Electronics > FPGA
Reading the programming of PAL chips
brandon.arnold:
Hi all! I have a couple of old PAL chips from a board, of type PAL16L8. I guess they were the one-time programmable type, and I really have no idea which language or software was used to define the programming.
I do believe that I can put one of these chips in my chip reader (Xeltek Super Pro 610P) and read the PAL chip like a 27C020 EEPROM, as if the output wires are 8 bits of data and the input wires are 8 bit addresses.
Does anyone know if there is any method of making sense of this data dump, possibly generating a minimal PAL description for it? Perhaps there would be more than one viable PAL program for any dump, I don't know; this would just be to help me make sense of the PAL chip without having to analyze the address/data bytes by hand.
Thank you!
dietert1:
As far as i remember those PAL chips include registers, so there is (partially hidden) state inside that makes reengineering much more difficult. But there seem to be "brute force" type methods to extract the programming bits.
Another difficulty is deriving the meaning of it. Similar problem as deriving a high level language project from a MCU disassembly. If you can run the chips in their intended environment and analyze the function using a logic analyzer, this will help a lot.
Regards, Dieter
dorkshoei:
--- Quote from: dietert1 on January 25, 2024, 11:31:27 pm ---As far as i remember those PAL chips include registers, so there is (partially hidden) state inside
--- End quote ---
Indeed.
https://www.techtravels.org/2022/08/why-simply-dumping-a-pal-isnt-always-possible/
brandon.arnold:
Thanks for this valuable insight, @dietert1 and @dorkshoei!
That link is super helpful, and apparently there is a Windows utility that can convert the dump from a programmer from purely combinatorial PALs, into their original PAL equations. Sadly that .exe file isn't available at the link in his blog anymore, so I will need to ask around for that.
I also don't quite understand the type of security presented by the dreaded "fuse map." Is this a result of reading addresses of the PAL, that make the PAL itself unusable? Or is it something else, and I should not worry about bricking my PAL by simply reading it like an EEPROM?
Edit: I think it's just for reading the programming of the PAL, and I should not worry about breaking my PAL by reading it.
PCB.Wiz:
--- Quote from: brandon.arnold on January 25, 2024, 11:50:00 pm ---I also don't quite understand the type of security presented by the dreaded "fuse map." Is this a result of reading addresses of the PAL, that make the PAL itself unusable? Or is it something else, and I should not worry about bricking my PAL by simply reading it like an EEPROM?
Edit: I think it's just for reading the programming of the PAL, and I should not worry about breaking my PAL by reading it.
--- End quote ---
You are talking about two separate pathways.
Reading back the fuses, likely involves applying some higher voltage, and if they read back all 1's or 0's that part may be secured.
The 16L8 series have no registers, it is the 16Rx series that have flipflops.
You can use test vectors to scan the pins and read the outputs, but device programmers are really built to run expected results and pass/fail, not to scan unknown parts.
You could make an adaptor that does what you say, "read the PAL chip like a 27C020 EEPROM", but you need to map the PLD pins to a suitable memory.
Complicating things is that some IO might be used as inputs, so a circuit of the original unit helps here.
Another complication, is the design might create latches, which would be hard to detect from a linear, one pass scan of input pins.
If you do manage to get a (large) logical test table, some PLD tools can synthesise tables, so you might see if they can reduce a large table to a few equations.
Navigation
[0] Message Index
[#] Next page
Go to full version