This looks like it could be quite helpful in demysifying a decoder.
However, not all devices have negative-going enables and it leaves a gap
there. In a PAL it would be just as easy to use to create a decoder that
uses positive enables, e.g. as found on 6821's and the like. This isn't
common but I've run into it just in the last couple of weeks.
On most of the "old" bipolar PALs, pin 11 was used as the global output
enable, since most of the 16 and 20 input 20 and 24-pin PALs were capable of
generating tristate outputs on every macrocell. The easy way to test for
these is to use a weak pullup, driven by a single driver, together with an
equally weak pull-down resistor array. This can be the same one if your
resistor is on the order of 20K. When your device-under-test is disabled,
it should follow the signal driving the resistors. Monitoring this requires
you use no TTL in the monitoring circuit, since its inputs source current
and will drive up an output.
One other thing that could stand to be circumvented is that the 'LS93 is a
ripple counter which, with PAL speeds as high as they are, could generate
internal glitches long enough set or clear a latch (normally implemented as
a combinatorial loop in an 'L8 or the like).
That might warrant the use of a synchronous counter at least in newly built
devices. For a synchronous counter I like the 'LS590 because it's an 8-bit
counter and has an extra internal register to which the count can be
transferred in parallel, thereby eliminating risk of all but the shortest
output glitches. If you concatenate, say, three of these, their output
registers can be clocked from the complement of the counter clock. That way
they are out of phase with the count clock, hence will not generate internal
races which could result in incorrectly latched data.
Also, for newly built devices, it's about as easy as anything to use a CMOS
Schmidt trigger, e.g. 74HC132 as an oscillator. You need merely put about a
1 MEG pot in feedback across the device, with inputs tied together to form
an inverter, and hang a capacitor, say, 0.01 or 0.1, or whatever else is
handy, and then tweak he pot to set the frequency. That way you don't have
to admit you have used a 555.
These measures should result in less wiring effort for the cases where a new
gadget is being built.
Just my $.02's worth . . .
Dick
-----Original Message-----
From: CLASSICCMP_at_trailing-edge.com <CLASSICCMP_at_trailing-edge.com>
To: CLASSICCMP_at_classiccmp.org <CLASSICCMP_at_classiccmp.org>
Date: Friday, March 03, 2000 10:12 AM
Subject: How to Reverse Engineer a Non-Stated Programmable Logic Device
Using Stone Knives and Bear Skins
>Here's part A of my promised document on reverse engineering programmable
>logic devices. I suspect that it's too technically complex for about 49%
>of the audience, too technically simplistic for 50% of the audience, and
>right on target for only about 1% of the audience. Well, that's how
>the dice fall!
>
>I'm sure that my circuit-design techniques will be viciously attacked here
>too. My emphasis was on using commonly available parts, and even
>though I happened to use my time-tested favorites, I'm sure some folks will
>despise me because I happened to stoop as low as using a 555 in a circuit.
>Please take into account that I know that the hardware I'm using here
>is primitive (thus the "stone knives and bear skins" in the title) and
>that I'm very much aiming at circuits that others will learn from and
>adapt for their own uses.
>
>Soon I'll publish part B, computer-assisted scanning, after I get that
>written up. That will be followed by part C, determining logic equations,
>and part D, reconstructing an equivalent fuse map. These documents,
>as they're revised, will be available over the web at
>
> http://www.trailing-edge.com/www/reverse-engineer/
>
>--
> Tim Shoppa Email: shoppa_at_trailing-edge.com
> Trailing Edge Technology WWW: http://www.trailing-edge.com/
> 7328 Bradley Blvd Voice: 301-767-5917
> Bethesda, MD, USA 20817 Fax: 301-767-5927
>
>
>How to Reverse Engineer a Non-Stated Programmable Logic Device Using
>Nothing but Stone Knives and Bear Skins.
>
>Revision 0.1 / 3-Mar-2000
>Tim Shoppa, shoppa_at_trailing-edge.com
>
> INTRODUCTION
>
>Computer collectors often come across programmable logic devices
>(bipolar PROMs, PALs, GALs, etc.) in their hardware. They may want
>knowledge of the device to improve, customize, or modify it, they may
>want to know what it is doing purely out of curiosity, or they might
>want to simply be able to replace device in the future in case of
>hardware failure. As the original manufacturer of the equipment has
>almost always disavowed all support and knowledge of the programmed
>devices, here I tell how you can determine the function of the device,
>even if it has had (for example) a security fuse blown.
>
> ASSUMPTIONS
>
>Here I assume the following:
>
>1. The reader of this document has at least a little bit of
>familiarity with electronics - enough to wire up simple logic circuits
>on solderless breadboards, and use a logic probe or multimeter, and
>find pin 1 on an IC. Those who aren't familiar with electronics should
>start elsewhere for the very basics - I strongly recommend Don Lancaster's
>_TTL Cookbook_ and Horowitz and Hill's _The Art of Electronics_.
