reading "secure" GAL chips

I know they are almost a thing of the past but I wonder if there is any way to extract the code from a protected GAL IC (example: GAL16V8A) that has had its security bit set. I repair mostly old Commodore 8-bit computers. There are a lot of users of an after-market device called a RAMLink originally made by Creative Micro Designs (CMD is now out of business) back in the 1980s, and I was asked to repair a few of them. Turns out each one has four or five GALs and they all are copy protected, which makes repair of those orphan devices impossible unless I can find a way to extract the code from the chips in a working unit. Any hackers out there?

Ray

Ray Carlsen

There used to be a company in the US advertising in magazines and online (late 90s) that they could read GALs and PALs - they ran various algorithms to crack the code (for a fee). Lost sight of them ten or so years ago and haven't been able to track them down since.

There are articles on reading GALs that cover this problem; the issue appears to be that some GALs are far more difficult than others to read.

John :-#)#

--
    (Please post followups or tech enquiries to the newsgroup) 
  John's Jukes Ltd. 2343 Main St., Vancouver, BC, Canada V5T 3C9 
John Robertson

Good resource page:

formatting link

John :-#)#

--
    (Please post followups or tech enquiries to the newsgroup) 
  John's Jukes Ltd. 2343 Main St., Vancouver, BC, Canada V5T 3C9 
John Robertson

The amount of logic in the typical GAL is not very great. After figuring out which pins are inputs and outputs, and the clock (I think that will be a fixed assignment for most parts) you could probably hook them to a computer parallel port and write a program to go through a bunch of patterns. In most cases for glue logic on a CPU board, there is NOT going to be a whole lot of feedback or state machines in them. Mostly it would be expected to be D FFs and decode trees, and the logic should become clear quickly.

In other words, a brute-force attack on the logic function with no attempt to read back the program pattern.

Jon

Jon Elson

"Ray Carlsen" wrote in message news:wbqhs.12$ snipped-for-privacy@newsreading01.news.tds.net...

There was said to be software that presented a series of input signals to the PAL/GAL and searched for the fuse pattern rather than the logic. But I never found it. Of course, combinatorial can be found easily. A pre-NT/2000/XP machine with a parallel printer port (preferably EPP), a little hardware and some old-fashioned GWBASIC programming will do that job quite easily. But the moment there are state machines inside, you're out of luck. The only time I needed to reverse engineer a PAL like that, it was relatively easy to find out the function from the schematic. I suppose it is still the best thing to do. Of course, one can still go for the ultimate PAL cracker, but is it worth the time and the effort?

petrus bitbyter

petrus bitbyter
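
The pattern sweep Jon Elson describes, together with the state-machine caveat petrus bitbyter raises, as an added example that is not code from anyone in this thread. The two device models and all function names are constructed for illustration; on real hardware `read_outputs` would drive and sample the pins, which is not shown here.

```python
from itertools import product

def sweep(read_outputs, n_inputs, passes=2):
    """Drive every input pattern, alternating forward and reverse order.
    Returns (stable table, patterns whose response changed between passes)."""
    patterns = list(product((0, 1), repeat=n_inputs))
    seen = {}
    for p in range(passes):
        for pat in (patterns if p % 2 == 0 else patterns[::-1]):
            seen.setdefault(pat, set()).add(tuple(read_outputs(pat)))
    table = {k: next(iter(v)) for k, v in seen.items() if len(v) == 1}
    unstable = sorted(k for k, v in seen.items() if len(v) > 1)
    return table, unstable

def support(table, out, n_inputs):
    """Indices of inputs that change output `out` when flipped alone."""
    def flip(pat, i):
        return pat[:i] + (1 - pat[i],) + pat[i + 1:]
    return [i for i in range(n_inputs)
            if any(table.get(flip(p, i), o)[out] != o[out] for p, o in table.items())]

def low_terms(table, out, deps):
    """Patterns over `deps` only for which active-low output `out` is asserted."""
    return sorted({tuple(pat[i] for i in deps)
                   for pat, outs in table.items() if outs[out] == 0})

# Constructed stand-in for a decoder GAL: inputs (A15, A14, A13, RW),
# active-low outputs (/ROM, /IO).
def decoder(pat):
    a15, a14, a13, rw = pat
    return (int(not (a15 and a14 and rw)), int(not (a15 and not a14 and a13)))

# Constructed stand-in for a registered part: the output toggles on each
# rising edge of input 0, so it depends on history, not just on the pins.
def make_toggler():
    state = {"q": 0, "clk": 0}
    def read(pat):
        if pat[0] and not state["clk"]:
            state["q"] ^= 1
        state["clk"] = pat[0]
        return (state["q"],)
    return read

if __name__ == "__main__":
    table, _ = sweep(decoder, 4)
    for out, name in enumerate(("/ROM", "/IO")):
        deps = support(table, out, 4)
        print(name, "inputs", deps, "low for", low_terms(table, out, deps))
    print("toggler unstable:", sweep(make_toggler(), 2)[1])
```

Any pattern reported as unstable means the part holds state, and the table for its other patterns cannot be trusted as a complete description either.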

Some of the older devices could actually be unsecured and others had tricks to get past the security fuse. Then there is the brute force attack that others have mentioned. I have some old hardware that can do both. I would be willing to give it a go if you want. I prefer the analysis/brute force method because it poses no risk to the original device. All I would need is known good originals, and a weekend to pull out the old hardware and give it a go.

Jim

WangoTango
