Beginning with Bus Pirate “Ultra” prototype v1d, all analog measurements are handled by the FPGA using an external serial Analog to Digital Converter chip. This lets us pipeline ADC measurements into the command queue so that bus interactions can be done with very precise timing.
We’ll be using Texas Instruments’ series of tiny ADCs with a max speed of 1MSPS: the ADS7041 (10bit) and ADS7042 (12bit). For the prototype we went with the 12bit version, but availability and final BOM price will dictate what goes into the final design.
The ADC uses a dead simple three wire interface that resembles SPI without a Master Out Slave In connection. CS falls, the first two clock ticks are 0, then the next 12 bits are the analog voltage measurement. We stripped down a copy of our Verilog SPI peripheral to drive the chip, the current source is here.
There are two methods of calibrating the ADC. Offset calibration can be done immediately after power up by sending 16 clock ticks, however it’s risky to depend on the ADC being in the reset state. Calibration can also be done at any time by sending 32 clock ticks, which is the method we used.
This is a very basic test that retrieves the raw ADC value from the FPGA while measuring the programmable output power supply voltage.
In the final revision, absolutely every aspect of the Bus Pirate hardware front end will be controlled from the FPGA:
IO pins (added in v1a)
Logic analyzer and SRAMs (added in v1a)
Analog voltage measurement (added in v1d)
Pull-up resistors (added in v1d)
Programmable output power supply (to be completed in v1e)
It’s possible we might use a 3.0volt reference for the analog section on the next revision. Currently we can measure 0-6.6volts with a divide-by-two resistor divider and a 3.3volt referent. A 3.0volt reference gives a 0-6volt measurement range, which increases the resolution over our target range of 0-5ish volts and might mean we can use a cheaper, lower resolution ADC. The Digital to Analog Converter used in the power supply has almost no noise rejection, so a dedicated reference voltage would help ensure clean DAC output as well.
This is a small board that plugs into one of the headers on an Arduino Uno or other board to provide 4Mbytes of non-volatile storage
It works with either 5V or 3.3V boards, and is based on the low-cost 4Mbyte Winbond W25Q32FVSIG DataFlash chip. It is ideal for applications such as data logging, playing audio samples, and storing text.
I also describe a simple DataFlash library to interface to the board.
The MMI 5300 was a memory chip from the early 1970s, storing 1024 bits in tiny fuses.1 Unlike regular RAM chips, this was a PROM (Programmable Read-Only Memory); you programmed it once by blowing fuses and then it held that data permanently.
Sjaak writes, “It has been a while before I posted something useful. On my search for obscure chips, I came around another interesting Chinese chip (which I don’t reveal yet). The chip was advertised as a cheap drop-in replacement for a American IC so I suspected it would be a clone. I wanted to look inside the chip to check if that is true.”
An excellent in-depth look at theTL084 op amp by Ken Shirriff:
Some integrated circuits have very interesting dies under a microscope, like the chip below with designs that look kind of like butterflies. These patterns are special JFET input transistors that improved the chip’s performance. This chip is a Texas Instruments TL084 quad op amp and the symmetry of the four op amps is visible in the photo. (You can also see four big irregular rectangular regions; these are capacitors to stabilize the op amps.) In this article, I describe these components and the other circuitry in the chip and explain how it works. This article also includes an interactive chip explorer that shows each schematic component on the die and explains what it does.
The 76477 Complex Sound Generation chip (1978) provided sound effects for Space Invaders1 and many other video games. It was also a popular hobbyist chip, easy to experiment with and available at Radio Shack. I reverse-engineered the chip from die photos and found some interesting digital circuitry inside. Perhaps the most interesting is a shift register based white noise generator, useful for drums, gunshots, explosions and other similar sound effects. The chip also uses a digital mixer to combine the chip’s different sound generators. An unusual feature of the chip is that it uses Integrated Injection Logic (I2L), a type of digital logic developed in the 1970s with the goal of high-density, high-speed chips. (I wrote about the chip’s analog circuitry last year in this article.)
In a previous post we described some early attempts to analyze the Taito C-Chip. See Haze’s forum post for some background on the C-Chip itself.
In particular we’re interested in the EPROM. Previous efforts focused on less invasive techniques with the goal of keeping the C-Chip alive after dumping. Unfortunately, we’ve been unable to successfully send an unlock command and efforts to rebond the EPROM die have been difficult with the equipment we have on hand.
With this in mind, we took a break to regroup. If we remove the ASIC we can solder to PCB traces shared with the EPROM. Traces are documented in our wiring diagram
Sjaak wrote about a Chinese ARM chip compared to a ST ARM chip:
Most of us do know the ST line of ARM chips called STM32. They come in multiple flavours and the STM32F103 is one of the most common entry level family of chips. They are called by ST as mainstream. They are a full featured 32 bit ARM Cortex M3 chip running at max. 72MHz with all the requisite peripherals like ADC, DAC, USB, CAN, I2C, I2S, SPI, SDIO, PWM, RTC, interrupts and various timers. Lets zoom into the STM32F103C8 chip (which seems the be the go-to choice of the Chinese el-cheapo development breakout boards)
Here’s an informative part 2 of the Capcom CPS2 reverse engineering series by Eduardo Cruz:
Capcom’s Play System 2, also known as CPS2, was a new arcade platform introduced in 1993 and a firm call on bootlegging. Featuring similar but improved specs to its predecessor CPS1, the system introduced a new security architecture that gave Capcom for the first time a piracy-free platform. A fact that remained true for its main commercial lifespan and that even prevented projects like Mame from gaining proper emulation of the system for years.
Ken Shirriff writes, “A die photo of a vintage 64-bit TTL RAM chip came up on Twitter recently, but the more I examined the photo the more puzzled I became. The chip didn’t look at all like a RAM chip or even a TTL chip, and in fact appeared partially analog. By studying the chip’s circuitry closely, I discovered that this RAM chip was counterfeit and had an entirely different die inside. In this article, I explain how I analyzed the die photos and figured out what it really was.”