Saturday, January 28, 2017

decapping is a Fun World #2

a new day, a new post.

short summary of the last days:
two days ago, we did not know what type the 3 die's and the plcc28 chip, inside the "security device", are.
today we know it!
thx to the help of f205v and Sean Riddle we now know the following.

The PLCC28 chip is a CY7C291A (a prom replacement)
DIE#1 is a TI74F245A
DIE#2 is the CPU, a 65sc02
DIE#3 is a 7400

with that informations i'm good hope that we understand the decoding of the program-roms.

the bit-area of the 65sc02, of which i posted a picture in the last post, is the decode rom. so basically shouldn't be needed for emulation stuff.

Sean Riddle made this:
1001101101100110101010
0101100101100110101010
1001101001101010101010
1001100101101010101010
1001011001101010101010
1001010101101010101010
1101010111101111100101
1101010101101010010110
0101011001101010101010
0101010101101010101010
0101101001101010101010
0101100101101010101010
0110101010100110101001
1110010111101111101001
1110010101101010011010
0110011011101111101001
1010101110100110011010
0110011110101011101010
0110011110101101101010
0110011001101010011010
1010101111011101010110
0110100110101111101010
0110100111101101101010
0110111010100110101010
1101010111011111100101
1111111111111111111111
1110111111011101010110
1010101011011101100110
1001101010011010101010
1001100010100110101010
1101010101011010010110
1101111111101111100101
1001011010101010100110
1001010111100101100110
1010101010011010100110
0101100110101010111010
1001010110010110101010
1010010111100101100110
0101100111101101110110
0101100110101010110110
1101111111101111010110
1001011111101101010110
1001011110100110010110
1001011110000110011010
0110100110101111011010
1010111110100110011010
0110100111101101011010
0110010110100110101010
0110100101100110011010
0110011010100110011010
1101111101101010101001
1101111101101010011010
1110111110011010101001
1101111110011010101001
1101111101101010101010
0101101010101010101010
1001011010011010101010
1001100110010110101010
1001100111101101100110
0101011101100110101010
1001101010101010100110
1101111011101111111111
1010100111100101101010
0110101010011010101010
1110111101011010101010
1001011101100110101010
1010111111101111101001
1010111101101010011010
0110100111101111101001
0110101001100110101010
0110100101101010011010
1010101101100110011010
0110101010100110011010
1101010101010110011010
1001101010101101100110
0110101001100101110110
1111111111111111111111
1010011101011000111010
1001010110101001101010
1010101010101011100110
1001101001101101100110
1010101010011010101010
1001100110011010101010
1101111101100110101001
1101111111100101111011
1001010111010101101010
1010010110101010100110
1010011010101010100110
1110111111101111111011
0101101001010101101010
1110111101101010010110
1110111110101010100101
1101111110101010011010
1101101111100110011010
0101011110100110011010
1101111101100110101010
1001101010101010101010
1010100110011010101010
0101111110100110101010
1010100110101010100110
0101101010100110100101
1101100101101010010110
1001010110101011100110
1010100111101001101010
0110101001010101101010
1101111111101010010110
0101011111101111100110
1001011011101001100110
0101010111101111100101
0101101010100110101010
1001111101100101011010
0101111101101001101010
1001100101101001101010
1001011101101001101010
1110101001011001101001
0110101001100111100101
0101101010010110101010
1001010111101111100101
0110101001011101111011
1001100101101010010110
0110101010010101101001
1001010111101111100101
1001010101101010010110
1111111111111111111111
1001100110100110011010
1101101001100101011010
1010011111010101111011
1110111111011010111011
1001100110101101010110
1101011000101010010110
0101011001101111100101
1001101111100110011010
0101011101100101011010
1001011010100101101010
1001010110100101101010
0101010101101010010110
1001010110100110011010
0101011111101111100101
1001101001110110011010
0101011110100110101010
1001111111011111110111
0101111111011111110111
0101100111101111100101
0101101010011010101010
1001101111101111100101
1001101011101101010110
1001110111101101010110
1001101110100110011010
1001110110100110101010
1111111111111111111111
1101010111101111110111
1101111101011010101000
1101010101100110011010
1001011110101010101010
1101011001100110011010
1001011010100110101010
0101011010101111100110
1110011101010010101001
0110101001011001101010
0110101010010101101010
0101111010100110101010
0101101011100110101010
0101100110100110101010
0101100101100101011010
1001011001100110011010
1001101010101101100110
1101111101100110101001
0101010101010110011010
0101010110101111100110
1001101001101010010110
1001011111101101010110
1001011110100110011010
0110101001011001011010
0101010110100110101010
0101111011100110011010
1111111111111111111111
1001010101100101101010
1101111101101001101010
1101101010101001011010
1001111101101001011010
1101111101101001101001
1101111110101010101001
1001011001101010010110
1001011011101111000101
0110101010010101011010
1001101011101111100101
0101111101010101101010
1101111101010101011010
0101100110100110011010
1101111100010111101001
1111111111111111111111
1101111101011010111001
0101100101010101011010
0101011101011111101001
0101011101010101111001
1001111101010101011010
0101100101011111101001
1001111101011111101001
1101100101010101111010
1010010111010101101010
1110111101011010101010
1001010101010110011010
1001100110101010100110
1110011001010110011010
0110101001100110011010
1101011011101101010110
1001111111101101010110
0101010111101101010110
0101100101100101101010
1001010110011010101010
1010111010010110101010
1010110110010110101010
1110010101010110011010
1010011110011010101010
1101011101101001011010
1001100110101010101010
0110101001100111110111
0110101011101010100101
0110101001101010010110
0101111101100101101010
1001100101100101101010
1101111101100101011010
1101111101100101101001
0101101110101001101001
0101101010101001111010
1110111101011010011010
0101100101100110011010
1010011010010101101010
0101101101101001011010
0101101010101001101010
0110101010011010101010
0110111111010101111011
1110111111011001111011
0110101010010101111011
1001101011101001101010
1101111110101001101001
1101111110101001111010
1101101101011010101001
1110100101100101100110
0110111101100111110101
1110111101100101010110
1110111101101111100101
1010011111010101011010
1010011111010101101001
1010101111010101111011
1110011101011001101001
1110011101011001011010
1010101101011001111011
0110011110010101111011
0110100110010101111011
1110110101011001111011


