The 8087 chip provided fast floating point arithmetic for the original IBM PC and became part of the x86 architecture used today. One unusual feature of the 8087 is it contained a multi-level ROM (Read-Only Memory) that stored two bits per transistor, twice as dense as a normal ROM. Instead of storing binary data, each cell in the 8087’s ROM stored one of four different values, which were then decoded into two bits. Because the 8087 required a large ROM for microcode1 and the chip was pushing the limits of how many transistors could fit on a chip, Intel used this special technique to make the ROM fit. In this article, I explain how Intel implemented this multi-level ROM.
I’m glad to announce the successful reverse engineering of Sega’s System 16 cpu security modules. This development will enable collectors worldwide preserving hardware unmodified, and stop the general discarding of Hitachi FD modules.
The project is right now involving external testers so expect further details and full disclosure over the coming weeks.
For many years, finding how and where did Capcom hid away its security implementation has been a pending critical task for the arcade community. CPS2 systems running out of battery were rendered useless forcing collectors worldwide to perform board conversions or let go of their favorite games.
The 76477 Complex Sound Generation chip (1978) provided sound effects for Space Invaders1 and many other video games. It was also a popular hobbyist chip, easy to experiment with and available at Radio Shack. I reverse-engineered the chip from die photos and found some interesting digital circuitry inside. Perhaps the most interesting is a shift register based white noise generator, useful for drums, gunshots, explosions and other similar sound effects. The chip also uses a digital mixer to combine the chip’s different sound generators. An unusual feature of the chip is that it uses Integrated Injection Logic (I2L), a type of digital logic developed in the 1970s with the goal of high-density, high-speed chips. (I wrote about the chip’s analog circuitry last year in this article.)
Here’s an informative part 2 of the Capcom CPS2 reverse engineering series by Eduardo Cruz:
Capcom’s Play System 2, also known as CPS2, was a new arcade platform introduced in 1993 and a firm call on bootlegging. Featuring similar but improved specs to its predecessor CPS1, the system introduced a new security architecture that gave Capcom for the first time a piracy-free platform. A fact that remained true for its main commercial lifespan and that even prevented projects like Mame from gaining proper emulation of the system for years.
Intel’s first product was not a processor, but a memory chip: the 31011 RAM chip, released in April 1969. This chip held just 64 bits of data (equivalent to 8 letters or 16 digits) and had the steep price tag of $99.50.2 The chip’s capacity was way too small to replace core memory, the dominant storage technology at the time, which stored bits in tiny magnetized ferrite cores. However, the 3101 performed at high speed due to its special Schottky transistors, making it useful in minicomputers where CPU registers required fast storage. The overthrow of core memory would require a different technology—MOS DRAM chips—and the 3101 remained in use in the 1980s.3
This article looks inside the 3101 chip and explains how it works. I received two 3101 chips from Evan Wasserman and used a microscope to take photos of the tiny silicon die inside.4 Around the outside of the die, sixteen black bond wires connect pads on the die to the chip’s external pins. The die itself consists of silicon circuitry connected by a metal layer on top, which appears golden in the photo. The thick metal lines through the middle of the chip power the chip.
Ken Shirriff has written an article on reverse engineering the 76477 “Space Invaders” sound effect chip:
Remember the old video game Space Invaders? Some of its sound effects were provided by a chip called the 76477 Complex Sound Generation chip. While the sound effects1 produced by this 1978 chip seem primitive today, it was used in many video games, pinball games. But what’s inside this chip and how does it work internally? By reverse-engineering the chip from die photos, we can find out. (Photos courtesy of Sean Riddle.) In this article, I explain how the analog circuits of this chip works and show how the hundreds of transistors on the silicon die form the circuits of this complex chip.
The 74181 ALU (arithmetic/logic unit) chip powered many of the minicomputers of the 1970s: it provided fast 4-bit arithmetic and logic functions, and could be combined to handle larger words, making it a key part of many CPUs. But if you look at the chip more closely, there are a few mysteries. It implements addition, subtraction, and the Boolean functions you’d expect, but why does it provide several bizarre functions such as “A plus (A and not B)”? And if you look at the circuit diagram (below), why does it look like a random pile of gates rather than being built from standard full adder circuits. In this article, I explain that the 74181’s set of functions isn’t arbitrary but has a logical explanation. And I show how the 74181 implements carry lookahead for high speed, resulting in its complex gate structure.
The revolutionary Intel 8008 microprocessor is 45 years old today (March 13, 2017), so I figured it’s time for a blog post on reverse-engineering its internal circuits. One of the interesting things about old computers is how they implemented things in unexpected ways, and the 8008 is no exception. Compared to modern architectures, one unusual feature of the 8008 is it had an on-chip stack for subroutine calls, rather than storing the stack in RAM. And instead of using normal binary counters for the stack, the 8008 saved a few gates by using shift-register counters that generated pseudo-random values. In this article, I reverse-engineer these circuits from die photos and explain how they work.
Johan Kanflo’s OpenDPS project, a free firmware replacement for the DPS5005:
This write up of the OpenDPS project is divided into three parts. Part one (this one) covers reverse engineering the stock firmware and could be of interest for those looking at reverse engineering STM32 devices in general. Part two covers the design of OpenDPS, the name given to the open DPS5005 firmware. Part three covers the upgrade process of stock DPS:es and connecting these to the world. If you only want to upgrade your DPS you may skip directly to part three.