PAL Brute Forcing: Difference between revisions
No edit summary |
No edit summary |
||
Line 1: | Line 1: | ||
Page on analyzing PAL devices by supplying a large number of test vectors. This may be extendable to other devices like GALs, but this type of analysis typically works best on very simple devices. | Page on analyzing PAL devices by supplying a large number of test vectors. This may be extendable to other devices like GALs, but this type of analysis typically works best on very simple devices. | ||
== readpal == | ==Data formats== | ||
.jed | |||
* Industry standard fuse format | |||
BP Microsystems .bin | |||
* Presumably this is the JED fuses converted directly into a binary w/o metadata | |||
* Maybe like the MAME .bin w/o the small header? | |||
MAME .bin | |||
* Custom format with a very small amount of metadata | |||
* Can be converted to .jed etc using tools included in MAME | |||
* TODO: add link | |||
"EPROM" .bin | |||
* Output from techno-junk 27C020 adapter | |||
.jl | |||
* Output from pal866 | |||
<br /> | |||
==readpal== | |||
http://techno-junk.org/readpal.php | http://techno-junk.org/readpal.php | ||
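Review bot: The new Data formats section commits a placeholder as page content: the "TODO: add link" bullet under MAME .bin should either name and link the MAME conversion tool or be left out until the link is known. The format names (.jed, BP Microsystems .bin, MAME .bin, "EPROM" .bin, .jl) are also bare lines above their bullets, so nothing in the markup ties a name to its notes; definition-list markup (`;` for the name, `:` for each detail) would make the grouping explicit. The two BP Microsystems bullets are guesses ("Presumably", "Maybe") and should stay marked as unverified until someone checks a real file.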
Line 7: | Line 36: | ||
Summary: | Summary: | ||
* An EPROM like adapter to enable brute forcing using COTS programmers | *An EPROM like adapter to enable brute forcing using COTS programmers | ||
* Fast since it uses standard algorithms | *Fast since it uses standard algorithms | ||
* Doesn't handle registers | *Doesn't handle registers | ||
* Reference post processing workflow | *Reference post processing workflow | ||
<br /> | <br /> | ||
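Review bot: Every changed line in this hunk differs only in the space after `*`, the same kind of change as `== readpal ==` becoming `==readpal==` above, so the hunk is whitespace churn with no change to the text. Mixed into the same edit as the new Data formats section and saved with "No edit summary", it makes the one substantive change harder to find in the history. Suggest saving markup normalization separately from content edits, or at least saying so in the summary.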
Line 20: | Line 49: | ||
<nowiki>http://techno-junk.org/readpal.php</nowiki> | <nowiki>http://techno-junk.org/readpal.php</nowiki> | ||
* <nowiki>https://github.com/pascalorama/paldumper</nowiki> | *<nowiki>https://github.com/pascalorama/paldumper</nowiki> | ||
* Eagle design files provided for EPROM adapter | *Eagle design files provided for EPROM adapter | ||
* Windows binary provided to analyze EPROM into equations | *Windows binary provided to analyze EPROM into equations | ||
<br /> | <br /> | ||
== DuPAL == | ==DuPAL== | ||
https://github.com/DuPAL-PAL-DUmper | https://github.com/DuPAL-PAL-DUmper | ||
Line 32: | Line 61: | ||
Summary: | Summary: | ||
* Hardware + software toolchain for copying PAL devices | *Hardware + software toolchain for copying PAL devices | ||
* As a stand alone solution, board is much more complex than readpal | *As a stand alone solution, board is much more complex than readpal | ||
* More powerful than others? | *More powerful than others? | ||
<br /> | <br /> | ||
== pal866 == | ==pal866== | ||
https://github.com/JohnDMcMaster/pal866/ | https://github.com/JohnDMcMaster/pal866/ | ||
Line 44: | Line 73: | ||
Summary | Summary | ||
* FOSS tl866 software to read out PAL16 family devices | *FOSS tl866 software to read out PAL16 family devices | ||
* Registered PAL WIP | *Registered PAL WIP | ||
* Doesn't require any adapters | *Doesn't require any adapters | ||
<br /> | <br /> | ||
== Test vectors == | ==Test vectors== | ||
"For combinatorial stuff, I use my Unisite to apply all possible combinations of inputs via JEDEC test vectors and then record the output. I then do a bit of processing and use espresso to create equations for the table. For registered stuff, I usually capture traces from the device in-circuit with a logic analyzer and then use that as a basis to write test vectors" | "For combinatorial stuff, I use my Unisite to apply all possible combinations of inputs via JEDEC test vectors and then record the output. I then do a bit of processing and use espresso to create equations for the table. For registered stuff, I usually capture traces from the device in-circuit with a logic analyzer and then use that as a basis to write test vectors" |
Revision as of 02:01, 7 April 2021
Page on analyzing PAL devices by supplying a large number of test vectors. This may be extendable to other devices like GALs, but this type of analysis typically works best on very simple devices.
Data formats
.jed
- Industry standard fuse format
BP Microsystems .bin
- Presumably this is the JED fuses converted directly into a binary w/o metadata
- Maybe like the MAME .bin w/o the small header?
MAME .bin
- Custom format with a very small amount of metadata
- Can be converted to .jed etc using tools included in MAME
- TODO: add link
"EPROM" .bin
- Output from techno-junk 27C020 adapter
.jl
- Output from pal866
readpal
http://techno-junk.org/readpal.php
Summary:
- An EPROM like adapter to enable brute forcing using COTS programmers
- Fast since it uses standard algorithms
- Doesn't handle registers
- Reference post processing workflow
This approach does not work for the following devices:
- All registered PAL devices. (PAL16R4, PAL16R6, PAL16R8, etc.)
- All GAL devices configured to be registered. (GAL16V8, etc.)
- PEEL devices (18CV8, etc.) which have a different architecture than PALs/GALs.
- Non-PAL or GAL devices (82S153, PLS153, etc.) which have a different architecture and pinout than PALs/GALs.
http://techno-junk.org/readpal.php
- https://github.com/pascalorama/paldumper
- Eagle design files provided for EPROM adapter
- Windows binary provided to analyze EPROM into equations
DuPAL
https://github.com/DuPAL-PAL-DUmper
Summary:
- Hardware + software toolchain for copying PAL devices
- As a stand alone solution, board is much more complex than readpal
- More powerful than others?
pal866
https://github.com/JohnDMcMaster/pal866/
Summary
- FOSS tl866 software to read out PAL16 family devices
- Registered PAL WIP
- Doesn't require any adapters
Test vectors
"For combinatorial stuff, I use my Unisite to apply all possible combinations of inputs via JEDEC test vectors and then record the output. I then do a bit of processing and use espresso to create equations for the table. For registered stuff, I usually capture traces from the device in-circuit with a logic analyzer and then use that as a basis to write test vectors"
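The combinatorial workflow in the quote above (apply every input combination, record the outputs, hand the table to espresso) can be sketched as follows. This is an added example, not code from this page or from readpal, DuPAL or pal866. It assumes a dump in which the byte at address A holds the outputs seen with inputs A, with address bit k as input k and data bit k as output k; a real adapter's pin mapping will differ, and the sample data is constructed.

```python
# Added example: brute-force dump -> espresso truth table.
# Assumed layout (not any adapter's documented pin map): the byte at address A
# holds the outputs seen with inputs A; address bit k = input k, data bit k = output k.

def input_support(dump, n_in, out_bit):
    """Inputs that change output `out_bit` for at least one input combination."""
    support = []
    for k in range(n_in):
        flip = 1 << k
        if any(((dump[a] ^ dump[a ^ flip]) >> out_bit) & 1 for a in range(1 << n_in)):
            support.append(k)
    return support

def unstable_addresses(pass_a, pass_b):
    """Addresses whose outputs differ between two reads of the same device.
    Any hit means the outputs are not a pure function of the inputs
    (registers, latching feedback, floating pins), so the table is not trustworthy."""
    return [a for a, (x, y) in enumerate(zip(pass_a, pass_b)) if x != y]

def to_espresso(dump, n_in, n_out):
    """Render the full truth table in espresso's PLA input format."""
    if len(dump) != 1 << n_in:
        raise ValueError(f"expected {1 << n_in} bytes, got {len(dump)}")
    lines = [f".i {n_in}", f".o {n_out}",
             ".ilb " + " ".join(f"i{k}" for k in range(n_in)),
             ".ob " + " ".join(f"o{k}" for k in range(n_out))]
    for addr, data in enumerate(dump):
        ins = "".join(str((addr >> k) & 1) for k in range(n_in))
        outs = "".join(str((data >> k) & 1) for k in range(n_out))
        lines.append(f"{ins} {outs}")
    lines.append(".e")
    return "\n".join(lines) + "\n"

def constructed_dump():
    """Constructed sample standing in for a real read: o0 = !(i0 & i1), o1 = i2 ^ i3."""
    dump = bytearray()
    for a in range(16):
        i0, i1, i2, i3 = a & 1, (a >> 1) & 1, (a >> 2) & 1, (a >> 3) & 1
        dump.append((1 - (i0 & i1)) | ((i2 ^ i3) << 1))
    return bytes(dump)

if __name__ == "__main__":
    dump = constructed_dump()
    for bit in range(2):
        print(f"o{bit} depends on inputs {input_support(dump, 4, bit)}")
    print(to_espresso(dump, 4, 2), end="")
```

Comparing two reads with `unstable_addresses` before minimizing is a cheap way to catch the registered parts this method cannot handle; the support list shows which pins can be dropped from each output's table.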