Previous Thread
Next Thread
Print Thread
Page 4 of 4 1 2 3 4
Joined: Feb 2004
Posts: 2,367
Likes: 81
Very Senior Member
Offline
Very Senior Member
Joined: Feb 2004
Posts: 2,367
Likes: 81
Originally Posted by Revenant
Originally Posted by =CO=Windler
the rom contents (dumped as analogue voltages through the DAC output?)
How did he manage to do that? Is any of this actually available somewhere?
The usual way it to find an exploit to trick the system into treating program ROM as audio samples. This was done for some arcade games to extract the internal ROMs from the sound CPUs. (Speaking of which, you can exploit the QSound DSP to make it use any old piece of program ROM as FIR filter taps. In conjunction with a specially-crafted sample ROM, that could be used to extract the program ROM as a digital audio bitstream. We should do this at some point to verify the ROM contents. There are three bit errors in it that I know of, but there could be more.)

Joined: Jan 2021
Posts: 27
Likes: 14
R
Member
Offline
Member
R
Joined: Jan 2021
Posts: 27
Likes: 14
I know how it can be done in a general theoretical sense, I'm more wondering how it might have apparently already been done with the MSM6387, especially because it's just a tiny little DIP30 with no external memory bus.

If D-tech has one decapped already, did he actually use any kind of exploit at all or did he just read it from a die photo?

Joined: Jan 2021
Posts: 96
=
Member
Offline
Member
=
Joined: Jan 2021
Posts: 96
Dtech wrote me in 2012:
Quote
With sa chips I was about to send one to france for decapsulation and photos, togheter with some other guys that are
into retro video game consoles and had other chips to decapsulate. However this entire project somehow stalled and
died out. I know it's oki 4bit microcontroller with melody circuit and have a plenty of approximate information about
it's innards, as well as have researched a little bit about some test fetures that I plan (for so more than 10 years
already hehehe) to exploit to read out it's rom without decapsulation. All oki chips have features for such tests, but
in none of their documentation did I find any information on it.
I have made some test jig for such hardware tests, but it is not yet complete. It will be useful to explore the chip
test functions and try to read out it's contents, but no idea if it will be successful.

I have used the voltage glitching to record it's output in very high quality and then made a tool to try to extract
approximate rom contents with exact byte precision, and now know exactly how many bytes are each of the blocks and
things like that. However exact data (value of each program word) is not yet known, and that's a thing I would realy
like to see someday.

I can cool the chip down to -55degrees anytime, but i don't think it will help reading it out. Shitshot capture is
easy with it as it is. Using 192ksps or faster analog capture is more than enough to get every sample of it's 21.xxx
kHz (don't remember) samplerate and use adapted highspeed telecommunications algorithms to synchronise to transitions
and lock to every byte. Getting exact value is a problem, as the playback from chip is scaled... with loss. Loss is
similar to like playing back 8bit wave multiplied by 0.99 on 8bit dac. There are missing codes.

And regarding rom contents playback as samples, I discovered that "My Music Center" toy keyboard hardware (Holtek - Ad-lib Micro®, may be HT3670 based) by shitshot (voltage glitching) often vomited apparently its entire rom contents through the DAC, producing a sequence of all samples with "noise" in between. Because its MCU is SRAM based, its resistor controlled clock rate can be turned down to complete halt with crash, which may permit to sample the output (which DAC multiplexes polyphony voices like Yamaha) precise enough with any PC to decipher it.


MAY THE SOFTWARE BE WITH YOU!

{weltenschule.de}
Page 4 of 4 1 2 3 4

Link Copied to Clipboard
Who's Online Now
5 members (Hydreigon, r09, box, 2 invisible), 16 guests, and 3 robots.
Key: Admin, Global Mod, Mod
ShoutChat
Comment Guidelines: Do post respectful and insightful comments. Don't flame, hate, spam.
Forum Statistics
Forums9
Topics9,085
Posts119,081
Members5,014
Most Online890
Jan 17th, 2020
Our Sponsor
These forums are sponsored by Superior Solitaire, an ad-free card game collection for macOS and iOS. Download it today!

Superior Solitaire
Forum hosted by www.retrogamesformac.com