+acadiel Posted February 23, 2023 Share Posted February 23, 2023 Hey all - I finally got my DuPAL PAL brute forcing tool working, and was able to get it to process my TI Workshop protected PAL16R4. It's a multi part process. First, I have to identify what's called the "output mask" by having it scan the 16R4 with the DuPAL Analyzer Java app. Then re-run the analyzer again with the "41" at the end. Ending up with a huge JSON of all possible input/output combinations. $ java -jar dupal_analyzer.jar /dev/tty.usbserial-1420 16R4 out.json [main] INFO info.hkzlab.dupal.analyzer.board.boardio.DuPALAnalyzer - detectIOTypeMask -> Currently detected mask is 41 [main] INFO info.hkzlab.dupal.analyzer.board.boardio.DuPALAnalyzer - Detected the following IO as Outputs mask: 41 [main] INFO info.hkzlab.dupal.analyzer.board.boardio.DuPALAnalyzer - Now, turn OFF and ON again the DuPAL to reset the PAL and run this tool again by specifying the mask and output file. $ java -jar dupal_analyzer.jar /dev/tty.usbserial-1420 16R4 41 out.json [main] INFO info.hkzlab.dupal.analyzer.App - DuPAL Analyzer null [main] INFO info.hkzlab.dupal.analyzer.palanalisys.explorers.OSExplorer - exploreOutStates() -> Initial state: OS[O:41|Z:00] [main] INFO info.hkzlab.dupal.analyzer.palanalisys.explorers.OSExplorer - exploreOutStates() -> Can't find a path to an unexplored state from OS[O:01|Z:00] [main] INFO info.hkzlab.dupal.analyzer.board.boardio.DuPALAnalyzer - Got 64 output states! [main] INFO info.hkzlab.dupal.analyzer.board.boardio.DuPALAnalyzer - saveOutputToFile() -> Saving to out.json $ ls -l -rw-r--r-- 1 Jon wheel 5827770 Feb 22 15:47 out.json Second, I have to then actually let it do the conversion of that huge JSON with the DuPAL Espresso Converter Java app: $ java -jar DuPAL_EspressoConverter.jar out.json output.json.tbl DuPAL Espresso Converter null [main] INFO info.hkzlab.dupal.EspressoConverter.App - Got file for PAL type PAL16R4 [main] INFO info.hkzlab.dupal.EspressoConverter.formatter.EspressoFormatter - formatEspressoTableHeader() -> Will format a table for a PAL16R4, IO mask 41 [main] INFO info.hkzlab.dupal.EspressoConverter.App - saveOutputToFile() -> Saving to output.json.tbl0 [main] INFO info.hkzlab.dupal.EspressoConverter.App - saveOutputToFile() -> Saving to output.json.tbl1 $ ls -l -rw-r--r-- 1 Jon wheel 1704107 Feb 22 15:48 output.json.tbl0 -rw-r--r-- 1 Jon wheel 426155 Feb 22 15:48 output.json.tbl1 And lastly, condense the output tables. Since this is a registered PAL, you get one for the registered outputs and one for the combinational outputs. $ espresso output.json.tbl0 # PAL16R4 .i 16 .o 8 .ilb i2 i3 i4 i5 i6 i7 i8 i9 io13 io12 fio18 fio19 psro17 psro16 psro15 psro14 .ob io18 io19 ro17 ro16 ro15 ro14 io18oe io19oe #.phase 00000000 .p 3 -010---10------- 10000000 1--------------- 01000000 ---------------- 00000011 .e $ espresso output.json.tbl1 # PAL16R4 .i 16 .o 8 .ilb i2 i3 i4 i5 i6 i7 i8 i9 io13 io12 fio18 fio19 psro17 psro16 psro15 psro14 .ob io18 io19 ro17 ro16 ro15 ro14 io18oe io19oe #.phase 00000000 .p 12 ------0--------- 00100000 -----0---------- 00010000 ----0----------- 00001000 ---------0------ 00000100 0----------0---- 11111111 1----------1---- 11111111 --------1-0----- 11111111 --------0-1----- 11111111 -------0-------- 11111111 ---1------------ 11111111 --0------------- 11111111 -1-------------- 11111111 .e I'm going to re-run this job just to make sure it's ok, but wanted to throw this in here in case anyone knows how to make heads or takes of this output. This could very well be gibberish 4 Quote Link to comment Share on other sites More sharing options...
