
DuPAL and TI Workshop protected PAL16R4


acadiel


Hey all -

 

I finally got my DuPAL PAL brute forcing tool working, and was able to get it to process my TI Workshop protected PAL16R4.  

 

It's a multi part process.

 

First, I have to identify what's called the "output mask" by having it scan the 16R4 with the DuPAL Analyzer Java app.  Then re-run the analyzer again with the "41" at the end.  Ending up with a huge JSON of all possible input/output combinations.

 

$ java -jar dupal_analyzer.jar /dev/tty.usbserial-1420 16R4 out.json

[main] INFO info.hkzlab.dupal.analyzer.board.boardio.DuPALAnalyzer - detectIOTypeMask -> Currently detected mask is 41
[main] INFO info.hkzlab.dupal.analyzer.board.boardio.DuPALAnalyzer - Detected the following IO as Outputs mask: 41
[main] INFO info.hkzlab.dupal.analyzer.board.boardio.DuPALAnalyzer - Now, turn OFF and ON again the DuPAL to reset the PAL and run this tool again by specifying the mask and output file.

$ java -jar dupal_analyzer.jar /dev/tty.usbserial-1420 16R4 41 out.json
[main] INFO info.hkzlab.dupal.analyzer.App - DuPAL Analyzer null
[main] INFO info.hkzlab.dupal.analyzer.palanalisys.explorers.OSExplorer - exploreOutStates() -> Initial state: OS[O:41|Z:00]
[main] INFO info.hkzlab.dupal.analyzer.palanalisys.explorers.OSExplorer - exploreOutStates() -> Can't find a path to an unexplored state from OS[O:01|Z:00]
[main] INFO info.hkzlab.dupal.analyzer.board.boardio.DuPALAnalyzer - Got 64 output states!
[main] INFO info.hkzlab.dupal.analyzer.board.boardio.DuPALAnalyzer - saveOutputToFile() -> Saving to out.json

$ ls -l

-rw-r--r--  1 Jon  wheel  5827770 Feb 22 15:47 out.json

 

Second, I have to then actually let it do the conversion of that huge JSON with the DuPAL Espresso Converter Java app:

 

$ java -jar DuPAL_EspressoConverter.jar out.json output.json.tbl

DuPAL Espresso Converter null
[main] INFO info.hkzlab.dupal.EspressoConverter.App - Got file for PAL type PAL16R4
[main] INFO info.hkzlab.dupal.EspressoConverter.formatter.EspressoFormatter - formatEspressoTableHeader() -> Will format a table for a PAL16R4, IO mask 41
[main] INFO info.hkzlab.dupal.EspressoConverter.App - saveOutputToFile() -> Saving to output.json.tbl0
[main] INFO info.hkzlab.dupal.EspressoConverter.App - saveOutputToFile() -> Saving to output.json.tbl1

$ ls -l
-rw-r--r--  1 Jon  wheel  1704107 Feb 22 15:48 output.json.tbl0
-rw-r--r--  1 Jon  wheel   426155 Feb 22 15:48 output.json.tbl1

 

And lastly, condense the output tables.  Since this is a registered PAL, you get one for the registered outputs and one for the combinational outputs.

 

$ espresso output.json.tbl0
# PAL16R4
.i 16
.o 8
.ilb i2 i3 i4 i5 i6 i7 i8 i9 io13 io12 fio18 fio19 psro17 psro16 psro15 psro14
.ob io18 io19 ro17 ro16 ro15 ro14 io18oe io19oe
#.phase 00000000
.p 3
-010---10------- 10000000
1--------------- 01000000
---------------- 00000011
.e

$ espresso output.json.tbl1
# PAL16R4
.i 16
.o 8
.ilb i2 i3 i4 i5 i6 i7 i8 i9 io13 io12 fio18 fio19 psro17 psro16 psro15 psro14
.ob io18 io19 ro17 ro16 ro15 ro14 io18oe io19oe
#.phase 00000000
.p 12
------0--------- 00100000
-----0---------- 00010000
----0----------- 00001000
---------0------ 00000100
0----------0---- 11111111
1----------1---- 11111111
--------1-0----- 11111111
--------0-1----- 11111111
-------0-------- 11111111
---1------------ 11111111
--0------------- 11111111
-1-------------- 11111111
.e

 

I'm going to re-run this job just to make sure it's ok, but wanted to throw this in here in case anyone knows how to make heads or tails of this output.  This could very well be gibberish :)

 


I've re-run the jobs and verified the same results.

 

etinambp:DuPAL_Analyzer Jon$ ./template.sh 
[main] INFO info.hkzlab.dupal.analyzer.App - DuPAL Analyzer null
[main] INFO info.hkzlab.dupal.analyzer.palanalisys.explorers.OSExplorer - exploreOutStates() -> Initial state: OS[O:41|Z:00]
[main] INFO info.hkzlab.dupal.analyzer.palanalisys.explorers.OSExplorer - exploreOutStates() -> Can't find a path to an unexplored state from OS[O:01|Z:00]
[main] INFO info.hkzlab.dupal.analyzer.board.boardio.DuPALAnalyzer - Got 64 output states!
[main] INFO info.hkzlab.dupal.analyzer.board.boardio.DuPALAnalyzer - saveOutputToFile() -> Saving to tiworkshop

-rw-r--r--  1 Jon  wheel  5827770 Feb 22 22:12 tiworkshop

retinambp:DuPAL_EspressoConverter Jon$ java -jar DuPAL_EspressoConverter.jar tiworkshop tiworkshop.tbl
DuPAL Espresso Converter null
[main] INFO info.hkzlab.dupal.EspressoConverter.App - Got file for PAL type PAL16R4
[main] INFO info.hkzlab.dupal.EspressoConverter.formatter.EspressoFormatter - formatEspressoTableHeader() -> Will format a table for a PAL16R4, IO mask 41
[main] INFO info.hkzlab.dupal.EspressoConverter.App - saveOutputToFile() -> Saving to tiworkshop.tbl.tbl0
[main] INFO info.hkzlab.dupal.EspressoConverter.App - saveOutputToFile() -> Saving to tiworkshop.tbl.tbl1

-rw-r--r--  1 Jon  wheel  1704107 Feb 23 13:41 tiworkshop.tbl.tbl0
-rw-r--r--  1 Jon  wheel   426155 Feb 23 13:41 tiworkshop.tbl.tbl1

retinambp:DuPAL_EspressoConverter Jon$ mv tiworkshop.tbl.tbl0 tiworkshop.tbl0
retinambp:DuPAL_EspressoConverter Jon$ mv tiworkshop.tbl.tbl1 tiworkshop.tbl1

retinambp:DuPAL_EspressoConverter Jon$ espresso tiworkshop.tbl0 

# PAL16R4
.i 16
.o 8
.ilb i2 i3 i4 i5 i6 i7 i8 i9 io13 io12 fio18 fio19 psro17 psro16 psro15 psro14
.ob io18 io19 ro17 ro16 ro15 ro14 io18oe io19oe
#.phase 00000000
.p 3
-010---10------- 10000000
1--------------- 01000000
---------------- 00000011
.e

retinambp:DuPAL_EspressoConverter Jon$ espresso tiworkshop.tbl1

# PAL16R4
.i 16
.o 8
.ilb i2 i3 i4 i5 i6 i7 i8 i9 io13 io12 fio18 fio19 psro17 psro16 psro15 psro14
.ob io18 io19 ro17 ro16 ro15 ro14 io18oe io19oe
#.phase 00000000
.p 12
------0--------- 00100000
-----0---------- 00010000
----0----------- 00001000
---------0------ 00000100
0----------0---- 11111111
1----------1---- 11111111
--------1-0----- 11111111
--------0-1----- 11111111
-------0-------- 11111111
---1------------ 11111111
--0------------- 11111111
-1-------------- 11111111
.e

 


I did find an argument for espresso that reduces the output into algebraic equations:

 

Combinational output (probably not valid)

 

$ espresso -o eqntott tiworkshop.tbl0 >test0.txt

# PAL16R4
io18 = (!i3&i4&!i5&i9&!io13);

io19 = (i2);

ro17 = ;

ro16 = ;

ro15 = ;

ro14 = ;

io18oe = ();

io19oe = ();

 

Registered output:

 

$ espresso -o eqntott tiworkshop.tbl1 >test1.txt

# PAL16R4
io18 = (!i2&!fio19) | (i2&fio19) | (io13&!fio18) | (!io13&fio18) | (!i9) | (
    i5) | (!i4) | (i3);

io19 = (!i2&!fio19) | (i2&fio19) | (io13&!fio18) | (!io13&fio18) | (!i9) | (
    i5) | (!i4) | (i3);

ro17 = (!i8) | (!i2&!fio19) | (i2&fio19) | (io13&!fio18) | (!io13&fio18) | (
    !i9) | (i5) | (!i4) | (i3);

ro16 = (!i7) | (!i2&!fio19) | (i2&fio19) | (io13&!fio18) | (!io13&fio18) | (
    !i9) | (i5) | (!i4) | (i3);

ro15 = (!i6) | (!i2&!fio19) | (i2&fio19) | (io13&!fio18) | (!io13&fio18) | (
    !i9) | (i5) | (!i4) | (i3);

ro14 = (!io12) | (!i2&!fio19) | (i2&fio19) | (io13&!fio18) | (!io13&fio18) | (
    !i9) | (i5) | (!i4) | (i3);

io18oe = (!i2&!fio19) | (i2&fio19) | (io13&!fio18) | (!io13&fio18) | (!i9) | (
    i5) | (!i4) | (i3);

io19oe = (!i2&!fio19) | (i2&fio19) | (io13&!fio18) | (!io13&fio18) | (!i9) | (
    i5) | (!i4) | (i3);

 

This looks a bit closer, but still need to learn the idiosyncrasies of some of the nomenclature (like the "f")

 

@Fritz442, thoughts?

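For anyone trying to read the espresso tables posted above, here is an added example (not from the thread's posters or the DuPAL project): a small Python reader for the posted tiworkshop.tbl0 output that turns each cube row into one product term per output. It reproduces the eqntott lines and shows that, in sum-of-products terms, an output with no cubes (`ro17 = ;`) is constant 0 and an output with an all-dash cube (`io18oe = ();`) is constant 1. The names `parse_pla`, `equation` and `evaluate` are hypothetical.

```python
# Constructed input: the minimized tiworkshop.tbl0 table as posted in the thread.
PLA_TBL0 = """\
# PAL16R4
.i 16
.o 8
.ilb i2 i3 i4 i5 i6 i7 i8 i9 io13 io12 fio18 fio19 psro17 psro16 psro15 psro14
.ob io18 io19 ro17 ro16 ro15 ro14 io18oe io19oe
#.phase 00000000
.p 3
-010---10------- 10000000
1--------------- 01000000
---------------- 00000011
.e
"""

def parse_pla(text):
    """Return {output: [cube, ...]}; a cube maps input name -> required 0/1."""
    ilb, ob, terms = [], [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments such as "#.phase"
        if line.startswith(".ilb"):
            ilb = line.split()[1:]               # input labels, left to right
        elif line.startswith(".ob"):
            ob = line.split()[1:]                # output labels, left to right
            terms = {name: [] for name in ob}
        elif line and not line.startswith("."):  # cube row: input bits, output bits
            in_bits, out_bits = line.split()
            if (len(in_bits), len(out_bits)) != (len(ilb), len(ob)):
                raise ValueError(f"cube width mismatch: {raw!r}")
            cube = {n: int(b) for n, b in zip(ilb, in_bits) if b != "-"}
            for name, b in zip(ob, out_bits):
                if b == "1":                     # this cube feeds this output
                    terms[name].append(cube)
    return terms

def equation(cubes):
    # eqntott-style text; an empty result is constant 0, '()' is constant 1
    lits = lambda c: "&".join(("" if v else "!") + n for n, v in c.items())
    return " | ".join(f"({lits(c)})" for c in cubes)

def evaluate(cubes, inputs):
    """Sum of products: true when every literal of at least one cube matches."""
    return any(all(inputs[n] == v for n, v in c.items()) for c in cubes)

if __name__ == "__main__":
    for name, cubes in parse_pla(PLA_TBL0).items():
        print(f"{name} = {equation(cubes)};")
```

The same functions read the tbl1 table unchanged, since it uses the same `.ilb`/`.ob` header.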

Oh yeah, personally I would start with a standard PAL12L6 chip to decode. One that we know the jedec of, so we can learn what your outputs mean. The 16R4 is one of the absolute hardest chips I have decoded. Starting with the easier ones may make your/these outputs make more sense. If you have a removeable 12L6 chip you can run on your decoder. :thumbsup:


4 minutes ago, Fritz442 said:

Oh yeah, personally I would start with a standard PAL12L6 chip to decode. One that we know the jedec of, so we can learn what your outputs mean. The 16R4 is one of the absolute hardest chips I have decoded. Starting with the easier ones may make your/these outputs make more sense. If you have a removeable 12L6 chip you can run on your decoder. :thumbsup:

I'm sure it can do it - it actually states it supports the following.  The above is the one that I need, though. :)

Combinatorial

  • PAL10L8
  • PAL16L8
  • PAL20L8

Registered

  • PAL16R4
  • PAL16R6
  • PAL16R8
  • PAL20R4
  • PAL20R6
  • PAL20R8

16 hours ago, dhe said:

1) Was the protection fuse blown - so... did you have to brute force it?

2) Were you able to take the equations and burn a new working PAL/GAL?

Inquiring minds want to know!

Yes, the fuse was blown.  That's why I built the PAL brute force device... to try and get the equations ;)

 

Here's what everything is hooked up to.  The only strange connection is the PAL is getting its clock (pin 1) from one of its I/O pins (pin 18).  Pins 17 and 19 are n/c.  There’s a small typo for #9 - should be A1 under EPROM Desc.

 

               

PAL Map.png


1 hour ago, Ksarul said:

You want me to make a layout for it and post it here? That's an easy one. . .

Sure - that board I believe was used for TI Workshop, Red Baron, Desktop Publisher, and Beyond WordWriter.  The jumpers were the only things that differed at the top.  Plus the PAL.

 


37 minutes ago, Fritz442 said:

I just found my 'Red Baron cart' and replaced the eprom with WORKSHOP.BIN from the Finalgrom files folder. Temporarily switched the one jumper to match yours and the cart works. ;-)  Definitely seems more interesting than Red Baron...

DSCF0008.JPG

Makes me wonder if they used the same PAL for everything.

 

Try and exercise all the functionality - and if it all works, then it must be indeed the same PAL.  TI Workshop needed all three address lines banked vs. the two for Red Baron.


7 minutes ago, acadiel said:

Makes me wonder if they used the same PAL for everything.

 

Try and exercise all the functionality - and if it all works, then it must be indeed the same PAL.  TI Workshop needed all three address lines banked vs. the two for Red Baron.

OK I'll test it tomorrow as best I can, is yours v1.0 also?


16 hours ago, Fritz442 said:

OK I'll test it tomorrow as best I can, is yours v1.0 also?

Yep.  As far as I know, they only released that one version.  Supposedly, it was going to be renamed “Magic Memory” to avoid TI’s wrath, but I’ve never seen that binary/ROM.

 

IF all the functionality works, it gives me hope, because that same cart board (and the same PAL) can make new CRU bank switched carts, to help fix old ones that aren’t working.


Here’s some information on CRU, but I noticed a few things - 1) The cart is only using CRUCLK, not in or out, 2) The 8 TI address lines aren’t contiguous (A3-A5 and A12-A15), and 3) it’s using DBIN somehow with this.  4) TI Workshop’s manual says it’s using CRU >0800.  5) CRU was almost exclusively used for sidecar and PEB peripherals, almost never carts. https://www.unige.ch/medecine/nouspikel/ti99/cru.htm

 

EPROM		TI		PAL
A15
A14
A13		(A2 and below not on cart port)
A12		A3		3
A11		A4		4
A10		A5		5
A9		A6
A8		A7
A7		A8
A6		A9
A5		A10
A4		A11		
A3		A12		6
A2		A13		7
A1		A14		8
A0		A15		9

 

Some updated thoughts and even more questions.

 

Since A0-A2 are hard wired to make the cart port to start at address >6000, I’m wondering what role the separated address lines play in the inputs on the PAL.  Example:

 

Does A3-A5 on the TI toggle to >800 in conjunction with the CRUCLK line going low?  From what I understand about CRU, once CRUCLK is toggled low, the next cycle is valid and sends out bit by bit data on TI A15.  So, possibly have the three bits that you need for EPROM A13, A14, and A15 so that the PAL can toggle these low/high to do the bank switch?  Then, why is the PAL interfacing with TI A12-A14?

 

This is how the bank switching works in assembler.  We just need to translate this to physical hardware:

DCB2F052-C1FE-4A85-9F24-3E893A98F86C.jpeg


It would be interesting to take a PAL with the protection fuse intact, read it out, then read it with DuPAL to see if the equations look different - even if functionally identical.

 

I had denoted this device in the EPROMS and PALS thread and called it peak reverse engineering.

 

It's really a super device for everyone working on electronics from the 80's and 90's - no more black boxes!


Just a FYI, an observation that we're making as we are experimenting with this... the -15 GAL parts seem to have a timing issue. The original PAL is a -25 part.

 

The GAL, as noted above, hooks the CLK line to I/O pin 18, which is odd.

 

Some questions to toss out there for the ether:

  1. Have only 25ns PAL/GALs worked on the cartridge port in the past?
  2. If 15ns PALs/GALs have worked, which models?
  3. Why would someone put the PAL/GAL clock pin into an I/O pin of the same PAL/GAL?  What purpose does this serve?

I remember that Cecure (Don) did some experimenting with GALs (and actually made some prototype cart boards back in the 90s), and ultimately resulted in him saying "The TI Bus was too noisy."  I don't know if these were just too fast GALs, or the wrong part, or ??  

 

Needless to say, our machine does appear to be picky with some of these PLDs.

 

 

 


7 hours ago, acadiel said:

-15 GAL parts seem to have a timing issue. 

Right, that was the problem with the original WHT SCSI controller.

 

Michael Becker fixed that with a daughter board, another way of saying "TI Bus was too noisy" is new parts are too fast, they see dozens of state changes while the TI bus is still getting settled...

 

Fixes for timing issues like that - are way above my head.


4 hours ago, dhe said:

Right, that was the problem with the original WHT SCSI controller.

 

Michael Becker fixed that with a daughter board, another way of saying "TI Bus was too noisy" is new parts are too fast, they see dozens of state changes while the TI bus is still getting settled...

 

Fixes for timing issues like that - are way above my head.

Yep, so I have some NOS -25 flash and traditional GALs headed this way to try.  :)

 


12 hours ago, dhe said:

@acadiel do you have an extra dupal you'd like to sell - or where is the best place to pick one up?

Thanks, Dano

I think @Fritz442 is interested in building one.  Oshpark and PCBWay are the best places to get the PCB made (boards source is here).  Might be worth going in and getting a few done and splitting it?

 

The soldering and finding parts is easy.  The programming of the boot loader and DuPAL EPROM is a little harder, and I have some great lessons learned from building and getting this thing to work over the past year.  Including just using a 5V FTDI USB cable on pins #9-12 of the MAX232 IC socket instead of putting a MAX232 in it.  

 

I have a pre-built 16MHz version of the DuPAL board Atmega 328P I can just dump if someone doesn't want to download and compile the boot loader and DuPAL board firmware from scratch.  (Mine differs slightly in that I use 16MHz like a regular Arduino instead of 20MHz like the schematics call for - doesn't make a difference because I compiled mine for 16MHz.  I can throw my 328P in a regular Arduino, though and troubleshoot it.)

 

 


4 hours ago, acadiel said:

 Including just using a 5V FTDI USB cable on pins #9-12 of the MAX232 IC

I've seen a number of boards doing this.

 

I have a 6809 SBC I would like to try to build first.

 

I might be asking questions later....

 

Thanks for the information!
