Very Senior Member (Joined: Feb 2004, Posts: 2,395, Likes: 110)
Originally Posted by Revenant
Originally Posted by =CO=Windler
the rom contents (dumped as analogue voltages through the DAC output?)
How did he manage to do that? Is any of this actually available somewhere?
The usual way is to find an exploit to trick the system into treating program ROM as audio samples. This was done for some arcade games to extract the internal ROMs from the sound CPUs. (Speaking of which, you can exploit the QSound DSP to make it use any old piece of program ROM as FIR filter taps. In conjunction with a specially-crafted sample ROM, that could be used to extract the program ROM as a digital audio bitstream. We should do this at some point to verify the ROM contents. There are three bit errors in it that I know of, but there could be more.)

Member (Joined: Jan 2021, Posts: 44, Likes: 22)
I know how it can be done in a general theoretical sense, I'm more wondering how it might have apparently already been done with the MSM6387, especially because it's just a tiny little DIP30 with no external memory bus.

If D-tech has one decapped already, did he actually use any kind of exploit at all or did he just read it from a die photo?

Senior Member (Joined: Jan 2021, Posts: 108)
Dtech wrote me in 2012:
Quote
With SA chips I was about to send one to France for decapsulation and photos, together with some other guys that are into retro video game consoles and had other chips to decapsulate. However, this entire project somehow stalled and died out. I know it's an OKI 4-bit microcontroller with melody circuit and have plenty of approximate information about its innards, as well as having researched a little bit about some test features that I plan (for more than 10 years already hehehe) to exploit to read out its ROM without decapsulation. All OKI chips have features for such tests, but in none of their documentation did I find any information on it.
I have made some test jig for such hardware tests, but it is not yet complete. It will be useful to explore the chip test functions and try to read out its contents, but no idea if it will be successful.

I have used voltage glitching to record its output in very high quality and then made a tool to try to extract approximate ROM contents with exact byte precision, and now know exactly how many bytes each of the blocks are and things like that. However, the exact data (value of each program word) is not yet known, and that's a thing I would really like to see someday.

I can cool the chip down to -55 degrees anytime, but I don't think it will help reading it out. Shitshot capture is easy with it as it is. Using 192 ksps or faster analog capture is more than enough to get every sample of its 21.xxx kHz (don't remember) sample rate and use adapted high-speed telecommunications algorithms to synchronise to transitions and lock to every byte. Getting the exact value is a problem, as the playback from the chip is scaled... with loss. The loss is similar to playing back an 8-bit wave multiplied by 0.99 on an 8-bit DAC. There are missing codes.

And regarding ROM contents playback as samples, I discovered that "My Music Center" toy keyboard hardware (Holtek - Ad-lib Micro®, may be HT3670 based) under shitshot (voltage glitching) often vomited apparently its entire ROM contents through the DAC, producing a sequence of all samples with "noise" in between. Because its MCU is SRAM based, its resistor-controlled clock rate can be turned down to a complete halt with crash, which may permit sampling the output (whose DAC multiplexes polyphony voices like Yamaha) precisely enough with any PC to decipher it.


MAY THE SOFTWARE BE WITH YOU!

{weltenschule.de}
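The "scaled with loss" problem in the quoted message, modelled as an added example (not code from the thread, from Dtech's tool, or from the chip): 8-bit ROM samples played through an 8-bit DAC at slightly under unity gain, assumed here to be 99/100 with round-half-up requantisation, and the many-to-one mapping that makes the exact byte values unrecoverable from a single capture.

```python
"""Constructed model of the playback loss described in the quoted message:
8-bit ROM samples scaled by about 0.99 and requantised by an 8-bit DAC.
The gain (99/100) and the rounding rule (round half up) are assumptions;
the real chip's scaling is not known from the post."""
from collections import defaultdict

GAIN_NUM, GAIN_DEN = 99, 100  # assumed gain of 0.99, kept as integers to avoid float rounding surprises


def play(code, num=GAIN_NUM, den=GAIN_DEN):
    """Scale one 8-bit sample and requantise it to the 8-bit DAC grid."""
    if not 0 <= code <= 255:
        raise ValueError("8-bit sample expected")
    scaled = (code * num + den // 2) // den  # round half up, integer arithmetic
    return min(255, scaled)


def preimages(num=GAIN_NUM, den=GAIN_DEN):
    """Map every observable DAC code to the ROM bytes that could have produced it."""
    table = defaultdict(list)
    for code in range(256):
        table[play(code, num, den)].append(code)
    return dict(table)


def missing_codes(num=GAIN_NUM, den=GAIN_DEN):
    """DAC codes that no ROM byte can produce once the gain is below unity."""
    reachable = preimages(num, den)
    return [c for c in range(256) if c not in reachable]


def ambiguous_codes(num=GAIN_NUM, den=GAIN_DEN):
    """Observed codes that collapse two ROM bytes onto one output value."""
    return {out: src for out, src in preimages(num, den).items() if len(src) > 1}


def recover(observed, num=GAIN_NUM, den=GAIN_DEN):
    """Candidate ROM byte(s) for each captured sample; exact only where one candidate remains."""
    table = preimages(num, den)
    return [table.get(sample, []) for sample in observed]


if __name__ == "__main__":
    print("never produced:", missing_codes())                  # [253, 254, 255]
    print("ambiguous:", ambiguous_codes())                     # {50: [50, 51], 149: [150, 151], 248: [250, 251]}
    print("candidates for a capture:", recover([0, 50, 252]))  # [[0], [50, 51], [255]]
```

Changing `num`/`den` shows how a different (unknown) gain moves the colliding and missing codes around, which is why a second capture at a different gain or a known test pattern is needed to pin down the exact values.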
Member (Joined: Jan 2021, Posts: 44, Likes: 22)
I was sent some MSM6387 die photos from an anonymous source recently:
https://revenant1.net/casio/msm6387-16.zip (~285 MB unzipped)
Maybe these will be interesting/useful to someone who actually knows what they're looking at with these. I was told that it'd most likely need additional delayering to be able to extract the mask ROM contents, but AFAIK these photos are old and it'd probably have to be redone by someone else at this point.

Senior Member (Joined: Jan 2021, Posts: 108)
I have looked at the OKI M6387 dieshot, and as far as I understand, the ROMs seem to be the plain dark double-rectangle at the lower right and the double-square at the upper left. You can see barely varying pixel brightness among the cells; those might be the data. (Perhaps a neural network AI can decipher it.) The lower left square made of bigger cells is likely the SRAM, and the woven-looking smaller rectangle at the upper right may be the DAC (a big array of different resistor types?). The somewhat messy vertical stuff (decoder logic?) in the upper middle may be an ALU, so the upper left ROM area attached to it may be microcode of the CPU. But it also may be that the upper left ROM is program code while the lower right ROM (because it is closer to and possibly directly connected to the DAC) is the waveforms.

The chip seems to have 33 pads internally that are wired to only 30 pins on the package.

Note that I am no dieshot expert but only remember what I learned at university 20 years ago, so it may be complete bullshit.

Last edited by =CO=Windler; 09/07/22 05:27 AM.

Very Senior Member (Joined: Mar 2001, Posts: 16,928, Likes: 62)
I would agree it needs additional delayering to actually see the ROM contents, but I'm by no means an expert on this stuff.

Senior Member (Joined: Jun 2001, Posts: 479, Likes: 3)
It sounds correct to me. It's hard to say at that level of magnification if a delayering is actually needed though.

Senior Member (Joined: Jan 2021, Posts: 108)
I forgot, this chip uses DRAM, not SRAM (it cannot be underclocked very far). When looking at the downloaded B/W detail pictures of the supposed ROM sections, I only see tiny notches in the traces at some spots. Are these data or just acid damage from decapping? They look fairly irregular/jagged, so this may be a wrong clue and it indeed needs delayering. (AFAIK flash memory has no visible pattern, but I guess/hope the SA series is too early to be flash based.) But the visible logic parts of the chip may help to understand the test-mode data format to dump the ROM electrically the normal way.

Member (Joined: Jan 2021, Posts: 44, Likes: 22)
Yeah, the B&W close-up shots give a better view, but it still doesn't really seem possible to distinguish anything.

Very Senior Member (Joined: Feb 2004, Posts: 2,395, Likes: 110)
I doubt it’s Flash, but it could be ion implant, which doesn’t show up in microphotography.

Forum hosted by www.retrogamesformac.com