Cartridge keys and emulation

General discussions or ideas about hardware.
Post Reply
czietz
Posts: 332
Joined: Sun Jan 14, 2018 1:02 pm

Re: Steinberg Avalon cartridge

Post by czietz » Tue May 19, 2020 7:09 am

troed wrote:
Mon May 18, 2020 10:43 pm
Just a hickup, but irritating. It does give me some incentive to in addition to emulator support also try to produce either a working GAL16V8 replacement or, if the equations cannot be reversed from the data, some MCU based hw clone.
Having already successfully reverse-engineered the equations of a PAL, I have quite detailed ideas how I would proceed. With enough effort it should be possible to reconstruct the equations. Too bad that these dongles are very expensive on eBay; too expensive to do this as a fun project. (I have no need for Steinberg software.)

troed
Moderator
Moderator
Posts: 710
Joined: Mon Aug 21, 2017 10:27 pm

Re: Steinberg Avalon cartridge

Post by troed » Tue May 19, 2020 8:07 am

czietz wrote:
Tue May 19, 2020 7:09 am
Having already successfully reverse-engineered the equations of a PAL, I have quite detailed ideas how I would proceed. With enough effort it should be possible to reconstruct the equations. Too bad that these dongles are very expensive on eBay; too expensive to do this as a fun project. (I have no need for Steinberg software.)
Yeah I'm doing it purely for the challenge. Helping out with archiving for posterity is a bonus.

I'll shell out the money if needed.

/Troed

User avatar
JezC
Trusted Guru
Trusted Guru
Posts: 834
Joined: Mon Aug 28, 2017 11:44 pm

Re: Steinberg Avalon cartridge

Post by JezC » Tue May 19, 2020 8:19 am

beel1 wrote:
Mon May 18, 2020 10:55 pm
Try running Avalon with the dongle first :D
Ok, will dig out the dongle & try it in the Mega ST4 it came with - I think the s/w is still on the Megafile so I will run the s/w with no dongle & then with the dongle & if that is OK, then try it with that program.

We can try to sort out Avalon first & then revisit the Synthworks dongles at a later date.

I've wanted to get the equivalent editor for the Roland D series (incl. MT32 etc.) but can't afford that.

I got the C-Lab one back in the late 80s...and that is now in the public domain :shrug: :sigh:

Tomswork
Posts: 422
Joined: Fri Nov 22, 2019 10:05 pm

Re: Steinberg Avalon cartridge

Post by Tomswork » Tue May 19, 2020 8:44 am

I have a question about the cartridge key. Does the software have a s/n or does it access hardware thru a midi port. There were not many ways to validate a dongle in the old days. Some of the old dongle looked for something unique like a code from a startup phrase in a booklet or stored the phrase once entered on th floppy or hd to check with the key.

Tom

troed
Moderator
Moderator
Posts: 710
Joined: Mon Aug 21, 2017 10:27 pm

Re: Steinberg Avalon cartridge

Post by troed » Tue May 19, 2020 9:29 am

Tomswork wrote:
Tue May 19, 2020 8:44 am
I have a question about the cartridge key. Does the software have a s/n or does it access hardware thru a midi port. There were not many ways to validate a dongle in the old days. Some of the old dongle looked for something unique like a code from a startup phrase in a booklet or stored the phrase once entered on th floppy or hd to check with the key.
An ST cartridge is a memory space. The dongles generate numbers when an address is read, and the chip inside the dongle is supposed to generate a string of values hard to predict. The values are then used in the execution of the program on the ST, so if the values are wrong the execution will fail.

It's very different from simple phrases or serial numbers.

/Troed

troed
Moderator
Moderator
Posts: 710
Joined: Mon Aug 21, 2017 10:27 pm

Re: Steinberg Avalon cartridge

Post by troed » Tue May 19, 2020 10:01 am

There might also be different hardware dongles, even though they're all Steinberg. From this thread we know that Synthworks and Avalon use the same method, only different variables and equations. From a thread on Atari-Forum (down, so reading cached) I saw Frank saying the Cubase Score one is different:
Inside the Steinberg Dongle is a "Intel P5C060" cmos PLD Chip. (Cubase Score 3.x key)
I found a random photo showing a Steinberg dongle for "Twenty Four" with visible chip marking, GAL16V8: https://www.nightfallcrew.com/wp-conten ... G_9830.jpg The PCB is the same as for Avalon/Synthworks.

