Sega System 16 security reverse engineering

sega-programmer

Reverse engineering of Sega’s System 16 Hitachi FD1089 cpu security module by Eduardo Cruz:

I’m glad to announce the successful reverse engineering of Sega’s System 16 cpu security modules. This development will enable collectors worldwide preserving hardware unmodified, and stop the general discarding of Hitachi FD modules.
The project is right now involving external testers so expect further details and full disclosure over the coming weeks.

Further details on Arcade Hacker blog.

Check out the video after the break.

A journey into Capcom’s CPS2 silicon – part 3

cps2-battery

Eduardo Cruz published the third and last post in the Capcom CPS2 reverse engineering series we covered previously:

For many years, finding how and where did Capcom hid away its security implementation has been a pending critical task for the arcade community. CPS2 systems running out of battery were rendered useless forcing collectors worldwide to perform board conversions or let go of their favorite games.

See the full post on the Arcade Hacker blog. Be sure to see Part 1 and 2.

Inside the 76477 space invaders sound effect chip: Digital logic implemented with I2L

p-die-blocks

Ken Shirriff has written an excellent in-depth look at the 76477 sound effects chip:

The 76477 Complex Sound Generation chip (1978) provided sound effects for Space Invaders1 and many other video games. It was also a popular hobbyist chip, easy to experiment with and available at Radio Shack. I reverse-engineered the chip from die photos and found some interesting digital circuitry inside. Perhaps the most interesting is a shift register based white noise generator, useful for drums, gunshots, explosions and other similar sound effects. The chip also uses a digital mixer to combine the chip’s different sound generators. An unusual feature of the chip is that it uses Integrated Injection Logic (I2L), a type of digital logic developed in the 1970s with the goal of high-density, high-speed chips. (I wrote about the chip’s analog circuitry last year in this article.)

See the full post on his blog here.

Repairing the card reader for a 1960s mainframe: cams, relays and a clutch

p-1402-card-reader-600

Ken Shirriff writes:

I recently helped repair the card reader for the Computer History Museum’s vintage IBM 1401 mainframe. In the process, I learned a lot about the archaic but interesting electromechanical systems used in the card reader. Most of the card reader is mechanical, with belts, gears, and clutches controlling the movement of cards through the mechanism. The reader has a small amount of logic, but instead of transistorized circuits, the logic is implemented with electromechanical relays.1 Timing signals are generated by spinning electromechanical cams that generate pulses at the proper rotation angles. This post explains how these different pieces work together, and how a subtle timing problem caused the card reader to fail.

See the full post on his blog.

A journey into Capcom’s CPS2 silicon – Part 2

capcom_dl1727

Here’s an informative part 2 of the Capcom CPS2 reverse engineering series by Eduardo Cruz:

Capcom’s Play System 2, also known as CPS2, was a new arcade platform introduced in 1993 and a firm call on bootlegging. Featuring similar but improved specs to its predecessor CPS1, the system introduced a new security architecture that gave Capcom for the first time a piracy-free platform. A fact that remained true for its main commercial lifespan and that even prevented projects like Mame from gaining proper emulation of the system for years.

See the full post on the Arcade Hacker blog. Be sure to see Part 1 here.

Reverse engineering of BK Precision 1696 switching power supply’s LCD protocol

ppreverseengineeringwiring-600

Kerry Wong writes:

As mentioned in my previous post, besides the broken LCD there was also an issue with the power supply portion of the unit and the output voltage was clamped at around 10 to 11V. The digital circuitry portion however seemed to be intact. Unfortunately since an identical LCD is virtually unobtanium, I thought I’d reverse engineer the LCD protocol so once the power supply is fixed I can fix the display by hooking up a different LCD.

See the full post on his blog.

Check out the video after the break.

Examining a vintage RAM chip, I find a counterfeit with an entirely different die inside

picture-die-structures

Ken Shirriff writes, “A die photo of a vintage 64-bit TTL RAM chip came up on Twitter recently, but the more I examined the photo the more puzzled I became. The chip didn’t look at all like a RAM chip or even a TTL chip, and in fact appeared partially analog. By studying the chip’s circuitry closely, I discovered that this RAM chip was counterfeit and had an entirely different die inside. In this article, I explain how I analyzed the die photos and figured out what it really was.”

See the full post on his blog.

A look inside the DS3231 real-time clock

S20170727_0001-600

Pete posted an article taking a closer look at Maxim’s DS3231 real-time clock:

Fortunately, Maxim also offers the DS3231, which is advertised as an “Extremely Accurate I2C-Integrated RTC/TCXO/Crystal”. This chip has the 32kHz crystal integrated into the package itself and uses a built-in temperature sensor to periodically measure the temperature of the crystal and, by switching different internal capacitors in and out of the crystal circuit, can precisely adjust its frequency so it remains constant. It’s specified to keep time within 2ppm from 0°C to +40°C, and 3.5ppm from -40°C to +85°C, which means the clock would only drift 63 and 110 seconds per year, respectively. Very cool.

See the full post at HeyPete.com blog.

Inside Intel’s first product: the 3101 RAM chip held just 64 bits

chip-labeled

Ken Shirriff writes:

Intel’s first product was not a processor, but a memory chip: the 31011 RAM chip, released in April 1969. This chip held just 64 bits of data (equivalent to 8 letters or 16 digits) and had the steep price tag of $99.50.2 The chip’s capacity was way too small to replace core memory, the dominant storage technology at the time, which stored bits in tiny magnetized ferrite cores. However, the 3101 performed at high speed due to its special Schottky transistors, making it useful in minicomputers where CPU registers required fast storage. The overthrow of core memory would require a different technology—MOS DRAM chips—and the 3101 remained in use in the 1980s.3
This article looks inside the 3101 chip and explains how it works. I received two 3101 chips from Evan Wasserman and used a microscope to take photos of the tiny silicon die inside.4 Around the outside of the die, sixteen black bond wires connect pads on the die to the chip’s external pins. The die itself consists of silicon circuitry connected by a metal layer on top, which appears golden in the photo. The thick metal lines through the middle of the chip power the chip.

See the full post and more details at Ken Shirriff’s blog.