Today I repaired my Sharp EL-640 talking calculator. A through-hole PCB contact underneath the LCD panel was corroded. (Fortunately this LCD has no brittle foil cable but a proper silicone contact strip that is safe to remove. Simply bend away the tabs of the sheetmetal frame.) I soldered a piece of enamelled copper wire across the trace. Now speech works again.
The hardware indeed has SMD chips with accessible pins (not COB).
While the main CPU is crystal clocked @32kHz (for the integrated quartz clock), the speech hardware apparently uses an LC oscillator with trimmer capacitor. Despite 6V (4x 1.5V AA cells) there seems to be still a discrete stepup voltage converter on the separate amp PCB.
Sharp EL640 Talking Calculator (teardown,repair)
Passive TEMPEST HF emission analysis with digital radio on AM range reveals beside many overtones of the speech audio a particular signal at about 675kHz, which produces distinct beeps/blips of varying frequencies during start of each spoken word. The pitch and pattern are unique to each selected word and may be serial(?) data sent to the speech rom, or even a signal derived from the internal sample playback frequency that differs per word or syllable (which is less likely because the blips are shorter than the words). The word "six" even plays 2 blips.
I yet own no proper hardware to examine this deeper. An SDR receiver with multiple inputs for a tiny phased array antenna would be necessary to isolate parallel bus bits of rom data inside an IC (possibly using deep learning algorithms like those for radio astronomy). Like with recording an EEG, the antenna grid needs to be closely attached to the source (e.g. scotchtaped onto the chip under test) to minimize external interference.
Sharp CT-660G hardware
This is a more detailed description I wrote down when I repaired my "Sharp CT-660G - Die Sprechende Uhr" (German language version of Sharp CT-660 "Talking Time").
speech CPU = "L13093, 610, Sharp" (60 pin SMD, crystal 4.1 MHz) clock CPU = (unlabelled?, same package?) DAC IC = "Sharp IR3R12, 266D" (18 pin SMD)
The costly and somewhat iPhone-esque case construction contains a lot of small parts (separate switch contacts, strap eye, many screw lengths, black subchassis frame holding PCB...), so watch out not to loose them. Do not use raw force and especially do not overlook the screw under the door rim (gently push door sideways to unhinge). This German issue has no expansion connector, but a square hole in the subchassis with unused screw mount where likely a jack was planned. On the PCB I see no contacts for it, although a few unused solder pads (e.g. reset hole between switches, lacks 2nd contact) hint that something else was planned. Perhaps the subchassis was even supposed to act as a plugin module for many different cases (like a quartz clock movement) or even industrial application to be remote controlled by a computer. My front pane (labelled "SHARP") is definitely acrylic, not mineral glass.
IMO the design is not really ergonomic; as a blind's clock it should have less flimsy switches and feelable Braille labels. As an alarm clock it should have at least a bigger stop button (speech button does not stop it; you have to open the bottom compartment and slide a switch). As a stopwatch (the strap eye suggests this use) larger buttons would be useful, and also the sunk switch to select stopwatch mode is rather WTF than logical. But it is still a nice gadget from the "chip chip hurray" era when ICs still had thousands, not billions of transistors.
The hardware contains 3 SMD ICs, 2 of them (sound CPU "L13093, 610, Sharp" (60 pin SMD, crystal clocked @4.1 MHz)) on main board, clock CPU behind LCD panel (unlabelled?, same package?, crystal clocked @32kHz) are sort-of COB (casted in violet clear plastic resin). The 3rd chip "IR3R12, Sharp, 266D" (18 pin SMD) seems to be the speech DAC or sound IC.
Discrete circuitry with a tiny stepup transformer doubles the voltage to power the transistorized audio amplifier. The oscillator for the sound CPU is only active during sound output. Some parts look much more miniaturized than necessary; with proper design TI Speak&Spell sized DIL parts would have fit into this transistor radio sized case as well (not least because the subchassis wastes the space won by miniaturization). Interesting is that it contains one of the first flat plastic loudspeakers; such yellcoins became common not before mid of 1990th.
It tells the time in German with 24 hours system and has a Speak&Spell-like grainy male voice. The monophonic melody has (like in Casio calculators) decay envelope with zipper noise.
My specimen did nothing (blank LCD, only a quiet pop noise during power-on) so I feared the CPU was dead. Fortunately it wasn't. After hours of measurement with analogue oscilloscope, I found out that the reset capacitor (100nF ceramic, labelled "12V, 104M" - the right one behind the front panel) had a high resistance short circuit and so pulled reset hi forever. After replacing it with a foil capacitor it works. The reset capacitor is the Achilles' heel of the hardware and yet died several times again.
