Reverse Engineering the CIC

Discuss hardware-related topics, such as development cartridges, CopyNES, PowerPak, EPROMs, or whatever.


Patnukem
Posts: 80
Joined: Thu Sep 10, 2020 11:16 pm

Re: Reverse Engineering the CIC

Post by Patnukem » Wed Sep 23, 2020 7:00 am

I also got long chains of EC with the 6113 chip, so I know the code is doing the same thing on both our chips...

Edit: to remove a suggestion I found to not be helpful.

Yes, sharing the updated code would be awesome; I can run it on my 3198 and see what I get. I used desoldering braid with good results.

Patnukem
Posts: 80
Joined: Thu Sep 10, 2020 11:16 pm

Re: Reverse Engineering the CIC

Post by Patnukem » Wed Sep 23, 2020 11:43 am

I tested a 2nd 3198A and had the exact same dump as previously. I did add an extra ClockMacro() as suggested, and it did start on the proper 30 instead of the 0 I was getting in the first line.

Code:

i0 :30
i1 :20
i2 :74
i3 :48
i4 :44
i5 :20
i6 :54
i7 :64
i8 :B8
i9 :74
iA :20
iB :54
iC :64
iD :DC
iE :20
iF :30
i10 :70
i11 :40
i12 :F8
i13 :30
i14 :20
i15 :0
i16 :0
i17 :68
i18 :44
i19 :3C
i1A :0
i1B :8C
i1C :0
i1D :0
i1E :3C
i1F :0
i20 :D8
i21 :94
i22 :30
i23 :20
i24 :44
i25 :7C
i26 :0
i27 :7C
i28 :0
i29 :30
i2A :5C
i2B :7C
i2C :0
i2D :44
i2E :A8
i2F :7C
i30 :80
i31 :74
i32 :7C
i33 :C4
i34 :74
i35 :7C
i36 :C4
i37 :7C
i38 :F4
i39 :54
i3A :64
i3B :9C
i3C :D8
i3D :30
i3E :40
i3F :44
i40 :0
i41 :54
i42 :44
i43 :48
i44 :74
i45 :7C
i46 :80
i47 :74
i48 :60
i49 :D0
i4A :7C
i4B :F4
i4C :60
i4D :D8
i4E :88
i4F :7C
i50 :F4
i51 :60
i52 :90
i53 :D8
i54 :0
i55 :5C
i56 :0
i57 :E8
i58 :7C
i59 :80
i5A :7C
i5B :F8
i5C :24
i5D :40
i5E :C
i5F :98
i60 :40
i61 :8C
i62 :5C
i63 :B4
i64 :7C
i65 :80
i66 :A0
i67 :30
i68 :E0
i69 :20
i6A :30
i6B :44
i6C :88
i6D :20
i6E :44
i6F :4
i70 :98
i71 :30
i72 :44
i73 :7C
i74 :0
i75 :44
i76 :A8
i77 :D8
i78 :30
i79 :E0
i7A :0
i7B :0
i7C :0
i7D :0
i7E :7C
i7F :80
i80 :EC
i81 :30
i82 :20
i83 :0
i84 :0
i85 :0
i86 :CC
i87 :30
i88 :20
i89 :44
i8A :0
i8B :0
i8C :0
i8D :44
i8E :4C
i8F :20
i90 :54
i91 :64
i92 :8C
i93 :64
i94 :B8
i95 :34
i96 :D8
i97 :30
i98 :D8
i99 :64
i9A :B0
i9B :34
i9C :D8
i9D :30
i9E :48
i9F :74
iA0 :28
iA1 :30
iA2 :40
iA3 :B8
iA4 :2C
iA5 :38
iA6 :40
iA7 :2C
iA8 :48
iA9 :30
iAA :70
iAB :E4
iAC :40
iAD :8C
iAE :20
iAF :40
iB0 :C
iB1 :4C
iB2 :48
iB3 :EC
iB4 :20
iB5 :54
iB6 :64
iB7 :8C
iB8 :4C
iB9 :74
iBA :7C
iBB :80
iBC :74
iBD :4C
iBE :5C
iBF :5C
iC0 :54
iC1 :40
iC2 :20
iC3 :48
iC4 :68
iC5 :68
iC6 :68
iC7 :4C
iC8 :0
iC9 :0
iCA :0
iCB :0
iCC :0
iCD :0
iCE :0
iCF :0
iD0 :0
iD1 :0
iD2 :0
iD3 :0
iD4 :0
iD5 :0
iD6 :0
iD7 :0
iD8 :0
iD9 :0
iDA :0
iDB :0
iDC :0
iDD :0
iDE :0
iDF :0
iE0 :0
iE1 :0
iE2 :0
iE3 :0
iE4 :0
iE5 :0
iE6 :0
iE7 :0
iE8 :0
iE9 :0
iEA :0
iEB :0
iEC :0
iED :0
iEE :0
iEF :0
iF0 :0
iF1 :0
iF2 :0
iF3 :0
iF4 :0
iF5 :0
iF6 :0
iF7 :0
iF8 :0
iF9 :0
iFA :0
iFB :0
iFC :0
iFD :74
iFE :20
iFF :54
i100 :20
i101 :48
i102 :68
i103 :68
i104 :20
i105 :54
i106 :20
i107 :6C
i108 :64
i109 :68
i10A :6C
i10B :64
i10C :68
i10D :40
i10E :20
i10F :40
i110 :4C
i111 :0
i112 :0
i113 :0
i114 :0
i115 :0
i116 :0
i117 :0
i118 :0
i119 :0
i11A :0
i11B :0
i11C :0
i11D :0
i11E :0
i11F :0
i120 :0
i121 :0
i122 :0
i123 :0
i124 :0
i125 :0
i126 :0
i127 :0
i128 :0
i129 :0
i12A :0
i12B :0
i12C :0
i12D :0
i12E :0
i12F :0
i130 :0
i131 :0
i132 :0
i133 :0
i134 :0
i135 :0
i136 :0
i137 :0
i138 :0
i139 :0
i13A :0
i13B :0
i13C :0
i13D :0
i13E :0
i13F :0
i140 :0
i141 :0
i142 :0
i143 :0
i144 :0
i145 :0
i146 :0
i147 :0
i148 :0
i149 :0
i14A :0
i14B :0
i14C :0
i14D :0
i14E :0
i14F :0
i150 :0
i151 :0
i152 :0
i153 :0
i154 :0
i155 :0
i156 :0
i157 :0
i158 :0
i159 :0
i15A :0
i15B :0
i15C :0
i15D :0
i15E :0
i15F :0
i160 :0
i161 :0
i162 :0
i163 :0
i164 :0
i165 :0
i166 :0
i167 :0
i168 :0
i169 :0
i16A :0
i16B :0
i16C :0
i16D :0
i16E :0
i16F :0
i170 :0
i171 :0
i172 :0
i173 :0
i174 :0
i175 :0
i176 :0
i177 :0
i178 :0
i179 :0
i17A :0
i17B :0
i17C :7C
i17D :80
i17E :AC
i17F :74
i180 :20
i181 :30
i182 :60
i183 :30
i184 :7C
i185 :80
i186 :20
i187 :30
i188 :60
i189 :30
i18A :7C
i18B :80
i18C :20
i18D :30
i18E :60
i18F :30
i190 :7C
i191 :80
i192 :20
i193 :30
i194 :60
i195 :30
i196 :7C
i197 :80
i198 :20
i199 :0
i19A :0
i19B :0
i19C :0
i19D :0
i19E :0
i19F :0
i1A0 :4C
i1A1 :74
i1A2 :20
i1A3 :3C
i1A4 :40
i1A5 :0
i1A6 :7C
i1A7 :EC
i1A8 :20
i1A9 :64
i1AA :68
i1AB :0
i1AC :7C
i1AD :EC
i1AE :20
i1AF :64
i1B0 :68
i1B1 :0
i1B2 :7C
i1B3 :EC
i1B4 :20
i1B5 :64
i1B6 :68
i1B7 :0
i1B8 :7C
i1B9 :EC
i1BA :20
i1BB :64
i1BC :68
i1BD :40
i1BE :74
i1BF :44
i1C0 :78
i1C1 :58
i1C2 :4C
i1C3 :0
i1C4 :0
i1C5 :0
i1C6 :0
i1C7 :0
i1C8 :0
i1C9 :0
i1CA :0
i1CB :0
i1CC :0
i1CD :0
i1CE :0
i1CF :0
i1D0 :0
i1D1 :0
i1D2 :0
i1D3 :0
i1D4 :0
i1D5 :0
i1D6 :0
i1D7 :0
i1D8 :0
i1D9 :0
i1DA :0
i1DB :0
i1DC :0
i1DD :0
i1DE :0
i1DF :0
i1E0 :0
i1E1 :0
i1E2 :0
i1E3 :0
i1E4 :0
i1E5 :0
i1E6 :0
i1E7 :0
i1E8 :0
i1E9 :0
i1EA :0
i1EB :0
i1EC :0
i1ED :0
i1EE :0
i1EF :0
i1F0 :0
i1F1 :0
i1F2 :0
i1F3 :0
i1F4 :0
i1F5 :0
i1F6 :0
i1F7 :0
i1F8 :0
i1F9 :0
i1FA :0
i1FB :0

Jeroen
Posts: 1048
Joined: Tue Jul 03, 2007 1:49 pm

Re: Reverse Engineering the CIC

Post by Jeroen » Wed Sep 23, 2020 12:08 pm

0 is actually the proper byte to start at. (Judging by the "Known" dump in the repo)

Patnukem
Posts: 80
Joined: Thu Sep 10, 2020 11:16 pm

Re: Reverse Engineering the CIC

Post by Patnukem » Wed Sep 23, 2020 12:21 pm

I misunderstood; the number had a 0 before I put the code update in.

I'll take a look and see where the data is missing, but I'm thinking my setup is OK since my 6113 chip got the same reading as Fiskbit did, and I got the same dump consistently on two different chips. Maybe another dumb idea, but just throwing pasta at the wall to see what sticks: could there be additional bits or something else we are missing?

Jeroen
Posts: 1048
Joined: Tue Jul 03, 2007 1:49 pm

Re: Reverse Engineering the CIC

Post by Jeroen » Wed Sep 23, 2020 12:26 pm

So I see a few options:

1.) Our understanding of the exact timings needed to activate the debug mode is not entirely correct.
2.) Some chips lack a full-fledged debug mode.
3.) The chips have differing debug modes that swap pins and such.

I have no clue which of these it is. I did update my code to incorporate the changes mentioned earlier. I also disabled interrupts in case that was messing things up.

Code:

//sm590 dumper script

//Written by Jero32 23/09/2020
//to run, hook the arduino pins up to the sm590 chip according to the pinout below. Upload the sketch to the arduino. Clear the terminal window
//and press the reset button

#include <Arduino.h> //implicit in the Arduino IDE, needed when building with a plain avr-gcc toolchain

//do one clock cycle on A3 (PORTC bit 3). Note: relies on delayMicroseconds() for the half period, not very portable
#define ClockMacro()\
  do {\
    PORTC |= 0b00001000; delayMicroseconds(5); PORTC &= 0b11110111; delayMicroseconds(5);\
  } while (0)

//do 3 clocks
#define ThreeClockMacro()\
  do {\
    ClockMacro();\
    ClockMacro();\
    ClockMacro();\
  } while (0)

//do 4 clocks (one instruction cycle: the chip divides the clock by 4 internally)
#define FourClockMacro()\
  do {\
    ClockMacro();\
    ClockMacro();\
    ClockMacro();\
    ClockMacro();\
  } while (0)

#define ROM_BYTES 508 //bytes read out per pass, labelled i1 .. i1FC below

void setup() {
  int i;
  
  //control lines, all on PORTC
  //R20 A0
  //R21 A1
  //R22 A2
  //CLOCK A3
  //Reset/ACL A4

  //data bus, read through PIND bits 2-7 and PINB bits 0-1
  //D0 pin 2
  //D1 pin 3
  //D2 pin 4
  //D3 pin 5

  //D4 pin 6
  //D5 pin 7
  //D6 pin 8
  //D7 pin 9

  noInterrupts(); //keep ISR jitter out of the clock timing

  DDRD &= 0b00000011; //set pins 2 through 7 as inputs
  DDRB &= 0b11111100; //set pin 8 and 9 as inputs
  DDRC |= 0b00011111; //set A0 through A4 as outputs

  DIDR0 = 0x00; //no longer necessary but it doesn't hurt.
  PORTC &= 0b11100000; //make sure all bits are in a known cleared state
  PORTC |= 0b00010111; //set pin A0 - A4 high with the exception of A3/CLK

  for(i= 0; i<255; i++){
    FourClockMacro(); //start the clock, give some time to boot up
  }

  PORTC &= 0b11101111;//lower ACL
  FourClockMacro();
  PORTC &= 0b11111101;//lower R21
  FourClockMacro();
  PORTC &= 0b11111110;//lower R20
  FourClockMacro();
}

void loop() {
  int i;
  unsigned char dataArray[ROM_BYTES];

  for (i = 0; i < ROM_BYTES - 1; i++) {
    FourClockMacro(); //clock through 507 instruction cycles before sampling
  }
  
  for (i = 0; i < ROM_BYTES; i++) { //fill the array with the rom data, sampling in the middle of each instruction cycle
    ClockMacro();
    ClockMacro();
    dataArray[i] = ((PIND & 0b11111100) >> 2) | ((PINB & 0b00000011) << 6); //note data seems inverted compared to "known" romdumps
    ClockMacro();
    ClockMacro();
  }

  interrupts(); //clocking is finished, let the UART driver have its interrupts back
  Serial.begin(9600);
  
  for (i = 0; i < ROM_BYTES; i++) {
    Serial.print("i");
    Serial.print(i + 1, HEX); //note: labels start at i1 here; the dumps posted above start at i0
    Serial.print(" :");
    Serial.print((dataArray[i] ^ 0xFF) & 0xFF, HEX);//data inverted to match "known" rom dumps
    Serial.print("\r\n");
  }
  while (1) {}
}
It could also be that I'm missing some kind of pin setup procedure call and they're not properly set as inputs. I've never programmed AVR chips before, so they're all a bit new to me.

lidnariq
Posts: 10456
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Re: Reverse Engineering the CIC

Post by lidnariq » Wed Sep 23, 2020 12:28 pm

If you have a multimeter with a diode test functionality, you could see if there's a diode drop measuring pins 1 and 2 to pin 16, or pin 8 to pins 1 and 2.

My suspicion, given that the validation mode can still be entered, is that the bond wire blew up. If so, you won't see any diodes.

Fiskbit
Posts: 267
Joined: Sat Nov 18, 2017 9:15 pm

Re: Reverse Engineering the CIC

Post by Fiskbit » Wed Sep 23, 2020 1:29 pm

I don't have the code on-hand at the moment, but the two changes I remember that aren't reflected in Jeroen's latest update are a single added ClockMacro() before lowering ACL:

Code:

ClockMacro();
PORTC &= 0b11101111;// lower ACL

and moving where dataArray is sampled, to compensate for the above change:

Code:

  for (i = 0; i < 508; i++) { //fill a 508 byte array with the rom data
    ClockMacro();
    dataArray[i] = ((PIND & 0b11111100) >> 2) | ((PINB & 0b00000011) << 6); //note data seems inverted compared to "known" romdumps
    ClockMacro();
    ClockMacro();
    ClockMacro();
  }

We assumed that the jitter might be related to exiting reset at the wrong part of the clock cycle (remember that we're going in steps of 4 because the clock is divided down inside the chip). This was the first change to the alignment that we tried and it seemed to do the trick.


I really don't know what to make of Patnukem being unable to dump a 6113 (which I'm assuming was this letterless revision). Both of us have gotten the same result, but allegedly the 6113 letterless has been dumped in this fashion, so I don't know what we're doing wrong.

Jeroen
Posts: 1048
Joined: Tue Jul 03, 2007 1:49 pm

Re: Reverse Engineering the CIC

Post by Jeroen » Wed Sep 23, 2020 1:52 pm

Fiskbit wrote:
Wed Sep 23, 2020 1:29 pm
I actually execute a lot of clocks before lowering ACL now (256 * 4); it seems ACL is when everything is cleared. I think it's pretty safe to assume any reasonably designed CPU will reset its instruction phase when reset is asserted? (Otherwise it could just boot up in whatever state.)

I had played around with the moment of sampling before; sampling before the 4 clockmacros is definitely unreliable, hence moving it to the middle of the clock cycle, where hopefully everything would be stabilized. Moving it back one clock is probably fine as long as it's had a positive flank.

edit: from the datasheet: "The ACL pin is used to initialize the LSI. The LSI will be reset upon completion of two instruction cycles after ACL pin goes high. The ACL (reset) mode will be cleared upon completion of one instruction cycle after ACL pin goes LOW."

So it sounds like the instability you might've seen was because I wasn't giving it two cycles of high time before letting it go back low again.

Fiskbit
Posts: 267
Joined: Sat Nov 18, 2017 9:15 pm

Re: Reverse Engineering the CIC

Post by Fiskbit » Wed Sep 23, 2020 2:52 pm

Good find on the need for 2 instruction cycles for reset after power-on. I'll be curious to see if this resolves the problems we're seeing, though I'm not convinced it will remove the 1 instruction jitter. Note that our moving the sampling position was intended to keep it in the same part of the instruction clock given that we offset all operations by a quarter of a cycle; it's not supposed to be a functional change. I agree that it is a functional change if ACL affects the clock divider, but the timing description in the section you quoted makes me suspect it doesn't. Experimentally, that quarter cycle did remove the jitter in the way we expected [Edit: though maybe we just got lucky and didn't try enough times to see it jitter back.]

Patnukem
Posts: 80
Joined: Thu Sep 10, 2020 11:16 pm

Re: Reverse Engineering the CIC

Post by Patnukem » Wed Sep 23, 2020 3:36 pm

The 3198A was tested pin 1 & 2 to pin 16 and the diode seems to be working, as I only get a reading in one direction.

Jeroen
Posts: 1048
Joined: Tue Jul 03, 2007 1:49 pm

Re: Reverse Engineering the CIC

Post by Jeroen » Wed Sep 23, 2020 3:41 pm

Not content with guessing, I hooked up the system to my oscilloscope. I set a trigger signal to go high when the first clock pulse out of the 4 is sent:

Code:

//clock pulse that also raises PORTC bit 5 as the scope trigger
#define ClockMacroTrigger()\
  do {\
    PORTC |= 0b00101000; delayMicroseconds(5); PORTC &= 0b11010111; delayMicroseconds(5);\
  } while (0)

  for (i = 0; i < 508; i++) { //fill a 508 byte array with the rom data
    ClockMacroTrigger();
    ClockMacro();
    dataArray[i] = ((PIND & 0b11111100) >> 2) | ((PINB & 0b00000011) << 6); //note data seems inverted compared to "known" romdumps
    ClockMacro();
    ClockMacro();
  }

https://imgur.com/a/UEazhPq

Blue is the "first clock pulse" trigger I set up, yellow is the clock. Purple is data.

As can be seen, the data falls after 4 clocks, so I think we're good on the phase sync.

edit: dumb question... are you guys using bypass caps? It might make things more stable. A ~100nF (0.1uF) ceramic cap right across the power rails of the SM590 should do the trick.

Patnukem
Posts: 80
Joined: Thu Sep 10, 2020 11:16 pm

Re: Reverse Engineering the CIC

Post by Patnukem » Wed Sep 23, 2020 3:46 pm

Changing the two things Fiskbit suggested, it looks like the same data from the 3198A as before but with a different start point, and it is consistent.

Code:

i0 :7C
i1 :80
i2 :AC
i3 :74
i4 :20
i5 :30
i6 :60
i7 :30
i8 :7C
i9 :80
iA :20
iB :30
iC :60
iD :30
iE :7C
iF :80
i10 :20
i11 :30
i12 :60
i13 :30
i14 :7C
i15 :80
i16 :20
i17 :30
i18 :60
i19 :30
i1A :7C
i1B :80
i1C :20
i1D :0
i1E :0
i1F :0
i20 :0
i21 :0
i22 :0
i23 :0
i24 :4C
i25 :74
i26 :20
i27 :3C
i28 :40
i29 :0
i2A :7C
i2B :EC
i2C :20
i2D :64
i2E :68
i2F :0
i30 :7C
i31 :EC
i32 :20
i33 :64
i34 :68
i35 :0
i36 :7C
i37 :EC
i38 :20
i39 :64
i3A :68
i3B :0
i3C :7C
i3D :EC
i3E :20
i3F :64
i40 :68
i41 :40
i42 :74
i43 :44
i44 :78
i45 :58
i46 :4C
i47 :0
i48 :0
i49 :0
i4A :0
i4B :0
i4C :0
i4D :0
i4E :0
i4F :0
i50 :0
i51 :0
i52 :0
i53 :0
i54 :0
i55 :0
i56 :0
i57 :0
i58 :0
i59 :0
i5A :0
i5B :0
i5C :0
i5D :0
i5E :0
i5F :0
i60 :0
i61 :0
i62 :0
i63 :0
i64 :0
i65 :0
i66 :0
i67 :0
i68 :0
i69 :0
i6A :0
i6B :0
i6C :0
i6D :0
i6E :0
i6F :0
i70 :0
i71 :0
i72 :0
i73 :0
i74 :0
i75 :0
i76 :0
i77 :0
i78 :0
i79 :0
i7A :0
i7B :0
i7C :0
i7D :0
i7E :0
i7F :0
i80 :30
i81 :20
i82 :74
i83 :48
i84 :44
i85 :20
i86 :54
i87 :64
i88 :B8
i89 :74
i8A :20
i8B :54
i8C :64
i8D :DC
i8E :20
i8F :30
i90 :70
i91 :40
i92 :F8
i93 :30
i94 :20
i95 :0
i96 :0
i97 :68
i98 :44
i99 :3C
i9A :0
i9B :8C
i9C :0
i9D :0
i9E :3C
i9F :0
iA0 :D8
iA1 :94
iA2 :30
iA3 :20
iA4 :44
iA5 :7C
iA6 :0
iA7 :7C
iA8 :0
iA9 :30
iAA :5C
iAB :7C
iAC :0
iAD :44
iAE :A8
iAF :7C
iB0 :80
iB1 :74
iB2 :7C
iB3 :C4
iB4 :74
iB5 :7C
iB6 :C4
iB7 :7C
iB8 :F4
iB9 :54
iBA :64
iBB :9C
iBC :D8
iBD :30
iBE :40
iBF :44
iC0 :0
iC1 :54
iC2 :44
iC3 :48
iC4 :74
iC5 :7C
iC6 :80
iC7 :74
iC8 :60
iC9 :D0
iCA :7C
iCB :F4
iCC :60
iCD :D8
iCE :88
iCF :7C
iD0 :F4
iD1 :60
iD2 :90
iD3 :D8
iD4 :0
iD5 :5C
iD6 :0
iD7 :E8
iD8 :7C
iD9 :80
iDA :7C
iDB :F8
iDC :24
iDD :40
iDE :C
iDF :98
iE0 :40
iE1 :8C
iE2 :5C
iE3 :B4
iE4 :7C
iE5 :80
iE6 :A0
iE7 :30
iE8 :E0
iE9 :20
iEA :30
iEB :44
iEC :88
iED :20
iEE :44
iEF :4
iF0 :98
iF1 :30
iF2 :44
iF3 :7C
iF4 :0
iF5 :44
iF6 :A8
iF7 :D8
iF8 :30
iF9 :E0
iFA :0
iFB :0
iFC :0
iFD :0
iFE :7C
iFF :80
i100 :EC
i101 :30
i102 :20
i103 :0
i104 :0
i105 :0
i106 :CC
i107 :30
i108 :20
i109 :44
i10A :0
i10B :0
i10C :0
i10D :44
i10E :4C
i10F :20
i110 :54
i111 :64
i112 :8C
i113 :64
i114 :B8
i115 :34
i116 :D8
i117 :30
i118 :D8
i119 :64
i11A :B0
i11B :34
i11C :D8
i11D :30
i11E :48
i11F :74
i120 :28
i121 :30
i122 :40
i123 :B8
i124 :2C
i125 :38
i126 :40
i127 :2C
i128 :48
i129 :30
i12A :70
i12B :E4
i12C :40
i12D :8C
i12E :20
i12F :40
i130 :C
i131 :4C
i132 :48
i133 :EC
i134 :20
i135 :54
i136 :64
i137 :8C
i138 :4C
i139 :74
i13A :7C
i13B :80
i13C :74
i13D :4C
i13E :5C
i13F :5C
i140 :54
i141 :40
i142 :20
i143 :48
i144 :68
i145 :68
i146 :68
i147 :4C
i148 :0
i149 :0
i14A :0
i14B :0
i14C :0
i14D :0
i14E :0
i14F :0
i150 :0
i151 :0
i152 :0
i153 :0
i154 :0
i155 :0
i156 :0
i157 :0
i158 :0
i159 :0
i15A :0
i15B :0
i15C :0
i15D :0
i15E :0
i15F :0
i160 :0
i161 :0
i162 :0
i163 :0
i164 :0
i165 :0
i166 :0
i167 :0
i168 :0
i169 :0
i16A :0
i16B :0
i16C :0
i16D :0
i16E :0
i16F :0
i170 :0
i171 :0
i172 :0
i173 :0
i174 :0
i175 :0
i176 :0
i177 :0
i178 :0
i179 :0
i17A :0
i17B :0
i17C :0
i17D :74
i17E :20
i17F :54
i180 :20
i181 :48
i182 :68
i183 :68
i184 :20
i185 :54
i186 :20
i187 :6C
i188 :64
i189 :68
i18A :6C
i18B :64
i18C :68
i18D :40
i18E :20
i18F :40
i190 :4C
i191 :0
i192 :0
i193 :0
i194 :0
i195 :0
i196 :0
i197 :0
i198 :0
i199 :0
i19A :0
i19B :0
i19C :0
i19D :0
i19E :0
i19F :0
i1A0 :0
i1A1 :0
i1A2 :0
i1A3 :0
i1A4 :0
i1A5 :0
i1A6 :0
i1A7 :0
i1A8 :0
i1A9 :0
i1AA :0
i1AB :0
i1AC :0
i1AD :0
i1AE :0
i1AF :0
i1B0 :0
i1B1 :0
i1B2 :0
i1B3 :0
i1B4 :0
i1B5 :0
i1B6 :0
i1B7 :0
i1B8 :0
i1B9 :0
i1BA :0
i1BB :0
i1BC :0
i1BD :0
i1BE :0
i1BF :0
i1C0 :0
i1C1 :0
i1C2 :0
i1C3 :0
i1C4 :0
i1C5 :0
i1C6 :0
i1C7 :0
i1C8 :0
i1C9 :0
i1CA :0
i1CB :0
i1CC :0
i1CD :0
i1CE :0
i1CF :0
i1D0 :0
i1D1 :0
i1D2 :0
i1D3 :0
i1D4 :0
i1D5 :0
i1D6 :0
i1D7 :0
i1D8 :0
i1D9 :0
i1DA :0
i1DB :0
i1DC :0
i1DD :0
i1DE :0
i1DF :0
i1E0 :0
i1E1 :0
i1E2 :0
i1E3 :0
i1E4 :0
i1E5 :0
i1E6 :0
i1E7 :0
i1E8 :0
i1E9 :0
i1EA :0
i1EB :0
i1EC :0
i1ED :0
i1EE :0
i1EF :0
i1F0 :0
i1F1 :0
i1F2 :0
i1F3 :0
i1F4 :0
i1F5 :0
i1F6 :0
i1F7 :0
i1F8 :0
i1F9 :0
i1FA :0
i1FB :0
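
The two 3198A dumps in this thread (the first one above, and this one after Fiskbit's changes) contain the same 508 bytes read from a different starting index, and the "iN :XX" text the sketch prints is what gets pasted between posts. The script below is an added example, not code from the thread or any of its posters: it parses that text format, compares two dumps index by index (the consistency check done by eye above), and locates where one dump's bytes begin in the other. DUMP_A is my transcription of the first 3198A dump and DUMP_B_HEAD is the first eight lines of the second, both constructed here from the posts above; the result it recovers (the second dump begins at i17C of the first, 0x1FC - 0x80) is read off the data, not assumed.

```python
"""Parse and compare SM590 ROM dumps in the 'iN :XX' text format the sketch prints.

Added example, not code from this thread or its posters.  Assumptions: DUMP_A is a
transcription of Patnukem's first 3198A dump above (508 bytes, i0..i1FB), and
DUMP_B_HEAD is the first eight lines of his second dump in the thread's format.
"""
import re

# Transcribed from the first 3198A dump in the thread; zero runs written as "00" * n.
DUMP_A = bytes.fromhex("".join([
    "3020744844205464B874205464DC2030",  # i0
    "7040F83020000068443C008C00003C00",  # i10
    "D8943020447C007C00305C7C0044A87C",  # i20
    "80747CC4747CC47CF454649CD8304044",  # i30
    "00544448747C807460D07CF460D8887C",  # i40
    "F46090D8005C00E87C807CF824400C98",  # i50
    "408C5CB47C80A030E020304488204404",  # i60
    "9830447C0044A8D830E0000000007C80",  # i70
    "EC3020000000CC302044000000444C20",  # i80
    "54648C64B834D830D864B034D8304874",  # i90
    "283040B82C38402C483070E4408C2040",  # iA0
    "0C4C48EC2054648C4C747C80744C5C5C",  # iB0
    "544020486868684C", "00" * 53, "742054",  # iC0 .. iFF
    "204868682054206C64686C6468402040",  # i100
    "4C", "00" * 107, "7C80AC74",  # i110 .. i17F
    "203060307C80203060307C8020306030",  # i180
    "7C80203060307C8020", "00" * 7,  # i190 .. i19F
    "4C74203C40007CEC206468007CEC2064",  # i1A0
    "68007CEC206468007CEC206468407444",  # i1B0
    "78584C", "00" * 57,  # i1C0 .. i1FB
]))

# First eight lines of the second 3198A dump, as the thread shows them (constructed sample).
DUMP_B_HEAD = """\
i0 :7C
i1 :80
i2 :AC
i3 :74
i4 :20
i5 :30
i6 :60
i7 :30
"""

LINE_RE = re.compile(r"^i([0-9A-Fa-f]+)\s*:\s*([0-9A-Fa-f]{1,2})$")


def parse_dump(text):
    """Turn 'iN :XX' lines into bytes, refusing gaps or reordering in the index."""
    out = bytearray()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable dump line: {raw!r}")
        index, value = int(m.group(1), 16), int(m.group(2), 16)
        if index != len(out):
            raise ValueError(f"i{index:X} out of sequence, expected i{len(out):X}")
        out.append(value)
    return bytes(out)


def format_dump(data):
    """Inverse of parse_dump, using the sketch's print format (no zero padding)."""
    return "".join(f"i{i:X} :{b:X}\n" for i, b in enumerate(data))


def find_rotation(full, probe):
    """Index k at which probe appears in full read cyclically; None unless exactly one."""
    n = len(full)
    if not probe or len(probe) > n:
        return None
    wrapped = full + full[:len(probe) - 1]  # so a match may run past the end
    hits = [k for k in range(n) if wrapped[k:k + len(probe)] == probe]
    return hits[0] if len(hits) == 1 else None


def rotate(full, k):
    """The same ROM as it would be dumped if sampling had begun at index k."""
    return full[k:] + full[:k]


def compare(a, b):
    """Indices at which two equal-length dumps differ (empty list: identical)."""
    if len(a) != len(b):
        raise ValueError("dumps differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    k = find_rotation(DUMP_A, parse_dump(DUMP_B_HEAD))
    print(f"second dump begins at index i{k:X} of the first")
    print(format_dump(rotate(DUMP_A, k))[:48], "...")
```

To check a fresh dump against an earlier one, paste the serial output into parse_dump() and run compare(); to see whether a differently aligned dump is the same ROM, pass its first few non-zero lines to find_rotation() and rotate() the reference to that index before comparing. The probe should include a byte that is rare in the ROM (here AC occurs once), otherwise the match is ambiguous and None is returned.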

Patnukem
Posts: 80
Joined: Thu Sep 10, 2020 11:16 pm

Re: Reverse Engineering the CIC

Post by Patnukem » Wed Sep 23, 2020 3:52 pm

So just a 104 between + and -, correct?
Jeroen wrote:
Wed Sep 23, 2020 3:41 pm

Jeroen
Posts: 1048
Joined: Tue Jul 03, 2007 1:49 pm

Re: Reverse Engineering the CIC

Post by Jeroen » Wed Sep 23, 2020 3:55 pm

Patnukem wrote:
Wed Sep 23, 2020 3:52 pm
So just a 104 between + and -, correct?
Correct. Try to get it as directly connected to the IC as possible.

Fiskbit
Posts: 267
Joined: Sat Nov 18, 2017 9:15 pm

Re: Reverse Engineering the CIC

Post by Fiskbit » Wed Sep 23, 2020 4:06 pm

Do you get that starting point without my changes but with the extra 256 clocks before ACL drops? That dump is starting at page 3, which is really weird. I wonder if the 256 instruction clocks before ACL drops are advancing the instruction pointer to get from page 1 (standby behavior) to page 3, but I wouldn't expect that behavior at all.