+acadiel Posted February 23, 2023 Author Share Posted February 23, 2023 I've re-run the jobs and verified the same results. etinambp:DuPAL_Analyzer Jon$ ./template.sh [main] INFO info.hkzlab.dupal.analyzer.App - DuPAL Analyzer null [main] INFO info.hkzlab.dupal.analyzer.palanalisys.explorers.OSExplorer - exploreOutStates() -> Initial state: OS[O:41|Z:00] [main] INFO info.hkzlab.dupal.analyzer.palanalisys.explorers.OSExplorer - exploreOutStates() -> Can't find a path to an unexplored state from OS[O:01|Z:00] [main] INFO info.hkzlab.dupal.analyzer.board.boardio.DuPALAnalyzer - Got 64 output states! [main] INFO info.hkzlab.dupal.analyzer.board.boardio.DuPALAnalyzer - saveOutputToFile() -> Saving to tiworkshop -rw-r--r-- 1 Jon wheel 5827770 Feb 22 22:12 tiworkshop retinambp:DuPAL_EspressoConverter Jon$ java -jar DuPAL_EspressoConverter.jar tiworkshop tiworkshop.tbl DuPAL Espresso Converter null [main] INFO info.hkzlab.dupal.EspressoConverter.App - Got file for PAL type PAL16R4 [main] INFO info.hkzlab.dupal.EspressoConverter.formatter.EspressoFormatter - formatEspressoTableHeader() -> Will format a table for a PAL16R4, IO mask 41 [main] INFO info.hkzlab.dupal.EspressoConverter.App - saveOutputToFile() -> Saving to tiworkshop.tbl.tbl0 [main] INFO info.hkzlab.dupal.EspressoConverter.App - saveOutputToFile() -> Saving to tiworkshop.tbl.tbl1 -rw-r--r-- 1 Jon wheel 1704107 Feb 23 13:41 tiworkshop.tbl.tbl0 -rw-r--r-- 1 Jon wheel 426155 Feb 23 13:41 tiworkshop.tbl.tbl1 retinambp:DuPAL_EspressoConverter Jon$ mv tiworkshop.tbl.tbl0 tiworkshop.tbl0 retinambp:DuPAL_EspressoConverter Jon$ mv tiworkshop.tbl.tbl1 tiworkshop.tbl1 retinambp:DuPAL_EspressoConverter Jon$ espresso tiworkshop.tbl0 # PAL16R4 .i 16 .o 8 .ilb i2 i3 i4 i5 i6 i7 i8 i9 io13 io12 fio18 fio19 psro17 psro16 psro15 psro14 .ob io18 io19 ro17 ro16 ro15 ro14 io18oe io19oe #.phase 00000000 .p 3 -010---10------- 10000000 1--------------- 01000000 ---------------- 00000011 .e retinambp:DuPAL_EspressoConverter Jon$ espresso tiworkshop.tbl1 # PAL16R4 .i 16 .o 8 .ilb i2 i3 i4 i5 i6 i7 i8 i9 io13 io12 fio18 fio19 psro17 psro16 psro15 psro14 .ob io18 io19 ro17 ro16 ro15 ro14 io18oe io19oe #.phase 00000000 .p 12 ------0--------- 00100000 -----0---------- 00010000 ----0----------- 00001000 ---------0------ 00000100 0----------0---- 11111111 1----------1---- 11111111 --------1-0----- 11111111 --------0-1----- 11111111 -------0-------- 11111111 ---1------------ 11111111 --0------------- 11111111 -1-------------- 11111111 .e 3 Quote Link to comment Share on other sites More sharing options...
HOME AUTOMATION Posted February 23, 2023 Share Posted February 23, 2023 Looks very good ...you must know everything! -Tarzan no understand. Quote Link to comment Share on other sites More sharing options...
+acadiel Posted February 23, 2023 Author Share Posted February 23, 2023 1 hour ago, HOME AUTOMATION said: Looks very good ...you must know everything! -Tarzan no understand. Hah, if only I understood the output and how to translate it to JEDEC. Quote Link to comment Share on other sites More sharing options...
