6502.org Forum  Projects  Code  Documents  Tools  Forum
It is currently Sun Nov 24, 2024 6:16 pm

All times are UTC




Post new topic Reply to topic  [ 16 posts ]  Go to page 1, 2  Next
Author Message
 Post subject: 6702 dissection
PostPosted: Tue Jul 06, 2021 6:56 am 
Offline
User avatar

Joined: Fri Nov 09, 2012 5:54 pm
Posts: 1431
//Previous thread: 6509 dissection.

This thread is about a transistor level dissection of the 6702, SuperPET dongle chip,
brought to you by Frank Wolf and ttlworks.

The 6702 bus interface only has one Byte.

There is a shift register tied to every Bit of that Byte,
length and output polarity of the shift registers does vary.

Reading the Byte means reading the outputs of the 8 shift registers.

When writing a Byte to the 6702 data register,
data register outputs and the shift register outputs are XORed and fed into the shift register inputs.

After a 0 to 1 transition in the D0 data register Bit,
all of the shift registers are shifted by 1 Bit,
and that's basically it: security through obscurity.


Note:
For consistence with Frank's notation, low_active signals are named foo#, not /foo.

Orientation for all the chip pictures: D3,D4 pads are North.


Last edited by ttlworks on Mon Jul 12, 2021 8:05 am, edited 1 time in total.

Top
 Profile  
Reply with quote  
 Post subject: Re: 6702 dissection
PostPosted: Tue Jul 06, 2021 6:57 am 
Offline
User avatar

Joined: Fri Nov 09, 2012 5:54 pm
Posts: 1431
Eagle 6.4 schematics for my schematic pictures in this thread,
just in case if somebody needs them.

Note: KiCad is supposed to be able to import these schematics,
unfortunately it doesn't seem to be possible to disable the layers 'name' and 'value' in KiCad schematics,
so making my schematics look nice and clean in KiCad will require some work, sorry.

Attachment:
6702r0_dissect_schematics.zip [125.52 KiB]
Downloaded 67 times


Top
 Profile  
Reply with quote  
 Post subject: Re: 6702 dissection
PostPosted: Tue Jul 06, 2021 6:59 am 
Offline
User avatar

Joined: Fri Nov 09, 2012 5:54 pm
Posts: 1431
0) cheat sheet

A very simplified schematic to give an overview about what came out during the dissection.

Attachment:
6702_0_cheat_sheet.png
6702_0_cheat_sheet.png [ 90.2 KiB | Viewed 1983 times ]


A picture of the 6702 silicon, with the interesting areas marked according to the cheat sheet.

Note the yellow and orange boxes:
These are 64 shift register cells, one Bit each.
From West to East, the layout of every second shift register Bit cell is rotated by 180°, we are getting there later.

Attachment:
6702r0_orientation.png
6702r0_orientation.png [ 85.24 KiB | Viewed 1983 times ]


Just as a reference, another picture of the 6702 silicon without the markings.

Attachment:
6702r0_small.png
6702r0_small.png [ 401.45 KiB | Viewed 1983 times ]


Top
 Profile  
Reply with quote  
 Post subject: Re: 6702 dissection
PostPosted: Tue Jul 06, 2021 7:02 am 
Offline
User avatar

Joined: Fri Nov 09, 2012 5:54 pm
Posts: 1431
1) RES, located South West.

The low active RES# signal goes through an inverting super buffer, then through an inverter, then through another inverting super buffer,
and becomes the high_active RES signal.

Attachment:
si6702_1_res.png
si6702_1_res.png [ 20.6 KiB | Viewed 1983 times ]

Attachment:
6702_1_res.png
6702_1_res.png [ 34.33 KiB | Viewed 1983 times ]


Top
 Profile  
Reply with quote  
 Post subject: Re: 6702 dissection
PostPosted: Tue Jul 06, 2021 7:06 am 
Offline
User avatar

Joined: Fri Nov 09, 2012 5:54 pm
Posts: 1431
2) CS, mostly located at the Southern corner of the chip.

We have the four high_active chip select signals CS0, CS1, CS2, CS3, which have to be 1 for selecting the chip.
We have the three low_active chip select signals CS4#, CS5#, CS6#, which have to be 0 for selecting the chip.

CS4# goes through an inverting super buffer, then an inverter, then to the gate which switches a metal trace named CS_NOR to GND.
Means if CS4# is 1, CS_NOR is switched to GND, same thing for CS5# and CS6#.

Attachment:
si6702_2_cs4.png
si6702_2_cs4.png [ 22.46 KiB | Viewed 1981 times ]


CS3 goes through an inverting super buffer, then to a dead inverter, and to the gate which switches a metal trace named CS_NOR to GND.
Means if CS3 is 0, CS_NOR is switched to GND, same thing for CS0, CS1, CS2.

Attachment:
si6702_2_cs3.png
si6702_2_cs3.png [ 21.14 KiB | Viewed 1981 times ]


If you take a closer look at the layout: depending on how a tiny trace is connected on the metal layer,
a CS input can be configurated to be high_active or low_active.

