Reverse Engineering Unobtanium


If you listen to [Bil Herd] and the rest of the Commodore crew, you’ll quickly realize the folks behind Commodore were about 20 years ahead of their time, with their own chip foundries and vertical integration that would make the modern-day Apple jealous. One of the cool chips that came out of the MOS foundry was the 6500/1, used in the keyboard controller of the Amiga and the 1520 printer/plotter. Basically a microcontroller with a 6502 core, the 6500/1 has seen a lot of talk about dumping the contents of its ROM, which would yield all the code on the Amiga’s keyboard controller and the font for the 1520 plotter. There were ideas on how to get the contents of the ROM, but no one tried building a circuit.

[Jim Brain] looked over the discussions and recently gave it a try. He was completely successful, dumping the ROM of a 6500/1, and allowing for the preservation and analysis of the 1520 plotter, analysis of other devices controlled by a 6500/1, and the possibility of the creation of a drop-in replacement for the unobtanium 6500/1.

The datasheet for the 6500/1 has a few lines describing the test mode, where applying +10 VDC to the /RES line forces the machine to make memory fetches from the external pins. The only problem was, nobody knew how to make this work. Ideas were thrown around, but it wasn’t until [Jim Brain] pulled an ATMega32 off the top of his parts bin that anyone created a working circuit.

The code for the AVR puts the 6500/1 into its test mode and has it load a single memory location from ROM and store the data in PORTA, where the AVR reads it and prints it out over a serial connection to a computer. Repeat for every location in the 6500/1 ROM, and you have a firmware dump. This is probably the first time this code has been seen in 20 years.
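A dump read one byte at a time over serial is only worth preserving if every location was read and read consistently, so here is a host-side check, added as an example and not taken from [Jim Brain]'s AVR code or the original post. It assumes a 2 KiB ROM mapped at $0800-$0FFF on a 12-bit bus and a hypothetical `AAAA: DD` output line format; all function names and the sample data are constructed for illustration.

```python
import re
from collections import Counter

# Assumptions (not from the original post): 2 KiB ROM mapped at $0800-$0FFF,
# and a dumper that prints one "AAAA: DD" hex line per ROM location.
ROM_BASE, ROM_SIZE = 0x0800, 0x0800
LINE = re.compile(r"^([0-9A-Fa-f]{4}):\s*([0-9A-Fa-f]{2})\s*$")

def parse_pass(text):
    """Parse one serial capture into {address: byte}, skipping noise lines."""
    out = {}
    for m in filter(None, map(LINE.match, text.splitlines())):
        a = int(m.group(1), 16)
        if ROM_BASE <= a < ROM_BASE + ROM_SIZE:
            out[a] = int(m.group(2), 16)
    return out

def merge_passes(passes):
    """Majority-vote every address; report unread and disagreeing addresses."""
    image, missing, unstable = bytearray(ROM_SIZE), [], []
    for a in range(ROM_BASE, ROM_BASE + ROM_SIZE):
        seen = [p[a] for p in passes if a in p]
        if not seen:
            missing.append(a)
            continue
        value, votes = Counter(seen).most_common(1)[0]
        if votes != len(seen):
            unstable.append(a)
        image[a - ROM_BASE] = value
    return bytes(image), missing, unstable

def reset_vector_ok(image):
    """6502 reset vector (little-endian, 4 bytes from the top) must land in ROM."""
    target = ((image[-3] << 8) | image[-4]) & 0x0FFF  # 12-bit bus assumed
    return ROM_BASE <= target < ROM_BASE + ROM_SIZE

def constructed_capture(flip=None, drop=None):
    """Constructed sample data, not a real 6500/1 dump."""
    rom = bytearray((a * 7) & 0xFF for a in range(ROM_SIZE))
    rom[-4], rom[-3] = 0x00, 0x08            # reset vector -> $0800
    if flip is not None:
        rom[flip - ROM_BASE] ^= 0x01         # simulate one misread bit
    lines = [f"{ROM_BASE + i:04X}: {b:02X}" for i, b in enumerate(rom) if ROM_BASE + i != drop]
    return "6500/1 dump\n" + "\n".join(lines)

if __name__ == "__main__":
    caps = [constructed_capture(), constructed_capture(flip=0x0900), constructed_capture(drop=0x0A00)]
    image, missing, unstable = merge_passes([parse_pass(c) for c in caps])
    print(missing, [hex(a) for a in unstable], reset_vector_ok(image))
```

Any address reported as missing or unstable should be re-read from the chip before the image is archived or used as the basis for a replacement part.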

Now the race is on to create a drop-in replacement of what is basically a 6502-based microcontroller. That probably won’t be used for much outside of the classic and retro scene, but at least it would be a fun device to play around with.

Comments

  1. fartface says:

    Can’t you basically write an entire C64 in verilog?

    • F says:

      where do I punch in the elastic modulus of the springs in the keyboard switches?

      Does verilog accurately mimic the registration errors in the printing of the aluminum nameplate? Does it accurately place the double sided tape on the bottom of the nameplate? Does it accurately model the organic content of the soldering flux and its ability to attract insects?

      Tell us more about your “entire” C64

  2. sqelch says:

    This isn’t about C64. It is a method to dump code from a long-lost microcontroller.

  3. leadacid says:

    What makes this particular chip “unobtanium”? Are they slowly kicking the bucket or something?

    • Sebastian says:

      Well, you can’t buy them anywhere and you don’t have the code, so yeah, unobtanium. This kind of reverse engineering helps preserve those ancient chips and make it possible to replicate them using an FPGA/CPLD or maybe a modern day microcontroller.

    • SavannahLion says:

      All chips fail, it’s just a matter of when. RAM burns out, controllers stop working, ROMs encounter bit rot. A capacitor pops or a diode shorts and takes three or four chips with it. There’s a reason why mean time to failure is calculated.

      • FrankenPC says:

        Or just plain old oxidation creeping up the leads into the package.

      • Garth Wilson says:

        I have a lot of electronic equipment from the 1970’s and a little from the 60’s, and _none_ of the semiconductors have failed. Rubber parts in tape recorders and turntables rot, rechargeable batteries go bad, and switches get bad but can usually be brought back with contact cleaner. I can’t think of any capacitors I’ve had go bad in my own equipment, and the few that have gone bad in our products after 15 years are quite predictable, being the ones operated at a steady voltage with the least WVDC derating. The calculator I use every day (HP-41cx) was made almost 30 years ago; and it, along with all the modules and accessories, work fine, except an inkjet printer that seems to have bad contacts at the print head.

        • Erik Johnson says:

          If any of your equipment uses (early) SMT electrolytic caps, there is a good chance they are pissing all over the traces & surrounding components and dissolving them.

          • Garth Wilson says:

            The company I work for did not start using SMT until after 2006, for various reasons that may not apply to many other companies and types of products. We still use leaded solder, as the European market is more trouble than it’s worth.

  4. Totally OT: what’s the font used for the image in the post? I like it!

  5. F says:

    “the folks behind Commodore were about 20 years ahead of their time”

    yeah, today’s intel processors are laid out by hand by a single person with an xacto knife

  6. F says:

    We grant “copyright” to corporations EXPRESSLY so that they have an economic incentive to NOT allow their creations to BIT-ROT. Read our Constitution! Rights for individuals had to wait for amendments. But the preservation of knowledge was considered MORE important so it went in right away, before individual freedoms were added.

    It’s a freaking JOKE is what it is. We give corporations the right to engage in rent-seeking behavior, and we get NOTHING in return. We DO NOT get to enjoy the fruits of their government-subsidized profits. We get dead technology, forgotten work, and stories like this.

    • Jerry says:

      Technically chip designs don’t fall under copyright laws…and this particular chip predates the 1984 semiconductor chip protection act.

      The act also explicitly allows reverse engineering of a chip.

      But go ahead, let’s not let facts get in the way of your rant.

      • Me says:

        But they are dumping the code stored on the chip right? Isn’t code covered under copyright?

        • silverdrs says:

          They do. But there are a few things to be considered: Who would benefit from this NOT being done? The long non-existent corporation? Would someone buy the rights (from whom?) to produce a marketable product using that code? Even if the copyright returned to the actual authors, it’s been a breakthrough some good years ago when CBM employees who could theoretically be the owners of some firmware code – agreed that they won’t pursue any copyright ownership. Now – OTOH – who may benefit from this BEING actually done? Every owner of a retro-device, which doesn’t have much practical value but it would be nice to revive it? And without anyone selling appropriate parts ever again – it would not be possible? And every owner of such piece of hardware already OWNS the licence (he bought it with the hardware) but couldn’t do anything… So yes, they’re dumping the code. For a good cause and the potential users of this won’t be violating much if they already have devices, which need this code to operate.

          • F says:

            human knowledge in the end should be owned by humanity

            we stand on the shoulders of those who came before us

            the particulars are irrelevant, are we civilized romans, or do we fiddle while the library burns?

        • genki says:

          What would CBM do about the chip getting dumped? Rise from the grave and sue? All of the companies behind this chip have gone under and current corporation that took the old names like Commodore likely can’t do anything.

          It’s better to have it dumped and made available publicly than wait until copyright law expires and discover all of the electronics have degraded and nothing can be dumped. Even ROM chip will fail, the copper and some other metal never stops breaking down and eventually chip will have oxidized to the point it breaks connection between pins and the silicon wafer inside.

          • phuzz says:

            I now have a great image in my head of zombie corporations crawling out of the ground to protect their IP :)

      • F says:

        “The act also explicitly allow reverse engineering of a chip.”

        So I can reverse-engineer a flash chip with a copy of Windows on it and sell that? Really?

        Tell us more about how we can legally copy the firmware on a chip

  7. David says:

    Is there any better explanation of how the test mode works? The linked story didn’t quite get there.

    • silverdrs says:

      I am also not fully satisfied (as always – I am the author ;-) so if you think something can be written better – let me know. I understand it and can augment or rephrase whatever is needed. Actually the test mode is described “enough” in the data sheet.

      In short TEST mode is entered when the /RST line is driven up to 10V. In this mode, instead of fetching from internal memory, every data is fetched from one of the 8-bit ports. The trick is to make the “switch” from “normal” mode to “TEST” mode without sending the CPU to the woods.

  8. RocketGeek says:

    Anyone here know where to get pens for the Alps mech used in the C=1520, (also used in the Atari plotter/printer, and a CoCo plotter/printer, too.)?

  9. Galane says:

    So if it was so simple, why didn’t anyone just do this years ago?

  10. Nitish K.S. says:

    Brian (and others at HaD), when are you finally going to learn the difference between “it’s” and “its” ?
    It’s really annoying to see things like :
    … into it’s test mode
