Two bits per transistor: high-density ROM in Intel’s 8087 floating point chip


Ken Shirriff has a great write-up about the multi-level ROM in Intel’s 8087 floating point chip:

The 8087 chip provided fast floating point arithmetic for the original IBM PC and became part of the x86 architecture used today. One unusual feature of the 8087 is it contained a multi-level ROM (Read-Only Memory) that stored two bits per transistor, twice as dense as a normal ROM. Instead of storing binary data, each cell in the 8087’s ROM stored one of four different values, which were then decoded into two bits. Because the 8087 required a large ROM for microcode1 and the chip was pushing the limits of how many transistors could fit on a chip, Intel used this special technique to make the ROM fit. In this article, I explain how Intel implemented this multi-level ROM.

More details on Ken Shirriff’s blog.

How To Add More Games to the NES Classic

The hype around the NES Classic in 2016 was huge, and as expected, units are already selling for excessively high prices on eBay. The console shipped with 30 games pre-installed, primarily first-party releases from Nintendo. But worry not — there’s now a way to add more games to your NES Classic!

Like many a good hack, this one spawned from a forum community. [madmonkey] posted on about their attempts to load extra games into the console. The first step is using the FEL subroutine of the Allwinner SOC’s boot ROM to dump the unit’s flash memory. From there, it’s a matter of using custom tools to inject extra game ROMs before reburning the modified image to the console. The original tool used, named hakchi, requires a Super Mario savegame placed into a particular slot to work properly, though new versions have already surfaced eliminating this requirement.

While this is only a software modification, it does come with several risks. In addition to bricking your console, virus scanners are reporting the tools as potentially dangerous. There is confusion in the community as to whether these are false positives or not. As with anything you find lurking on a forum, your mileage may vary. But if you just have to beat Battletoads for the umpteenth time, load up a VM for the install process and have at it. This Reddit thread (an expansion from the original pastebin instructions) acts as a good starting point for the brave.

Only months after release, the NES Classic is already a fertile breeding ground for hacks — last year we reported on this controller mod and how to install Linux. Video of this ROM injection hack after the break.

Filed under: nintendo hacks

BASIC Interpreter Hidden in ESP32 Silicon

We’ve been keeping up with the ongoing software developed for the ESP32 WiFi chip, and that means a lot of flashing, hooking up random wires, and rebooting. Along the way, we stumbled on an Easter egg: the ESP32 processor has a built-in BASIC interpreter to fall back on.

That’s a cool little hack to find, but we couldn’t find some crucial functions that would have made it a lot more useful. Still, it’s great fun to play around in real-time with the chip. And you’ll absolutely get an LED blinking faster in ESP32 BASIC than you will on an Arduino!

Getting to BASIC

At first, we thought that the key to getting into the BASIC shell was simply blocking the onboard flash program ROM, because we discovered it by connecting to GPIO 12, labeled as the MOSI pin for “HSPI”. But a little verification with ‘scope and continuity tester verifies that no data is going across this pin at bootup, and the SPI lines for the flash aren’t even broken out from the module. It looks like whatever boot ROM the ESP32 has inside it is testing for a high voltage on GPIO 12. Don’t ask us.

Anyway, the short version of the story is: pull GPIO 12 high and hit reset. Connect to the ESP32 over serial, and hit enter to stop it from continually rebooting. Falling back to built-in command interpreter. Woot. Set your terminal program up to send only a linefeed at the end of each line and you’re off! Don’t have an ESP32 on hand to try this? I recorded a screencast of my adventures so at least you can join me for the ride.

Blinking an LED, BASIC Style

What’s the first thing you do when faced with a command prompt? Type “help”, right? Well, that works. The ESP32 comes back with “A very Basic ROM console. Available commands/functions:” and then lists out everything you need to get started. Now, our BASIC is a bit rusty, dating from the Tandy Color Computer days, but we quickly whipped up a few demos and frankly, we had a lot of fun.

ESP32 ROM Basic (c) 2016 Espressif Shanghai
Derived from TinyBasic Plus by Mike Field and Scott Lawrence

Espressif was nice enough to add iodir and ioset commands to the BASIC, and they let you set the data direction of any pin (input or output) and either read or write to it. That means blinking LEDs is just a few words away.

> list

5 IODIR 32,1
10 FOR I = 1 TO 10
20 PRINT "Hello Hackaday!"
30 GOSUB 100
50 END
110 IOSET 32,1
120 DELAY 200
130 IOSET 32,0
140 DELAY 100

> run
Hello Hackaday!

And there was looping and blinking. It’s easier than getting started with Arduino!

