Prev: Periodic instruction set testing - done it? heard of it?
Next: FPGA Camp, Bangalore is tomorrow
From: G. Edward on 19 May 2010 20:15
The story so far: I'm trying to reverse engineer a certain much-
maligned gaming peripheral from circa 1990. I've already interfaced
with it the way microcontroller-God intended and worked out the basic
functionality, but I've reached the limits of trial-and-error. There
are hidden features that never saw the light of day, embedded deep in
the firmware. I can't blackbox them. So I did the only reasonable
thing left to do and tore this thing's brain out!

This leaves me with a 44-pin PLCC-flavored COP888CL (http://
www.national.com/ds/CO/COP888CL.pdf) splayed out on my solderless
breadboard. I've read some encouraging (http://www.national.com/ms/CN/
CN-7.pdf) documents (http://www.national.com/an/AB/AB-4.pdf) which
suggest that massaging a ROM dump out of it (that sounded bad) could
be trivial.

Trouble is, those two documents refer to COP400 family devices, so I
assume it's invalid for my COP888. Also, some closer inspection of the
COP888 datasheet reveals that "Care must be exercised with the D2 pin
operation. At RESET, the external loads on this pin must ensure that
the output voltages stay above 0.8 Vcc to prevent the chip from
entering special modes." Ok, that might be the way to access a "test
mode" similar to the COP400... But there's no further mention anywhere
of what these modes may be, or how to interact with them. Argh.

So it seems to me that there must be some way, somehow, of dumping
this chip's onboard ROM. I mean they had to verify it at least once at
the factory, right? And there are references to special modes on this
chip, and even explicit instructions for doing what I want to do only
with an ancestor chip. And that's where I am right now. I'm about to
solder on an additional 8 lines to the D port so I can blindly try
various combinations of these instructions in the hopes that I'll hit
some dumb luck. But this is going to take a while even if I don't make
any mistakes.

I get the feeling that this is the kind of thing I could spend a
couple weeks on, yet maybe someone out there worked extensively with
this line many years ago and knows exactly what to do off the top of
their head or something. Or maybe there are faster/easier ways to
pursue this.

Any thoughts? :)
From: hamilton on 19 May 2010 22:16
On 5/19/2010 6:15 PM, G. Edward wrote:
> The story so far: I'm trying to reverse engineer a certain much-
> maligned gaming peripheral from circa 1990. I've already interfaced
> with it the way microcontroller-God intended and worked out the basic
> functionality, but I've reached the limits of trial-and-error. There
> are hidden features that never saw the light of day, embedded deep in
> the firmware. I can't blackbox them. So I did the only reasonable
> thing left to do and tore this thing's brain out!
>
> This leaves me with a 44-pin PLCC-flavored COP888CL (http://
> www.national.com/ds/CO/COP888CL.pdf) splayed out on my solderless
> breadboard. I've read some encouraging (http://www.national.com/ms/CN/
> CN-7.pdf) documents (http://www.national.com/an/AB/AB-4.pdf) which
> suggest that massaging a ROM dump out of it (that sounded bad) could
> be trivial.
>
> Trouble is, those two documents refer to COP400 family devices, so I
> assume it's invalid for my COP888. Also, some closer inspection of the
> COP888 datasheet reveals that "Care must be exercised with the D2 pin
> operation. At RESET, the external loads on this pin must ensure that
> the output voltages stay above 0.8 Vcc to prevent the chip from
> entering special modes." Ok, that might be the way to access a "test
> mode" similar to the COP400... But there's no further mention anywhere
> of what these modes may be, or how to interact with them. Argh.
>
> So it seems to me that there must be some way, somehow, of dumping
> this chip's onboard ROM. I mean they had to verify it at least once at
> the factory, right? And there are references to special modes on this
> chip, and even explicit instructions for doing what I want to do only
> with an ancestor chip. And that's where I am right now. I'm about to
> solder on an additional 8 lines to the D port so I can blindly try
> various combinations of these instructions in the hopes that I'll hit
> some dumb luck. But this is going to take a while even if I don't make
> any mistakes.
>
> I get the feeling that this is the kind of thing I could spend a
> couple weeks on, yet maybe someone out there worked extensively with
> this line many years ago and knows exactly what to do off the top of
> their head or something. Or maybe there are faster/easier ways to
> pursue this.
>
> Any thoughts? :)

Your Wavoes are much bigger then mine !!!! ;-)

You must really love this game to want to subject your self to reversing
assembly on a defunct and obscure chip like this.

Please let us know how you end up.

hamilton

From: larwe on 19 May 2010 22:40
On May 19, 8:15 pm, "G. Edward" <bsdcolo...(a)gmail.com> wrote:
>
> This leaves me with a 44-pin PLCC-flavored COP888CL (http://www.national.com/ds/CO

NS sold some of these as mask parts and some as "mask" parts. The mask
parts have no readout capability. The "mask" parts are EPROM parts in
a windowless plastic package, so they're really OTP. The OTP parts can
be read out using most reasonably high-end burners of the era (older
BP Micro and Advin programmers for instance). But in a retail product,
what chance do you really think you have that this chip is
unprotected???

From: Walter Banks on 21 May 2010 06:44


"G. Edward" wrote:
>
> Any thoughts? :)

The COP888 is a very different processor. We wrote a C compiler for
it and worked on the instruction set when it was developed. My guess
is the only folks who might really know if the contents can be dumped
are Metalink who made emulators for the COP888 and were very much
involved in emulator support technology as the part was developed.

If you get a hex dump I have some internal tools the would go a
long way to make it understandable. Contact me offline.

w..

--- news://freenews.netfront.net/ - complaints: news(a)netfront.net ---
From: George Whiteside on 23 May 2010 14:06
On May 19, 7:15 pm, "G. Edward" <bsdcolo...(a)gmail.com> wrote:
> Any thoughts? :)

An update, though not much to report. I've prodded the chip for
several days and the only thing I'm reasonably sure of is that
performing the "pulling-D2-low-during-reset" maneuver does seem to put
the chip in some kind of special mode, as hinted at by the datasheet.
Haven't made much progress beyond that yet.

The reason I'm playing with this old relic is because it's inside the
Power Glove, that thing for Nintendo. Yeah it's been a while, but it
only gets older every day. We know how to interface it just fine these
days, but what it's actually thinking/doing is still a mystery. So
there's more to be known. There was a glove list talking about all of
this (way back when), but very little pertaining to the actual onboard
chip. I'll continue my trial-and-error while I resume searching for
more information and people with helpful hints.

Having said all that, mostly I just wanted to post this to make sure
to thank everyone for the hints and advice so far... every bit helps.
So thank you everyone, I really appreciate it!

G
 |  Next  |  Last
Pages: 1 2
Prev: Periodic instruction set testing - done it? heard of it?
Next: FPGA Camp, Bangalore is tomorrow