Two bits per transistor: high-density ROM in Intel’s 8087 floating point chip


Ken Shirriff has a great write-up about the multi-level ROM in Intel’s 8087 floating point chip:

The 8087 chip provided fast floating point arithmetic for the original IBM PC and became part of the x86 architecture used today. One unusual feature of the 8087 is it contained a multi-level ROM (Read-Only Memory) that stored two bits per transistor, twice as dense as a normal ROM. Instead of storing binary data, each cell in the 8087’s ROM stored one of four different values, which were then decoded into two bits. Because the 8087 required a large ROM for microcode1 and the chip was pushing the limits of how many transistors could fit on a chip, Intel used this special technique to make the ROM fit. In this article, I explain how Intel implemented this multi-level ROM.

More details on Ken Shirriff’s blog.

Sega System 16 security reverse engineering


Reverse engineering of Sega’s System 16 Hitachi FD1089 cpu security module by Eduardo Cruz:

I’m glad to announce the successful reverse engineering of Sega’s System 16 cpu security modules. This development will enable collectors worldwide preserving hardware unmodified, and stop the general discarding of Hitachi FD modules.
The project is right now involving external testers so expect further details and full disclosure over the coming weeks.

Further details on Arcade Hacker blog.

Check out the video after the break.

A journey into Capcom’s CPS2 silicon – part 3


Eduardo Cruz published the third and last post in the Capcom CPS2 reverse engineering series we covered previously:

For many years, finding how and where did Capcom hid away its security implementation has been a pending critical task for the arcade community. CPS2 systems running out of battery were rendered useless forcing collectors worldwide to perform board conversions or let go of their favorite games.

See the full post on the Arcade Hacker blog. Be sure to see Part 1 and 2.

Inside the 76477 space invaders sound effect chip: Digital logic implemented with I2L


Ken Shirriff has written an excellent in-depth look at the 76477 sound effects chip:

The 76477 Complex Sound Generation chip (1978) provided sound effects for Space Invaders1 and many other video games. It was also a popular hobbyist chip, easy to experiment with and available at Radio Shack. I reverse-engineered the chip from die photos and found some interesting digital circuitry inside. Perhaps the most interesting is a shift register based white noise generator, useful for drums, gunshots, explosions and other similar sound effects. The chip also uses a digital mixer to combine the chip’s different sound generators. An unusual feature of the chip is that it uses Integrated Injection Logic (I2L), a type of digital logic developed in the 1970s with the goal of high-density, high-speed chips. (I wrote about the chip’s analog circuitry last year in this article.)

See the full post on his blog here.

Repairing the card reader for a 1960s mainframe: cams, relays and a clutch


Ken Shirriff writes:

I recently helped repair the card reader for the Computer History Museum’s vintage IBM 1401 mainframe. In the process, I learned a lot about the archaic but interesting electromechanical systems used in the card reader. Most of the card reader is mechanical, with belts, gears, and clutches controlling the movement of cards through the mechanism. The reader has a small amount of logic, but instead of transistorized circuits, the logic is implemented with electromechanical relays.1 Timing signals are generated by spinning electromechanical cams that generate pulses at the proper rotation angles. This post explains how these different pieces work together, and how a subtle timing problem caused the card reader to fail.

See the full post on his blog.

A journey into Capcom’s CPS2 silicon – Part 2


Here’s an informative part 2 of the Capcom CPS2 reverse engineering series by Eduardo Cruz:

Capcom’s Play System 2, also known as CPS2, was a new arcade platform introduced in 1993 and a firm call on bootlegging. Featuring similar but improved specs to its predecessor CPS1, the system introduced a new security architecture that gave Capcom for the first time a piracy-free platform. A fact that remained true for its main commercial lifespan and that even prevented projects like Mame from gaining proper emulation of the system for years.

See the full post on the Arcade Hacker blog. Be sure to see Part 1 here.

Reverse engineering of BK Precision 1696 switching power supply’s LCD protocol


Kerry Wong writes:

As mentioned in my previous post, besides the broken LCD there was also an issue with the power supply portion of the unit and the output voltage was clamped at around 10 to 11V. The digital circuitry portion however seemed to be intact. Unfortunately since an identical LCD is virtually unobtanium, I thought I’d reverse engineer the LCD protocol so once the power supply is fixed I can fix the display by hooking up a different LCD.

See the full post on his blog.

Check out the video after the break.

Examining a vintage RAM chip, I find a counterfeit with an entirely different die inside


Ken Shirriff writes, “A die photo of a vintage 64-bit TTL RAM chip came up on Twitter recently, but the more I examined the photo the more puzzled I became. The chip didn’t look at all like a RAM chip or even a TTL chip, and in fact appeared partially analog. By studying the chip’s circuitry closely, I discovered that this RAM chip was counterfeit and had an entirely different die inside. In this article, I explain how I analyzed the die photos and figured out what it really was.”

See the full post on his blog.

A look inside the DS3231 real-time clock


Pete posted an article taking a closer look at Maxim’s DS3231 real-time clock:

Fortunately, Maxim also offers the DS3231, which is advertised as an “Extremely Accurate I2C-Integrated RTC/TCXO/Crystal”. This chip has the 32kHz crystal integrated into the package itself and uses a built-in temperature sensor to periodically measure the temperature of the crystal and, by switching different internal capacitors in and out of the crystal circuit, can precisely adjust its frequency so it remains constant. It’s specified to keep time within 2ppm from 0°C to +40°C, and 3.5ppm from -40°C to +85°C, which means the clock would only drift 63 and 110 seconds per year, respectively. Very cool.

See the full post at blog.