ChanServ changed the topic of ##yamahasynths to: Channel dedicated to questions and discussion of Yamaha FM Synthesizer internals and corresponding REing. Discussion of synthesis methods similar to the Yamaha line of chips, Sound Blasters + clones, PCM chips like RF5C68, and CD theory of operation are also on-topic. Channel logs: https://freenode.irclog.whitequark.org/~h~yamahasynths
<Foone> Lord_Nightmare: cool!
<Foone> I've heard back from Brandon, and they're sending me the card, although they don't want it damaged. so I'll do as much reverse engineering as possible from that one, short of decapping the PALs
<Lord_Nightmare> ok
<Lord_Nightmare> foone: the pals, if they're pal16l8 devices, don't need decapping; you can in theory just extract a truth table
<Lord_Nightmare> the issue is sometimes people found 'clever' ways to make pseudo-latches even on pal16l8 devices and abuse stuff like open collector inputs
<Lord_Nightmare> see the later sb "2.0" short isa card pal
<Lord_Nightmare> the 'reverse engineered' pal that chuck guzis did doesn't actually work on later cards, but the real pal apparently does?
<Lord_Nightmare> that specific pal may be worth decapping to directly optically read the fuse map
<Lord_Nightmare> (or have someone with an FIB patch over the blown security fuse, then digitally read the fuse map; either way works)
<Foone> FIB?
<cr1901_modern> focused ion beam
<Foone> ahh
<Lord_Nightmare> its a way of patching a silicon chip die, post production
<Lord_Nightmare> it was sometimes used to fix buggy prototype die revisions before the masks could be fixed
<cr1901_modern> Btw, nothing substantial to add, and I have to go to a doc appt (whee), but I'll just leave this here: https://twitter.com/cr1901/status/1232315838646116352
<Lord_Nightmare> and is occasionally used for data recovery
<Lord_Nightmare> (FIB)
<Foone> cr1901_modern: yeah, I was just thinking that last night
<Lord_Nightmare> Foone: does brandon have the button attachment for his card?
<Lord_Nightmare> krick's card does have it
<Foone> yep
<Lord_Nightmare> both cards I think have the "4." ROM in them
<Lord_Nightmare> PALCE20V8 is a registered, buried state pal
<Lord_Nightmare> ick
<Lord_Nightmare> those will be a pain to reverse engineer
<Lord_Nightmare> i'm hoping they left the security fuses unblown
<Lord_Nightmare> that's the ROM from mine
<Lord_Nightmare> i'd be very very surprised (but happy) if brandon's card has a different ROM rev
<Foone> yeah, that'd be interesting to see
<Lord_Nightmare> the ROM claims "Action Replay v1.3 installed" inside
<Lord_Nightmare> so there's clearly a bunch more revisions of this
<Lord_Nightmare> LGR's video may even show that message, I haven't checked
<Foone> I'm hoping a lot of the PAL functionality will be easy to reverse engineer from looking at how the software + firmware works
<Foone> ahh, the rom starts with 55AA. yeah this is a straight up option rom. cool
<Foone> ahahaha
<Foone> it has the virus definitions IN THE ROM
<Lord_Nightmare> the pal stuff is probably mostly ISA glue, but there's also those two SRAMs (bankable? does this card use the 15-16mb memory hole for its ram?)
<Foone> because yeah, that's how you do anti-virus: YOU BURN THE DEFINITIONS INTO A ROM CHIP
<Foone> VIRUSES CHANGE REALLY SLOWLY, RIGHT?
<Lord_Nightmare> there's also that jumper bank, the manual probably explains what those do...
<Lord_Nightmare> and the dipswitches
<Lord_Nightmare> i assume the jumpers are to set an IRQ
<Foone> yeah.
<Foone> the dip switches are for the ROM address & IO port, the jumpers are for IRQ
<Foone> Brandon scanned his manual, so I've got that here.