>
>2. The device to be reverse-engineered is easily removed from its
>circuit for testing. Very often, bipolar PROM's and many PAL's
>are already socketed for easy removal. While it is undoubtedly possible
>to apply the techniques I describe here to in-circuit testing,
>there are complications of in-circuit testing that I'm not ready to
>discuss in general.
>
>3. The device to be reverse-engineered doesn't have any internal "state".
>Again, the principles discussed here can also be used with, for example,
>registered PAL's, but interpreting the results and ensuring that all
internal
>states are exercised is not discussed here.
>
>4. Here I also assume that device being reverse-engineered doesn't have
>any tri-stated outputs. The techniques discussed here *do* allow for
devices
>which have pins that are fuse-programmable for input only or output only.
>
> STEP 1: DETERMININING DEVICE POWER CONNECTIONS
>
>For many programmable devices (especially PALs and GALs, and many
>bipolar PROMs) the Vcc and Ground power connections follow the
>"standard" TTL conventions - i.e. for a 14 pin device, Vcc is at
>pin 14, ground is at pin 7. For a 20 pin device, Vcc is at pin 20,
>ground is at pin 10. usw.
>
>Not all programmable devices follow these conventions. Usually some
>simple testing with an ohmmeter, checking for connection to +5V and
>Ground at some known IC or connector on the circuit board, will reveal the
>actual connections.
>
>It's vitally important that you are sure about the Vcc and ground
connections.
>IC's don't like having power applied backwards across them. Seeing as
>how you've already decided that the part in question is worth reverse
>engineering - probably because it's irreplacable - it's wise to be very
>careful about this phase.
>
>OK, now that we know which pins are Vcc and ground, put the device on
>your favorite solderless breadboard and apply power. Be sure to bypass
>Vcc to ground near the device with an appropriate bypass capacitor
>(say, 0.001 to 0.01 uF).
>
> STEP 2: DETERMINING INS AND OUTS
>
>If you've got a good logic probe - one that can distinguish a high
>from a low from an open circuit - this stage is easy. Just use the
>logic probe to test each unknown pin - if it's definitely high or low,
>then it's an output. If it's open circuit or high impedance, it's probably
>an input.
>
>My logic probe is a $7.99 device I bought at a local electronics store
>many years ago. It detects high, low, and open circuits, and also has
>a pulse stretcher for making very brief output pulses visible.
>I recommend that anyone doing anything even remotely
>related to digital electronics have such a tool. But for those who don't
>have such a tool, you can use a milliameter to do the equivalent thing.
>Attach one end of a milliameter to Vcc through a 1K resistor, and scan
>through all the unknown pins on the device with the other end of the
>milliameter. If you see a current of 3-5 mA, you've found an output
>which is low. Now attach one end of the milliameter to ground with
>a 1K resistor, and scan through the remaining unknown pins with the other
>end of the milliameter. If you see a current of 2-5 mA on any pin, you've
>found an output which is high. Any remaining pins that didn't show
>appreciable current flow through either pass with the milliameter is
>now known to be an input.
>
> STEP 3: SCAN THROUGH ALL THE INPUTS
>
>OK, now we fall back on one of my favorite methods of all: Brute Force.
>Say we started out with a 24-pin device, and found two of the pins to be
>Vcc and Ground, and found three other pins which tested to be outputs.
>That leaves 19 pins as inputs. There are 2^19, or about half a million,
>possible input patterns to this device. That might sound like a lot, but
>it really isn't - by using our friend, the 74LS93, to scan through the
>inputs we can scan through this in under a second if we want.
>
>The 74LS93 is a 4-bit binary counter. We're going to chain as many
>as necessary together (in the example above, 5 74LS93's gives us a
>20-bit counter, enough to scan through 2^20 or a million input states)
>to scan our device under test. I bought 5 74LS93's at a local electronic
>store in a 5-unit "Jim-Pak" for under $3.00.
>
>Each 74LS93 stage is wired together according to the following
>schematic:
> Qa Qd Clk Qc Qd
> Out Out Out Out Out
> ^ ^ ^ ^ ^
> | | | | |
> | | | | |
> /----------------* *----/ | |
> | | | | |
> | Clk | | | |
> | in | | Gnd | |
> | ^ | | ^ | |
> | | | | | | |
> | | | | | | |
> | ---------------------------------------
> | | 14 13 12 11 10 9 8 |
> | | |
> | | |
> | | |
> | | |
> | ) 74LS93 |
> | | |
> | | |
> | | |
> | | |
> | | |
> | | 1 2 3 4 5 6 7 |
> | ---------------------------------------
> | | | | |
> | | | | |
> \------/ \----* v
> | Vcc
> v
> RESET
> IN
>
>Note that the 74LS93 doesn't follow the TTL convention of putting
>ground in the lower right and Vcc on the upper left! Again, we're
>dealing with clocked logic here, so to prevent output changes from making
>power supply glitches that feed into nearby stages it's good practice
>to bypass Vcc to ground near each IC with a bypass capacitor.