Another Sharp CT-660G version (German language) has different hardware. This one uses a hybrid resistor ladder DAC and the speech sounds thinner. The case has at the left side the silicone plug connector for external speak button. My specimen was damaged by badly corroded PCB traces near and underneath the volume pot, making no sound and some buttons failed. After patching traces with enamelled wire it works again.
speech CPU = "LI3093, 001?, ??????" (60 pin SMD shaped COB, badly readable) clock CPU = (unlabelled?, same package? (h16*v?? pins)) DAC hybrid: "12B24K/48K" (8 pin SIL)
Despite the clock and speech CPU are coated with thin black resin, the rim has fine pins underneath those look like possible to clean without destroying the chip package itself.
TEMPEST for chip scanning
Regarding TEMPEST technology. Here in Germany its existence was absolutely common knowledge! Every school boy knew it. Not only by espionage fear of the nearby GDR, but that is to say, our German TV fees withdrawal central "GEZ" repeatedly broadcasted on public TV ads "Schon den Rundfunk GEZahlt?" to scare TV nonpayers ("Schwarzseher"), often showing scenes about those "Funkpeilwagen" (radio emission detector vans) and people getting handcuffed. And long before wifi stupidified mankind, there was the famous whitehat hacker club "Chaos Computer Club" that publically informed about data privacy risks. So even kids swapping homecomputer diskettes on school yards discussed (also scared by newspapers) if those Funkpeilwagen go wardriving to identify and arrest them when playing pirated games at home. And before there was wifi, people experimented with crude SDR predecessors if they could transmit data from room to room with homecomputers and a directional antenna. And techno musicians experiment with this stuff. Place a VL-Tone on top of your AM radio, turn the tuning knob and you get funny synth sounds. Use a proper SDR and you may read its rom.
So spreading tinfoilhat rubbish about TEMPEST being related to MkUltra is plain absurd and can be only statement of someone who wastes his life on Telegram and/or spreads intentional false information to ridicule existing privacy risks. E.g. the phase array capabilities of 5G mobile radio may be well capable of performing active TEMPEST attacks (i.e. scanning electronic signals by intermodulating them with radar) to receive secrets from offline devices in the background (either always or only after a remote-uploadable firmware upgrade). That's one reason why nations fear to use Chinese Huawei 5G network hardware. (And of course such a sabotage can make the radiation even more harmful to humans when increasing signal strength and changing its composition.)
And that is to say, thanks Snowden the mankind knows now that even offline hardware can come factory prebugged with hidden antennas to ease wireless (passive or active) remote attacks. Everybody knows the well documented nearly invisible wifi antenna inside the PCB material of RasPi Zero W. But it doesn't need to be such complicated nor need wifi. One of those really cheap and innocent looking little baddies is e.g. Congaflock.
Hidden transmitters are more common than you may think. Did you know that the "Hard Drivin" arcade machine contains a simple hidden SDR inside an MCU for copy protection?
If you ground pin 4 on the TMS320P15 (signal 'P2') and then reset the chip (turning the game off for a few seconds and then turning it on again will do the trick) the TMS320P15 will send the Atari Games copyright message in Morse code which can be received on a standard AM radio by holding it near the DSK Board. Tune around the AM band to get the best quality signal.
And here we have the opposite case of another primitive SDR hidden in rom of a "Cherry Master" fruitmachine designed for cheating the gambling hall owner.
With the card on the right being face down, you are to choose whether it is going to be Big (higher than 8) or Small (less than 8). This is when the LEDs act weirdly and go dim, but should instead be turned off.
During this time, if you place a pocket-sized AM radio next to the buttons on the front panel of the game, and have previously tuned it between strong broadcast stations, you can detect a distinct sound generated by the game, which will indicate whether to press HI or LO, or bail out because the next card is an (8) eight, and you will lose.
My own PC got heavily shielded because the 1991th Colani bigtower was originally rated for a 50MHz CPU and I neither want to expose my brain nor my tube amplifier to its nowadays 3..4GHz clock frequency. (The audio is still full of dull rumbling noise varying with CPU load, so it is far from perfect.) This is what a seriously (nuke proof!) shielded TEMPEST PC has to be made of.
Military rugged laptop - DRS LXI with Pentium MMX - RETRO Hardware
TEMPEST methods are neither uncommon nor conspiracy tales. The only thing crazy here is how humankind got stupidified by mobile radio and wifi infested products to not be afraid of data vampires anymore and sell their souls to Alexa.