<Lord_Nightmare> ya, its on the vcfed thread
<Lord_Nightmare> I fed everything there to archive.org
<Lord_Nightmare> and LGR also posted it all
<Lord_Nightmare> btw between the front label from brandon's unit (which has some tearing) and the one from krick's (which has scuffing in a different spot) you could make a vectorized version of the front label
<Lord_Nightmare> if you want i can scan the front and back labels right now
<Foone> one thing LGR didn't cover that I wonder about: what happens if you run 32bit DOS games?
<Lord_Nightmare> god knows
<Foone> that might be a good idea. I'm not great at graphical stuff but I'm sure someone else could look at that
<Lord_Nightmare> did datel make a parallel-port dongle game buster too? what does it do, use IEEE1284 DMA shenanigans?
<Foone> nah, that one is 100% software
<Foone> the parallel port dongle is for copy protection
<Lord_Nightmare> ah, so its a dongle dongle
<Lord_Nightmare> is it one of the old trivially crackable early HASP ones?
<Lord_Nightmare> some of the later parallel port dongles are quite nasty, using challenge response, multiple internal keys chosen by a hashed nonce, stuff like that
<Lord_Nightmare> but iirc the early ones were mostly security through stupidity
<Foone> no idea, it's not been reversed. it's rare and the software doesn't seem to work anyway
<Lord_Nightmare> i remember there being utilities which would 'duplicate' an early parport dongle and emulate it using a TSR
<Lord_Nightmare> for "legal reasons" you had to actually plug the dongle in first and it would "read out" and characterize it
<Lord_Nightmare> to some sort of file
<Foone> it looks like this PAL is 14 inputs, and 8 input/outputs. it looks like this pretty much is going to be static logic rather than any latches, so it may be possible to just desolder the chips (on the Krick card) and then just exercise them until we can work out the logic map
<Foone> I mean, in the worst possible case it has 2 million possible input states.
<Lord_Nightmare> i'm more concerned that a PALCE20V8 *CAN* have buried state, not that it *DOES*
<Lord_Nightmare> it could be something super subtle as copy protection
<Lord_Nightmare> which makes the system crash minutes or hours later
<Foone> yeah, it's possible. we'll see.
<Lord_Nightmare> it has 8 bits of internal state
<Lord_Nightmare> although the specific version used on the card is the AMD one
<Lord_Nightmare> AMD PALCE20V8Q
<Lord_Nightmare> 4 of them
<Lord_Nightmare> so a total of 32 bits of state
<Lord_Nightmare> and the worst part: because its a PALCE device, its NOT A FUSED DEVICE
<Lord_Nightmare> even if you decap it, its EEPROM cells inside
<Lord_Nightmare> you have to erase a security bit
<Lord_Nightmare> there's no fuses to see
<Lord_Nightmare> this also means in theory these parts have a finite life
<Lord_Nightmare> until the eeprom cells decay
<Lord_Nightmare> and they revert to their blank state
<Lord_Nightmare> if we're really lucky, they left the security bit unset, but given datel's use of a dongle later on, i don't have high hopes
<Foone> if the security bit is unset, I wonder if we can easily build or find a programmer for it. or maybe it's common enough that your EEPROM readers could read it?
<Lord_Nightmare> i assume the bp1600 i have will read them, if the security bit is unset (and the PLCC module for the bp1600 is behaving, which unfortunately it often is not)
<Lord_Nightmare> digshadow has another plcc module for his bp1610 (same model of module, its exchangable over the entire bp1xxx range)
<Lord_Nightmare> and that one works, afaik
<Lord_Nightmare> the one balrog and I have is kinda flaky
<Lord_Nightmare> I need to reflow everything on it
<Lord_Nightmare> Foone: btw i wonder if the ram on the card is for the tsr to load an expanded ROM into
<Lord_Nightmare> so maybe it really can load additional virus defs
<Foone> possibly!
