Programming (non-JTAG) MAX7000 devices


--- Quote from: GTT95 on June 23, 2022, 02:34:47 pm ---
--- Quote ---You entered the parallel programming mode of Altera
--- End quote ---

Does it mean to stay in serial JTAG based programming mode only /OE1 shall be put to 12V. Or is it specific to ATF150X devices?

--- End quote ---
MAX 7000AE/3000A/ATF1500 specific, these families are JTAG only.

I am the original starter of this thread.

To recap, I have a bunch of NON-JTAG EPM7032/EPM7064/EPM7128 devices, obtained when there was a lab clear out of non-ROHS devices.

I have used GALs in a number of recent projects for which I have had PCBs made, and it would be nice to use these CPLDs in future projects. However I do not have a programmer for the MAX7000 devices.

I mentioned that the ALL03 programmer has been reverse engineered and information is available on the "benoit" website. I am able to run the programming software for the ALL03 in DOSBOX. The programs are DOS EXE files and use character graphics, as was common in the late 80's and 90's. Each device type has its own EXE. There are several EXEs to support the Altera CPLD parts.

Last year I worked on an 8088 based IBM PC XT clone PCB/project. I needed a BIOS and found a disassembly of the Tandy1000 BIOS on GitHub. The author used a tool called "IDA Pro" to do the disassembly. It is an intelligent disassembler. There is a free version of this tool available for download. I downloaded and "had a play". As usual there's a learning curve.

Just recently I had the idea to re-visit the MAX7000 project with the idea of looking at the EXE code, to see if the programming algorithm could be determined.

I made a false start by using the wrong EXE! I started with the EXE which allowed the ALL03 programmer to program the EPM7064/96/128. Nevertheless it was a useful introduction to IDA Pro (Free). The biggest frustration is forgetting to click to select the current line of disassembly before assigning a label. Firstly the EXE is compressed using PKLITE, so I had to find a tool to remove this compression. Having done this the new EXE loads into IDA Pro and the tool does lots of work with no input needed. At the end of the file you can find lots of text strings. Some decompiled as strings, and others which are a list of bytes (not yet referenced by the code). It is also possible to search and find the I/O out and in instructions. I spent quite a few hours over the course of a week playing with the tool and adding labels and defining data types. I started to see code (C switch?) which used the selected device type and jumped to different code depending upon the device selected in the simple GUI. Then the penny dropped, I was looking at the wrong EXE.

So I found the EXE which programmed the ALL03 for the EPM7032 only, and I started a new IDA Pro project. I was able to make quick work thanks to the knowledge already gained.  I now started to see where the strings seen in the data section of the EXE were referenced, so the subroutine call could be assigned a readable name. I didn't understand what all the parameters do, but that is not necessary. This helped figure out where other stuff was. I then found the code for the main menu. When running the code (in DOSBOX) a single character selects an action. I found the jump table which mapped character pressed to subroutine. Interestingly some characters vector off, but they are not seen in the GUI on-screen. I don't know what they do, but at the moment this is not of interest.

I also downloaded the "debug" version of DOSBOX. This version of the code allows writing a trace file, which shows disassembly of the instructions as they are executed and gives a register dump. I was able to use grep and vim to process this file to extract all the I/O instructions, where the code speaks to the two ports on the PC ISA card. This gives a pretty clear picture on how the hardware is sequenced. Again thanks to the "benoit" website, the mapping of ALL03 pins (there are 40) to the pins of the EPM7032 is known.

When I run the EXE I get the message "Error Identification on hardware". Thanks to having schematics of the PC ISA card, and some example C source code (which allows users to write their own driver software), I realised this came from checking the magic counter in the PALs on the ISA card. IDK but perhaps it is a simple form of copy protection? I was able to find the code and hack it to return a "pass" result.

When I run the EXE and now get into the GUI and select the ERASE operation, I get the error message "ID code ERROR !". This string appears several times, but I was able to find it in code related to the 'E' (ERASE) command. After quite some effort I found the function which returned a Boolean false and triggered the message. I hacked the code to fix this too. When the code was run again, the programming software did "more stuff", so having the fail result, due to no real device in a socket, gives an incomplete DOSBOX trace file. I figured out that the first thing that the programmer does is try to determine if there is an ALTERA device in the socket. It does this by applying a stimulus, grabbing the resulting 160 bits, "fiddling" with them in some way, then comparing the resulting 9 bytes to an array of 10 strings, the first of which is "ALTERA92". If no string match is found the "ID code ERROR !" string is the result. By now I think(!) that I know how to stimulate the EPM7032 part in order to get the identification string response. Now over to my hardware to see what happens in practice.

If you have no familiarity with the ALL03 programmer, this will make no sense  ;D

BTW there are currently a couple of ALL03 programmers for sale on Ebay US, both around $500. If I lived in the US I would probably just bid on one of these and save a lot of my time!

And for those interested in the EPM7032 and how the device identification string is "accessed", please read on.

The device VCC is powered to 5V. The NTPW pin is set to '1'. I'm unsure if it needs to already be '1' during power up, but the programmer sets it first before enabling VCC.
Vpp is ramped to 12V. I am pretty sure that this puts the device into test (or programming) mode where the user settings are switched off and various pins are put into input or output mode for programming purposes.
The 7 "ADDR" pins are forced with the value "0x7C". I have no idea why, or what these pins do, but I guess that the address selects different blocks of EEPROM.
Then 80 bits are shifted into SDINA and SDINB (the same data) using SCK (SCK is normally used for the name of a shift clock). The data shifted in is "00001" repeated 16 times.
Next data is shifted out using SK in blocks of 16 bits. The data on SCOA and SCOB is captured. I believe that this data stream should contain the device identifier (ALTERA92) coded in some way.
After each 16 bit clock SCK is clocked.
There are 5 blocks of 16 so 80 x 2 = 160 bits are shifted out and captured.

So over to my hardware.

I recently made an EPM7032 PLCC to DIL breakout PCB. I now find that I got the pin out incorrect and the PCB is useless   |O

So back to the old hardware, which uses a hand wired perf board, a breadboard for two DACs (VCC and Vpp) and a MEGA 2560 for control.

So I modified the code to apply the newly determined sequence.

I power the device on, ramp Vpp, do the toggling of SCK and CK clocks and drive SDINA/B and then ramp down Vpp and power off. In the Arduino code I loop on this sequence in order to look at the signals using my Rigol scope. The good news is that there is genuine serial data, the bad news is that it is random for each read. I must be missing something which resets the sequence.

Some waveforms captured using the Rigol scope.

The good news is that I get a digital serial stream shifted out from SCOA and SCOB. SCOA is always zero, but SCOB waveform/data changed from run to run.



--- Quote from: abyrvalg on October 22, 2021, 01:41:25 pm ---migry, I've tried to disassemble the AMAX70.EXE a bit and have identified the erase function. I can see the 10 42 08 21 84 10 42 08 21 84 pattern matching your log, the ReadID function sends it and receives 5x16 bits back from the chip.

--- End quote ---

--- Quote from: migry on August 10, 2022, 02:17:58 pm ---Then 80 bits are shifted into SDINA and SDINB (the same data) using SCK (SCK is normally used for the name of a shift clock). The data shifted in is "00001" repeated 16 times.

--- End quote ---

which is it?
also have you compared to ATF1502 A1500.exe?
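
An added check, not part of any post in this thread: the byte pattern quoted from abyrvalg and the "00001" repeated 16 times quoted from migry, compared as 80-bit streams. The per-byte bit order is an assumption here, so both orders are tried; the function names are illustrative.

```python
"""Compare the two quoted descriptions of the ReadID stimulus as bit streams."""

# Byte pattern as quoted from abyrvalg's post.
PATTERN_BYTES = bytes.fromhex("10 42 08 21 84 10 42 08 21 84")
# Bit-level description as quoted from migry's post.
DESCRIBED_BITS = "00001" * 16


def to_bits(data: bytes, lsb_first: bool) -> str:
    """Serialise bytes to a '0'/'1' string in the given per-byte bit order."""
    out = []
    for b in data:
        bits = format(b, "08b")              # MSB-first text form of one byte
        out.append(bits[::-1] if lsb_first else bits)
    return "".join(out)


def smallest_period(bits: str) -> int:
    """Length of the shortest unit that repeats to produce the whole stream."""
    for p in range(1, len(bits) + 1):
        if len(bits) % p == 0 and bits[:p] * (len(bits) // p) == bits:
            return p
    return len(bits)


def compare() -> dict:
    """Expand the byte pattern in both bit orders and test it against the text."""
    result = {}
    for name, lsb in (("msb_first", False), ("lsb_first", True)):
        stream = to_bits(PATTERN_BYTES, lsb)
        result[name] = {
            "bits": stream,
            "period": smallest_period(stream),
            "matches_description": stream == DESCRIBED_BITS,
        }
    return result


if __name__ == "__main__":
    for order, info in compare().items():
        print(f"{order}: period={info['period']} "
              f"match={info['matches_description']}")
        print("  " + " ".join(info["bits"][i:i + 5] for i in range(0, 80, 5)))
```

Read least-significant bit first, the ten bytes expand to exactly "00001" sixteen times, so the two descriptions name the same 80-bit stream; which bit reaches the pin first is not settled by this comparison.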