Difference between revisions of "Amstrad Cartridge Identification Device"

From CPCWiki - THE Amstrad CPC encyclopedia!
Jump to: navigation, search
(The End of the Darkness : A New Hope)
(Added picture of the decapped ACID chip)
 
(34 intermediate revisions by 6 users not shown)
Line 1: Line 1:
 
[[Image:Inside GX4000 cart 1.jpg|frame|right|ACID protection chip within a cartridge (bottom)]]
 
[[Image:Inside GX4000 cart 1.jpg|frame|right|ACID protection chip within a cartridge (bottom)]]
  
The '''ACID''' ('''A'''mstrad '''C'''artridge '''I'''dentification '''D'''evice) protection chip is used in the [[GX4000 cartridge|cartridges]] of the [[Plus]] series and the [[GX4000]] game console.
+
The '''ACID''' (Amstrad Cartridge Identification Device) protection chip is used in the [[GX4000 cartridge|cartridges]] of the [[Plus]] series and the [[GX4000]] game console. After Nocash decrypted the internal algorithms it is possible to replace the protection chip with a complex programmable logic device (CPLD).
  
It is labelled with "Amstrad 40908".
 
  
Because this chip was a custom creation by Amstrad it is currently not possible to replace this chip nor to build new cartridges, because it is not known how it works.
+
== Technical ==
  
 +
The 16pin ACID chip (in the cartridge) is sending a serial data stream to the 160pin ASIC chip (in the computer). The data stream is generated by some shift/xor logic, and is also affected by the EPROM address/enable signals. If the data stream isn't correct, then the ASIC does scatter access to RAM, making the cartridge unusable.
  
==The End of the Darkness : A New Hope==
+
;ACID reverse-engineered 13-16 February 2010 by nocash (Martin Korth)
 +
;below is repeated on every CLK cycle...
 +
CmpVal=13596h, XorVal=0c820h
 +
if PinA0=1 then CmpVal=CmpVal XOR 0000ch, XorVal=XorVal XOR 00004h
 +
if PinA1=1 then CmpVal=CmpVal XOR 06000h, XorVal=XorVal XOR 06000h
 +
if PinA2=1 then CmpVal=CmpVal XOR 000c0h, XorVal=XorVal XOR 00080h
 +
if PinA3=1 then CmpVal=CmpVal XOR 00030h, XorVal=XorVal XOR 00020h
 +
if PinA4=1 then CmpVal=CmpVal XOR 18000h, XorVal=XorVal XOR 08000h
 +
if PinA5=1 then CmpVal=CmpVal XOR 00003h, XorVal=XorVal XOR 00000h
 +
if PinA6=1 then CmpVal=CmpVal XOR 00600h, XorVal=XorVal XOR 00000h
 +
if PinA7=1 then CmpVal=CmpVal XOR 01800h, XorVal=XorVal XOR 00800h
 +
if PinCE=0 AND (ShiftReg OR 100h)=CmpVal then ShiftReg=ShiftReg XOR XorVal
 +
NewBit=ShiftRegBit0 XOR ShiftRegBit9 XOR ShiftRegBit12 XOR ShiftRegBit16
 +
ShiftReg=(ShiftReg SHR 1) + (NewBit SHL 16)
 +
Wait for falling edge on PinCLK
 +
if PinCCLR=0 then ShiftReg=1FFFFh      ;\done at falling CLK edge
 +
PinSIN=ShiftRegBit0                    ;/
 +
;Mind that above is a software example - a hardware solution obviously
 +
;wouldn't require CmpVal and XorVal registers - instead, hardware would
 +
;directly deal with the PinAx (or NOT PinAx) signals.
  
 +
Replacing or overwriting the EPROM in existing cartridges is easy, so the ACID doesn't prevent piracy or homebrew programming. However, it prevents commercial developers from producing unlicensed cartridges.
  