... and here's a tweet showing that a Cubase dongle at least has a different PCB. Looks like it's a single bit in, single bit out:

Chip visible for the Cubase dongle here, validating Frank's comment of chip type. A quick read through the data sheet made me think it doesn't have hidden registers either, but I didn't read in that much detail. Since all unused pins are tied to GND/VCC they simply don't use outputs as inputs if so.



/Troed

beel1
Posts: 40
Joined: Mon Feb 25, 2019 10:36 pm

Re: Steinberg Avalon cartridge

Post by beel1 » Tue May 19, 2020 10:55 am

I profiled the startup of several legal versions I found (mostly here: http://atari.music.free.fr/main.php?Cubase also here: https://atarimusic.exxoshost.co.uk/foru ... f=23&t=807 ), there are at leat 2 different dongle read routines:
  • Routine "A" (black dongle) we are working on:
    Synthworks Wavestation 1.14
    Avalon 2.1
    Cubase 2.01
  • Routine "B" (red dongle):
    Cubase 3.10
    Cubase Score 2.0r6

User avatar
JezC
Trusted Guru
Trusted Guru
Posts: 834
Joined: Mon Aug 28, 2017 11:44 pm

Re: Steinberg Avalon cartridge

Post by JezC » Tue May 19, 2020 11:20 am

I know that the red dongle for Cubase 3 (and the same one works with Cubase Score and even Cubase Audio Falcon I think???) is different from the Cubase 2 dongle.

I have a few Cubase 3 dongles & also a full Cubase Audio Falcon box & two Pro 24 dongles (I think) - I don't have one for Cubase 2 though.

Is there interest in reverse engineering some of the other dongles as well in the future? If so I can try to help out with all but the black Cubase 2.0 dongle...

czietz
Posts: 332
Joined: Sun Jan 14, 2018 1:02 pm

Re: Steinberg Avalon cartridge

Post by czietz » Tue May 19, 2020 11:44 am

troed wrote:
Tue May 19, 2020 8:07 am
Yeah I'm doing it purely for the challenge. Helping out with archiving for posterity is a bonus.
I'll shell out the money if needed.
Ok, since I cannot actually do it (for lack of a dongle [1]), here is what I would do. Maybe it can help you.

1. Capture the access pattern to the dongle (input pins, clock, /OE) on the Atari using a logic analyzer.
2. Recreate this pattern in a microcontroller and place µC and PAL on a breadboard. Force /OE low so that one can observe the registers for every clock cycle.
3. Put the data in vectors: [input pins, current register state] => [register state after clock] and run these vectors through Espresso or a similar minimizer.
4. In the best case, this will already yield a (sensible) solution.
5. If for some reason the approach above fails, I would revisit my theory that this is mainly an LFSR:
a. clock the PAL with constant input
b. see how the period of the data is
c. try to figure out the LFSR
d. set the input pins and try to figure out how they are combined

[1] For a fun challenge like this, I'd maybe spend 10 €; but the dongles are being sold for 50 € or so.

beel1
Posts: 40
Joined: Mon Feb 25, 2019 10:36 pm

Re: Steinberg Avalon cartridge

Post by beel1 » Tue May 19, 2020 1:13 pm

JezC wrote:
Tue May 19, 2020 11:20 am
I know that the red dongle for Cubase 3 (and the same one works with Cubase Score and even Cubase Audio Falcon I think???) is different from the Cubase 2 dongle.

I have a few Cubase 3 dongles & also a full Cubase Audio Falcon box & two Pro 24 dongles (I think) - I don't have one for Cubase 2 though.

Is there interest in reverse engineering some of the other dongles as well in the future? If so I can try to help out with all but the black Cubase 2.0 dongle...
Yes all dongles are interesting, red dongles will need more work and should be more challenging
This is what I get when running Cubase Score:

Code: Select all

FB0000 W ---
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000834
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
FB0000 W 00000200
...
Here is Cubase 3.10:

Code: Select all

FB0000 W ---
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 00000E88
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 0000058C
FB0000 W 00000634
FB0000 W 0000058C
FB0000 W 0000058C
Thus dongle reset pattern is unknown yet, and there are far more cycles between reads (0x28 for black dongle and 0x200 or 0x58C for red one) so I guess intermediate results may not be discarded.

Post Reply

Return to “HARDWARE DISCUSSIONS”