PAL Brute Forcing: Difference between revisions

From Proghq
Revision as of 02:36, 11 April 2021

Page on analyzing PAL devices by supplying a large number of test vectors. This may be extendable to other devices like GALs, but this type of analysis typically works best on very simple devices.

Data formats

.jed

  • Industry standard fuse format


BP Microsystems .bin

  • Presumably this is the JED fuses converted directly into a binary w/o metadata
  • Maybe like the MAME .bin w/o the small header?


MAME .bin

  • Custom format with a very small amount of metadata
  • Can be converted to .jed etc using tools included in MAME
  • TODO: add link


"EPROM" .bin

  • Output from techno-junk 27C020 adapter


.jl

  • Output from pal866


readpal

http://techno-junk.org/readpal.php


Summary:

  • An EPROM-like adapter to enable brute forcing using COTS programmers
  • Fast since it uses standard algorithms
  • Doesn't handle registers
  • Reference post-processing workflow


This approach does not work for the following devices:

  • All registered PAL devices (PAL16R4, PAL16R6, PAL16R8, etc.)
  • All GAL devices configured to be registered (GAL16V8, etc.)
  • PEEL devices (18CV8, etc.), which have a different architecture than PALs/GALs
  • Non-PAL or GAL devices (82S153, PLS153, etc.), which have a different architecture and pinout than PALs/GALs

http://techno-junk.org/readpal.php

  • https://github.com/pascalorama/paldumper
  • Eagle design files provided for EPROM adapter
  • Windows binary provided to analyze EPROM into equations


DuPAL

https://github.com/DuPAL-PAL-DUmper


Summary:

  • Hardware + software toolchain for copying PAL devices
  • As a standalone solution, the board is much more complex than readpal
  • More powerful than others?


pal866

https://github.com/JohnDMcMaster/pal866/


Summary:

  • FOSS tl866 software to read out PAL16 family devices
  • Registered PAL WIP
  • Doesn't require any adapters


ReGAL

https://github.com/psurply/ReGAL

Test vectors

"For combinatorial stuff, I use my Unisite to apply all possible combinations of inputs via JEDEC test vectors and then record the output. I then do a bit of processing and use espresso to create equations for the table. For registered stuff, I usually capture traces from the device in-circuit with a logic analyzer and then use that as a basis to write test vectors"
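The workflow quoted above (apply every input combination, record the outputs, hand the table to espresso), sketched as an added example that is not part of this wiki page or of any tool it links. It assumes an EPROM-style dump in which address bit i is PAL input i and data bit o is PAL output o; real adapters map pins differently, and the function names and sample bytes are constructed for illustration.

```python
"""Added example: turn a brute-forced combinatorial dump into an espresso PLA table."""


def output_support(dump, n_in, out_bit):
    """Return the input indices that output `out_bit` actually depends on.

    Input i matters if flipping address bit i changes the output for at
    least one address. Inputs outside the support are unused by that output.
    """
    return [
        i for i in range(n_in)
        if any(((dump[a] ^ dump[a ^ (1 << i)]) >> out_bit) & 1
               for a in range(1 << n_in))
    ]


def dump_to_pla(dump, n_in, n_out):
    """Render the full truth table in espresso's PLA input format."""
    if len(dump) != 1 << n_in:
        raise ValueError(f"expected {1 << n_in} bytes for {n_in} inputs, got {len(dump)}")
    lines = [
        f".i {n_in}",
        f".o {n_out}",
        ".ilb " + " ".join(f"A{i}" for i in range(n_in)),   # assumed input names
        ".ob " + " ".join(f"D{o}" for o in range(n_out)),   # assumed output names
        f".p {len(dump)}",
    ]
    for addr, byte in enumerate(dump):
        # Column order matches .ilb/.ob: A0 first, D0 first.
        ins = "".join(str((addr >> i) & 1) for i in range(n_in))
        outs = "".join(str((byte >> o) & 1) for o in range(n_out))
        lines.append(f"{ins} {outs}")
    lines.append(".e")
    return "\n".join(lines) + "\n"


# Constructed sample, not a real device dump: 3 inputs, 2 outputs,
# D0 = A0 AND A1, D1 = NOT A2.
SAMPLE = bytes([2, 2, 2, 3, 0, 0, 0, 1])

if __name__ == "__main__":
    print(dump_to_pla(SAMPLE, 3, 2), end="")
    for o in range(2):
        print(f"D{o} depends on inputs {output_support(SAMPLE, 3, o)}")
```

The printed table can be saved to a file and passed to espresso for minimization; the support list is a quick sanity check that each output only reacts to the inputs you expect before trusting the resulting equations.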