Re: Gottlieb / Q*bert scripts for the 9010A/9100

From: Zonn <zonn_at_zonn.com>
Date: Wed May 08 2002 - 18:58:31 EDT

On Wed, 8 May 2002 22:50:54 +0100, "Phillip Eaton" <inbox@phillipeaton.com>
wrote:

>AFAIK, the signature that Rom Ident uses is a standard CRC-32 calculation,
>which is calculated in an identical way to CRC-16 and CCITT CRCs, using all
>bits of each byte in the file.
>
>The polynomial may be different (i.e. more bits for CRC-32), but the
>technique is the same for any CRC/Signature calculation. Have a search for
>CRC-16 and CRC-32 on Google, you get back loads of results.
>
>WinZip uses CRC-32, as does MAME, to see the CRC-32 for a file, zip it up in
>WinZip (8.0?) and set the configuraiton options to show the CRC. You'll see
>it's 8 hex characters i.e. 32 bits.

Just for the fun of it I wrote a quick program that tried all possible feedback
combinations for 16 bit CRCs (65536 combinations), none of them generated the
proper signatures, so it's more than just a variation of the standard CRC
calculations.

(FWIW: I also tried reversing the bit read order. I ran this shifting in both
the LSB and the MSB first, neither worked.)

The signature may be easily cracked though, assuming no hidden states are saved
in the Fluke processor.

If this is similar to a standard signature, then given a starting CRC of 16
bits, and a new bit to shift in, the new CRC value will always be one of two new
values, depending upon whether the bit value is a zero or a one.

For instance if the current CRC is AB12, and the new bit to be shifted in is a
one, and that creates a new CRC of 34F7, and if shifting a one into a CRC of
AB12 *always* creates a new CRC of 34F7, then the signature can be calculated
using two 128k lookup tables.

If the above is true then a program could be written that would:

   if (next bit == 0)
      crc = CrcTbl0[crc];

   else
      crc = CrcTbl1[crc];

That would pretty much be the whole signature calculation, and you can ignore
any internal functions being done by the Fluke code.

This would work assuming the signature does work similar to a CRC. If Fluke,
for some reason, wants to make things really tough, they could do something
similar to what a MD5 calculation does. It keeps track of previous bytes and
changes the results based on what it previously read. For instance a CRC of
AB12 with a one shifted in would only become 34F7 if the previous bit was a 0,
otherwise it would be something else. That would be bad :^(

There is hardware for running an HP signature in the 9010a. I found this in the
service manual (page 4 of 4 of the main board schematic, or something like that,
there was no page number). Included in the calculation was a counter that
counts the number of high to low transitions made by the incoming data
bitstream.

If this circuit is being used to calculate the sigs, it could be that this count
value is being added back into the calculation to convolute things. If this is
the case, the above solution won't work.

This could be tested by, finding two identical signatures, using different
bytes, that created the same CRC, and then adding a third byte to see if they
are both still equal.

For instance if the bytes:

  00 45 = CRC-1234, and,
  12 BC = CRC-1234,

then the CRC for the three bytes "00 45 01" should equal the CRC for "12 BC 01".
This would be an immediate indicator as to whether or not we are dealing with a
"standard" CRC calculation of some type. It would also be an indicator as to how
hard it will be to crack the code.

Anybody know of two different ROMs, or byte streams that result in the same
signature?

