Monday, December 23, 2019

Dump December: 8051 and lasers

First, we've we've created a Twitter account to help announce blog posts! As always, Patreon supporters get early access, but we'll tweet once they become public.


Anyway, in a previous post we mentioned a new shipment. We've been working it over and have a bunch of updates!



First, there were a few NES 2.0 Mapper 355 PIC16C54 from Block Force (C059) and 3D Block (C060). One of these has been obfuscated by sanding.



These are similar to other PIC16C5X we've done and were dumped using a UV mask roughly around the EPROM.



Next we targeted SemiCom Hatch Catch's Intel 87C52 (246) because we had dumped an Intel 87C51 and it seemed likely we'd be able to extend the attack. However, decapping yielded a surprise:





It's not an 87C52! After a little digging, it's become apparent that Intel 87C52 isn't a real part. Rather, it's a marketing name for the smallest member of the 87C51FX series marketed to people familiar with 8751/8752 differences.

In any case, this wasn't so bad as we heard there was a laser glitch attack against Intel 87C51FA. The basic idea is to randomly flip transistors with a laser until you find one that happens to unlock the chip. After a little prodding (100 mW green, 45 degree angle)...



...we found an area that unlocked the firmware! This resulted in a good dump for SemiCom Hatch Catch without any encryption applied (see for details on 8751 encryption).


Next we checked if we could extend the attack to the Philips 87C52 parts which are in various SemiCom games (ex: CHOKY!CHOKY!, 247). However we once again we encountered shenanigans with chip markings. Here are two chips that are both "P87C52EBPN":




Which are clearly different! Comparing logos:



So a similar scheme as Intel, but even within what should be the same model (P87C52EBPN) we are finding multiple dies. Without being familiar with Philips part numbering it's hard to say exactly why this is, but it's plausible some of these were remarked.

In any case, we explored a UV attack against 87C52 / XSC6644A as used in CHOKY!CHOKY!:


This is a very tight mask very close to data:


But it gets worse. It appears activating security involves row specific security fuses spread throughout the entire configuration section. So to fully unlock the chip you need to erase many fuses across the entire config column! With this in mind, we decided to use something with a naturally straight edge instead of making a tight nail polish mask along the entire column:


And above shows the actual mask used to dump CHOKY!CHOKY!



Next we looked at Philips 87C51RA+ which is used on several games such as SemiCom Dream World (248) and SemiCom Date Quiz GoGo (255). While we might be able to extend the masking attack on Philips 87C52, it was very touchy. With some experience with the Intel 87C51FA laser glitch, we wondered if Philips 87C51RA+ has a similar vulnerability?


And it does! This gave us what looked like encrypted binaries for both of these games. However, upon closer inspection Date Quiz wasn't encrypted, it just had an unusual structure. First, while most MCS51 binaries have a vector jump table at the beginning. Date Quiz immediately begins main() code. Second, most of the ROM is a large random binary. However, between these two it has a 00 filled section, the low entropy which indicates a trivial encryption key. Second, Dream World had a non-trivial key, but was FF filled at the end, which made the key trivial to extract.

Next, we wondered what else might be vulnerable to laser glitching? We tried Atmel AT89C51 and...


Much to our surprise we also found a glitch! We heard this part was likely going to require microprobing which, although not out of the question, was going to make it much harder.


This allowed dumping Quizard 2, German, TAB DN 122 D3 (C054) and Quizard 4, Czech, TS142 CZ1 (C057).

However, C057 has this near the end:

00000910  00 0a 14 02 00 0a 1e 03  00 0a 32 04 00 0f 1e 02  |..........2.....|
00000920  00 ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000930  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000a00  ff ff ff ff ff ff ff ff  ff ff fa ff ff ff ff ff  |................|
00000a10  ff ff fa ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000a20  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000a40  fa ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000a50  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000a80  ff ff ff ff ff ff ff ff  ff ff fa ff ff ff ff ff  |................|
00000a90  ff ff ff ff ff ff ff ff  fa ff ff ff ff ff ff ff  |................|
00000aa0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000ac0  ff ff ff ff ff ff ff ff  ff ff fb ff ff ff ff ff  |................|
00000ad0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|

We often seem ROMs end in fill patterns like FF, but they should be solid without bit flips. So why do we think this is correct?

Let's dive a little deeper into our laser glitching approach. First, we program a sample with a known pattern and secure it. Next, we create a script that repeatedly reads the chip, saves the current read, and also displays the current read. While this is running, we sweep a laser around the die, focusing near EPROM, until valid looking data shows up. We then tweak the laser until we get a stable readout. In the case of C057, we held the laser stable and observed 40+ consecutive dumps with the same pattern. While we can't for sure rule out bit flips, this at least gives reasonable confidence the binary is correct. Finally, we also do quick disassembly of dumps to verify assembly looks mostly reasonable.


We also hoped to work on 8752BH, but had issues getting our samples programmed. We suspect they are faulty and have new samples on order. 

So between PIC16C54, Intel 87C51FA (87C52), Philips 87C52 (P87C52EBPN), Philips 87C51RA+ (P87C52EBPN), and Atmel AT89C51 dumps this month, we so far have been 8 dumps in December!


Now for some less good news. We developed a technique to dump EPM5032DC which is used on some Sega System 24 games. Unfortunately we had some issues while decapping Quiz Mekuromeku Story (249) and Quiz Rouka Ni Tattenasai (250). Specifically 249 appears to have been scratched (above), and 250 is under evaluation. We are determining what can be salvaged and, having resolved the decap issue, are looking for replacements if available.


Finally, stay tuned for ROM staining adventures! Part of the Furby ROM can be seen above. On that note, we've seen there are a few good resources on the Furby, scanned source code and a small effort to transcribe it. However, nobody has followed up to convert it into a full .asm for assembling, which would be very interesting to compare to our upcoming capture. We also need to figure out what info and tools are out there on the SPC81A architecture to compile the .asm and disassemble our binary.

Enjoy this post? Please support us on Patreon or follow us on TwitterNote: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.

4 comments:

  1. The hot air balloon with the Zia symbol is actually kind of interesting. The Phillips facility here in Albuquerque, NM USA closed years ago but I guess they were putting our local icons on their chip dies. Who knew?

    ReplyDelete
  2. I'd love to see a video of what you folks go through to get the chips de-capped and dumped. I have read about the subject, but have never seen the process. Many thanks for your work from the whole MAME/Arcade Community :)

    ReplyDelete
  3. Look great how decap this, is a nice work

    i wish soon decapping the cps1 bootlegs pics

    And merry xmas for al staff!

    ReplyDelete