MAMEWorld Forums - News - Dr. Decapitator Update: Double Dragon

> > > http://decap.mameworld.info/
> >
> > Nice one. It's good to know the bootleg MCU contained identical data.
>
> Wow. I'd like to know how THEY managed to read the data!

Dark secret about HD63701Y0 chips which Dr. Decap discovered by accident when probing before wiping the security bit:
This has not been proven to work but because the security bit glitched when Dr Decap was messing with it, it might really be feasible: Power the chip with 3.3v to VCC and VPP (and use 3.3v to drive the address lines) while hooking to the chip in the EPROM program/verify mode. The low voltage causes the protection bit to glitch and oscillate, allowing random bits of the ROM to be read out. Take about 50 of these readings and logical AND them all together and you should get the ROM contents, with no decapping at all.
Note this will only work on HD63701Y0 EPROM/OTPROM parts, not HD6301Y0 mask parts.

P.S. The HD63701Y0 datasheet says to program the same data twice to the part, from 0x0000-0x3fff and 0x4000-0x7fff. This is actually misleading: the real EPROM array lives at 0x0000-0x3fff (and appears at 0xc000-0xffff when chip is running), but writing ANYTHING (except for things with the low two bits set to 0bxxxxx10) to 0x4000 will set the security bit! Writing to 0x4001-0x7fff may or may not have any effect (and this area always reads as 0xFF), but 0x4000 definitely sets the security bit.

If the security bit is set, the part will read as all 0xFF *EXCEPT* for location 0x4000, which will read as 0xFD (or if the secondary security flag was not set, as 0xFC).
If the security bit is NOT set, 0x4000 will read as 0xFF, regardless of the secondary flag state.

LN