I know they are almost a thing of the past but I wonder if there is
any way to extract the code from a protected GAL IC (example: GAL16V8A)
that has had its security bit set.
I repair mostly old Commodore 8 bit computers. There are a lot of
users of an after-market device called a RAMLink originally made by
Creative Micro Designs (CMD is now out of business) back in the 1980's,
and I was asked to repair a few of them. Turns out each one has four or
five GALs and they all are copy protected which makes repair of those
orphan devices impossible unless I can find a way to extract the code
from the chips in a working unit. Any hackers out there?

Ray

Ray Carlsen wrote:
I know they are almost a thing of the past but I wonder if there is
any way to extract the code from a protected GAL IC (example: GAL16V8A)
that has had its security bit set.
I repair mostly old Commodore 8 bit computers. There are a lot of
users of an after-market device called a RAMLink originally made by
Creative Micro Designs (CMD is now out of business) back in the 1980's,
and I was asked to repair a few of them. Turns out each one has four or
five GALs and they all are copy protected which makes repair of those
orphan devices impossible unless I can find a way to extract the code
from the chips in a working unit. Any hackers out there?

Ray

There used to be a company in the US advertising in magazines and online
(late 90s) that they could read GALs and PALs - they ran various
algorithms to crack the code (for a fee). Lost sight of them ten or so
years ago and haven't been able to track them down since.

There are articles on reading GALs that cover this problem, the issue
appears to be that some GALs are far more difficult than others to read.

John :-#)#

--
(Please post followups or tech enquiries to the newsgroup)
John's Jukes Ltd. 2343 Main St., Vancouver, BC, Canada V5T 3C9
Call (604)872-5757 or Fax 872-2010 (Pinballs, Jukes, Video Games)
www.flippers.com
"Old pinballers never die, they just flip out."

Ray Carlsen wrote:
I know they are almost a thing of the past but I wonder if there is
any way to extract the code from a protected GAL IC (example: GAL16V8A)
that has had its security bit set.
I repair mostly old Commodore 8 bit computers. There are a lot of
users of an after-market device called a RAMLink originally made by
Creative Micro Designs (CMD is now out of business) back in the 1980's,
and I was asked to repair a few of them. Turns out each one has four or
five GALs and they all are copy protected which makes repair of those
orphan devices impossible unless I can find a way to extract the code
from the chips in a working unit. Any hackers out there?

Ray

Good resource page:

http://www.edaboard.com/thread220871.html

John :-#)#

--
(Please post followups or tech enquiries to the newsgroup)
John's Jukes Ltd. 2343 Main St., Vancouver, BC, Canada V5T 3C9
Call (604)872-5757 or Fax 872-2010 (Pinballs, Jukes, Video Games)
www.flippers.com
"Old pinballers never die, they just flip out."

Ray Carlsen wrote:

I know they are almost a thing of the past but I wonder if there is
any way to extract the code from a protected GAL IC (example: GAL16V8A)
that has had its security bit set.
I repair mostly old Commodore 8 bit computers. There are a lot of
users of an after-market device called a RAMLink originally made by
Creative Micro Designs (CMD is now out of business) back in the 1980's,
and I was asked to repair a few of them. Turns out each one has four or
five GALs and they all are copy protected which makes repair of those
orphan devices impossible unless I can find a way to extract the code
from the chips in a working unit. Any hackers out there?

Ray
The amount of logic in the typical GAL is not very great. After figuring
out which pins are inputs and outputs, and the clock (I think that will
be a fixed assignment for most parts) you could probably hook them to
a computer parallel port and write a program to go through a bunch of
patterns. In most cases for glue logic on a CPU board, there is NOT going
to be a whole lot of feedback or state machines in them. Mostly it would
be expected to be D FFs and decode trees, and the logic should become
clear quickly.

In other words, a brute-force attack on the logic function with no attempt
to read back the program pattern.

Jon

"Ray Carlsen" schreef in bericht
...
I know they are almost a thing of the past but I wonder if there is
any way to extract the code from a protected GAL IC (example: GAL16V8A)
that has had its security bit set.
I repair mostly old Commodore 8 bit computers. There are a lot of
users of an after-market device called a RAMLink originally made by
Creative Micro Designs (CMD is now out of business) back in the 1980's,
and I was asked to repair a few of them. Turns out each one has four or
five GALs and they all are copy protected which makes repair of those
orphan devices impossible unless I can find a way to extract the code
from the chips in a working unit. Any hackers out there?

Ray

It was told to be software that presented series of input signals to the
PAL/GAL that searched for the fuse pattern rather then the logic. But I
never found it. Off course, combinatorial can be found easily. A pre
NT/2000/XP machine with a parallel printerport - preferable EPP - , a little
hardware and some old fashioned GWBASIC programming will do that job quite
easily. But the moment there are state machines inside, you're out of luck.
The only time I needed to reverse engineer a PAL like that, it was
relatively easy to find out the function from the schematic. I suppose it is
still the best thing to do. Off course, one can still go for the ultimate
PAL cracker but is it worth the time and the effort?

petrus bitbyter

In article ,
says...
I know they are almost a thing of the past but I wonder if there is
any way to extract the code from a protected GAL IC (example: GAL16V8A)
that has had its security bit set.
I repair mostly old Commodore 8 bit computers. There are a lot of
users of an after-market device called a RAMLink originally made by
Creative Micro Designs (CMD is now out of business) back in the 1980's,
and I was asked to repair a few of them. Turns out each one has four or
five GALs and they all are copy protected which makes repair of those
orphan devices impossible unless I can find a way to extract the code
from the chips in a working unit. Any hackers out there?

Ray

Some of the older devices could actually be unsecured and others had
tricks to get past the security fuse. Then there is the brute force
attack that others have mentioned. I have some old hardware that can do
both. I would be willing to give it a go if you want. I prefer the
analysis/brute force method because it poses no risk to the original
device. All I would need is known good originals, and a weekend to pull
out the old hardware and give it a go.

Jim