-Zonn

>Cheers,
>Phillip Eaton
>
>> -----Original Message-----
>> From: John Robertson [mailto:jrr@flippers.com]
>> Sent: 08 May 2002 22:44
>> To: Phillip Eaton; TechToolsList@flippers.com
>> Subject: RE: Gottlieb / Q*bert scripts for the 9010A/9100
>>
>>
>> Home today fighting a small chest infection...
>>
>> I don't think these ROM Signatures generated by the base numbers are true
>> "Signatures" after all. Note that the coding for them does not follow the
>> convention of using HP's ACFHPU, rather the "signature" generated uses
>> standard HEX nomenclature.. Now I wonder what this number
>> actually is...I'm
>> going to try to use my new Arium ML1400 Logic Analyzer to see if
>> I can find
>> the section of code in the base that actually is used to create the ROM
>> signature and report back.
>>
>> I think it is more likely a signature similar to the one ROMIDENT uses...
>> anyone know it's root formula?
>>
>> John :-#)#
>>
>> At 10:06 AM 07/05/2002 +0100, Phillip Eaton wrote:
>>
>> >Ah ha! You've just spotted the reason for my previous
>> >question - What's the polynomial?
>> >
>> >I worked out the Cat Box polynomial directly from the PCB,
>> >you can actually _see_ the address counter and the XOR
>> >feedback points. Apparently the Cat Box polynomial is the
>> >same as the HP one.
>> >
>> >Now it gets a bit confusing... (Especially as I've not
>> >actually had time to get stuck into my Fluke and confirm all
>> >of this!)
>> >
>> >/As far as I can see/ The Fluke creates a signature with a
>> >similar procedure to a boring old checksum, by reading each
>> >byte of a region of memory space and performing a calculation
>> >on it to produce a single 16 bit signature. To create the
>> >signature, it right shifts each bit of each byte into the
>> >polynomimial XOR 'circuitry'. On the Cat Box the 'circuitry'
>> >is physical, but is probably software on the 9010a for
>> >reasons shown below.
>> >
>> >On a Fluke, there seems to be a bit of general confusion as
>> >to where the calculation is done, in the pod or in the main
>> >unit. I would be very surprised if it were done in the pod
>> >but I could be wrong. (I hope to have a look myself in the
>> >summer, when I've finished college...)
>> >
>> >Anyway, the Cat Box performs Signature /Analysis/, which also
>> >produces a signature, but not by reading in a chunk of bytes
>> >and creating a signature from them via software.
>> >
>> >Using a probe, it reads the chain of bits that occur at a
>> >particular point on a PCB when the address bus is ramped from
>> >0 to FFFFH. To test one part of a circuit e.g. a single ROM,
>> >you would tie a sig analysis start and stop line to the chip
>> >enable of the ROM which in effect maps to that ROMs address
>> >space only.
>> >
>> >If you point the probe at the one data line of the ROM, you
>> >will get a stream of bits which you can XOR in a similar way
>> >to the standard Fluke signature. BUT the calculation will
>> >only be performed on one bit of each byte as there are 8 data
>> >lines and you only have one probe! Thus, you get 8 signatures
>> >per ROM as shown in the Atari Cat Box signature reference for
>> >each PCB.
>> >
>> >A Fluke signature is an improved way of testing a ROMs
>> >integrity over a checksum, but it can't be used to analyse
>> >anything other than a fixed areas of memory space i.e. ROM.
>> >Signature /Analysis/ can test /any/ digital part of a circuit
>> >as long at it derives from the processor's address and data
>> >decoding (i.e you can't do the video circuitry).
>> >
>> >My program uses a software way of calculating the signature,
>> >but it emulates the Atari probe hardware i.e. by testing only
>> >1 bit of a byte and thus it is an emulator, as opposed to
>> >just a signature generator.
>> >
>> >I originally wrote it to do the 8 bits of a ROM, but this
