Tuesday, December 27, 2016

MCU decapping



A basically very interesting arcade system is Quizard from TAB Austria. This CD-i based quiz system uses a standard CD-i player and an external JAMMA PCB which is connected to the CD-i player over the serial port on the back of the player.
The JAMMA PCB has an MCU (D8751H) on it as copy protection, and when the game starts, the CD-i player communicates with the MCU over the serial port.

There are 4 different CD versions for the Quizard (1, 2, 3 and 4) and a couple of different revisions for each version. For example, version 1 has 8 different revisions (1.0 to 1.7).
To play a version you need the matching MCU for it! So to play any revision of version 1 you need an MCU for version 1. The same goes for versions 2, 3 and 4. So you cannot play a version 1 CD with the MCU from version 4...



As it's an Austrian system, and I'm Austrian too, I very soon got interested in finding some CDs for it and getting it included in MAME. Thanks to the help of harmony, it was also possible to play some of the games very shortly after! (http://harmoniouscode.blogspot.co.at/2010/10/quizard-22-patch-free.html)



harmony got versions 1 and 2 fully working by hacking/patching the copy protection, and without a dump of the MCU! Versions 3 and 4 are bootable, but crash after you press START.
So we thought that the copy protections of versions 3 and 4 are more complex and that the game needs some other values from the MCU to get it fully working...



6 years fast forward... CAPS0ff (Blog here) is doing fantastic work with decapping MCUs and other stuff! And I look at their blog nearly daily to see if new magic has happened!
But I was also fascinated by the work they have done with the D8751 MCUs, and how it was possible to de-secure the lock bit!
I got so fascinated that I had to try it myself, as I have a couple of D8751s for version 4 here. So basically no big deal if one gets broken.

I used the following equipment:
- Galep5 programmer (500eur)
- cheap digital microscope (200x zoom) (25eur)
- heat gun (30eur)
- cheap China EPROM UV eraser (15eur)

So basically cheap equipment... besides the programmer, but you can easily find cheaper ones which can also dump D8751s.

Here's the MCU before I started:


So I heated the top of the chip at about 330° for about 20 seconds, and used a flat screwdriver to remove the top of the chip:

Before I could erase the lock bit, I had to cover the EPROM part with something. I did not have professional UV-opaque material (like CAPS0ff), so I used electrical tape which I cut to the correct size. Thanks to the blog of CAPS0ff I basically knew where the lock bit is located...

So the chip was now ready for the UV eraser! 15 minutes later I tried dumping it and voila, I got consistent reads! --> And yes, the chip was locked before, only giving FFs when reading...
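A quick way to check what the post calls "consistent reads", as an added example that is not part of the original post: compare several raw dumps of the same D8751 EPROM, flag the all-0xFF pattern a still-locked part returns, list any offsets where the reads disagree, and build a majority-vote image. The sample reads are constructed in the script, not real Quizard data.

```python
"""Consistency checks for D8751 EPROM dumps (added example, not from the original post).
A locked part reads back as all 0xFF; once unlocked, repeated reads should agree
byte for byte.  The sample reads below are constructed, not real Quizard data."""
from collections import Counter

D8751_EPROM_SIZE = 4096  # the 8751H has 4 KB of on-chip EPROM


def looks_locked(dump: bytes) -> bool:
    """True if every byte is 0xFF, i.e. the read looks like a locked or blank part."""
    return len(dump) > 0 and all(b == 0xFF for b in dump)


def differing_offsets(dumps: list[bytes]) -> list[int]:
    """Offsets where at least two reads disagree (all reads must be equal length)."""
    if len({len(d) for d in dumps}) != 1:
        raise ValueError("all dumps must have the same length")
    return [i for i in range(len(dumps[0])) if len({d[i] for d in dumps}) > 1]


def majority_image(dumps: list[bytes]) -> bytes:
    """Per-byte majority vote; on a tie the earliest read wins (Counter keeps insertion order)."""
    return bytes(Counter(d[i] for d in dumps).most_common(1)[0][0]
                 for i in range(len(dumps[0])))


def check_dumps(dumps: list[bytes]) -> dict:
    """Summarise a set of reads: still locked, consistent, where they differ, consensus image."""
    bad = differing_offsets(dumps)
    return {"locked": all(looks_locked(d) for d in dumps),
            "consistent": not bad, "mismatches": bad, "image": majority_image(dumps)}


# Constructed sample data: a synthetic 4 KB image and three reads of it, the second
# read carrying one flipped bit at offset 0x123 (what a marginal cell would look like).
GOOD_IMAGE = bytes((i * 7 + 3) & 0xFF for i in range(D8751_EPROM_SIZE))
FLAKY_READ = bytearray(GOOD_IMAGE)
FLAKY_READ[0x123] ^= 0x10
SAMPLE_READS = [GOOD_IMAGE, bytes(FLAKY_READ), GOOD_IMAGE]
LOCKED_READS = [b"\xff" * D8751_EPROM_SIZE] * 3

if __name__ == "__main__":
    for name, reads in (("locked", LOCKED_READS), ("unlocked", SAMPLE_READS)):
        r = check_dumps(reads)
        print(f"{name}: locked={r['locked']} consistent={r['consistent']} "
              f"mismatches={[hex(o) for o in r['mismatches']]}")
```

With real dumps, read each file with `open(path, "rb").read()` and pass the list to `check_dumps`; a non-empty mismatch list means the part should be read again before the image is trusted.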

Let's hope this will get the games running in MAME! We will see soon!
For sure it's a good thing to have a dump of it, so basically now everyone can burn their own MCU for version 4!

This was a fun challenge and it proves that it's possible to do decaps with cheap materials and equipment! But please don't try this with EXPENSIVE and RARE games/chips!!! There's just too much risk of destroying them! Leave them to professionals like the guys from CAPS0ff....

Thanks again to CAPS0ff, who basically inspired me to do this!