Brute Force Dumping PLDs

What are PLDs an why dump them?

A lot of classic arcade games use Programmable Logic Devices aka PLDs, or “PALs” and “GALs” as these chip numbers are often prefixed. Outside EPROMs that store the game data these are probably the most common devices on an Arcade PCB that stores unique code (referred to as a “fuse map”). Unlike EPROMs this code is often not preserved as it’s part of the “Glue Logic” that helps route data around the PCB; and while vital to the function of the PCB it’s often not necessary for Emulation and therefore often gets overlooked. This is unfortunate for the preservation of the PCBs themselves as if any of these devices fail, it becomes impossible to replace without the fuse map to program onto the replacement.

There is an online archive of PLD fuse maps for Arcade and other devices: https://wiki.pldarchive.co.uk And I’m hoping this write up can help you contribute to that archive.

The Challenges with Dumping

Many of the programmers used for EPROMs can also be used to read and write PLD devices as well, though support for PLDs on these programmers isn’t always available, or if it is only particular PLDs may be supported. Also unlike EPROMs PLDs can be “protected” preventing you from reading/dumping the fusemap. These factors further contribute to why there is far less support for preserving PLD data.

One way around these issues is “Brute Force Dumping” since PLDs are often simple logic devices; meaning a particular combination of inputs is passed through an equation to make a different combination of outputs, we can simply attempt every possible input combination and read the resultant output combination, and then analyze that data to reverse engineer the equations to make a new fuse map that functions identical to the original fuse map.

A clever fellow named Charles MacDonald developed a small adapter PCB for some of the most common PLDs found on Arcade boards: http://techno-junk.org/readpal.php
This board essentially lets you plug a PAL16L8, PAL16V8, GAL16V8, or 18CV8 into the adapter, and then use your ROM Programmer to read it as if it’s a 27c020 EPROM, the result is a binary file that contains every input and output combination, this can then be passed through a piece of software to derive the logic.

Limitations to Brute Force Dumping

The biggest limitation to the Charles MacDonald brute force adapter is that it only supports a small number of chips. While these are fare and wide the most common, there are many other PLDs out there that aren’t supported, and would require a differently designed adapter to work.

Another limitation to Brute Force dumping in general is that it doesn’t work on “registered” PLDs. These are PLDs that support a “clock pulse” input on one of the pins and count pulses and change the output logic based on those pulses. The brute force technique doesn’t allow for any clock pulsed input and thus any PLD logic that utilizes that feature can’t be brute force dumped.

There’s more to this then just constructing an adapter and reading the output. There are several more complicated steps to actually build a “JEDEC” file for creating a replacement PLD. This process wasn’t totally clear to me until I went through it a few times so I figure I’d spell it out to help jump start others.

The Process

Step 1: Insert your PLD into the brute-force dumper,
…then insert your dumper PCB into your ROM Programmer.
Supported chips on the Charles MacDonald brute-force dumper PCB:
GAL16V8, PAL16V8, PAL16L8, 18CV8

Step 2: “Read” the “ROM” as a 27c020 or 27c2001
…and save the file as brute_force.bin (you can pick any file name you or extension like).

Step 3: run the the file through the “Analysis Software”
Download the pa.exe command line application here: http://techno-junk.org/readpal.php
use the command line:
pa.exe brute_force.bin > output_logic.pld
replace “brute_force.bin” with the file from your ROM programmer, and replace “output_logic.pld” with what you’d like to name the output logic file.

Step 5: compile the logic
Download and install WinCUPL: https://www.microchip.com/en-us/development-tool/wincupl

Once installed you’ll want to setup the compiler:
open [Options] -> [Compiler]
Under the [Output Files] tab make sure [JEDEC] is checked.
Under the [Minimization] tab make sure [Quine-McCluskey] is checked (this helps with more complex logic)

Open the output_logic.pld file you created with the Analysis Software and change the line that says Device virtual;
to
Device g16v8a;

When you compile this will make your .jed fuse map file for a “GAL16V8” device (this is what you want regardless of what the source device was as GAL chips are much more readily available and much more widely supported on modern ROM Programmers.)

Then you can either click the [Device Dependent Compile] button, or select [Run] -> [Device Dependent Compile].

You’ll get a pop up with “Compilation Results” a successful compile will state “Compilation successful” with 0 Warnings and 0 Errors.

This should create a .jed file with the same name as your .pld file and in the same folder as your .pld file (as well as a .abs and .pdf files that you can ignore).

Step 6: Test the logic
Grab a new/unused GAL16V8 chip (DO NOT USE the one you just dumped) and insert it directly into your ROM Programmer WITHOUT the adapter. Set the device to GAL16V8 and program your new .jed file to the chip.

Insert the chip into the PCB where the original chip came from and test the board to ensure that the logic is correct and the brute force dump was successful. (not all PALs and GALs can be brute forced, so there’s a chance this process doesn’t work! That’s why we test.)

Once you’re done, re-install the original PLD back into your PCB.

Step 7: Submit the dump to the PLD Archive
Take a picture of your PCB with the Original PLDs installed. take close up pictures of each PLD so you can read the label and the U## or IC## on the PCB.

Submit your .jed file and pictures along with information about your PCB to the PLD Archive here: https://wiki.pldarchive.co.uk/

Take pride in the fact that you’re helping preserve hardware!

Other Things to do

The .pld file is the logic “code” for the PLD device, you can muck around and change the equations here to change the function of the PLD. If you study the PCB and determine where the Pins connect on the board, you can rename the placeholder variables in the logic file to something that makes sense for the pin and you can begin to understand what the logic is doing. On Arcade hardware this can open the door to conversions, or help you “derive” the logic for other games on the same hardware where dumps might not be available.

MAME also has a utility called “JEDUTIL” that can reverse a .jed fuse map into logic (though it’s a slightly different format then the .pld format that WinCUPL uses). This is useful since .jed files for different chips are incompatible so if you have a .jed file for a PAL16L8 and want to program a GAL16V8 you’ll need to use something like JEDUTIL to calculate the equations from that .jed file and then recompile.

If there’s interest I might put together some additional guides on understanding .pld logic and using JEDUTIL.

0 Responses to “Brute Force Dumping PLDs”


  • No Comments

Leave a Reply

You must login to post a comment.