DuPAL - A dedicated toolset for reverse engineering PAL/HAL SPLD's

Kai Robinson

Sep 2, 2021
If, like me, you're into the reverse engineering of stuff like the SPLD PAL/HAL chips used on early 68k Macs, you might be interested in this - DuPAL


It's not just software, it's also an open source hardware project you can build yourself. Once assembled, you put a PAL chip into the board, run the software, and essentially it should 'reverse' the chip functions for you.

It's been possible to reverse PALs previously, but generally only devices which are purely combinatorial in nature, not registered ones - DuPAL does all of these:

Combinatorial
  • PAL10L8
  • PAL16L8
  • PAL20L8
Registered
  • PAL16R4
  • PAL16R6
  • PAL16R8
  • PAL20R4
  • PAL20R6
  • PAL20R8
 

demik

Oct 11, 2021
I built one of these a while ago. It's not magical on complex PALs, like combinatorial ones with multiple feedbacks. But they do help.
Registered ones are better reversed using the DuPAL_Peeper tool than brute forcing with the DuPAL_Analyzer.

Good stuff!
 

Bolle

Nov 1, 2021
Just as the readme on GitHub says, this is by far not a tool to "dump" PALs at all.
It's more or less just a tool to assist manually rewriting equations to match existing PALs. (no need to say - it's great at that though)
So figuring out PALs using DuPAL still takes a lot of time, effort and knowledge about the circuit it's sitting in (#3 not necessarily needed but it helps A LOT if you at least roughly know what's going on).

Most of the time it's just like demik already said, it's the combinatorial PALs that are hard, not the registered ones. On a combinatorial PAL with feedbacks everything happens asynchronously... depending on how things are set up there will be states that happen so fast (at the speed of the propagation delay of the device) that you can't see them while probing the device. In some cases (more often than you think) this turns out to be important, for example when you're working with timing sensitive components... DRAM control is what comes to mind and where I have seen exactly this happening in multiple different devices.
A registered PAL has strictly defined states that you can easily clock through and take notes of the changes and write equations or build truth tables accordingly. This is actually much easier.
 
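Added example, not part of any post above and not DuPAL's own code: the "clock through, take notes, write equations" workflow for a registered PAL, sketched in Python. The record format (inputs, state before the clock edge, state after), the signal names EN/Q0/Q1 and the sample log are constructed for illustration; register outputs are assumed to be read active-high.

```python
from itertools import product

def build_table(observations, n_bits):
    """Fold (inputs, state, next_state) records, one per clock pulse, into a
    truth table keyed by inputs+state. Also report rows seen with two different
    results (hidden state or a probing error) and rows never observed."""
    table, conflicts = {}, set()
    for inputs, state, nxt in observations:
        key = tuple(inputs) + tuple(state)
        if table.setdefault(key, tuple(nxt)) != tuple(nxt):
            conflicts.add(key)
    missing = [k for k in product((0, 1), repeat=n_bits) if k not in table]
    return table, conflicts, missing

def merge(terms):
    """Repeatedly combine product terms that differ in exactly one literal
    (the Quine-McCluskey merging step); None marks a dropped variable."""
    terms = set(terms)
    while True:
        merged, used = set(), set()
        for a, b in product(terms, repeat=2):
            diff = [i for i in range(len(a)) if a[i] != b[i]]
            if len(diff) == 1 and a[diff[0]] is not None and b[diff[0]] is not None:
                merged.add(a[:diff[0]] + (None,) + a[diff[0] + 1:])
                used.update((a, b))
        if not merged:
            return terms
        terms = merged | (terms - used)

def equation(table, bit, names):
    """Sum-of-products for register `bit`; unobserved rows count as 0 here."""
    minterms = [k for k, nxt in table.items() if nxt[bit]]
    def fmt(term):
        return " & ".join(("" if v else "!") + n
                          for n, v in zip(names, term) if v is not None) or "1"
    return " | ".join(sorted(map(fmt, merge(minterms)))) or "0"

# Constructed sample log (not from a real chip): one input EN, registers Q0 and Q1.
SAMPLE = [((0,), (0, 0), (0, 0)), ((0,), (0, 1), (0, 1)), ((0,), (1, 0), (1, 0)),
          ((0,), (1, 1), (1, 1)), ((1,), (0, 0), (1, 0)), ((1,), (0, 1), (1, 1)),
          ((1,), (1, 0), (0, 1)), ((1,), (1, 1), (0, 0))]

if __name__ == "__main__":
    table, conflicts, missing = build_table(SAMPLE, 3)
    for bit, name in enumerate(("Q0", "Q1")):
        print(f"{name}.next = {equation(table, bit, ('EN', 'Q0', 'Q1'))}")
    print("conflicts:", conflicts, "missing:", missing)
```

A non-empty `conflicts` set means the same inputs and visible state produced two different results, so the notes do not capture all of the device's state; `missing` lists the rows that still need to be clocked through before the equations can be trusted.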