[abc80] Super Smartaid Cartridge
H. Peter Anvin
hpa at zytor.com
Fre Apr 26 23:56:21 PDT 2019
On 4/26/19 10:50 PM, H. Peter Anvin wrote:
> On 4/24/19 12:01 PM, Anders Sandahl wrote:
>> For all curious people:
>> The 82s131 is dumped as well! It was a little project to unsolder the PROM
>> but everything went well. No smartaid was injured during the process!
> The 82S131 is definitely being used as an address decoder, and it looks
> like only half of it (256 words) is actually used. Without tracing the
> wiring it is probably hard to know what the various values mean, though.
> The data in the EPROMs makes no sense whatsoever. If I were to guess I
> would say that the data and/or address lines are connected in a
> nonstandard manner thus resulting in the dumped data getting scrambled.
> Just brute-forcing it would be ... difficult ... since there are 40,320
> ways to permute the data lines and 6,227,020,800 to permute the address
> lines on the 8K EPROM, for a total of 251,073,478,656,000 combinations.
> Since the data bus buffer sits on one side away from the rest of the
> logic, I'm going to bravely assume that they didn't put in any kind of
> intentional scrambling.
So I experimented with just permuting the data lines, hoping that the
address lines would be mapped normally. Furthermore, I was guessing that
the 3-byte pattern at the beginning of each file was a jump table, and
excluded any permutation where the first byte was not 0xc3 (JP). Then I
used "strings" to look for long ASCII strings. It worked for SSA2.BIN,
producing output that made sense:
[The "standard" mapping is named 76543210 here.]
==== 07534162.dec ====
SUPER SMARTAID Copyright OWOCO AB Ver.2MEMMAPSYSVARTIME DEVICEPROGVAR
The disassembly seemed to make sense as well; this ROM is almost
certainly mapped at 0x4000, which makes perfect sense since
0x4000-0x57ff is free (0x5800-0x5fff I believe is used by TKN80).
Unfortunately I did not have any such luck with SSA1.BIN. It is likely
that this ROM simply doesn't have any strings of sufficient length to
pick out in it.
That being said, it seems extremely likely that the data buses are
simply connected together, so a simple ohm meter should be able to
answer that question easily.
Scrambling the data lines like this is probably not about obfuscation as
much as board routing.
More information about the ABC80