+acadiel Posted February 23, 2023 Author Share Posted February 23, 2023 I did find an arguments for espresso that reduces the output into algebraic equations: Combinational output (probably not valid) $ espresso -o eqntott tiworkshop.tbl0 >test0.txt # PAL16R4 io18 = (!i3&i4&!i5&i9&!io13); io19 = (i2); ro17 = ; ro16 = ; ro15 = ; ro14 = ; io18oe = (); io19oe = (); Registered output: $ espresso -o eqntott tiworkshop.tbl1 >test1.txt # PAL16R4 io18 = (!i2&!fio19) | (i2&fio19) | (io13&!fio18) | (!io13&fio18) | (!i9) | ( i5) | (!i4) | (i3); io19 = (!i2&!fio19) | (i2&fio19) | (io13&!fio18) | (!io13&fio18) | (!i9) | ( i5) | (!i4) | (i3); ro17 = (!i8) | (!i2&!fio19) | (i2&fio19) | (io13&!fio18) | (!io13&fio18) | ( !i9) | (i5) | (!i4) | (i3); ro16 = (!i7) | (!i2&!fio19) | (i2&fio19) | (io13&!fio18) | (!io13&fio18) | ( !i9) | (i5) | (!i4) | (i3); ro15 = (!i6) | (!i2&!fio19) | (i2&fio19) | (io13&!fio18) | (!io13&fio18) | ( !i9) | (i5) | (!i4) | (i3); ro14 = (!io12) | (!i2&!fio19) | (i2&fio19) | (io13&!fio18) | (!io13&fio18) | ( !i9) | (i5) | (!i4) | (i3); io18oe = (!i2&!fio19) | (i2&fio19) | (io13&!fio18) | (!io13&fio18) | (!i9) | ( i5) | (!i4) | (i3); io19oe = (!i2&!fio19) | (i2&fio19) | (io13&!fio18) | (!io13&fio18) | (!i9) | ( i5) | (!i4) | (i3); This looks a bit closer, but still need to learn the idiosyncrasies of some of the nomenclature (like the "f") @Fritz442, thoughts? Quote Link to comment Share on other sites More sharing options...
Fritz442 Posted February 23, 2023 Share Posted February 23, 2023 Oh yeah, personally I would start with a standard PAL12L6 chip to decode. One that we know the jedec of, so we can learn what your outputs mean. The 16R4 is one of the absolute hardest chips I have decoded. Starting with the easier ones may make your/these outputs make more sense. If you have a removeable 12L6 chip you can run on your decoder. 1 Quote Link to comment Share on other sites More sharing options...
+acadiel Posted February 23, 2023 Author Share Posted February 23, 2023 4 minutes ago, Fritz442 said: Oh yeah, personally I would start with a standard PAL12L6 chip to decode. One that we know the jedec of, so we can learn what your outputs mean. The 16R4 is one of the absolute hardest chips I have decoded. Starting with the easier ones may make your/these outputs make more sense. If you have a removeable 12L6 chip you can run on your decoder. I'm sure it can do it - it actually states it supports the following. The above is the one that I need, though. Combinatorial PAL10L8 PAL16L8 PAL20L8 Registered PAL16R4 PAL16R6 PAL16R8 PAL20R4 PAL20R6 PAL20R8 2 Quote Link to comment Share on other sites More sharing options...
Fritz442 Posted February 23, 2023 Share Posted February 23, 2023 (edited) Ok, the Corcomp micro expansion unit chip U9 is a PAL16L8 that we have the jedec for, if you can't make a 12L6 work, but a 12L6 would be easier to learn with. Edited February 23, 2023 by Fritz442 Quote Link to comment Share on other sites More sharing options...
+acadiel Posted February 23, 2023 Author Share Posted February 23, 2023 By the way, I disassembled the cart and scanned it in. Need to put some round pin sockets in this thing anyway. Plus, now we can see how it's wired. 3 Quote Link to comment Share on other sites More sharing options...
+Ksarul Posted February 24, 2023 Share Posted February 24, 2023 27 minutes ago, acadiel said: By the way, I disassembled the cart and scanned it in. Need to put some round pin sockets in this thing anyway. Plus, now we can see how it's wired. You want me to make a layout for it and post it here? That's an easy one. . . 1 Quote Link to comment Share on other sites More sharing options...
+dhe Posted February 24, 2023 Share Posted February 24, 2023 1) Was the protection fuse blown - so... did you have to brute force it? 2) Was you able to take the equations and burn a new working PAL/GAL? Inquiring minds want to know! Quote Link to comment Share on other sites More sharing options...