''At first was the age of grim darkness, ignorance en despair.
+
== Timings ==
 
+
''For twenty years, the once glorious Amstradom struggled and was about to loose it to the might of the Commodore's legions and Nintendorks hordes, a fight It wouldn't win.''
+
 
+
''Remembering with Nostalgia old ages of glory, gay old time when the Amstradom was young and fool, as told by the Elders.
+
''
+
''Until one day the end of a Nightmarish Time was about to End as announced by an obscure and lost prophecy.''
+
 
+
 
+
''A Lone Man came to stand before the Foul Darkness of Ignorance.''
+
 
+
''"Give me two days, and I'll bring you the light, I'll bring you hopes, for it is our destiny to stand proudly and face bravely." he said to the massed crowd of the Amstradom
+
''
+
 
+
 
+
''The Amstrad Peoples frowned in horror and fear.''
+
 
+
''"Heresy, you know that None can stand before the ultime Might and Eldricht Arcane of the Mighty ACID, bringer of extinction, destroyer of the Worlds!" scanded the crowd in anger and fury.''
+
 
+
''"You fool, we are Doomed into Oblivion, the Commodore's Legions and Nintendo Hordes  shall rule us all..." cried others.''
+
 
+
''"Burn this Foul Heretic for giving us false hopes ! We must accept our fate as we always did !" a last man hystericaly screamed.''
+
 
+
 
+
''Then Fano the Wise accomplished his destiny and stepped one pace before the crowd.''
+
 
+
''"I believe in you, Lone man, accept my humble sacrifice" he said gently, a tear in the eye.''
+
 
+
''For era we will remember Him who who sacrified his beloved Cartridge for the cause.''
+
 
+
''
+
''Strenghtened by the Blood of the martyr, the Lone Man Hurled himself into the fray.
+
 
+
 
+
''Four days and Four nights, he fought.''
+
 
+
''The Battle was Epic, sounds of the bits tearing the sky, Heaven and Hell colour clashed in a furious destruction of blind madness.''
+
 
+
 
+
''Four days and Four nights, he Braved.
+
''
+
''So Grand was the cause and so inspiring was His Fight.''
+
 
+
''At first sceptic, the Amstradom were slowly gained to the Holy Cause of the Lone Man.''
+
 
+
''Fortified by the exemple of He who fought desperately yet with no hesitation, conscious that Grand Scheme was being at work.''
+
 
+
''Four days and Four night.''
+
 
+
''and then the Colour Clash ended.''
+
 
+
 
+
 
+
''The chanting cheerfull acclaims of Amstradom stand before the Lone Man.''
+
 
+
''Accompanied by colourfull sprites, smooth scrolling rolling as DMA channels rejoyced loudly, in a rainbow of four-thouzand-and-ninety-six Colours out of Space..''
+
 
+
''Victorious and Untainted.''
+
 
+
''He who defeated the Vile Beast.
+
''
+
 
+
''"Four Days" he said.''
+
 
+
''"Fours days and four nights, the Task was even greater than I could believe. How Fool was I... but I did overcame."
+
''
+
 
+
''And future generations in Amstradom would remember Him as the Saviour, the Messiah, the Bringer of Light against Darkness.''
+
 