<Lord_Nightmare> the ROM is stored in marked 'pages'
<Lord_Nightmare> so perhaps it can look for and use additional pages from ram if it finds them
<Lord_Nightmare> this does mean it won't do a full virus scan until you boot, load the tsr, then hit the reset button
<Lord_Nightmare> since there's no battery to back up the sram
<Foone> although here's the question: if it can run from SRAM... why does it have the ROM at all?
<Foone> why not ship it with just RAM and always load it from the TSR?
<Lord_Nightmare> initial load, i assume. it also may allow it to do some shenanigans involving resetting the cpu which it otherwise couldn't do reliably
<Foone> possibly, yeah. although really resetting the CPU shouldn't scramble the SRAM, unless it loses power during that time
<Lord_Nightmare> although fully resetting the cpu the bios ram test will destroy the contents of all the system ram, so it can't resume state like that...
<Lord_Nightmare> the card has a 6264 8K SRAM and a 628128 128kx8 sram
<Lord_Nightmare> i don't know which is used for what
<Lord_Nightmare> i'd almost think the larger one is for additional/replacement-from-tsr ROM since its the same size as the existing ROM
<Lord_Nightmare> and the 8k one is for settings/state?
<Lord_Nightmare> also maybe the ROM allows the card to work in a 'degraded mode' of some sort even without the tsr running
<Lord_Nightmare> since its loaded as a rom-bios extension
<Foone> maybe it needs rom because it wants to run before any DOS TSRs. it might want to save the state of interrupts before any other programs load
<Foone> but yeah. it'll be interesting to see what happens if you don't run the TSR and then press the button
<Lord_Nightmare> also a rom-bios antivirus is actually not a horrifically bad idea, though i think the most it can really reliably do is check the boot sector?
<Lord_Nightmare> and even that won't work if you have a weird disk controller like a scsi controller with its own ROM bios
<Lord_Nightmare> like adaptec cards
<Foone> I'm not sure it even does that. I think it only scans RAM
<Lord_Nightmare> here's a weird observation: the 628128 sram is capable of running in low power mode off a battery
<Lord_Nightmare> maybe the action replay card really did originally intend to come with a battery
<Lord_Nightmare> and this is the L version
<Lord_Nightmare> so it should be capable of running off a battery in low power mode
<Foone> OK, so, reversing: Krick says their card is yours to do with whatever you want now, right? Are you OK with desoldering the PALs then, to reverse them?
<Lord_Nightmare> I would get balrog to do that, he's got a hot air station
<Lord_Nightmare> as for actually reversing the pals, the most I would do is try dumping them with the bp1600
<Lord_Nightmare> if they're protected, then that's above my pay grade :(
<Lord_Nightmare> since we'd need to identify based on the pcb what pins are inputs, outputs, or both
<Foone> okies. I'm willing to try rigging up a brute-force-and-ignorance device to just exercise all possible inputs
<Lord_Nightmare> then using that, make a truth table analyzer
<Lord_Nightmare> knowing the purpose of each pin would be very helpful too
<Lord_Nightmare> also if you're going to be reversing the whole card, we need to desolder everything on it anyway
<Lord_Nightmare> to redo the gerbers
<Foone> possibly. Tube Tube has done some good work with reversing these things from pictures
<Foone> there's not a lot of hidden traces on these so it probably wouldn't be too hard to figure out just from the soldered card
<Lord_Nightmare> one thing we might be able to do: datel.co.uk still exists. do you think THEY still have the gerbers/schematics/jed files for this?