+acadiel Posted February 24, 2023 Author Share Posted February 24, 2023 16 hours ago, dhe said: 1) Was the protection fuse blown - so... did you have to brute force it? 2) Was you able to take the equations and burn a new working PAL/GAL? Inquiring minds want to know! Yes, the fuse was blown. That's why I built the PAL brute force device... to try and get the equations Here's what everything is hooked up to. The only strange connection is the PAL is getting its clock (pin 1) from one of its I/O pin (pin 18). Pins 17 and 19 are n/c. There’s a small typo for #9 - should be A1 under EPROM Desc. 1 Quote Link to comment Share on other sites More sharing options...
+acadiel Posted February 24, 2023 Author Share Posted February 24, 2023 1 hour ago, Ksarul said: You want me to make a layout for it and post it here? That's an easy one. . . Sure - that board I believe was used for TI Workshop, Red Baron, Desktop Publisher, and Beyond WordWriter. The jumpers were the only things that differed at the top. Plus the PAL. Quote Link to comment Share on other sites More sharing options...
Fritz442 Posted February 24, 2023 Share Posted February 24, 2023 (edited) I just found my 'Red Baron cart' and replaced the eprom with WORKSHOP.BIN from the Finalgrom files folder. Temporarily switched the one jumper to match yours and the cart works. Definitely seems more interesting than Red Baron... Edited February 24, 2023 by Fritz442 2 Quote Link to comment Share on other sites More sharing options...
+acadiel Posted February 24, 2023 Author Share Posted February 24, 2023 37 minutes ago, Fritz442 said: I just found my 'Red Baron cart' and replaced the eprom with WORKSHOP.BIN from the Finalgrom files folder. Temporarily switched the one jumper to match yours and the cart works. Definitely seems more interesting than Red Baron... Makes me wonder if they used the same PAL for everything. Try and exercise all the functionality - and if it all works, then it must be indeed the same PAL. TI Workshop needed all three address lines banked vs. the two for Red Baron. Quote Link to comment Share on other sites More sharing options...
Fritz442 Posted February 24, 2023 Share Posted February 24, 2023 7 minutes ago, acadiel said: Makes me wonder if they used the same PAL for everything. Try and exercise all the functionality - and if it all works, then it must be indeed the same PAL. TI Workshop needed all three address lines banked vs. the two for Red Baron. OK I'll test it tomorrow as best I can, is yours v1.0 also? Quote Link to comment Share on other sites More sharing options...
+acadiel Posted February 24, 2023 Author Share Posted February 24, 2023 16 hours ago, Fritz442 said: OK I'll test it tomorrow as best I can, is yours v1.0 also? Yep. As far as I know, they only released that one version. Supposedly, it was going to be renamed “Magic Memory” to avoid TI’s wrath, but I’ve never seen that binary/ROM. IF all the functionality works, it gives me hope, because that same cart board (and the same PAL) can make new CRU bank switched carts, to help fix old ones that aren’t working. Here’s some information on CRU, but I noticed a few things - 1) The cart is only using CRUCLK, not in or out, 2) The 8 TI address lines aren’t contiguous (A3-A5 and A12-A15), and 3) it’s using DBIN somehow with this. 4) TI Workshop’s manual says it’s using CRU >0800. 5) CRU was almost exclusively used for sidecar and PEB peripherals, almost never carts. https://www.unige.ch/medecine/nouspikel/ti99/cru.htm EPROM TI PAL A15 A14 A13 (A2 and below not on cart port) A12 A3 3 A11 A4 4 A10 A5 5 A9 A6 A8 A7 A7 A8 A6 A9 A5 A10 A4 A11 A3 A12 6 A2 A13 7 A1 A14 8 A0 A15 9 Some updated thoughts and even more questions. Since A0-A2 are hard wired to make the cart port to start at address >6000, I’m wondering what role the separated address lines play in the inputs on the PAL. Example: Does A3-A5 on the TI toggle to >800 in conjunction with the CRUCLK line going low? From what I understand about CRU, once CRUCLK is toggled low, the next cycle is valid and sends out bit by bit data on TI A15. So, possibly have the three bits that you need for EPROM A13, A14, and A15 so that the PAL can toggle these low/high to do the bank switch? Then, why is the PAL interfacing with TI A12-A14? This is how the bank switching works in assembler. We just need to translate this to physical hardware: 2 Quote Link to comment Share on other sites More sharing options...