>
>To chain the above counters together, run clock out from the first
>74LS93 to clock in on the second 74LS93, clock out from the second
>74LS93 to clock in on the third 74LS93, etc.
>
>The "RESET IN" connection to each counting stage should be tied low
>for normal counting, and momentarily tied high to reset all the counters.
>I tied all the reset ins together on my solderless breadboard and
>hooked them to ground for normal operation. To reset the counters,
>I move the wire to Vcc briefly and back.
>
> STEP 4: NON-COMPUTER ASSISTED SCANNING
>
>OK, now we tie Qa-Qd from each counting stage to "input" pins on the
>device to be scanned. I also like to watch the most significant counting
>bit cycle, so I hook it (through a 1K or so resistor) to a LED whose
>anode is hooked to +5V. And we also need a clock to step the counters
>through all the possible patterns. I used a 555 (again, a part that
>ought to be available everywhere) to make a simple oscillator:
>
> Gnd
> ^
> |
> | C1
> Vcc _____
> ^ _____
> | |
> *-- /-- *-----------------\
> | \ | \ | Gnd |
> | /R | /R | ^ |
> | \1 | \2 | | C2 |
> | / | / | _____ |
> | ---* ---* _____ |
> | | | | |
> | | | | |
> /-----------------------------\ |
> | 8 7 6 5 | |
> | | |
> | | |
> | | |
> | | |
> ) 555 | |
> | | |
> | | |
> | | |
> | | |
> | | |
> | 1 2 3 4 | |
> \-----------------------------/ |
> | | | | |
> | | | | |
> v | | v |
> Gnd | v Vcc |
> | Clk |
> | Out |
> | |
> \-----------------------/
>
>
>C2 is a 0.01 uF capacitor to bypass the threshold divider to ground.
>It's non-critical, and the circuit will probably work without it.
>
>The resistor and capacitor values are noncritical; I happened to
>use R1=R2=220 ohms, and C1=0.047 uF, to get a clock rate of somewhere
>around 30 kHz for initial testing. Making C ten times smaller will up
>the clock rate by a factor of ten; making it ten times larger will slow
down
>the clock rate by a factor of ten. The clock rate you choose will depend
>on how large of a space you have to scan.
>
>OK, now feed Clk Out from the 555 to Clk In on the first 74LS93 stage.
>With a logic probe, you'll see high-frequency pulses coming out of the
>first stages of the counter, and on the last stages you'll see the pulse
>rate divided down by however many stages of divide-by-2 you have wired in.
>If you've wired a LED to the most significant bit, you'll see it cycle
>on-off-on as you go through all the possible binary output patterns.
>
>Now move the logic probe to an output of the programmable device. With
>any luck, you'll see output pulses here flashing in a repeating cycle
>that coincides with the MSB LED hooked to the last counter stage.
>
> STEP 5: DETERMINING WHICH INPUTS GIVE
> INTERESTING OUTPUTS
>
>OK, now suppose that our logic probe has told us that the output from our
>PAL under test is "high" almost all the time, but goes low only a few times
>per input cycle. If the PAL was used as an address decoder - as many of
>the ones I deal with are used - then this is a very likely case.
>
>So to find the input that causes the output to go low, we gate the
>clock signal from the 555 with the PAL output through a NAND gate.
>When the PAL output goes low, the clock pulses will no longer be applied
>to the counter, and the counters will stop at the input which caused
>the PAL output to go low.
>
> (1/4 of a 74LS00 NAND)
>
> |-------
> Clk out from 555 ---------------| )
> | )O------- Clk in to first
74LS93
> Out from PAL ---------------| )
> |-------
>
>When the counters stop, just use a logic probe to read off the logic
>states that produce the interesting "input" state.
>
>To continue scanning, momentarily lift the "out from PAL" signal from the
>74LS00. This input will float high, and the counters will start scanning
again.
>If you suspect that there might be other "PAL output low" combinations,
>it may be worthwhile to slow down or stop the 555 clock signal while
>you momentarily lift the "out from PAL" signal. For this purpose,
>I keep a largish electrolytic around to plug in parallel across the the
>capacitor that sets the 555 time constant.
>
>--
> Tim Shoppa Email: shoppa_at_trailing-edge.com
> Trailing Edge Technology WWW: http://www.trailing-edge.com/
> 7328 Bradley Blvd Voice: 301-767-5917
> Bethesda, MD, USA 20817 Fax: 301-767-5927
>
Received on Fri Mar 03 2000 - 12:51:54 GMT