
Reverse Engineering the CIC
Re: Reverse Engineering the CIC
Sadly I think your famicombox cic('s) is (/are) just dead 

Re: Reverse Engineering the CIC
Probably. If I’m lucky my parts PCB will be salvageable and I can get it rebuilt. I’d like to mod my NES to dump the menu cart but sadly I’m probably out of money for now to do that, unless there is a fun arduino way to do it lol.
Re: Reverse Engineering the CIC
That 3199A dump has all the bits, so that's a great start. It's missing 7 bytes at the end, though, just like your last dump, and those bytes look in this case like they're probably not all 0. Why are these getting dropped now?
I'm a little uneasy about the fact that these pages don't have a bunch of 00's padding them out, but I do see stuff that's plausibly code, so I guess that means the ROM is just really full. Most concerning to me, though, is that I see a lot of what looks like calls to field 1 pages 0 and 1 (7E xx where bit 7 of xx is 0 for page 0 or 1 for page 1), which suggests this is an SM595 (with 768 bytes of data) and we need some kind of method to change fields. I'm curious if field 0 repeats if we dump past 508 bytes, or if it transitions to field 1 on its own.
Edit: Just saw your post saying it's looping after this. That's really unfortunate.
Re: Reverse Engineering the CIC
I should clarify: it's not looping, but when I run the older code it starts at a different spot and has 0 in between where the newer one ends and starts.
Re: Reverse Engineering the CIC
I'm a bit confused. With the newer code run on the 3199A, what does it output for i1F5-i1FB, and does it start repeating the i0+ data at i1FC? With the older code, when it starts at a different spot, is there evidence of it outputting anything that is not included in the 508 bytes from the new code's dump?
I believe there is an additional 254 bytes we need from this that are probably inaccessible with the knowledge we have so far.
Re: Reverse Engineering the CIC
It stops after printing i1F5 with the newer code. With the old code (https://pastebin.com/raw/aQFhF3DC) I get the following:
Code:
i0 :D0
i1 :BD
i2 :0
i3 :0
i4 :C7
i5 :23
i6 :61
i7 :DC
i8 :2C
i9 :52
i10 :E3
i11 :A6
i12 :75
i13 :2E
i14 :7D
i15 :C5
i16 :A6
i17 :74
i18 :23
i19 :6D
i20 :0
i21 :74
i22 :23
i23 :62
i24 :89
i25 :2B
i26 :52
i27 :94
i28 :78
i29 :9C
i30 :78
i31 :C4
i32 :7D
i33 :F2
i34 :E9
i35 :75
i36 :21
i37 :7D
i38 :CC
i39 :86
i40 :74
i41 :23
i42 :6C
i43 :7D
i44 :A6
i45 :0
i46 :86
i47 :22
i48 :68
i49 :7D
i50 :A6
i51 :28
i52 :52
i53 :88
i54 :93
i55 :7D
i56 :D3
i57 :74
i58 :23
i59 :60
i60 :96
i61 :78
i62 :2B
i63 :2C
i64 :52
i65 :D5
i66 :7D
i67 :A6
i68 :74
i69 :23
i70 :68
i71 :23
i72 :61
i73 :BF
i74 :69
i75 :78
i76 :13
i77 :0
i78 :75
i79 :25
i80 :7E
i81 :0
i82 :26
i83 :33
i84 :45
i85 :D7
i86 :25
i87 :3C
i88 :45
i89 :D7
i90 :74
i91 :23
i92 :6F
i93 :74
i94 :23
i95 :62
i96 :8E
i97 :9C
i98 :7E
i99 :5B
i100 :74
i101 :24
i102 :40
i103 :10
i104 :BB
i105 :89
i106 :13
i107 :97
i108 :89
i109 :75
i110 :26
i111 :11
i112 :A8
i113 :40
i114 :10
i115 :89
i116 :3E
i117 :9A
i118 :40
i119 :10
i120 :89
i121 :3C
i122 :25
i123 :71
i124 :C1
i125 :89
i126 :78
i127 :13
i128 :74
i129 :2A
i130 :7D
i131 :C5
i132 :96
i133 :75
i134 :22
i135 :63
i136 :B7
i137 :74
i138 :26
i139 :6D
i140 :96
i141 :74
i142 :2F
i143 :30
i144 :43
i145 :32
i146 :43
i147 :3F
i148 :43
i149 :3F
i150 :4A
i151 :75
i152 :22
i153 :6F
i154 :96
i155 :79
i156 :8D
i157 :74
i158 :26
i159 :6C
i160 :6E
i161 :23
i162 :6E
i163 :21
i164 :32
i165 :46
i166 :22
i167 :55
i168 :65
i169 :B4
i170 :D0
i171 :2D
i172 :52
i173 :DA
i174 :75
i175 :22
i176 :63
i177 :98
i178 :79
i179 :69
i180 :21
i181 :52
i182 :E2
i183 :0
i184 :21
i185 :52
i186 :E6
i187 :22
i188 :52
i189 :AC
i190 :22
i191 :52
i192 :D5
i193 :A5
i194 :0
i195 :0
i196 :75
i197 :22
i198 :60
i199 :FE
i200 :2D
i201 :52
i202 :F0
i203 :DE
i204 :7E
i205 :3F
i206 :F3
i207 :23
i208 :52
i209 :F7
i210 :28
i211 :52
i212 :BE
i213 :79
i214 :FB
i215 :75
i216 :22
i217 :6C
i218 :7E
i219 :3F
i220 :C1
i221 :7E
i222 :7D
i223 :7E
i224 :1E
i225 :75
i226 :22
i227 :68
i228 :69
i229 :21
i230 :30
i231 :46
i232 :23
i233 :7E
i234 :0
i235 :24
i236 :30
i237 :45
i238 :CF
i239 :23
i240 :3F
i241 :45
i242 :CF
i243 :7E
i244 :6A
i245 :22
i246 :62
i247 :8D
i248 :6A
i249 :B3
i250 :6E
i251 :30
i252 :D9
i253 :75
i254 :22
i255 :61
i256 :B8
i257 :26
i258 :52
i259 :FA
i260 :D2
i261 :25
i262 :52
i263 :C7
i264 :CF
i265 :74
i266 :21
i267 :7D
i268 :CC
i269 :8F
i270 :7E
i271 :7D
i272 :7E
i273 :20
i274 :6D
i275 :21
i276 :30
i277 :46
i278 :74
i279 :27
i280 :7E
i281 :0
i282 :29
i283 :32
i284 :45
i285 :CF
i286 :28
i287 :33
i288 :45
i289 :CF
i290 :27
i291 :30
i292 :45
i293 :CF
i294 :7E
i295 :1E
i296 :A8
i297 :75
i298 :26
i299 :3F
i300 :71
i301 :AB
i302 :0
i303 :21
i304 :52
i305 :A2
i306 :7E
i307 :7D
i308 :7E
i309 :20
i310 :21
i311 :32
i312 :46
i313 :31
i314 :22
i315 :46
i316 :CF
i317 :75
i318 :25
i319 :40
i320 :27
i321 :43
i322 :40
i323 :28
i324 :4A
i325 :74
i326 :24
i327 :40
i328 :75
i329 :27
i330 :7E
i331 :3C
i332 :78
i333 :82
i334 :79
i335 :B
i336 :74
i337 :26
i338 :61
i339 :8D
i340 :75
i341 :40
i342 :10
i343 :AA
i344 :74
i345 :24
i346 :40
i347 :75
i348 :25
i349 :7E
i350 :3C
i351 :87
i352 :DD
i353 :74
i354 :23
i355 :6A
i356 :26
i357 :6C
i358 :6A
i359 :7D
i360 :CA
i361 :7E
i362 :7D
i363 :7E
i364 :20
i365 :69
i366 :6B
i367 :7E
i368 :1E
i369 :74
i370 :26
i371 :69
i372 :6F
i373 :23
i374 :6B
i375 :7E
i376 :5B
i377 :74
i378 :26
i379 :60
i380 :B7
i381 :23
i382 :38
i383 :46
i384 :7E
i385 :AD
i386 :23
i387 :30
i388 :46
i389 :26
i390 :68
i391 :7E
i392 :E9
i393 :78
i394 :73
i395 :7E
i396 :AD
i397 :2D
i398 :52
i399 :B6
i400 :F1
i401 :75
i402 :20
i403 :32
i404 :42
i405 :3A
i406 :4A
i407 :4C
i408 :21
i409 :33
i410 :46
i411 :23
i412 :30
i413 :46
i414 :22
i415 :31
i416 :46
i417 :4C
i418 :22
i419 :55
i420 :66
i421 :4D
i422 :4C
i423 :75
i424 :2E
i425 :33
i426 :42
i427 :38
i428 :4A
i429 :4C
i430 :3F
i431 :71
i432 :E2
i433 :4A
i434 :4C
i435 :42
i436 :C5
i437 :4D
i438 :3F
i439 :71
i440 :D6
i441 :4A
i442 :4C
i443 :43
i444 :CC
i445 :4D
i446 :25
i447 :7D
i448 :C5
i449 :DD
i450 :0
i451 :0
i452 :20
i453 :75
i454 :30
i455 :4A
i456 :74
i457 :42
i458 :C0
i459 :7D
i460 :A6
i461 :7E
i462 :7D
i463 :7D
i464 :D3
i465 :7D
i466 :CA
i467 :7E
i468 :5B
i469 :75
i470 :22
i471 :63
i472 :9D
i473 :0
i474 :28
i475 :52
i476 :EB
i477 :EC
i478 :74
i479 :22
i480 :60
i481 :B0
i482 :D7
i483 :7E
i484 :21
i485 :74
i486 :23
i487 :63
i488 :B2
i489 :23
i490 :52
i491 :97
i492 :91
i493 :7D
i494 :F2
i495 :B1
i496 :22
i497 :6C
i498 :23
i499 :60
i500 :C2
i501 :0
i502 :29
i503 :52
i504 :9A
i505 :74
i506 :24
i507 :33
repeat
i508 :45
repeat
i509 :BD
End of story
Re: Reverse Engineering the CIC
Patnukem wrote: ↑Thu Oct 01, 2020 2:32 pm
it stops after printing i1F5 with the newer code, the old code https://pastebin.com/raw/aQFhF3DC I get the following
*log here*
The print loop is independent of the actual data read, so maybe it's not sending out the buffer, gimme a sec and I'll look up documentation on that.
Try this:
Code:
//sm590 dumper script
//Written by Jero32 21/09/2020
//to run, hook the arduino pins up to the sm590 chip according to the pinout below, upload the sketch to the arduino,
//clear the terminal window and press the reset button

//do one clock cycle. Note: relies on opcodes taking time to provide delay for speed, not very portable
#define ClockMacro()\
  if(1){\
    PORTC |= 0b00001000; delayMicroseconds(5); PORTC &= 0b11110111; delayMicroseconds(5);\
  } else {}
//do one clock cycle while also pulsing PORTC bit 5 (A5) high for the duration of the clock
#define ClockMacroTrigger()\
  if(1){\
    PORTC |= 0b00101000; delayMicroseconds(5); PORTC &= 0b11010111; delayMicroseconds(5);\
  } else {}
//do 3 clocks
#define ThreeClockMacro()\
  if(1){\
    ClockMacro();\
    ClockMacro();\
    ClockMacro();\
  } else {}
//do 4 clocks
#define FourClockMacro()\
  if(1){\
    ClockMacro();\
    ClockMacro();\
    ClockMacro();\
    ClockMacro();\
  } else {}

void setup() {
  int i;
  //pinout (sm590 signal -> arduino pin)
  //R20       A0
  //R21       A1
  //R22       A2
  //CLOCK     A3
  //Reset/ACL A4
  //D0 pin 2
  //D1 pin 3
  //D2 pin 4
  //D3 pin 5
  //D4 pin 6
  //D5 pin 7
  //D6 pin 8
  //D7 pin 9
  noInterrupts();
  DDRD &= 0b00000011; //set pins 2 through 7 as inputs
  DDRB &= 0b11111100; //set pins 8 and 9 as inputs
  DDRC |= 0b00111111; //set A0 through A5 as outputs
  DIDR0 = 0x00; //no longer necessary but it doesn't hurt.
  PORTC &= 0b11100000; //make sure all bits are in a known cleared state
  PORTC |= 0b00010111; //set pins A0 - A4 high with the exception of A3/CLK
  for(i = 0; i < 255; i++){
    FourClockMacro(); //start the clock, give the chip some time to boot up
  }
  PORTC &= 0b11101111; //lower ACL
  FourClockMacro();
  PORTC &= 0b11111100; //lower R20, R21
  FourClockMacro();
}

void loop() {
  int i;
  unsigned char dataArray[508];
  for (i = 0; i < 508; i++) { //fill a 508 byte array with the rom data
    ClockMacroTrigger();
    ClockMacro();
    dataArray[i] = ((PIND & 0b11111100) >> 2) | ((PINB & 0b00000011) << 6); //pins 2-7 give D0-D5, pins 8-9 give D6-D7. Note: data seems inverted compared to "known" romdumps
    ClockMacro();
    ClockMacro();
  }
  Serial.begin(9600);
  for (i = 0; i < 508; i++) {
    Serial.print("i");
    Serial.print(i, HEX);
    Serial.print(" :");
    Serial.print((dataArray[i] ^ 0xFF) & 0xFF, HEX); //data inverted to match "known" rom dumps
    Serial.print("\r\n");
  }
  for(i = 0; i < 255; i++){ Serial.print(" "); } //pad the output so the last bytes get pushed out of the serial buffer
  while (1) {}
}
this should print a bunch of empty characters after the last byte, hopefully that'll flush any buffer stuff that hasn't been sent (not the proper way to do this, but a quick test)
Re: Reverse Engineering the CIC
Code:
i0 :75
i1 :30
i2 :4A
i3 :74
i4 :42
i5 :C0
i6 :7D
i7 :A6
i8 :7E
i9 :7D
iA :7D
iB :D3
iC :7D
iD :CA
iE :7E
iF :5B
i10 :75
i11 :22
i12 :63
i13 :9D
i14 :0
i15 :28
i16 :52
i17 :EB
i18 :EC
i19 :74
i1A :22
i1B :60
i1C :B0
i1D :D7
i1E :7E
i1F :21
i20 :74
i21 :23
i22 :63
i23 :B2
i24 :23
i25 :52
i26 :97
i27 :91
i28 :7D
i29 :F2
i2A :B1
i2B :22
i2C :6C
i2D :23
i2E :60
i2F :C2
i30 :0
i31 :29
i32 :52
i33 :9A
i34 :74
i35 :24
i36 :33
i37 :45
i38 :BD
i39 :0
i3A :0
i3B :C7
i3C :23
i3D :61
i3E :DC
i3F :2C
i40 :52
i41 :E3
i42 :A6
i43 :75
i44 :2E
i45 :7D
i46 :C5
i47 :A6
i48 :74
i49 :23
i4A :6D
i4B :0
i4C :74
i4D :23
i4E :62
i4F :89
i50 :2B
i51 :52
i52 :94
i53 :78
i54 :9C
i55 :78
i56 :C4
i57 :7D
i58 :F2
i59 :E9
i5A :75
i5B :21
i5C :7D
i5D :CC
i5E :86
i5F :74
i60 :23
i61 :6C
i62 :7D
i63 :A6
i64 :0
i65 :86
i66 :22
i67 :68
i68 :7D
i69 :A6
i6A :28
i6B :52
i6C :88
i6D :93
i6E :7D
i6F :D3
i70 :74
i71 :23
i72 :60
i73 :96
i74 :78
i75 :2B
i76 :2C
i77 :52
i78 :D5
i79 :7D
i7A :A6
i7B :74
i7C :23
i7D :68
i7E :23
i7F :61
i80 :BF
i81 :69
i82 :78
i83 :13
i84 :0
i85 :75
i86 :25
i87 :7E
i88 :0
i89 :26
i8A :33
i8B :45
i8C :D7
i8D :25
i8E :3C
i8F :45
i90 :D7
i91 :74
i92 :23
i93 :6F
i94 :74
i95 :23
i96 :62
i97 :8E
i98 :9C
i99 :7E
i9A :5B
i9B :74
i9C :24
i9D :40
i9E :10
i9F :BB
iA0 :89
iA1 :13
iA2 :97
iA3 :89
iA4 :75
iA5 :26
iA6 :11
iA7 :A8
iA8 :40
iA9 :10
iAA :89
iAB :3E
iAC :9A
iAD :40
iAE :10
iAF :89
iB0 :3C
iB1 :25
iB2 :71
iB3 :C1
iB4 :89
iB5 :78
iB6 :13
iB7 :74
iB8 :2A
iB9 :7D
iBA :C5
iBB :96
iBC :75
iBD :22
iBE :63
iBF :B7
iC0 :74
iC1 :26
iC2 :6D
iC3 :96
iC4 :74
iC5 :2F
iC6 :30
iC7 :43
iC8 :32
iC9 :43
iCA :3F
iCB :43
iCC :3F
iCD :4A
iCE :75
iCF :22
iD0 :6F
iD1 :96
iD2 :79
iD3 :8D
iD4 :74
iD5 :26
iD6 :6C
iD7 :6E
iD8 :23
iD9 :6E
iDA :21
iDB :32
iDC :46
iDD :22
iDE :55
iDF :65
iE0 :B4
iE1 :D0
iE2 :2D
iE3 :52
iE4 :DA
iE5 :75
iE6 :22
iE7 :63
iE8 :98
iE9 :79
iEA :69
iEB :21
iEC :52
iED :E2
iEE :0
iEF :21
iF0 :52
iF1 :E6
iF2 :22
iF3 :52
iF4 :AC
iF5 :22
iF6 :52
iF7 :D5
iF8 :A5
iF9 :0
iFA :0
iFB :75
iFC :22
iFD :60
iFE :FE
iFF :2D
i100 :52
i101 :F0
i102 :DE
i103 :7E
i104 :3F
i105 :F3
i106 :23
i107 :52
i108 :F7
i109 :28
i10A :52
i10B :BE
i10C :79
i10D :FB
i10E :75
i10F :22
i110 :6C
i111 :7E
i112 :3F
i113 :C1
i114 :7E
i115 :7D
i116 :7E
i117 :1E
i118 :75
i119 :22
i11A :68
i11B :69
i11C :21
i11D :30
i11E :46
i11F :23
i120 :7E
i121 :0
i122 :24
i123 :30
i124 :45
i125 :CF
i126 :23
i127 :3F
i128 :45
i129 :CF
i12A :7E
i12B :6A
i12C :22
i12D :62
i12E :8D
i12F :6A
i130 :B3
i131 :6E
i132 :30
i133 :D9
i134 :75
i135 :22
i136 :61
i137 :B8
i138 :26
i139 :52
i13A :FA
i13B :D2
i13C :25
i13D :52
i13E :C7
i13F :CF
i140 :74
i141 :21
i142 :7D
i143 :CC
i144 :8F
i145 :7E
i146 :7D
i147 :7E
i148 :20
i149 :6D
i14A :21
i14B :30
i14C :46
i14D :74
i14E :27
i14F :7E
i150 :0
i151 :29
i152 :32
i153 :45
i154 :CF
i155 :28
i156 :33
i157 :45
i158 :CF
i159 :27
i15A :30
i15B :45
i15C :CF
i15D :7E
i15E :1E
i15F :A8
i160 :75
i161 :26
i162 :3F
i163 :71
i164 :AB
i165 :0
i166 :21
i167 :52
i168 :A2
i169 :7E
i16A :7D
i16B :7E
i16C :20
i16D :21
i16E :32
i16F :46
i170 :31
i171 :22
i172 :46
i173 :CF
i174 :75
i175 :25
i176 :40
i177 :27
i178 :43
i179 :40
i17A :28
i17B :4A
i17C :74
i17D :24
i17E :40
i17F :75
i180 :27
i181 :7E
i182 :3C
i183 :78
i184 :82
i185 :79
i186 :B
i187 :74
i188 :26
i189 :61
i18A :8D
i18B :75
i18C :40
i18D :10
i18E :AA
i18F :74
i190 :24
i191 :40
i192 :75
i193 :25
i194 :7E
i195 :3C
i196 :87
i197 :DD
i198 :74
i199 :23
i19A :6A
i19B :26
i19C :6C
i19D :6A
i19E :7D
i19F :CA
i1A0 :7E
i1A1 :7D
i1A2 :7E
i1A3 :20
i1A4 :69
i1A5 :6B
i1A6 :7E
i1A7 :1E
i1A8 :74
i1A9 :26
i1AA :69
i1AB :6F
i1AC :23
i1AD :6B
i1AE :7E
i1AF :5B
i1B0 :74
i1B1 :26
i1B2 :60
i1B3 :B7
i1B4 :23
i1B5 :38
i1B6 :46
i1B7 :7E
i1B8 :AD
i1B9 :23
i1BA :30
i1BB :46
i1BC :26
i1BD :68
i1BE :7E
i1BF :E9
i1C0 :78
i1C1 :73
i1C2 :7E
i1C3 :AD
i1C4 :2D
i1C5 :52
i1C6 :B6
i1C7 :F1
i1C8 :75
i1C9 :20
i1CA :32
i1CB :42
i1CC :3A
i1CD :4A
i1CE :4C
i1CF :21
i1D0 :33
i1D1 :46
i1D2 :23
i1D3 :30
i1D4 :46
i1D5 :22
i1D6 :31
i1D7 :46
i1D8 :4C
i1D9 :22
i1DA :55
i1DB :66
i1DC :4D
i1DD :4C
i1DE :75
i1DF :2E
i1E0 :33
i1E1 :42
i1E2 :38
i1E3 :4A
i1E4 :4C
i1E5 :3F
i1E6 :71
i1E7 :E2
i1E8 :4A
i1E9 :4C
i1EA :42
i1EB :C5
i1EC :4D
i1ED :3F
i1EE :71
i1EF :D6
i1F0 :4A
i1F1 :4C
i1F2 :43
i1F3 :CC
i1F4 :4D
i1F5 :25
i1F6 :7D
i1F7 :C5
i1F8 :DD
i1F9 :0
i1FA :0
i1FB :20
Re: Reverse Engineering the CIC
We should change the read loop to try to get 762 (or 1016) bytes in case the chip is trying to change fields on its own, though I have some skepticism. It also looks like the code should be printing 508 iterations, so I'm not sure why it's ending early. [I see before posting that you did get it to print those bytes, so that's good.]
From the old code's dump, I've gotten the remaining 7 bytes. I think at least one byte (the 20) belongs at the beginning of the dump, but I'm otherwise very confused about the page boundaries. I haven't done a disassembly or anything, but it doesn't look to me like the pages end cleanly. I'll probably get a better idea of what's going on by actually making a disassembly, but unlike with the other chips where there was a clear ending to the bank and then padding, these don't have clear boundaries. If we assume a page boundary comes every 127 bytes, it looks like the code just executes off the end, wrapping around, which doesn't seem right. There are places with two 00 bytes in a row that come after the end of something, and one of those comes at what I think is the end of page 3, but the other two don't (and in fact, one of them leaves just 2 bytes of code remaining in what I think is the page, which doesn't make sense). So all in all, I'm finding this pretty hard to parse.
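The "7E xx" page-bit reading in the earlier post about the 3199A dump, and the reconciliation done in this post (the old run starting at a different address, the 7 tail bytes recovered from it, the assumed 127-byte page boundaries and the "00 00" pairs), can be done mechanically rather than by eye. The following Python script is an added example, not code from the thread or from Jero32's sketches: it parses the "i<index> :<hex>" lines both sketches print (hex indices for the newer sketch, decimal for the older one), finds the rotation that best aligns the older dump with the newer one, fills in the addresses the newer dump lacks, and reports every 7E xx pair with bit 7 of xx and every 00 00 pair with its distance to the end of its page. The ROM size and page size are parameters (508 and 127 are the thread's working assumption), the "bit 7 of xx selects the field-1 page" reading is the poster's hypothesis taken as given, the 16-byte sample dumps are constructed for the test, and all function names are mine.

```python
"""Reconcile two partial ROM dumps and flag candidate field calls.
Added example, not the thread's code: parses the "i<idx> :<hex>" lines the
posted sketches print, aligns a rotated older dump with a truncated newer
one, fills the gap, and lists 7E xx / 00 00 pairs against page boundaries."""
import re

LINE_RE = re.compile(r"^i([0-9A-Fa-f]+)\s*:\s*([0-9A-Fa-f]{1,2})$")


def parse_dump(text, index_base):
    """Byte values in index order. Lines like "repeat" or "End of story" are
    skipped; a gap or repeat in the index sequence raises instead of silently
    shifting every later byte."""
    values = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if int(m.group(1), index_base) != len(values):
            raise ValueError(f"unexpected index i{m.group(1)} at entry {len(values)}")
        values.append(int(m.group(2), 16))
    return values


def find_rotation(new, old, rom_size):
    """Find r such that old[j] sits at ROM address (j + r) % rom_size.
    Returns (r, matches, compared); a single glitched byte costs one match."""
    best = None
    for r in range(rom_size):
        matches = compared = 0
        for j, v in enumerate(old):
            addr = (j + r) % rom_size
            if addr < len(new):
                compared += 1
                matches += int(new[addr] == v)
        if best is None or matches > best[1]:
            best = (r, matches, compared)
    return best


def merge_dumps(new, old, rom_size):
    """Full rom_size image: newer dump first, the rest from the aligned older
    dump. Returns (image, rotation, number of disagreeing overlap bytes)."""
    r, matches, compared = find_rotation(new, old, rom_size)
    image = list(new[:rom_size])
    for addr in range(len(image), rom_size):
        j = (addr - r) % rom_size  # lowest old index that lands on addr
        if j >= len(old):
            raise ValueError(f"address {addr:#x} is covered by neither dump")
        image.append(old[j])
    return image, r, compared - matches


def field_call_candidates(image, page_size):
    """(addr, page, xx, bit 7 of xx) for every 7E xx pair in the image."""
    return [(a, a // page_size, image[a + 1], image[a + 1] >> 7)
            for a in range(len(image) - 1) if image[a] == 0x7E]


def zero_pairs(image, page_size):
    """(addr, page, bytes left in that page after the pair) for every 00 00."""
    out = []
    for a in range(len(image) - 1):
        if image[a] == 0 and image[a + 1] == 0:
            page_end = (a // page_size + 1) * page_size - 1
            out.append((a, a // page_size, page_end - (a + 1)))
    return out


def reconcile(new_text, old_text, rom_size, page_size):
    """Parse both dumps (newer: hex indices, older: decimal) and analyse."""
    image, r, bad = merge_dumps(parse_dump(new_text, 16),
                                parse_dump(old_text, 10), rom_size)
    return {"image": image, "rotation": r, "disagreements": bad,
            "field_calls": field_call_candidates(image, page_size),
            "zero_pairs": zero_pairs(image, page_size)}


# Constructed 16-byte toy ROM: 75 30 4A 74 42 C0 7E 7D 7E DD 00 00 20 75 22 63.
# Newer-sketch style dump, truncated after 12 bytes (hex indices):
NEW_DUMP = ("i0 :75\ni1 :30\ni2 :4A\ni3 :74\ni4 :42\ni5 :C0\n"
            "i6 :7E\ni7 :7D\ni8 :7E\ni9 :DD\niA :0\niB :0\n")
# Older-sketch style dump: starts at address 5, first byte misread, wraps:
OLD_DUMP = ("i0 :D0\ni1 :7E\ni2 :7D\ni3 :7E\ni4 :DD\ni5 :0\ni6 :0\ni7 :20\n"
            "i8 :75\ni9 :22\ni10 :63\nrepeat\ni11 :75\ni12 :30\ni13 :4A\n"
            "i14 :74\ni15 :42\ni16 :C0\ni17 :7E\nEnd of story\n")

if __name__ == "__main__":
    res = reconcile(NEW_DUMP, OLD_DUMP, 16, 4)
    print(f"old dump starts at {res['rotation']:#x}, {res['disagreements']} disagreement(s)")
    print(" ".join(f"{b:02X}" for b in res["image"]))
    for a, page, xx, bit in res["field_calls"]:
        print(f"  {a:#05x} (page {page}): 7E {xx:02X} -> field-1 page {bit}")
```

On the real logs this is reconcile(new_text, old_text, 508, 127). The disagreement count is the check worth looking at first: one disagreement is the old sketch's glitched first byte; anything higher means the old run mis-sampled elsewhere too, and the bytes filled in from it should not be trusted until that is understood.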
Re: Reverse Engineering the CIC
Hey it worked! Neat. I guess now someone has to analyze the code to see if it's all there.
edit: I hope this is a more "proper" fix, I added a serial.flush command after sending some data, maybe the buffer was overloading or something.
If you wouldn't mind trying it out.
Code:
//sm590 dumper script
//Written by Jero32 24/09/2020
//to run, hook the arduino pins up to the sm590 chip according to the pinout below, upload the sketch to the arduino,
//clear the terminal window and press the reset button

//do one clock cycle. Note: relies on opcodes taking time to provide delay for speed, not very portable
#define ClockMacro()\
  if(1){\
    PORTC |= 0b00001000; delayMicroseconds(5); PORTC &= 0b11110111; delayMicroseconds(5);\
  } else {}
//do one clock cycle while also pulsing PORTC bit 5 (A5) high (no longer used in the read loop below)
#define ClockMacroTrigger()\
  if(1){\
    PORTC |= 0b00101000; delayMicroseconds(5); PORTC &= 0b11010111; delayMicroseconds(5);\
  } else {}
//do 3 clocks
#define ThreeClockMacro()\
  if(1){\
    ClockMacro();\
    ClockMacro();\
    ClockMacro();\
  } else {}
//do 4 clocks
#define FourClockMacro()\
  if(1){\
    ClockMacro();\
    ClockMacro();\
    ClockMacro();\
    ClockMacro();\
  } else {}

void setup() {
  int i;
  //pinout (sm590 signal -> arduino pin)
  //R20       A0
  //R21       A1
  //R22       A2
  //CLOCK     A3
  //Reset/ACL A4
  //D0 pin 2
  //D1 pin 3
  //D2 pin 4
  //D3 pin 5
  //D4 pin 6
  //D5 pin 7
  //D6 pin 8
  //D7 pin 9
  noInterrupts();
  DDRD &= 0b00000011; //set pins 2 through 7 as inputs
  DDRB &= 0b11111100; //set pins 8 and 9 as inputs
  DDRC |= 0b00111111; //set A0 through A5 as outputs
  DIDR0 = 0x00; //no longer necessary but it doesn't hurt.
  PORTC &= 0b11100000; //make sure all bits are in a known cleared state
  PORTC |= 0b00010111; //set pins A0 - A4 high with the exception of A3/CLK
  for(i = 0; i < 255; i++){
    FourClockMacro(); //start the clock, give the chip some time to boot up
  }
  PORTC &= 0b11101111; //lower ACL
  for(i = 0; i < 509; i++){ FourClockMacro(); } //keep clocking for a while after releasing ACL before touching R20/R21
  PORTC &= 0b11111100; //lower R20, R21
  FourClockMacro();
}

void loop() {
  int i;
  unsigned char dataArray[508];
  for (i = 0; i < 508; i++) { //fill a 508 byte array with the rom data
    // ClockMacroTrigger();
    ClockMacro();
    ClockMacro();
    PORTC |= 0b00001000; delayMicroseconds(5); //raise CLK and sample the data pins while it is high
    dataArray[i] = ((PIND & 0b11111100) >> 2) | ((PINB & 0b00000011) << 6); //pins 2-7 give D0-D5, pins 8-9 give D6-D7. Note: data seems inverted compared to "known" romdumps
    PORTC &= 0b11110111; delayMicroseconds(5); //lower CLK again
    ClockMacro();
  }
  Serial.begin(9600);
  for (i = 0; i < 508; i++) {
    Serial.print("i");
    Serial.print(i, HEX);
    Serial.print(" :");
    Serial.print((dataArray[i] ^ 0xFF) & 0xFF, HEX); //data inverted to match "known" rom dumps
    Serial.print("\r\n");
    Serial.flush(); //wait until the line has actually left the serial buffer
  }
  while (1) {}
}
Re: Reverse Engineering the CIC
Yes, I get the same dump as before.
Patnukem wrote: ↑Thu Oct 01, 2020 2:48 pm
Code:
i0 :75 i1 :30 i2 :4A i3 :74 i4 :42 i5 :C0 i6 :7D i7 :A6 i8 :7E i9 :7D iA :7D iB :D3 iC :7D iD :CA iE :7E iF :5B i10 :75 i11 :22 i12 :63 i13 :9D i14 :0 i15 :28 i16 :52 i17 :EB i18 :EC i19 :74 i1A :22 i1B :60 i1C :B0 i1D :D7 i1E :7E i1F :21 i20 :74 i21 :23 i22 :63 i23 :B2 i24 :23 i25 :52 i26 :97 i27 :91 i28 :7D i29 :F2 i2A :B1 i2B :22 i2C :6C i2D :23 i2E :60 i2F :C2 i30 :0 i31 :29 i32 :52 i33 :9A i34 :74 i35 :24 i36 :33 i37 :45 i38 :BD i39 :0 i3A :0 i3B :C7 i3C :23 i3D :61 i3E :DC i3F :2C i40 :52 i41 :E3 i42 :A6 i43 :75 i44 :2E i45 :7D i46 :C5 i47 :A6 i48 :74 i49 :23 i4A :6D i4B :0 i4C :74 i4D :23 i4E :62 i4F :89 i50 :2B i51 :52 i52 :94 i53 :78 i54 :9C i55 :78 i56 :C4 i57 :7D i58 :F2 i59 :E9 i5A :75 i5B :21 i5C :7D i5D :CC i5E :86 i5F :74 i60 :23 i61 :6C i62 :7D i63 :A6 i64 :0 i65 :86 i66 :22 i67 :68 i68 :7D i69 :A6 i6A :28 i6B :52 i6C :88 i6D :93 i6E :7D i6F :D3 i70 :74 i71 :23 i72 :60 i73 :96 i74 :78 i75 :2B i76 :2C i77 :52 i78 :D5 i79 :7D i7A :A6 i7B :74 i7C :23 i7D :68 i7E :23 i7F :61 i80 :BF i81 :69 i82 :78 i83 :13 i84 :0 i85 :75 i86 :25 i87 :7E i88 :0 i89 :26 i8A :33 i8B :45 i8C :D7 i8D :25 i8E :3C i8F :45 i90 :D7 i91 :74 i92 :23 i93 :6F i94 :74 i95 :23 i96 :62 i97 :8E i98 :9C i99 :7E i9A :5B i9B :74 i9C :24 i9D :40 i9E :10 i9F :BB iA0 :89 iA1 :13 iA2 :97 iA3 :89 iA4 :75 iA5 :26 iA6 :11 iA7 :A8 iA8 :40 iA9 :10 iAA :89 iAB :3E iAC :9A iAD :40 iAE :10 iAF :89 iB0 :3C iB1 :25 iB2 :71 iB3 :C1 iB4 :89 iB5 :78 iB6 :13 iB7 :74 iB8 :2A iB9 :7D iBA :C5 iBB :96 iBC :75 iBD :22 iBE :63 iBF :B7 iC0 :74 iC1 :26 iC2 :6D iC3 :96 iC4 :74 iC5 :2F iC6 :30 iC7 :43 iC8 :32 iC9 :43 iCA :3F iCB :43 iCC :3F iCD :4A iCE :75 iCF :22 iD0 :6F iD1 :96 iD2 :79 iD3 :8D iD4 :74 iD5 :26 iD6 :6C iD7 :6E iD8 :23 iD9 :6E iDA :21 iDB :32 iDC :46 iDD :22 iDE :55 iDF :65 iE0 :B4 iE1 :D0 iE2 :2D iE3 :52 iE4 :DA iE5 :75 iE6 :22 iE7 :63 iE8 :98 iE9 :79 iEA :69 iEB :21 iEC :52 iED :E2 iEE :0 iEF :21 iF0 :52 iF1 :E6 iF2 :22 iF3 :52 iF4 :AC iF5 :22 iF6 :52 iF7 :D5 iF8 :A5 iF9 :0 iFA :0 iFB :75 iFC :22 
iFD :60 iFE :FE iFF :2D i100 :52 i101 :F0 i102 :DE i103 :7E i104 :3F i105 :F3 i106 :23 i107 :52 i108 :F7 i109 :28 i10A :52 i10B :BE i10C :79 i10D :FB i10E :75 i10F :22 i110 :6C i111 :7E i112 :3F i113 :C1 i114 :7E i115 :7D i116 :7E i117 :1E i118 :75 i119 :22 i11A :68 i11B :69 i11C :21 i11D :30 i11E :46 i11F :23 i120 :7E i121 :0 i122 :24 i123 :30 i124 :45 i125 :CF i126 :23 i127 :3F i128 :45 i129 :CF i12A :7E i12B :6A i12C :22 i12D :62 i12E :8D i12F :6A i130 :B3 i131 :6E i132 :30 i133 :D9 i134 :75 i135 :22 i136 :61 i137 :B8 i138 :26 i139 :52 i13A :FA i13B :D2 i13C :25 i13D :52 i13E :C7 i13F :CF i140 :74 i141 :21 i142 :7D i143 :CC i144 :8F i145 :7E i146 :7D i147 :7E i148 :20 i149 :6D i14A :21 i14B :30 i14C :46 i14D :74 i14E :27 i14F :7E i150 :0 i151 :29 i152 :32 i153 :45 i154 :CF i155 :28 i156 :33 i157 :45 i158 :CF i159 :27 i15A :30 i15B :45 i15C :CF i15D :7E i15E :1E i15F :A8 i160 :75 i161 :26 i162 :3F i163 :71 i164 :AB i165 :0 i166 :21 i167 :52 i168 :A2 i169 :7E i16A :7D i16B :7E i16C :20 i16D :21 i16E :32 i16F :46 i170 :31 i171 :22 i172 :46 i173 :CF i174 :75 i175 :25 i176 :40 i177 :27 i178 :43 i179 :40 i17A :28 i17B :4A i17C :74 i17D :24 i17E :40 i17F :75 i180 :27 i181 :7E i182 :3C i183 :78 i184 :82 i185 :79 i186 :B i187 :74 i188 :26 i189 :61 i18A :8D i18B :75 i18C :40 i18D :10 i18E :AA i18F :74 i190 :24 i191 :40 i192 :75 i193 :25 i194 :7E i195 :3C i196 :87 i197 :DD i198 :74 i199 :23 i19A :6A i19B :26 i19C :6C i19D :6A i19E :7D i19F :CA i1A0 :7E i1A1 :7D i1A2 :7E i1A3 :20 i1A4 :69 i1A5 :6B i1A6 :7E i1A7 :1E i1A8 :74 i1A9 :26 i1AA :69 i1AB :6F i1AC :23 i1AD :6B i1AE :7E i1AF :5B i1B0 :74 i1B1 :26 i1B2 :60 i1B3 :B7 i1B4 :23 i1B5 :38 i1B6 :46 i1B7 :7E i1B8 :AD i1B9 :23 i1BA :30 i1BB :46 i1BC :26 i1BD :68 i1BE :7E i1BF :E9 i1C0 :78 i1C1 :73 i1C2 :7E i1C3 :AD i1C4 :2D i1C5 :52 i1C6 :B6 i1C7 :F1 i1C8 :75 i1C9 :20 i1CA :32 i1CB :42 i1CC :3A i1CD :4A i1CE :4C i1CF :21 i1D0 :33 i1D1 :46 i1D2 :23 i1D3 :30 i1D4 :46 i1D5 :22 i1D6 :31 i1D7 :46 i1D8 :4C i1D9 :22 i1DA :55 i1DB :66 
i1DC :4D i1DD :4C i1DE :75 i1DF :2E i1E0 :33 i1E1 :42 i1E2 :38 i1E3 :4A i1E4 :4C i1E5 :3F i1E6 :71 i1E7 :E2 i1E8 :4A i1E9 :4C i1EA :42 i1EB :C5 i1EC :4D i1ED :3F i1EE :71 i1EF :D6 i1F0 :4A i1F1 :4C i1F2 :43 i1F3 :CC i1F4 :4D i1F5 :25 i1F6 :7D i1F7 :C5 i1F8 :DD i1F9 :0 i1FA :0 i1FB :20
Re: Reverse Engineering the CIC
Here's a quick test for 1016 bytes:
It is untested.
Code:
//sm590 dumper script
//Written by Jero32 24/09/2020
//to run, hook the arduino pins up to the sm590 chip according to the pinout below, upload the sketch to the arduino,
//clear the terminal window and press the reset button

//do one clock cycle. Note: relies on opcodes taking time to provide delay for speed, not very portable
#define ClockMacro()\
  if(1){\
    PORTC |= 0b00001000; delayMicroseconds(5); PORTC &= 0b11110111; delayMicroseconds(5);\
  } else {}
//do one clock cycle while also pulsing PORTC bit 5 (A5) high (no longer used in the read loop below)
#define ClockMacroTrigger()\
  if(1){\
    PORTC |= 0b00101000; delayMicroseconds(5); PORTC &= 0b11010111; delayMicroseconds(5);\
  } else {}
//do 3 clocks
#define ThreeClockMacro()\
  if(1){\
    ClockMacro();\
    ClockMacro();\
    ClockMacro();\
  } else {}
//do 4 clocks
#define FourClockMacro()\
  if(1){\
    ClockMacro();\
    ClockMacro();\
    ClockMacro();\
    ClockMacro();\
  } else {}

void setup() {
  int i;
  //pinout (sm590 signal -> arduino pin)
  //R20       A0
  //R21       A1
  //R22       A2
  //CLOCK     A3
  //Reset/ACL A4
  //D0 pin 2
  //D1 pin 3
  //D2 pin 4
  //D3 pin 5
  //D4 pin 6
  //D5 pin 7
  //D6 pin 8
  //D7 pin 9
  noInterrupts();
  DDRD &= 0b00000011; //set pins 2 through 7 as inputs
  DDRB &= 0b11111100; //set pins 8 and 9 as inputs
  DDRC |= 0b00111111; //set A0 through A5 as outputs
  DIDR0 = 0x00; //no longer necessary but it doesn't hurt.
  PORTC &= 0b11100000; //make sure all bits are in a known cleared state
  PORTC |= 0b00010111; //set pins A0 - A4 high with the exception of A3/CLK
  for(i = 0; i < 255; i++){
    FourClockMacro(); //start the clock, give the chip some time to boot up
  }
  PORTC &= 0b11101111; //lower ACL
  for(i = 0; i < 509; i++){ FourClockMacro(); } //keep clocking for a while after releasing ACL before touching R20/R21
  PORTC &= 0b11111100; //lower R20, R21
  FourClockMacro();
}

void loop() {
  int i;
  unsigned char dataArray[1016];
  for (i = 0; i < 1016; i++) { //fill a 1016 byte array (twice the 508 bytes seen so far) with the rom data
    // ClockMacroTrigger();
    ClockMacro();
    ClockMacro();
    PORTC |= 0b00001000; delayMicroseconds(5); //raise CLK and sample the data pins while it is high
    dataArray[i] = ((PIND & 0b11111100) >> 2) | ((PINB & 0b00000011) << 6); //pins 2-7 give D0-D5, pins 8-9 give D6-D7. Note: data seems inverted compared to "known" romdumps
    PORTC &= 0b11110111; delayMicroseconds(5); //lower CLK again
    ClockMacro();
  }
  Serial.begin(9600);
  for (i = 0; i < 1016; i++) {
    Serial.print("i");
    Serial.print(i, HEX);
    Serial.print(" :");
    Serial.print((dataArray[i] ^ 0xFF) & 0xFF, HEX); //data inverted to match "known" rom dumps
    Serial.print("\r\n");
    Serial.flush(); //wait until the line has actually left the serial buffer
  }
  while (1) {}
}
Re: Reverse Engineering the CIC
I think it just loops the original 508 if I am not mistaken.
Code:
i1FC :20
i1FD :75
i1FE :30
i1FF :4A
i200 :74
i201 :42
i202 :C0
i203 :7D
i204 :A6
i205 :7E
i206 :7D
i207 :7D
i208 :D3
i209 :7D
i20A :CA
i20B :7E
i20C :5B
i20D :75
i20E :22
i20F :63
i210 :9D
i211 :0
i212 :28
i213 :52
i214 :EB
i215 :EC
i216 :74
i217 :22
i218 :60
i219 :B0
i21A :D7
i21B :7E
i21C :21
i21D :74
i21E :23
i21F :63
i220 :B2
i221 :23
i222 :52
i223 :97
i224 :91
i225 :7D
i226 :F2
i227 :B1
i228 :22
i229 :6C
i22A :23
i22B :60
i22C :C2
i22D :0
i22E :29
i22F :52
i230 :9A
i231 :74
i232 :24
i233 :33
i234 :45
i235 :BD
i236 :0
i237 :0
i238 :C7
i239 :23
i23A :61
i23B :DC
i23C :2C
i23D :52
i23E :E3
i23F :A6
i240 :75
i241 :2E
i242 :7D
i243 :C5
i244 :A6
i245 :74
i246 :23
i247 :6D
i248 :0
i249 :74
i24A :23
i24B :62
i24C :89
i24D :2B
i24E :52
i24F :94
i250 :78
i251 :9C
i252 :78
i253 :C4
i254 :7D
i255 :F2
i256 :E9
i257 :75
i258 :21
i259 :7D
i25A :CC
i25B :86
i25C :74
i25D :23
i25E :6C
i25F :7D
i260 :A6
i261 :0
i262 :86
i263 :22
i264 :68
i265 :7D
i266 :A6
i267 :28
i268 :52
i269 :88
i26A :93
i26B :7D
i26C :D3
i26D :74
i26E :23
i26F :60
i270 :96
i271 :78
i272 :2B
i273 :2C
i274 :52
i275 :D5
i276 :7D
i277 :A6
i278 :74
i279 :23
i27A :68
i27B :23
i27C :61
i27D :BF
i27E :69
i27F :78
i280 :13
i281 :0
i282 :75
i283 :25
i284 :7E
i285 :0
i286 :26
i287 :33
i288 :45
i289 :D7
i28A :25
i28B :3C
i28C :45
i28D :D7
i28E :74
i28F :23
i290 :6F
i291 :74
i292 :23
i293 :62
i294 :8E
i295 :9C
i296 :7E
i297 :5B
i298 :74
i299 :24
i29A :40
i29B :10
i29C :BB
i29D :89
i29E :13
i29F :97
i2A0 :89
i2A1 :75
i2A2 :26
i2A3 :11
i2A4 :A8
i2A5 :40
i2A6 :10
i2A7 :89
i2A8 :3E
i2A9 :9A
i2AA :40
i2AB :10
i2AC :89
i2AD :3C
i2AE :25
i2AF :71
i2B0 :C1
i2B1 :89
i2B2 :78
i2B3 :13
i2B4 :74
i2B5 :2A
i2B6 :7D
i2B7 :C5
i2B8 :96
i2B9 :75
i2BA :22
i2BB :63
i2BC :B7
i2BD :74
i2BE :26
i2BF :6D
i2C0 :96
i2C1 :74
i2C2 :2F
i2C3 :30
i2C4 :43
i2C5 :32
i2C6 :43
i2C7 :3F
i2C8 :43
i2C9 :3F
i2CA :4A
i2CB :75
i2CC :22
i2CD :6F
i2CE :96
i2CF :79
i2D0 :8D
i2D1 :74
i2D2 :26
i2D3 :6C
i2D4 :6E
i2D5 :23
i2D6 :6E
i2D7 :21
i2D8 :32
i2D9 :46
i2DA :22
i2DB :55
i2DC :65
i2DD :B4
i2DE :D0
i2DF :2D
i2E0 :52
i2E1 :DA
i2E2 :75
i2E3 :22
i2E4 :63
i2E5 :98
i2E6 :79
i2E7 :69
i2E8 :21
i2E9 :52
i2EA :E2
i2EB :0
i2EC :21
i2ED :52
i2EE :E6
i2EF :22
i2F0 :52
i2F1 :AC
i2F2 :22
i2F3 :52
i2F4 :D5
i2F5 :A5
i2F6 :0
i2F7 :0
i2F8 :75
i2F9 :22
i2FA :60
i2FB :FE
i2FC :2D
i2FD :52
i2FE :F0
i2FF :DE
i300 :7E
i301 :3F
i302 :F3
i303 :23
i304 :52
i305 :F7
i306 :28
i307 :52
i308 :BE
i309 :79
i30A :FB
i30B :75
i30C :22
i30D :6C
i30E :7E
i30F :3F
i310 :C1
i311 :7E
i312 :7D
i313 :7E
i314 :1E
i315 :75
i316 :22
i317 :68
i318 :69
i319 :21
i31A :30
i31B :46
i31C :23
i31D :7E
i31E :0
i31F :24
i320 :30
i321 :45
i322 :CF
i323 :23
i324 :3F
i325 :45
i326 :CF
i327 :7E
i328 :6A
i329 :22
i32A :62
i32B :8D
i32C :6A
i32D :B3
i32E :6E
i32F :30
i330 :D9
i331 :75
i332 :22
i333 :61
i334 :B8
i335 :26
i336 :52
i337 :FA
i338 :D2
i339 :25
i33A :52
i33B :C7
i33C :CF
i33D :74
i33E :21
i33F :7D
i340 :CC
i341 :8F
i342 :7E
i343 :7D
i344 :7E
i345 :20
i346 :6D
i347 :21
i348 :30
i349 :46
i34A :74
i34B :27
i34C :7E
i34D :0
i34E :29
i34F :32
i350 :45
i351 :CF
i352 :28
i353 :33
i354 :45
i355 :CF
i356 :27
i357 :30
i358 :45
i359 :CF
i35A :7E
i35B :1E
i35C :A8
i35D :75
i35E :26
i35F :3F
i360 :71
i361 :AB
i362 :0
i363 :21
i364 :52
i365 :A2
i366 :7E
i367 :7D
i368 :7E
i369 :20
i36A :21
i36B :32
i36C :46
i36D :31
i36E :22
i36F :46
i370 :CF
i371 :75
i372 :25
i373 :40
i374 :27
i375 :43
i376 :40
i377 :28
i378 :4A
i379 :74
i37A :24
i37B :40
i37C :75
i37D :27
i37E :7E
i37F :3C
i380 :78
i381 :82
i382 :79
i383 :B
i384 :74
i385 :26
i386 :61
i387 :8D
i388 :75
i389 :40
i38A :10
i38B :AA
i38C :74
i38D :24
i38E :40
i38F :75
i390 :25
i391 :7E
i392 :3C
i393 :87
i394 :DD
i395 :74
i396 :23
i397 :6A
i398 :26
i399 :6C
i39A :6A
i39B :7D
i39C :CA
i39D :7E
i39E :7D
i39F :7E
i3A0 :20
i3A1 :69
i3A2 :6B
i3A3 :7E
i3A4 :1E
i3A5 :74
i3A6 :26
i3A7 :69
i3A8 :6F
i3A9 :23
i3AA :6B
i3AB :7E
i3AC :5B
i3AD :74
i3AE :26
i3AF :60
i3B0 :B7
i3B1 :23
i3B2 :38
i3B3 :46
i3B4 :7E
i3B5 :AD
i3B6 :23
i3B7 :30
i3B8 :46
i3B9 :26
i3BA :68
i3BB :7E
i3BC :E9
i3BD :78
i3BE :73
i3BF :7E
i3C0 :AD
i3C1 :2D
i3C2 :52
i3C3 :B6
i3C4 :F1
i3C5 :75
i3C6 :20
i3C7 :32
i3C8 :42
i3C9 :3A
i3CA :4A
i3CB :4C
i3CC :21
i3CD :33
i3CE :46
i3CF :23
i3D0 :30
i3D1 :46
i3D2 :22
i3D3 :31
i3D4 :46
i3D5 :4C
i3D6 :22
i3D7 :55
i3D8 :66
i3D9 :4D
i3DA :4C
i3DB :75
i3DC :2E
i3DD :33
i3DE :42
i3DF :38
i3E0 :4A
i3E1 :4C
i3E2 :3F
i3E3 :71
i3E4 :E2
i3E5 :4A
i3E6 :4C
i3E7 :42
i3E8 :C5
i3E9 :4D
i3EA :3F
i3EB :71
i3EC :D6
i3ED :4A
i3EE :4C
i3EF :43
i3F0 :CC
i3F1 :4D
i3F2 :25
i3F3 :7D
i3F4 :C5
i3F5 :DD
i3F6 :0
i3F7 :0
Re: Reverse Engineering the CIC
Sean Riddle's dumping directions do imply that there's no known way to get to pages beyond the first four. Given the structure, I wouldn't be surprised if it'd require glitching into dump mode from operation.
I'd probably send him a note and ask where in the decapped SM590 dice is the counter that's used for switching between the first four pages.
Re: Reverse Engineering the CIC
One could try pulling R22 low, perhaps that controls the page.
Edit: alternatively, one could try setting R20 or R21 high. With two pins you can address 4 pages.