Scanning a COB chip of rare vintage electronics with TEMPEST methods is definitely better than decapping. An SDR receiver with multiple inputs for a tiny phased array antenna would be necessary to isolate parallel bus bits of rom data inside an IC (possibly using deep learning algorithms like those for radio astronomy). Like with recording an EEG, the antenna grid needs to be closely attached to the source (e.g. scotchtaped onto the chip under test) inside a faraday box to minimize external interference (see how an MRT room is built), which is a very different situation than long range espionage in the field. So even active scans (i.e. emitting radar to receive the modulated signals) may be done with very low dosage constituting no actual risk of HAVANA syndrome. It is embarrassing when mame chip hackers know of TEMPEST not more than a game by Dave Theurer.
Seriously, you have no clue what you’re talking about, but if you won’t accept it from me telling you, put your money where your mouth is and demonstrate a practical attack on a chip. Otherwise, just shut up and stop derailing threads.
I doubt that COBs of LCD games or old music keyboards contain such protection. If they e.g. do a rom test after reset (counting through all rom addresses in correct order to compute a checksum) it may be possible to reconstruct the rom dump from emissions of the internal data bus.
To receive RF signals from the chip under test, external RF noise needs to be avoided. A known noise source of such unwanted emissions are internal digital signals from the cheap SDR receiver (e.g. USB TV stick) itself, which harmonics can make detected frequencies ambiguous (also by sampling theorem when higher than the sampling rate). To compensate this, it may help to wobble the test subject's clock frequency (needs access to the oscillator) parallel with then detection frequency in the SDR algorithm while reading multiple times, and so subtract the digital noise.
E.g. the handheld spectrum analyzer Aaronia Spectran employs such principles (varying its own sampling frequency), which however can fail with random transient test signals. Here is a German language forum discussion about its technical limitations.
AES side channel attacks work because most implementations have conditional branches that depend on key contents. That won’t work for a checksum algorithm (there are also stream ciphers like ChaCha20 designed to make these kinds of side channel attacks more difficult). That aside, the SM510 series melody ROM isn’t directly accessible by the ALU. Once again, you’ve posted a lot of irrelevant text and shown how little you actually understand.
Many no-name LCD games seem to be based on the documented Holtek HT1130 4-bit microcontroller. On websearch I didn't found them mentioned although IC datasheets are available. Are they already emulated?
HT113AA 2Streetfighters2 LCD Game.pdf HT113FA Submarine War LCD Game.pdf HT113JA Baseball LCD Game.pdf HT113LA Mini Brick LCD Game.pdf HT113RA Poker and Black Jack LCD Game.pdf HT113SA Casino Game 5-in-1 LCD Game.pdf HT1132A SPACE WAR LCD Game.pdf HT1134A Pin Ball LCD Game.pdf HT1136A Football LCD Game.pdf HT1137A Motorcycle LCD Game.pdf HTG1395 3-in-1 LCD Game.pdf
Holtek (Taiwan) is one of the biggest manufacturer of cheap button cell operated LCD gadgets, and also seems to be the hidden creator behind many no-name single chip keyboard CPUs, including some of the most exciting mini keyboard LSI with multipulse squarewave and great POKEY-style blip percussion (like EK-001 and Creatoy). Also My Music Center variants (sound engine "Ad-lib Micro®") and many modern Yongmei grade COB chips (e.g. 100 preset sounds + LED display etc.) seem to be their creation (functions seen in datasheets). While official Holtek chips have the naming convention HT + number (+ optional letter + number for software version), also many rebranded versions with different naming can be found. With single chip mini and toy keyboards Holtek was in late 1990th at least among the big 3 next after Casio and Yamaha (in sold units count likely even higher). Because those cheap toy tablehooter chips often have resistor controlled clock rate with poorly stabilized voltage that changes pitch with empty batteries, they also got their nickname "Howltek".
Not emulated. Some of the Nelsonic G&W games have a Holtek MCU, not this one but I expect it's similar technology. And the ROM bits were not visible on the decap.
Some of the Nelsonic G&W games have a Holtek MCU, not this one but I expect it's similar technology. And the ROM bits were not visible on the decap.
Does that mean it uses not mask rom (i.e. eprom or flash cells) or is there only a layer above to hide it from hardware pirates? Was it 1990th or later?
I ask because of long-term bitrot risk if the "rom" is actually something else. Many lofi music keyboards and soundtoys employ Holtek chips (likely of different architecture), but if I remember well, datasheets (or specs on Holtek website and forums?) claimed that prototyping MCU versions for such things were OTP (no erasable versions exist) but mass produced ones are rom, hence they have no reusable chip version for DIY projects.