+
''He who shown us the way.''
+
 
+
''And NoCa$h was his name, the man who degfeated the ACID chip.''
+
 
+
 
+
''Twenty years and Four days.''
+
 
+
''A new Era was to begin.
+
''''
+
 
+
==The beast unleashed==
+
 
+
ACID chip is soon to be beterly understand, and many stuff are to come.
+
 
+
  
 +
Although the functionatlity of the ACID chip is known. The timings of the signals coming from the computer is still unknown (reverse-engineering was done on a ACID chip, without owning a CPC+/GX4000).
 +
* CLK is known to be 4MHz, and SIN is known to be updated on falling edge of CLK, as seen on [[Media:ACID-SIN.jpg|this picture]].
 +
* Judging from the ACID chip, /CCLR is checked on falling edge of CLK. However, juding from [[Media:ACID-CCLR.png| this picture]], /CCLR is ''changing'' on falling edge of CLK. If this is true (the picture resolution isn't perfect), then it's unclear how the ACID can interprete /CCLR in a stable way while it's changing. Possibly, it can't do that at all (ie. it might act unstable, and the CPC+ might need to retry sending /CCLR several times).
 +
** '''WANTED:''' A picture showing CLK and /CCLR without ACID connected (at better resolution) would help!
 +
** A picture showing CLK and /CCLR with ACID connected is [[Media:ACID Init by Grim.png|found here]].
 +
* The /CE timing is still unknown, too. The ACID might check A0-A7 on raising or falling edge of /CE. Or, on raising or falling edge of CLK while /CE being LOW. Or at whatever other time.
 +
** '''WANTED:''' A picture showing CLK and /CE would help!
 +
** '''WANTED:''' Best also showing one or more of the A0-A7 signals.
  
 +
<gallery>
 +
Image:ACID Init by Grim.png|/RESET, CLK, CCLR, SIN (init sequence)
 +
Image:ACID-SIN.jpg|CLK and SIN
 +
Image:ACID-CCLR.png|CLK and CCLR (and some offtopic signals) (from CPC, without ACID connected)
 +
</gallery>
  
 
== Pinout ==
 
== Pinout ==
Line 101: Line 52:
 
<pre>
 
<pre>
 
           +--()--+
 
           +--()--+
       GND | 1 16| +5V
+
       GND |1   16| +5V     AMSTRAD 40908
       A7  | 2 15| A6
+
       A7  |2   15| A6       1L03P1003
       CLK4| 3 14| A5
+
       CLK4|3   14| A5       JAPAN
       NC  | 4 13| A4
+
       NC  |4   13| A4
       CCLR| 5 12| A3
+
       CCLR|5   12| A3
       SIN | 6 11| A2
+
       SIN |6   11| A2
       |CE | 7 10| A1
+
       /CE |7   10| A1
       GND | 8   9| A0
+
       GND |8   9| A0
 
           +------+
 
           +------+
 
</pre>
 
</pre>
Line 117: Line 68:
 
|1||GND||-||Ground
 
|1||GND||-||Ground
 
|-
 
|-
|2||A7||Input||Address A7
+
|2||A7||Input||EPROM Address A7
 
|-
 
|-
 
|3||CLK4||Input||Clock (4 MHz)
 
|3||CLK4||Input||Clock (4 MHz)
Line 123: Line 74:
 
|4||NC||-||Not connected
 
|4||NC||-||Not connected
 
|-
 
|-
|5||CCLR||?||?
+
|5||CCLR||Input||Reset ACID
 
|-
 
|-
|6||SIN||?||?
+
|6||SIN||Output||Serial Data
 
|-
 
|-
|7||/CE||Input||Chip enable
+
|7||/CE||Input||EPROM Chip enable
 
|-
 
|-
 
|8||GND||-||Ground
 
|8||GND||-||Ground
 
|-
 
|-
|9||A0||Input||Address A0
+
|9||A0||Input||EPROM Address A0
 
|-
 
|-
|10||A1||Input||Address A1
+
|10||A1||Input||EPROM Address A1
 
|-
 
|-
|11||A2||Input||Address A2
+
|11||A2||Input||EPROM Address A2
 
|-
 
|-
|12||A3||Input||Address A3
+
|12||A3||Input||EPROM Address A3
 
|-
 
|-
|13||A4||Input||Address A4
+
|13||A4||Input||EPROM Address A4
 
|-
 
|-
|14||A5||Input||Address A5
+
|14||A5||Input||EPROM Address A5
 
|-
 
|-
|15||A6||Input||Address A6
+
|15||A6||Input||EPROM Address A6
 
|-
 
|-
 
|16||+5V||-||Vcc
 
|16||+5V||-||Vcc
 
|}
 
|}
  
==Investigation==
+
Note: The two GND pins are interconnected with each other (inside of the chip). The NC pin seems to be always high.
 +
 
