Reverse Engineering the CIC

Discuss hardware-related topics, such as development cartridges, CopyNES, PowerPak, EPROMs, or whatever.

Moderators: B00daW, Moderators

Patnukem
Posts: 10
Joined: Thu Sep 10, 2020 11:16 pm

Re: Reverse Engineering the CIC

Post by Patnukem » Mon Sep 14, 2020 11:27 am

Thanks for the encouragement and support. I did order some hook clips just to have but they will work for the Chip... I am taking a guess it’s the same Sharp 4bit SM590 chip as the other CIC chips but with a different code and tied in differently, since it works with other chips on multiple carts?

I have a PICkit 3 would this work to dump the chip? Or should a modified NES be used?

I can always dump a regular nes cart first to make sure I get it correct before moving to the Famicomstation, FedEx is delivering it any moment now!

lidnariq
Posts: 9655
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Re: Reverse Engineering the CIC

Post by lidnariq » Mon Sep 14, 2020 12:26 pm

Patnukem wrote:
Mon Sep 14, 2020 11:27 am
I am taking a guess it’s the same Sharp 4bit SM590 chip as the other CIC chips but with a different code and tied in differently, since it works with other chips on multiple carts?
That's what we believe is true. Obviously we haven't verified it yet.

If you're willing to sit down and figure out what pin on the 3198 go to what pin on the cartridge that'd help. It'll be necessary to understand how to emulate the 3198-3199 communication later on also. Also ... how the 3199 is wired.
I have a PICkit 3 would this work to dump the chip?
Unfortunately, the PICkit3 is more-or-less only useful for programming Microchip parts. These SM590 micros only have a "validation" mode available, and that requires a bunch more pins.
Or should a modified NES be used?
Other than for the connector, you can't really use it either.

Patnukem
Posts: 10
Joined: Thu Sep 10, 2020 11:16 pm

Re: Reverse Engineering the CIC

Post by Patnukem » Mon Sep 14, 2020 11:40 pm

There were 2 or so pins on the right side under the PGM chip I’m not 100% sure on near the resistor, I am at home and only have my cheap multimeter. Though this doesn’t seem to mater because I traced all the CIC leads to the cart pins other then ground and 5+.

3198 Pin 1 goes to cart pin 35
Pin 2 goes to cart pin 34
Pin 6 goes to cart pin 71
Pin 7 goes to cart pin 70
Pin 8 is ground
Pins 12-15 go to the resistor network then to cart pins 16-19
Pin 16 is 5+

Here are my crude drawings just in case it helps anyone else.

So maybe a dumb question, if a PICkit or modified NES won’t dump the 3198, what is the preferred hardware set up to get it to the correct mode to dump, I can’t seem to find details about that part. A picture goes a long way for me, hands on visual learner.
Attachments
68A0A389-6370-448D-BE5F-EE3A7DFDB477.jpeg
04FBDF57-30B5-49F7-88EB-F7B793EEBD4A.jpeg

lidnariq
Posts: 9655
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Re: Reverse Engineering the CIC

Post by lidnariq » Tue Sep 15, 2020 12:26 am

Patnukem wrote:
Mon Sep 14, 2020 11:40 pm
What is the preferred hardware set up to get it to the correct mode to dump, I can’t seem to find details about that part?
Well, what I'd do is program a microcontroller to put the part into verification mode and then the microcontroller would relay that data to a computer.

For you, it'd help for me to know what parts do you have on hand. Do you have breadboards and 74xxx logic lying around? Resistors, capacitors, transistors, crystals/resonators, LEDs? By some unlikely chance, do you already have a device that uses a FT232H or a FT245?

What I'd suggest – for now – is to do something very simple to verify that you can get it into verification mode, before you tried to get those bytes to a computer.

Unlike the standard NES-xxx PCBs, which explicitly tied a whole bunch of pins to ground, your annotated PCB photos shows only one pin is tied to ground that needs to not be. It looks to me like pin 4 will need to be desoldered before you'll be able to get a dump.

If you have these parts on hand, I'd do something like this:

Code: Select all

                .--_--.
Gnd---LED---1k -|01 16|- +5V
Gnd---LED---1k -|02 15|- switch
Gnd---LED---1k -|03 14|- switch
Gnd---LED---1k -|04 13|- switch
       +5---1k -|05 12|- 1kΩ---LED---Gnd
         clock -|06 11|- 1kΩ---LED---Gnd
        switch -|07 10|- 1kΩ---LED---Gnd
           Gnd -|08 09|- 1kΩ---LED---Gnd
                '-----'
Where you see "switch", replace with:
+5V ---- 1kΩ --- toPin --- toggle switch --- ground

Where you see "clock" ... depends on what parts you have available. a 74HC14 and a resistor and capacitor is by far easiest to describe, but we can find other options too.

Patnukem
Posts: 10
Joined: Thu Sep 10, 2020 11:16 pm

Re: Reverse Engineering the CIC

Post by Patnukem » Tue Sep 15, 2020 12:53 am

I have some parts on hand mostly transistors and capacitors since that’s 80% of arcade and CRT repair. I have some switches as well, some resistors and doubt I have and LEDs but maybe I can find a few, I have some junk PCB I can pull some parts from as well. Somewhere I have a breadboard but at the moment It May be in storage.

This makes more sense having a microcontroller with more pins... I’m a lot less lost now thank you.

Would you have a microcontroller suggestion? I don’t mind just ordering one.

Lord Nightmare
Posts: 131
Joined: Wed Apr 05, 2006 10:12 am
Location: PA, USA
Contact:

Re: Reverse Engineering the CIC

Post by Lord Nightmare » Tue Sep 15, 2020 3:50 am

Jeroen wrote:
Mon Sep 14, 2020 7:44 am
Is there any info on what mnemonics were used?
The "correct" mnemonics come from the SM590 datasheet. The Mnemonics Segher came up with on his post were an educated guess on his part, as we didn't know the part was an SM590 at the time.