+dhe Posted February 24, 2023 Share Posted February 24, 2023 It would be interesting to take a PAL with the protection fuse in tact, read it out, then read it with DuPAL to see if the equations look different - even if functionally identical. I had denoted this device in the EPROMS and PALS thread and called it peak reverse engineering. It's really a super device for everyone working on electronics from the 80's and 90's - no more black boxes! 2 Quote Link to comment Share on other sites More sharing options...
+acadiel Posted February 27, 2023 Author Share Posted February 27, 2023 Just a FYI, an observation that we're making as we are experimenting with this... the -15 GAL parts seem to have a timing issue. The original PAL is a -25 part. The GAL, as noted above, hooks the CLK line to I/O pin 18, which is odd. Some question to toss out there for the ether: Have only 25ns PAL/GALs worked on the cartridge port in the past? If 15ns PALs/GALs have worked, which models? Why would someone put the PAL/GAL clock pin into an I/O pin of the same PAL/GAL? What purpose does this serve? I remember that Cecure (Don) did some experimenting with GALs (and actually made some prototype cart boards back in the 90s), and ultimately resulted in him saying "The TI Bus was too noisy." I don't know if these were just too fast GALs, or the wrong part, or ?? Needless to say, our machine does appear to be picky with some of these PLDs. 1 Quote Link to comment Share on other sites More sharing options...
+dhe Posted February 27, 2023 Share Posted February 27, 2023 7 hours ago, acadiel said: -15 GAL parts seem to have a timing issue. Right, that was the problem with the original WHT SCSI controller. Michael Becker fixed that with a daughter board, another way of saying "TI Bus was too noisy" is new parts are too fast, they see dozens of state changes while the TI bus is still getting settled... Fixes for timing issues like that - are way above my head. 2 Quote Link to comment Share on other sites More sharing options...
+acadiel Posted February 28, 2023 Author Share Posted February 28, 2023 4 hours ago, dhe said: Right, that was the problem with the original WHT SCSI controller. Michael Becker fixed that with a daughter board, another way of saying "TI Bus was too noisy" is new parts are too fast, they see dozens of state changes while the TI bus is still getting settled... Fixes for timing issues like that - are way above my head. Yep, so I have some NOS -25 flash and traditional GALs headed this way to try. 1 Quote Link to comment Share on other sites More sharing options...
+dhe Posted February 28, 2023 Share Posted February 28, 2023 If anyone here knows how to adjust for timing we would all like to learn how to do that! Please? Quote Link to comment Share on other sites More sharing options...
+dhe Posted February 28, 2023 Share Posted February 28, 2023 @acadiel do you have an extra dupal you'd like to sell - or where is the best place to pick one up? Thanks, Dano Quote Link to comment Share on other sites More sharing options...
+acadiel Posted February 28, 2023 Author Share Posted February 28, 2023 12 hours ago, dhe said: @acadiel do you have an extra dupal you'd like to sell - or where is the best place to pick one up? Thanks, Dano I think @Fritz442is interested in building one. Oshpark and PCBWay are the best places to get the PCB made (boards source is here). Might be worth going in and getting a few done and splitting it? The soldering and finding parts is easy. The programming of the boot loader and DuPAL EPROM is a little harder, and I have some great lessons learned from building and getting this thing to work over the past year. Including just using a 5V FTDI USB cable on pins #9-12 of the MAX232 IC socket instead of putting a MAX232 in it. I have a pre-built 16Mhz version of the DuPAL board Atmega 328P I can just dump if they someone doesn't want to download and compile the boot loader and DuPAL board firmware from scratch. (Mine differs slightly that I use 16Mhz like a regular Arduino instead of 20Mhz like the schematics call for - doesn't make a difference because I compiled mine for 16Mhz. I can throw my 328P in a regular Arduino, though and troubleshoot it.) 2 Quote Link to comment Share on other sites More sharing options...
+dhe Posted February 28, 2023 Share Posted February 28, 2023 4 hours ago, acadiel said: Including just using a 5V FTDI USB cable on pins #9-12 of the MAX232 IC I've seen a number of boards doing this. I have a 6809 SBC I would like to try to build first. I might be asking questions later.... Thanks for the information! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.