Protected PAL/GAL reading

Status
Not open for further replies.
B

Bluenone

Newbie level 2
Joined
Dec 10, 2010
Messages
2
Helped
1
Reputation
2
Reaction score
1
Trophy points
1,283
Visit site
Activity points
1,348
I have some information about protected pal/gal reading and needs some help about registered pals/gals

If you have any comments about reading a protected and registered pals/gals please reply this thread


MY INFOMATION ABOUT THIS TOPIC:

There is a very clever guy about the protected GAL/PAL reading procedure. If you are still
interested about this you can look at this link

**broken link removed**


I built up this "PAL reader" and it is worked. But it only works for combinatorial PAL/GALs


This guy is still developing a reader for registered PALs and it is still in development.
You can look for it at this link **broken link removed** and search "New pal reader" phrase.

For people who has no idea about protected PAL/GAL reading


There are 2 kinds of protected PAL/GAL (The device is same. Programs on them have different structures)

1. Combinatorial

There are only logic functions on it and easy to clone. (The PAL Reader I mentioned above can
handle them with %100 success)

2. Registered:

There are logic functions plus flip flops on it and very hard to clone. This kind of
program is using a clock pulse (coming from for example 1.pin for PAL16R4.
Simply It has memory. The IC may have a complicated counter, memory decoder,
etc. on it and because of that they are very hard to clone.

But Charles is working on this hard process and he has some success on it. I'm nearly a fan
of him and looking his site everyday

My comment:

I've worked on protected PAsL/GALs for 1 year and investigated nearly 40 pieces PALs/GALs

1. 15 of them were combinatorial so I can easily clone it via the PALReader of charles

2. 25 of them were registered. I investigated 10 pieces in detail and I could only clone 3 of them
via below PCB investigation method. So I gave up to clone the registered PALs/GALs


Protected GAL/PAL investigation on PCB:

If the protected PAL/GAL is a registered program on it you have no way to clone it
with an automated process. You have only one way to understand what it does on the system.
Please see below

1. Use a multimeter and a led light to investigate the lines on PCB.

2. When you understand what it does on PCB ( May be after 1 week or later)
You can write an equivalent program using PALASM, ABEL, WINCUPL, OPAL programming
editors with your own knowledge about programming

3. Create a jedec file and reprogram it with a PAL programmer like elnec universal programmer.
 

Quite interesting. Some of this info could come in handy.

You mentioned you built the PAL/GAL Reader. How much testing have you done with it. How many different vendor's chips were successfully read?
 

Please do not think that I know everything about this subject. I'm stuck for REGISTERED ones and I need some help.


@Bigdogguru

I've tested nearly 40 PAL/GAL IC with this pal reader.

- 15 of them were succesfully read.
- 25 of them is registered. So I manually investigated the boards with a multimeter, osciloscope, logic analyser.
- I could only understand 3 of them and write the equivalent equations reprogramme the device.

Actually the wendor is not a determining factor for this ICs. Because for example GAL16V8 has identical or nearly same structure for all
vendors like Atmel, Lattice, ICT.

But as I said PAL Reader only works for combinatioanal, because of the nature of the programs on them.

MAIN PROBLEM IS REGISTERED PALs/GALs

I want to give some detailed information about registered types.

If you started to a reverse engineering process of a PAL/GAL IC you have to determine if it is a registered or combinational. To do that.

* Registered programs must use CLK pin as a clock input. (clock for flip-flops in GAL/PAL). So If you see a oscillator connected to this
CLK pin you may nearly be sure that the program on it is a registered one.

* Registered programs should enable the output pins. So If the output enable pin of the PAL/GAL (For example 11. pin of PAL16R8)
is connected to ground you may nearly be sure that the program on it is a registered one.

I want to give some clues to make a system for protected registered PAL/GAL readings.

Is it possible to just remove the security fuse via a software program ?

Forget to remove security fuse via a software program. It is impossible.

At the begining I thought that it can be. So I started to find a way to remove the security fuse. There is no program or a
documentation about where the addres of the security fuse, or about the programming structure of GALs/PALs.
But I found a home type GALBlast programmer on the internet. Link is here:
Welcome to GALBlast

The source codes of the GALBlast is available and I'm very excited when I see that. If you investigate the source codes you can see
the register addresses of the PAL/GAL on a PAL. I can only find the register addresses, detailed information about gal programming
in these source codes.

So I used GALBlast win32 source codes as a based for my purpose and started to make a program just remove the security fuse.
But I nearly try everything in deep but with no success. So I can say with my own experiments removing the security fuse via a
software is impossible

Is it possible to just remove the security fuse via some hardware tricks?

For PIC16C microchip IC there is a way to do that. Increasing/ Decrasing the programming voltage, supply voltage stultifies the PIC16C ,
so you can get the codes on it.

But no one suggests this kind of tricks for PALs/GALs except a german person. His nick is wiesel. He gives some clues on the
below link.

German_Site

The site is german so if you translate it to english and look for wiesel comments you can see that he suggest a kind of
delaying the programming voltage of the PALs so the PAL ignores the security fuse while you are reading it via a GAL/PAL programmer.

However; wiesel does not give details so this information is not handy. I asked him but there is no reply.
But you can still follow the thread. He may give some information hopefully


Is it possible to just remove the security fuse via a microscope technique ?

Yes it is possible. Some firms can remove the package of the IC and jumper the security fuse using an electron microscope.
But you have to find a trusty firm. Some guys gave a firm name ( www.mefas.com) on internet. But I called them they have no service for this purposes.


My comments about PAL Reader for REGISTERED types

* You have to make an electronic system that give all of the inputs to GAL/PAL and record the inputs/outputs in memory. After that
convert these input/output datas to pld equations via a converter software that you will write

* You should understand that the programs on GALs/PALs is based on a state machine. A state machine has state transitions.
If you built up a system to catch these state transitions than you can probably understand what it does.

* This system is like a custom design fast logic analyser with a recorder on it. It should try to catch the state transitions.

* I'm an advanced programmer but to built up this system discourage me. For me making the electronics is OK.
But finding the state transitions is nearly impossible ( But charles says he has a solution) please see the link **broken link removed**


waiting for your replies
best regards
 
If refer to low complexity devices like 16V8, the limited number of internal states (in case of registered logic) should always allow to decode the implemented equations. If I understand right, the security fuse doesn't disable the register preload feature, which further eases a systematic analysis.
 

Re: Protected PAL/GAL readinggdf


could you please give details of pal reader for gal ics
 

Status
Not open for further replies.

Similar threads

Menu
Log in
Register
Cookies are required to use this site. You must accept them to continue using the site. Learn more…