"Dumping" Protected GALs - Any Tricks?

SuperSVGA

Well-known member
I'm working on reverse engineering and cloning an ethernet card for the SE/30, and right now I'm stuck on the GALs.

The board has two Lattice GAL16V8As, and I'm assuming they're both protected in some way. I've tried dumping both with a TL866ii but neither appears as if I'm getting the actual logic off.

From what I can tell these just seem to be controlling latching logic, and there doesn't appear to be any other code running on the board, so I can't imagine it would be too impossible to rebuild them from scratch, just very time consuming.

Does anyone have any tips or things that I may have missed?
 

Gorgonops

Moderator
Staff member
If the GAL is just using combinatorial logic there are github projects out there for using an Arduino to bitbang out the wire map if the protection bit is set.

If there is any registered logic then, yeah, life gets a lot harder. Do you know broadly where in the circuit the GALs live? (Are they just doing address decoding/chip selection, or is there a chance they’re implementing some kind of state machine?)
 

SuperSVGA

Well-known member
Do you know broadly where in the circuit the GALs live? (Are they just doing address decoding/chip selection, or is there a chance they’re implementing some kind of state machine?)
According to the dumps one of them is registered and the other is "medium". I'm not sure what it means by medium.
From what I can tell so far they're connected to the various logic ICs, as well as connections to the 68030 data and address strobes. My limited understanding tells me that these are just here so the card talks to the PDS bus at the right time.

I'm working on making the schematic right now to get the exact flow of the logic, I just need to buzz out the inner layers.
 

Bolle

Well-known member
You can get around the security fuse on a lot of GAL16V8 and 20V8s by messing with the programming voltage.

You have to apply a voltage to the programming pin just at the right time before VCC to the chip gets applied and then read it like you normally would.
The problem here is that the timing seems to be important so you’ll spend a lot of time with trial and error. Another unknown factor is the voltage that you have to apply. This is not necessarily the actual programming voltage of the chip but rather a seemingly random value between 7V and 20V depending on the chip.
Make sure to not directly connect the external voltage source or you’ll instantly fry the GAL but instead use a 4.7k resistor in series.
 

Gorgonops

Moderator
Staff member
You can get around the security fuse on a lot of GAL16V8 and 20V8s by messing with the programming voltage.

Do you have an actual trusted source that goes into detail about this? I've seen vague mention of this on some electronics forums, posts going back to at least 2011 referencing some German Amiga fan who was very squirrely about documenting his methods. Frankly this sounds like a great way to brick your originals if you don't know *exactly* what you're aiming for.
 

Gorgonops

Moderator
Staff member
the other is "medium". I'm not sure what it means by medium

Reading the datasheet it looks like "Medium" refers to a specific subset of combinatorial mode. (The GAL16v8 and 20v8 can emulate a bunch of older PAL devices, the difference between "Small" and "Medium" mode is the latter supports tri-stating the configurable I/O lines.)

If you can get a handle on what the registered GAL does it may turn out to be mostly combinatorial with just one trivially simple registered function, like a one-shot latch, so I wouldn't give up on just trying to noodle it out. Hopefully it's not something gross like the cycle-counting state machines that I've been screwing with, it seems a little unlikely on an ethernet card.
 

Bolle

Well-known member
Do all the clones I build count as source? ;)

It is exactly this, you’re going to brick things until you get a hang of how to approach it.
Been there, done that, killed two accelerators so far.

If done manually using a bench PSU it is really hard to document what has to be done. You have to try it to get a feel for it… when to apply the external programming voltage, how to find out the exact voltage for each chip to react.

What I said above stays true, hook up a bench psu to the programming pin of your GAL through a 4.7k resistor and start playing.

It’s worth mentioning that some chip programmers don’t like the external voltage but the Minipro is going to be fine from my experience.
As said the time interval between turning on the external programming voltage and hitting the "read" button in your programmer's software is one of the two factors that make it work, the actual voltage you set is the other.
 

Angelgreat

Well-known member
I think SuperSVGA should lend the SE/30 Ethernet card to Bolle since he has reverse engineered the GALs of the MicroMac accelerator card to make his own replicas. I think he can help.
 

Gorgonops

Moderator
Staff member
Do all the clones I build count as source? ;)

Hah! Okay, then. Do you have a dev blog or something where you've been storing these juicy details, by any chance? Google needs to know about it if you do, the "varying the voltage" thing reads like an urban legend everywhere I saw it. :)

Again, I would *hope* that a registered GAL on an ethernet card would be doing something relatively trivial compared to an accelerator (where it might be part of a clock doubling circuit or gosh knows what else), but I guess you're not really going to have a rough idea what's likely until the schematic is all there.
 

trag

Well-known member
@Bolle Are you less likely to fry a GAL by starting at lower voltages?

Also, we're often dealing with one-of-a-kind or few-of-a-kind chips/GALs. Do you recommend getting some blank GALs, programming them, and setting the Security fuse and then practicing on them?

When you say a "delay", do you mean seconds? Fractions of a second? Would it make sense to set up a microcontroller actuated relay, so that the time can be made consistent and incremented/decremented in known amounts.

I have one GAL each in the Outbound Model 125 Laptop SCSI adapter and External Floppy that I would like to read, but I can't afford to destroy them in an unsuccessful attempt...

Also, have the GALs on the JackHammer been read?
 

Bolle

Well-known member
Also, have the GALs on the JackHammer been read?
I have not come around a Jackhammer that uses actual GALs. All the ones I have seen (or own) use AMD PALCE PLDs. While they are functioning the same way as GALs the programming algorithm is completely different and they’re not vulnerable to the same (let’s call it) glitching method.

A few of the Jackhammer PLDs are not protected though and can be read, however some of them are protected. It’s also always the same chips among different cards which are unprotected.
 

re4mat

Well-known member
Also, we're often dealing with one-of-a-kind or few-of-a-kind chips/GALs. Do you recommend getting some blank GALs, programming them, and setting the Security fuse and then practicing on them?

This seems like a smart way to go about it. I mean, I'd love to reverse-engineer my Presto Plus, but the idea of risking that Xilinx Spartan XCS20XL trying to find out what voltage to apply and when in order to get it to read is daunting. (Assuming that technique also works on FPGAs. Any insights there?)
 

Bolle

Well-known member
Any insights there?
Yes. It doesn’t work that way.
Look at the datasheet of the XCS20XL and it’s going to be obvious what has to be done ;)
Cloning the Presto Plus is pretty trivial…
Copy the serial EPROM containing the bitstream for the FPGA (it doesn’t have any form of protection)
Make another copy of the flash ROM containing the declaration ROM code for the builtin ethernet card.
Then figure out the schematics and make new boards (after sourcing all the old ICs from somewhere)

Do you recommend getting some blank GALs, programming them, and setting the Security fuse and then practicing on them?
That’s definitely a good idea, but don’t expect your practicing GAL to behave the same as the one you want to read. As said, voltages seem to randomly differ between chips that are supposedly the same make/type.
 

re4mat

Well-known member
Look at the datasheet of the XCS20XL and it’s going to be obvious what has to be done ;)

I guess I could have started there! 😅 I'd just assumed that it had the same kind of security—I know the newer Spartans have fuses. (And encryption, but I figured the older ones didn't.)

Right there on the first page:
• System level features
[…]
- Full readback capability for program verification and internal node observability

I looked through the Readback section of the datasheet and, sure enough, it looks like readback is always enabled. And so it sounds like that EPROM has the configuration bitstream, so it does indeed seem pretty obvious what needs to be done. Thanks! You've just given me a lot to go on! :)
 

trag

Well-known member
I have not come around a Jackhammer that uses actual GALs. All the ones i have seen (or own) use AMD PALCE PLDs.

Yep. Sorry. Sloppy language. Happened to be on my mind while we were discussing GALs.

So logic attack for the PALs that are protected?
 

SuperSVGA

Well-known member
Well, I ordered some extra GAL16V8s (as well as some GAL20V8s to play with just to make the shipping cost worth it) as well as some more expensive test equipment. Hopefully I can get some repeatable methods down before I try on the irreplaceable GALs.

At some point I'm going to get the inner layers of the PCB finished so I can send it off for production, and then maybe I'll actually get to test the cloned GALs.

If all else fails, I guess I can just stare at the data sheets for hours on end and try to figure out how to manually recreate them, since there doesn't seem to be any specialty code running anywhere.
 

Gorgonops

Moderator
Staff member
If you feel like sharing the schematic once it's complete I wouldn't mind staring at it for a few minutes and making a wild guess what the registered one might do.

As for the non-registered one, you might want to consider using one of those "bitbang it with an arduino" methods to at least get it in the can before you risk smoking it. My spider senses also make me feel like there's at least a fair chance you might get a partial read of the registered one's logic if it only does one latch/one-shot kind of function in addition to simple combinational stuff.
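Following the "bitbang the truth table with an Arduino" approach mentioned in this thread, here is an added example (not code from the thread or from any of the GitHub projects referred to) that takes the table such a sketch would log for a purely combinatorial GAL and reduces it to CUPL-style equations with Quine-McCluskey, flagging whether each output fits a GAL16V8 macrocell's product-term budget. The 4-input capture, the signal names and the CUPL syntax choices are assumptions of mine; the 8-terms-per-macrocell figure is the datasheet value.

```python
# Added example (not the thread's code): Quine-McCluskey on a captured GAL truth table
from itertools import combinations

GAL16V8_PTERMS = 8  # product terms per output macrocell (7 in complex mode)

def _combine(a, b):  # merge implicants ('0'/'1'/'-' strings) differing in one bit
    d = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(d) == 1 and '-' not in (a[d[0]], b[d[0]]):
        return a[:d[0]] + '-' + a[d[0] + 1:]

_covers = lambda imp, m: all(c in ('-', x) for c, x in zip(imp, m))  # imp covers m?

def prime_implicants(minterms, nbits):
    terms, primes = {format(m, f'0{nbits}b') for m in minterms}, set()
    while terms:  # merge rounds until nothing combines further
        pairs = [(a, b, c) for a, b in combinations(sorted(terms), 2)
                 if (c := _combine(a, b))]
        primes |= terms - {x for a, b, _ in pairs for x in (a, b)}
        terms = {c for *_, c in pairs}
    return sorted(primes)

def minimize(minterms, nbits):
    """Pick essential primes first, then greedily cover what is left."""
    primes = prime_implicants(minterms, nbits)
    left, chosen = {format(m, f'0{nbits}b') for m in minterms}, []
    for m in sorted(left):
        cov = [p for p in primes if _covers(p, m)]
        if len(cov) == 1 and cov[0] not in chosen:
            chosen.append(cov[0])
    while (left := {m for m in left if not any(_covers(p, m) for p in chosen)}):
        chosen.append(max(primes, key=lambda p: sum(_covers(p, m) for m in left)))
    return sorted(chosen)

def to_cupl(imp, names):  # names listed MSB first, matching the bit strings
    lits = [n if c == '1' else '!' + n for c, n in zip(imp, names) if c != '-']
    return ' & '.join(lits) or "'b'1"

def equations(capture, in_names, out_names):
    """capture[v] = output bits seen for input v; returns {name: (eq, nterms, fits)}."""
    n = len(in_names)
    assert len(capture) == 2 ** n, "every input combination must be observed"
    res = {}
    for i, name in enumerate(out_names):  # out_names[i] is output bit i
        imps = minimize([v for v in range(2 ** n) if (capture[v] >> i) & 1], n)
        eq = ' # '.join(to_cupl(t, in_names) for t in imps) or "'b'0"
        res[name] = (eq, len(imps), len(imps) <= GAL16V8_PTERMS)
    return res

# Constructed capture: inputs A3..A0 stepped 0..15, outputs Z (bit 1), Y (bit 0)
CAPTURE = [2, 3, 0, 1, 2, 3, 0, 1, 2, 2, 0, 0, 3, 3, 1, 1]
```

Calling `equations(CAPTURE, ['A3', 'A2', 'A1', 'A0'], ['Y', 'Z'])` on the constructed table yields `Y = !A3 & A0 # A3 & A2` and `Z = !A1`, each well inside the term budget; a registered output cannot be recovered this way because its next state depends on the clock history, which is the point made above about the second GAL.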
 