2010-02-10

Reverse Engineering an EPROM emulator

While I'm waiting for the SolarLight PCBs to arrive, I went on to think about other projects...
I had an old EPROM emulator that I bought a long time ago on ePay. It is quite small and doesn't consume much power, but it works from the parallel port, and the old DOS software was reluctant to run even under WinXP.
I had to redo the parallel port interface board, as a soldered IC (74125) blew up when I powered the PC after the target board (note to self: power the PC first, then the target). It was quite simple to draw up the schematic and rebuild the circuit on a perfboard. When I tried the DOS software with my new board, everything worked, so I was sure that the schematic and hardware had been correctly reverse engineered.
Of the 5 signals coming out of the parallel port, Reset and Output Enable were easy to spot; the other three, I suspected, downloaded the data serially.


Reverse engineering the software, on the other hand, is far from trivial. I first tried my two-channel xscope, but since there are actually three important signals it was difficult to work out the sequence of events. Furthermore, there was a start sequence whose transitions were in the millisecond range and a program sequence where things happened in the microsecond range.
Then I remembered I had a PICkit 2, a tool I bought and used about two years ago for a short Microchip PIC project (and for re-learning, since when I first learned about PICs the 16C84 was the craze; it is obsolete today). The PICkit 2 was not only relatively cheap and able to program most devices, it also included a logic analyzer and a UART for remote debugging, all over a USB port. I must commend Microchip for this stroke of genius: a scope is an expensive tool, and adding this functionality to a device programmer is a much-needed help in many non-working projects.
I created a fixed Intel hex file with 3 bytes, 0x22, 0xAA, 0x44, then ran the program in DOSBox on Windows (using a parallel port access tool that bypasses Windows) and waited for the signals to come out on the other side. Sometimes it worked, sometimes it didn't, but I recorded the captures that did.

In the above waveform the real data download is pictured; in this particular case I shifted the data to position 0x0001. From here it was easier to identify the signals: the first is the clock, the second data and the third advance to the next memory address.
Then, to capture the initial reset sequence, I downloaded bigger programs, just to measure the timings of the sequence.

As you can see, the waveforms are very detailed, and although one cannot read signals above 500 kHz, chances are 99% of hobby projects will never need more than that.
The code will be published or given away as soon as I finish the other source file interpreters (S-Record, binary and hex); for now only Intel hex works. I will also try to clean up the code and have it hosted on Google Code or similar as soon as I understand properly how to use it. I'll try to host all the software produced under a single project, otherwise it is a waste of Google's space.
For people who still have a similar EPROM emulator: the name of the package was "MicroRom Eprom Emulator", produced or sold by "Squarewave Electronics". Here is a picture of my test bench: the EPROM emulator is the big fat thing on the left, the top LEDs are the data out, the lower green LEDs the four LSBits, the selector in the top right corner is a BCD selector and finally the yellow LED on its right is the reset signal.
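To make the two halves of the job above concrete (reading the Intel hex input, and decoding the clock / data / advance signals seen on the logic analyzer), here is an added example written for this post; it is not the original program and not the MicroRom software. It parses Intel hex records with checksum verification, then synthesizes a capture of the three download lines for the 0x22, 0xAA, 0x44 test image placed at address 0x0001, and decodes that capture back into bytes the way one would read the waveform by eye. The signal polarity (idle low, data latched on the clock rising edge), MSB-first bit order, sequential addressing from 0 and 0xFF fill for gaps are assumptions for the model, not facts from the post; the record strings are constructed.

```python
"""Intel HEX parser plus a model of the clock/data/advance download sequence.
Added example for this post; the emulator's real bit order and polarity are assumed."""

# Constructed input: 3 bytes 0x22, 0xAA, 0x44 at address 0x0001, then EOF record.
SAMPLE_HEX = ":0300010022AA44EC\n:00000001FF\n"


def parse_intel_hex(text):
    """Return {address: byte} from Intel HEX text, verifying each record checksum.
    Handles types 00 (data), 01 (EOF), 02 (extended segment), 04 (extended linear)."""
    image, base = {}, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: record does not start with ':'")
        rec = bytes.fromhex(line[1:])
        if len(rec) < 5 or len(rec) != rec[0] + 5:
            raise ValueError(f"line {lineno}: length field does not match record")
        if sum(rec) & 0xFF:  # all bytes incl. checksum must sum to 0 mod 256
            raise ValueError(f"line {lineno}: bad checksum")
        addr, rtype, payload = (rec[1] << 8) | rec[2], rec[3], rec[4:-1]
        if rtype == 0:
            for i, b in enumerate(payload):
                image[base + addr + i] = b
        elif rtype == 1:
            break
        elif rtype == 2:
            base = int.from_bytes(payload, "big") << 4
        elif rtype == 4:
            base = int.from_bytes(payload, "big") << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    return image


def make_trace(image):
    """Synthesize a logic-analyzer style capture: list of (clk, data, adv) samples.
    Assumptions: lines idle low, MSB first, data latched on clk rising edge, the
    emulator walks addresses sequentially from 0, unused addresses are sent as 0xFF."""
    samples = [(0, 0, 0)]
    last = max(image) if image else -1
    for addr in range(0, last + 1):
        byte = image.get(addr, 0xFF)  # assumed gap fill
        for i in range(7, -1, -1):
            bit = (byte >> i) & 1
            samples.append((0, bit, 0))  # set up data while clock low
            samples.append((1, bit, 0))  # clock high: bit is latched
            samples.append((0, bit, 0))  # clock back low
        samples.append((0, 0, 1))        # advance pulse: commit byte, next address
        samples.append((0, 0, 0))
    return samples


def decode_trace(samples):
    """Recover {address: byte} from a (clk, data, adv) capture: shift data in on
    each clk rising edge, commit the shift register on each adv rising edge."""
    image, addr, shreg, nbits = {}, 0, 0, 0
    prev_clk = prev_adv = 0
    for clk, data, adv in samples:
        if clk and not prev_clk:
            shreg, nbits = ((shreg << 1) | data) & 0xFF, nbits + 1
        if adv and not prev_adv:
            if nbits != 8:  # a partial byte means the capture is unusable
                raise ValueError(f"address {addr:#06x}: {nbits} clocks before advance")
            image[addr], addr, shreg, nbits = shreg, addr + 1, 0, 0
        prev_clk, prev_adv = clk, adv
    return image


if __name__ == "__main__":
    img = parse_intel_hex(SAMPLE_HEX)
    print({hex(a): hex(b) for a, b in img.items()})
    print({hex(a): hex(b) for a, b in decode_trace(make_trace(img)).items()})
```

Running it shows the parsed image, then the decoded image with address 0 filled with 0xFF (the assumed fill) followed by the three test bytes at 0x0001 to 0x0003; a record with a corrupted checksum or a capture with a missing clock pulse raises instead of silently producing wrong bytes.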

2 comments:

mjd said...

Very nice João!

Good that you have the pickit to use.

I've been in a situation where I had a dual channel scope, but had several digital lines I wanted to monitor. In this situation, I made a simple R-2R digital to analog converter, and generated an analog voltage from the digital lines I wanted to watch. You can easily watch 3 (or even four if your scope lets you do onscreen measurement) digital lines this way, although decoding the result can take some time. Still, when that's all you have....

João Silva said...

Thanks mjd,
I've done a project similar to the one you describe, many years ago at school. You have a DAC with 8 levels and you add the voltage of each of the channels; you shift through the channels fast enough and ta da, logic analyser.
Here the advantage of the pickit2 is to record waveforms of two very different time scales (ms, us). I wish Atmel had done it with their AVR-ISP!
Meanwhile, good luck with your Written Mandarin teaching aids...