<Lord_Nightmare> we know who worked on it from the credits in the ROM
<Lord_Nightmare> around 0x4f70
<Lord_Nightmare> if you play this right maybe datel is on board with making an official-remake run of these things, if enough people are interested
<Lord_Nightmare> the original card used tin edge fingers too (yuck), any remake card should use hard gold or at the very least ENIG
<Lord_Nightmare> though i've been told ENIG does wear through after a few dozen insertions
<Lord_Nightmare> but that might be someone exaggerating
<ZirconiumX> I think the main example of ENIG wear I've seen is a stylophone business card that had an ENIG keyboard
<ZirconiumX> You could see the scuff marks after not long at all
<Foone> the PCB manufacturer I usually use (jlcpcb) does offer gold fingers, so that'll definitely be an option
<andlabs> random question time
<andlabs> how many different attempts to replace the vgm file format have there been in the past 4 years?
<Foone> Lord_Nightmare: Do you think that can get done anytime soon? I'm working on getting more hot air tools for my own bench and I should be able to desolder and test them just fine soon, so if there's going to be a long delay before any of that can be tested, it may be faster just to ship the card to me to work on reversing
<Lord_Nightmare> i agree about shipping the card tbh
<Lord_Nightmare> although balrog does have his hot air station
<Lord_Nightmare> so i think it might make the most sense to desolder and try to dump the pals first, and regardless of if they're all protected or not, send everything on to you
<Foone> definitely! I just meant that if that was gonna take a year to get around to doing, it might be faster to skip it and ship it straight to me. that's a perfectly sensible idea, and will at least save me the trouble of desoldering them
<Lord_Nightmare> well, it sounds like you'll probably have to desolder everything else eventually too...
<Foone> I'm hoping to avoid that, but possibly.
<Foone> I'm just trying to make sure something happens with 'em while we've got momentum.
<Lord_Nightmare> ok
<Lord_Nightmare> balrog is busy but I think he's seeing what's happening on irc
<Foone> one thing I want to try is setting up the card and TSR and then writing a DOS program to read the card's memory space. that'll quickly see if they're in fact using the RAM instead of the ROM, assuming it's been changed
<Lord_Nightmare> that's a good idea
<Lord_Nightmare> before and after loading the tsr
<Lord_Nightmare> can you do that with brandon's card?
<Lord_Nightmare> since if we desolder the pals from this one, the card won't be directly usable
<Foone> yeah, I'm planning to do that with Brandon's once it arrives
<Lord_Nightmare> also his may have a different ROM rev from mine
<Lord_Nightmare> or maybe the ROM has a serial number in it
<Lord_Nightmare> which would be interesting
<Foone> definitely!
<Lord_Nightmare> i can't imagine there were that many of these cards made...
<Lord_Nightmare> which is why i'm wondering if it makes sense to contact the old programmers who used to work at datel and see if any of them have saved source/listings/etc from this
<Lord_Nightmare> it could save us a massive amount of time if someone has the .jed files for the 4 pals
<Foone> I'm reluctant to contact them unless we hit a wall with reverse engineering efforts. they're more likely to get lawyers involved than to help, in my experience
<Lord_Nightmare> ok
<Lord_Nightmare> a repro of this card would use one of those big CPLDs like on the MCA adlib clone anyway
<Foone> right
<Foone> I've no experience with those, I should probably grab one to play with when I can
<Lord_Nightmare> i'm wondering how this card works... is it doing something like bus-mastering DMA?
<Lord_Nightmare> to alter memory 'out from under' a running program?
<Lord_Nightmare> or is it hooking the timer int to call the card tsr/rom bios, which uses dma or plain old cpu to patch memory, then dump back to the timer handler?
<Lord_Nightmare> i have a feeling its not using dma, but i don't know. it could be?
