Originally Posted by hal3000
The tabletop version of Mario's Cement Factory sports an SM511 with a melody ROM. There are two known versions with different startup jingles.

The current way of electronically reading the melody ROM data isn't 100% accurate (it is done by playing back the melodies and reconstructing the ROM) and a decap is needed to get this fully right. This holds true for many of the SM511/SM512 G&W games which have been added to MAME. I still believe that there exists an accurate way to read out the melody ROM data electronically and want to revisit this some day. There has been some development in this area recently as Furrtek has offered to take a look at SM511 die shots and investigate whether the melody ROM data can be connected to the CPU data bus...

Has anybody tried to apply TEMPEST side-channel attacks on those chips?

It may be easiest to do for such simple 4-bit stuff: decipher the HF radiation picked up by antennas (e.g. wires taped on top of the chip package) in several directions to infer which internal ROM data is being accessed. A digital 4-channel oscilloscope may be sufficient to sample the signals. You will likely need to place the device under test inside a Faraday box to eliminate external RF interference. On eBay you can buy Chinese shielding adhesive tape woven from very fine metal fabric with (unlike property store aluminium tape) a fully conductive glue side. The stuff is great; glue it e.g. onto window-sealing foam rubber strip to make an elastic HF seal. (I shielded e.g. the PC case doors of my Colani bigtower with it.) Only be very careful to properly cut (never tear!) this tape, else it can spill tiny conductive wire lints everywhere; that stuff is hell, even nastier than zinc whiskers in data centers.

I experimented in my youth with radios and wires scotch-taped on top of chips to produce strange sounds (a kind of circuit bending) but had no hardware to decrypt what is actually going on inside. When demodulated by signals from the clock quartz it may be possible to leak the bits being read out of the ROM. Another known side-channel method is to put a resistor in the power supply line to the chip and observe voltage spikes caused by varying power consumption. But it is likely hard to distinguish the individual bits of a parallel bus read from the ROM.

I have >100 old LCD games (from flea markets when they were still 2EUR each) and particularly tons of that dreaded McDonalds HappyMeal obsolescence trash (usually bought for 20ct each or so - many are doublets with torn paper labels waiting for experiments). At least I gutted out their unremovable button cell, which otherwise would surely have corroded through the COB or LCD over time.
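An added illustration of the last point in the post above (the shunt-resistor method and why single bus bits are hard to tell apart), not code from the poster or from any real SM511 measurement: it simulates a constructed 4-bit ROM under an assumed Hamming-weight leakage model, recovers the per-read weight by clock-synchronous averaging, and shows that the weight alone leaves several candidate nibbles.

```python
import random

# Constructed 4-bit "melody ROM" contents for the simulation (not real SM511 data).
ROM = [0x3, 0xC, 0x1, 0xA, 0xF, 0x0, 0x9, 0x7]

def hamming_weight(nibble):
    return bin(nibble & 0xF).count("1")

def simulate_shunt_trace(rom, samples_per_cycle=20, reps=200, noise=0.8, seed=1):
    """Model the voltage across a shunt resistor while the CPU walks the ROM.
    Assumed leakage model: each bus read draws a current spike proportional to
    the Hamming weight of the nibble (a common CMOS switching approximation),
    buried in Gaussian noise. Returns the trace plus the sample index where each
    read cycle starts, so averaging can be locked to the clock edge."""
    rng = random.Random(seed)
    trace, cycle_starts = [], []
    for _ in range(reps):
        for nibble in rom:
            cycle_starts.append(len(trace))
            hw = hamming_weight(nibble)
            for s in range(samples_per_cycle):
                spike = hw if s < 3 else 0.0  # spike right after the clock edge
                trace.append(spike + rng.gauss(0.0, noise))
    return trace, cycle_starts

def clock_synchronous_average(trace, cycle_starts, rom_len, samples_per_cycle=20):
    """Average every ROM address's cycle across all repetitions (noise shrinks
    with the square root of the repetition count)."""
    sums = [[0.0] * samples_per_cycle for _ in range(rom_len)]
    counts = [0] * rom_len
    for i, start in enumerate(cycle_starts):
        addr = i % rom_len
        counts[addr] += 1
        for s in range(samples_per_cycle):
            sums[addr][s] += trace[start + s]
    return [[v / counts[a] for v in sums[a]] for a in range(rom_len)]

def recover_hamming_weights(avg):
    """Round the averaged spike amplitude of each cycle to an integer weight."""
    return [int(round(sum(cycle[:3]) / 3)) for cycle in avg]

def candidates_for_weight(hw):
    """All nibbles consistent with one recovered weight: the bus value itself
    is not identified, only its popcount, which is the post's caveat."""
    return [n for n in range(16) if hamming_weight(n) == hw]
```

Run with `simulate_shunt_trace(ROM)` followed by `clock_synchronous_average` and `recover_hamming_weights` to see the weights come out exactly, while `candidates_for_weight(2)` still lists six possible nibbles.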