>> >added an extra loop, and all I was really trying to do was
>> >show how it worked, so I went back to just one bit for
>> >clarity.
>> >
>> >Note BASIC has no bitwise operators so the code is a bit
>> >cumbersome, if you rewrote it in C, or even better Forth, it
>> >would be a fraction of the size.
>> >
>> >You could quite easily modify my emulation to either create
>> >all 8 checksums together like the Cat Box or pass all of the
>> >information from each byte serially into the calculation like
>> >the Fluke (if you knew it's polynomial).
>> >
>> >Cheers,
>> >Phillip Eaton
>> >http://www.phillipeaton.com
>> >
>> >---- Original message ----
>> > >Date: Mon, 06 May 2002 21:45:41 -0700
>> > >From: John Robertson <jrr@flippers.com>
>> > >Subject: RE: Gottlieb / Q*bert scripts for the 9010A/9100
>> > >To: "Phillip Eaton" <inbox@phillipeaton.com>,
>> ><TechToolsList@flippers.com>
>> > >
>> > >
>> > >Hi Phillip,
>> > >
>> > >I just tried your emulator on a bunch of Asteroid files and
>> >compared them
>> > >with the signatures on the 9010 and I do not get the same
>> >results... Does
>> > >it not setup the same Signature that HP designed and thus
>> >should it not
>> > >give the same results for any file as the Fluke would do on
>> >a ROM signature
>> > >test? The signatures generated by your emulator are
>> >consistent - identical
>> > >files give identical signatures...
>> > >
>> > >Might I ask what the "Bit number <0 - 7>" refers to in the
>> >emulator?
>> > >
>> > >John :-#)#
>> > >
>> > >At 11:08 PM 06/05/2002 +0100, Phillip Eaton wrote:
>> > >
>> > >
>> > >>I wrote one of these a few years back. It's part of my
>> >Atari Cat Box
>> > >>signature analysis write-up which is held at
>> > >>http://www.gamearchive.com/video/manufacturer/atari/vector/s
>> >ignatures/
>> > >>
>> > >>It includes a very simple program source code (to aid
>> >understanding) to do
>> > >>what you mentioned in MS DOS QBasic for the Cat Box.
>> > >>
>> > >>You could quite easily use it as a base to write your own,
>> >or simply change
>> > >>the polynomial in mine and it'd do what you need.
>> > >>
>> > >>How did you work out the ploynomial?
>> > >>
>> > >>Cheers,
>> > >>Phillip Eaton
>> > >>
>> > >> > -----Original Message-----
>> > >> > From: owner-techtoolslist@www.flippers.com
>> > >> > [mailto:owner-techtoolslist@www.flippers.com]On Behalf
>> >Of John Robertson
>> > >> > Sent: 06 May 2002 22:03
>> > >> > To: TechToolsList@flippers.com
>> > >> > Subject: Re: Gottlieb / Q*bert scripts for the 9010A/9100
>> > >> >
>> > >> >
>> > >> >
>> > >> > What we need is for some bright person to write a simple
>> >utility that
>> > >> > converts data files to signatures. The signature formula
>> >is fairly simple
>> > >> > and if combined with Bill Ung's ROMSUM would be a nice
>> >tool for our
>> > >> > package. If you don't know ROMSUM it is a dos utility
>> >that will give a
>> > >> > checksum listing plus the ROM size for a single or group
>> >of files...
>> > >> >
>> > >> > The Signature process is a CRC process that uses the
>> >following feedback
>> > >> > equation: X(to the 16th) + X(to the 12th) + X(to the
>> >9th) +X(to
>> > >> > the 7th) +
>> > >> > 1 or
>> > >> > P(X) = X(15th) + X(9th) + X(7th) +X(4th) + 1
>> > >> >
>> > >> > So who wants to make a simple (not for me!) binary
>> >program that
>> > >> > allows one
>> > >> > to input a file and outputs it's signature?
>> > >> >
>> > >> > John :-#)#
>> > >> >
>> > >> > At 09:11 AM 06/05/2002 -0400, Kev wrote:
>> > >> >
>> > >> >
>> > >> >
>> > >> > >Anyone written any test scripts for these or at the
>> >very least have some
>> > >> > >checksum signatures?
>> > >> > >
>> > >> > >Thanks,
>> > >> > >Kev
>> > >> >
>> > >> >
>> > >
>>
>>
>
Received on Wed May 08 16:54:23 2002

This archive was generated by hypermail 2.1.8 : Tue Dec 02 2003 - 18:40:44 EST