and sent me a binary file of it: DOWNLOAD

Friday, January 27, 2017

decapping is a Fun World


i got a poker board, made by Fun World in the early 90's.



Roberto Fresca and i know this kind of boards already, as i dumped at least 2 of these boards in the last years. The big problem is, they are using a protection device (yellow chip on the board) and the program-code is decrypted.

if you remove the cover of this chip you get this (i broke two edges (3 pins) while removing the cover)

inside we have a (so far) unknown plcc28 chip and 3 DIE's...


Let's start with the DIE's from LEFT to RIGHT:

1.
a F245 from TI 1986...a octal latch


2. 
can you see/identify the markings on the right top corner?

it's easier with a better microscope...had to order a better one. 
it's a U65 from GTE

3.
Need a better pic of the markings, but it's from SIGNETICS...

EDIT: better pics of the markings:

 does somebody know what this is?

Sean Riddle emailed me the following:
 I think the 3rd die is a 74-series logic chip.  You can see that there are 4 sections, each associated with 3 leads, plus power and ground.  My guess is that it's address decoding for the PROM.
On the complete pic, you can see that the 2 sections on the right have the inputs grounded and the outputs aren't bonded.  The top left section has 2 inputs coming from a middle layer, and the output is going to the 2 inputs of the bottom left section.  The bottom left section's output goes to the PROM.
In your detail pic, it looks like there's text 00A, which might indicate 7400.  Tying the inputs of the bottom left section together would make an inverter, meaning that the 2 inputs are being ANDed.
30mins later i got a second mail:

I'm pretty sure it's a 7400.  It's got to be NAND or NOR because they are tying those inputs together to make an inverter, but the 7402 NOR has output on pin 1 and inputs on 2 and 3, so an unused NOR gate would have pin 1 not bonded and pins 2 and 3 grounded, which is not what we're seeing.
Pin  7 is the big pad at bottom center; the pins are numbered counterclockwise, so pin 1 is just right of top center.  And the output is going to die 1, not the PROM.

It looks like die 1 is a TI 74F245A octal bus transceiver with tristate outputs.  The output of the 7400 goes to pin 1, which is direction.  Pins 10 and 20 are the giant pads on the top metal power layer; 10 on the right and 20 on the left.

and 30mins later:
Pin 1 is just *left( of top center and is an input along with pin 2, coming from a lower layer of the PCB.  Pins 3, 4 and 5 are connected together, and pin 6 goes to the 74F245, pin 19, /OE.

another 30mins later:
I'm just confirming that things look correct; power and ground traces at first, then signals.  It looks good so far; pin 30 of the 6502 is D3, and that's connected to pin 16 of the PROM, which is O3.  That also goes to the 74F245 pin 15, so it can be gated out to one of the pins on the PCB. 

 



4. and last the unknown PLCC28 chip (markings scratched off)
i/we think it could be a CY7C291A or CY7C168A, i need more time to try dumping it.

EDIT: I'm now 99% sure that it's a CY7C291A (thx to f205v, who gave this hint)
I already wired an adapter and dumped it.



As i bought a new microscope, i did highres pictures of the bit-area from the U65 chip (DIE #2) and stiched it together.
currently i don't know if it's a rom or ram area, but at least it's now documented and the 0's and 1's can be read by hand...

the goal is to understand the decryption of these poker boards. and i really hope it will be possible to dump the plcc28 chip.



if you want to support my work, the best way is to donate some money over paypal to crazy2001@cooltoad.com
all donated money will get used to buy new games or dumping equipment, like the new/better microscope.