Logic Analyzer + AI = ?

Trash80toG4

Active Tinkerer
Apr 1, 2022
1,069
309
83
Bermuda Triangle, NC USA
Wondering if anyone has seen AI used to crack protected programmable logic?

Target chip is the PLDC20G10 on my current obsession, the Radius FPD for Mac Plus.
https://media.digikey.com/pdf/Data Sheets/Cypress PDFs/PLDC20G10B, PLDC20G10.pdf

24pin DIP IC provides up to 22 inputs and 10 outputs. By running known combinations of its I/O lines and some functions of the device derived from the block diagram of the board, might AI beat the snot outta the thing and come up with a workable clone, if not an exact copy of the target chip?

Don't mean to have multiple threads running for that project, but this seems an interesting subject in and of itself?
 

Trash80toG4


(2024). Artificial intelligence (AI) and reverse engineering -THE BASICS.

reformatted for clarity_________________________________________________________________________

Understanding System Functionality: AI can analyse the behaviour of a system,
such as a software program or a physical device, to infer its internal workings.
This can be immensely helpful for engineers trying to reverse engineer complex systems,
allowing them to understand the relationships between different components
and how they interact.

AI algorithms can process vast amounts of data, like a program's input, output,
and internal states. By analysing these, AI can identify patterns and relationships
between different parts of the system. Imagine a program that takes numbers as input
and produces specific outputs.

AI can analyse these inputs and outputs to build a model of how the program transforms
the data internally. This model helps engineers understand how the program works
even without seeing its source code.

Decoding Encoded Data: AI can be used to crack codes and reverse engineer encryption
algorithms. This has applications in security, where it can be used to identify
vulnerabilities in encryption systems, and also in data recovery, where it can be used
to access lost data that has been encrypted.

AI excels at pattern recognition. It can be trained on massive datasets of encrypted
and unencrypted data. This training allows it to identify patterns in the encrypted data
that might correspond to specific coding schemes. By analysing these patterns,
AI can potentially crack the code and reveal the original data. This is similar
to how AI can recognize objects in images-by finding patterns that differentiate
a cat from a dog.

Identifying Design Patterns: By analysing a system's design, AI can identify
patterns that can reveal clues about how it was built and what its purpose is.
This can be a valuable asset in understanding the logic behind a system and
facilitating the process of recreating it.

AI can analyse the structure of a system, like the layout of a circuit board
or the organization of code. By comparing this structure to known design patterns,
AI can make educated guesses about how the system was built and what its purpose might be.
Imagine AI analysing a circuit board. By recognizing patterns of how components
are connected (known design patterns for certain functionalities), AI can infer
what function each part serves in the overall circuit.

Automating Recreation Tasks: Once a system has been reverse engineered,
AI can be used to automate the process of recreating it. This can involve tasks
such as generating code, designing new components, or even simulating the system's
behaviour. This can significantly speed up the reverse engineering process and
make it more efficient. Once AI understands a system, it can be used to automate
tasks involved in rebuilding it. In code generation, AI can analyse existing code
and use that knowledge to write new code with similar functionality.

For designing new components, AI can be trained on existing designs and use
that knowledge to create new components that fit the reverse-engineered system.
AI can even simulate the system's behaviour by creating a virtual model that mimics
how the original system works. In essence, AI acts as a powerful analyst in
the reverse engineering process. It can sift through complex data, identify
hidden patterns, and even help recreate the system based on its findings.
_______________________________________________________________________________________________

Drat the luck, my MD/PhD rug rat left his research lab position on Monday to go into industry. He might have been able to get this paper for me. :(

Anybody out there in a research organization in order to get the paper in .PDF?
 

Trash80toG4


Wondering if we can use AI to deduce and clone the operations of IWM? ITXPlus that @max1zzz is working on could really use a clone of that chip!
 

Elemenoh

Active Tinkerer
Oct 18, 2021
411
400
63
Bay Area
Interested to see where this goes. I've been using Claude to analyze schematics, then provide symptoms for it to troubleshoot down to the component. It's been very helpful so far.
 

Trash80toG4

Thank you! Finally a response! Started a parallel thread on MLA to get a discussion going.
Got a suggestion to use SCI-Hub to source paper, but for anything more recent than 2022 it suggests https://scinet.usda.gov/

Got links for Claude?
_________________________________________________________________________________________________

It's looking more and more like the function of any given Programmable Logic can be noodled out and reconstructed via AI. Reverse engineering an entire circuit board is mentioned. If I can get one of our PAL cracking/reverse engineering enthusiasts involved we might make some baby steps for taking this deeper into the bowels of the Mac's proprietary giblets?

@max1zzz will IWM fit in the socket for your workaround chip and read/write FDD? With the schematic and known function of the rest of the machine this might be an interesting exercise?
 

Elemenoh

For Claude I just use the regular app. You can upload a schematic into the conversation and then ask questions about it. For instance, I had a Lisa I had troubleshot down to a transistor on the analog video board, but I didn't quite understand why it resulted in the symptom it was experiencing. So I uploaded the video board drawing and a photo of the symptom on the screen. Then I asked it to analyze the circuit and help explain why that specific component caused that symptom. It was extremely helpful in better understanding how it all worked.

I know that's quite different from what you're talking about, but I'm definitely curious to follow the conversation to see how these tools might be helpful to figure out how to reverse things like PALs, FPGAs etc.

It also makes me think it could be helpful reversing the SIMCheck II I posted about a while back.
 

Elemenoh

I just fed in the data sheet for that PLD and asked Claude what it would need to reverse it. Here’s what it replied with:

Perfect! Thank you for sharing the datasheet for the PLDC20G10/PLDC20G10B. This is exactly what I needed to help reverse engineer this device.

Based on the documentation, I can now give you a comprehensive plan for reverse engineering this PLD (Programmable Logic Device):

## What the PLDC20G10 Is

The PLDC20G10 is a CMOS generic 24-pin reprogrammable logic device manufactured by Cypress Semiconductor. It's a sum-of-products (AND-OR) programmable logic device that uses EPROM technology for reprogrammability. It can be configured to replace various standard logic functions (20L10, 20L8, 20R8, etc.).

## Reverse Engineering Approach

Here's how we should approach this reverse engineering task using your logic analyzer:

1. **Physical Identification and Preparation**:
- Identify the pin configuration based on the package type (DIP-24, PLCC-28, etc.)
- Create a safe test setup with proper power supply (5V ±10%)
- Connect your logic analyzer to key pins

2. **Initial Analysis**:
- Power up the device and measure VCC (pin 24) and VSS (pin 12)
- Identify the clock signal (pin 1, labeled CP/I)
- Determine if pin 13 (I/OE) is being used for output enable

3. **Output Configuration Analysis**:
- The device has programmable output cells that can be:
  - Registered or combinatorial
  - Active HIGH or active LOW
  - Output enable from pin 13 or product term

4. **Logic Capture**:
- Use your logic analyzer to capture signals during operation
- Identify which I/O pins (pins 14-23) are being used as inputs or outputs
- Observe the relationship between inputs and outputs

5. **Timing Analysis**:
- Measure propagation delays (tPD = 15-40ns depending on model)
- Check clock-to-output timing (tCO = 10-25ns)
- Verify setup times (tS = 12-35ns)

6. **Logic Function Determination**:
- Map out the truth tables for each output
- Determine if registered or combinatorial mode is being used for each output
- Analyze product terms relationships

## Important Considerations

- The device uses EPROM cells that in unprogrammed state connect both true and complement of every input to the AND gates
- Each output has 8 product terms plus one OE product term
- The device can be in one of 8 different configurations based on three architecture bits (C2, C1, C0)
- The default state is registered/active/LOW/Pin 11 OE

If you're able to provide more details about the specific application or system this PLD is being used in, I can help tailor this approach further. Also, do you know which package type you're working with (DIP, PLCC, LCC)?
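
The "Logic Capture" and "Logic Function Determination" steps in the plan above, as an added example that is not part of the original thread: it rebuilds a per-output truth table from logic-analyzer samples and flags outputs that are not a pure function of the inputs. The sample format (one input word and one output word per stable reading), the function names and the 3-input, 2-output capture are constructed for illustration and are not taken from the Radius board.

```python
def support(table, n_in):
    """Input bits whose toggle changes the output for some observed pair."""
    return [b for b in range(n_in)
            if any(table.get(i ^ (1 << b), v) != v for i, v in table.items())]

def analyze(samples, n_in, n_out):
    """samples: (input_word, output_word) ints in capture order."""
    report = {}
    for bit in range(n_out):
        table, conflict = {}, False
        for inp, out in samples:
            val = (out >> bit) & 1
            if table.setdefault(inp, val) != val:
                conflict = True  # same inputs, different output: hidden state
        if conflict:
            report[bit] = {"kind": "registered-or-feedback"}
        else:
            report[bit] = {
                "kind": "combinatorial",
                "coverage": len(table) / 2 ** n_in,  # fraction of input space seen
                "support": support(table, n_in),
                "minterms": sorted(i for i, v in table.items() if v),
            }
    return report

def make_capture():
    """Constructed capture: 3 inputs swept up then down, 2 outputs.
    O0 = I0 AND NOT I1 (pure logic); O1 = register that toggles when I0 is high."""
    samples, q = [], 0
    for inp in list(range(8)) + list(range(7, -1, -1)):
        i0, i1 = inp & 1, (inp >> 1) & 1
        q ^= i0
        samples.append((inp, (q << 1) | (i0 & (i1 ^ 1))))
    return samples

if __name__ == "__main__":
    cap = make_capture()
    for bit, info in analyze(cap, 3, 2).items():
        print("O%d" % bit, info)
    # Pitfall: the upward sweep alone makes the register look like I0 XOR I1.
    print("first sweep only:", analyze(cap[:8], 3, 2)[1])
```

A single ordered sweep can make a registered output pass as plain logic, so inputs should be replayed in more than one order before a truth table is trusted, and any coverage below 1.0 means part of the function is still unobserved.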
 

Trash80toG4

WOW! Amazing results. Imagination is racing ATM! Hope these flights of fancy make some sense:

Cannot wait to ask Claude to design what he needs to use RPi/Arduino/whatever hardware and the PCB for it to run as an automated Logic Analyzer. It'd connect over USB in its reverse engineering process. Also to write the software he needs to do it from Chip Clip to cloning process. :D

@joethezombie or @Bolle can you read the GAL16V8 and three GAL20V8 chips involved?

If possible, then schematic development of the board would be the next step. Everything else on the board is standard 74 Series Logic, VRAM, ROM and the 68000. Giving Claude the formulas in the GALs and ROM contents should make it a light load for our friend?

If Claude can decode the driver, he can tell the 68000 to send whatever it wants to see coming up on the PLDC20G's Chip Clip.

What's most interesting to me will be if Claude can re-code that mess into doing "horizontal" scan lines and fudge all digital output frequencies to scale its native resolution to a 1280x1024 LCD over DVI-D?

So many silly notions to explore! 😛
 

Kai Robinson

TinkerDifferent Board President 2023
Staff member
Founder
Sep 2, 2021
1,220
1
1,212
113
42
Worthing, UK
For reverse engineering PLD chips, might be worth speaking to Porchy at Jammaarcade, he hosts the PLD archives and helped me reverse the GLU on the SE Reloaded board.