Saturday, March 10, 2018

Taito C-Chip: data by lobotomy


In a previous post we described some early attempts to analyze the Taito C-Chip. See Haze's forum post for some background on the C-Chip itself.

In particular we're interested in the EPROM. Previous efforts focused on less invasive techniques with the goal of keeping the C-Chip alive after dumping. Unfortunately, we've been unable to successfully send an unlock command and efforts to rebond the EPROM die have been difficult with the equipment we have on hand.

With this in mind, we took a break to regroup. If we remove the ASIC we can solder to PCB traces shared with the EPROM. Traces are documented in our wiring diagram:


Which allows us to make an attack (soldering) plan:



The basic idea is to mill and etch away the purple masked area to expose the PCB. Then, solder wires as indicated by the green dots.

A few issues, but nothing too bad. First, this implies requires removing the ASIC to have enough room to work. As there is not a reliable way to safely remove it (or easily put it back for that matter), this means killing the module. Second, the PCB traces are roughly 6 mil (ie 0.006" => 0.15 mm) width and roughly 12 mil (0.3 mm) pitch. These are non-trivial to solder, although doesn't require as much precision as hand wire bonding (roughly 0.1 mm pads at 0.2 mm pitch). Sort of like soldering a bunch of "0201" size resistors in close proximity.

Lets get started. First, take a c-chip:


Mill it to near PCB:


We went about 2.5 mils down at a time until the ASIC paddle just starts to show. You can see bits of shattered die clinging to the paddle corners.

Then use acid to fully expose PCB:


Next tin areas where we'll make connections:


Now mount to protoboard:


And wire up:


Which successfully dumped the EPROM!

A little hard to measure, but it takes roughly 3 hours per module using this technique. Definitely better at soldering since starting this project.

To date we've dumped Volfied, Superman, and Bonze Adventure (not shown):


Volfied (top) was our first attempt and has the CPU removed due to some early issues getting a dump. We thought the CPU might have been driving some control lines, but it turned out to actually be some solder debris shorting out the power rails. Surprisingly our programmer didn't generate any error messages (over current, continuity, etc).

We have a few more chips in the pipeline that we expect to finish over the next couple of weeks. We're still figuring out which chips, if any, we still need to source to cover all known games.

We've also continued to think about the best ways to keep the module alive. There are still a few options like decapping the area between the dies and using a laser cutter to isolate the EPROM control lines from the ASIC. This is a littler riskier though as we might accidentally sever a bond wire or corrode EPROM pads. For example, if any solder crept to the bond wire it would dissolve the gold, severing the connection.

Finally, what about keeping the PCBs alive after the C-Chip lobotomy? At this point we're thinking the best option is to design a C-Chip compatible module. We know the CPU, have the firmware, and have a reasonable understanding about how the ASIC works. We suspect with a little fiddling one should be able to figure out the remaining details. That said, we'd like to focus on the extracting data rather than repairing PCBs. So this may be left as an exercise to the reader.

Enjoy this post? Please support us on Patreon! Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.







EDIT: Rainbow Islands dumped!

15 comments:

  1. Great! Operation Wolf and Rainbow Island/Ex will finally be emulated correctly after 30+ years!

    ReplyDelete
  2. You guys are amazing I couldn't solder anything that small. Thanks for all the work you do

    ReplyDelete
  3. Super impressed with your skills! May I ask what kind of wire type you used when soldering to the EPROM and where I might buy some ?

    ReplyDelete
    Replies
    1. Found it at a local surplus store, not sure where you can get more. Its marked: RUBADUE WIRE COMPANY, VDE-R, COLOR: ORANGE, AWG: 38, PRT NO: TCA138 AWG. I'm not sure what the insulation is, but I'd guess PVC. Its uncommon to find plastic coated wire at this AWG, but FWIW magnet wire is readily available

      Delete
    2. Thank you for the information CAPS0ff very much appreciated!

      Delete
    3. go to your local electronics parts store and buy a roll of transformer/coil/inductor wire ($5). it's enamel coated and available in many thicknesses, used for re-winding coils etc. I've seen it as small as 0.25mm. To remove the enamel coating put the wire on your workbench and scrape it off with the end of a hot soldering iron (takes about 2 seconds to remove it). For very small work (like tightly-packed PCB traces) I usually use multi-strand copper wire and take a single strand out.... it's 0.15mm wide. Obviously it's not insulated but for patching PCB tracks it doesn't matter.
      Here's an example of my handy-work....
      http://members.iinet.net.au/~lantra9jp1_nbn/gurudumps/wip/tgm4.jpg

      :-D

      Delete
    4. I wondered if any of the caps0ff methods actually involve taking the board to a "clean room" where data recovery of chips happens and procedures are followed to reduce damaging, static and dust.

      Delete
  4. Rubadue Tca Insulation is tefelz (etfe)

    ReplyDelete
    Replies
    1. it's single strand teflon coated wire. they used to use it in the telecommunication industry for wiring the exchanges and street inter-connecting boxes. it's very rare now. closest thing for normal people is Kynar wire, which is 30AWG.

      Delete
  5. A suggestion for you Patreon campaign: the gap between $10 and $100 is pretty steep, especially since it is about monthly payments. You might want to introduce one or two "levels" in between, $20 and $50, say. It is more cumbersome (i.e. less likely) that someone chooses $10 and enters $20 afterwards because he wants to donate more. Whereas people are more like to donate $20 if it is just a click away.

    Just saying...

    ReplyDelete
  6. Fantastic news, finally c-chip games will be correctly emulated. Thanks guys :)

    ReplyDelete
  7. Awesome hack! I admire your soldering skills.

    ReplyDelete
  8. Insane work... thanks for sharing, really cool......

    ReplyDelete
  9. Tatio games are the toughest to emulate rather than imitate? Did the Koreans (the guys who did the copy boards) - resort to decapping custom ICs? You know actually, come to think of it - I do not think that I have ever seen a bootleg Superman.

    ReplyDelete