How to hack the EP1K30TC144-3N ?

[Chriss]

Hi!
Here is my big question and much  bigger problem:
I got from a friend an old tool, some sort of a car diag tool with some measuring fdeature like scope, dmm...

The problem is, when I power on the tool, and try to enter to any function in the menu I get a textbox where I should enter some sort of password or so.

The code should be 10 digit long, which what you can enter by manipulating the four arrow keys.
Left, right, up, down and the Enter key approve the entered code.

So, now, nobody knows anymore what kind of code and what should be entered,
sins it was around 12-15 years ago when the tool was used.

My goal in this project would be to crack somehow the firmware or to figure out the code.

The unit is based on some sort of EP1K30TC144-3N PLD.
I don't have any tool to deal with it, but I also think if I would somehow manage to try to read the firmware that is not possible cos of some security reasons of the PLD...

My other option would be somehow to brute force attack the tool.
There is no restriction as far as I could investigate on how many times I entered the incorrect code.
To make some sort of electronic to enter the codes until it it the correct code and unlock the device.
For these scenario the problem is, how would the brute force electronic device know when the code was cracked?

Or maybe you have some better idea? or suggestion how to solve this, bring back to life this tool and have fun again after so many years?
I would like to hear about that.

Thank you very much for any kind of help.

My best regards.

[ale500]

Make some photos of the board(s), where the ICs a clearly visible. In that small FPGA they may have done some sort of soft processor, but I think it may contain a discrete one.

[Chriss]

Here is the whole board.
If needed I can upload more specific region of the board and maybe in a bit better quality...
Thanks for any help.

[ale500]

That TQFP100 chip is an H8S (H8/300H derivative) processor, very nice architecture kind of M68K. There is the software running, out of that intel Flash. A video controller chip, the Epson one, with dedicated memory, a nice board !. You may try to dump the flash and have some fun with an analyzer disassembler like ghydra or so.

[Chriss]

Thank you for this nice info.
I really appreciate that.

If I understand correctly the flash file is outside of the EP1K30TC144-3N?

I could maybe read the content with an external hardware like an eep/flash ic r/w?

Or is there something like a jtag option or so?

[ale500]

The micro has internal flash too:

https://www.renesas.com/eu/en/products/microcontrollers-microprocessors/h8s/h8s2300/h8s2329-h8s2328/device/HD64F2328BVF25V.html

To know how the FPGA is being configured, look at the datasheet, identify the pins for serial interface and see if a programming device, a prom or a flash are present there or maybe the H8S configures it, something that happens often in mixed systems.