 +
== Clones ==
 +
 
 +
* An ACID replacement using a Xilinx XC9536 CPLD and some [[Verilog implementation of the ACID chip|Verilog code]] based on nocash's reverse engineering work has been built by [[Octoate]] and [[Nilquader]].
 +
* Miguel Angel (aka mcleod_ideafix) has published all the info about his implementation of the ACID in a CPLD, verilog sources included [http://www.zxprojects.com/index.php/analisis-del-chip-acid/62-analisis-del-chip-acid-del-amstrad-cpcgx4000]
 +
* It's possible to use the CPC+ without ACID by exploiting a timing bug in the CPC+/GX4000-ASIC Chip. (Developed by [[Nilquader]])
 +
<gallery caption="Running CPC+ without ACID">
 +
Image:NoAcid.jpg|GX4000 running without ACID
 +
Image:NoAcid_sch.png|Schematics
 +
</gallery>
 +
 
 +
== Pictures ==
 +
* ACID chip decapped. Many thanks to Sean Riddle!
 +
<gallery>
 +
Image:40908_Metal_Small.jpg
 +
</gallery>
 +
 
 +
== Misc ==
 +
 
 +
* [[Test Circuit used for ACID reverse engineering]]
 +
 
 +
==Investigations==
  
 
*http://amstradcpc.mforos.com/305097/7723493-que-hace-exactamente-el-chip-acid-de-los-cartuchos/ (Spanish language)
 
*http://amstradcpc.mforos.com/305097/7723493-que-hace-exactamente-el-chip-acid-de-los-cartuchos/ (Spanish language)
Line 154: Line 127:
 
*[http://www.vieuzordiland.fr/index.php?option=com_content&task=view&id=23&Itemid=34 Vieuxzordiland's page on the matter. In French]
 
*[http://www.vieuzordiland.fr/index.php?option=com_content&task=view&id=23&Itemid=34 Vieuxzordiland's page on the matter. In French]
  
*http://v3.espacenet.com/publicationDetails/biblio?CC=GB&NR=2243701A&KC=A&FT=D&date=19911106&DB=&locale= link to a patent rumoured to be ACID's patent.
+
*[http://cpcwiki.eu/forum/index.php/topic,410.0.html| The CPCwiki's forum thread featuring the Epic fight between the infamous ACID and NoCa$h.]
 +
 
 +
 
  
  
  
[[Category:Hardware]][[Category:Cartridges| ]][[Category:CPC Plus]][[Category:CPC Internal Components]][[Category:Amstrad Products]]
+
[[Category:Hardware]][[Category:Cartridges| ]][[Category:CPC Plus]][[Category:CPC Internal Components]][[Category:Amstrad Products]][[Category:Electronic Component]]

Latest revision as of 18:49, 18 November 2017

ACID protection chip within a cartridge (bottom)

The ACID (Amstrad Cartridge Identification Device) protection chip is used in the cartridges of the Plus series and the GX4000 game console. After Nocash decrypted the internal algorithms it is possible to replace the protection chip with a complex programmable logic device (CPLD).


Technical

The 16pin ACID chip (in the cartridge) is sending a serial data stream to the 160pin ASIC chip (in the computer). The data stream is generated by some shift/xor logic, and is also affected by the EPROM address/enable signals. If the data stream isn't correct, then the ASIC does scatter access to RAM, making the cartridge unusable.

