. Additionally we see clean disassembly and familiar register initialization. We have a dump!</div>
<div>
<br /></div>
<div>
Finally, what if we tried guessing the key? Well, we probably undersold just how bad this scheme is. One major flaw is that often people don't use the entire chip and it's partly left unprogrammed (i.e. 0xFF filled). Here's the end of the encrypted dump:</div>
<div>
<br /></div>
<div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000fa0 ae cd bc bd f5 82 66 23 04 4c 77 47 ba 60 14 50 |......f#.LwG.`.P|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000fb0 20 8b 2c 44 23 1c 55 cd bb 25 43 02 ab cc ca 9e | .,D#.U..%C.....|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000fc0 ed cd ba b1 0b a2 5d 23 02 40 89 67 8f 60 12 5c |......]#.@.g.`.\|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000fd0 de ab 03 44 25 10 ab cd bb 25 43 02 ab cc ca 9e |...D%....%C.....|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000fe0 ed cd ba b1 0b a2 5d 23 02 40 89 67 8f 60 12 5c |......]#.@.g.`.\|</span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00000ff0 de ab 03 44 25 10 ab cd bb 25 43 02 ab cc ca 9e |...D%....%C.....|</span></div>
</div>
<div style="text-align: center;">
<br /></div>
<div>
Near the end we clearly see a pattern repeated every 0x20 bytes, the telltale sign of filling with 0xFF. So yeah...pretty weak encryption, as this is simply inverted to extract the key.</div>
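As an added example (not code from the post), here is a model of the read-out transform above together with both recovery routes, the reprogram-and-XOR method and the constant-fill guess, run over the hexdump rows quoted in this post. The fill-based route tries both 0xFF and 0x00 padding and keeps the candidate that decrypts address 0 to an LJMP/AJMP, the same sanity check used above; all function names are this example's own.

```python
"""Model of the 87C51-style 0x20-byte XOR "encryption array" and the two
key-recovery routes described in the post: reprogramming the table and
reading again, and using an unprogrammed (constant-filled) region.

Added example, not code from the CAPS0ff post. The sample bytes are the
hexdump rows quoted in the post (addresses 0x0000-0x001f and 0x0fc0-0x0fff);
function names and everything else here are this example's own.
"""

KEY_LEN = 0x20  # 32 key bytes; the one used is selected by address modulo 0x20

# Read-out under the original (unknown) key, addresses 0x0000-0x001f.
ENC_HEAD = bytes.fromhex(
    "ec e1 45 b3 09 23 a2 dc fd bf 76 65 8d 61 20 a3"
    "21 54 fc 76 da ef 54 32 44 da bc 30 54 33 35 61")
# Same addresses read again after reprogramming the key array to all 0x00.
ENC_HEAD_KEY0 = bytes.fromhex(
    "fe d3 00 fd fd 7e 00 00 00 00 00 fd fd fe cd 00"
    "00 00 00 cd 00 00 00 00 00 00 00 cd 00 00 00 00")
# Last 64 bytes of the 4 KiB dump (0x0fc0-0x0fff), the unused tail of the ROM.
TAIL_BASE = 0x0FC0
ENC_TAIL = bytes.fromhex(
    "ed cd ba b1 0b a2 5d 23 02 40 89 67 8f 60 12 5c"
    "de ab 03 44 25 10 ab cd bb 25 43 02 ab cc ca 9e"
    "ed cd ba b1 0b a2 5d 23 02 40 89 67 8f 60 12 5c"
    "de ab 03 44 25 10 ab cd bb 25 43 02 ab cc ca 9e")

# LJMP plus the eight AJMP encodings (low nibble 1): what a reset vector looks like.
JUMP_OPCODES = frozenset({0x02} | {(page << 5) | 0x01 for page in range(8)})


def xor_table(data: bytes, key: bytes, base: int = 0) -> bytes:
    """Read-out transform: each byte is XORed with key[address % 0x20] and
    then inverted, so an unprogrammed (all 0xFF) key array leaves the data
    unchanged. The transform is an involution: applying it to ciphertext
    with the same key gives the plaintext back."""
    if len(key) != KEY_LEN:
        raise ValueError("key array must be 0x20 bytes")
    return bytes(b ^ key[(base + i) % KEY_LEN] ^ 0xFF for i, b in enumerate(data))


def key_from_two_dumps(enc_unknown: bytes, enc_known: bytes,
                       known_key: bytes, base: int = 0) -> bytes:
    """Reprogramming route: XOR a read-out under the unknown key with a
    read-out of the same addresses under a key we chose. Plaintext and the
    fixed inversion cancel, leaving key_unknown ^ key_known per slot."""
    key = bytearray(KEY_LEN)
    covered = [False] * KEY_LEN
    for i, (a, b) in enumerate(zip(enc_unknown, enc_known)):
        slot = (base + i) % KEY_LEN
        key[slot] = a ^ b ^ known_key[slot]
        covered[slot] = True
    if not all(covered):
        raise ValueError("need at least 0x20 bytes to cover every key slot")
    return bytes(key)


def is_periodic(data: bytes, period: int = KEY_LEN) -> bool:
    """True when data repeats every `period` bytes: a constant-filled region
    under a periodic key shows the key (or its inverse) over and over."""
    return len(data) >= 2 * period and all(
        data[i] == data[i - period] for i in range(period, len(data)))


def key_candidates_from_fill(enc: bytes, base: int) -> dict:
    """Guessing route: if a region's plaintext is a constant fill value,
    key[slot] = enc ^ fill ^ 0xFF. Returns one candidate per plausible fill:
    0xFF (ciphertext equals the key) and 0x00 (ciphertext is its inverse)."""
    candidates = {}
    for fill in (0xFF, 0x00):
        key = bytearray(KEY_LEN)
        for i in range(KEY_LEN):
            key[(base + i) % KEY_LEN] = enc[i] ^ fill ^ 0xFF
        candidates[fill] = bytes(key)
    return candidates


def recover_key_from_tail(enc_head: bytes, enc_tail: bytes, tail_base: int):
    """Pick the fill-derived candidate whose decryption of address 0 is a
    jump (LJMP/AJMP), the post's sanity check. Returns (fill, key)."""
    if not is_periodic(enc_tail):
        raise ValueError("tail is not 0x20-periodic; not a constant-filled region")
    for fill, key in key_candidates_from_fill(enc_tail, tail_base).items():
        if xor_table(enc_head, key)[0] in JUMP_OPCODES:
            return fill, key
    raise ValueError("no candidate decrypts address 0 to a jump opcode")


if __name__ == "__main__":
    key = key_from_two_dumps(ENC_HEAD, ENC_HEAD_KEY0, bytes(KEY_LEN))
    print("key from two dumps :", key.hex(" "))
    print("plaintext head     :", xor_table(ENC_HEAD, key).hex(" "))
    fill, key2 = recover_key_from_tail(ENC_HEAD, ENC_TAIL, TAIL_BASE)
    print(f"key from tail (fill 0x{fill:02x}):", key2.hex(" "))
    print("both routes agree  :", key == key2)
```

Both routes yield the same 32-byte key, and the decrypted head begins with 0x01 (AJMP), matching the Ghidra listing above.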
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-4N2XsO-gw18/XavVtE1HzPI/AAAAAAAAAwY/rYmnBSFO0Ls4l9q-09m4Z8skjkJu-VG9QCLcBGAsYHQ/s1600/20191019_200953.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="983" data-original-width="1600" height="196" src="https://1.bp.blogspot.com/-4N2XsO-gw18/XavVtE1HzPI/AAAAAAAAAwY/rYmnBSFO0Ls4l9q-09m4Z8skjkJu-VG9QCLcBGAsYHQ/s320/20191019_200953.jpg" width="320" /></a></div>
<br />
We also recently received a bunch more chips, including a number of 87C5X. So hopefully there will be a follow-up soon.<br />
<br /></div>
<div>
<span style="background-color: white; color: #222222; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Enjoy this post? Please </span><a href="https://www.patreon.com/user?u=4805718" style="text-decoration-line: none;"><span style="background-color: white; color: #888888; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">support us on Patreon</span></a><span style="background-color: white; color: #222222; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">! Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.</span></div>
<p>Posted by CAPS0ff (http://www.blogger.com/profile/01614107641236756516) on 2019-10-02</p>
<p>AT89C51 glitching</p>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-HvFDbM20p_A/XY__eSaYqXI/AAAAAAAAAuk/UoYeSv0vTxkFYI8RtZZjP3-BdrJ8O_CuwCLcBGAsYHQ/s1600/sparrow.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1127" data-original-width="1600" height="225" src="https://1.bp.blogspot.com/-HvFDbM20p_A/XY__eSaYqXI/AAAAAAAAAuk/UoYeSv0vTxkFYI8RtZZjP3-BdrJ8O_CuwCLcBGAsYHQ/s320/sparrow.jpg" width="320" /></a></div>
<br />
Above: MJ-DFMJ. AT89C51 lower left<br />
<br />
We have a number of inherited dumped AT89C51 chips in our inventory as well as a few new undumped ones:<br />
<br />
<ul>
<li>C017: <a href="http://caps0ff.blogspot.com/2018/02/decap-c016-gms-mj-dfmj-pic16f84.html">MJ-DFMJ / "Real Battle Top Phoenix Sparrow"</a></li>
<li>C054: Quizard 2 (German, TAB DN 122 D3)</li>
<li>C056: Quizard 4 (Czech, TS142)</li>
</ul>
<div>
AT89C51 is known to be vulnerable to voltage glitching. Basically there is a race condition when erasing where the security fuse is erased before the main data. If you pull power at just the right time, you clear protection without erasing the data.</div>
<div>
<br /></div>
<div>
However, we had a few concerns approaching this:</div>
<div>
<ol>
<li>If glitching fails, it may erase the part</li>
<li>Concern that the EA pin may have been damaged to prevent readout</li>
<li>A known alternative attack via microprobing</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-SdW1gy0jRH8/XZAAqzFfGsI/AAAAAAAAAu4/dm5eBTXr6j43JA9hGAMU_Td63SFvaRKBACLcBGAsYHQ/s1600/at89c51.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="904" data-original-width="1388" height="208" src="https://1.bp.blogspot.com/-SdW1gy0jRH8/XZAAqzFfGsI/AAAAAAAAAu4/dm5eBTXr6j43JA9hGAMU_Td63SFvaRKBACLcBGAsYHQ/s320/at89c51.jpg" width="320" /></a></div>
<div>
<br /></div>
<div>
We started by checking chip health to see whether EA had been damaged or there were other issues. While we didn't detect any issues with EA, we did see some odd behavior on C056. When an AT89C51 is protected, the debug interface shuts down, which results in the following observations:</div>
<div>
<ol>
<li>Memory is read as 0xFF</li>
<li>Chip ID as 0xFFF00</li>
</ol>
</div>
</div>
<div>
C056 reported its memory as 0xFF, but the chip ID was reported correctly (0x1E51FF). This implies that the chip is not only unlocked, but it's also erased! To confirm this, we did the following:</div>
<div>
<div>
<ol>
<li>Create a test pattern of all FF's, except FE on the first byte</li>
<li>Program the test pattern, making sure erase is not selected. If the chip is protected, programming will likely fail because the first byte does not verify</li>
<li>Read back the chip. If unprotected, bit 0x01 is cleared on the first byte</li>
</ol>
</div>
<div>
When tested on C056, programming did not fail and the first bit was cleared. Unfortunately this is pretty concrete evidence that the chip is not protected and is indeed blank.</div>
<div>
<br /></div>
</div>
<div>
Moving on, we still have two chips that we'd like to dump. After some discussion, we decided the best approach was to attempt glitching once and, if it fails, fall back to microprobing. Originally we tried implementing the glitch ourselves, but then got access to a RunFei commercial voltage glitcher and went with that instead. Unfortunately, C054 did not dump via glitching and will have to be microprobed. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-tOCzXcNW5Qs/XZAACfV4LwI/AAAAAAAAAus/kDllt2vTkzcGDelcA2fAaOL2Bbo5bEAjwCLcBGAsYHQ/s1600/secure.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="322" data-original-width="419" height="245" src="https://1.bp.blogspot.com/-tOCzXcNW5Qs/XZAACfV4LwI/AAAAAAAAAus/kDllt2vTkzcGDelcA2fAaOL2Bbo5bEAjwCLcBGAsYHQ/s320/secure.png" width="320" /></a></div>
<div>
<br /></div>
<div>
However, C017 succeeded! It's unfortunate we only got 1/3 dumped so far, but it's still good progress that 2/3 of our AT89C51 inventory is processed. We are also investigating using the RunFei for related chips like AT89C2051.</div>
<div>
<br /></div>
<div>
Stay tuned for a post on 87C51!</div>
<div>
<br /></div>
<p>Posted by CAPS0ff (http://www.blogger.com/profile/01614107641236756516) on 2019-10-02</p>
<p>Lucky HD647180</p>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-j6xspCt64oE/XY_rNselUMI/AAAAAAAAAuM/qUO8rlYqb5chJmHhsgxtJtLjrDay-5mTwCLcBGAsYHQ/s1600/Lucky21D.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1110" data-original-width="1600" height="276" src="https://1.bp.blogspot.com/-j6xspCt64oE/XY_rNselUMI/AAAAAAAAAuM/qUO8rlYqb5chJmHhsgxtJtLjrDay-5mTwCLcBGAsYHQ/s400/Lucky21D.jpg" width="400" /></a></div>
<br />
We <a href="http://caps0ff.blogspot.com/2016/12/hd647180-19-58-102-terrific-toaplan.html">previously dumped some HD647180</a> and <a href="https://team-europe.blogspot.com/">TeamEurope</a> asked if we could do a few more.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-kL3YeVd85SY/XY_uYDwoDpI/AAAAAAAAAuY/fp6wfq5aXZwITt4uAPeaIH8CYXx-7W14QCLcBGAsYHQ/s1600/lucky74.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="480" data-original-width="640" height="240" src="https://1.bp.blogspot.com/-kL3YeVd85SY/XY_uYDwoDpI/AAAAAAAAAuY/fp6wfq5aXZwITt4uAPeaIH8CYXx-7W14QCLcBGAsYHQ/s320/lucky74.png" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
The new chips are in obscure gambling machines of which little is known other than a little work on <a href="http://www.progettoemma.net/gioco.php?game=lucky74">Lucky 74</a>. The boards don't even work, but we hope that a successful ROM extraction could be used to learn more about them.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-3RPmu8W5XMU/XYz9nS5waFI/AAAAAAAAAtA/A1P63rVIUQEdl7s6nlAnqAq1PxfTr-TdACLcBGAsYHQ/s1600/20190912_001447_thumb.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1456" data-original-width="1364" height="320" src="https://1.bp.blogspot.com/-3RPmu8W5XMU/XYz9nS5waFI/AAAAAAAAAtA/A1P63rVIUQEdl7s6nlAnqAq1PxfTr-TdACLcBGAsYHQ/s320/20190912_001447_thumb.jpg" width="299" /></a></div>
<br />
However, these came in the more obscure SDIP90 package. To truly appreciate their massive size, here's one next to a DIP40.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-fGRQDsk5EiY/XYz1cKm6KYI/AAAAAAAAAsk/OnEhszLg12oiQvGidm-e97k0eKX7ib3YwCLcBGAsYHQ/s1600/20190921_165711.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1440" data-original-width="1580" height="291" src="https://1.bp.blogspot.com/-fGRQDsk5EiY/XYz1cKm6KYI/AAAAAAAAAsk/OnEhszLg12oiQvGidm-e97k0eKX7ib3YwCLcBGAsYHQ/s320/20190921_165711.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-Io9pRX7AGrU/XYz1cFAIaZI/AAAAAAAAAsg/naulgpPIIjIjLFaWA4Sf9JeEa8DJPqxMQCEwYBhgL/s1600/20190921_165735.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1472" data-original-width="1596" height="295" src="https://1.bp.blogspot.com/-Io9pRX7AGrU/XYz1cFAIaZI/AAAAAAAAAsg/naulgpPIIjIjLFaWA4Sf9JeEa8DJPqxMQCEwYBhgL/s320/20190921_165735.jpg" width="320" /></a></div>
<br />
We've numbered these C050 to C053. They are the same size as a Motorola 68K, but have a 0.07" pitch instead of 0.1". SDIP90 seems rather uncommon and I wonder if there are any other chips that use this package.<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-0fbU0X1x9zU/XYz2je_-QfI/AAAAAAAAAs0/cXoOMyakH9AJO-3szEKifcUa4x4Rq6DWACLcBGAsYHQ/s1600/20190906_182608_thumb.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1158" data-original-width="1600" height="231" src="https://1.bp.blogspot.com/-0fbU0X1x9zU/XYz2je_-QfI/AAAAAAAAAs0/cXoOMyakH9AJO-3szEKifcUa4x4Rq6DWACLcBGAsYHQ/s320/20190906_182608_thumb.jpg" width="320" /></a></div>
<br />
Unfortunately, while both BP Microsystems and Xeltek make SDIP adapters, we've only seen them up to 64 pins.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-WP71_Rj_bhM/XYz_oRHwyrI/AAAAAAAAAtM/i3SzC8gCIAUsqXYXsbZYBMV0C3rZCfHpQCLcBGAsYHQ/s1600/20190913_234624.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1170" data-original-width="1600" height="234" src="https://1.bp.blogspot.com/-WP71_Rj_bhM/XYz_oRHwyrI/AAAAAAAAAtM/i3SzC8gCIAUsqXYXsbZYBMV0C3rZCfHpQCLcBGAsYHQ/s320/20190913_234624.jpg" width="320" /></a></div>
<br />
So TeamEurope helped design an SDIP90 to 27C256 EPROM adapter so that we could use a commodity device programmer. Originally we thought we'd have to solder each chip in, but somehow managed to find an SDIP90 socket.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-wvCcpeHYyfY/XY0AckN6LhI/AAAAAAAAAtU/_6QyXaAV0r4fk9xG7nILg8YA27yIml00QCLcBGAsYHQ/s1600/20190921_010034_thumb.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="739" data-original-width="607" height="320" src="https://1.bp.blogspot.com/-wvCcpeHYyfY/XY0AckN6LhI/AAAAAAAAAtU/_6QyXaAV0r4fk9xG7nILg8YA27yIml00QCLcBGAsYHQ/s320/20190921_010034_thumb.jpg" width="262" /></a></div>
<br />
We proceeded to decap a sample SDIP90 part to try to reduce the following risks:<br />
<br />
<ol>
<li>Organic film over chip can be difficult to remove</li>
<li>Some QFN parts have a wire bonding defect (see previous post)</li>
<li>The SDIP adapter was untested</li>
</ol>
<div>
Early testing also revealed the sample was received protected. Interestingly, it had a similar sticker residue (the sticker itself was gone) to the target chips.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-1iJo7r9d6LI/XY0BcSOw_JI/AAAAAAAAAtg/K74wwAdsWAcoe9kh-YBN6VT3Ukg8NUkUgCLcBGAsYHQ/s1600/20190921_010401_thumb.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="571" data-original-width="658" height="277" src="https://1.bp.blogspot.com/-1iJo7r9d6LI/XY0BcSOw_JI/AAAAAAAAAtg/K74wwAdsWAcoe9kh-YBN6VT3Ukg8NUkUgCLcBGAsYHQ/s320/20190921_010401_thumb.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Here's some of an organic layer that wasn't fully removed. It must be at least partially removed to expose the security fuse and allow applying a mask to protect the EPROM. We're not sure what it's made of, but it's possibly silicone. It's very chemically resistant but relatively soft and, if the bond pads are strong, can be removed mechanically by gently tugging on it. More chemical treatment seems to soften it further, so there is a delicate balance between prolonged acid exposure (weakens the material but can also weaken the pads) and mechanical force applied to the wires. On the sample we used a mix of white fuming nitric acid (WFNA) and H2SO4 at a relatively low temperature based on some previous notes. This seemed to work pretty well and the sample was processed successfully.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-hdfj03VDomc/XY0FC3B8eDI/AAAAAAAAAt4/A0VBuWqsNhci0ntMTDwnh1qSXQtFbpj_ACLcBGAsYHQ/s1600/20190921_010442_thumb2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="435" data-original-width="639" height="217" src="https://1.bp.blogspot.com/-hdfj03VDomc/XY0FC3B8eDI/AAAAAAAAAt4/A0VBuWqsNhci0ntMTDwnh1qSXQtFbpj_ACLcBGAsYHQ/s320/20190921_010442_thumb2.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
No bonding defects were found.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-7XxNtcV7BT0/XY0FSAjBCbI/AAAAAAAAAt8/hUyyECqxhNEVi4YlRk6zdlYkidIIkwP2wCLcBGAsYHQ/s1600/20190921_013011.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1518" data-original-width="1600" height="303" src="https://1.bp.blogspot.com/-7XxNtcV7BT0/XY0FSAjBCbI/AAAAAAAAAt8/hUyyECqxhNEVi4YlRk6zdlYkidIIkwP2wCLcBGAsYHQ/s320/20190921_013011.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
We applied a UV mask as done previously and cleared the security bit. Fortunately the adapter worked and we successfully dumped the sample! Unfortunately, there are no strings in it, so we really aren't sure what it is.<br />
<br />
Anyway, the process was then repeated to successfully dump C051 to C053! Sample strings from Lucky 21-D / C051:<br />
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: x-small;">000011d0 13 e1 c1 23 23 10 dc cd 08 06 c9 18 43 52 45 44 |...##.......CRED|</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: x-small;">000011e0 49 54 20 49 4e 00 18 43 52 45 44 49 54 20 4f 55 |IT IN..CREDIT OU|</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: x-small;">000011f0 54 00 18 43 52 45 44 49 54 20 25 00 18 25 00 18 |T..CREDIT %..%..|</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: x-small;">00001200 54 4f 54 41 4c 20 42 45 54 00 18 54 4f 54 41 4c |TOTAL BET..TOTAL|</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: x-small;">00001210 20 57 49 4e 00 18 57 49 4e 20 25 00 18 25 00 18 | WIN..WIN %..%..|</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: x-small;">00001220 50 4c 41 59 20 43 4f 55 4e 54 00 18 25 53 45 54 |PLAY COUNT..%SET|</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: x-small;">00001230 20 43 4f 55 4e 54 00 18 50 4f 57 45 52 20 4f 4e | COUNT..POWER ON|</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: x-small;">00001240 20 43 4f 55 4e 54 00 10 50 55 53 48 20 53 54 41 | COUNT..PUSH STA|</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: x-small;">00001250 52 54 20 53 57 20 46 4f 52 20 51 55 49 54 00 20 |RT SW FOR QUIT. |</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></div>
<span style="font-family: inherit;">However, you may have noticed we omitted C050 (Lucky 25). We were having some issues removing the organic layer and so did a little more H2SO4 acid soak at a relatively low temperature. While this was fine in testing, it resulted in corrosion on the C050 pads. We switched to pure WFNA for C051 to C053, which results in more package wear but, when done properly, is gentler on the actual die. We're looking into options to repair the pads. This would be pretty straightforward with a FIB, but unfortunately we don't have access to one. There are also some alternatives under investigation.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Special thanks to TeamEurope for both supplying the chips and designing the adapter board! Finally, stay tuned for the AT89C51 glitching post!</span><br />
<span style="font-family: inherit;"><br /></span>
<p>Posted by CAPS0ff (http://www.blogger.com/profile/01614107641236756516) on 2019-07-04</p>
<p>Rainbow Islands (Extra Version) C-Chip</p>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-RIHsdHgv7Q0/XRanoCQjysI/AAAAAAAAArE/Kz33dBe7GOUXfXBu67qcky4AHsn5RFGTQCLcBGAs/s1600/RainbowIslandsExtra_Title.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="224" data-original-width="256" src="https://1.bp.blogspot.com/-RIHsdHgv7Q0/XRanoCQjysI/AAAAAAAAArE/Kz33dBe7GOUXfXBu67qcky4AHsn5RFGTQCLcBGAs/s1600/RainbowIslandsExtra_Title.png" /></a></div>
<div style="text-align: center;">
<a href="https://segaretro.org/images/9/97/RainbowIslandsExtra_Title.png">Source</a></div>
<div style="text-align: center;">
<a href="https://1.bp.blogspot.com/-RVQzU4eL5NM/XRatbQaqDXI/AAAAAAAAArg/PZ_2LPIsH6ofrJ0Tywj-rVPE39TdI919wCLcBGAs/s1600/20190624_165305_chip.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="452" data-original-width="1256" height="115" src="https://1.bp.blogspot.com/-RVQzU4eL5NM/XRatbQaqDXI/AAAAAAAAArg/PZ_2LPIsH6ofrJ0Tywj-rVPE39TdI919wCLcBGAs/s320/20190624_165305_chip.jpg" width="320" /></a></div>
<br />
Rainbow Islands (Extra Version) is a variant of the original Rainbow Islands game with tweaked enemies and music. While this game was well enough understood that it was playable in MAME, the driver needed some hacks to get around differences between the classic and extra versions. While we've been interested in dumping it from the beginning, our c-chip dumping process is destructive and unfortunately this game is relatively rare. However, Kevin Eshbach donated a chip in the spirit of faithfully preserving this game for generations to come. Thank you!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-4an00J5gEC4/XRas2HMGqEI/AAAAAAAAArY/tY8bjX8xTl8O8ysyxZnaLJ_FYF9xfKc8wCLcBGAs/s1600/20190628_161800.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1469" height="320" src="https://1.bp.blogspot.com/-4an00J5gEC4/XRas2HMGqEI/AAAAAAAAArY/tY8bjX8xTl8O8ysyxZnaLJ_FYF9xfKc8wCLcBGAs/s320/20190628_161800.jpg" width="293" /></a></div>
<br />
Originally we hoped to experiment with a tungsten probe card and/or pogo pin PCB to make dumping quicker and/or maybe even keep the chip alive. However, it's been sitting in inventory for a few months now and we decided to do <a href="http://caps0ff.blogspot.com/2018/03/taito-c-chip-data-by-lobotomy.html">the existing method</a> in the interest of progress. After all, there would be nothing worse than sacrificing a rare game to get nothing at all!<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-Yy3dXyiKQyM/XRatjraV0mI/AAAAAAAAArk/vtaTP-xKUVEZ2eaB6_2Vr7v5QoTtWccjQCLcBGAs/s1600/20190624_175633_roi.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="573" data-original-width="1600" height="114" src="https://1.bp.blogspot.com/-Yy3dXyiKQyM/XRatjraV0mI/AAAAAAAAArk/vtaTP-xKUVEZ2eaB6_2Vr7v5QoTtWccjQCLcBGAs/s320/20190624_175633_roi.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-cVLKuc4KoX4/XRatmpRsrdI/AAAAAAAAAro/CFtR02DJpiAxmfTx3ksuJkCA-AQ_R_eSACLcBGAs/s1600/20190624_220412.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1296" data-original-width="1600" height="259" src="https://1.bp.blogspot.com/-cVLKuc4KoX4/XRatmpRsrdI/AAAAAAAAAro/CFtR02DJpiAxmfTx3ksuJkCA-AQ_R_eSACLcBGAs/s320/20190624_220412.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
So the traditional procedure was done and successfully gave us a dump!<br />
<br />
So what did we learn from the dump? First, some details about existing MAME workarounds. MAME devs observed enemy attribute and world structure differences that could be explained by simple table changes from the classic c-chip firmware. Additionally, some tables needed to be reordered due to level order changes. MAME developers then wrote a new extra edition ROM that behaved like the Taito extra edition ROM by tweaking the table data and adding code to swap table order.<br />
<br />
However, it was expected that the real Rainbow Islands Extra c-chip ROM would reorder the ROM tables according to the order expected by the game. To our surprise, Taito instead modified the pointer table. Data structure aside, the table data itself matches the predicted values. Finally, the dump confirmed no fundamentally new features were added.<br />
<br />
<div style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; height: 0px;">
Enjoy this post? Please <a href="https://www.patreon.com/user?u=4805718" style="color: #888888; text-decoration-line: none;">support us on Patreon</a>! Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.</div>
<br style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13.2px;" />CAPS0ffhttp://www.blogger.com/profile/01614107641236756516noreply@blogger.com8tag:blogger.com,1999:blog-5831808578326311132.post-32459482720003181222019-06-01T01:15:00.000-07:002019-06-01T01:15:56.998-07:00Mosaic (Space) PIC16C5X<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-BB7KFMdJI9k/XOW3ZukP3WI/AAAAAAAAAqY/mwQHScToDmsZ5jj79n1f93CuWlgu_7gvACLcBGAs/s1600/Mosaic_-_1990_-_Space.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1008" data-original-width="1440" height="224" src="https://3.bp.blogspot.com/-BB7KFMdJI9k/XOW3ZukP3WI/AAAAAAAAAqY/mwQHScToDmsZ5jj79n1f93CuWlgu_7gvACLcBGAs/s320/Mosaic_-_1990_-_Space.jpg" width="320" /></a></div>
<div style="text-align: center;">
<a href="https://www.gamesdatabase.org/media/arcade/artwork-in-game/mosaic">Image Source</a></div>
<br />
The PCB for this game has this curious chip:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-XTMREfZMqQc/XOSxe_CoJZI/AAAAAAAAAok/SrXoLJZW5UwuVSA4hv9SWrLBzUHTR9iewCEwYBhgL/s1600/20190403_143840.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="740" data-original-width="1580" height="149" src="https://1.bp.blogspot.com/-XTMREfZMqQc/XOSxe_CoJZI/AAAAAAAAAok/SrXoLJZW5UwuVSA4hv9SWrLBzUHTR9iewCEwYBhgL/s320/20190403_143840.jpg" width="320" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-rlJTFZJPKsE/XOSxe1Jg--I/AAAAAAAAAoc/O7knY20SN9oOglSDhfJ6BDsfntjr3E74gCEwYBhgL/s1600/20190403_143806.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="720" data-original-width="1600" height="143" src="https://3.bp.blogspot.com/-rlJTFZJPKsE/XOSxe1Jg--I/AAAAAAAAAoc/O7knY20SN9oOglSDhfJ6BDsfntjr3E74gCEwYBhgL/s320/20190403_143806.jpg" width="320" /></a></div>
<br />
<br />
Chip markings have been shaved off leaving just "A" visible on top and "357" on the bottom.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-dRiJj7m2hSw/XOSxe_Ier7I/AAAAAAAAAog/8nyXRfi4FjE-B3Lvp_teCqb7Pn-dNDTYQCLcBGAs/s1600/20190403_143759.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="749" data-original-width="1600" height="149" src="https://4.bp.blogspot.com/-dRiJj7m2hSw/XOSxe_Ier7I/AAAAAAAAAog/8nyXRfi4FjE-B3Lvp_teCqb7Pn-dNDTYQCLcBGAs/s320/20190403_143759.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
It was suspected to be a PIC16C57, but looking at this table, based on package, it could also be a PIC16C55:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-WP2RVskXbhk/XOSyp8DdOBI/AAAAAAAAAo0/oOI-Vz5vQk4ixEzqgSOBHWdFtH-Yr90swCLcBGAs/s1600/table.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="601" data-original-width="583" height="320" src="https://4.bp.blogspot.com/-WP2RVskXbhk/XOSyp8DdOBI/AAAAAAAAAo0/oOI-Vz5vQk4ixEzqgSOBHWdFtH-Yr90swCLcBGAs/s320/table.png" width="310" /></a></div>
<br />
We stuck it in our programmer and successfully dumped it as a PIC16C57, getting a protected/truncated binary. Unfortunately the programmer didn't recognize a device ID distinguishing PIC16C55 from PIC16C57, so we still weren't sure.<br />
<br />
It was then decapped:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-vzBXV-KlQqk/XOS0pVWmNrI/AAAAAAAAApQ/NjUVK5GIizkQOkIJl4kEJAKFz9VTC7-ZgCLcBGAs/s1600/1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1270" data-original-width="1388" height="292" src="https://1.bp.blogspot.com/-vzBXV-KlQqk/XOS0pVWmNrI/AAAAAAAAApQ/NjUVK5GIizkQOkIJl4kEJAKFz9VTC7-ZgCLcBGAs/s320/1.jpg" width="320" /></a></div>
<br />
This looks more like the PIC16C55 we saw before on High Seas Havoc:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-NZ1wS_qHKZ0/XOS13LACSiI/AAAAAAAAApc/LbMdd7Ks2W0N6gTEUKL_paGs8mq2GqnpwCLcBGAs/s1600/hsh.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1277" data-original-width="1600" height="255" src="https://4.bp.blogspot.com/-NZ1wS_qHKZ0/XOS13LACSiI/AAAAAAAAApc/LbMdd7Ks2W0N6gTEUKL_paGs8mq2GqnpwCLcBGAs/s320/hsh.jpg" width="320" /></a></div>
<br />
Masked:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-mW-5kZmuZz0/XOS25Lqi5CI/AAAAAAAAApw/r1c_eWQAUbcxYcxUTiWkh0-Dqv4MBAOWwCLcBGAs/s1600/2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1384" data-original-width="1596" height="277" src="https://1.bp.blogspot.com/-mW-5kZmuZz0/XOS25Lqi5CI/AAAAAAAAApw/r1c_eWQAUbcxYcxUTiWkh0-Dqv4MBAOWwCLcBGAs/s320/2.jpg" width="320" /></a></div>
<br />
This was successfully unlocked! When dumped as a PIC16C57 (2K words) we get two identical halves, and half of each looked like reserved / internal PIC data. So there is really only one unique 512-word code section. With all of this we are pretty sure it's a PIC16C55.<br />
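As an added example (not code from the CAPS0ff post or from MAME), here is the size inference described above written out and generalized: read the dump as the largest family member, find the power-of-two period at which the image repeats, trim a trailing constant-fill region, and map the remaining unique code size onto the PIC16C5X parts. The sample dump is constructed; modelling the reserved half as a constant fill word is an assumption, and the PIC16C56 size (1K words) comes from the family datasheet rather than from the post.

```python
# Added example, not from the CAPS0ff post: infer the real PIC16C5X part from a
# dump taken as a PIC16C57 (2K words). A smaller die read as a bigger part shows
# up as a repeating image, which is what the post describes for the Mosaic chip.
from typing import Dict, List

# Program memory sizes in 12-bit words. The 512/2048 figures are from the post;
# PIC16C56 = 1024 words is from the family datasheet (not stated on the page).
PIC16C5X_ROM_WORDS: Dict[str, int] = {
    "PIC16C54": 512,
    "PIC16C55": 512,
    "PIC16C56": 1024,
    "PIC16C57": 2048,
}


def unique_window(words: List[int]) -> List[int]:
    """Return the shortest power-of-two prefix that the whole image repeats.

    words[p:] == words[:n-p] means words[i+p] == words[i] for every i, i.e. the
    image has period p. Only powers of two are tried, since ROM sizes are.
    """
    n = len(words)
    p = 1
    while p < n:
        if words[p:] == words[: n - p]:
            return words[:p]
        p *= 2
    return list(words)


def strip_constant_tail(window: List[int], min_run: int = 8) -> List[int]:
    """Drop a trailing run of one repeated word (unused / fill area).

    Assumption: the reserved region behaves like a constant fill. Runs shorter
    than min_run are left alone so ordinary code endings are not trimmed.
    """
    if not window:
        return []
    end = len(window)
    fill = window[-1]
    start = end
    while start > 0 and window[start - 1] == fill:
        start -= 1
    run = end - start
    return window[:start] if run >= min_run else list(window)


def next_pow2(n: int) -> int:
    """Smallest power of two >= n (n >= 1)."""
    return 1 << (n - 1).bit_length()


def identify(words: List[int]) -> Dict[str, object]:
    """Summarize the dump: repeat period, unique code words, matching parts."""
    window = unique_window(words)
    code = strip_constant_tail(window)
    size = next_pow2(len(code))
    return {
        "period_words": len(window),
        "code_words": len(code),
        "candidates": [name for name, sz in PIC16C5X_ROM_WORDS.items() if sz == size],
    }


def constructed_pic16c55_as_c57_dump() -> List[int]:
    """Constructed sample: a 512-word program plus 512 words of fill standing in
    for the reserved area, with that 1K block appearing twice in a 2K read."""
    import random

    rng = random.Random(0x357)  # fixed seed for repeatability only
    code = [rng.randrange(0xFFF) for _ in range(512)]  # never equals the 0xFFF fill
    block = code + [0xFFF] * 512
    return block + block


if __name__ == "__main__":
    print(identify(constructed_pic16c55_as_c57_dump()))
```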
<br />
Finally, we briefly compared it to the existing workaround in <a href="https://github.com/mamedev/mame/blob/master/src/mame/drivers/mosaic.cpp">mosaic.cpp</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-RX5appOlYUs/XOW13AfVRsI/AAAAAAAAAqQ/c84mNmg2qTYKpbSJ5_O1S0xsr6nnmx2nQCEwYBhgL/s1600/jumptable.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="50" data-original-width="429" height="46" src="https://2.bp.blogspot.com/-RX5appOlYUs/XOW13AfVRsI/AAAAAAAAAqQ/c84mNmg2qTYKpbSJ5_O1S0xsr6nnmx2nQCEwYBhgL/s400/jumptable.png" width="400" /></a></div>
<br />
Now compare this to some Ghidra disassembly:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-tO_LtjWUDws/XOW1kSft56I/AAAAAAAAAqE/PrfmkEKdgVQbrmFzhKIC_0N4Xgd_bqkywCLcBGAs/s1600/instruction.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="301" src="https://3.bp.blogspot.com/-tO_LtjWUDws/XOW1kSft56I/AAAAAAAAAqE/PrfmkEKdgVQbrmFzhKIC_0N4Xgd_bqkywCLcBGAs/s1600/instruction.png" /></a></div>
<br />
<div style="clear: both; text-align: left;">
And we see the same table!</div>
<div style="clear: both; text-align: left;">
<br />
<span style="background-color: white; color: #222222; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;">Enjoy this post? Please </span><a href="https://www.patreon.com/user?u=4805718" style="background-color: white; color: #888888; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; text-decoration-line: none;">support us on Patreon</a><span style="background-color: white; color: #222222; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;">! Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.</span></div>
<span style="background-color: white; color: #222222; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13.2px;"><br /></span>CAPS0ffhttp://www.blogger.com/profile/01614107641236756516noreply@blogger.com3tag:blogger.com,1999:blog-5831808578326311132.post-73445951483477910762018-08-30T10:37:00.000-07:002018-08-30T10:37:26.612-07:00Operation Wolf c-chip c-omplete!Background:<br />
<ul>
<li><a href="http://caps0ff.blogspot.com/2017/10/looking-inside-taito-c-chip.html">Looking inside Taito C-Chip</a></li>
<li><a href="http://caps0ff.blogspot.com/2018/03/taito-c-chip-data-by-lobotomy.html">Taito C-Chip: data by lobotomy</a></li>
</ul>
Our quest to acquire the Operation Wolf c-chip EPROM content was the most exciting. Since they are relatively common we used a few Operation Wolf c-chips for some early dump attempts. For example, we milled just above the EPROM, cut the wires, and tried to patch in. However, this was deemed too risky with the time and equipment we were willing to put into it.<br />
<br />
Next, we explored a badly damaged Bonze Adventure c-chip:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-SkMOvtOimuA/W4Ns5Lm7bYI/AAAAAAAAAls/T899vNFtWAUUv93MWOEUoO5U5y53upPFACLcBGAs/s1600/c-chip_0.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="584" data-original-width="1396" height="133" src="https://2.bp.blogspot.com/-SkMOvtOimuA/W4Ns5Lm7bYI/AAAAAAAAAls/T899vNFtWAUUv93MWOEUoO5U5y53upPFACLcBGAs/s320/c-chip_0.jpg" width="320" /></a></div>
<br />
We were able to patch onto the busted EPROM pads and verify the chip was still alive. This inspired us to repackage an Operation Wolf die:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-LRsn4bLL6RU/W4NtC6bjQ2I/AAAAAAAAAlw/YLRRZ7PGAlk0vnQqQwBjBpuR8I8DD8o6gCLcBGAs/s1600/c-chip_repack_die.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1580" data-original-width="1600" height="316" src="https://3.bp.blogspot.com/-LRsn4bLL6RU/W4NtC6bjQ2I/AAAAAAAAAlw/YLRRZ7PGAlk0vnQqQwBjBpuR8I8DD8o6gCLcBGAs/s320/c-chip_repack_die.jpg" width="320" /></a></div>
<br />
This gave us more room to work and resulted in a partial dump. For example, we got this string:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">By_TAITO_Copration_On_OSAKA_BUNSHITU._01.Sep.1987_Toshiaki.Kato_Tsutomu.Yoshikawa_4</span><br />
<br />
However, the setup was flaky and we decided it would be better to try something else than improve this method.<br />
<br />
We analyzed the c-chip further and came up with a plan to replace the ASIC with external EPROM hookups:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-ku7hFKO39dA/W4NvVfgTMEI/AAAAAAAAAmg/mYJaHgeAzEgamPF9qvdO3A_CORHxzxuLwCLcBGAs/s1600/c-chip_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="857" data-original-width="812" height="320" src="https://4.bp.blogspot.com/-ku7hFKO39dA/W4NvVfgTMEI/AAAAAAAAAmg/mYJaHgeAzEgamPF9qvdO3A_CORHxzxuLwCLcBGAs/s320/c-chip_1.png" width="303" /></a></div>
<br />
This successfully dumped various c-chips. However, we used all of our Operation Wolf chips during initial testing, and needed another. So someone donated this c-chip:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-0uOQOksyi6w/W4Nt6au7XyI/AAAAAAAAAmA/cjFYnyDH9y0ePkm2ykD5wP_2NFRPYxvxgCLcBGAs/s1600/20180730_220508.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="608" data-original-width="1456" height="133" src="https://2.bp.blogspot.com/-0uOQOksyi6w/W4Nt6au7XyI/AAAAAAAAAmA/cjFYnyDH9y0ePkm2ykD5wP_2NFRPYxvxgCLcBGAs/s320/20180730_220508.jpg" width="320" /></a></div>
<br />
We soldered it up:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-OVYSvtQ8cAo/W4NwlfYalsI/AAAAAAAAAmw/lNAXGIL55HcyF1zX8TPtHOV-MjahTT13ACLcBGAs/s1600/c033.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="654" data-original-width="1011" height="207" src="https://4.bp.blogspot.com/-OVYSvtQ8cAo/W4NwlfYalsI/AAAAAAAAAmw/lNAXGIL55HcyF1zX8TPtHOV-MjahTT13ACLcBGAs/s320/c033.jpg" width="320" /></a></div>
<br />
<br />
...but it didn't resemble the original Operation Wolf dump! The ROM was much shorter and lacked the "By_TAITO_Copration" (sic) string. We checked our archives and discovered it matched the existing Superman dump! This board was in unknown condition and we suspect someone (unsuccessfully) swapped parts trying to fix one. With the sticker worn off we didn't have a way to verify contents without doing our extraction procedure.<br />
<br />
Fortunately our donor had another chip, this time with an intact sticker:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-P-Q8_OBoyVY/W4N16muAYvI/AAAAAAAAAnI/wwij2bycr7wGlv-cN7HcOhPMos088XoKACLcBGAs/s1600/20180819_183446.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="570" data-original-width="1600" height="114" src="https://1.bp.blogspot.com/-P-Q8_OBoyVY/W4N16muAYvI/AAAAAAAAAnI/wwij2bycr7wGlv-cN7HcOhPMos088XoKACLcBGAs/s320/20180819_183446.jpg" width="320" /></a></div>
<br />
Soldered up:<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-7xojx-UkWrM/W4NuFwk78NI/AAAAAAAAAmE/HXgC5uL0chEIOWXvo1_DPZnVOaHZ0rmhgCLcBGAs/s1600/20180822_111445.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1171" data-original-width="1600" height="234" src="https://2.bp.blogspot.com/-7xojx-UkWrM/W4NuFwk78NI/AAAAAAAAAmE/HXgC5uL0chEIOWXvo1_DPZnVOaHZ0rmhgCLcBGAs/s320/20180822_111445.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-ypoO3re6ZKk/W4NuI8YFnOI/AAAAAAAAAmI/Ff9tx29L4ogLkGJrjT_j205F22MqgW_bACLcBGAs/s1600/20180822_111622.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1452" data-original-width="1340" height="320" src="https://1.bp.blogspot.com/-ypoO3re6ZKk/W4NuI8YFnOI/AAAAAAAAAmI/Ff9tx29L4ogLkGJrjT_j205F22MqgW_bACLcBGAs/s320/20180822_111622.jpg" width="295" /></a></div>
<br />
And got a good dump!<br />
<br />
This makes a total of 7 c-chips wired up:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-Tyv37V-1zXw/W4NysCSNduI/AAAAAAAAAm8/s7AxMLikIqgtHGC43pEy5e20IiqIiaXNACLcBGAs/s1600/20180826_200731.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="993" data-original-width="1600" height="198" src="https://1.bp.blogspot.com/-Tyv37V-1zXw/W4NysCSNduI/AAAAAAAAAm8/s7AxMLikIqgtHGC43pEy5e20IiqIiaXNACLcBGAs/s320/20180826_200731.jpg" width="320" /></a></div>
<br />
<br />
for a total of 6 EPROM dumps.<br />
<br />
<span style="background-color: white; color: #222222; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13.2px;">Enjoy this post? Please support us on </span><a href="https://www.patreon.com/user?u=4805718" style="background-color: white; color: #888888; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13.2px; text-decoration-line: none;">Patreon</a><span style="background-color: white; color: #222222; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13.2px;">! Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.</span>CAPS0ffhttp://www.blogger.com/profile/01614107641236756516noreply@blogger.com7tag:blogger.com,1999:blog-5831808578326311132.post-91047603309141822462018-05-23T14:13:00.003-07:002018-05-23T14:13:48.809-07:008751 close shaveIn the previous post we discussed <a href="http://caps0ff.blogspot.com/2018/05/mostly-pic16c57.html">dumping a lot of mostly PIC16C57s</a>. These also came with a pair of 8751 chips. The first being F-1 Dream (C014):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-H3PcQ0W7RG4/WveJjjxBerI/AAAAAAAAAj0/5ySOsXwkN-EXHVbXzHs1v_u-IXto7M4jACLcBGAs/s1600/IMG_20180414_172937_1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="610" data-original-width="1600" height="122" src="https://4.bp.blogspot.com/-H3PcQ0W7RG4/WveJjjxBerI/AAAAAAAAAj0/5ySOsXwkN-EXHVbXzHs1v_u-IXto7M4jACLcBGAs/s320/IMG_20180414_172937_1.jpg" width="320" /></a></div>
<br />
And the second being Breywood (C015):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-l2jMtWfdJxA/WveJqM5gFaI/AAAAAAAAAj4/daS2-DjkUyM9Uycz0plkMk5PConfysPCACLcBGAs/s1600/IMG_20180414_172937_1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="560" data-original-width="1600" height="112" src="https://1.bp.blogspot.com/-l2jMtWfdJxA/WveJqM5gFaI/AAAAAAAAAj4/daS2-DjkUyM9Uycz0plkMk5PConfysPCACLcBGAs/s320/IMG_20180414_172937_1.jpg" width="320" /></a></div>
<br />
The Breywood gold top packages are rather easy to decap as the package is simply heated up and the steel cap is lifted off:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-Q7soi5tQ-Ic/WveLtsJ6OMI/AAAAAAAAAkI/d2GmM4LMa44QFX0CADvriNXd-eZhmq9nACLcBGAs/s1600/IMG_20180414_181951.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1552" data-original-width="1580" height="314" src="https://4.bp.blogspot.com/-Q7soi5tQ-Ic/WveLtsJ6OMI/AAAAAAAAAkI/d2GmM4LMa44QFX0CADvriNXd-eZhmq9nACLcBGAs/s320/IMG_20180414_181951.jpg" width="320" /></a></div>
<br />
This was then masked and dumped with a masked UV attack <a href="http://caps0ff.blogspot.com/2016/12/8751-rampage-220-225-233-238-239.html">as done in previous posts</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-N4WK5vMkv34/WveL3rKcj-I/AAAAAAAAAkM/nmJLE-0qOOIlgySEtq9rm-oNbtlidRP2QCLcBGAs/s1600/IMG_20180414_190433.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1576" data-original-width="1572" height="320" src="https://1.bp.blogspot.com/-N4WK5vMkv34/WveL3rKcj-I/AAAAAAAAAkM/nmJLE-0qOOIlgySEtq9rm-oNbtlidRP2QCLcBGAs/s320/IMG_20180414_190433.jpg" width="319" /></a></div>
<br />
The F-1 Dream is a glass frit CERDIP which is a little trickier to decap. Glossing over details, the best technique we've come up with is to strongly heat the top to release it. This melts the glass holding it on without melting the glass holding the pins in place. However, this is a delicate operation that can go wrong in many ways.<br />
<br />
Here's the die after decap:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-UWaBnAjRlD0/WveMW_OwyCI/AAAAAAAAAkY/arM_evhIo1QOzYkZilTn7ViEmSGnla6ugCLcBGAs/s1600/IMG_20180414_190614.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1557" data-original-width="1600" height="311" src="https://4.bp.blogspot.com/-UWaBnAjRlD0/WveMW_OwyCI/AAAAAAAAAkY/arM_evhIo1QOzYkZilTn7ViEmSGnla6ugCLcBGAs/s320/IMG_20180414_190614.jpg" width="320" /></a></div>
<br />
Which was masked like on Breywood:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-1KNF6fAscks/WveMxjiEo-I/AAAAAAAAAkg/9nW0lnD8NA4uE93EBYzAjJc9ZDdIxCCCQCLcBGAs/s1600/IMG_20180414_190828.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1309" data-original-width="1600" height="261" src="https://2.bp.blogspot.com/-1KNF6fAscks/WveMxjiEo-I/AAAAAAAAAkg/9nW0lnD8NA4uE93EBYzAjJc9ZDdIxCCCQCLcBGAs/s320/IMG_20180414_190828.jpg" width="320" /></a></div>
<br />
However, the chip did not dump. Closer inspection revealed the leadframe had shifted a bit and had caused some minor bond wire damage, notably one had completely snapped. This is very hard to see in the pictures, but was easily found with a continuity test and some probing. So it was patched with some epoxy:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-ZlgzLU3ZLjc/WveNWBahCWI/AAAAAAAAAks/eswH4i9F0j8i2JfqAUj1AgScgElwkPk6ACLcBGAs/s1600/IMG_20180414_202334.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1530" data-original-width="1600" height="306" src="https://3.bp.blogspot.com/-ZlgzLU3ZLjc/WveNWBahCWI/AAAAAAAAAks/eswH4i9F0j8i2JfqAUj1AgScgElwkPk6ACLcBGAs/s320/IMG_20180414_202334.jpg" width="320" /></a></div>
<br />
Even after this, dumps were very flaky. We got a few decent looking dumps but they started getting worse. We suspected bad pin connections and tried to clean up the chip a bit more. However, on closer inspection we noticed microfractures on the die:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-h_l6eZek72M/WwGuhHf1P9I/AAAAAAAAAlc/z9NvNIbuMu4GIiHIewz6gPW_fA6gG73ogCLcBGAs/s1600/snapshot_002_mark_big.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="493" data-original-width="690" height="285" src="https://2.bp.blogspot.com/-h_l6eZek72M/WwGuhHf1P9I/AAAAAAAAAlc/z9NvNIbuMu4GIiHIewz6gPW_fA6gG73ogCLcBGAs/s400/snapshot_002_mark_big.jpg" width="400" /></a></div>
<br />
So, it seems that we narrowly got this chip dumped before it stopped working. We could have potentially patched some of these up, but this would have gotten complicated quickly.<br />
<br />
What happened? In the past we had pre-heated the chip / workholder for longer, but this time we didn't wait quite as long. We suspect that the chip cooled faster than expected, causing the microfractures. All's well that ends well, we suppose, but it's a lesson for the future to be more conservative with these parts.<br />
<br /><span style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13.2px;">Enjoy this post? Please </span><a href="https://www.patreon.com/user?u=4805718" style="background-color: white; color: #888888; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13.2px; text-decoration-line: none;">support us on Patreon</a><span style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13.2px;">! Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.</span>CAPS0ffhttp://www.blogger.com/profile/01614107641236756516noreply@blogger.com0tag:blogger.com,1999:blog-5831808578326311132.post-45317143141632373062018-05-07T17:23:00.000-07:002018-05-08T11:35:14.987-07:00Mostly PIC16C57We were recently sent 8 "PIC16C57s" from:<br />
<ul>
<li>High Seas Havoc (403/C013)</li>
<li>Wargods (U69, C020)</li>
<li>MACE (U96, C021)</li>
<li>Carnevil (U96, C022)</li>
<li>BioFreaks (C023)</li>
<li>Gauntlet Dark Legacy (C024)</li>
<li>Gauntlet (U37, C025)</li>
<li>Blitz 99 (U96, C026)</li>
</ul>
<br />
Here are the packages:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-BMpte0NdQMk/WtTm6buo3WI/AAAAAAAAAhg/jp3f6rtO4GIPv1fd5fszxFM7Jqf-0qSPgCLcBGAs/s1600/IMG_20180415_111736.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="694" data-original-width="1600" height="138" src="https://3.bp.blogspot.com/-BMpte0NdQMk/WtTm6buo3WI/AAAAAAAAAhg/jp3f6rtO4GIPv1fd5fszxFM7Jqf-0qSPgCLcBGAs/s320/IMG_20180415_111736.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-e8gFh0vp4Tg/WtTm6fnoKvI/AAAAAAAAAhk/zScKgqLVjdMJ5V8ZWkZ7__329JUHthjUgCLcBGAs/s1600/IMG_20180415_112116.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="804" data-original-width="1600" height="160" src="https://3.bp.blogspot.com/-e8gFh0vp4Tg/WtTm6fnoKvI/AAAAAAAAAhk/zScKgqLVjdMJ5V8ZWkZ7__329JUHthjUgCLcBGAs/s320/IMG_20180415_112116.jpg" width="320" /></a></div>
<br />
First, note the upper left chip (BioFreaks):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-nfebIv1qbhw/WtTnM_3PoBI/AAAAAAAAAho/7TOwmNacRc01jqB8_6aKQLlSQS9b4FCmgCLcBGAs/s1600/pic16f57.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="424" data-original-width="867" height="156" src="https://2.bp.blogspot.com/-nfebIv1qbhw/WtTnM_3PoBI/AAAAAAAAAho/7TOwmNacRc01jqB8_6aKQLlSQS9b4FCmgCLcBGAs/s320/pic16f57.jpg" width="320" /></a></div>
<br />
Hmm, that's not a PIC16C57 but rather a PIC16F57. We decapped a sample and it's a much finer process technology than we've dealt with so far. This one's been shelved for now in favor of easier targets.<br />
<br />
Next, note the lower left chip (High Seas Havoc (HSH)):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-iGukuWtww7M/WtTnxKutRaI/AAAAAAAAAh4/089hIxuFMKkNXeCJ6BBeUQGPPK5OJPGsACLcBGAs/s1600/high_seas.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="465" data-original-width="913" height="162" src="https://1.bp.blogspot.com/-iGukuWtww7M/WtTnxKutRaI/AAAAAAAAAh4/089hIxuFMKkNXeCJ6BBeUQGPPK5OJPGsACLcBGAs/s320/high_seas.jpg" width="320" /></a></div>
<br />
The marking has been removed, but this is allegedly a PIC16C57. We popped it into a reader and it spit back a scrambled (protected) dump, so this was plausible.<br />
<br />
Here are most (Gauntlet Dark Legacy not shown) of the PIC16C57s after decapping and masking:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-wOduMQswMLw/Wuv3rxp_fhI/AAAAAAAAAjU/odnbBmbA6n036Xls24whD4eeE6HOr-m3QCLcBGAs/s1600/IMG_20180503_224129.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1296" data-original-width="1568" height="264" src="https://2.bp.blogspot.com/-wOduMQswMLw/Wuv3rxp_fhI/AAAAAAAAAjU/odnbBmbA6n036Xls24whD4eeE6HOr-m3QCLcBGAs/s320/IMG_20180503_224129.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-Uj5DNZnJMhw/Wuv3vkybGCI/AAAAAAAAAjY/UL7sxn-3Lx48gS0tZjSMebWRazvQq1H1wCLcBGAs/s1600/IMG_20180503_224544.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1150" data-original-width="1600" height="229" src="https://2.bp.blogspot.com/-Uj5DNZnJMhw/Wuv3vkybGCI/AAAAAAAAAjY/UL7sxn-3Lx48gS0tZjSMebWRazvQq1H1wCLcBGAs/s320/IMG_20180503_224544.jpg" width="320" /></a></div>
<br />
These were dumped <a href="http://caps0ff.blogspot.com/2017/01/conquering-pic16c57-234-241-242.html">as done in previous posts</a>. Here's Wargods close up:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-I2RSRj0P2Os/Wuv37k-EGrI/AAAAAAAAAjg/43QflZEwz4ERvcDUakamt3SD2DlIvC7DQCLcBGAs/s1600/IMG_20180503_224756.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1568" height="320" src="https://4.bp.blogspot.com/-I2RSRj0P2Os/Wuv37k-EGrI/AAAAAAAAAjg/43QflZEwz4ERvcDUakamt3SD2DlIvC7DQCLcBGAs/s320/IMG_20180503_224756.jpg" width="313" /></a></div>
<br />
Next, you'll notice there are only 6 chips left of the original 8. In addition to BioFreaks, HSH was in fact not a PIC16C57. Additionally, its wires were a bit higher and got trimmed during decap:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-JdIQtGQOMos/WtTo76AJDeI/AAAAAAAAAiE/PHsOeof32hc0gYOjM90ATHLJeZDKSXYlwCLcBGAs/s1600/IMG_20180415_164955.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1277" data-original-width="1600" height="255" src="https://4.bp.blogspot.com/-JdIQtGQOMos/WtTo76AJDeI/AAAAAAAAAiE/PHsOeof32hc0gYOjM90ATHLJeZDKSXYlwCLcBGAs/s320/IMG_20180415_164955.jpg" width="320" /></a></div>
<br />
While it's not a PIC16C57, it does look close, basically just with a smaller EPROM. It looks to be about 1/4 the size of the PIC16C57's EPROM (2K), so let's say it's probably 512 words. There are two members of the PIC16C5X family with 512 words: PIC16C54 and PIC16C55. The PIC16C54 doesn't come in DIP28, so it's probably a PIC16C55.<br />
<br />
Fortunately we had a PIC16C55 on hand:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-dgfKoxSudzE/WtTvlQ4n4LI/AAAAAAAAAi4/6aO_f_GT7Uwrd8ppXfjSSM3EVUFGgut4wCLcBGAs/s1600/IMG_20180416_001438.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="582" data-original-width="1600" height="116" src="https://2.bp.blogspot.com/-dgfKoxSudzE/WtTvlQ4n4LI/AAAAAAAAAi4/6aO_f_GT7Uwrd8ppXfjSSM3EVUFGgut4wCLcBGAs/s320/IMG_20180416_001438.jpg" width="320" /></a></div>
<br />
Here's the identifying info on HSH:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/--ELmFj1Blv8/WtTp80SigbI/AAAAAAAAAiQ/aUhGKJ6cWrwk5Rd73xo6b_bvu4XnvASRACLcBGAs/s1600/IMG_20180415_170331.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1495" height="320" src="https://2.bp.blogspot.com/--ELmFj1Blv8/WtTp80SigbI/AAAAAAAAAiQ/aUhGKJ6cWrwk5Rd73xo6b_bvu4XnvASRACLcBGAs/s320/IMG_20180415_170331.jpg" width="299" /></a></div>
<br />
And here's a PIC16C55 sample:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-uuCk6kjldRI/WtTqAyb3D9I/AAAAAAAAAiU/n05GGkiteKAJHyUf3zDRzxDqwb4VvtjGgCLcBGAs/s1600/IMG_20180415_190434.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1525" height="320" src="https://2.bp.blogspot.com/-uuCk6kjldRI/WtTqAyb3D9I/AAAAAAAAAiU/n05GGkiteKAJHyUf3zDRzxDqwb4VvtjGgCLcBGAs/s320/IMG_20180415_190434.jpg" width="305" /></a></div>
<br />
Odd...the die ID matches but the masks don't completely match. After some discussion, we decided this was close enough to proceed. The main concern is that the PIC16C55A has some more sophisticated protection that might be problematic if we tried a simple UV attack. However, HSH has a 1988 copyright, and the sample has a 1988 copyright as well. Additionally, we know that the PIC16C57C was a big redesign over the PIC16C57. So all the evidence points to this really being a PIC16C55 despite the different masks.<br />
<br />
We secured a sample and applied a mask:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-tCipc_tT0N0/WtTvcqhkb8I/AAAAAAAAAiw/xTW1avK0ClEt9BCceIRcblPEvrogbR0DQCLcBGAs/s1600/IMG_20180415_193201.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1560" data-original-width="1600" height="311" src="https://4.bp.blogspot.com/-tCipc_tT0N0/WtTvcqhkb8I/AAAAAAAAAiw/xTW1avK0ClEt9BCceIRcblPEvrogbR0DQCLcBGAs/s320/IMG_20180415_193201.jpg" width="320" /></a></div>
<br />
Which after 15 minutes or so of UV erasing had lost its protection but retained the original data.<br />
<br />
Next we mended the broken wires. When we <a href="http://caps0ff.blogspot.com/2016/12/taking-down-45-tatakae-big-fighter.html">fixed similar chips in the past</a>, we installed new wires. Here, however, the wires are mostly intact; they just need some bridging. So instead of adding wires, we carefully added conductive epoxy tracks to bridge them back together:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-5qSueM0jZow/WtTunnUra7I/AAAAAAAAAik/Ce2W2cwdudwR1VBULI3z7X2uDrdCKBTyACLcBGAs/s1600/IMG_20180415_231509.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1232" data-original-width="1600" height="246" src="https://2.bp.blogspot.com/-5qSueM0jZow/WtTunnUra7I/AAAAAAAAAik/Ce2W2cwdudwR1VBULI3z7X2uDrdCKBTyACLcBGAs/s320/IMG_20180415_231509.jpg" width="320" /></a></div>
<br />
Here the nail polish is being used to keep the wires from breaking as they get pushed around, and also to keep the epoxy from shorting out against the edge of the die (see the lower left connection for example). This passed continuity and gave the same scrambled output we saw before decap.<br />
<br />
We then added additional masking to fully cover the EPROM:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-5M9JqWiYM2M/WtTvJRPrxEI/AAAAAAAAAis/ErSKoU8ZYzA29uBhAN4l39WS7tSE5o0SgCLcBGAs/s1600/IMG_20180415_232157.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1458" data-original-width="1600" height="291" src="https://2.bp.blogspot.com/-5M9JqWiYM2M/WtTvJRPrxEI/AAAAAAAAAis/ErSKoU8ZYzA29uBhAN4l39WS7tSE5o0SgCLcBGAs/s320/IMG_20180415_232157.jpg" width="320" /></a></div>
<br />
After 15 minutes of UV erasing we were able to retrieve the ROM.<br />
<br />
Finally, a few small updates on works in progress:<br />
<br />
<ul>
<li>Taito C-Chip: we've dumped all samples we have except Operation Wolf (partial dump only). We have a spare chip in hand but we'd like to try a bit more to extract one of the existing decaps first</li>
<li>Contact mask ROMs (TGP + MCS48 such as Great Swordsman): general consensus is that the TGP captures are mostly acceptable, but the MCS48 captures are too noisy. We've briefly explored a few alternate capture techniques to improve accuracy, but haven't found something we are satisfied with yet</li>
<li>Altera FPGAs: we've been unable to identify the specific chip used for 79/80 based on samples we've procured. Reach out if you have interest in this / think you might have something to contribute</li>
<li>As the number of chips that can be trivially dumped dwindles, we are evaluating new analysis techniques. Some of these updates may be less frequent, but the write ups should be more involved</li>
</ul>
<div>
<br /></div>
Enjoy this post? Please <a href="https://www.patreon.com/user?u=4805718">support us on Patreon</a>! Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.<br />
<br />
Taito C-Chip: data by lobotomy (CAPS0ff, 2018-03-10)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-PjTtlrSN3Ko/Wp2kzWS3oyI/AAAAAAAAAfw/7BCJWDgKnh4IhYjOp7adm8hnUN91iuJ-gCLcBGAs/s1600/IMG_20170709_133450.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1033" data-original-width="1600" height="206" src="https://3.bp.blogspot.com/-PjTtlrSN3Ko/Wp2kzWS3oyI/AAAAAAAAAfw/7BCJWDgKnh4IhYjOp7adm8hnUN91iuJ-gCLcBGAs/s320/IMG_20170709_133450.jpg" width="320" /></a></div>
<br />
In a <a href="http://caps0ff.blogspot.com/2017/10/looking-inside-taito-c-chip.html">previous post</a> we described some early attempts to analyze the Taito C-Chip. See <a href="http://www.mameworld.info/ubbthreads/showthreaded.php?Cat=&Number=370681&page=&view=&sb=5&o=&fpart=1&vc=1">Haze's forum post</a> for some background on the C-Chip itself.<br />
<br />
In particular we're interested in the EPROM. Previous efforts focused on less invasive techniques with the goal of keeping the C-Chip alive after dumping. Unfortunately, we've been unable to successfully send an unlock command and efforts to rebond the EPROM die have been difficult with the equipment we have on hand.<br />
<br />
With this in mind, we took a break to regroup. If we remove the ASIC we can solder to PCB traces shared with the EPROM. Traces are documented in our wiring diagram:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-5qfiX0FH3K0/Wp2zMgSLFbI/AAAAAAAAAg4/Okfmz9CQY-ME7BIXAlBol2Q8Vmgv5G2_QCLcBGAs/s1600/overview.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="521" data-original-width="1417" height="146" src="https://4.bp.blogspot.com/-5qfiX0FH3K0/Wp2zMgSLFbI/AAAAAAAAAg4/Okfmz9CQY-ME7BIXAlBol2Q8Vmgv5G2_QCLcBGAs/s400/overview.jpg" width="400" /></a></div>
<br />
Which allows us to make an attack (soldering) plan:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-9SZekjhoSe8/Wp2i4JQ2vbI/AAAAAAAAAfY/8VvvU28fZQIqu46lKHhOAzXgx5AA0GZKwCLcBGAs/s1600/plan_out.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="366" data-original-width="1000" height="145" src="https://2.bp.blogspot.com/-9SZekjhoSe8/Wp2i4JQ2vbI/AAAAAAAAAfY/8VvvU28fZQIqu46lKHhOAzXgx5AA0GZKwCLcBGAs/s400/plan_out.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-EvmIlBUPz1I/Wp2i9N_XzmI/AAAAAAAAAfc/6l8AoNrcvwoILqDhnHMYwehpEgaMBCHvgCLcBGAs/s1600/plan_zoom.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="812" data-original-width="852" height="304" src="https://4.bp.blogspot.com/-EvmIlBUPz1I/Wp2i9N_XzmI/AAAAAAAAAfc/6l8AoNrcvwoILqDhnHMYwehpEgaMBCHvgCLcBGAs/s320/plan_zoom.jpg" width="320" /></a></div>
<br />
The basic idea is to mill and etch away the purple masked area to expose the PCB. Then, solder wires as indicated by the green dots.<br />
<br />
A few issues, but nothing too bad. First, this requires removing the ASIC to have enough room to work. As there is not a reliable way to safely remove it (or easily put it back for that matter), this means killing the module. Second, the PCB traces are roughly 6 mil (ie 0.006" => 0.15 mm) wide at roughly 12 mil (0.3 mm) pitch. These are non-trivial to solder, although they don't require as much precision <a href="http://caps0ff.blogspot.com/2016/12/taking-down-45-tatakae-big-fighter.html">as hand wire bonding</a> (roughly 0.1 mm pads at 0.2 mm pitch). Sort of like soldering a bunch of "0201" size resistors in close proximity.<br />
<br />
Let's get started. First, take a C-Chip:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-B89SObJiC0s/Wp2q_oGBSbI/AAAAAAAAAgE/LAgXS0-LvyoJR_AAyzAi0h587aWGPx8-QCLcBGAs/s1600/IMG_9710_2018-03-04.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="601" data-original-width="1600" height="120" src="https://1.bp.blogspot.com/-B89SObJiC0s/Wp2q_oGBSbI/AAAAAAAAAgE/LAgXS0-LvyoJR_AAyzAi0h587aWGPx8-QCLcBGAs/s320/IMG_9710_2018-03-04.jpg" width="320" /></a></div>
<br />
Mill it to near PCB:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-VR__M8Meq0A/Wp2vcbZpcrI/AAAAAAAAAgY/IkY_e-eJoEYupt8NOSaz5wZu6X8jQ9U5wCLcBGAs/s1600/IMG_20180304_140143.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1509" height="320" src="https://4.bp.blogspot.com/-VR__M8Meq0A/Wp2vcbZpcrI/AAAAAAAAAgY/IkY_e-eJoEYupt8NOSaz5wZu6X8jQ9U5wCLcBGAs/s320/IMG_20180304_140143.jpg" width="301" /></a></div>
<br />
We went about 2.5 mils down at a time until the ASIC paddle just started to show. You can see bits of shattered die clinging to the paddle corners.<br />
<br />
Then use acid to fully expose PCB:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-tH1bVKB6Vr8/Wp2vjX16PVI/AAAAAAAAAgc/2zuota2N_6I5PIsTjH_8gSGrOig4tNf8wCLcBGAs/s1600/IMG_20180304_142715_1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1577" data-original-width="1600" height="315" src="https://1.bp.blogspot.com/-tH1bVKB6Vr8/Wp2vjX16PVI/AAAAAAAAAgc/2zuota2N_6I5PIsTjH_8gSGrOig4tNf8wCLcBGAs/s320/IMG_20180304_142715_1.jpg" width="320" /></a></div>
<br />
Next tin areas where we'll make connections:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-dFj1Llsdxcs/Wp2vs5QhzXI/AAAAAAAAAgg/uz-5AByoAx4HCUl2NDq1dU4fyomn-3eugCLcBGAs/s1600/IMG_20180304_172519.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1427" data-original-width="1600" height="285" src="https://2.bp.blogspot.com/-dFj1Llsdxcs/Wp2vs5QhzXI/AAAAAAAAAgg/uz-5AByoAx4HCUl2NDq1dU4fyomn-3eugCLcBGAs/s320/IMG_20180304_172519.jpg" width="320" /></a></div>
<br />
Now mount to protoboard:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-q4WGNyX6Rps/Wp2rLgzoV-I/AAAAAAAAAgI/iT3aQjJgMK0eISShpLkP5y3IbhurLn4twCLcBGAs/s1600/IMG_9714_2018-03-04.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1133" data-original-width="1600" height="226" src="https://1.bp.blogspot.com/-q4WGNyX6Rps/Wp2rLgzoV-I/AAAAAAAAAgI/iT3aQjJgMK0eISShpLkP5y3IbhurLn4twCLcBGAs/s320/IMG_9714_2018-03-04.jpg" width="320" /></a></div>
<br />
And wire up:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-EPZZx-8iVys/Wp3AEQXOJeI/AAAAAAAAAhI/P7DS-5UlUBE_g3vSoUilbBeUfFMwL02EgCLcBGAs/s1600/IMG_20180305_134123.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1460" data-original-width="1600" height="292" src="https://1.bp.blogspot.com/-EPZZx-8iVys/Wp3AEQXOJeI/AAAAAAAAAhI/P7DS-5UlUBE_g3vSoUilbBeUfFMwL02EgCLcBGAs/s320/IMG_20180305_134123.jpg" width="320" /></a></div>
<br />
Which successfully dumped the EPROM!<br />
<br />
A little hard to measure, but it takes roughly 3 hours per module using this technique. We've definitely gotten better at soldering since starting this project.<br />
<br />
To date we've dumped Volfied, Superman, and Bonze Adventure (not shown):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-PzIG6gLfnik/Wp2v_I9m_YI/AAAAAAAAAgk/K09X4YwogeMJ1pIYoNdPa2AYhNMrxoXrACLcBGAs/s1600/IMG_9791.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1545" height="320" src="https://2.bp.blogspot.com/-PzIG6gLfnik/Wp2v_I9m_YI/AAAAAAAAAgk/K09X4YwogeMJ1pIYoNdPa2AYhNMrxoXrACLcBGAs/s320/IMG_9791.jpg" width="309" /></a></div>
<br />
Volfied (top) was our first attempt and has the CPU removed due to some early issues getting a dump. We thought the CPU might have been driving some control lines, but it turned out to actually be some solder debris shorting out the power rails. Surprisingly our programmer didn't generate any error messages (over current, continuity, etc).<br />
<div>
<br /></div>
We have a few more chips in the pipeline that we expect to finish over the next couple of weeks. We're still figuring out which chips, if any, we still need to source to cover all known games.<br />
<br />
We've also continued to think about the best ways to keep the module alive. There are still a few options, like decapping the area between the dies and using a laser cutter to isolate the EPROM control lines from the ASIC. This is a little riskier though, as we might accidentally sever a bond wire or corrode EPROM pads. For example, if any solder crept onto a bond wire it would dissolve the gold, severing the connection.<br />
<br />
Finally, what about keeping the PCBs alive after the C-Chip lobotomy? At this point we're thinking the best option is to design a C-Chip compatible module. We know the CPU, have the firmware, and have a reasonable understanding of how the ASIC works. We suspect that with a little fiddling one should be able to figure out the remaining details. That said, we'd like to focus on extracting data rather than repairing PCBs. So this may be left as an exercise to the reader.<br />
<br />
<div style="height: 0px;">
Enjoy this post? Please <a href="https://www.patreon.com/user?u=4805718" style="color: #888888; text-decoration-line: none;">support us on Patreon</a>! Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.</div>
EDIT: Rainbow Islands dumped!<br />
<br />
Decap C016: GMS' MJ-DFMJ (PIC16F84) (CAPS0ff, 2018-02-14)<br />
<div class="separator" style="clear: both; text-align: left;">
We <a href="http://www.mameworld.info/ubbthreads/showflat.php?Cat=&Number=371423&page=0&view=expanded&sb=5&o=&vc=1">got this PCB</a>:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-2yVrhbhpdlU/Wn6oxSck2aI/AAAAAAAAAdI/v9gGVBQctHkjpPNJR_zysXFjTUAagHATgCLcBGAs/s1600/IMG_20180131_221220_crop.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1127" data-original-width="1600" height="225" src="https://3.bp.blogspot.com/-2yVrhbhpdlU/Wn6oxSck2aI/AAAAAAAAAdI/v9gGVBQctHkjpPNJR_zysXFjTUAagHATgCLcBGAs/s320/IMG_20180131_221220_crop.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Sounds like there's some debate as to what this game is called, and we couldn't find much info elsewhere about it either. The EPROMs have "MJ-DFMJ" stickers, so we're rolling with that for now.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
It has a secured PIC16F84 here:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-ezf8Rx4XpBU/Wn6l_eH46hI/AAAAAAAAAc8/eIm9OCoyEmkvvPReDKuJ1QxuCBayOt0kwCLcBGAs/s1600/IMG_20180131_221322.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="900" data-original-width="1600" height="180" src="https://4.bp.blogspot.com/-ezf8Rx4XpBU/Wn6l_eH46hI/AAAAAAAAAc8/eIm9OCoyEmkvvPReDKuJ1QxuCBayOt0kwCLcBGAs/s320/IMG_20180131_221322.jpg" width="320" /></a></div>
<br />
A sample PIC16F84 was decapped to yield:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-5jAPPcyL1C4/Wn6pMPEx0nI/AAAAAAAAAdM/SePntOuyUGM48Fczp5wIzUJDI9E3He7aQCLcBGAs/s1600/thumb.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="755" data-original-width="645" height="320" src="https://1.bp.blogspot.com/-5jAPPcyL1C4/Wn6pMPEx0nI/AAAAAAAAAdM/SePntOuyUGM48Fczp5wIzUJDI9E3He7aQCLcBGAs/s320/thumb.jpg" width="273" /></a></div>
<br />
With the main memory areas as:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-MUrEtpYLWps/Wn8Xe8k4kRI/AAAAAAAAAd4/_mvEQUyDxqMDosm9cOLly0QDXxSOBN1bACLcBGAs/s1600/thumb_mark2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="755" data-original-width="645" height="320" src="https://2.bp.blogspot.com/-MUrEtpYLWps/Wn8Xe8k4kRI/AAAAAAAAAd4/_mvEQUyDxqMDosm9cOLly0QDXxSOBN1bACLcBGAs/s320/thumb_mark2.jpg" width="273" /></a></div>
<br />
We then live decapped a few:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-4v1cIdCuzt8/Wn_M4xvPBCI/AAAAAAAAAek/KvbteKtBrUsjYw61EJ4u9n2AsdrIX-xNACLcBGAs/s1600/pic_decap.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="564" data-original-width="210" height="320" src="https://3.bp.blogspot.com/-4v1cIdCuzt8/Wn_M4xvPBCI/AAAAAAAAAek/KvbteKtBrUsjYw61EJ4u9n2AsdrIX-xNACLcBGAs/s320/pic_decap.jpg" width="119" /></a></div>
<br />
And put them into a UV EPROM eraser, but while the flash and EEPROM were erased, the security fuse was not. No dice using angled erasure either, even with varying angles and long erasure times.<br />
<br />
Time to regroup. Where are the fuses on the die? These seem like a good candidate:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-tnD-LJOo8a0/Wn6rVgWIYdI/AAAAAAAAAds/9BxW3VaBbpYbuQd_rMPuYFqz-KmbSGD5QCEwYBhgL/s1600/fuses.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="205" data-original-width="461" height="142" src="https://1.bp.blogspot.com/-tnD-LJOo8a0/Wn6rVgWIYdI/AAAAAAAAAds/9BxW3VaBbpYbuQd_rMPuYFqz-KmbSGD5QCEwYBhgL/s320/fuses.jpg" width="320" /></a></div>
<br />
Such that the metal rectangles are shielding. The configuration area corresponds to 4 × 14-bit (56 bits total) user configurable words and 1 general configuration word that's either 4 or 14 bits depending on how literally you interpret the datasheet. The left grouping has 6 * 8 rectangles above and 2 * 3 rectangles below = 54. Close, but not quite right. This area is still plausible if you count adjacent rectangles, but more likely these are capacitors for an ADC or something of that sort.<br />
<br />
But not to worry. Part of the reason we agreed to do this part is that there are several known attacks against it. First, there are <a href="http://www.cl.cam.ac.uk/~sps32/mcu_lock.html">voltage glitching attacks</a>. Second, the same author also mentions that PIC16F84 is <a href="https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.pdf">vulnerable to optical glitching</a> (pg 104): "The light from the 20 W halogen bulb installed inside our probing station microscope’s illuminator".<br />
<br />
Optical glitching is somewhat straightforward to try out, so we started with that. One risk with optical glitching though is that it can cause the chip to latch up (short out), destroying it. Fortunately we have a high end programmer that cuts power if it detects unusual power draw. Anyway, first a sample chip was decapped live. Then we enabled protection and started repeatedly reading the chip. At the same time we shined a red 5 mW laser pointer randomly across the die and observed the responses. Unfortunately, this didn't do much...maybe gave a few bad reads. However, we re-tried with a green 5 mW laser pointer and got it to dump its contents despite being protected!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-KvVwYf9QDdA/Wn_N2KN7sNI/AAAAAAAAAew/ECWIQk5pOAcy4udrggJsnCsqOZTlGiJmACLcBGAs/s1600/roi_ht.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1044" data-original-width="1184" height="282" src="https://1.bp.blogspot.com/-KvVwYf9QDdA/Wn_N2KN7sNI/AAAAAAAAAew/ECWIQk5pOAcy4udrggJsnCsqOZTlGiJmACLcBGAs/s320/roi_ht.jpg" width="320" /></a></div>
<br />
Unfortunately, this was really hard to reproduce. Fortunately Tim the Toolman Taylor taught us the solution to every problem: MORE POWER! We switched to a 200 mW 650 nm red laser and got more reliable dumps.<br />
<br />
We were able to roughly narrow it down to the lower right of the die (relative to above images) but for various reasons decided to get more specific information. Targeting a region also reduces the chances of latchup, although tests showed that the programmer was sufficiently protecting against everything we tried.<br />
<br />
Towards that goal we put the sample on our microscope XY stage and tried to trigger glitches using its illuminator. Unfortunately, we were unable to get any responses at all, protection or otherwise. However, we know the high power red laser works reliably. So we mounted it to the microscope XY stage and recorded responses. This roughly gave:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/--UYEbJ0OEd0/Wn8n-XQp0QI/AAAAAAAAAeI/zUjtKgPG0J0LXQCOnYoOdXyptoG-c6-mACLcBGAs/s1600/pic16f84_overlay.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="708" data-original-width="605" height="320" src="https://4.bp.blogspot.com/--UYEbJ0OEd0/Wn8n-XQp0QI/AAAAAAAAAeI/zUjtKgPG0J0LXQCOnYoOdXyptoG-c6-mACLcBGAs/s320/pic16f84_overlay.jpg" width="273" /></a></div>
Where:<br />
<ul>
<li>Red: power out of spec / overcurrent shutdown</li>
<li>Green: protection disabled</li>
<li>Gray (hard to see): no response</li>
<li>The left and bottom (beyond the red/gray) are not entirely in the scan</li>
</ul>
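The scan above as data: an added example, not code from the post, that turns a recorded XY-stage scan into the same three-class overlay (red / green / gray) and locates the protection-sensitive region. The log format, coordinates and programmer results are all constructed for illustration.

```python
"""Added example (not from the Caps0ff post): build the glitch-scan overlay
from a recorded log of stage positions and programmer responses.

The log format and all values below are constructed. The three classes
follow the post's legend: overcurrent shutdown (R, red), protection
disabled (G, green) and no response (., gray)."""
from collections import Counter

# Constructed scan log: one line per stage position and read attempt.
# Columns: x_step, y_step, programmer result. A position can repeat.
SCAN_LOG = """\
0 0 no_response
1 0 no_response
2 0 overcurrent
3 0 overcurrent
0 1 no_response
1 1 dump_ok
2 1 dump_ok
3 1 overcurrent
0 2 no_response
1 2 dump_ok
2 2 dump_ok
3 2 no_response
0 3 no_response
1 3 no_response
2 3 dump_ok
3 3 no_response
1 2 no_response
"""

# Programmer result -> overlay class
CLASSES = {"overcurrent": "R", "dump_ok": "G", "no_response": "."}


def parse_scan(log):
    """Parse log lines into {(x, y): Counter(class)}.

    Positions are often sampled more than once, so keep per-class counts
    instead of overwriting earlier results."""
    hits = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        x, y, result = line.split()
        cls = CLASSES.get(result)
        if cls is None:
            raise ValueError(f"unknown programmer result: {result!r}")
        hits.setdefault((int(x), int(y)), Counter())[cls] += 1
    return hits


def classify(counter):
    """Pick one class for a position. Red wins: any overcurrent event means
    the beam drove the part out of spec there. Green is reported only for
    spots that unlocked and never tripped the supply; otherwise gray."""
    if counter["R"]:
        return "R"
    if counter["G"]:
        return "G"
    return "."


def build_overlay(log):
    """Return (grid, bbox). grid is a list of strings, one per y row (y
    increasing downwards); bbox is (xmin, ymin, xmax, ymax) of the green
    region, or None if nothing unlocked."""
    hits = parse_scan(log)
    xs = [x for x, _ in hits]
    ys = [y for _, y in hits]
    grid, green = [], []
    for y in range(min(ys), max(ys) + 1):
        row = []
        for x in range(min(xs), max(xs) + 1):
            c = classify(hits.get((x, y), Counter()))
            if c == "G":
                green.append((x, y))
            row.append(c)
        grid.append("".join(row))
    bbox = None
    if green:
        bbox = (min(x for x, _ in green), min(y for _, y in green),
                max(x for x, _ in green), max(y for _, y in green))
    return grid, bbox


if __name__ == "__main__":
    overlay, region = build_overlay(SCAN_LOG)
    print("\n".join(overlay))
    print("protection-sensitive region (x0, y0, x1, y1):", region)
```

For a chip designer the same map is the useful artefact: it shows which part of the die needs a light sensor or shielding, and how close the latch-up (red) zone sits to the unlocking (green) zone.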
<div>
Close up of this region:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-zSP8DYgJZt4/Wn8rtVV3SBI/AAAAAAAAAeU/_4cN23JekzoFbx8rQ09HWJDD-CuAiMUXQCLcBGAs/s1600/fuses2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="705" data-original-width="1120" height="201" src="https://1.bp.blogspot.com/-zSP8DYgJZt4/Wn8rtVV3SBI/AAAAAAAAAeU/_4cN23JekzoFbx8rQ09HWJDD-CuAiMUXQCLcBGAs/s320/fuses2.jpg" width="320" /></a></div>
<div>
<br /></div>
<div>
There are 14 repeated units, so it's plausible this is the configuration word. Presumably shining the laser here forces the entire configuration word to all 1's, unlocking the chip.</div>
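Why all 1's unlocks the part, as an added example that is not from the post: a small decoder for the PIC16F84 configuration word. The bit layout is my reading of the PIC16F84 datasheet rather than anything the post states, and the "as shipped" word is constructed.

```python
"""Added example (not from the Caps0ff post): decode a PIC16F84
configuration word and show what driving every latch to 1 does to it.

Bit layout assumed from the PIC16F84 datasheet (check it yourself):
bits 13..4 are copies of CP (code protect, 1 = protection OFF),
bit 3 is /PWRTE (0 = power-up timer enabled), bit 2 is WDTE,
bits 1..0 are FOSC. 0x3FFF is the erased/blank state."""

CONFIG_MASK = 0x3FFF   # the configuration word is 14 bits wide
CP_MASK = 0x3FF0       # bits 13..4, all copies of the CP bit
FOSC_NAMES = {0b00: "LP", 0b01: "XT", 0b10: "HS", 0b11: "RC"}


def decode_config(word):
    """Return a dict describing a 14-bit PIC16F84 configuration word."""
    if word & ~CONFIG_MASK:
        raise ValueError(f"{word:#x} does not fit in 14 bits")
    cp_bits = (word & CP_MASK) >> 4
    if cp_bits not in (0, 0x3FF):
        # The CP copies are expected to agree. A mixed value is what a
        # partial fault would leave behind, so refuse to guess.
        raise ValueError(f"inconsistent CP bits: {cp_bits:#05x}")
    return {
        "code_protect": cp_bits == 0,             # 0 = protected, 1 = off
        "power_up_timer": not ((word >> 3) & 1),  # /PWRTE is active low
        "watchdog": bool((word >> 2) & 1),
        "fosc": FOSC_NAMES[word & 0b11],
    }


def glitched_to_ones(word):
    """Model the fault the post describes: every configuration latch
    reads as 1 regardless of what was programmed."""
    return word | CONFIG_MASK


# Constructed "as shipped" word: CP on, power-up timer on, WDT off, HS osc.
PROTECTED = 0x0002


def demo():
    """Code-protect state before and after the modelled fault."""
    before = decode_config(PROTECTED)["code_protect"]
    after = decode_config(glitched_to_ones(PROTECTED))["code_protect"]
    return before, after


if __name__ == "__main__":
    print(decode_config(PROTECTED))
    print(decode_config(glitched_to_ones(PROTECTED)))
```

The design lesson is that the "protection off" value coincides with the erased, all-ones latch state, so any fault that pulls the latches high fails open; a scheme that required a specific non-trivial pattern to mean "unlocked" would not.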
<div>
<br /></div>
With this in mind we decapped the real PIC16F84 and repeated the attack, successfully dumping its flash and EEPROM. Victory!<br />
<br />
We also did a few follow up experiments. First, we added neutral density filters to the high power red laser, attenuating the beam by 64x (ie <5 mW), and were still able to dump. Second, we re-tried microscope illumination glitching and were able to get this region to glitch:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-nr0QCXluMms/Wn_XPNdidtI/AAAAAAAAAfA/ZFnIYOqVvj4lhhv5Ud8jhSL6aCiy5dSUgCLcBGAs/s1600/IMG_20180210_163518.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1531" height="320" src="https://4.bp.blogspot.com/-nr0QCXluMms/Wn_XPNdidtI/AAAAAAAAAfA/ZFnIYOqVvj4lhhv5Ud8jhSL6aCiy5dSUgCLcBGAs/s320/IMG_20180210_163518.jpg" width="306" /></a></div>
<br />
Which is in this area:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-Mjhndm9-OSA/Wn_XTmVDeUI/AAAAAAAAAfE/NKSVHyuFhkgIy_zLE-l6wlDTqZx5SmN-QCLcBGAs/s1600/IMG_20180210_163605.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1556" data-original-width="1600" height="311" src="https://3.bp.blogspot.com/-Mjhndm9-OSA/Wn_XTmVDeUI/AAAAAAAAAfE/NKSVHyuFhkgIy_zLE-l6wlDTqZx5SmN-QCLcBGAs/s320/IMG_20180210_163605.jpg" width="320" /></a></div>
<br />
Shrinking the region or moving away removes the glitch. Other regions may work; it wasn't investigated thoroughly. 100x magnification was required at max power (50W bulb, no polarizers, etc).<br />
<br />
We also have an AT89C51 in the pipeline from the same board, but are hitting a snag related to getting samples successfully programmed. Hopefully this will be resolved soon and we'll shortly have a follow up post.<br />
<br />
Special thanks to EdHunter for supporting this project!<br />
<br />
Enjoy this post? Please <a href="https://www.patreon.com/user?u=4805718">support us on Patreon</a>! Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.<br />
<br />
Sega 315-5XXX ULAs: #214, #217, #218 (CAPS0ff, 2017-12-01)<br />
<br />
In a previous post we mentioned that a few of the Sega 315-5XXX series are special. This brief post documents what we found.<br />
<br />
To review, the following chips were lumped together for analysis:<br />
<table border="1" cellpadding="3" cellspacing="0" style="border-collapse: collapse;"><tbody>
<tr><th>Sega #</th><th>Decap #</th></tr>
<tr><td>315-5571</td><td>14</td></tr>
<tr><td>315-5572</td><td>15</td></tr>
<tr><td>315-5573</td><td>16</td></tr>
<tr><td>315-5672</td><td>217</td></tr>
<tr><td>315-5673</td><td>214</td></tr>
<tr><td>315-5674</td><td>218</td></tr>
<tr><td>315-5677</td><td>211</td></tr>
<tr><td>315-5677A</td><td>215</td></tr>
<tr><td>315-5678</td><td>212</td></tr>
<tr><td>315-5679A</td><td>213</td></tr>
<tr><td>315-5679B</td><td>216</td></tr>
</tbody></table>
<br />
For the most part these were assumed to be a mix of Fujitsu DSPs. For example, here's an <span data-sheets-userformat="{"2":513,"3":[null,0],"12":0}" data-sheets-value="{"1":2,"2":"MB86234"}" style="font-family: "calibri" , "arial"; font-size: 12pt; font-style: normal;">MB86233 (315-5571</span>):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-3DPGruyD9BI/Whi81C-6kAI/AAAAAAAAAcc/YKigHxQlnKYq77FaGtdBKrz0WU9OamqrwCLcBGAs/s1600/die.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="811" data-original-width="802" height="320" src="https://2.bp.blogspot.com/-3DPGruyD9BI/Whi81C-6kAI/AAAAAAAAAcc/YKigHxQlnKYq77FaGtdBKrz0WU9OamqrwCLcBGAs/s320/die.jpg" width="316" /></a></div>
<br />
<br />
While the MB86234 (315-5677) is very close:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-iAqeeBh5g8Y/Whe-8I5UiAI/AAAAAAAAAa0/IIZFWVKq6pMwj1nd_BHpbsy6K4hjFVXkQCLcBGAs/s1600/die_315-5677.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="476" data-original-width="449" height="320" src="https://3.bp.blogspot.com/-iAqeeBh5g8Y/Whe-8I5UiAI/AAAAAAAAAa0/IIZFWVKq6pMwj1nd_BHpbsy6K4hjFVXkQCLcBGAs/s320/die_315-5677.jpg" width="301" /></a></div>
<br />
So what about the others? <br />
<h2>
Sega 315-5673 (#214)</h2>
Here's the package:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-EcwS-24My90/WhfK_Vx05tI/AAAAAAAAAbo/YFKB3qxACoUPI9-x7bKlqcGfecTzNHXgACLcBGAs/s1600/pack_top.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1124" data-original-width="1212" height="296" src="https://4.bp.blogspot.com/-EcwS-24My90/WhfK_Vx05tI/AAAAAAAAAbo/YFKB3qxACoUPI9-x7bKlqcGfecTzNHXgACLcBGAs/s320/pack_top.jpg" width="320" /></a></div>
<br />
Which has this die:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-z_0HWVnYhY0/WhfKBPZM3EI/AAAAAAAAAbU/AMkBWGYVN2QtN7Tzq9ZBuAAwFz6AVIVjgCLcBGAs/s1600/die_214.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="751" data-original-width="750" height="320" src="https://1.bp.blogspot.com/-z_0HWVnYhY0/WhfKBPZM3EI/AAAAAAAAAbU/AMkBWGYVN2QtN7Tzq9ZBuAAwFz6AVIVjgCLcBGAs/s320/die_214.jpg" width="319" /></a></div>
<br />
Which is clearly not one of the DSPs. Markings:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-x1jxStFYQ7k/WhfLUvibPVI/AAAAAAAAAbs/WaSWNyKLuN4YJc1Dp8nPlw-qmKSa3TsYQCLcBGAs/s1600/logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="383" data-original-width="455" height="269" src="https://2.bp.blogspot.com/-x1jxStFYQ7k/WhfLUvibPVI/AAAAAAAAAbs/WaSWNyKLuN4YJc1Dp8nPlw-qmKSa3TsYQCLcBGAs/s320/logo.jpg" width="320" /></a></div>
<h2>
Sega 315-5672 (#217)</h2>
Here's the package:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-19R7sVUA0Lk/WhfL49paXHI/AAAAAAAAAb4/RgxAIT7nQks1qe6X8ZGvgAcHX7GnqT9GACLcBGAs/s1600/pack_top.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="932" data-original-width="1328" height="224" src="https://1.bp.blogspot.com/-19R7sVUA0Lk/WhfL49paXHI/AAAAAAAAAb4/RgxAIT7nQks1qe6X8ZGvgAcHX7GnqT9GACLcBGAs/s320/pack_top.jpg" width="320" /></a></div>
<br />
A bit suspicious since it has a wildly different number of pins than the others. Anyway, here's its die:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-nNP396ps0gg/WhfKFYuRLPI/AAAAAAAAAbY/ZYFAPMeJCT041JGBSm2X6VBIaadV8stSACLcBGAs/s1600/die_217.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="622" height="318" src="https://4.bp.blogspot.com/-nNP396ps0gg/WhfKFYuRLPI/AAAAAAAAAbY/ZYFAPMeJCT041JGBSm2X6VBIaadV8stSACLcBGAs/s320/die_217.jpg" width="320" /></a></div>
<br />
Which also clearly does not look like the others. Markings:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-v2ulM9bH7F0/WhfMP07TMqI/AAAAAAAAAb8/NryGTIwIpC4Ascuv4mPxoTwGh6LFSdFsQCLcBGAs/s1600/logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="686" data-original-width="837" height="262" src="https://1.bp.blogspot.com/-v2ulM9bH7F0/WhfMP07TMqI/AAAAAAAAAb8/NryGTIwIpC4Ascuv4mPxoTwGh6LFSdFsQCLcBGAs/s320/logo.jpg" width="320" /></a></div>
<h2>
Sega 315-5674 (#218)</h2>
Here's the package:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-y6Oiqgy7J9M/WhfMwFpLGvI/AAAAAAAAAcI/gLDgR9mDq6kcx8_vKlAGR3y52uliHa5kgCLcBGAs/s1600/pack_top.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1072" data-original-width="1156" height="296" src="https://2.bp.blogspot.com/-y6Oiqgy7J9M/WhfMwFpLGvI/AAAAAAAAAcI/gLDgR9mDq6kcx8_vKlAGR3y52uliHa5kgCLcBGAs/s320/pack_top.jpg" width="320" /></a></div>
<br />
Also a different package, so it was suspected this wasn't like the others. And here's the die:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-2xxOS2jw1KM/WhfKJTCF_HI/AAAAAAAAAbc/ukuyRCcXNfApwHTPF9ZzRVzrCt9Fy2jgQCLcBGAs/s1600/die_218.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="490" data-original-width="491" height="319" src="https://3.bp.blogspot.com/-2xxOS2jw1KM/WhfKJTCF_HI/AAAAAAAAAbc/ukuyRCcXNfApwHTPF9ZzRVzrCt9Fy2jgQCLcBGAs/s320/die_218.jpg" width="320" /></a></div>
<br />
Confirming this. Markings:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-411D3_Z52F4/WhfNG6YNyrI/AAAAAAAAAcM/NVswXMwfWbI3YQzcvlQyUBxkdaPnaiXGACLcBGAs/s1600/logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="690" data-original-width="841" height="262" src="https://1.bp.blogspot.com/-411D3_Z52F4/WhfNG6YNyrI/AAAAAAAAAcM/NVswXMwfWbI3YQzcvlQyUBxkdaPnaiXGACLcBGAs/s320/logo.jpg" width="320" /></a></div>
<h2>
Summary</h2>
These chips are <a href="https://www.mentor.com/products/fpga/synthesis/partners/asic/fujitsu">Fujitsu CG24</a> uncommitted logic arrays (ULAs). With the above new information, our Sega 315-XXXX table now has:<br />
<style type="text/css"><!--td {border: 1px solid #ccc;}br {mso-data-placement:same-cell;}--></style><br />
<table border="1" cellpadding="0" cellspacing="0" dir="ltr" style="border-collapse: collapse; border: none; font-family: Calibri; font-size: 12pt; table-layout: fixed; width: 0px;"><colgroup><col width="120"></col><col width="120"></col><col width="120"></col></colgroup><tbody>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"Sega #"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">Sega #</td><td data-sheets-value="{"1":2,"2":"Part"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">Part</td><td data-sheets-value="{"1":2,"2":"Decap #"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">Decap #</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5571"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5571</td><td data-sheets-value="{"1":2,"2":"MB86233"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB86233</td><td data-sheets-value="{"1":3,"3":14}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">14</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5572"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5572</td><td data-sheets-value="{"1":2,"2":"MB86233"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB86233</td><td data-sheets-value="{"1":3,"3":15}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">15</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5573"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5573</td><td data-sheets-value="{"1":2,"2":"MB86233"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB86233</td><td data-sheets-value="{"1":3,"3":16}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">16</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5672"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5672</td><td data-sheets-value="{"1":2,"2":"ASIC"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">CG24 ULA</td><td data-sheets-value="{"1":3,"3":217}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">217</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5673"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5673</td><td data-sheets-value="{"1":2,"2":"ASIC"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">CG24 ULA</td><td data-sheets-value="{"1":3,"3":214}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">214</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5674"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5674</td><td data-sheets-value="{"1":2,"2":"ASIC"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">CG24 ULA</td><td data-sheets-value="{"1":3,"3":218}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">218</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5677"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5677</td><td data-sheets-value="{"1":2,"2":"MB86234"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB86234</td><td data-sheets-value="{"1":3,"3":211}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">211</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5677A"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5677A</td><td data-sheets-value="{"1":2,"2":"MB86234"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB86234</td><td data-sheets-value="{"1":3,"3":215}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">215</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5678"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5678</td><td data-sheets-value="{"1":2,"2":"MB86234"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB86234</td><td data-sheets-value="{"1":3,"3":212}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">212</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5679A"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5679A</td><td data-sheets-value="{"1":2,"2":"MB86234"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB86234</td><td data-sheets-value="{"1":3,"3":213}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">213</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5679B"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5679B</td><td data-sheets-value="{"1":2,"2":"MB86234"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB86234</td><td data-sheets-value="{"1":3,"3":216}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">216</td></tr>
</tbody></table>
<br />
Summarized as: <br />
<ul>
<li>315-557X: Fujitsu MB86233 DSP</li>
<li>315-567X (lower): Fujitsu CG24 ULA</li>
<li>315-567X (higher): Fujitsu MB86234 DSP</li>
</ul>
<br />
As there is no firmware to document on these chips, no further work will be done at this time. If at some point it becomes feasible to capture the original layout, we'll revisit.<br />
<br />
Enjoy this post? Please support us on <a href="https://www.patreon.com/user?u=4805718">Patreon</a>! Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.
<h2>
TGP status update (CAPS0ff, 2017-11-29)</h2>
<h2>
ROM status</h2>
In a <a href="http://caps0ff.blogspot.com/2017/02/fujitsu-mb86233-tgp-dsp.html">previous post</a> we talked about capturing TGP ROMs and <a href="http://caps0ff.blogspot.com/2017/07/gotta-capture-em-all.html">later discussed a project</a> to digitize them. However, as digitization proceeded, the quality of digitization was going down. After a bit of sleuthing, we noticed we had overlooked something.<br />
<br />
First, one thing that had been noticed was that some chips have this interesting alternating bit appearance (ex: 315-5677a):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-LAfWMBTejLs/WhJ4AkMucfI/AAAAAAAAAZs/9eu2RfvviCgfkydgKQAkE6Zms7NjUoxwgCLcBGAs/s1600/315-5677a_roi.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="320" data-original-width="462" height="221" src="https://4.bp.blogspot.com/-LAfWMBTejLs/WhJ4AkMucfI/AAAAAAAAAZs/9eu2RfvviCgfkydgKQAkE6Zms7NjUoxwgCLcBGAs/s320/315-5677a_roi.jpg" width="320" /></a></div>
<br />
That is, the bits on the left of the column pairs are lighter than the ones on the right. We weren't sure what to make of this, but most of the bits were resolvable, so we didn't worry about it too much.<br />
<br />
Anyway, here's 315-5571 at 20x:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-1oMPQpKZB50/WhJv0icSmKI/AAAAAAAAAZY/41Pa3siJcRYKb-odiJnzT_5XiYGDgRWjwCLcBGAs/s1600/315-5571_old_20x.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="574" data-original-width="844" height="217" src="https://3.bp.blogspot.com/-1oMPQpKZB50/WhJv0icSmKI/AAAAAAAAAZY/41Pa3siJcRYKb-odiJnzT_5XiYGDgRWjwCLcBGAs/s320/315-5571_old_20x.jpg" width="320" /></a></div>
<br />
And here's 315-5677 at 20x:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-rlOU3WY4ZKc/WhJv8LYJ__I/AAAAAAAAAZc/ETN5bvqcl8czz6k1yIDdLu_x1WyFhTSkwCLcBGAs/s1600/315-5677_new_20x_roi.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="463" data-original-width="684" height="216" src="https://1.bp.blogspot.com/-rlOU3WY4ZKc/WhJv8LYJ__I/AAAAAAAAAZc/ETN5bvqcl8czz6k1yIDdLu_x1WyFhTSkwCLcBGAs/s320/315-5677_new_20x_roi.jpg" width="320" /></a></div>
<br />
Other than some color differences, at first these look identical. But let's put them together:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-19TOV8WLBaY/WhJ5jsUvmOI/AAAAAAAAAZ4/xPmRGVxRl3UkEohEpp1RPsqfnOo99cy1QCLcBGAs/s1600/both_20x.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="715" data-original-width="844" height="271" src="https://1.bp.blogspot.com/-19TOV8WLBaY/WhJ5jsUvmOI/AAAAAAAAAZ4/xPmRGVxRl3UkEohEpp1RPsqfnOo99cy1QCLcBGAs/s320/both_20x.jpg" width="320" /></a></div>
<br />
Aha! There was a slight process shrink. This turns out to be enough that it slightly reduced the accuracy of recovering some of the ROMs. Specifically, MB86233 is the large process, and MB86234 is the smaller process.<br />
<br />
That aside, these dies are actually quite similar.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-3DPGruyD9BI/Whi81C-6kAI/AAAAAAAAAcc/YKigHxQlnKYq77FaGtdBKrz0WU9OamqrwCLcBGAs/s1600/die.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="811" data-original-width="802" height="320" src="https://2.bp.blogspot.com/-3DPGruyD9BI/Whi81C-6kAI/AAAAAAAAAcc/YKigHxQlnKYq77FaGtdBKrz0WU9OamqrwCLcBGAs/s320/die.jpg" width="316" /></a></div>
<br />
And here's an <span data-sheets-userformat="{"2":513,"3":[null,0],"12":0}" data-sheets-value="{"1":2,"2":"MB86234"}" style="font-family: "calibri" , "arial"; font-size: 12pt; font-style: normal;">MB86234 (</span>315-5677):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-iAqeeBh5g8Y/Whe-8I5UiAI/AAAAAAAAAa0/IIZFWVKq6pMwj1nd_BHpbsy6K4hjFVXkQCLcBGAs/s1600/die_315-5677.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="476" data-original-width="449" height="320" src="https://3.bp.blogspot.com/-iAqeeBh5g8Y/Whe-8I5UiAI/AAAAAAAAAa0/IIZFWVKq6pMwj1nd_BHpbsy6K4hjFVXkQCLcBGAs/s320/die_315-5677.jpg" width="301" /></a></div>
<br />
At first these look identical, but there are some small differences, such as upper left layout. Here's <span data-sheets-userformat="{"2":513,"3":[null,0],"12":0}" data-sheets-value="{"1":2,"2":"MB86234"}" style="font-family: "calibri" , "arial"; font-size: 12pt; font-style: normal;">MB86233 (315-5571</span>):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-e4L3qFjnjeo/WhjBUlnKHgI/AAAAAAAAAco/Yjx6YimraPMWzO_iw-XuWAnt1h_NA4ghACLcBGAs/s1600/first.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="354" data-original-width="829" height="136" src="https://1.bp.blogspot.com/-e4L3qFjnjeo/WhjBUlnKHgI/AAAAAAAAAco/Yjx6YimraPMWzO_iw-XuWAnt1h_NA4ghACLcBGAs/s320/first.jpg" width="320" /></a></div>
<br />
While MB86234 (315-5677) looks like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-Gah0Y7ClcDM/WhjBkPQD9pI/AAAAAAAAAcs/lEBfiJfF468dlx1EtT-j3tUaUG0na-znQCLcBGAs/s1600/second.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="570" data-original-width="1334" height="136" src="https://4.bp.blogspot.com/-Gah0Y7ClcDM/WhjBkPQD9pI/AAAAAAAAAcs/lEBfiJfF468dlx1EtT-j3tUaUG0na-znQCLcBGAs/s320/second.jpg" width="320" /></a></div>
<br />
Upper right also has some noticeable differences. <br />
<h2>
Moving forward</h2>
Following this, MB86234 were cleaned and re-shot at much higher resolution. This was a bit tricky as it made image stitching a lot harder, but most of the issues have now been resolved.<br />
<br />
While some of the 20x MB86234 were fine, for example (315-5679A):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-ainvxymHuGM/WhJ9juh1gAI/AAAAAAAAAaQ/mqcrot1awP0-ekOpZk1x1cc7wmFpxZVNQCLcBGAs/s1600/315-5679b_zoom_20x.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="200" data-original-width="315" height="406" src="https://3.bp.blogspot.com/-ainvxymHuGM/WhJ9juh1gAI/AAAAAAAAAaQ/mqcrot1awP0-ekOpZk1x1cc7wmFpxZVNQCLcBGAs/s640/315-5679b_zoom_20x.jpg" width="640" /></a></div>
<br />
Others we couldn't get as nice an image at 20x (315-5679B):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-7Vm_9RC_cpo/WhMd0ZZVcOI/AAAAAAAAAag/NIg1VOYuaLwh5wb1F3uisC9GjIEpk0EOACLcBGAs/s1600/315-5679b_real.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="193" data-original-width="315" height="392" src="https://4.bp.blogspot.com/-7Vm_9RC_cpo/WhMd0ZZVcOI/AAAAAAAAAag/NIg1VOYuaLwh5wb1F3uisC9GjIEpk0EOACLcBGAs/s640/315-5679b_real.jpg" width="640" /></a></div>
<br />
But looked a lot better at 100x (315-5679B):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-Wf-fxXL1gjg/WhJ8I68YQAI/AAAAAAAAAaE/XJVzX3iW0cI1IROKQglmiJCB59SS4YOUwCLcBGAs/s1600/315-5679b_zoom.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="531" data-original-width="855" height="397" src="https://3.bp.blogspot.com/-Wf-fxXL1gjg/WhJ8I68YQAI/AAAAAAAAAaE/XJVzX3iW0cI1IROKQglmiJCB59SS4YOUwCLcBGAs/s640/315-5679b_zoom.jpg" width="640" /></a></div>
<br />
Although the contrast may not be as good, more detail is available, such as bits appearing as a + instead of a white blob. This allows, for example, differentiating a dust blob from a bit.<br />
<br />
We are currently reviewing the new captures to see whether they can be extracted with CV or should be given to the typing monkeys. Most likely, though, we'll generate a CV reference and compare it to the crowdsourced result. We are also evaluating whether any of the existing captured sets need to be re-done due to suspected errors. Hopefully we can simply filter out the inconsistent tiles and recheck just those.<br />
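The tile-level reconciliation described above (CV reference versus crowdsourced transcription, then recheck only the tiles that disagree) can be sketched in a few dozen lines. The following is an added example written for this post, not Caps0ff's own tooling or the Monkey pipeline: the 8x16 bit grids, the 4x8 tile size, and the three transcription slips in the sample are all constructed assumptions. It also goes slightly beyond the text by adding a per-bit majority vote across several passes, which is the usual way to merge more than two transcriptions before diffing.

```python
# Added example, not Caps0ff's own tooling: reconcile a CV-extracted ROM bit
# grid with a crowdsourced transcription tile by tile, so only the tiles the
# two sources disagree on are sent back for rechecking.  The grid geometry,
# the 4x8 tile size and the sample dumps below are constructed assumptions.
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Grid = List[List[int]]
TileKey = Tuple[int, int]

# Constructed sample: an 8-row x 16-column bit grid as a CV tool might emit it.
CV_REFERENCE = """
1010101010101010
1100110011001100
1111000011110000
1111111100000000
0000111100001111
0011001100110011
0101010101010101
1001100110011001
"""

# Constructed sample: the same region typed by a volunteer, with three slips
# (row 1 col 2, row 2 col 3, row 6 col 12).
CROWD_PASS = """
1010101010101010
1110110011001100
1110000011110000
1111111100000000
0000111100001111
0011001100110011
0101010101011101
1001100110011001
"""


def parse_grid(text: str) -> Grid:
    """Parse a '0'/'1' text dump, one row per line, rejecting ragged or non-bit rows."""
    rows = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not rows:
        raise ValueError("empty grid")
    width = len(rows[0])
    grid: Grid = []
    for r, line in enumerate(rows):
        if len(line) != width:
            raise ValueError(f"row {r} has width {len(line)}, expected {width}")
        if set(line) - {"0", "1"}:
            raise ValueError(f"row {r} contains non-bit characters")
        grid.append([int(ch) for ch in line])
    return grid


def _check_same_shape(a: Grid, b: Grid) -> None:
    if len(a) != len(b) or any(len(x) != len(y) for x, y in zip(a, b)):
        raise ValueError("grids have different dimensions")


def tile_mismatches(ref: Grid, crowd: Grid, tile_rows: int = 4, tile_cols: int = 8) -> Dict[TileKey, int]:
    """Count differing bits per tile; tiles that agree completely are omitted."""
    _check_same_shape(ref, crowd)
    counts: Dict[TileKey, int] = {}
    for r, (row_a, row_b) in enumerate(zip(ref, crowd)):
        for c, (a, b) in enumerate(zip(row_a, row_b)):
            if a != b:
                key = (r // tile_rows, c // tile_cols)
                counts[key] = counts.get(key, 0) + 1
    return counts


def recheck_tiles(ref: Grid, crowd: Grid, tile_rows: int = 4, tile_cols: int = 8) -> List[TileKey]:
    """Sorted list of (tile_row, tile_col) the volunteers should look at again."""
    return sorted(tile_mismatches(ref, crowd, tile_rows, tile_cols))


def consensus(grids: Sequence[Grid]) -> Tuple[Grid, List[Tuple[int, int]]]:
    """Per-bit majority vote over several passes; also returns cells with no clear majority (ties)."""
    if len(grids) < 2:
        raise ValueError("need at least two passes to vote")
    for g in grids[1:]:
        _check_same_shape(grids[0], g)
    result: Grid = []
    ties: List[Tuple[int, int]] = []
    for r in range(len(grids[0])):
        out_row = []
        for c in range(len(grids[0][r])):
            tally = Counter(g[r][c] for g in grids)
            ones, zeros = tally[1], tally[0]
            if ones == zeros:
                ties.append((r, c))
            out_row.append(1 if ones > zeros else 0)
        result.append(out_row)
    return result, ties


if __name__ == "__main__":
    ref, crowd = parse_grid(CV_REFERENCE), parse_grid(CROWD_PASS)
    print("tiles to recheck:", recheck_tiles(ref, crowd))
    voted, ties = consensus([ref, crowd, ref])
    print("votes agree with CV reference:", voted == ref, "ties:", ties)
```

With the sample above the CV reference and the volunteer pass disagree in two of the four tiles, so only those two go back to the typing queue; the tie list from `consensus` is what flags cells that no number of passes has settled, which is the same "inconsistent tile" signal at bit granularity.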
<h2>
Die ID</h2>
One interesting tidbit is comparing die IDs. For example, here is 315-5677:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-0xLxsoKSir0/WhfEy26d-lI/AAAAAAAAAbE/aFKG8ayJ4XI8cZ0AtVkfuI06vw36jvS1ACLcBGAs/s1600/id.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="298" data-original-width="869" height="136" src="https://3.bp.blogspot.com/-0xLxsoKSir0/WhfEy26d-lI/AAAAAAAAAbE/aFKG8ayJ4XI8cZ0AtVkfuI06vw36jvS1ACLcBGAs/s400/id.jpg" width="400" /></a></div>
<br />
Here is a table documenting the relationship between the various parts:<br />
<br />
<style type="text/css"><!--td {border: 1px solid #ccc;}br {mso-data-placement:same-cell;}--></style><br />
<table border="1" cellpadding="0" cellspacing="0" dir="ltr" style="border-collapse: collapse; border: none; font-family: Calibri; font-size: 12pt; table-layout: fixed; width: 0px;"><colgroup><col width="120"></col><col width="120"></col><col width="60"></col><col width="103"></col><col width="56"></col></colgroup><tbody>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"Sega #"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">Sega #</td><td data-sheets-value="{"1":2,"2":"Part"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">Part</td><td data-sheets-value="{"1":2,"2":"Decap #"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">Decap #</td><td data-sheets-value="{"1":2,"2":"Die ID"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">Die ID</td><td data-sheets-value="{"1":2,"2":"Process"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">Process</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5571"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5571</td><td data-sheets-value="{"1":2,"2":"MB86233"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB86233</td><td data-sheets-value="{"1":3,"3":14}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">14</td><td data-sheets-value="{"1":2,"2":"MB 86233-002 "}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB 86233-002 </td><td data-sheets-value="{"1":2,"2":"Large"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">Large</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5572"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5572</td><td data-sheets-value="{"1":2,"2":"MB86233"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB86233</td><td data-sheets-value="{"1":3,"3":15}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">15</td><td data-sheets-value="{"1":2,"2":"MB 86233-005"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB 86233-005</td><td data-sheets-value="{"1":2,"2":"Large"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">Large</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5573"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5573</td><td data-sheets-value="{"1":2,"2":"MB86233"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB86233</td><td data-sheets-value="{"1":3,"3":16}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">16</td><td data-sheets-value="{"1":2,"2":"MB 86233-004"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB 86233-004</td><td data-sheets-value="{"1":2,"2":"Large"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">Large</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5677"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5677</td><td data-sheets-value="{"1":2,"2":"MB86234"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB86234</td><td data-sheets-value="{"1":3,"3":211}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">211</td><td data-sheets-value="{"1":2,"2":"MB 86234-004"}" style="font-weight: bold; overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB 86234-004</td><td data-sheets-value="{"1":2,"2":"Small"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">Small</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5678"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5678</td><td data-sheets-value="{"1":2,"2":"MB86234"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB86234</td><td data-sheets-value="{"1":3,"3":212}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">212</td><td data-sheets-value="{"1":2,"2":"MB 86234-002"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB 86234-002</td><td data-sheets-value="{"1":2,"2":"Small"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">Small</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5679A"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5679A</td><td data-sheets-value="{"1":2,"2":"MB86234"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB86234</td><td data-sheets-value="{"1":3,"3":213}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">213</td><td data-sheets-value="{"1":2,"2":"MB 86234-004"}" style="font-weight: bold; overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB 86234-004</td><td data-sheets-value="{"1":2,"2":"Small"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">Small</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5677A"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5677A</td><td data-sheets-value="{"1":2,"2":"MB86234"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB86234</td><td data-sheets-value="{"1":3,"3":215}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">215</td><td data-sheets-value="{"1":2,"2":"MB 86234-005"}" style="font-weight: bold; overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB 86234-005</td><td data-sheets-value="{"1":2,"2":"Small"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">Small</td></tr>
<tr style="height: 20px;"><td data-sheets-value="{"1":2,"2":"315-5679B"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">315-5679B</td><td data-sheets-value="{"1":2,"2":"MB86234"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB86234</td><td data-sheets-value="{"1":3,"3":216}" style="overflow: hidden; padding: 0px 3px 0px 3px; text-align: right; vertical-align: bottom;">216</td><td data-sheets-value="{"1":2,"2":"MB 86234-005"}" style="font-weight: bold; overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">MB 86234-005</td><td data-sheets-value="{"1":2,"2":"Small"}" style="overflow: hidden; padding: 0px 3px 0px 3px; vertical-align: bottom;">Small</td></tr>
</tbody></table>
<br />
In particular, there are duplicate IDs! We haven't looked over these yet to see if the ROMs are identical.<br />
<br />
Finally, where are the other Sega 315-5XXX parts? Stay tuned for a post in the near future.<br />
<h2>
Summary</h2>
We have collected sufficient data to document the TGP ROMs, but need to spend some time sifting through it to determine next steps. Stay tuned on the MW forum for announcements from Monkey administrators.<br />
<br />
Enjoy this post? Please support us on <a href="https://www.patreon.com/user?u=4805718">Patreon</a>! Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.
<h2>
Looking inside Taito C-Chip (CAPS0ff, 2017-10-30)</h2>
This is a long standing WIP. Although this is not complete, we thought we'd give an update as to where this project is and where it's going.<br />
<h2>
Background</h2>
EDIT: we forgot to add background information. There's some <a href="http://www.mameworld.info/ubbthreads/showthreaded.php?Cat=&Number=370681&page=&view=&sb=5&o=&fpart=1&vc=1">info by Haze here</a>. <br />
<h2>
Package analysis</h2>
Among the samples received are some TAITO TC0030CMD "C-CHIP" integrated circuits.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-NbRQqNlq53o/WXj-Z3HtDvI/AAAAAAAAAVs/cZ6GSvJewQ8P-mY566fq1YGcSfRZgoqWQCLcBGAs/s1600/IMG_9219_2016-12-27.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="599" data-original-width="1600" height="148" src="https://4.bp.blogspot.com/-NbRQqNlq53o/WXj-Z3HtDvI/AAAAAAAAAVs/cZ6GSvJewQ8P-mY566fq1YGcSfRZgoqWQCLcBGAs/s400/IMG_9219_2016-12-27.jpg" width="400" /></a></div>
<br />
Although generally little is known about this part, a previous decap revealed it's a multi-chip module (MCM). Given these are relatively scarce, we started by analyzing an x-ray someone took:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-5Svn0YFumk0/WXj-abu16II/AAAAAAAAAVw/D9EFRrOwj-wrlC8_pAH9mLg7-a9wKw1ygCLcBGAs/s1600/TC0030CMD_xray_stitch.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="631" data-original-width="1600" height="156" src="https://4.bp.blogspot.com/-5Svn0YFumk0/WXj-abu16II/AAAAAAAAAVw/D9EFRrOwj-wrlC8_pAH9mLg7-a9wKw1ygCLcBGAs/s400/TC0030CMD_xray_stitch.jpg" width="400" /></a></div>
<br />
The package is filled with all kinds of goodies attached to an etched substrate!<br />
This lines up with the previous decap, but also shows the missing bit:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-_w9G9N2vwjs/Wd-D943akSI/AAAAAAAAAXg/Za9NeF3PcmAtPPPYkRkJmJbskkp4DNivgCEwYBhgL/s1600/123.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="584" data-original-width="1396" height="133" src="https://3.bp.blogspot.com/-_w9G9N2vwjs/Wd-D943akSI/AAAAAAAAAXg/Za9NeF3PcmAtPPPYkRkJmJbskkp4DNivgCEwYBhgL/s320/123.jpg" width="320" /></a></div>
<br />
Unfortunately, the above sample is missing the MCU section, which is critical for our analysis. After some discussion we decided we need to decap one ourselves to better understand the surrounding circuitry. Preparing for decap:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-Ns0tT2PJsdI/WXj-ZlyQzUI/AAAAAAAAAVk/xRGiXW-YWfMMM7VWtUsqejmcexR-bvw2wCLcBGAs/s1600/IMG_9240_2016-12-27.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="588" data-original-width="1600" height="146" src="https://1.bp.blogspot.com/-Ns0tT2PJsdI/WXj-ZlyQzUI/AAAAAAAAAVk/xRGiXW-YWfMMM7VWtUsqejmcexR-bvw2wCLcBGAs/s400/IMG_9240_2016-12-27.jpg" width="400" /></a></div>
<br />
This was then filled with a relatively large pool of fuming nitric acid, heated, and rinsed, until the substrate was revealed:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-8G6ZPq6h7Zc/WXj-Z_pSIDI/AAAAAAAAAVo/roskKAcmAUssa0oEYARIXeBgHanuNJYLQCLcBGAs/s1600/IMG_9283_2016-12-27.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="596" data-original-width="1600" height="148" src="https://1.bp.blogspot.com/-8G6ZPq6h7Zc/WXj-Z_pSIDI/AAAAAAAAAVo/roskKAcmAUssa0oEYARIXeBgHanuNJYLQCLcBGAs/s400/IMG_9283_2016-12-27.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
And we have a full decap! Here's a close up of an NEC uPD4464A SRAM: <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-nDNT8IFM5Tk/Wd-E_5ZDL4I/AAAAAAAAAXQ/xvgQS0Hkozcw26oY4APeVyduByNITBDZQCLcBGAs/s1600/ram.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="841" data-original-width="1552" height="173" src="https://4.bp.blogspot.com/-nDNT8IFM5Tk/Wd-E_5ZDL4I/AAAAAAAAAXQ/xvgQS0Hkozcw26oY4APeVyduByNITBDZQCLcBGAs/s320/ram.jpg" width="320" /></a></div>
<br />
An NEC D27C64 EPROM: <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-iym3REMFAqo/Wd-FGg2AZvI/AAAAAAAAAXU/-jGH7fw9Y90y-zTXdFg0StBkcKx3ugqPgCLcBGAs/s1600/eprom.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1114" data-original-width="1600" height="222" src="https://1.bp.blogspot.com/-iym3REMFAqo/Wd-FGg2AZvI/AAAAAAAAAXU/-jGH7fw9Y90y-zTXdFg0StBkcKx3ugqPgCLcBGAs/s320/eprom.jpg" width="320" /></a></div>
<br />
An NEC 65012-229 ASIC:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-8iZebBncuN0/Wd-C81jx0sI/AAAAAAAAAXA/iDlQAR48COI0xr7g71GcN965qvr1w6AxgCLcBGAs/s1600/asic.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="455" data-original-width="500" height="290" src="https://3.bp.blogspot.com/-8iZebBncuN0/Wd-C81jx0sI/AAAAAAAAAXA/iDlQAR48COI0xr7g71GcN965qvr1w6AxgCLcBGAs/s320/asic.jpg" width="320" /></a></div>
<br />
<br />
An uPD78C11 MCU:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-j_6l413_V_s/Wd-FlNJMrhI/AAAAAAAAAXY/DHZOjtQX_YA2T_6YSoQ3OkCIsok7Pi4NACLcBGAs/s1600/mcu.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="650" data-original-width="640" height="320" src="https://3.bp.blogspot.com/-j_6l413_V_s/Wd-FlNJMrhI/AAAAAAAAAXY/DHZOjtQX_YA2T_6YSoQ3OkCIsok7Pi4NACLcBGAs/s320/mcu.jpeg" width="315" /></a></div>
<br />
We then imaged the MCU ROM:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-NeUNrN4equ8/Wd-Gs5Jjt7I/AAAAAAAAAXk/7eVGy8POrogSzGlOxReJ46p0sOkS_qRVwCLcBGAs/s1600/rom.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="470" data-original-width="655" height="229" src="https://2.bp.blogspot.com/-NeUNrN4equ8/Wd-Gs5Jjt7I/AAAAAAAAAXk/7eVGy8POrogSzGlOxReJ46p0sOkS_qRVwCLcBGAs/s320/rom.jpg" width="320" /></a></div>
<br />
to allow analyzing the boot ROM firmware for test modes. <br />
<h2>
UPD78C11 mask ROM analysis</h2>
The primary aim of analyzing the boot ROM is to find test modes that allow reading out the EPROM. Such methods might include:<br />
<ul>
<li>Find a test mode to directly read out EPROM</li>
<li>Find a way to load code into MCU to have it dump ROM ("trojan")</li>
<li>Repeatedly compute checksums and write bits, seeing if checksum changes</li>
<li>Analyze protection mechanisms, such as those that might require glitching</li>
</ul>
With that in mind, let's take a look.<br />
<br />
Here is some early boot code:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">; We land here if the “secret handshake” didn’t pass, i.e. the “normal” case.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; clear internal RAM</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000514: 34 00 FF LXI HL,$FF00</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000517: 6A FF MVI B,$FF</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000519: 60 91 XRA A,A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000051B: 3D STAX (HL+)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000051C: 52 DCR B</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000051D: FD JR $051B</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; zero the stack pointer</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000051E: 04 00 00 LXI SP,$0000</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000521: 69 F0 MVI A,$F0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000523: 40 29 0F CALL $0F29 ; Set_bank</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000526: 40 43 05 CALL $0543 ; boot_mask_checksum</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000529: 69 01 MVI A,$01</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000052B: 70 79 01 14 MOV ($1401),A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; main “loop”</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000052F: 70 69 01 14 MOV A,($1401)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000533: 67 03 NEI A,$03 ; is 0x1401 == 0x03?</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000535: 54 69 05 JMP $0569 ; sub_command_handler</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000538: 67 02 NEI A,$02 ; is 0x1401 == 0x02?</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000053A: 54 0C 20 JMP $200C ; run the eprom code</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000053D: 67 04 NEI A,$04 ; is 0x1401 == 0x04?</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000053F: 54 00 00 JMP $0000 ; reset the mcu</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000542: EC JR $052F ; is 0x1401 anything else? Goto main</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; end of main “loop”</span><br />
<br />
We know that under normal circumstances (a game booting) it reaches this point and waits for "command 0x02" (run the EPROM code).<br />
<br />
For reference, addresses 0x1401, 0x1402 and 0x1403 are shared between the UPD78C11 and the 68K; they act as communication ports for sending and receiving commands, and the games use them extensively.<br />
<br />
0x1000 – 0x13ff: banked RAM window. Also shared between 68K and UPD7811<br />
0x2000 – 0x3fff: where EPROM lives in UPD78C11 space, not visible to 68K<br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
However, there are a couple of other options in this table: one to reset the MCU and another to jump to an internal sub-command handler. This sub-command handler is a sort of "test mode" for the MCU and offers several debug features. The idea of the trojan was to exploit these commands by changing the initial value sent by the 68K from 0x02 to 0x03 and make use of a specific command that would copy the EPROM area of the ROM to RAM, as documented later.<br />
<br />
Here's the sub-command handler:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">; sub_command_handler</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; set bank to 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000569: 69 F0 MVI A,$F0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000056B: 40 29 0F CALL $0F29 ; Set_bank</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; set high two portF bits to 11 to disable PROG and ???</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000056E: 64 05 C0 MVI PF,$C0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; set portA data to 0xFF</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000571: 64 00 FF MVI PA,$FF</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; set portA mode to output</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000574: 69 00 MVI A,$00</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000576: 4D D2 MOV MA,A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; set portA data to 0xFF AGAIN [why?]</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000578: 64 00 FF MVI PA,$FF</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; write 0x0a to $1401 status/mode reg (1010)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000057B: 69 0A MVI A,$0A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000057D: 70 79 01 14 MOV ($1401),A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; set REG_C to 0x00</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000581: 6B 00 MVI C,$00</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; set REG_B to 0x07 (number of valid sub-commands in the table)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000583: 6A 07 MVI B,$07</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; load HL with 0x05A7 which points to a table of test indices</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000585: 34 A7 05 LXI HL,$05A7</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; read ($1401) to A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000588: 70 69 01 14 MOV A,($1401)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">; compare secondary test value with table of valid test commands at 5A7 and use the ‘offset’ into the table at 5a7 as the parameter for the TABLE opcode at 596</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000058C: 70 ED NEAX (HL+)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000058E: C4 JR $0593</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000058F: 43 INR C</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000590: 52 DCR B</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000591: FA JR $058C</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000592: EE JR $0581</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000593: 0B MOV A,C</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000594: 60 C1 ADD A,A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000596: 48 A8 TABLE</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000598: 21 JB</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000599: AE 05 ; Program_all_banks (0B)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000059B: 34 06 ; Program_and_verify_all_banks (0C)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000059D: E4 06 ; Eprom_blank_check (0F)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000059F: 0F 07 ; Eprom_verify (14)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000005A1: 79 07 ; Eprom_sum16 (12)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000005A3: A7 07 ; Reset_mcu (04)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000005A5: AA 07 ; Eprom_unlock (17) ?</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; table of valid ‘sub-commands’ which can be written by host to $1401 (external 0x401); these correspond to the 7 TableSubroutines above.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000005A7: 0B 0C 0F 14 12 04 17</span><br />
<br />
We intended to exploit the EPROM unlock command, which expects the host to feed in a 128-byte key (magic word) with careful timing, at which point it copies the content of the EPROM to the RAM. Details here:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">; Eprom_unlock - compare the block at 81B-89A against data input through $1402.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007AA: 64 05 C0 MVI PF,$C0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007AD: 34 1B 08 LXI HL,$081B ; point HL at the table</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007B0: 6A 7F MVI B,$7F ; length of table</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007B2: 24 80 01 LXI DE,$0180 ; delay 0x180 times</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007B5: 23 DCX DE</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007B6: 0C MOV A,D</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007B7: 60 9D ORA A,E</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007B9: 48 0C SK Z</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007BB: F9 JR $07B5</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007BC: 70 69 02 14 MOV A,($1402) ; read 402</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007C0: 70 FD EQAX (HL+) ; equal to table?</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007C2: 4E 37 JRE $07FB ; mismatch</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007C4: 52 DCR B</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007C5: EC JR $07B2 ; match</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; if match and B=0, fall through</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">; dump_eprom_to_sram</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007C6: 34 00 20 LXI HL,$2000</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007C9: 86 CALT ($008C) ; SetRAMBank0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007CA: 40 0B 08 CALL $080B ; dump_hl_to_sram_page</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007CD: 87 CALT ($008E) ; SetRAMBank1</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007CE: 40 0B 08 CALL $080B ; dump_hl_to_sram_page</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007D1: 88 CALT ($0090) ; SetRAMBank2</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007D2: 40 0B 08 CALL $080B ; dump_hl_to_sram_page</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007D5: 89 CALT ($0092) ; SetRAMBank3</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007D6: 40 0B 08 CALL $080B ; dump_hl_to_sram_page</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007D9: 8A CALT ($0094) ; SetRAMBank4</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007DA: 40 0B 08 CALL $080B ; dump_hl_to_sram_page</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007DD: 8B CALT ($0096) ; SetRAMBank5</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007DE: 40 0B 08 CALL $080B ; dump_hl_to_sram_page</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007E1: 8C CALT ($0098) ; SetRAMBank6</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007E2: 40 0B 08 CALL $080B ; dump_hl_to_sram_page</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007E5: 8D CALT ($009A) ; SetRAMBank7</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007E6: 40 0B 08 CALL $080B ; dump_hl_to_sram_page</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007E9: 40 9B 08 CALL $089B ; Wait0xE10</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007EC: 40 9B 08 CALL $089B ; Wait0xE10</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007EF: 69 18 MVI A,$18</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007F1: 70 79 01 14 MOV ($1401),A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007F5: 40 9B 08 CALL $089B ; Wait0xE10</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007F8: 54 69 05 JMP $0569 ; sub_command_handler</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">; mismatch...</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007FB: 70 7A 03 14 MOV ($1403),B ; write how far we got in the table comparison to 403</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000007FF: 69 19 MVI A,$19</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000801: 70 79 01 14 MOV ($1401),A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000805: 40 9B 08 CALL $089B ; Wait0xE10</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000808: 54 69 05 JMP $0569 ; sub_command_handler</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">; dump_hl_to_sram_page</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000080B: 24 00 10 LXI DE,$1000</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000080E: 14 00 04 LXI BC,$0400</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000811: 2D LDAX (HL+)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000812: 3C STAX (DE+)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000813: 13 DCX BC</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000814: 0A MOV A,B</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000815: 60 9B ORA A,C</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000817: 48 0C SK Z</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000819: F7 JR $0811</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000081A: B8 RET</span><br />
<br />
The UPD78C11 has two different outcomes from this function that the 68K should be able to see:<br />
<ul>
<li>Failure writes
<ul>
<li>1401 = 0x19</li>
<li>1403 = number of bytes that were correct</li>
</ul>
</li>
<li>Pass writes
<ul>
<li>1401 = 0x18</li>
</ul>
</li>
</ul>
As the exact timing between the 68K and 78C11 is unknown, and the only result we can get from this command is "the number of correct values" that were passed, we have to brute-force the timings needed. Sending too slowly or too fast will both result in failure.<br />
<br />
To do this we made a table on the 68K side containing a "delay" value for each of the 128 bytes that needed sending.<br />
<br />
I sent each byte, waited for the delay in my table, sent the next byte, etc. (not caring whether the UPD78C11 code was accepting or rejecting that specific byte).<br />
<br />
At some point during this stream of bytes being sent the UPD78C11 would respond, giving us the position of the last byte that was actually successfully received by the internal code.<br />
<br />
Once we had that response we could stop sending, because we knew the position of the last byte that had been successfully received.<br />
<br />
With this knowledge the timing delay could be adjusted, and the whole process tried again until a timing window that worked for each byte was found. Essentially we reduced the delay for that byte, then restarted the process.<br />
<br />
By repeating this process until the timing was correct for each byte we were able to send the whole key, and, in MAME, using hacked up Volfied code managed to pass the key check and trigger the "copy to RAM" process, at which point the 68K was able to see whatever we’d put in the C-Chip EPROM area.<br />
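As an added illustration (not code from the original post or from MAME), here is a small Python model of the unlock routine's timing and of the delay-tuning loop just described. The tick time base, the treatment of the LXI DE,$0180 countdown as one fixed sampling period, and the key bytes are assumptions; the host is given the key (it is visible in the mask ROM dump) but not the MCU's period.

```python
"""Constructed model of the C-Chip Eprom_unlock timing search.

Assumptions that are NOT from the original post: time is counted in abstract
ticks, the MCU's LXI DE,$0180 countdown is one fixed sampling period, both
CPUs share a time base, and the 128 key bytes are synthetic. The host knows
the key (it sits in the mask ROM dump); only the MCU's timing is unknown.
"""

KEY_LEN = 0x80       # MVI B,$7F plus the final fall-through: 128 compares
STATUS_PASS = 0x18   # written to $1401 after dump_eprom_to_sram
STATUS_FAIL = 0x19   # written to $1401 on mismatch
# Stand-in for the table at $081B-$089A (adjacent bytes always differ).
KEY = bytes((i * 37 + 11) & 0xFF for i in range(KEY_LEN))


def mcu_unlock(key, port_writes, period):
    """Model of the loop at $07AA: wait one period, read $1402, EQAX (HL+).

    port_writes: host writes to $1402 as (tick, value), in time order.
    period: ticks per delay countdown; the hidden parameter the host lacks.
    Returns (status, b_reg) as the 68K would later see in $1401 / $1403.
    """
    b_reg = KEY_LEN - 1          # MVI B,$7F
    sample_tick, idx, latched = 0, 0, None
    for expected in key:
        sample_tick += period    # DCX DE ... SK Z / JR $07B5
        # MOV A,($1402): the port holds the most recent host write.
        while idx < len(port_writes) and port_writes[idx][0] <= sample_tick:
            latched = port_writes[idx][1]
            idx += 1
        if latched != expected:  # EQAX did not skip -> JRE $07FB (mismatch)
            return STATUS_FAIL, b_reg   # MOV ($1403),B ; MVI A,$19
        b_reg = (b_reg - 1) & 0xFF      # DCR B
    return STATUS_PASS, None            # fell through into dump_eprom_to_sram


def host_schedule(delays):
    """68K-side write timeline: byte 0 at tick 0, then wait delays[i] ticks
    before writing byte i+1 (the per-byte delay table from the post)."""
    writes, tick = [], 0
    for i, value in enumerate(KEY):
        writes.append((tick, value))
        if i < len(delays):
            tick += delays[i]
    return writes


def matched_bytes(b_reg):
    """B counts down from $7F once per accepted byte, so $1403 = $7F - matched."""
    return (KEY_LEN - 1) - b_reg


def tune_delays(period, initial_delay, step=16, max_rounds=20000):
    """Retry the unlock, each time shortening the delay that precedes the byte
    the MCU rejected, until the whole key is accepted (the search described
    in the post, starting from a deliberately slow guess).
    Returns (delays, rounds)."""
    delays = [initial_delay] * (KEY_LEN - 1)
    for rounds in range(1, max_rounds + 1):
        status, b_reg = mcu_unlock(KEY, host_schedule(delays), period)
        if status == STATUS_PASS:
            return delays, rounds
        matched = matched_bytes(b_reg)
        if matched == 0:
            # Byte 0 is written at tick 0, so a miss here means the next byte
            # overwrote the port before the first sample: we are too fast.
            raise RuntimeError("initial delay too short; start slower")
        delays[matched - 1] = max(1, delays[matched - 1] - step)
    raise RuntimeError("no timing window found within max_rounds")


if __name__ == "__main__":
    PERIOD = 0x180                      # hidden MCU period for the demo
    delays, rounds = tune_delays(PERIOD, initial_delay=600)
    print(f"key accepted after {rounds} attempts")
    print("first tuned delays:", delays[:6])
```

The model makes the weak point visible: because the mismatch path writes B to $1403, the 128-byte compare reports how far it got, so each byte's timing can be searched independently; a check that reported only pass or fail after a fixed time would not give the host anything to converge on.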
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-bW13xTcfCB8/WeEtD5aiNXI/AAAAAAAAAZE/8YLkte88fUIyZXevGjkY0MTf1kydR31dQCLcBGAs/s1600/IMG_20170709_190826_roi.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="965" data-original-width="1600" height="192" src="https://3.bp.blogspot.com/-bW13xTcfCB8/WeEtD5aiNXI/AAAAAAAAAZE/8YLkte88fUIyZXevGjkY0MTf1kydR31dQCLcBGAs/s320/IMG_20170709_190826_roi.jpg" width="320" /></a></div>
Above: early test rig before using a full PCB<br />
<br />
The code in MAME was extensively tested and worked for a wide margin of timing values, allowing the 68K and UPD78C11 to run at speeds up to 10x different from what we were guessing. It was robust, and SHOULD have worked on a PCB.<br />
<h2>
It didn’t</h2>
We are speculating that the following line is to blame:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">0000056E: 64 05 C0 MVI PF,$C0</span><br />
<br />
This is called immediately after going into the sub-command handler.<br />
<br />
At that point, the 68K no longer saw any of the status bytes in the 0x1401 and 0x1403 comms ports, as if access to the ports had been blocked or remapped. The UPD78C11 also no longer seemed to respond to commands written to these ports (such as the one to reset the MCU), suggesting that this ‘MVI PF, $C0’ was completely disabling the communication area between the CPUs.<br />
<br />
We know the CPU entered the sub-command handler, because we know it was waiting for command 0x02 at the point where we sent command 0x03 on startup, meaning we knew exactly where it was in its internal code, but after that line is executed we no longer see any of the expected responses.<br />
<br />
It’s possible it remaps it to somewhere else, but limited evidence meant we had no way of knowing this.<br />
<br />
The only other place PF is written is early in startup, with another fairly odd piece of code. From what we could tell PF goes to the ASIC so could be doing anything.<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">; from RST</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">_start:</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; disable interrupt</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000001E5: BA DI</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; Mask all interrupts</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; figure 5-24</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000001E6: 64 07 FF MVI MKL,$FF</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000001E9: 64 06 FF MVI MKH,$FF</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; Memory mapping</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; pg 25, figure 4-9</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; 0x0E:</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; External access enable</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; 16 KB</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000001EC: 69 0E MVI A,$0E</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000001EE: 4D D0 MOV MM,A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; Figure 4-10: Mode F Register (MF)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; configures I/O for input vs output</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; 1 => input</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000001F0: 69 3F MVI A,$3F</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000001F2: 4D D7 MOV MF,A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; A/D channel mode</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000001F4: 64 80 0F MVI ANM,$0F</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; Set ASIC upd4464 SRAM bank to bank 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000001F7: 69 F0 MVI A,$F0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000001F9: 70 79 00 16 MOV ($1600),A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; Ports A-C all inputs</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000001FD: 69 FF MVI A,$FF</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">000001FF: 4D D2 MOV MA,A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000201: 4D D3 MOV MB,A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000203: 4D D4 MOV MC,A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; zero the latter 3 of the ASIC RAM/Semaphore bytes</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000205: 69 00 MVI A,$00</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000207: 70 79 01 14 MOV ($1401),A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000020B: 70 79 02 14 MOV ($1402),A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000020F: 70 79 03 14 MOV ($1403),A</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">; for (B = 0x12; B > 0; --B) ; short delay loop</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; Move immediate data byte to register.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000213: 6A 12 MVI B,$12</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; Decrement register and skip next instruction if borrow.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000215: 52 DCR B</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000216: FE JR $0215</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">/*</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">if ((adc_regs[0] == 0x80) || have CY interrupt) {</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> PF = 0x40;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">} else {</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> PF = 0xC0;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">}</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">*/</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; CR0 ADC result?</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; conversion result register</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; unclear why comparing with 0x80</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000217: 4C E0 MOV A,CR0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; Skip next instruction if immediate data byte equal to register</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000219: 77 80 EQI A,$80</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; Skip next instruction if no interrupt flag is set.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000021B: 48 1A SKN CY</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000021D: C4 JR $0222</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; neither condition</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">0000021E: 64 05 C0 MVI PF,$C0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000221: C3 JR $0225</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">; ADC or have interrupt</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">00000222: 64 05 40 MVI PF,$40</span><br />
<br />
So while in theory (and in MAME) the "read out EPROM" area brute force trojan worked by exploiting this internal test mode of the UPD78C11, on real hardware it absolutely did not, leaving us with little to go on.<br />
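As an added sanity check on the listing above (this is example code, not part of the original post or the boot ROM), the script below recomputes the three JR targets and emulates the DCR B countdown loop at $0213-$0216. The JR encoding it uses, a signed 6-bit displacement in the low bits of opcode $C0-$FF relative to the following byte, is an assumption inferred from the three JR instructions in the listing rather than taken from a datasheet.

```python
# Added example, not from the original post: cross-check the uPD78C11 boot ROM
# listing. JR encoding (assumption inferred from the listing): opcode 0xC0-0xFF,
# low 6 bits are a signed displacement relative to the byte after the opcode.

def jr_target(addr: int, opcode: int) -> int:
    """Return the absolute target of a one-byte JR located at `addr`."""
    if not 0xC0 <= opcode <= 0xFF:
        raise ValueError(f"not a JR opcode: {opcode:#04x}")
    disp = opcode & 0x3F          # 6-bit displacement field
    if disp >= 0x20:              # sign-extend (0x20..0x3F -> -32..-1)
        disp -= 0x40
    return addr + 1 + disp        # relative to the next instruction


def emulate_dcr_loop(initial_b: int) -> tuple[int, int]:
    """Emulate `MVI B,n / DCR B / JR back` as listed at $0213-$0216.

    DCR B skips the following instruction when the decrement borrows
    (0x00 -> 0xFF), so the backward JR is skipped once B has wrapped.
    Returns (number of DCR executions, final value of B).
    """
    b = initial_b & 0xFF
    decrements = 0
    while True:
        borrow = (b == 0)
        b = (b - 1) & 0xFF
        decrements += 1
        if borrow:                # skip JR $0215: fall out of the loop
            return decrements, b
        # otherwise JR $0215 runs and we decrement again


# (address, opcode, listed target) copied from the disassembly above.
LISTED_JRS = [
    (0x0216, 0xFE, 0x0215),
    (0x021D, 0xC4, 0x0222),
    (0x0221, 0xC3, 0x0225),
]


def check_listing() -> bool:
    """True if every JR target in the listing matches the decoder."""
    return all(jr_target(a, op) == t for a, op, t in LISTED_JRS)


if __name__ == "__main__":
    print("JR targets match listing:", check_listing())
    print("DCR loop (decrements, final B):", emulate_dcr_loop(0x12))
```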
<h2>
Brute force</h2>
We also considered a few other things, such as glitching, or relatively small package modifications such as taking control of a few bus lines.<br />
<br />
One option is to directly read out the EPROM by rebonding it. Although this is a lot of work, it is relatively straightforward and will work if done correctly. Also getting a single full ROM extracted may ease boot ROM analysis by seeing how the game uses it. Finally getting a single game completed would be very valuable in the interest of progress.<br />
<br />
We first came up with a plan for how to cut it out of the package:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-mIIJKJZYDVI/Wd-OSzQZIsI/AAAAAAAAAX4/FgI3ZxMDUWYKa1CjLvOiwDb6zpAI1jqgwCLcBGAs/s1600/c-chip_eprom_mill2.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="734" data-original-width="1600" height="146" src="https://2.bp.blogspot.com/-mIIJKJZYDVI/Wd-OSzQZIsI/AAAAAAAAAX4/FgI3ZxMDUWYKa1CjLvOiwDb6zpAI1jqgwCLcBGAs/s320/c-chip_eprom_mill2.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Then planned out a PCB to hold it:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-nd_s_3h2shs/Wd-PKDaJkjI/AAAAAAAAAYA/hg5_Ud5tEpwSr4vCWHSQRV0GAbvmR8jEQCLcBGAs/s1600/c-chip_pcb.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="830" data-original-width="418" height="320" src="https://2.bp.blogspot.com/-nd_s_3h2shs/Wd-PKDaJkjI/AAAAAAAAAYA/hg5_Ud5tEpwSr4vCWHSQRV0GAbvmR8jEQCLcBGAs/s320/c-chip_pcb.jpg" width="161" /></a></div>
<br />
And modeled them together (scaled images) to make sure everything would reasonably fit together:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-NnQtH-n05Js/Wd-PYLyLoJI/AAAAAAAAAYE/By_mqdejy4YfCib2AAXx-gBXlNROYLEAgCLcBGAs/s1600/c-chip_pcb_both.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1432" data-original-width="721" height="320" src="https://3.bp.blogspot.com/-NnQtH-n05Js/Wd-PYLyLoJI/AAAAAAAAAYE/By_mqdejy4YfCib2AAXx-gBXlNROYLEAgCLcBGAs/s320/c-chip_pcb_both.jpg" width="161" /></a></div>
<br />
Note the actual board is cut out in the center and the chip rests on a carrier PCB below (shown later). This allows the bond wires to drop down straight onto the chip. Otherwise, if attached from the same plane, they would need to be formed to avoid hitting the edge of the die.<br />
<br />
First, pins were removed from the package and it was backthinned to reveal the PCB:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-Il_0sa7lKCI/Wd-cor53CsI/AAAAAAAAAYY/1XDd9ETUl-QV0YAVJbk4_r4lZ2C0khPYACLcBGAs/s1600/IMG_20170218_153945.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="470" data-original-width="1600" height="94" src="https://3.bp.blogspot.com/-Il_0sa7lKCI/Wd-cor53CsI/AAAAAAAAAYY/1XDd9ETUl-QV0YAVJbk4_r4lZ2C0khPYACLcBGAs/s320/IMG_20170218_153945.jpg" width="320" /></a></div>
<br />
Backthinning is required to keep a low profile on the lower mezzanine.<br />
<br />
Anyway, cut to size, using the PCB traces / vias as a guide:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-lrVtT3d5ANo/Wd-dPPuIeUI/AAAAAAAAAYg/dxV-kaza7U8tUCtNVPK4fiVnIQifAN98QCLcBGAs/s1600/repack2_r.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="696" data-original-width="1455" height="153" src="https://3.bp.blogspot.com/-lrVtT3d5ANo/Wd-dPPuIeUI/AAAAAAAAAYg/dxV-kaza7U8tUCtNVPK4fiVnIQifAN98QCLcBGAs/s320/repack2_r.jpg" width="320" /></a></div>
<br />
And then epoxied onto the bottom mezzanine:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-gTHRepO9RS8/Wd-cJ-CN8QI/AAAAAAAAAYU/zPy8PvivLuIihD5dRjNKITPMW2t8TfWswCLcBGAs/s1600/repack1_r.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="515" data-original-width="995" height="165" src="https://4.bp.blogspot.com/-gTHRepO9RS8/Wd-cJ-CN8QI/AAAAAAAAAYU/zPy8PvivLuIihD5dRjNKITPMW2t8TfWswCLcBGAs/s320/repack1_r.jpg" width="320" /></a></div>
<br />
And then stacked into the full assembly:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-gIruyB9-rlk/Wd-CL6ZZLWI/AAAAAAAAAW4/6pI79ivULtIIBRCKni4yFRaibM_Y7j_8wCLcBGAs/s1600/repack_r.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="684" data-original-width="1188" height="184" src="https://4.bp.blogspot.com/-gIruyB9-rlk/Wd-CL6ZZLWI/AAAAAAAAAW4/6pI79ivULtIIBRCKni4yFRaibM_Y7j_8wCLcBGAs/s320/repack_r.jpg" width="320" /></a></div>
<br />
This was then bonded <a href="http://caps0ff.blogspot.com/2016/12/taking-down-45-tatakae-big-fighter.html">as done in previous posts</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-MhxqLdV8Ewo/Wd-CQ-TvVnI/AAAAAAAAAW8/2lRESC1iFs86dgOSnpO_DxSxp7S_rrdhACLcBGAs/s1600/repack_die.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1581" data-original-width="1600" height="316" src="https://2.bp.blogspot.com/-MhxqLdV8Ewo/Wd-CQ-TvVnI/AAAAAAAAAW8/2lRESC1iFs86dgOSnpO_DxSxp7S_rrdhACLcBGAs/s320/repack_die.jpg" width="320" /></a></div>
<br />
Finally, this was dropped into an EPROM reader. Unfortunately, the connections are flaky and we were only able to get half of the ROM (one address line not connected). The discolored connections above are from re-dissolving some of them with nitric acid to attempt rebonding flaky connections.<br />
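A partial read-out like this one (only half the ROM, one address line not connected) leaves a characteristic signature in the dump: if address line k never reaches the die, every byte at address a is identical to the byte at a with bit k flipped. The script below, an added example rather than anything from the post or the EPROM reader, flags such lines in a dump; the sample ROM content is constructed, and the "open line" read-out is simulated by forcing that address bit low.

```python
# Added example, not from the original post: find address lines under which an
# EPROM dump is invariant, the symptom of a disconnected or stuck address line.
import random


def stuck_address_lines(dump: bytes) -> list[int]:
    """Return the address bits k for which dump[a] == dump[a ^ (1 << k)] everywhere.

    A reported bit means the line is disconnected/stuck OR the content genuinely
    does not depend on it (blank regions, a mirrored image), so treat the result
    as a lead to confirm on the hardware rather than as proof.
    """
    size = len(dump)
    if size == 0 or size & (size - 1):
        raise ValueError("dump length must be a non-zero power of two")
    address_bits = size.bit_length() - 1
    stuck = []
    for k in range(address_bits):
        mask = 1 << k
        # Compare each pair once: addresses with bit k clear vs. the same with it set.
        if all(dump[a] == dump[a | mask] for a in range(size) if not a & mask):
            stuck.append(k)
    return stuck


def simulate_open_line(rom: bytes, bit: int) -> bytes:
    """Constructed read-out of `rom` with address line `bit` floating low."""
    return bytes(rom[a & ~(1 << bit)] for a in range(len(rom)))


def sample_rom(size: int = 4096, seed: int = 1) -> bytes:
    """Constructed pseudo-random ROM content (deterministic for the given seed)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(size))


if __name__ == "__main__":
    good = sample_rom()
    print("clean dump:", stuck_address_lines(good))                       # []
    print("A11 open:", stuck_address_lines(simulate_open_line(good, 11)))  # [11]
    # Caveat: a genuinely mirrored image flags its upper lines too.
    print("mirrored 256B image:", stuck_address_lines(bytes(range(256)) * 16))
```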
<h2>
Next steps</h2>
We are looking into a few options to proceed such as better understanding the ASIC. For
example, there is at least one pin we don't understand well that could
be required to activate the test mode. We may also re-capture the boot ROM to ensure we are analyzing the right code.<br />
<br />
However, we are likely going to get access to a bonding machine in the near future. This will hopefully make rebonding the EPROM die relatively straightforward. Stay tuned for more info!<br />
<br />
Enjoy this post? Please support us on <a href="https://www.patreon.com/user?u=4805718">Patreon</a>! Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.CAPS0ffhttp://www.blogger.com/profile/01614107641236756516noreply@blogger.com3tag:blogger.com,1999:blog-5831808578326311132.post-4672468113482422172017-08-21T16:20:00.000-07:002017-08-21T16:22:20.299-07:00HD647180 Ghox/Whoopee bonus roundIn <a href="http://caps0ff.blogspot.com/2016/12/hd647180-19-58-102-terrific-toaplan.html">an earlier post</a> we looked at processing firmware from HD647180 chips in the original decap lot. However, there are several related MCUs that were not included: Ghox and Whoopee:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-TkpA-pfrpGU/WYzRKKf2Z_I/AAAAAAAAAWI/yf4vYAuMRBYj0yEKSrmFciboh0-2eM1IQCLcBGAs/s1600/IMG_20170723_221751.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="664" data-original-width="1600" height="132" src="https://3.bp.blogspot.com/-TkpA-pfrpGU/WYzRKKf2Z_I/AAAAAAAAAWI/yf4vYAuMRBYj0yEKSrmFciboh0-2eM1IQCLcBGAs/s320/IMG_20170723_221751.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Although we aren't generally accepting new chips, these were evaluated on a case-by-case basis to be both easy to process and of moderate interest.<br />
<br />
Like previous chips, we milled a cavity for acid:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-RPv-npQ0Yjs/WY0OSGUb61I/AAAAAAAAAWc/zYVzGPwgHFANplt6XTJMgf9fldfkP7cBACLcBGAs/s1600/IMG_20170729_183911.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="708" data-original-width="1132" height="200" src="https://3.bp.blogspot.com/-RPv-npQ0Yjs/WY0OSGUb61I/AAAAAAAAAWc/zYVzGPwgHFANplt6XTJMgf9fldfkP7cBACLcBGAs/s320/IMG_20170729_183911.jpg" width="320" /></a></div>
<br />
Then decapped and masked them:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-mRaGaJH6wLE/WY0OYe37sPI/AAAAAAAAAWg/KH0rfg_q7YASB5DTYCOELqBhOXmsOX_rgCLcBGAs/s1600/IMG_20170806_165734.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1109" data-original-width="1600" height="221" src="https://3.bp.blogspot.com/-mRaGaJH6wLE/WY0OYe37sPI/AAAAAAAAAWg/KH0rfg_q7YASB5DTYCOELqBhOXmsOX_rgCLcBGAs/s320/IMG_20170806_165734.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-C4EU54KnIVA/WY0OYX1lnfI/AAAAAAAAAWk/QaXB1KKxEWMEqdA7A2DbWBVtuKX7nJDrQCLcBGAs/s1600/IMG_20170806_165816.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1124" data-original-width="1600" height="224" src="https://4.bp.blogspot.com/-C4EU54KnIVA/WY0OYX1lnfI/AAAAAAAAAWk/QaXB1KKxEWMEqdA7A2DbWBVtuKX7nJDrQCLcBGAs/s320/IMG_20170806_165816.jpg" width="320" /></a></div>
<br />
This was followed by soldering them to adapter boards and exposing them to UV light.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-3XbejGg4ib0/WYzROBij9xI/AAAAAAAAAWQ/5yTebxl6xAg5JP2UCN6I3Ec0i1heXznUwCEwYBhgL/s1600/IMG_20170806_165630.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1402" data-original-width="1600" height="280" src="https://3.bp.blogspot.com/-3XbejGg4ib0/WYzROBij9xI/AAAAAAAAAWQ/5yTebxl6xAg5JP2UCN6I3Ec0i1heXznUwCEwYBhgL/s320/IMG_20170806_165630.jpg" width="320" /></a></div>
<br />
<br />
Finally, they were inserted into an EPROM reader, which successfully extracted the data.<br />
<br />
Enjoy this post? Please support us on <a href="https://www.patreon.com/user?u=4805718">Patreon</a>! Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.<br />
<br />CAPS0ffhttp://www.blogger.com/profile/01614107641236756516noreply@blogger.com0tag:blogger.com,1999:blog-5831808578326311132.post-60892634961260407572017-07-24T12:13:00.000-07:002017-07-24T12:13:57.370-07:00Gotta capture 'em all!<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-Bp7W-3Q6jlI/WXZGfvhd2HI/AAAAAAAAAVU/4CnBnpDa2KQ4mOWJKhV-5sfopx-i4kPMACLcBGAs/s1600/xpol.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="592" data-original-width="685" height="172" src="https://3.bp.blogspot.com/-Bp7W-3Q6jlI/WXZGfvhd2HI/AAAAAAAAAVU/4CnBnpDa2KQ4mOWJKhV-5sfopx-i4kPMACLcBGAs/s200/xpol.jpg" width="200" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
The <a href="http://caps0ff.blogspot.com/2017/02/fujitsu-mb86233-tgp-dsp.html">TGP ROM die images</a> are going through extended processing <a href="http://www.mameworld.info/ubbthreads/showflat.php?Number=368149">as detailed here</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-P2rellDyfPE/WXZGJtuMvxI/AAAAAAAAAVQ/-d-ut6weKL4mRrklhqzNggUu7gUD8PS4QCLcBGAs/s1600/instructions_03.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="195" data-original-width="212" src="https://3.bp.blogspot.com/-P2rellDyfPE/WXZGJtuMvxI/AAAAAAAAAVQ/-d-ut6weKL4mRrklhqzNggUu7gUD8PS4QCLcBGAs/s1600/instructions_03.png" /></a></div>
<br />
If you get some time swing on by and <a href="http://cs.sipr0n.org/">capture some bits</a>!<br />
<br />
Other: while there is a suggestion box, the source code is also <a href="https://github.com/andrew-gardner/django-monkeys">available on GitHub</a> if you want to directly make a pull request.CAPS0ffhttp://www.blogger.com/profile/01614107641236756516noreply@blogger.com3tag:blogger.com,1999:blog-5831808578326311132.post-69921456520713592192017-05-02T14:43:00.001-07:002018-03-25T13:32:39.541-07:00Decap #145: Croupier (PIC16C74)The Croupier IC markings have been removed:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-XG65ZxopEKY/WP6K-fDRNUI/AAAAAAAAAUA/5jPnk9p1aKgS0wI6KSbrNVIQ-uoh0B3qgCLcB/s1600/pack_top.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="102" src="https://4.bp.blogspot.com/-XG65ZxopEKY/WP6K-fDRNUI/AAAAAAAAAUA/5jPnk9p1aKgS0wI6KSbrNVIQ-uoh0B3qgCLcB/s320/pack_top.jpg" width="320" /></a></div>
<br />
Unlike some other obfuscated/remarked chips we did not have identification leads from the arcade community. So we decapped it to gather more information:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-EpWmepzwXPc/WP6FTQ10gaI/AAAAAAAAATY/SrBieAsj90YX8PhQa03-mczPKaekvAAGQCLcB/s1600/IMG_20161227_171048.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://1.bp.blogspot.com/-EpWmepzwXPc/WP6FTQ10gaI/AAAAAAAAATY/SrBieAsj90YX8PhQa03-mczPKaekvAAGQCLcB/s320/IMG_20161227_171048.jpg" width="285" /></a></div>
<br />
Clearly made by Microchip:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-jBCBySPuHng/WP6GxQi-5mI/AAAAAAAAATk/wA5VNbezRwYmjRvfrvCj93NU-E6ROT-pQCLcB/s1600/145_1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://2.bp.blogspot.com/-jBCBySPuHng/WP6GxQi-5mI/AAAAAAAAATk/wA5VNbezRwYmjRvfrvCj93NU-E6ROT-pQCLcB/s320/145_1.jpg" width="240" /></a></div>
<br />
Cross referencing 97074 with <a href="http://cocatalog.loc.gov/cgi-bin/Pwebrecon.cgi?v1=1&ti=1,1&SAB1=97074&BOOL1=all%20of%20these&FLD1=Keyword%20Anywhere%20%28GKEY%29%20%28GKEY%29&GRP1=OR%20with%20next%20set&SAB2=&BOOL2=as%20a%20phrase&FLD2=Keyword%20Anywhere%20%28GKEY%29%20%28GKEY%29&CNT=25&PID=SqVia0uOTMXm-NUouj-7yhhtkisAQ&SEQ=20161231111005&SID=8">public copyright records</a> yields "97074 PIC16C74 CMOS PIC." Great!<br />
<br />
Next, we acquired samples to practice on. One of them was decapped with pure WFNA which, unlike the real chip, badly corroded the leadframe but was easily fixed with silver epoxy:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-iYLbo9bJhuM/WP6JwizD1NI/AAAAAAAAAT0/RwiSST6O2nwpxSiOjFKmaMFGg0lob9c9ACLcB/s1600/IMG_20170418_214900.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://3.bp.blogspot.com/-iYLbo9bJhuM/WP6JwizD1NI/AAAAAAAAAT0/RwiSST6O2nwpxSiOjFKmaMFGg0lob9c9ACLcB/s320/IMG_20170418_214900.jpg" width="268" /></a></div>
<br />
Note that the bond pads were not damaged, only the leadframe. Anyway, the second sample used a WFNA/H2SO4 mix and so didn't suffer from this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-ySCdmC3rybM/WP6NScusapI/AAAAAAAAAUM/w4y7owJYwAAc6IpgMZhtHf_-sC0qS3q-QCLcB/s1600/IMG_20170411_000418.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" src="https://2.bp.blogspot.com/-ySCdmC3rybM/WP6NScusapI/AAAAAAAAAUM/w4y7owJYwAAc6IpgMZhtHf_-sC0qS3q-QCLcB/s320/IMG_20170411_000418.jpg" width="320" /></a></div>
<br />
We attempted to program and UV erase the PIC with a mask:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-yJz_KsYnR7I/WP6PMkZNvrI/AAAAAAAAAUk/eTyP2c5k5ywkw7VBJlmkjesmZgg_cQJ1ACLcB/s1600/IMG_20170418_220741.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://2.bp.blogspot.com/-yJz_KsYnR7I/WP6PMkZNvrI/AAAAAAAAAUk/eTyP2c5k5ywkw7VBJlmkjesmZgg_cQJ1ACLcB/s320/IMG_20170418_220741.jpg" width="319" /></a></div>
<br />
but were unable to clear the security fuse. Oh no!<br />
<br />
Fortunately, <a href="https://www.bunniestudios.com/blog/?page_id=40">we are not the first person</a> to encounter this and so tried to erase at an angle:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/--UA_lUoBrEA/WP6OWxvXWLI/AAAAAAAAAUY/jeZbjs-PJ7w4UAStxwCvARAWj4MbemzmwCLcB/s1600/IMG_20170418_234641.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://3.bp.blogspot.com/--UA_lUoBrEA/WP6OWxvXWLI/AAAAAAAAAUY/jeZbjs-PJ7w4UAStxwCvARAWj4MbemzmwCLcB/s320/IMG_20170418_234641.jpg" width="276" /></a></div>
<br />
This had mixed results, but trying sharp angles (sharper than above) and long exposure times generally worked. We played a little with different sides of the chip. In all tests the main EPROM was untouched.<br />
<br />
<br />
Not perfect, but should be good enough for the real chip. Masking:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-uvn9yXuaIRA/WP6P3CMMuKI/AAAAAAAAAUs/BpPugDpFXG4HmogWuGYm2k7LIkfHMAIYQCLcB/s1600/IMG_20170422_223234.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="309" src="https://2.bp.blogspot.com/-uvn9yXuaIRA/WP6P3CMMuKI/AAAAAAAAAUs/BpPugDpFXG4HmogWuGYm2k7LIkfHMAIYQCLcB/s320/IMG_20170422_223234.jpg" width="320" /></a></div>
<br />
And tried a few angles until the security fuse got cleared. Yippee!<br />
<br />
Enjoy this post? Please support us on <a href="https://www.patreon.com/user?u=4805718">Patreon</a>! Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.<br />
<br />CAPS0ffhttp://www.blogger.com/profile/01614107641236756516noreply@blogger.com0