Page 1 of 11
Cartridge keys and emulation
Posted: Sat May 16, 2020 9:37 pm
by troed
I've come into the possession of a Steinberg Avalon original package. After having dumped the disks, I realised they wouldn't run in Hatari since I had no way of plugging in the cartridge.
This thread is about solving that problem. The target is to be able to mount a cloned key to emulator cartridge space, to be able to run original disk dumps under emulation.
Attachments: avalon.JPG, top.JPG, bottom.JPG, MMI_PAL_16R6.jpg
My assumption is that we're dealing with an MMI PAL16R8 - and the connections are as follows:
Code:
Top side:
UDS 1 (CLK on R8, I0 on L8)
ROM3 11 (OE on R8, I9 on L8)
A5 9 (I8)
A6 8 (I7)
A7 7 (I6)
A8 6 (I5)
D8 16 (O5)
D10 17 (O6)
D12 18 (O7)
D14 19 (O8 on R8/L8, could have been I on R6/R4)
+5V 20 (VCC)
Bottom side:
GND 10 (GND)
A1 2 (I1)
A2 3 (I2)
A3 4 (I3)
A4 5 (I4)
D9 12 (O1)
D11 13 (O2)
D13 14 (O3)
D15 15 (O4)
tl;dr: OE on accessing FA bank, clocked by upper bus byte access, takes address low byte (watch the nibble bit order) as input and outputs byte at high byte (D9-D15).
1) Brute force
2) Decap and restore security fuse
3) Glitch-hack using under-voltage and clock-skew when trying to read out the contents
I know which method I will begin with. What would you?
/Troed
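Added example, not code from the thread or from Steinberg: a small Python model of the bus-to-PAL wiring that troed's pin table implies, used to walk the 256 low-byte addresses of the ROM3 bank the way the brute-force dump he describes would. The PAL's internal equations are unknown, so `stand_in_logic` is a constructed placeholder (and treats the chip as combinatorial, which is exactly the assumption under discussion); the ROM3 bank address `$FA0000-$FAFFFF` is the standard ST cartridge-port decode.

```python
# Added example (not from the thread): models the address/data mapping that
# troed's pin table implies for a PAL16R8 on the ST cartridge port, then
# walks the 256 low-byte addresses of the ROM3 bank exactly as a brute-force
# dump would.  The PAL's internal logic is unknown; a constructed stand-in
# function is used so that the code runs.

ROM3_BASE = 0xFA0000   # ST cartridge port: /ROM3 selects $FA0000-$FAFFFF

# Address line -> PAL input index (I1..I8), from the pin table.
# Note the nibble order: A1..A4 go to I1..I4 in order, but A5..A8 go to
# I8..I5, i.e. the upper nibble arrives bit-reversed.
ADDR_TO_INPUT = {1: 1, 2: 2, 3: 3, 4: 4, 5: 8, 6: 7, 7: 6, 8: 5}

# PAL output index (O1..O8) -> data line it drives, from the pin table.
OUTPUT_TO_DATA = {1: 9, 2: 11, 3: 13, 4: 15, 5: 8, 6: 10, 7: 12, 8: 14}


def pal_inputs(addr):
    """Return the 8-bit value seen on I1..I8 (bit k-1 = Ik) for a bus address."""
    v = 0
    for a_bit, i_idx in ADDR_TO_INPUT.items():
        if addr & (1 << a_bit):
            v |= 1 << (i_idx - 1)
    return v


def data_from_outputs(o):
    """Map an 8-bit O1..O8 value (bit k-1 = Ok) onto D8..D15; return the high byte."""
    word = 0
    for o_idx, d_line in OUTPUT_TO_DATA.items():
        if o & (1 << (o_idx - 1)):
            word |= 1 << d_line
    return (word >> 8) & 0xFF


def read_upper_byte(addr, pal_logic):
    """Simulate the upper byte of a 68000 word read: /ROM3 enables the PAL's
    outputs only inside the ROM3 bank (and /UDS clocks it); anything else
    is open bus, returned as None."""
    if not (ROM3_BASE <= addr < ROM3_BASE + 0x10000):
        return None
    return data_from_outputs(pal_logic(pal_inputs(addr)))


def stand_in_logic(i):
    """Constructed combinatorial stand-in for the unknown PAL equations."""
    return (i ^ 0xA5) & 0xFF


def dump_table(pal_logic=stand_in_logic):
    """The 256-entry table one brute-force pass over A1..A8 would record.
    Word addresses step by 2 because the 68000 has no A0 (it uses /UDS,/LDS)."""
    return [read_upper_byte(ROM3_BASE + (n << 1), pal_logic) for n in range(256)]


if __name__ == "__main__":
    table = dump_table()
    print("entry 0 =", hex(table[0]), "entries:", len(table))
```

The two dictionaries are the whole point: whoever replays a dumped table in an emulator has to apply the same bit permutation in both directions, otherwise a table that looks right on the bench will be indexed by the wrong address bits.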
Re: Steinberg Avalon cartridge
Posted: Sat May 16, 2020 9:45 pm
by exxos
I would say just put a logic analyser on it, and look for what patterns are going in and coming out... Such a small chip, it cannot really be doing much...
Re: Steinberg Avalon cartridge
Posted: Sat May 16, 2020 9:55 pm
by czietz
Having reverse-engineered (and subsequently bug-fixed) the PAL in an Atari SH204 host adapter, obviously I would start with "brute force", too. If it was a combinatorial PAL, the equations could be extracted by applying all possible inputs and minimizing the resulting outputs using something like Espresso (https://en.wikipedia.org/wiki/Espresso_ ... _minimizer).
However, I agree with you, @troed, that this will be a registered PAL, which complicates matters significantly. (The SH204 PAL is also registered.) You can use the fact that a PAL16R8 has no hidden registers. Whenever /OE is active, you can observe all register contents at the respective output pins.
Re: Steinberg Avalon cartridge
Posted: Sat May 16, 2020 10:28 pm
by troed
Exactly - brute force it is.
When I started, I was sure this cartridge would be similar to Cubase cartridges, this being another Steinberg product. However, I'm less sure now. From what I can see, a simple assembler program on the ST with the cartridge inserted will result in a nice 256 byte table (which might need to be mirrored over the whole address space). If it was that easy to clone Cubase keys, surely that would've been done - and even sw hacks just redirecting cart memory space reads etc.
In any case, since there is no internal memory in this chip I can't see how it would be harder than to run through 2^8 inputs and record the (always the same) outputs. Let's see tomorrow.
edit: 256*number of clocks/reads
/Troed
Re: Steinberg Avalon cartridge
Posted: Sat May 16, 2020 10:44 pm
by adam
troed wrote: ↑Sat May 16, 2020 10:28 pm
In any case, since there is no internal memory in this chip I can't see how it would be harder than to run through 2^8 inputs and record the (always the same) outputs.
There is a memory in this chip. Not using a GAL in registered mode to implement a hardware key would be an interesting idea. If that's the case, you're lucky :)
Re: Steinberg Avalon cartridge
Posted: Sat May 16, 2020 10:58 pm
by troed
adam wrote: ↑Sat May 16, 2020 10:44 pm
There is a memory in this chip. Not using a GAL in registered mode to implement a hardware key would be an interesting idea. If that's the case, you're lucky :)
Not sure I follow. The only inputs to your logic are the 8 input pins and the 8 output pins. All of them are visible/known.
http://www.applelogic.org/files/PAL16R8.pdf
/Troed
Re: Steinberg Avalon cartridge
Posted: Sat May 16, 2020 11:13 pm
by beel1
I made a few posts about my findings on a Synthworks dongle in AF a few years ago.
Unfortunately AF is down for now so here is an archive.org link:
https://web.archive.org/web/20190309135 ... &start=100
I started by putting a breakpoint in Hatari on ROM port addresses to find the routine I described
Re: Steinberg Avalon cartridge
Posted: Sun May 17, 2020 1:18 am
by exxos
I would assume Cubase has a serial number which would match the same number in the GAL? Then it would output some sequence to say yes or no back to Cubase. Though the GAL probably couldn't process many bits anyway.
Re: Steinberg Avalon cartridge
Posted: Sun May 17, 2020 7:59 am
by czietz
troed wrote: ↑Sat May 16, 2020 10:58 pm
Not sure I follow. The only inputs to your logic are the 8 input pins and the 8 output pins. All of them are visible/known.
Yes, the outputs are visible (fortunately). But you cannot directly control them. To reverse-engineer the logic equations by minimization you need to exercise all input terms. Since -- as you mention -- the output pins are possible input terms into the equations as well, you first have to figure out a way to set/reset the outputs.
It's helpful to hook a logic analyzer to the chip while using the dongle as a starting point for reverse-engineering.
If I had to implement a dongle with a PAL, I'd probably go with an LFSR, which can produce quite long sequences of pseudo-random numbers, using the input data as seed.
Re: Steinberg Avalon cartridge
Posted: Sun May 17, 2020 8:21 am
by terriblefire
It's not quite this simple. A PAL can keep state based on previous inputs clocked into D-type flip-flops internally. Maybe it doesn't do this, maybe it does, but it has that capability.
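Added example, not code from the thread: a behavioural model of a registered PAL16R8 that illustrates the point czietz and terriblefire are making. With the outputs fed back through the flip-flops, reading the same input twice returns different bytes, so a single pass over 256 inputs cannot be "the table"; at the same time, because a PAL16R8 has no hidden registers, every access with /OE active reveals the complete state, so what can be collected is (input, state before, state after) triples, which is the raw material for minimizing the next-state equations. The feedback function is a constructed LFSR stand-in in the spirit of czietz's suggestion, not the Avalon's logic, and the assumption that the CPU samples the data before the /UDS-driven clock edge advances the registers is mine.

```python
# Added example (not from the thread): behavioural model of a registered
# PAL16R8 used as a dongle.  The feedback equations are a constructed LFSR
# stand-in, not the real Avalon logic.

class RegisteredPal16R8:
    """Eight D flip-flops; every register drives an output pin (while /OE is
    low) and is also available as a feedback term to the AND array, so there
    is no hidden state."""

    def __init__(self, next_state, initial=0):
        self.next_state = next_state      # f(inputs, state) -> new state
        self.state = initial & 0xFF

    def clock(self, inputs):
        """Rising edge on CLK (/UDS here): latch the new register values."""
        self.state = self.next_state(inputs & 0xFF, self.state) & 0xFF
        return self.state

    def read(self, oe_active=True):
        """Output pins show the registers only while /OE (/ROM3 here) is low."""
        return self.state if oe_active else None


def lfsr_step(s):
    """One step of an 8-bit Fibonacci LFSR, polynomial x^8+x^6+x^5+x^4+1
    (taps 8,6,5,4), which is maximal: period 255 from any non-zero seed."""
    fb = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 4)) & 1
    return ((s >> 1) | (fb << 7)) & 0xFF


def lfsr_period(seed):
    """Count steps until the LFSR returns to its seed (0 is a fixed point)."""
    if seed == 0:
        return 1
    s, n = lfsr_step(seed), 1
    while s != seed:
        s, n = lfsr_step(s), n + 1
    return n


def constructed_feedback(inputs, state):
    """Stand-in next-state equations: mix the input byte into the register
    value, then step the LFSR.  Constructed for this example only."""
    return lfsr_step(state ^ inputs)


def read_cycle(pal, inputs):
    """One bus access.  Assumed here: /ROM3 enables the outputs while the CPU
    samples the data, and the registers advance on the clock edge that the
    /UDS strobe produces at the end of the cycle."""
    value = pal.read(oe_active=True)
    pal.clock(inputs)
    return value


def naive_table(pal):
    """What a combinatorial brute-force pass would collect: 256 reads in
    input order.  Each entry depends on the reads before it, not just on
    the input, so repeating the pass gives a different table."""
    return [read_cycle(pal, i) for i in range(256)]


def collect_transitions(pal, inputs_sequence):
    """Because every register is observable, each access yields a complete
    (input, state_before, state_after) triple."""
    triples = []
    for i in inputs_sequence:
        before = read_cycle(pal, i)   # what the CPU saw on this access
        after = pal.read()            # what it will see on the next one
        triples.append((i, before, after))
    return triples


def transitions_are_consistent(triples):
    """The same (input, state_before) must always give the same state_after;
    that is what makes the next-state function recoverable by minimization."""
    seen = {}
    for i, before, after in triples:
        if seen.setdefault((i, before), after) != after:
            return False
    return True


if __name__ == "__main__":
    pal = RegisteredPal16R8(constructed_feedback, initial=1)
    print("same input, three reads:", [hex(read_cycle(pal, 0)) for _ in range(3)])
    print("LFSR period from seed 1:", lfsr_period(1))
```

The practical consequence for the dump: the bench procedure has to record the output before and after every clock, not just the output per input, and it has to steer the chip through enough distinct (input, state) pairs for the minimizer to have something to work with, which is where the logic analyser on the real software's access pattern comes in.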