Attachment:
si6702_cs_polarity.png
si6702_cs_polarity.png [ 11.8 KiB | Viewed 1981 times ]


There also is a pullup resistor tied to the CS_NOR metal trace, to make it work as a NOR gate.
The CS_NOR metal trace goes into an inverter, and becomes the low active CS# chip select signal.

Attachment:
si6702_cs_inverter.png
si6702_cs_inverter.png [ 15.77 KiB | Viewed 1981 times ]

Attachment:
6702_2_cs.png
6702_2_cs.png [ 93.82 KiB | Viewed 1981 times ]


Top
 Profile  
Reply with quote  
 Post subject: Re: 6702 dissection
PostPosted: Tue Jul 06, 2021 7:08 am 
Offline
User avatar

Joined: Fri Nov 09, 2012 5:54 pm
Posts: 1431
3) rw circuitry, located East in the chip.

We have a 3 input NOR gate with a fast push/pull output, which generates the READ signal for the D0..D7 data pad drivers.
NOR gate inputs are CS#, PHI2_in# (inverted PHI2 from the bus, we are getting there later), and R/W# inverted by a super buffer.

We have a 4 input NOR gate (output switches a pullup resistor to GND) which generates the WRITE signal for the D0..D7 data pad buffers.
The high_active WRITE also goes through an inverter and becomes the low_active WRITE#.
NOR gate inputs are CS#, PHI2_in#, the signal from the R/W# pad directly,
and the signal from the R/W# pad delayed by the super buffer mentioned above plus three inverters.
Means, that when WRITE is generated, there is a delay on the falling edge of R/W#.

I think that's for deglitching R/W# when it comes to writes,
maybe in case when the chip is used in an environment where the CPU shares the bus with a video controller (like in the C64).
Reads are not critical, because reads don't modify any register Bits inside the chip.

//Don't ask my, why the designers had used two FETs per gate input instead of one FET in that 4 input NOR...

Attachment:
si6702_3_rw.png
si6702_3_rw.png [ 43.73 KiB | Viewed 1981 times ]

Attachment:
6702_3_rw.png
6702_3_rw.png [ 100.55 KiB | Viewed 1981 times ]


Top
 Profile  
Reply with quote  
 Post subject: Re: 6702 dissection
PostPosted: Tue Jul 06, 2021 7:10 am 
Offline
User avatar

Joined: Fri Nov 09, 2012 5:54 pm
Posts: 1431
4) D0 register (plus D0 pad buffer\driver) located North West on the chip.

The shift register output goes through a non_inverting super buffer, then to the D0 pad driver,
and to a XNOR gate which feeds shift register output XNOR the low_active D0 data register output
back to the shift register input.

The D0 pad driver is nothing fancy, and its output is enabled with the high_active control signal READ.

The signal from the D0 pad goes through an inverting super buffer and through three inverters before entering the latch,
means that the data register latch stores D0 in inverted form.

//The delay which is built up by these inverters improves data write hold timing.

The edge detection circuitry which makes the shift registers shift by one Bit taps the high_active D0_reg signal from the D0 data register.

Note:
RES sets the low_active data register outputs to 0,
means the data register Bits are set during a RESET.

D0..D7 register (plus pad buffers\drivers) have identical layout on the chip, except for that D0_reg signal tapped from the D0 register.

Attachment:
si6702_4_d0_register.png
si6702_4_d0_register.png [ 93.72 KiB | Viewed 1981 times ]

Attachment:
6702_4_d0_register.png
6702_4_d0_register.png [ 226.7 KiB | Viewed 1981 times ]

If you wonder why I'm drawing circles at the two FET inputs of the non_inverting super buffer which reads the shift register:
in the chip layout, we have vias there.

For D0..D7, there always is a metal trace between the two vias,
but to me it feels like the chip designers wanted to be able to change the functionality of that buffer by changing connections of that metal trace.


Top
 Profile  
Reply with quote  
 Post subject: Re: 6702 dissection
PostPosted: Tue Jul 06, 2021 7:11 am 
Offline
User avatar

Joined: Fri Nov 09, 2012 5:54 pm
Posts: 1431
5) clock generation

First, we have a two input NOR gate with push/pull output, generating the clock signal PHI_shift.
With some flipflops and inverters tied to its inputs, it works as a rising edge detector scanning the D0_reg output of the data register.
If there was a rising edge at the D0 data register Bit, PHI_shift goes high for one PHI cycle and makes the shift registers advance by one Bit.

Second, we have a RS flipflop which generates the non_overlapping signals PHI1 and PHI2.
RS flipflop is set/cleared by the external PHI2_in signal (which goes through an inverting super buffer for 'set', and then through an inverter for 'clear').

Third, we have two NOR gates with push/pull output which generate the clock signals PHI1_hold and PHI2_hold from the PHI1 and PHI2 outputs of the RS flipflop
if PHI_shift is inactive (these two clock signals make sure that the Bits in the dynamic shift register are getting refreshed if no shifting takes place).

