Thursday, February 25, 2021

February laser glitching w/ P87C52EBPN and more

In this post we give some brief status updates on recently completed and in progress projects. The main focus is using a laser to glitch security circuitry on several 8051 based MCUs from vintage arcade cabinets. Preserving this firmware allows people to better understand these games as well as fix broken cabinets.

Recently we preserved the firmware from a few MCS51 chips via laser glitching. First, Cookie & Bibi 2 is a tile matching puzzle game from Taito. It's based on Puzzle Bobble which is in turn based on Bubble Bobble.

In particular we are taking a look at preserving the firmware of the P87C52EBPN at lower left:

We've processed a few P87C52EBPN before and were surprised to find several very distinct chips all marked "P87C52EBPN." It's unclear if these were remarked or we just didn't understand Philips' package marking scheme. In any case, here is the new die:

Above: new die (Cookie & Bibi 2 P87C52EBPN as XSC6407A)

Which is close to one we already saw:

Above: previous P87C52EBPN as XSC6644A

Note the lighting is different on these two die shots (metallurgical vs. inspection microscope), but the overall layout is very similar. Still, this is unfortunate because we didn't have any sample chips to test an attack against. However:

  1. We've been able to develop attacks against similar chips fairly reliably
  2. A replacement chip (board) would be about $60

Given this, we decided to try to develop the attack on the actual target without practicing first. We found the structure used in the previous article and found that shining a laser on it gave a stable readout! We probed around a little more, though, and got a second binary that was also stable. There should only be one correct binary coming out. So how did we get two distinct binaries?

Often we run binaries through checker scripts that look for common errors like stuck address or data lines. When we ran these two binaries through they flagged some issues:

  • Binary 1 has bits 7 and 8 stuck high
  • Binary 2 has bit 8 stuck high

So actually neither is correct, but might be close. We then integrated the binary checker into the fuzzing script to get quicker feedback. After a bit more searching we locked onto a location that passed all checks and also saw some strings:

Now with all bits toggling and strings visible we have a plausible dump! One early concern was a relatively unusual reset vector, but analysis shows it's fine.
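The kind of checks the binary checker above performs, as an added example (this is not the authors' script): data bits that never toggle, address lines whose two halves read identical (a stuck or open address line mirrors the dump), and an 8051 reset vector that is actually a jump. Bit numbering is 0..7 with 0 = LSB, and the sample dumps are constructed.

```python
# Added example (not the authors' checker script): sanity checks for a
# candidate ROM dump like the ones run on the laser-glitched binaries above.
# Bit numbering here is 0..7 with 0 = LSB; the sample dumps are constructed.

def stuck_data_bits(dump: bytes):
    """Return (bits never low, bits never high) across the whole dump."""
    or_all, and_all = 0, 0xFF
    for b in dump:
        or_all |= b
        and_all &= b
    high = [i for i in range(8) if and_all & (1 << i)]
    low = [i for i in range(8) if not or_all & (1 << i)]
    return high, low

def stuck_address_lines(dump: bytes):
    """Address bits k whose two halves are identical: dump[a] == dump[a ^ (1<<k)]
    for every a. A stuck or open address line produces exactly this mirroring
    (a uniform dump trips it too, which is itself a sign of a bad read)."""
    n, stuck, k = len(dump), [], 0
    while (1 << k) < n:
        mask = 1 << k
        if all(dump[a] == dump[a ^ mask] for a in range(n) if a ^ mask < n):
            stuck.append(k)
        k += 1
    return stuck

def reset_vector_ok(dump: bytes):
    """8051 code at 0x0000 is almost always a jump to the real entry point:
    LJMP (0x02), SJMP (0x80) or AJMP (opcode low 5 bits == 00001)."""
    if len(dump) < 3:
        return False
    op = dump[0]
    return op in (0x02, 0x80) or (op & 0x1F) == 0x01

def check_dump(dump: bytes):
    high, low = stuck_data_bits(dump)
    return {"stuck_high": high, "stuck_low": low,
            "stuck_addr": stuck_address_lines(dump),
            "reset_vector_ok": reset_vector_ok(dump)}

# Constructed 256-byte dumps: a plausible one (LJMP 0030h, then varied data),
# one with data bit 7 stuck high, and one with address bit 4 stuck low.
GOOD = bytes([0x02, 0x00, 0x30]) + bytes((i * 37 + 11) & 0xFF for i in range(253))
BIT7_HIGH = bytes(b | 0x80 for b in GOOD)
ADDR4_LOW = bytes(GOOD[a & ~0x10] for a in range(256))

if __name__ == "__main__":
    for name, d in (("good", GOOD), ("bit7", BIT7_HIGH), ("addr4", ADDR4_LOW)):
        print(name, check_dump(d))
```

A real dump is simply read with `open(path, "rb").read()` and passed to `check_dump`; the stuck-bit report is what lets the fuzzing loop reject a stable but wrong readout early.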

We also did a small project with S87C751 from World Beach Volley:

Above: "MAIN" board w/ chip. Handles sound

Above: "LINK" board (chip was at right). Handles extended multiplayer

One chip is marked "MAIN" and the other is marked "LINK." The smaller link board adds two additional players allowing up to four people to play at once.

After a bit of poking around we found a glitch as seen above. The layout seems to loosely resemble what we saw on P87C52EBPN and is probably the same basic glitch on both chips.

Currently we are looking at a few programmable logic chips such as PAL16R8A2NC. This chip can be extracted a number of ways including electrically testing all input combinations, imaging burned fuses, or microprobing. We have several of these methods under evaluation and it will hopefully be the subject of our next post. Finally, this project has pushed back some more conventional mask ROM captures that are queued such as Apple ADB PICs.

Enjoy this post? Please support us on Patreon or follow us on Twitter.

Note: with the Indiegogo campaign over we unfortunately don't currently have a way to accept one time donations.