<Foone> I think it's going to be very simple. I suspect it does something like look for RAM writes to special addresses, and when it sees one it triggers an interrupt, the TSR takes over and then does a write over that existing write
<Foone> so the PAL would just need to set up a way to trigger the interrupt based on the specific RAM getting written
<Lord_Nightmare> oh, so its a game-genie esque mid-instruction interrupt and replace? the pals can only hold 32 bits of state, so it could only be 1 address or so
<Lord_Nightmare> i figured it was more like the action replay steadfast of interrupting vblank and patching memory
<Lord_Nightmare> on pc, you have the timer int for that, since the vblank int on pc was erratically implemented if at all
<Lord_Nightmare> i would probably say most cards do NOT support it
<Foone> I'm just guessing, I haven't taken it apart yet. it wouldn't surprise me if most of the smarts is in the TSR, not the card
<Lord_Nightmare> the matrox millennium 2 card for instance doesn't support the vblank int but does support all the rest of the VGA spec, i think
<Lord_Nightmare> did ibm ever release a 'real' separate vga card, or was it always built into the motherboard on the later PS/2 machines and that was the 'reference' implementation?
<Foone> I'm not sure, that's a good question
<Lord_Nightmare> I know they made 8514/A ISA card
<Lord_Nightmare> but that's basically accelerated VGA
<Lord_Nightmare> not the same as basic vga
<Lord_Nightmare> http://minuszerodegrees.net/video/IBM%20PS2%20Display%20Adapter.jpg ... so maybe they DID make one?
<Foone> sure looks like it
<Lord_Nightmare> must be rare
<Lord_Nightmare> I know there was an IBM ISA 8514/A isa card which looks similar, I always thought that card was it though?
<Lord_Nightmare> also pcman on the action replay disk was written by simon p constable, who worked on the pc action replay itself too
<Lord_Nightmare> datel employee
<Foone> interesting
<Lord_Nightmare> brandon's card in lgr's video also calls itself 1.3, so now i'm 99% sure the roms will be the same, unless there's an embedded serial number
<balrog> I'm here now
<Foone> oh hi
<balrog> I did indeed have a busy day at work :/
<balrog> (still not over, LOL)
<balrog> Foone: do you follow MSFN's Win9x areas / did you see the thread about R.Loew?
<balrog> He passed away last year and his son has made a lot of his work (which used to cost money) free and source-available
<Lord_Nightmare> balrog: that got fed to IA?
<balrog> Yes
<Lord_Nightmare> ok
<balrog> it's being actively maintained/updated, though
<balrog> the code looks ugly, but apparently people have used it to make Win9x work on relatively modern PCs
<balrog> e.g. B350/B450 Ryzen
<Lord_Nightmare> Foone: the midi 2.0 spec is downloadable now
<Lord_Nightmare> reminds me of that usb-din5 monstrosity
<Sarayan> that bad?
<Sarayan> in a scale from pci-e to i2c, how bad is it?
<balrog> it's not USB, read the spec
<balrog> Lord_Nightmare: ^
<balrog> Foone: what are these PALs/PLDs that need dumping?
<balrog> Foone: also — it might be worth trawling eBay for an older parallel bpmicro programmer and PLCC module
<andlabs> does vgmrips have an IRC channel?
<cr1901_modern> I think it's ##vgmrips?
<Xyz_39808> it's on another network
<Xyz_39808> USCN network. I connect through irc.digibase.ca it's just single pound #vgmrips
<Xyz_39808> ...also accessible through the site at the bottom of the packs page or a button near the top of the forums
<cr1901_modern> ... what's this "another network" you speak of? :P
<Xyz_39808> I think I'm in the smallest number of channels on here. way more on esper or rizon
<cr1901_modern> I was on rizon recently to confirm Exiled Destiny bit the dust, but that's about it
<Xyz_39808> now the real question: how many _active_ channels
<cr1901_modern> Who's actively fansubbing nowadays?
<Xyz_39808> do vtubers count lol
<Foone> balrog: they're the ones on the Action Replay PC card, as seen in the latest LGR video. These: https://www.superfighter.com/temp/ARPC-PCB-front.jpg
<Foone> They're AMD PALCE20VQs, I believe
<Foone> AREPLAY.COM has "ERROR: Action Replay ram not switchable", which definitely does suggest they have some kind of code to swap the ROM & RAM