Hi, I'm Gus Searcy... The pin number is a mathematical calculation of the serial number. I knew I'd never be able to keep track of remember all the PIN numbers so that's why we made it a mathematical calculation of the serial number. Enjoyed watching you go through the security module. It worked quite well for us as a deterrent for many many people for many many years

Hook up a logic analyzer (a $10 saleae clone will do) to the address bus and see where it accesses when you punch in the pin code. Should pretty much give it to you. If not at least watching the startup process will narrow it down

New subscriber here; I have no idea what this device does but the video was interesting and perhaps I can help a bit. 16:40 All the address decoding hardware is on the main board, so the main board needs access to the !OE input of the 74HCT245 to connect the main board hardware on the data bus (and disable the PROM from the looks of it). The !OE pin is pulled high by the 2k2 pull-up resistor, and the address decoding logic on the main board pulls it low, probably from a 74*138 or similar open-collector/open-drain chip that are commonly used for address decoding. As you mention earlier in the video, there's a missing component that was probably a diode; maybe they were considering the possibility that the address decoder might not be open-collector (I think the 74*254 was a decoder with totem-pole outputs?) while they were developing the security module. They eventually realized they didn't need the diode so they left it out. As someone already said, the PROM is simply used to scramble the address lines to the EPROM. They could be using those I/O port C lines to help with the scrambling but I suspect that they don't and those lines are just to help with programming the PROM at production time. If anything, the 4 lines of port C that go to the 27S21 only possibly generate 16 possible combinations of bit patterns so even if it matters, you would only have to try 16 times to get it right. And the part of the software that asks for the pin code cannot depend on those I/O port lines to be set correctly so that part of the code must be in an area of the EPROM that always gets decoded the same regardless of what port C is set to. And that area is probably at the top of the memory map, because that's also where the 6502 needs to have the reset vector, interrupt vector and NMI vector which should be available right from the start. So even though you don't have hardware to read the 27S21, you could put both the PROM and the EPROM on a breadboard and connect them in basically the same way as they are connected in the module, and then use e.g. a 5 Volt Arduino to generate all the 8192 addresses that are relevant to read your particular EPROM through your matching PROM descrambler. The Arduino can read all the data from the EPROM and send it to the serial port, where you can capture it with a PC to a file, and you can analyze and hack that file. Then it's a matter of finding the code that asks for the PIN, and replace it with NOP or with a JMP instruction to skip it, or whatever. Then you can burn that image file to another 2764 EPROM and hack it into another device. It doesn't even matter where or how the PIN code is stored. On the device to be liberated, you would need to: * Cut the trace that enables the Security Module EPROM enable-input and pull the pin high or low, as appropriate, to deactivate the internal EPROM forever. * Put the hacked EPROM on the address and data bus (you might be able to piggy-back the hacked EPROM on top of an EPROM on the main board, I don't know), and use the signal from the trace that originally went to the module's EPROM enable pin, as the input to enable the hacked EPROM on the main board. * Cut the traces from the address decoding logic on the main board to the !OE and DIR inputs of the 74HCT245. * Put some logic on 74HCT245 DIR and !OE pins so that the original signals are put on there whenever the hacked EPROM is not enabled, but allow data through from the main board into the HCT245 when the enable-line of the hacked EPROM is active. I'll leave that as an exercise for the reader 🙂 There's a good chance that you can pull the 74HCT245 !OE line down permanently once the internal EPROM is permanently deactivated, and you can probably use R/!W (or a boosted and/or inverted version, as appropriate) to generate the DIR signal. I don't know anything about the main board so this would require some further study! If you kill your butler, don't blame me.

By my guess, it looks like the security module was potted with a blank EPROM and PROM in it, which were programmed later (Vpp being exposed) with up-to-date firmware and the PIN. I recall bipolar PROMs being programmed with a high voltage on the /G1 or /G2 pins one bit at a time, which are also exposed to the outside world. The direction and enable pins on the '245 are available too, but someone attempting to pirate the system wouldn't know they're there without depotting the module. I suspect the '245 is to prevent code from appearing on the data bus externally from the module. The address and data busses would be known externally due to the external EPROMs, so if the '245 wasn't there it wouldn't take much to sniff out the data.

As a software engineer I am really curious to know how voice recognition would have worked in the 80s. I know it was pretty crap but its still interesting its amazing for the time. Also I am amazed that no one has reversed one of these yet. Good luck and look forward to seeing what you find.

The prom can be easily readed with a counter like 4040, 4060 (osc included) on the address bus conected to a logic analyzer, you will only need to save the data to a binary file. As @s8wc3 said, connect a 16 bit logic analyzer to the address bus of the eprom and the trigger of the logic analyzer to the front panel "enter" switch, with the eprom file readed you will only have to disassembly less than 50 bytes of code that can be easily done with ida or other tools. Some of this checks are done with conditional jump instructions and changing the jump type or the data that are being compared may unlock the check routine.

My gut is saying you will need a few of them to compare and contrast. Good effort mate!

searcy commented on popular sciences new video on this and said the pin is derived via algo. from the serial number and said he could give a pin to anyone with a serial.

Great use of gimp. Gives me the idea that one could label pads/vias on the image, trace the traces as you've done, then a netlist could be generated automatically. Then a schematic could be generated for one's favorite EDA tool, followed of course a new PCB if desired. I dunno much about gimp, if it has the features to do this, or allows writing plugins that could do it. If not then a stand-alone application (vastly simpler and easier than gimp) might be called for. Would be wonderful to be able to just click anywhere on a trace and have the whole trace light up, then just do manual fixing/tracing as needed.

Amazing sir. So much work .

Gimp for the win! REV4 9-85.. Iv'e always wanted to play with 6502. It's clever how they made it modular like this. I almost get an image of Atari system. I wonder if you could hook it up to a computer?? I love how you went all BigClive on reverse engineer and then some.

CelGen I have two of these in the box with the serial numbers and all the paperwork ...

The EPROM has no security bit to worry about. The PROM can also be read out fully even if there was a write protect bit on it. You could source a replacement CPU and just clip the legs from the old one to pull it out of circuit if there was any mystery tracks under the CPU that needed inspection. Nice job depotting, what solvent did you use? You might be able to just manually read the PROM data on your programmer display, there are only 256 nibbles after all. The PROM may be just for address decoding as you surmised.

Very interesting sir.

I bet the tri state is just the way this module talks to the exterior world, and yes, it's probably the way they program the eprom. I bet the juicy part is the rom, which is not accesible from the outside

Oh yeah on the PopSci video that mentioned you Gus Searcy commented a day ago, and says in the replies can contact him to get pin based off serial number

Hey, great video! I was wondering what solvent you used to clean up all of that resin? looking st depotting some konami "ic's" (not really ic chips) and would love to know what you used.

Don't worry if you are a talking head. You have a nice head.

Post the dump from both PROMS and i'm sure someone will help RE the code. A TNM5000 or TNM7000 programmer should work. I guess it is anyway obvious that one of them stores the the voice data while the other one holds the code.

Just an fyi here: the pin code is a cypher.

May be The EPROM Can be programd with The Voice comands?

i would really be interested in the source code of that thing.. i mean, a simple arduino must be able to implement this...

Is that a mark 8 on the right corner of the screen???

Password needed to view dumps. Oh, irony!