Cartridge keys and emulation

troed
Moderator
Posts: 562
Joined: Mon Aug 21, 2017 10:27 pm

Cartridge keys and emulation

Post by troed » Sat May 16, 2020 9:37 pm

I've come into the possession of a Steinberg Avalon original package. After having dumped the disks, I realised they wouldn't run in Hatari since I had no way of plugging in the cartridge.

This thread is about solving that problem. The target is to be able to mount a cloned key to emulator cartridge space, to be able to run original disk dumps under emulation.

Attachments: avalon.JPG, top.JPG, bottom.JPG, MMI_PAL_16R6.jpg

My assumption is that we're dealing with an MMI PAL16R8 - and the connections are as follows:

Top side:
UDS    1   (CLK on R8, I0 on L8)
ROM3   11  (OE on R8, I9 on L8)
A5     9   (I8)
A6     8   (I7)
A7     7   (I6)
A8     6   (I5)
D8     16  (O5)
D10    17  (O6)
D12    18  (O7)
D14    19  (O8 on R8/L8, could have been I on R6/R4)
+5V    20  (VCC)

Bottom side:
GND    10  (GND)
A1     2   (I1)
A2     3   (I2)
A3     4   (I3)
A4     5   (I4)
D9     12  (O1)
D11    13  (O2)
D13    14  (O3)
D15    15  (O4)

tl;dr: OE on accessing FA bank, clocked by upper bus byte access, takes address low byte (watch the nibble bit order) as input and outputs byte at high byte (D9-D15).

1) Brute force
2) Decap and restore security fuse
3) Glitch-hack using under-voltage and clock-skew when trying to read out the contents

I know which method I will begin with. What would you?

/Troed

exxos
Site Admin
Posts: 10425
Joined: Wed Aug 16, 2017 11:19 pm
Location: UK

Re: Steinberg Avalon cartridge

Post by exxos » Sat May 16, 2020 9:45 pm

I would say just put a logic analyser on it, and look for what patterns are going in, and coming out... Such a small chip it cannot really be doing much..
https://www.exxoshost.co.uk/atari/ All my hardware guides - mods - games - STOS
https://www.exxoshost.co.uk/atari/store2/ - All my hardware mods for sale - Please help support by making a purchase.

czietz
Posts: 237
Joined: Sun Jan 14, 2018 1:02 pm

Re: Steinberg Avalon cartridge

Post by czietz » Sat May 16, 2020 9:55 pm

Having reverse-engineered (and subsequently bug-fixed) the PAL in an Atari SH204 host adapter, obviously I would start with "brute force", too. If it was a combinatorial PAL, the equations could be extracted by applying all possible inputs and minimizing the resulting outputs using something like Espresso (https://en.wikipedia.org/wiki/Espresso_ ... _minimizer).

However, I agree with you, @troed, that this will be a registered PAL, which complicates matters significantly. (The SH204 PAL is also registered.) You can use the fact that a PAL16R8 has no hidden registers. Whenever /OE is active, you can observe all register contents at the respective output pins.

troed
Moderator
Posts: 562
Joined: Mon Aug 21, 2017 10:27 pm

Re: Steinberg Avalon cartridge

Post by troed » Sat May 16, 2020 10:28 pm

Exactly - brute force it is.

When I started, I was sure this cartridge would be similar to Cubase cartridges, this being another Steinberg product. However, I'm less sure now. From what I can see, a simple assembler program on the ST with the cartridge inserted will result in a nice 256 byte table (which might need to be mirrored over the whole address space). If it was that easy to clone Cubase keys, surely that would've been done - and even sw hacks just redirecting cart memory space reads etc.

In any case, since there is no internal memory in this chip I can't see how it would be harder than to run through 2^8 inputs and record the (always the same) outputs. Let's see tomorrow.

edit: 256*number of clocks/reads

/Troed

adam
Posts: 27
Joined: Sat Feb 02, 2019 6:01 pm

Re: Steinberg Avalon cartridge

Post by adam » Sat May 16, 2020 10:44 pm

troed wrote:
Sat May 16, 2020 10:28 pm
In any case, since there is no internal memory in this chip I can't see how it would be harder than to run through 2^8 inputs and record the (always the same) outputs.

There is a memory in this chip. Not using a GAL in registered mode to implement a hardware key would be an interesting idea. If that's the case you're lucky :)

troed
Moderator
Posts: 562
Joined: Mon Aug 21, 2017 10:27 pm

Re: Steinberg Avalon cartridge

Post by troed » Sat May 16, 2020 10:58 pm

adam wrote:
Sat May 16, 2020 10:44 pm
There is a memory in this chip. Not using a GAL in registered mode to implement a hardware key would be an interesting idea. If that's the case you're lucky :)

Not sure I follow. The only inputs to your logic are the 8 input pins and the 8 output pins. All of them are visible/known.

http://www.applelogic.org/files/PAL16R8.pdf

/Troed

beel1
Posts: 29
Joined: Mon Feb 25, 2019 10:36 pm

Re: Steinberg Avalon cartridge

Post by beel1 » Sat May 16, 2020 11:13 pm

I made a few posts about my findings on a Synthworks dongle in AF a few years ago.
Unfortunately AF is down for now so here is an archive.org link: https://web.archive.org/web/20190309135 ... &start=100

I started by putting a breakpoint in Hatari on ROM port addresses to find the routine I described.

exxos
Site Admin
Posts: 10425
Joined: Wed Aug 16, 2017 11:19 pm
Location: UK

Re: Steinberg Avalon cartridge

Post by exxos » Sun May 17, 2020 1:18 am

I would assume Cubase has a serial number which would match the same number in the GAL? Then it would output some sequence to say yes or no back to Cubase. Though the GAL probably couldn't process many bits anyway.

czietz
Posts: 237
Joined: Sun Jan 14, 2018 1:02 pm

Re: Steinberg Avalon cartridge

Post by czietz » Sun May 17, 2020 7:59 am

troed wrote:
Sat May 16, 2020 10:58 pm
Not sure I follow. The only inputs to your logic are the 8 input pins and the 8 output pins. All of them are visible/known.

Yes, the outputs are visible (fortunately). But you cannot directly control them. To reverse-engineer the logic equations by minimization you need to exercise all input terms. Since -- as you mention -- the output pins are possible input terms into the equations as well, you first have to figure out a way to set/reset the outputs.

It's helpful to hook a logic analyzer to the chip while using the dongle as a starting point for reverse-engineering.

If I had to implement a dongle with a PAL, I'd probably go with an LFSR, which can produce quite long sequences of pseudo-random numbers. Using the input data as seed.

terriblefire
Moderator Team
Posts: 2466
Joined: Mon Aug 28, 2017 10:56 pm
Location: Glasgow, UK

Re: Steinberg Avalon cartridge

Post by terriblefire » Sun May 17, 2020 8:21 am

troed wrote:
Sat May 16, 2020 10:58 pm

Not sure I follow. The only inputs to your logic are the 8 input pins and the 8 output pins. All of them are visible/known.

http://www.applelogic.org/files/PAL16R8.pdf

/Troed

It's not quite this simple. A PAL can keep state based on previous inputs clocked into D-type flip-flops internally. Maybe it doesn't do this, maybe it does, but it has that capability.
———
I get cranky when asked to repeat myself.
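
Added example, not part of any post in this thread: a Python model of the point czietz and terriblefire make about registered PALs. The device modelled here is hypothetical (8 flip-flops, all visible on the outputs, next state = one LFSR step XORed with the input byte; the taps 0x1D and the way the input is mixed in are assumptions, not the Avalon key's logic). It shows that a single 256-read pass gives a table that depends on read order, while the full (state, input) transition table is still finite because no register is hidden.

```python
from collections import deque

def pal_clock(state: int, inp: int) -> int:
    """One clock edge of the hypothetical device: LFSR step, then mix in input."""
    feedback = 0x1D if state & 0x80 else 0   # arbitrary taps, illustration only
    return (((state << 1) & 0xFF) ^ feedback) ^ inp

def naive_table(start: int = 0) -> list:
    """Single pass over the 2^8 inputs, recording one output byte per input."""
    state, table = start, []
    for inp in range(256):
        state = pal_clock(state, inp)        # every read also clocks the registers
        table.append(state)
    return table

def explore(start: int = 0) -> dict:
    """Breadth-first walk of the (state, input) -> next-state table.

    Possible only because all registers appear on the output pins, so the
    current state is always known to the observer.
    """
    transitions, seen, queue = {}, {start}, deque([start])
    while queue:
        state = queue.popleft()
        for inp in range(256):
            nxt = pal_clock(state, inp)
            transitions[(state, inp)] = nxt
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return transitions

def outputs_for(transitions: dict, inp: int) -> set:
    """All outputs the same input can produce, depending on prior history."""
    return {nxt for (_, i), nxt in transitions.items() if i == inp}

if __name__ == "__main__":
    table = naive_table()
    fsm = explore()
    # Same input 0x02, two different histories, two different answers.
    print(hex(table[0x02]), hex(pal_clock(0x00, 0x02)))
    print(len(fsm), "transitions;", len(outputs_for(fsm, 0x02)), "outputs for input 0x02")
```

For an emulator, the consequence is that a cartridge model for such a device has to carry the register state between reads rather than serve a fixed 256-byte image.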
