Saving Nostalgia
Modding an old Z80 Computer
Graham Sutherland
Penetration Tester, Cisco/Portcullis
THIS TALK
- Background
- Reverse Engineering
- Approaches
- Design
- Fabrication
- Result
- Future
BACKGROUND
THE SUBJECT
VIDEO TIME
HISTORY [1/3]
-
1988
- I was born.
- VTech released the PreComputer range.
-
1994
- My parents bought me a PreComputer 1000.
- I pressed buttons at random (as kids do) and got stuck in "Computer Drill" mode (???)
- Read the manual.
- Learned BASIC!
-
1995 - 2013
- Education, etc.
- Taught myself programming & security stuff.
- Taught myself electronics (with help from my dad)
- My PreComputer 1000 was sold at some point :(
HISTORY [2/3]
-
2013
- Joined Portcullis Computer Security.
- First pentesting job, w00t!
- Getting into the demoscene.
-
2015
- Portcullis acquired by Cisco.
- I guess I work for Cisco now?
-
May 2016
- Random thought: "Remember that old thing?"
- Thought it'd be cool to write a demo on it.
- Got one on eBay for £20.
- Nostalgia!
- Oh yeah, no save function :(
- Kinda hard to write demos without storage...
HISTORY [3/3]
-
June - August 2016
- Learned about Z80 system architecture.
- Started designing a save mod.
- Multiple design iterations.
- Finalised board design, got them made.
- ... life stuff happened.
-
September 2016
- Oh s*#t I forgot 44CON is soon!
- Ordered the parts.
- Soldered it all together.
- ????????????
-
Today
- 44CON talk!
SIDE NOTE: DEMOSCENE
SIDE NOTE: DEMOSCENE
REVERSE ENGINEERING
THE PROCESS
- Take it apart
- Identify ICs & parts
- Find common circuitry
- Photographic overlays
- Follow traces, get circuit
THE TOOLS
- A camera
- Logical thinking
- Multimeter
- Oscilloscope
THE BOARD
IC #1
IC #2
IC #3
IC #4
TAKING STOCK
- Zilog Z84C00
- Z80 CPU
- Sharp LH5516
- RAM?
- "VTech" LH531606
- Probably Sharp (LH- prefix)
- ROM?
- Unknown brand, HEF4508BP
DATASHEETS
- Zilog Z80 (Z84C00)
- We know this one already.
-
Sharp LH5116
- CMOS 16K (2K x 8-bit) Static RAM
-
(Sharp?) LH531606
- No hits :(
-
Sharp LH5316
- LH5316P00B (not quite right)
- CMOS 16M (2M x 8) Mask ROM
- Still lets us know it's a mask ROM.
-
HEF4508BP
- Philips, Dual 4-bit latch
COMMON CIRCUITRY
RING OSCILLATOR
Image credit: Wikimedia, user Inductiveload
RING OSCILLATOR
Image credit: Wikimedia, user Inductiveload
5ns
5ns
5ns
f=\frac{1}{2 \times n \times t} = \frac{1}{2 \space \times \space 3 \space \times \space 5 \times 10^{-9}} = 33,333,333
OUr OSCILLATOR
- Ring Oscillator
- 7404 Hex Inverter IC
- Resistors & capacitors
- Increased delay
- Measured @ 2.0MHz
- Provides clock signal
EXTRACTING A DIAGRAM
- Photograph top side
- Photograph bottom side
- Normalise
- Overlay
- Enumerate pins
- Trace & map
BOARD OVERVIEW
GENERAL METHODOLOGY
- Take a known pin
- Map to other locations
- Use that information to identify other pins
- Trace those
- Confirm with measurements
- Repeat
CLOCK PIN TRACE
SIDE NOTE: DOING IT RIGHT
APPROACHES
SAVE APPROACHES
- Build replacement ROM
- Microcontroller-based ROM chip
- Modify existing code
- Save to EEPROM via "ROM"
- Man-in-the-middle the RAM
- Disconnect RAM from processor
- Connect RAM to microcontroller
- Dump or restore RAM
ROM
- Simple circuitry.
- Need to learn Z80 assembly.
- Need to discover how the ROM IC works.
- But potentially more seamless...
RAM
- More complicated circuitry.
- No need to learn Z80 assembly.
- RAM IC is known part.
- Z80 is synchronous, so we can just stop the clock and disconnect the RAM.
- Z80 also has shared memory bus support.
DESIGN
MAIN CHALLENGES
- Design
- Simplicity
- Debugging
- Part selection
- Cost
- Complexity
- Size
- Voltage
- Speed
- Board design
- Size
- EMI
- Decoupling
- Mechanical
ROUGH IDEA
- Mux/demux ICs for switching.
- Atmel uC for control.
- Clock provided by us.
- Monitor Z80's IO control lines
OR use WAIT/BUSRQ/BUSACK.
BOARD GOALS
- Place mux/demux under the RAM.
- Should be 50x50mm at most.
- 2-layer, standard thickness.
- 8 mil traces (6 mil at minimum)
- Routing same signals together.
- Using ground pours.
- Good decoupling cap placement.
- Power & switch indicators.
EARLY DESIGN
SECOND DESIGN
FInALISED SECOND DESIGN
S/SSOP/NSOIC/
(this was a pain)
VERSION 3 - TOP
VERSION 3 - BOTTOM
FABRICATION
PCB FABRICATION
- Elecrow (China)
- 2-layer, 1.6mm, 1oz/35um.
- 50x50mm max size.
- Costs more for bigger boards.
- 4-7 day lead time.
- Cost: $9.90 (!!!)
- 48h rush: +$16
- 24h rush: +$25
- Plus shipping costs.
PARTS
- Farnell UK.
- Huge part selection.
- Search system rocks.
- Datasheets!
- Very good prices.
- Free & fast shipping.
ASSEMBLY
- Manually soldered.
- Lots of flux.
- 60/40 SnPb solder.
- RoHS can suck it!
- Good soldering iron.
- Temperature controlled.
- Bevel tip.
- Small parts first.
- Flux holds parts in place.
- NSOIC is a pain!
- Fixing bridges with solder wick.
- Microscope is a life saver.
THE RESULT
THE RESULT
THE RESULT
THE RESULT
THE RESULT
DOES IT WORK?
:(
WHY?
- Transition time too long?
- Dead mux/demux ICs?
- Missing pullups/downs?
- Something else...
- I ran out of time :(
CURRENT STATE
FUTURE
LESSONS LEARNED
- Don't blindly trust the datasheets.
- Measure twice... thrice... uh, frice?
- Triple or quadruple your time estimate.
- Board re-spins take time.
- Rush jobs are expensive!
- Debugging is super important.
- Factor time into cost savings.
WHAT I'D DO DIFFERENTLY
- Make debugging easier!
- Debug headers.
- Test points.
- Dedicated test rig.
- More detailed part review.
- Better time estimates.
- Spend more, work less.