Cartridge keys and emulation

[troed]

I've come into the possession of a Steinberg Avalon original package. After having dumped the disks, I realised they wouldn't run in Hatari since I had no way of plugging in the cartridge.

This thread is about solving that problem. The target is to be able to mount a cloned key to emulator cartridge space, to be able to run original disk dumps under emulation.

avalon.JPG

top.JPG

bottom.JPG

MMI_PAL_16R6.jpg

My assumption is that we're dealing with an MMI PAL16R8 - and the connections are as follows:

Code: Select all

Top side:
UDS          1 (CLK on R8, I0 on L8)
ROM3       11 (OE on R8, I9 on L8)
A5             9 (I8)
A6             8 (I7)
A7             7 (I6)
A8             6 (I5)
D8             16 (O5)
D10           17 (O6)
D12           18 (O7)
D14           19 (O8 on R8/L8, could have been I on R6/R4)
+5V           20 (VCC)
Bottom side:
GND          10 (GND)
A1              2 (I1)
A2              3 (I2)
A3              4 (I3)
A4              5 (I4)
D9              12 (O1)
D11            13 (O2)
D13            14 (O3)
D15            15 (O4)

tl;dr: OE on accessing FA bank, clocked by upper bus byte access, takes address low byte (watch the nibble bit order) as input and outputs byte at high byte (D9-D15).

1) Brute force
2) Decap and restore security fuse
3) Glitch-hack using under-voltage and clock-skew when trying to read out the contents

I know which method I will begin with. What would you?

/Troed

[exxos]

I would say just put a logic analyser on it, and look for what patterns are going in, and coming out... Such a small chip it cannot really be doing much..

[czietz]

Having reverse-engineered (and subsequently bug-fixed) the PAL in an Atari SH204 host adapter, obviously I would start with "brute force", too. If it was a combinatorial PAL, the equations could be extracted by applying all possible inputs and minimizing the resulting outputs using something like Espresso (https://en.wikipedia.org/wiki/Espresso_ ... _minimizer).

However, I agree with you, @troed, that this will be registered PAL, which complicates matters significantly. (The SH204 PAL is also registered.) You can use the fact that a PAL16R8 has no hidden registers. Whenever /OE is active, you can observe all register contents at the respective output pins.

[troed]

Exactly - brute force it is.

When I started, I was sure this cartridge would be similar to Cubase cartridges, this being another Steinberg product. However, I'm less sure now. From what I can see, a simple assembler program on the ST with the cartridge inserted will result in a nice 256 byte table (which might need to be mirrored over the whole address space). If it was that easy to clone Cubase keys, surely that would've been done - and even sw hacks just redirecting cart memory space reads etc.

In any case, since there is no internal memory in this chip I can't see how it would be harder than to run through 2^8 inputs and record the (always the same) outputs. Let's see tomorrow.

edit: 256*number of clocks/reads

/Troed

[adam]

In any case, since there is no internal memory in this chip I can't see how it would be harder than to run through 2^8 inputs and record the (always the same) outputs.

There is a memory in this chip. Not using gal in registered mode to implement hardware key would be interesting idea. If that's the case you're lucky:)

[troed]

There is a memory in this chip. Not using gal in registered mode to implement hardware key would be interesting idea. If that's the case you're lucky:)

Not sure I follow. The only inputs to your logic are the 8 input pins and the 8 output pins. All of them are visible/known.

http://www.applelogic.org/files/PAL16R8.pdf

/Troed

[beel1]

I made a few posts about my findings on a Synthworks dongle in AF a few years ago.
Unfortunately AF is down for now so here is an archive.org link: https://web.archive.org/web/20190309135 ... &start=100

I started by putting a breakpoint in Hatari on ROM port addresses to find the routine I described

[exxos]

I would assume cubase has a serial number which would match the same number in the gal ? Then it would output some sequence to say yes or no back to cubase. Though the gal probably couldn't process many bits anyway.

[czietz]

Not sure I follow. The only inputs to your logic are the 8 input pins and the 8 output pins. All of them are visible/known.

Yes, the outputs are visible (fortunately). But you cannot directly control them. To reverse-engineer the logic equations by minimization you need to exercise all input terms. Since -- as you mention -- the output pins are possible input terms into the equations as well, you first have to figure out a way to set/reset the outputs.

It's helpful to hook a logic analyzer to the chip while using the dongle as a starting point for reverse-engineering.

If I had to implement a dongle with a PAL, I'd probably go with an LFSR, which can produce quite long sequences of pseudo-random numbers. Using the input data as seed.

[terriblefire]

Not sure I follow. The only inputs to your logic are the 8 input pins and the 8 output pins. All of them are visible/known.

http://www.applelogic.org/files/PAL16R8.pdf

/Troed

Its not quite this simple. A PAL can keep state based on previous inputs clocked into D type flip flops internally. Maybe it doesnt do this, maybe it does but it has that capability.