;ACID reverse-engineered 13-16 February 2010 by nocash (Martin Korth)
;below is repeated on every CLK cycle...
CmpVal=13596h, XorVal=0c820h
if PinA0=1 then CmpVal=CmpVal XOR 0000ch, XorVal=XorVal XOR 00004h
if PinA1=1 then CmpVal=CmpVal XOR 06000h, XorVal=XorVal XOR 06000h
if PinA2=1 then CmpVal=CmpVal XOR 000c0h, XorVal=XorVal XOR 00080h
if PinA3=1 then CmpVal=CmpVal XOR 00030h, XorVal=XorVal XOR 00020h
if PinA4=1 then CmpVal=CmpVal XOR 18000h, XorVal=XorVal XOR 08000h
if PinA5=1 then CmpVal=CmpVal XOR 00003h, XorVal=XorVal XOR 00000h
if PinA6=1 then CmpVal=CmpVal XOR 00600h, XorVal=XorVal XOR 00000h
if PinA7=1 then CmpVal=CmpVal XOR 01800h, XorVal=XorVal XOR 00800h
if PinCE=0 AND (ShiftReg OR 100h)=CmpVal then ShiftReg=ShiftReg XOR XorVal
NewBit=ShiftRegBit0 XOR ShiftRegBit9 XOR ShiftRegBit12 XOR ShiftRegBit16
ShiftReg=(ShiftReg SHR 1) + (NewBit SHL 16)
Wait for falling edge on PinCLK
if PinCCLR=0 then ShiftReg=1FFFFh      ;\done at falling CLK edge
PinSIN=ShiftRegBit0                    ;/
;Mind that above is a software example - a hardware solution obviously
;wouldn't require CmpVal and XorVal registers - instead, hardware would
;directly deal with the PinAx (or NOT PinAx) signals.

Replacing or overwriting the EPROM in existing cartridges is easy, so the ACID doesn't prevent piracy or homebrew programming. However, it prevents commercial developers from producing unlicensed cartridges.

Timings

Although the functionatlity of the ACID chip is known. The timings of the signals coming from the computer is still unknown (reverse-engineering was done on a ACID chip, without owning a CPC+/GX4000).

  • CLK is known to be 4MHz, and SIN is known to be updated on falling edge of CLK, as seen on this picture.
  • Judging from the ACID chip, /CCLR is checked on falling edge of CLK. However, juding from this picture, /CCLR is changing on falling edge of CLK. If this is true (the picture resolution isn't perfect), then it's unclear how the ACID can interprete /CCLR in a stable way while it's changing. Possibly, it can't do that at all (ie. it might act unstable, and the CPC+ might need to retry sending /CCLR several times).
    • WANTED: A picture showing CLK and /CCLR without ACID connected (at better resolution) would help!
    • A picture showing CLK and /CCLR with ACID connected is found here.
  • The /CE timing is still unknown, too. The ACID might check A0-A7 on raising or falling edge of /CE. Or, on raising or falling edge of CLK while /CE being LOW. Or at whatever other time.
    • WANTED: A picture showing CLK and /CE would help!
    • WANTED: Best also showing one or more of the A0-A7 signals.

Pinout

           +--()--+
       GND |1   16| +5V      AMSTRAD 40908
       A7  |2   15| A6       1L03P1003
       CLK4|3   14| A5       JAPAN
       NC  |4   13| A4
       CCLR|5   12| A3
       SIN |6   11| A2
       /CE |7   10| A1
       GND |8    9| A0
           +------+
Pin number Name Direction Description
1 GND - Ground
2 A7 Input EPROM Address A7
3 CLK4 Input Clock (4 MHz)
4 NC - Not connected
5 CCLR Input Reset ACID
6 SIN Output Serial Data
7 /CE Input EPROM Chip enable
8 GND - Ground
9 A0 Input EPROM Address A0
10 A1 Input EPROM Address A1
11 A2 Input EPROM Address A2
12 A3 Input EPROM Address A3
13 A4 Input EPROM Address A4
14 A5 Input EPROM Address A5
15 A6 Input EPROM Address A6
16 +5V - Vcc

Note: The two GND pins are interconnected with each other (inside of the chip). The NC pin seems to be always high.

Clones

  • An ACID replacement using a Xilinx XC9536 CPLD and some Verilog code based on nocash's reverse engineering work has been built by Octoate and Nilquader.
  • Miguel Angel (aka mcleod_ideafix) has published all the info about his implementation of the ACID in a CPLD, verilog sources included [1]
  • It's possible to use the CPC+ without ACID by exploiting a timing bug in the CPC+/GX4000-ASIC Chip. (Developed by Nilquader)

Pictures

  • ACID chip decapped. Many thanks to Sean Riddle!

Misc

Investigations