## Reverse Engineering the CIC

### Re: Reverse Engineering the CIC

I also got long chains of EC with the 6113 chip. So I know the code is doing the same thing on both our chips...

Edit: to remove a suggestion I found to not be helpful.

Yes, sharing the updated code would be awesome; I can run it on my 3198 and see what I get. I used desoldering braid with good results.

### Re: Reverse Engineering the CIC

I tested a 2nd 3198A and had the exact same dump as previously. I did add an extra ClockMacro() as suggested and it did start on the proper 30 instead of the 0 I was getting in the first line.

```
i0 :30
i1 :20
i2 :74
i3 :48
i4 :44
i5 :20
i6 :54
i7 :64
i8 :B8
i9 :74
iA :20
iB :54
iC :64
iD :DC
iE :20
iF :30
i10 :70
i11 :40
i12 :F8
i13 :30
i14 :20
i15 :0
i16 :0
i17 :68
i18 :44
i19 :3C
i1A :0
i1B :8C
i1C :0
i1D :0
i1E :3C
i1F :0
i20 :D8
i21 :94
i22 :30
i23 :20
i24 :44
i25 :7C
i26 :0
i27 :7C
i28 :0
i29 :30
i2A :5C
i2B :7C
i2C :0
i2D :44
i2E :A8
i2F :7C
i30 :80
i31 :74
i32 :7C
i33 :C4
i34 :74
i35 :7C
i36 :C4
i37 :7C
i38 :F4
i39 :54
i3A :64
i3B :9C
i3C :D8
i3D :30
i3E :40
i3F :44
i40 :0
i41 :54
i42 :44
i43 :48
i44 :74
i45 :7C
i46 :80
i47 :74
i48 :60
i49 :D0
i4A :7C
i4B :F4
i4C :60
i4D :D8
i4E :88
i4F :7C
i50 :F4
i51 :60
i52 :90
i53 :D8
i54 :0
i55 :5C
i56 :0
i57 :E8
i58 :7C
i59 :80
i5A :7C
i5B :F8
i5C :24
i5D :40
i5E :C
i5F :98
i60 :40
i61 :8C
i62 :5C
i63 :B4
i64 :7C
i65 :80
i66 :A0
i67 :30
i68 :E0
i69 :20
i6A :30
i6B :44
i6C :88
i6D :20
i6E :44
i6F :4
i70 :98
i71 :30
i72 :44
i73 :7C
i74 :0
i75 :44
i76 :A8
i77 :D8
i78 :30
i79 :E0
i7A :0
i7B :0
i7C :0
i7D :0
i7E :7C
i7F :80
i80 :EC
i81 :30
i82 :20
i83 :0
i84 :0
i85 :0
i86 :CC
i87 :30
i88 :20
i89 :44
i8A :0
i8B :0
i8C :0
i8D :44
i8E :4C
i8F :20
i90 :54
i91 :64
i92 :8C
i93 :64
i94 :B8
i95 :34
i96 :D8
i97 :30
i98 :D8
i99 :64
i9A :B0
i9B :34
i9C :D8
i9D :30
i9E :48
i9F :74
iA0 :28
iA1 :30
iA2 :40
iA3 :B8
iA4 :2C
iA5 :38
iA6 :40
iA7 :2C
iA8 :48
iA9 :30
iAA :70
iAB :E4
iAC :40
iAD :8C
iAE :20
iAF :40
iB0 :C
iB1 :4C
iB2 :48
iB3 :EC
iB4 :20
iB5 :54
iB6 :64
iB7 :8C
iB8 :4C
iB9 :74
iBA :7C
iBB :80
iBC :74
iBD :4C
iBE :5C
iBF :5C
iC0 :54
iC1 :40
iC2 :20
iC3 :48
iC4 :68
iC5 :68
iC6 :68
iC7 :4C
iC8 :0
iC9 :0
iCA :0
iCB :0
iCC :0
iCD :0
iCE :0
iCF :0
iD0 :0
iD1 :0
iD2 :0
iD3 :0
iD4 :0
iD5 :0
iD6 :0
iD7 :0
iD8 :0
iD9 :0
iDA :0
iDB :0
iDC :0
iDD :0
iDE :0
iDF :0
iE0 :0
iE1 :0
iE2 :0
iE3 :0
iE4 :0
iE5 :0
iE6 :0
iE7 :0
iE8 :0
iE9 :0
iEA :0
iEB :0
iEC :0
iED :0
iEE :0
iEF :0
iF0 :0
iF1 :0
iF2 :0
iF3 :0
iF4 :0
iF5 :0
iF6 :0
iF7 :0
iF8 :0
iF9 :0
iFA :0
iFB :0
iFC :0
iFD :74
iFE :20
iFF :54
i100 :20
i101 :48
i102 :68
i103 :68
i104 :20
i105 :54
i106 :20
i107 :6C
i108 :64
i109 :68
i10A :6C
i10B :64
i10C :68
i10D :40
i10E :20
i10F :40
i110 :4C
i111 :0
i112 :0
i113 :0
i114 :0
i115 :0
i116 :0
i117 :0
i118 :0
i119 :0
i11A :0
i11B :0
i11C :0
i11D :0
i11E :0
i11F :0
i120 :0
i121 :0
i122 :0
i123 :0
i124 :0
i125 :0
i126 :0
i127 :0
i128 :0
i129 :0
i12A :0
i12B :0
i12C :0
i12D :0
i12E :0
i12F :0
i130 :0
i131 :0
i132 :0
i133 :0
i134 :0
i135 :0
i136 :0
i137 :0
i138 :0
i139 :0
i13A :0
i13B :0
i13C :0
i13D :0
i13E :0
i13F :0
i140 :0
i141 :0
i142 :0
i143 :0
i144 :0
i145 :0
i146 :0
i147 :0
i148 :0
i149 :0
i14A :0
i14B :0
i14C :0
i14D :0
i14E :0
i14F :0
i150 :0
i151 :0
i152 :0
i153 :0
i154 :0
i155 :0
i156 :0
i157 :0
i158 :0
i159 :0
i15A :0
i15B :0
i15C :0
i15D :0
i15E :0
i15F :0
i160 :0
i161 :0
i162 :0
i163 :0
i164 :0
i165 :0
i166 :0
i167 :0
i168 :0
i169 :0
i16A :0
i16B :0
i16C :0
i16D :0
i16E :0
i16F :0
i170 :0
i171 :0
i172 :0
i173 :0
i174 :0
i175 :0
i176 :0
i177 :0
i178 :0
i179 :0
i17A :0
i17B :0
i17C :7C
i17D :80
i17E :AC
i17F :74
i180 :20
i181 :30
i182 :60
i183 :30
i184 :7C
i185 :80
i186 :20
i187 :30
i188 :60
i189 :30
i18A :7C
i18B :80
i18C :20
i18D :30
i18E :60
i18F :30
i190 :7C
i191 :80
i192 :20
i193 :30
i194 :60
i195 :30
i196 :7C
i197 :80
i198 :20
i199 :0
i19A :0
i19B :0
i19C :0
i19D :0
i19E :0
i19F :0
i1A0 :4C
i1A1 :74
i1A2 :20
i1A3 :3C
i1A4 :40
i1A5 :0
i1A6 :7C
i1A7 :EC
i1A8 :20
i1A9 :64
i1AA :68
i1AB :0
i1AC :7C
i1AD :EC
i1AE :20
i1AF :64
i1B0 :68
i1B1 :0
i1B2 :7C
i1B3 :EC
i1B4 :20
i1B5 :64
i1B6 :68
i1B7 :0
i1B8 :7C
i1B9 :EC
i1BA :20
i1BB :64
i1BC :68
i1BD :40
i1BE :74
i1BF :44
i1C0 :78
i1C1 :58
i1C2 :4C
i1C3 :0
i1C4 :0
i1C5 :0
i1C6 :0
i1C7 :0
i1C8 :0
i1C9 :0
i1CA :0
i1CB :0
i1CC :0
i1CD :0
i1CE :0
i1CF :0
i1D0 :0
i1D1 :0
i1D2 :0
i1D3 :0
i1D4 :0
i1D5 :0
i1D6 :0
i1D7 :0
i1D8 :0
i1D9 :0
i1DA :0
i1DB :0
i1DC :0
i1DD :0
i1DE :0
i1DF :0
i1E0 :0
i1E1 :0
i1E2 :0
i1E3 :0
i1E4 :0
i1E5 :0
i1E6 :0
i1E7 :0
i1E8 :0
i1E9 :0
i1EA :0
i1EB :0
i1EC :0
i1ED :0
i1EE :0
i1EF :0
i1F0 :0
i1F1 :0
i1F2 :0
i1F3 :0
i1F4 :0
i1F5 :0
i1F6 :0
i1F7 :0
i1F8 :0
i1F9 :0
i1FA :0
i1FB :0
```

### Re: Reverse Engineering the CIC

0 is actually the proper byte to start at. (Judging by the "Known" dump in the repo)

### Re: Reverse Engineering the CIC

I misunderstood; the number was a 0 before I put the code update in.

I’ll take a look and see where the data is missing, but I’m thinking my setup is OK since my 6113 chip got the same reading as Fiskbit did, and I got the same dump consistently on two different chips. Maybe another dumb idea, but just throwing pasta at the wall to see what sticks: could there be additional bits or something else we are missing?

### Re: Reverse Engineering the CIC

So I see a few options:

1.) Our understanding of the exact timings needed to activate the debug mode are not entirely correct.

2.) Some chips lack a full fledged debug mode

3.) The chips have differing debug modes that swap pins and such

I have no clue which of these it is. I did update my code to incorporate the changes mentioned earlier. I also disabled interrupts in case that was messing things up.

It could also be that I'm missing some kind of pin setup procedure call and they're not properly set as inputs. I've never programmed AVR chips before, so they're all a bit new to me.

```
//sm590 dumper script
//Written by Jero32 23/09/2020
//to run, hook the arduino pins up to the sm590 chip according to the pinout below. Upload the sketch to the arduino,
//clear the terminal window and press the reset button.

//do one clock cycle. Note: relies on opcodes taking time to provide delay for speed, not very portable
#define ClockMacro()\
  if(1){\
    PORTC |= 0b00001000; delayMicroseconds(5); PORTC &= 0b11110111; delayMicroseconds(5);\
  } else {}

//do 3 clocks
#define ThreeClockMacro()\
  if(1){\
    ClockMacro();\
    ClockMacro();\
    ClockMacro();\
  } else {}

//do 4 clocks (one instruction cycle's worth; the clock is divided down inside the chip)
#define FourClockMacro()\
  if(1){\
    ClockMacro();\
    ClockMacro();\
    ClockMacro();\
    ClockMacro();\
  } else {}

void setup() {
  int i;
  //pinout (sm590 signal -> arduino pin):
  //R20       A0
  //R21       A1
  //R22       A2
  //CLOCK     A3
  //Reset/ACL A4
  //D0        pin 2
  //D1        pin 3
  //D2        pin 4
  //D3        pin 5
  //D4        pin 6
  //D5        pin 7
  //D6        pin 8
  //D7        pin 9
  noInterrupts();
  DDRD &= 0b00000011;  //set pins 2 through 7 as inputs
  DDRB &= 0b11111100;  //set pins 8 and 9 as inputs
  DDRC |= 0b00011111;  //set A0 through A4 as outputs
  DIDR0 = 0x00;        //no longer necessary but it doesn't hurt.
  PORTC &= 0b11100000; //make sure all bits are in a known cleared state
  PORTC |= 0b00010111; //set pins A0 - A4 high with the exception of A3/CLK
  for(i = 0; i < 255; i++){
    FourClockMacro(); //start the clock, give it some time to boot up
  }
  PORTC &= 0b11101111; //lower ACL
  FourClockMacro();
  PORTC &= 0b11111101; //lower R21
  FourClockMacro();
  PORTC &= 0b11111110; //lower R20
  FourClockMacro();
}

void loop() {
  int i;
  for (i = 0; i < 507; i++) {
    ClockMacro();
    ClockMacro();
    ClockMacro();
    ClockMacro();
  }
  unsigned char dataArray[508];
  for (i = 0; i < 508; i++) { //fill a 508 byte array with the rom data
    ClockMacro();
    ClockMacro();
    //D0-D5 come from pins 2-7 (PIND bits 2-7), D6-D7 from pins 8-9 (PINB bits 0-1)
    dataArray[i] = ((PIND & 0b11111100) >> 2) | ((PINB & 0b00000011) << 6); //note data seems inverted compared to "known" romdumps
    ClockMacro();
    ClockMacro();
  }
  Serial.begin(9600);
  for (i = 0; i < 508; i++) {
    Serial.print("i");
    Serial.print(i + 1, HEX);
    Serial.print(" :");
    Serial.print((dataArray[i] ^ 0xFF) & 0xFF, HEX); //data inverted to match "known" rom dumps
    Serial.print("\r\n");
  }
  while (1) {}
}
```

### Re: Reverse Engineering the CIC

If you have a multimeter with a diode test functionality, you could see if there's a diode drop measuring pins 1 and 2 to pin 16, or pin 8 to pins 1 and 2.

My suspicion, given that the validation mode can still be entered, is that the bond wire blew up. If so, you won't see any diodes.

### Re: Reverse Engineering the CIC

I don't have the code on-hand at the moment, but the two changes I remember that aren't reflected in Jeroen's latest update are a single added ClockMacro() before lowering ACL:

```
ClockMacro();
PORTC &= 0b11101111; // lower ACL
```

and moving where dataArray is sampled, to compensate for the above change:

```
for (i = 0; i < 508; i++) { //fill a 508 byte array with the rom data
  ClockMacro();
  dataArray[i] = ((PIND & 0b11111100) >> 2) | ((PINB & 0b00000011) << 6); //note data seems inverted compared to "known" romdumps
  ClockMacro();
  ClockMacro();
  ClockMacro();
}
```

We assumed that the jitter might be related to exiting reset at the wrong part of the clock cycle (remember that we're going in steps of 4 because the clock is divided down inside the chip). This was the first change to the alignment that we tried and it seemed to do the trick.

I really don't know what to make of Patnukem being unable to dump a 6113 (which I'm assuming was this letterless revision). Both of us have gotten the same result, but allegedly the 6113 letterless has been dumped in this fashion, so I don't know what we're doing wrong.

### Re: Reverse Engineering the CIC

> Fiskbit wrote: ↑Wed Sep 23, 2020 1:29 pm
> I don't have the code on-hand at the moment, but the two changes I remember that aren't reflected in Jeroen's latest update are a single added ClockMacro() before lowering ACL, and moving where dataArray is sampled, to compensate for the above change. [...] We assumed that the jitter might be related to exiting reset at the wrong part of the clock cycle (remember that we're going in steps of 4 because the clock is divided down inside the chip). This was the first change to the alignment that we tried and it seemed to do the trick.

I actually execute a lot of clocks before lowering ACL now (256 * 4); it seems ACL is when everything is cleared. I think it's pretty safe to assume any reasonably designed CPU will reset its instruction phase when reset is asserted? (Otherwise it could just boot up in whatever state.)

I had played around with the moment of sampling before; sampling before the 4 clockmacros is definitely unreliable, hence moving it to the middle of the clock cycle, where hopefully everything would be stabilized. Moving it back one clock is probably fine as long as it's had a positive flank.

edit: from the datasheet: "The ACL pin is used to initialize the LSI. The LSI will be reset upon completion of two instruction cycles after ACL pin goes high. The ACL (reset) mode will be cleared upon completion of one instruction cycle after ACL pin goes LOW."

So it sounds like the instability you might've seen was because I wasn't giving it two cycles of high time before letting it go back low again.

### Re: Reverse Engineering the CIC

Good find on the need for 2 instruction cycles for reset after power-on. I'll be curious to see if this resolves the problems we're seeing, though I'm not convinced it will remove the 1 instruction jitter. Note that our moving the sampling position was intended to keep it in the same part of the instruction clock given that we offset all operations by a quarter of a cycle; it's not supposed to be a functional change. I agree that it is a functional change if ACL affects the clock divider, but the timing description in the section you quoted makes me suspect it doesn't. Experimentally, that quarter cycle did remove the jitter in the way we expected [Edit: though maybe we just got lucky and didn't try enough times to see it jitter back.]

### Re: Reverse Engineering the CIC

The 3198A was tested pin 1 & 2 to pin 16 and the diode seems to be working, as I only get a reading in one direction.

### Re: Reverse Engineering the CIC

Not content with guessing, I hooked up the system to my oscilloscope. I set a trigger signal to go high when the first clockpulse out of the 4 is sent:
https://imgur.com/a/UEazhPq

```
#define ClockMacroTrigger()\
  if(1){\
    PORTC |= 0b00101000; delayMicroseconds(5); PORTC &= 0b11010111; delayMicroseconds(5);\
  } else {}

for (i = 0; i < 508; i++) { //fill a 508 byte array with the rom data
  ClockMacroTrigger();
  ClockMacro();
  dataArray[i] = ((PIND & 0b11111100) >> 2) | ((PINB & 0b00000011) << 6); //note data seems inverted compared to "known" romdumps
  ClockMacro();
  ClockMacro();
}
```

Blue is the "first clock pulse" trigger I set up, yellow is the clock. Purple is data.

As can be seen, the data falls after 4 clocks, so I think we're good on the phase sync.

edit: dumb question... are you guys using bypass caps? It might make things more stable. A ~100nF (0.1uF) ceramic cap right across the power rails of the SM590 should do the trick.

Last edited by Jeroen on Wed Sep 23, 2020 3:47 pm, edited 1 time in total.

### Re: Reverse Engineering the CIC

Changing the two things Fiskbit suggested, it looks like the same data from the 3198A as before but with a different start point, but it is consistent.

```
i0 :7C
i1 :80
i2 :AC
i3 :74
i4 :20
i5 :30
i6 :60
i7 :30
i8 :7C
i9 :80
iA :20
iB :30
iC :60
iD :30
iE :7C
iF :80
i10 :20
i11 :30
i12 :60
i13 :30
i14 :7C
i15 :80
i16 :20
i17 :30
i18 :60
i19 :30
i1A :7C
i1B :80
i1C :20
i1D :0
i1E :0
i1F :0
i20 :0
i21 :0
i22 :0
i23 :0
i24 :4C
i25 :74
i26 :20
i27 :3C
i28 :40
i29 :0
i2A :7C
i2B :EC
i2C :20
i2D :64
i2E :68
i2F :0
i30 :7C
i31 :EC
i32 :20
i33 :64
i34 :68
i35 :0
i36 :7C
i37 :EC
i38 :20
i39 :64
i3A :68
i3B :0
i3C :7C
i3D :EC
i3E :20
i3F :64
i40 :68
i41 :40
i42 :74
i43 :44
i44 :78
i45 :58
i46 :4C
i47 :0
i48 :0
i49 :0
i4A :0
i4B :0
i4C :0
i4D :0
i4E :0
i4F :0
i50 :0
i51 :0
i52 :0
i53 :0
i54 :0
i55 :0
i56 :0
i57 :0
i58 :0
i59 :0
i5A :0
i5B :0
i5C :0
i5D :0
i5E :0
i5F :0
i60 :0
i61 :0
i62 :0
i63 :0
i64 :0
i65 :0
i66 :0
i67 :0
i68 :0
i69 :0
i6A :0
i6B :0
i6C :0
i6D :0
i6E :0
i6F :0
i70 :0
i71 :0
i72 :0
i73 :0
i74 :0
i75 :0
i76 :0
i77 :0
i78 :0
i79 :0
i7A :0
i7B :0
i7C :0
i7D :0
i7E :0
i7F :0
i80 :30
i81 :20
i82 :74
i83 :48
i84 :44
i85 :20
i86 :54
i87 :64
i88 :B8
i89 :74
i8A :20
i8B :54
i8C :64
i8D :DC
i8E :20
i8F :30
i90 :70
i91 :40
i92 :F8
i93 :30
i94 :20
i95 :0
i96 :0
i97 :68
i98 :44
i99 :3C
i9A :0
i9B :8C
i9C :0
i9D :0
i9E :3C
i9F :0
iA0 :D8
iA1 :94
iA2 :30
iA3 :20
iA4 :44
iA5 :7C
iA6 :0
iA7 :7C
iA8 :0
iA9 :30
iAA :5C
iAB :7C
iAC :0
iAD :44
iAE :A8
iAF :7C
iB0 :80
iB1 :74
iB2 :7C
iB3 :C4
iB4 :74
iB5 :7C
iB6 :C4
iB7 :7C
iB8 :F4
iB9 :54
iBA :64
iBB :9C
iBC :D8
iBD :30
iBE :40
iBF :44
iC0 :0
iC1 :54
iC2 :44
iC3 :48
iC4 :74
iC5 :7C
iC6 :80
iC7 :74
iC8 :60
iC9 :D0
iCA :7C
iCB :F4
iCC :60
iCD :D8
iCE :88
iCF :7C
iD0 :F4
iD1 :60
iD2 :90
iD3 :D8
iD4 :0
iD5 :5C
iD6 :0
iD7 :E8
iD8 :7C
iD9 :80
iDA :7C
iDB :F8
iDC :24
iDD :40
iDE :C
iDF :98
iE0 :40
iE1 :8C
iE2 :5C
iE3 :B4
iE4 :7C
iE5 :80
iE6 :A0
iE7 :30
iE8 :E0
iE9 :20
iEA :30
iEB :44
iEC :88
iED :20
iEE :44
iEF :4
iF0 :98
iF1 :30
iF2 :44
iF3 :7C
iF4 :0
iF5 :44
iF6 :A8
iF7 :D8
iF8 :30
iF9 :E0
iFA :0
iFB :0
iFC :0
iFD :0
iFE :7C
iFF :80
i100 :EC
i101 :30
i102 :20
i103 :0
i104 :0
i105 :0
i106 :CC
i107 :30
i108 :20
i109 :44
i10A :0
i10B :0
i10C :0
i10D :44
i10E :4C
i10F :20
i110 :54
i111 :64
i112 :8C
i113 :64
i114 :B8
i115 :34
i116 :D8
i117 :30
i118 :D8
i119 :64
i11A :B0
i11B :34
i11C :D8
i11D :30
i11E :48
i11F :74
i120 :28
i121 :30
i122 :40
i123 :B8
i124 :2C
i125 :38
i126 :40
i127 :2C
i128 :48
i129 :30
i12A :70
i12B :E4
i12C :40
i12D :8C
i12E :20
i12F :40
i130 :C
i131 :4C
i132 :48
i133 :EC
i134 :20
i135 :54
i136 :64
i137 :8C
i138 :4C
i139 :74
i13A :7C
i13B :80
i13C :74
i13D :4C
i13E :5C
i13F :5C
i140 :54
i141 :40
i142 :20
i143 :48
i144 :68
i145 :68
i146 :68
i147 :4C
i148 :0
i149 :0
i14A :0
i14B :0
i14C :0
i14D :0
i14E :0
i14F :0
i150 :0
i151 :0
i152 :0
i153 :0
i154 :0
i155 :0
i156 :0
i157 :0
i158 :0
i159 :0
i15A :0
i15B :0
i15C :0
i15D :0
i15E :0
i15F :0
i160 :0
i161 :0
i162 :0
i163 :0
i164 :0
i165 :0
i166 :0
i167 :0
i168 :0
i169 :0
i16A :0
i16B :0
i16C :0
i16D :0
i16E :0
i16F :0
i170 :0
i171 :0
i172 :0
i173 :0
i174 :0
i175 :0
i176 :0
i177 :0
i178 :0
i179 :0
i17A :0
i17B :0
i17C :0
i17D :74
i17E :20
i17F :54
i180 :20
i181 :48
i182 :68
i183 :68
i184 :20
i185 :54
i186 :20
i187 :6C
i188 :64
i189 :68
i18A :6C
i18B :64
i18C :68
i18D :40
i18E :20
i18F :40
i190 :4C
i191 :0
i192 :0
i193 :0
i194 :0
i195 :0
i196 :0
i197 :0
i198 :0
i199 :0
i19A :0
i19B :0
i19C :0
i19D :0
i19E :0
i19F :0
i1A0 :0
i1A1 :0
i1A2 :0
i1A3 :0
i1A4 :0
i1A5 :0
i1A6 :0
i1A7 :0
i1A8 :0
i1A9 :0
i1AA :0
i1AB :0
i1AC :0
i1AD :0
i1AE :0
i1AF :0
i1B0 :0
i1B1 :0
i1B2 :0
i1B3 :0
i1B4 :0
i1B5 :0
i1B6 :0
i1B7 :0
i1B8 :0
i1B9 :0
i1BA :0
i1BB :0
i1BC :0
i1BD :0
i1BE :0
i1BF :0
i1C0 :0
i1C1 :0
i1C2 :0
i1C3 :0
i1C4 :0
i1C5 :0
i1C6 :0
i1C7 :0
i1C8 :0
i1C9 :0
i1CA :0
i1CB :0
i1CC :0
i1CD :0
i1CE :0
i1CF :0
i1D0 :0
i1D1 :0
i1D2 :0
i1D3 :0
i1D4 :0
i1D5 :0
i1D6 :0
i1D7 :0
i1D8 :0
i1D9 :0
i1DA :0
i1DB :0
i1DC :0
i1DD :0
i1DE :0
i1DF :0
i1E0 :0
i1E1 :0
i1E2 :0
i1E3 :0
i1E4 :0
i1E5 :0
i1E6 :0
i1E7 :0
i1E8 :0
i1E9 :0
i1EA :0
i1EB :0
i1EC :0
i1ED :0
i1EE :0
i1EF :0
i1F0 :0
i1F1 :0
i1F2 :0
i1F3 :0
i1F4 :0
i1F5 :0
i1F6 :0
i1F7 :0
i1F8 :0
i1F9 :0
i1FA :0
i1FB :0
```

### Re: Reverse Engineering the CIC

> Jeroen wrote: ↑Wed Sep 23, 2020 3:41 pm
> edit: dumb question... are you guys using bypass caps? It might make things more stable. A ~100nF (0.1uF) ceramic cap right across the power rails of the SM590 should do the trick.

so just a 104 between + and - correct?

### Re: Reverse Engineering the CIC

> Patnukem wrote: ↑Wed Sep 23, 2020 3:52 pm
> so just a 104 between + and - correct?

Correct. Try to get it as directly connected to the IC as possible.

### Re: Reverse Engineering the CIC

Do you get that starting point without my changes but with the extra 256 clocks before ACL drops? That dump is starting at page 3, which is really weird. I wonder if the 256 instruction clocks before ACL drops are advancing the instruction pointer to get from page 1 (standby behavior) to page 3, but I wouldn't expect that behavior at all.
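
The two 3198A listings above are reported as the same data with a different start point, and the last reply asks where that start point lands. Checking that by eye over 508 lines is error-prone, so here is a small parser and comparison tool for the sketch's `i<hex index> :<hex value>` output. This is an added example, not code from the thread or from the dumper sketch; it is host-side Python rather than Arduino code. The 12-byte sample inside it is the first 12 bytes of the first 3198A dump as posted, and the rotated copy next to it is constructed to illustrate the check. Run on the two full listings above it should report an offset of 380 (0x17C), which is where the second dump's opening bytes `7C 80 AC 74` sit in the first.

```python
"""Parse the 'i<hex index> :<hex value>' listings printed by the dumper
sketch and compare two dumps that may be the same ROM read out from
different start points."""
import re
from typing import Optional

# One serial line from the sketch, e.g. "i1A :3C" or "i5E :C" (no zero padding).
LINE_RE = re.compile(r"^i([0-9A-Fa-f]+)\s*:\s*([0-9A-Fa-f]{1,2})$")


def parse_dump(text: str) -> bytes:
    """Turn a pasted listing into bytes ordered by index.

    Indices must be contiguous (whether they start at 0 or, as with the
    sketch's 'i + 1' label, at 1); a gap or duplicate raises instead of
    silently shifting every later byte.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        idx, val = int(m.group(1), 16), int(m.group(2), 16)
        if idx in entries:
            raise ValueError(f"duplicate index 0x{idx:X}")
        entries[idx] = val
    if not entries:
        return b""
    lo, hi = min(entries), max(entries)
    missing = [f"0x{i:X}" for i in range(lo, hi + 1) if i not in entries]
    if missing:
        raise ValueError(f"missing indices: {missing}")
    return bytes(entries[i] for i in range(lo, hi + 1))


def invert(data: bytes) -> bytes:
    """Undo the sketch's XOR 0xFF, i.e. recover the raw (inverted) pin levels."""
    return bytes(b ^ 0xFF for b in data)


def find_rotation(ref: bytes, other: bytes) -> Optional[int]:
    """Return the smallest k with other[i] == ref[(i + k) % n] for every i.

    A rotation of ref is exactly a length-n substring of ref + ref, so a
    single substring search settles it. None means the dumps differ in
    content (or length), not merely in start point. If ref repeats with a
    period shorter than n, the offset is only defined modulo that period.
    """
    n = len(ref)
    if n == 0 or len(other) != n:
        return None
    k = (ref + ref).find(other)
    return k if 0 <= k < n else None


def compare_dumps(a_text: str, b_text: str) -> dict:
    """Summarise how two pasted dumps relate: identical, rotated, or different."""
    a, b = parse_dump(a_text), parse_dump(b_text)
    return {
        "length": (len(a), len(b)),
        "identical": a == b,
        "rotation": find_rotation(a, b),
    }


# Sample input: DUMP_A is the first 12 lines of the first 3198A dump posted
# above; DUMP_B is a constructed read-out of the same bytes starting 8
# positions later. Real dumps are 508 lines in exactly this format.
DUMP_A = """
i0 :30
i1 :20
i2 :74
i3 :48
i4 :44
i5 :20
i6 :54
i7 :64
i8 :B8
i9 :74
iA :20
iB :54
"""
DUMP_B = """
i0 :B8
i1 :74
i2 :20
i3 :54
i4 :30
i5 :20
i6 :74
i7 :48
i8 :44
i9 :20
iA :54
iB :64
"""

if __name__ == "__main__":
    print(compare_dumps(DUMP_A, DUMP_B))  # {'length': (12, 12), 'identical': False, 'rotation': 8}
```

Paste each full listing into a file and call `compare_dumps(open(a).read(), open(b).read())`; a `rotation` of 0 with `identical` True means two runs agree byte for byte, a non-zero offset means the same ROM entered at a different point, and `None` means the content itself differs and the setup (alignment, bypass caps, sample position) should be looked at before trusting either dump.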