PAL Brute Forcing: Difference between revisions

From Proghq
Jump to navigation Jump to search
 
(2 intermediate revisions by the same user not shown)
Line 57: Line 57:
==DuPAL==
==DuPAL==
https://github.com/DuPAL-PAL-DUmper
https://github.com/DuPAL-PAL-DUmper
[[DuPAL|Main page]]




Line 83: Line 85:


"Obviously, this method is limited to devices implementing combinational logic (PAL working in registered mode are out-of-scope for this proof-of-concept)."
"Obviously, this method is limited to devices implementing combinational logic (PAL working in registered mode are out-of-scope for this proof-of-concept)."
"The current implementation uses an arduino mega to drive the device under test. The setup required to perform the IO probing on the example defined above can be described as follow:"


==Test vectors==
==Test vectors==
"For combinatorial stuff, I use my Unisite to apply all possible combinations of inputs via JEDEC test vectors and then record the output. I then do a bit of processing and use espresso to create equations for the table. For registered stuff, I usually capture traces from the device in-circuit with a logic analyzer and then use that as a basis to write test vectors"
"For combinatorial stuff, I use my Unisite to apply all possible combinations of inputs via JEDEC test vectors and then record the output. I then do a bit of processing and use espresso to create equations for the table. For registered stuff, I usually capture traces from the device in-circuit with a logic analyzer and then use that as a basis to write test vectors"

Latest revision as of 05:39, 21 May 2022

Page on analyzing PAL devices by supplying a large number of test vectors. This may be extendable to other devices like GALs, but this type of analysis typically works best on very simple devices.

Data formats

.jed

  • Industry standard fuse format


BP Microsystems .bin

  • Presumably this is the JED fuses converted directly into a binary w/o metadata
  • Maybe like the MAME .bin w/o the small header?


MAME .bin

  • Custom format with a very small amount of metadata
  • Can be converted to .jed etc using tools included in MAME
  • TODO: add link


"EPROM" .bin

  • Output from techno-junk 27C020 adapter


.jl

  • Output from pal866


readpal

http://techno-junk.org/readpal.php


Summary:

  • An EPROM like adapter to enable brute forcing using COTS programmers
  • Fast since it uses standard algorithms
  • Doesn't handle registers
  • Reference post processing workflow


This approach does not work for the following devices:
All registered PAL devices. (PAL16R4, PAL16R6, PAL16R8, etc.)
All GAL devices configured to be registered. (GAL16V8, etc.)
PEEL devices (18CV8, etc.) which have a different architecture than PALs/GALs.
Non-PAL or GAL devices (82S153, PLS153, etc.) which have a different architecture and pinout than PALs/GALs.

http://techno-junk.org/readpal.php

  • https://github.com/pascalorama/paldumper
  • Eagle design files provided for EPROM adapter
  • Windows binary provided to analyze EPROM into equations


DuPAL

https://github.com/DuPAL-PAL-DUmper

Main page


Summary:

  • Hardware + software toolchain for copying PAL devices
  • As a stand alone solution, board is much more complex than readpal
  • More powerful than others?


pal866

https://github.com/JohnDMcMaster/pal866/


Summary

  • FOSS tl866 software to read out PAL16 family devices
  • Registered PAL WIP
  • Doesn't require any adapters


ReGAL

https://github.com/psurply/ReGAL

"Obviously, this method is limited to devices implementing combinational logic (PAL working in registered mode are out-of-scope for this proof-of-concept)."

"The current implementation uses an arduino mega to drive the device under test. The setup required to perform the IO probing on the example defined above can be described as follow:"

Test vectors

"For combinatorial stuff, I use my Unisite to apply all possible combinations of inputs via JEDEC test vectors and then record the output. I then do a bit of processing and use espresso to create equations for the table. For registered stuff, I usually capture traces from the device in-circuit with a logic analyzer and then use that as a basis to write test vectors"