Mysteries and Missing

But that’s also about as far as we got. There is a print command, and an input command, but we couldn’t figure out how to handle strings, so we never got further than

10 PRINT "Enter your favorite number"
30 IF F = 42 GOTO 100
40 PRINT "Really? I prefer"
50 PRINT F+1
60 END
100 PRINT "That’s my favorite number too."
110 END

There’s an rseed command, and the help lists a rnd but it looks like a syntax error when we try to use it in a function. ioget, which should read the logic voltage on a pin, doesn’t seem to work either. Going down the list, we were bummed out to find that many of the functions that we’d like to teach a young child programming just weren’t there.

BASIC Without Peek and Poke?

We couldn’t get peek and poke working for the life of us. It appears that they weren’t implemented, which is a shame because those two commands are practically the best feature of BASIC for exploring around the insides of a new chip in real-time. While you don’t often have cause for twiddling individual bits inside your desktop computer, interactively flipping those little silicon switches is a fantastic tool when dealing with a microcontroller with memory-mapped hardware peripherals.

Peek and poke are the raison d’être for BASIC. Without them, it’s just a toy language.

These Are Not The Droids…

Anyway, the big news is that the Espressif team has gotten most of the Arduino core up and working, and we have a full review coming out soon. They’re also continuing to work like crazy on development of the C libraries that real programmers will use to run these chips, so it’s probably not a top priority for them to implement peek inside an Easter egg. But we had a fun afternoon dredging up BASIC skills.

Filed under: Hackaday Columns, Microcontrollers

SNES EPROM Programmer with Arduino

Most video game manufacturers aren’t too keen on homebrew games, or people trying to get more utility out of a video game system than it was designed to have. While some effort is made to keep people from slapping a modchip on an Xbox or from running an emulator for a Playstation, it’s almost completely impossible to stop some of the hardware hacking that is common on older cartridge-based games. The only limit is usually the cost of an EPROM programmer, but [Robson] has that covered now with his Arduino-based SNES EPROM programmer.

Normally this type of hack involves finding any cartridge for the SNES at the lowest possible value, burning an EPROM with the game that you really want, and then swapping the new programmed memory with the one in the worthless cartridge. Even though most programmers are pricey, it’s actually not that difficult to write bits to this type of memory. [Robson] runs us through all of the steps to get an Arduino set up to program these types of memory, and then puts it all together into a Super Nintendo where it looks exactly like the real thing.

If you don’t have an SNES lying around, it’s possible to perform a similar end-around on a Sega Genesis as well. And, if you’re more youthful than those of us that grew up in the 16-bit era, there’s a pretty decent homebrew community that has sprung up around the Nintendo DS and 3DS, too.

Thanks to [Rafael] for the tip!

Filed under: nintendo hacks

Reverse Engineering the Sony PocketStation

[Robson Couto] never actually owned a PlayStation in his youth, but that doesn’t mean he can’t have a later in life renaissance. In particular a Japan only accessory called the PocketStation caught his interest.

The item in question resided in the PlayStation’s memory card slot. It’s purpose was to add additional functionality to games and hopefully sell itself. Like the PokeWalker, Kinect, etc. It’s an age old tactic but the PocketStation had some interesting stuff going on (translated).

The biggest was its processor. Despite having a pathetic 32×32 mono screen, it hosted the same processor as the GameBoy Advance. Having acquired a card from an internet auction house [Robson] wanted to load up some of the ROMs for this device and see what it was like.

It took quite a bit of work. Luckily there is a ton of documentation floating around the internet thanks to the emulation scene and it wasn’t long before he convinced a microcontroller to pretend to be the memory card slot. Now anyone with some skill and a small piece of gaming history can play around with the rare ROM dump for the PocketStation.

Filed under: playstation hacks

Glitching USB Firmware for Fun

[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point that she wanted with the firmware — to reverse engineer, see what’s going on, and who knows what else. Wacom didn’t design the devices to be user-updateable, so there aren’t copies of the ROMs floating around the web, and the tablet’s microcontroller seems to be locked down to boot.

With the easy avenues turning up dead ends, that means building some custom hardware to get it done and making a very detailed video documenting the project (embedded below). If you’re interested in chip power glitching attacks, and if you don’t suffer from short attention span, watch it, it’s a phenomenal introduction.

Spoiler: the ROM dump comes out in the USB device enumerator strings. Using a Chip Whisperer (second place in Hackaday Prize 2014!) and the “FaceWhisperer” add-on board of her own design, [Micah] could send power-supply glitches just as the tablet was identifying itself to the computer. Instead of stopping after the few device descriptor bytes, it just kept on going. And going. In fact, in one of the many brute-force attempts, it dumped its ROM twice, making it easy to find the beginning and end of the code stream.

Next up is disassembling and reversing the software, which is no small feat. We can’t wait to see what [Micah] comes up with.

Thanks to [Ben] and [Tim] for the nearly-simultaneous tips.

Filed under: classic hacks, misc hacks