"Dumping" Protected GALs - Any Tricks?

Gorgonops said:
If you feel like sharing the schematic once it's complete I wouldn't mind staring at it for a few minutes and making a wild guess what the registered one might do.
Click to expand...
Yep, I'll upload it once I stop being stupid and getting turned around halfway though.

Here's what the current progress on the board itself looks like:
test1.JPG
Along with the original scan:
front.jpg
There's a lot more going on in the inner layers than I anticipated, so it's going to take a bit to get it fully complete, but I should be able to at least get all the GAL connections mapped out.

Gorgonops said:
you might want to consider using one of those "bitbang it with an arduino" methods to at least get it
Click to expand...
Do you have a link to one of these? All I've been able to find so far is one that uses a custom PCB/shield, though I guess I could breadboard it if I was confident in the wiring.
 
Bolle said:
You can get around the security fuse on a lot of GAL16V8 and 20V8s by messing with the programming voltage.

You have to apply a voltage to the programming pin just at the right time before VCC to the chip gets applied and then read it like you normally would.
The problem here is that the timing seems to be important so you’ll spend a lot of time with trial and error. Another unknown factor is the voltage that you have to apply. This is not necessarily the actual programming voltage of the chip but rather a seemingly random value between 7V and 20V depending on the chip.
Make sure to not directly connect the external voltage source or you’ll instantly fry the GAL but instead use a 4.7k resistor in series.
Click to expand...

I’ve been messing around with the GALs on a Micron Xceed SE/306-48 according to your notes but haven’t got any to reveal their contents yet. I’m using a T48. Unfortunately, my bench PSU only goes up to 15.5V so this could be a bit of a show stopper.
I just wanted to check:

- that the programming pin is indeed pin#1?
- how long before hitting read (on average) were you applying voltage to the programming pin? Are we talking a few seconds, or a fraction of a second?
 
Galdurino and co are nice when they work. But they're not always an option.

I have used https://github.com/cdhooper/brutus28 in the past. It's straight forward for combinatorial logic, but anything more complex is work to figure out.

I wrote a set of expect scripts to help with the reverse engineering of GALs through Brutus28 which are available here for anybody curious: https://github.com/reinauer/laoshi/tree/main/logic ... Basically once you have a theory of operation, you can write test scripts to prove out the theory on the original parts and then modify your PLD source code until it passes those tests

Code: 
# Simulate a read from 0x1001. A14 should go to 1
puts "Setting A0 !A1 A12"
outputs [pins_to_hex A0 A12]
if { [inputs] == [pins_to_hex VCC A0 CLKOUT CLK A12 A14] } {
  puts "OK: CLKOUT+CLK is HIGH, A14 is HIGH"
} else {
  set debug 1
  inputs
  puts "Error: expected VCC A0 CLKOUT CLK A12 A14\n"
  exit 1
}
 
You must log in or register to reply here.

Similar threads

Trash80toHP_Mini
Logic Analyzer + AI = ?
Replies
3
Views
908
Trash80toHP_Mini
Trash80toHP_Mini
zigzagjoe
Repair of a basket case DiimoCache030
Replies
5
Views
835
Bolle
Bolle
jmacz
Macintosh 512K Flup Flup Flup
Replies
4
Views
2K
jmacz
jmacz
B
BlueSCSI problem, is it HW or user error?
Replies
4
Views
2K
Phipli
Phipli
A
Logic Board reworking: A Tale of Two IIcx
2 3 4
Replies
62
Views
13K
Addicted
A
Back
Top