Page 1 of 11

Cartridge keys and emulation

Posted: Sat May 16, 2020 9:37 pm
by troed
I've come into the possession of a Steinberg Avalon original package. After having dumped the disks, I realised they wouldn't run in Hatari since I had no way of plugging in the cartridge.

This thread is about solving that problem. The target is to be able to mount a cloned key to emulator cartridge space, to be able to run original disk dumps under emulation.
[Attachments: avalon.JPG, top.JPG, bottom.JPG, MMI_PAL_16R6.jpg]
My assumption is that we're dealing with an MMI PAL16R8 - and the connections are as follows:


Top side:
UDS     1   (CLK on R8, I0 on L8)
ROM3   11   (OE on R8, I9 on L8)
A5      9   (I8)
A6      8   (I7)
A7      7   (I6)
A8      6   (I5)
D8     16   (O5)
D10    17   (O6)
D12    18   (O7)
D14    19   (O8 on R8/L8, could have been I on R6/R4)
+5V    20   (VCC)

Bottom side:
GND    10   (GND)
A1      2   (I1)
A2      3   (I2)
A3      4   (I3)
A4      5   (I4)
D9     12   (O1)
D11    13   (O2)
D13    14   (O3)
D15    15   (O4)
tl;dr: OE on accessing FA bank, clocked by upper bus byte access, takes address low byte (watch the nibble bit order) as input and outputs byte at high byte (D9-D15).

1) Brute force
2) Decap and restore security fuse
3) Glitch-hack using under-voltage and clock-skew when trying to read out the contents

I know which method I will begin with. What would you?

/Troed

Re: Steinberg Avalon cartridge

Posted: Sat May 16, 2020 9:45 pm
by exxos
I would say just put a logic analyser on it, and look for what patterns are going in, and coming out... Such a small chip it cannot really be doing much..

Re: Steinberg Avalon cartridge

Posted: Sat May 16, 2020 9:55 pm
by czietz
Having reverse-engineered (and subsequently bug-fixed) the PAL in an Atari SH204 host adapter, obviously I would start with "brute force", too. If it was a combinatorial PAL, the equations could be extracted by applying all possible inputs and minimizing the resulting outputs using something like Espresso (https://en.wikipedia.org/wiki/Espresso_ ... _minimizer).

However, I agree with you, @troed, that this will be a registered PAL, which complicates matters significantly. (The SH204 PAL is also registered.) You can use the fact that a PAL16R8 has no hidden registers. Whenever /OE is active, you can observe all register contents at the respective output pins.

Re: Steinberg Avalon cartridge

Posted: Sat May 16, 2020 10:28 pm
by troed
Exactly - brute force it is.

When I started, I was sure this cartridge would be similar to Cubase cartridges, this being another Steinberg product. However, I'm less sure now. From what I can see, a simple assembler program on the ST with the cartridge inserted will result in a nice 256 byte table (which might need to be mirrored over the whole address space). If it was that easy to clone Cubase keys, surely that would've been done - and even sw hacks just redirecting cart memory space reads etc.

In any case, since there is no internal memory in this chip I can't see how it would be harder than to run through 2^8 inputs and record the (always the same) outputs. Let's see tomorrow.

edit: 256*number of clocks/reads

/Troed

Re: Steinberg Avalon cartridge

Posted: Sat May 16, 2020 10:44 pm
by adam
troed wrote: Sat May 16, 2020 10:28 pm In any case, since there is no internal memory in this chip I can't see how it would be harder than to run through 2^8 inputs and record the (always the same) outputs.
There is a memory in this chip. Not using a GAL in registered mode to implement a hardware key would be an interesting idea. If that's the case you're lucky :)

Re: Steinberg Avalon cartridge

Posted: Sat May 16, 2020 10:58 pm
by troed
adam wrote: Sat May 16, 2020 10:44 pm There is a memory in this chip. Not using a GAL in registered mode to implement a hardware key would be an interesting idea. If that's the case you're lucky :)
Not sure I follow. The only inputs to your logic are the 8 input pins and the 8 output pins. All of them are visible/known.

http://www.applelogic.org/files/PAL16R8.pdf

/Troed

Re: Steinberg Avalon cartridge

Posted: Sat May 16, 2020 11:13 pm
by beel1
I made a few posts about my findings on a Synthworks dongle in AF a few years ago.
Unfortunately AF is down for now so here is an archive.org link: https://web.archive.org/web/20190309135 ... &start=100

I started by putting a breakpoint in Hatari on ROM port addresses to find the routine I described

Re: Steinberg Avalon cartridge

Posted: Sun May 17, 2020 1:18 am
by exxos
I would assume Cubase has a serial number which would match the same number in the GAL? Then it would output some sequence to say yes or no back to Cubase. Though the GAL probably couldn't process many bits anyway.

Re: Steinberg Avalon cartridge

Posted: Sun May 17, 2020 7:59 am
by czietz
troed wrote: Sat May 16, 2020 10:58 pm Not sure I follow. The only inputs to your logic are the 8 input pins and the 8 output pins. All of them are visible/known.
Yes, the outputs are visible (fortunately). But you cannot directly control them. To reverse-engineer the logic equations by minimization you need to exercise all input terms. Since -- as you mention -- the output pins are possible input terms into the equations as well, you first have to figure out a way to set/reset the outputs.

It's helpful to hook a logic analyzer to the chip while using the dongle as a starting point for reverse-engineering.

If I had to implement a dongle with a PAL, I'd probably go with an LFSR, which can produce quite long sequences of pseudo-random numbers, using the input data as a seed.

Re: Steinberg Avalon cartridge

Posted: Sun May 17, 2020 8:21 am
by terriblefire
troed wrote: Sat May 16, 2020 10:58 pm
Not sure I follow. The only inputs to your logic are the 8 input pins and the 8 output pins. All of them are visible/known.

http://www.applelogic.org/files/PAL16R8.pdf

/Troed
It's not quite this simple. A PAL can keep state based on previous inputs clocked into D-type flip-flops internally. Maybe it doesn't do this, maybe it does, but it has that capability.
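The point czietz and terriblefire make above (registered outputs feed back into the equations, so the response to an address byte depends on the flip-flop state) can be seen in a small simulation. The following is an added, constructed example; it is not code from this thread, and its equations are not the Avalon cartridge's, which remain unknown. It models a combinatorial PAL alongside a PAL16R8-style registered PAL built as the LFSR czietz describes (seeded from the address byte), then runs the 256-read "brute force" dump against both. The combinatorial table predicts every later access; the registered table does not, because the register state moved during the dump. The LFSR taps, the load-on-A8 seed rule and the access sequence are assumptions chosen for the demonstration.

```python
"""Why a registered PAL dongle cannot be characterised by a plain
input -> output table, while a combinatorial PAL can.

Added illustration for this thread, not code from it. The equations below
are CONSTRUCTED for the demonstration; the Avalon cartridge's real PAL
equations are unknown, and no real cartridge data is used.
"""
from typing import Callable, Dict, List, Tuple

ACCESS_TRACE = [5, 5, 0xA5, 5, 255]   # constructed access sequence for the replay check


def n(bit: int) -> int:
    """Logical NOT of a single bit (a /A term in a PAL equation)."""
    return bit ^ 1


def bits(value: int) -> List[int]:
    """Split a byte into eight bits, index 0 = least significant (A1 / O1)."""
    return [(value >> i) & 1 for i in range(8)]


def pack(bitlist: List[int]) -> int:
    """Inverse of bits(): assemble eight bits back into a byte."""
    return sum(b << i for i, b in enumerate(bitlist))


def combinatorial_pal(addr: int) -> int:
    """PAL16L8-style model: every output is a function of the address lines only.
    Constructed sum-of-products equations, not the dongle's."""
    a = bits(addr)
    return pack([
        a[0] ^ a[3],        # O1 = A1 xor A4
        a[1] & n(a[2]),     # O2 = A2 & /A3
        a[4] | a[5],        # O3 = A5 + A6
        a[6] & a[7],        # O4 = A7 & A8
        a[0] & a[7],        # O5 = A1 & A8
        n(a[1]) | a[6],     # O6 = /A2 + A7
        a[2] ^ a[5],        # O7 = A3 xor A6
        a[3] & a[4],        # O8 = A4 & A5
    ])


class RegisteredPal:
    """PAL16R8-style model: eight D flip-flops clocked on every access, whose
    Q outputs feed back into the product terms (no hidden registers: with /OE
    active all eight Q values are visible on the output pins).
    The equations form a constructed LFSR seeded from the address byte."""

    def __init__(self, reset_state: int = 0) -> None:
        self.q = reset_state & 0xFF

    def clock(self, addr: int) -> int:
        a = bits(addr)
        q = bits(self.q)
        # LFSR feedback from taps on Q8, Q6, Q5, Q4, mixed with address line A1 (assumed)
        fb = q[7] ^ q[5] ^ q[4] ^ q[3] ^ a[0]
        nxt = [fb] + q[:7]          # shift left, feedback enters at Q1
        if a[7]:                    # A8 high: load the address byte as a new seed (assumed)
            nxt = a
        self.q = pack(nxt)
        return self.q               # what D9..D15 would show while /OE is active


def dump_table(read: Callable[[int], int]) -> Dict[int, int]:
    """The 'brute force' dump: one access per address value, 256 reads in total."""
    return {addr: read(addr) for addr in range(256)}


def replay_matches(read: Callable[[int], int], table: Dict[int, int], trace: List[int]) -> bool:
    """Does the dumped table predict the responses to a later access sequence?"""
    return all(table[addr] == read(addr) for addr in trace)


def same_input_twice(addr: int) -> Tuple[int, int]:
    """Two consecutive accesses with the same address byte from the reset state."""
    pal = RegisteredPal()
    return pal.clock(addr), pal.clock(addr)


def demo() -> Tuple[bool, bool]:
    """Returns (combinatorial table replays correctly, registered table replays correctly)."""
    comb_table = dump_table(combinatorial_pal)
    comb_ok = replay_matches(combinatorial_pal, comb_table, ACCESS_TRACE)

    pal = RegisteredPal()
    reg_table = dump_table(pal.clock)   # the register state drifts during the 256 reads
    pal = RegisteredPal()               # power-cycle: back to the reset state
    reg_ok = replay_matches(pal.clock, reg_table, ACCESS_TRACE)
    return comb_ok, reg_ok


if __name__ == "__main__":
    comb_ok, reg_ok = demo()
    print("combinatorial PAL: table predicts replay ->", comb_ok)   # True
    print("registered PAL:    table predicts replay ->", reg_ok)    # False
    print("registered PAL, same input twice ->", same_input_twice(5))
```

The design lesson is the one the thread circles around: a key implemented as a pure function of its inputs is fully described by its truth table, so enumerating 2^8 inputs suffices, whereas a registered design has 2^8 states in addition to 2^8 inputs and can only be characterised by an analyst who can also set or observe that state (which, as czietz notes, the absence of hidden registers on a PAL16R8 makes possible in principle).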