Friday, 7 April 2017

Epoxy Block, a good Protection in the 80's, not so good today!

Brian sent me two epoxy blocks from two Dodge City boards. Merit covered the CPU, a PAL and a 2816 EEPROM inside an epoxy block. Mainly for protection reasons!
I have already seen this kind of protection quite a lot of times on different gambling PCBs. Video Klein for example used this on basically every board they made.

The Merit games have some code inside the 2816 EEPROM, so a dump of it is needed to get the games running! MAME already includes three different revisions of Dodge City, but all are missing the 2816 dump, so none of them is playable!

remove the epoxy to get to the chips, now!


heatgun, flat screwdriver and the 2 epoxy blocks


one Epoxy Block

Use the heatgun to heat the epoxy to about 330° and you can break it away with your screwdriver. This was done within 10 minutes.

removed epoxy pieces

Some minutes later, the 2816 and the PAL are desoldered and can now get dumped.

Same procedure on the second epoxy block. As I now knew where the interesting chips are located, I only removed the epoxy in this area.


So it was possible to break this protection for two games within 60 minutes. The good thing: it looks like these two blocks are from different revisions of Dodge City, so hopefully two revisions can now become playable!













Saturday, 1 April 2017

decapping is a Fun World #4

I got a donated FunWorld PCB yesterday. The board is basically in bad shape, but at least I got good reads from all EPROMs!
As the board is not working correctly, I looked through the dumps to hopefully get at least the game title...which I didn't find inside. But I found something much more interesting inside one EPROM!



After reading this I used some tools to scan the binary file for images and sounds.
I got this 15kb image as a result:


After some research, I found information about a guy called Hans Scherz, who worked for more than 15 years at FunWorld, but sadly no actual information about him and how to contact him...


EDIT: 02.04.2017
1st APRIL is over....most of you already knew it...this was a joke! There never was an EPROM with this text inside, and the photo is a picture from the net, a little bit photoshopped!
Btw. great job KITSUNE SNIPER for finding the original picture!!

Sunday, 19 March 2017

decapping is a Fun World #3

Over the years, I got a lot of machines, consoles and arcade boards which had the CPU or decryption part hidden under epoxy, and that sometimes made it hard to get the game/program emulated correctly.

So I sent a package with some of those hidden dies to Sean, who is really an expert at removing the epoxy and who also has great equipment for taking high-res pictures of those dies to identify them.

So what new information did we get with his help:

FRUIT STAR (Funworld)


This board has a hidden CPU with decryption devices inside a 40-pin epoxy block (like many other Fun World boards, read more about it below)...while we at least were pretty sure the CPU is a Z80, we did not know what other parts were inside the block.

LSI Logic Corp gate array (68 pins)

24-pin chip from "WaferScale", marked CNW50

40-pin Zilog chip with a '75 copyright - pretty sure a Z80




Genius BrainStation 5505X (2001) (Germany)

Some of the VTech Learning Laptops already work partially in MAME, but some do not, mostly because they used some unknown CPU types, hidden under epoxy.



CPU (JV27005A) - Hopefully this information brings us one step closer...


Genius Leader 6600CX (1999) (Germany)

I already took a closer look at this CPU about 2 years ago, but with my cheap USB microscope I only got "NSC" as information from it.


National Semiconductor NSC1028B
In a press release from 1999 you can read the following: National Semiconductor designed the Geode NSC1028 processor specifically for VTech's new email appliances. The system-on-a-chip integrates a powerful 16-bit RISC processor, keyboard and printer ports, LCD display controller and speech synthesis circuitry into a single piece of silicon. This custom integrated processor represents the first step in a partnership between VTech and National to bring attractively priced, easy-to-use information appliances to the consumer market.


Reader Laptop E (2004) (Germany)

Another laptop from VTech! This was the first VTech laptop I dumped, about 5 years ago...I always thought the dump was added to MESS/MAME...but it looks like it wasn't. At least I did not find anything about it inside the current MAME version.


Elan EU3A12

Plug & Play Spongebob

Sometimes you have a system where you are not sure how to dump it! For me these are the Plug & Play TV systems, which have everything hidden under epoxy...even the ROM data. That's why I destroyed one system and sent the ROM epoxy to Sean to identify it!



"Winbond 2003 05 AA5853". It's a 42-pin chip.

Mega Card 3 (Funworld)

I also sent the dies from the Mega MC3 board (which I already showed in this blog some posts below) to Sean, as he has the better equipment for photographing the dies.


F245 (TI 1986) [octal latch]

7400

65SC02
With these new/better pictures, he could also clear up some mistakes with the previous decoder ROM!



All of the die shots above can be downloaded here in FULL HIGH RESOLUTION!





SEGA PICO

We got two new Pico cartridges dumped! Previously we did not know that Sega also made Swedish games for the PICO, but we know now!

MK-49021-24 - Ett Ar Med Nalle Puh (Sweden)


MK-49037-24 - Lejonkungen Äventyr (Sweden)
 

Sunday, 5 February 2017

PICO and MCU confirmation

Got a nice package from Italy last week!

Thanks to f205v, who donated a package of Italian Pico stuff to me. So we got a new, previously undumped PICO game!

Ecco Jr. E La Grande Caccia Al Tesoro Nell'Oceano! (Italy)



Quizard MCUs:
If you look at this post you can read about my progress dumping the locked MCU for Quizard 4. About one day later I decapped the MCU for a Quizard 1, but was not 100% sure the dump is GOOD.
So I ordered a couple of new D8751H MCUs to try the dumps on the real hardware.

I can now confirm, both dumps are GOOD and working perfectly on the real system!



Saturday, 28 January 2017

decapping is a Fun World #2

A new day, a new post.

Short summary of the last days:
Two days ago, we did not know what type the 3 dies and the PLCC28 chip inside the "security device" are.
Today we know it!
Thx to the help of f205v and Sean Riddle we now know the following.

The PLCC28 chip is a CY7C291A (a prom replacement)
DIE#1 is a TI74F245A
DIE#2 is the CPU, a 65sc02
DIE#3 is a 7400

With that information I have good hope that we will understand the decoding of the program ROMs.

The bit area of the 65sc02, of which I posted a picture in the last post, is the decode ROM, so basically it shouldn't be needed for emulation stuff.

Sean Riddle made this:


and sent me a binary file of it: DOWNLOAD

Friday, 27 January 2017

decapping is a Fun World


I got a poker board, made by Fun World in the early 90's.



Roberto Fresca and I know this kind of board already, as I dumped at least 2 of these boards in the last years. The big problem is, they are using a protection device (yellow chip on the board) and the program code is encrypted.

If you remove the cover of this chip you get this (I broke two edges (3 pins) while removing the cover):

Inside we have a (so far) unknown PLCC28 chip and 3 dies...


Let's start with the dies from LEFT to RIGHT:

1.
An F245 from TI 1986...an octal latch


2.
Can you see/identify the markings in the top right corner?

It's easier with a better microscope...had to order a better one.
It's a U65 from GTE

3.
Need a better pic of the markings, but it's from SIGNETICS...

EDIT: better pics of the markings:

Does somebody know what this is?

Sean Riddle emailed me the following:
I think the 3rd die is a 74-series logic chip.  You can see that there are 4 sections, each associated with 3 leads, plus power and ground.  My guess is that it's address decoding for the PROM.
On the complete pic, you can see that the 2 sections on the right have the inputs grounded and the outputs aren't bonded.  The top left section has 2 inputs coming from a middle layer, and the output is going to the 2 inputs of the bottom left section.  The bottom left section's output goes to the PROM.
In your detail pic, it looks like there's text 00A, which might indicate 7400.  Tying the inputs of the bottom left section together would make an inverter, meaning that the 2 inputs are being ANDed.

30 mins later I got a second mail:

I'm pretty sure it's a 7400.  It's got to be NAND or NOR because they are tying those inputs together to make an inverter, but the 7402 NOR has output on pin 1 and inputs on 2 and 3, so an unused NOR gate would have pin 1 not bonded and pins 2 and 3 grounded, which is not what we're seeing.
Pin  7 is the big pad at bottom center; the pins are numbered counterclockwise, so pin 1 is just right of top center.  And the output is going to die 1, not the PROM.

It looks like die 1 is a TI 74F245A octal bus transceiver with tristate outputs.  The output of the 7400 goes to pin 1, which is direction.  Pins 10 and 20 are the giant pads on the top metal power layer; 10 on the right and 20 on the left.

And 30 mins later:
Pin 1 is just *left* of top center and is an input along with pin 2, coming from a lower layer of the PCB.  Pins 3, 4 and 5 are connected together, and pin 6 goes to the 74F245, pin 19, /OE.

Another 30 mins later:
I'm just confirming that things look correct; power and ground traces at first, then signals.  It looks good so far; pin 30 of the 6502 is D3, and that's connected to pin 16 of the PROM, which is O3.  That also goes to the 74F245 pin 15, so it can be gated out to one of the pins on the PCB.




4. And last, the unknown PLCC28 chip (markings scratched off)
I/we think it could be a CY7C291A or CY7C168A, I need more time to try dumping it.

EDIT: I'm now 99% sure that it's a CY7C291A (thx to f205v, who gave this hint)
I already wired an adapter and dumped it.



As I bought a new microscope, I took high-res pictures of the bit area of the U65 chip (DIE #2) and stitched them together.
Currently I don't know if it's a ROM or RAM area, but at least it's now documented and the 0's and 1's can be read by hand...

The goal is to understand the decryption of these poker boards, and I really hope it will be possible to dump the PLCC28 chip.



If you want to support my work, the best way is to donate some money over PayPal to crazy2001@cooltoad.com
All donated money will get used to buy new games or dumping equipment, like the new/better microscope.

Tuesday, 27 December 2016

MCU decapping



A basically very interesting arcade system is Quizard from TAB Austria. This CD-I based quiz system uses a standard CD-I player and an external Jamma PCB which is connected to the CD-I player over the serial port on the back of the player.
The Jamma PCB has an MCU (D8751H) on it as copy protection, and when the game starts, the CD-I player communicates over the serial port with the MCU.

There are 4 different CD versions for the Quizard (1, 2, 3 and 4) and a couple of different revisions for each version. For example version 1 got 8 different revisions (1.0 to 1.7).
To play a version you need the matching MCU for it! So to play any revision of version 1 you need an MCU for version 1. The same goes for version 2, 3 and 4. So you can not play a version 1 CD with the MCU from version 4...



As it's an Austrian system, and I'm Austrian too, I very soon got interested in finding some CDs for it and getting it included in MAME. Thx to the help of harmony, it was also possible to play some of the games very shortly after! (http://harmoniouscode.blogspot.co.at/2010/10/quizard-22-patch-free.html)



harmony got versions 1 and 2 fully working by hacking/patching the copy protection, without a dump of the MCU! Versions 3 and 4 are bootable, but crash after you press START.
So we thought that the copy protections of versions 3 and 4 are more complex and the game needs some other values from the MCU to get it fully working...



Fast forward 6 years....CAPS0ff (Blog here) is doing fantastic work with decapping MCUs and other stuff! And I look at their blog nearly daily to see if new magic happened!
But I was also fascinated by the work they have done with the D8751 MCUs, and how it was possible to de-secure the lock bit!
I got so fascinated that I had to try it myself, as I have a couple of D8751's for version 4 here. So basically no big deal if one gets broken.

I used the following equipment:
- Galep5 Programmer (500eur)
- cheap digital Microscope (200x zoom) (25eur)
- Heat-Gun (30eur)
- cheap China Eprom UV-Eraser (15eur)

So basically cheap equipment...besides the programmer, but you can easily find cheaper ones which can also dump D8751's.

Here's the MCU, before I started:


So I heated the top of the chip at about 330° for about 20 seconds, and used a flat screwdriver to remove the top of the chip:

Before I could erase the lock bit, I had to cover the EPROM part with something. I did not have professional UV opaque material (like CAPS0ff), so I used electrical tape which I cut to the correct size. Thx to the blog of CAPS0ff I basically knew where the lock bit is located...

So the chip was now ready for the UV eraser! 15 minutes later I tried dumping it and voila, I got consistent reads! --> and yes, the chip was locked before, only giving FF's when reading...
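
The two outcomes mentioned above (a locked part that only returns FF's, and consistent reads afterwards) can be checked by script before a dump is trusted. This is an added example, not code from the original post; the function names and the constructed sample image are assumptions, and 4096 bytes is the size of the 8751H's on-chip EPROM.

```python
import hashlib
from collections import Counter

EPROM_SIZE = 4096  # on-chip EPROM of the 8751H is 4 KB


def classify_reads(reads, size=EPROM_SIZE):
    """Classify repeated programmer reads of one chip.

    Returns (status, detail):
      "bad-size"     a read is not `size` bytes; detail = list of lengths
      "locked"       every read is all 0xFF (locked or blank part)
      "inconsistent" reads differ; detail = list of differing offsets
      "consistent"   all reads identical; detail = SHA-1 of the dump
    """
    if not reads or any(len(r) != size for r in reads):
        return "bad-size", [len(r) for r in reads]
    if all(r == b"\xff" * size for r in reads):
        return "locked", None
    bad = [i for i in range(size) if len({r[i] for r in reads}) > 1]
    if bad:
        return "inconsistent", bad
    return "consistent", hashlib.sha1(reads[0]).hexdigest()


def flipped_bits(before, after):
    """Count bit changes between two reads as (zero_to_one, one_to_zero).

    EPROM cells erase towards 1, so 0->1 flips suggest UV light reached
    the array (cover not opaque enough); 1->0 flips point to read noise.
    """
    to1 = to0 = 0
    for a, b in zip(before, after):
        to1 += bin(~a & b & 0xFF).count("1")
        to0 += bin(a & ~b & 0xFF).count("1")
    return to1, to0


def majority_vote(reads):
    """Per-byte majority over an odd number of equal-length reads."""
    return bytes(Counter(col).most_common(1)[0][0] for col in zip(*reads))


def sample_image():
    """Constructed stand-in for a dump: a jump at reset plus a byte pattern."""
    img = bytearray(b"\xff" * EPROM_SIZE)
    img[0:3] = b"\x02\x00\x30"  # LJMP 0x0030
    img[0x30:0x130] = bytes((i * 7) & 0xFF for i in range(0x100))
    return bytes(img)


if __name__ == "__main__":
    good = sample_image()
    noisy = bytearray(good)
    noisy[0x40] ^= 0x01  # constructed marginal cell: one bit reads differently
    print(classify_reads([b"\xff" * EPROM_SIZE] * 3))
    print(classify_reads([good, bytes(noisy), good]))
    print(flipped_bits(good, bytes(noisy)))
    print(classify_reads([good, good, good]))
```
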

Let's hope this will get the games running in MAME! We will see soon!
For sure it's a good thing to have a dump of it, so basically now everyone can burn their own MCU for version 4!

This was a fun challenge and it proves that it's possible to do decaps with cheap materials and equipment! But please don't try this with EXPENSIVE and RARE games\chips!!! There's just too much risk of destroying them! Leave them to professionals like the guys from CAPS0ff....

Thx again to CAPS0ff, who basically inspired me to do this!