LN
"When life gives you zombies... *CHA-CHIK!* ...you make zombie-ade!"

Lord Nightmare
Posts: 131
Joined: Wed Apr 05, 2006 10:12 am
Location: PA, USA
Contact:

Re: Reverse Engineering the CIC

Post by Lord Nightmare » Tue Sep 15, 2020 3:53 am

lidnariq wrote:
Mon Sep 14, 2020 11:18 am
Well, first things first: do we have a pinout for the 3198 CIC? Tentatively looking at one SSS-UNROM board, it looks like all the pins might actually go to the card edge, which would mean there's no soldering needed at all.
As far as I'm aware, all the CIC chips are SM590 and have the same pinout. what exactly each pin was used for (since they're programmable i/o pins from the MCU cpu side) differs, but the pin functions are all the same.

LN
"When life gives you zombies... *CHA-CHIK!* ...you make zombie-ade!"

lidnariq
Posts: 9655
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Re: Reverse Engineering the CIC

Post by lidnariq » Tue Sep 15, 2020 10:30 am

Lord Nightmare wrote:
Tue Sep 15, 2020 3:53 am
As far as I'm aware, all the CIC chips are SM590 and have the same pinout. what exactly each pin was used for (since they're programmable i/o pins from the MCU cpu side) differs, but the pin functions are all the same.
Yeah, I meant "as used on the SSS PCBs".

Per PatNukem's photos above, apparently the FamicomBox CIC pinout is

Code: Select all

                .--_--.
  (P00) cart35 -|01 16|- +5V
  (P01) cart34 -|02 15|- cart16 (P22)
     (P02) n/c -|03 14|- cart17 (P21)
     (P03) gnd -|04 13|- n/c (P20)
    (Xout) n/c -|05 12|- cart18 (P13)
(Clock) cart71 -|06 11|- cart19 (P12)
(Reset) cart70 -|07 10|- n/c (P11)
           Gnd -|08 09|- n/c (P10)
                '-----'
Pin 4 is almost assuredly the same lock/key pin as the normal NES CICs. All of cart16...cart19 are via some series resistor in that SIP resistor pack.

lidnariq
Posts: 9655
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Re: Reverse Engineering the CIC

Post by lidnariq » Tue Sep 15, 2020 10:39 am

Patnukem wrote:
Tue Sep 15, 2020 12:53 am
Would you have a microcontroller suggestion? I don’t mind just ordering one.
Well ... I'd use a PIC18F45K50 because I have spares and am already set up for working with them. But something with a modern devchain might be a better choice for you. Depends on what you want to do, really, and whether you're more comfortable wiring things or want to learn more about microcontrollers.

The option that involves the least programming is to use something like the FT232H, FT245, or CY7C68013A to just capture the data off the pins, and build an external clock and toggle the pins I marked with "switch" high or low.

User avatar
Jeroen
Posts: 993
Joined: Tue Jul 03, 2007 1:49 pm

Re: Reverse Engineering the CIC

Post by Jeroen » Tue Sep 15, 2020 12:18 pm

Alternatively you can use an Arduino Uno. They're really cheap, and they have a lot of documentation for newbs.

lidnariq
Posts: 9655
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Re: Reverse Engineering the CIC

Post by lidnariq » Tue Sep 15, 2020 12:22 pm

The only caveat about spinning your own is that you must give the SM590 a clock no slower than 80kHz, which means the "validation" mode will spit out data at least at 20KByte/sec. Most arduino code can't manage strict timings.

User avatar
Jeroen
Posts: 993
Joined: Tue Jul 03, 2007 1:49 pm

Re: Reverse Engineering the CIC

Post by Jeroen » Tue Sep 15, 2020 12:27 pm

Yes that is a point I hadn't considered.

In that case however, I still think the Arduino can be a good platform, just don't use the Arduino libraries. Since it's cheap and readily found (There's bound to be lots of info on "bare bones" Arduino programming.)

edit: I forgot to mention, obviously the arduino would be generating the clock signal in this case.

edit2: looking at the Arduino Uno, it appears to have only 2kB of ram, which is technically enough, but you probably want a bit more overhead. (Streaming everything directly over serial seems like a bad time.) Still worth giving other Arduino compatible boards a look though.

Fiskbit
Posts: 151
Joined: Sat Nov 18, 2017 9:15 pm

Re: Reverse Engineering the CIC

Post by Fiskbit » Thu Sep 17, 2020 1:49 pm

Patnukem: I noticed the CIC on your cart is a 3198A. I received a couple FamicomBox carts yesterday that also use the 3198A. What are the revisions of the two CICs in your FamicomStation? It'd be good to get a dump of a letterless 3198, if we can find one.

Patnukem
Posts: 10
Joined: Thu Sep 10, 2020 11:16 pm

Re: Reverse Engineering the CIC

Post by Patnukem » Thu Sep 17, 2020 2:35 pm

I can check the other carts... I am pretty sure they are all the a version. I do have a coin counter too. I got a new breadboard today and hope to do the suggested connections to the chip.

I am preoccupied at the moment repairing the system as it’s really hard to do without a schematic. I can’t find the service manual except photos of the cover. It’s doing something but working is not one of the things it is doing lol.

lidnariq
Posts: 9655
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Re: Reverse Engineering the CIC

Post by lidnariq » Thu Sep 17, 2020 2:57 pm

I'd start off with the standard tests I give for the NES:
Is the 21.5MHz clock running?
Does the 2A03 M2 pin toggle?
Does the 2A03 A0 pin toggle?
Does the 2C02 video sound like a 60Hz buzz?

Post Reply