Attachment:
si6702_5_clock_generation.png
si6702_5_clock_generation.png [ 80.67 KiB | Viewed 1981 times ]

Attachment:
6702_5_clock_generation.png
6702_5_clock_generation.png [ 136.2 KiB | Viewed 1981 times ]


Top
 Profile  
Reply with quote  
 Post subject: Re: 6702 dissection
PostPosted: Tue Jul 06, 2021 7:13 am 
Offline
User avatar

Joined: Fri Nov 09, 2012 5:54 pm
Posts: 1431
6) shift register cell (one Bit)

A nice explanation of how a dynamic shift register works can be found at introduction to VLSI systems, Mead & Conway 1978, PDF page 88.

Nothing fancy there.
Depending on if PHI_shift or PHI2_hold are active, either the data input D or the high_active output Q of the register are fed to the input of an inverter by two switches.
If both switches are open, the trace capacitance (plus gate capacitance) of that inverter are working as a "temporary storage".

A switch controlled by PHI_hold gives the output of that inverter to a second inverter (which works as a "temporary storage" again if the switch is open),
the output of that second inverter is the high_active output Q of the register Bit cell.

High_active Q is turned to low_active Q# by a third inverter.

Shift register Bit cell is cleared when the high_active RES signal is 1, and that's all there is to it.

Attachment:
si6702_6_shift_register_cell.png
si6702_6_shift_register_cell.png [ 22.1 KiB | Viewed 1980 times ]

Attachment:
6702_6_shift_register_cell.png
6702_6_shift_register_cell.png [ 37.17 KiB | Viewed 1980 times ]


Top
 Profile  
Reply with quote  
 Post subject: Re: 6702 dissection
PostPosted: Tue Jul 06, 2021 7:21 am 
Offline
User avatar

Joined: Fri Nov 09, 2012 5:54 pm
Posts: 1431
7) shift registers

Now for the tangled mass of shift register cells.

We have 8 shift register Bit cells per data Bit (that's 64 cells in total),
and for every data Bit the shift register cells are arranged in a 4*2 pattern like that:

Attachment:
6702r0_shiftreg.png
6702r0_shiftreg.png [ 6.96 KiB | Viewed 1980 times ]


If you go from West to East, every second cell is rotated by 180° for making the chip layout more compact.

Length and output polarity of a shift register related to one data Bit is different:
that tiny black dot I did draw into every cell in the picture above is a small area where we have the
signals A,B,C plus the data input of the previous cell on vias,
and the functionality of a cell is programmed on the metal layer by a connection between these vias.

Attachment:
si6702_7_shift_config.png
si6702_7_shift_config.png [ 4.21 KiB | Viewed 1980 times ]


Now for the connections between the cells:

Attachment:
6702_7_shift_registers.png
6702_7_shift_registers.png [ 108.03 KiB | Viewed 1980 times ]


Top
 Profile  
Reply with quote  
 Post subject: Re: 6702 dissection
PostPosted: Tue Jul 06, 2021 7:22 am 
Offline
User avatar

Joined: Fri Nov 09, 2012 5:54 pm
Posts: 1431
And that's all for now.

6530 is next.


Last edited by ttlworks on Thu Jul 29, 2021 11:34 am, edited 1 time in total.

Top
 Profile  
Reply with quote  
 Post subject: Re: 6702 dissection
PostPosted: Tue Jul 06, 2021 10:48 am 
Offline

Joined: Thu Jul 20, 2017 9:58 am
Posts: 91
As already mentioned: Great work! I'm always astonished at your precision and speed when dissecting chips!

Chapeau!


Top
 Profile  
Reply with quote  
 Post subject: Re: 6702 dissection
PostPosted: Tue Jul 06, 2021 11:35 am 
Offline
User avatar

Joined: Fri Nov 09, 2012 5:54 pm
Posts: 1431
Thanks.

Also, I'm always astonished at your precision and speed when it comes to making these polygonized images.
The 6530 layout looks incredibly dense, and I dare to say that not many people out there could polygonize it like that.

Chapeau!


Top
 Profile  
Reply with quote  
 Post subject: Re: 6702 dissection
PostPosted: Wed Jul 07, 2021 5:24 am 
Offline

Joined: Tue Jul 05, 2005 7:08 pm
Posts: 1043
Location: near Heidelberg, Germany
Thanks for that great analysis!

I wonder if we find what I think was a problem with the 6532 timers that you had to write them twice sometimes to start. Or just sloppy programming on my side triggering a race condition...

_________________
Author of the GeckOS multitasking operating system, the usb65 stack, designer of the Micro-PET and many more 6502 content: http://6502.org/users/andre/


Top
 Profile  
Reply with quote  
 Post subject: Re: 6702 dissection
PostPosted: Tue Jul 13, 2021 11:00 pm 
Offline

Joined: Fri Mar 31, 2017 5:10 pm
Posts: 8
Location: Paris, France
Impressive !


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 16 posts ]  Go to page 1, 2  Next

All times are UTC


Who is online

Users browsing this forum: Google [Bot] and 67 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to: