-- Tim Shoppa Email: shoppa_at_trailing-edge.com Trailing Edge Technology WWW: http://www.trailing-edge.com/ 7328 Bradley Blvd Voice: 301-767-5917 Bethesda, MD, USA 20817 Fax: 301-767-5927 How to Reverse Engineer a Non-Stated Programmable Logic Device Using Nothing but Stone Knives and Bear Skins. Revision 0.1 / 3-Mar-2000 Tim Shoppa, shoppa_at_trailing-edge.com INTRODUCTION Computer collectors often come across programmable logic devices (bipolar PROMs, PALs, GALs, etc.) in their hardware. They may want knowledge of the device to improve, customize, or modify it, they may want to know what it is doing purely out of curiosity, or they might want to simply be able to replace device in the future in case of hardware failure. As the original manufacturer of the equipment has almost always disavowed all support and knowledge of the programmed devices, here I tell how you can determine the function of the device, even if it has had (for example) a security fuse blown. ASSUMPTIONS Here I assume the following: 1. The reader of this document has at least a little bit of familiarity with electronics - enough to wire up simple logic circuits on solderless breadboards, and use a logic probe or multimeter, and find pin 1 on an IC. Those who aren't familiar with electronics should start elsewhere for the very basics - I strongly recommend Don Lancaster's _TTL Cookbook_ and Horowitz and Hill's _The Art of Electronics_. 2. The device to be reverse-engineered is easily removed from its circuit for testing. Very often, bipolar PROM's and many PAL's are already socketed for easy removal. While it is undoubtedly possible to apply the techniques I describe here to in-circuit testing, there are complications of in-circuit testing that I'm not ready to discuss in general. 3. The device to be reverse-engineered doesn't have any internal "state". Again, the principles discussed here can also be used with, for example, registered PAL's, but interpreting the results and ensuring that all internal states are exercised is not discussed here. 4. Here I also assume that device being reverse-engineered doesn't have any tri-stated outputs. The techniques discussed here *do* allow for devices which have pins that are fuse-programmable for input only or output only. STEP 1: DETERMININING DEVICE POWER CONNECTIONS For many programmable devices (especially PALs and GALs, and many bipolar PROMs) the Vcc and Ground power connections follow the "standard" TTL conventions - i.e. for a 14 pin device, Vcc is at pin 14, ground is at pin 7. For a 20 pin device, Vcc is at pin 20, ground is at pin 10. usw. Not all programmable devices follow these conventions. Usually some simple testing with an ohmmeter, checking for connection to +5V and Ground at some known IC or connector on the circuit board, will reveal the actual connections. It's vitally important that you are sure about the Vcc and ground connections. IC's don't like having power applied backwards across them. Seeing as how you've already decided that the part in question is worth reverse engineering - probably because it's irreplacable - it's wise to be very careful about this phase. OK, now that we know which pins are Vcc and ground, put the device on your favorite solderless breadboard and apply power. Be sure to bypass Vcc to ground near the device with an appropriate bypass capacitor (say, 0.001 to 0.01 uF). STEP 2: DETERMINING INS AND OUTS If you've got a good logic probe - one that can distinguish a high from a low from an open circuit - this stage is easy. Just use the logic probe to test each unknown pin - if it's definitely high or low, then it's an output. If it's open circuit or high impedance, it's probably an input. My logic probe is a $7.99 device I bought at a local electronics store many years ago. It detects high, low, and open circuits, and also has a pulse stretcher for making very brief output pulses visible. I recommend that anyone doing anything even remotely related to digital electronics have such a tool. But for those who don't have such a tool, you can use a milliameter to do the equivalent thing. Attach one end of a milliameter to Vcc through a 1K resistor, and scan through all the unknown pins on the device with the other end of the milliameter. If you see a current of 3-5 mA, you've found an output which is low. Now attach one end of the milliameter to ground with a 1K resistor, and scan through the remaining unknown pins with the other end of the milliameter. If you see a current of 2-5 mA on any pin, you've found an output which is high. Any remaining pins that didn't show appreciable current flow through either pass with the milliameter is now known to be an input. STEP 3: SCAN THROUGH ALL THE INPUTS OK, now we fall back on one of my favorite methods of all: Brute Force. Say we started out with a 24-pin device, and found two of the pins to be Vcc and Ground, and found three other pins which tested to be outputs. That leaves 19 pins as inputs. There are 2^19, or about half a million, possible input patterns to this device. That might sound like a lot, but it really isn't - by using our friend, the 74LS93, to scan through the inputs we can scan through this in under a second if we want. The 74LS93 is a 4-bit binary counter. We're going to chain as many as necessary together (in the example above, 5 74LS93's gives us a 20-bit counter, enough to scan through 2^20 or a million input states) to scan our device under test. I bought 5 74LS93's at a local electronic store in a 5-unit "Jim-Pak" for under $3.00. Each 74LS93 stage is wired together according to the following schematic: Qa Qd Clk Qc Qd Out Out Out Out Out ^ ^ ^ ^ ^ | | | | | | | | | | /----------------* *----/ | | | | | | | | Clk | | | | | in | | Gnd | | | ^ | | ^ | | | | | | | | | | | | | | | | | --------------------------------------- | | 14 13 12 11 10 9 8 | | | | | | | | | | | | | | ) 74LS93 | | | | | | | | | | | | | | | | | | 1 2 3 4 5 6 7 | | --------------------------------------- | | | | | | | | | | \------/ \----* v | Vcc v RESET IN Note that the 74LS93 doesn't follow the TTL convention of putting ground in the lower right and Vcc on the upper left! Again, we're dealing with clocked logic here, so to prevent output changes from making power supply glitches that feed into nearby stages it's good practice to bypass Vcc to ground near each IC with a bypass capacitor. To chain the above counters together, run clock out from the first 74LS93 to clock in on the second 74LS93, clock out from the second 74LS93 to clock in on the third 74LS93, etc. The "RESET IN" connection to each counting stage should be tied low for normal counting, and momentarily tied high to reset all the counters. I tied all the reset ins together on my solderless breadboard and hooked them to ground for normal operation. To reset the counters, I move the wire to Vcc briefly and back. STEP 4: NON-COMPUTER ASSISTED SCANNING OK, now we tie Qa-Qd from each counting stage to "input" pins on the device to be scanned. I also like to watch the most significant counting bit cycle, so I hook it (through a 1K or so resistor) to a LED whose anode is hooked to +5V. And we also need a clock to step the counters through all the possible patterns. I used a 555 (again, a part that ought to be available everywhere) to make a simple oscillator: Gnd ^ | | C1 Vcc _____ ^ _____ | | *-- /-- *-----------------\ | \ | \ | Gnd | | /R | /R | ^ | | \1 | \2 | | C2 | | / | / | _____ | | ---* ---* _____ | | | | | | | | | | | /-----------------------------\ | | 8 7 6 5 | | | | | | | | | | | | | | ) 555 | | | | | | | | | | | | | | | | | | 1 2 3 4 | | \-----------------------------/ | | | | | | | | | | | v | | v | Gnd | v Vcc | | Clk | | Out | | | \-----------------------/ C2 is a 0.01 uF capacitor to bypass the threshold divider to ground. It's non-critical, and the circuit will probably work without it. The resistor and capacitor values are noncritical; I happened to use R1=R2=220 ohms, and C1=0.047 uF, to get a clock rate of somewhere around 30 kHz for initial testing. Making C ten times smaller will up the clock rate by a factor of ten; making it ten times larger will slow down the clock rate by a factor of ten. The clock rate you choose will depend on how large of a space you have to scan. OK, now feed Clk Out from the 555 to Clk In on the first 74LS93 stage. With a logic probe, you'll see high-frequency pulses coming out of the first stages of the counter, and on the last stages you'll see the pulse rate divided down by however many stages of divide-by-2 you have wired in. If you've wired a LED to the most significant bit, you'll see it cycle on-off-on as you go through all the possible binary output patterns. Now move the logic probe to an output of the programmable device. With any luck, you'll see output pulses here flashing in a repeating cycle that coincides with the MSB LED hooked to the last counter stage. STEP 5: DETERMINING WHICH INPUTS GIVE INTERESTING OUTPUTS OK, now suppose that our logic probe has told us that the output from our PAL under test is "high" almost all the time, but goes low only a few times per input cycle. If the PAL was used as an address decoder - as many of the ones I deal with are used - then this is a very likely case. So to find the input that causes the output to go low, we gate the clock signal from the 555 with the PAL output through a NAND gate. When the PAL output goes low, the clock pulses will no longer be applied to the counter, and the counters will stop at the input which caused the PAL output to go low. (1/4 of a 74LS00 NAND) |------- Clk out from 555 ---------------| ) | )O------- Clk in to first 74LS93 Out from PAL ---------------| ) |------- When the counters stop, just use a logic probe to read off the logic states that produce the interesting "input" state. To continue scanning, momentarily lift the "out from PAL" signal from the 74LS00. This input will float high, and the counters will start scanning again. If you suspect that there might be other "PAL output low" combinations, it may be worthwhile to slow down or stop the 555 clock signal while you momentarily lift the "out from PAL" signal. For this purpose, I keep a largish electrolytic around to plug in parallel across the the capacitor that sets the 555 time constant. -- Tim Shoppa Email: shoppa_at_trailing-edge.com Trailing Edge Technology WWW: http://www.trailing-edge.com/ 7328 Bradley Blvd Voice: 301-767-5917 Bethesda, MD, USA 20817 Fax: 301-767-5927Received on Fri Mar 03 2000 - 10:58:26 GMT
This archive was generated by hypermail 2.3.0 : Fri Oct 10 2014 - 23:33:04 BST