6502.org

//Previous thread: 6509 dissection.

This thread is about a transistor level dissection of the 6702, SuperPET dongle chip,
brought to you by Frank Wolf and ttlworks.

The 6702 bus interface only has one Byte.

There is a shift register tied to every Bit of that Byte,
length and output polarity of the shift registers does vary.

Reading the Byte means reading the outputs of the 8 shift registers.

When writing a Byte to the 6702 data register,
data register outputs and the shift register outputs are XORed and fed into the shift register inputs.

After a 0 to 1 transition in the D0 data register Bit,
all of the shift registers are shifted by 1 Bit,
and that's basically it: security through obscurity.


Note:
For consistence with Frank's notation, low_active signals are named foo#, not /foo.

Orientation for all the chip pictures: D3,D4 pads are North.

Eagle 6.4 schematics for my schematic pictures in this thread,
just in case if somebody needs them.

Note: KiCad is supposed to be able to import these schematics,
unfortunately it doesn't seem to be possible to disable the layers 'name' and 'value' in KiCad schematics,
so making my schematics look nice and clean in KiCad will require some work, sorry.

0) cheat sheet

A very simplified schematic to give an overview about what came out during the dissection.
A picture of the 6702 silicon, with the interesting areas marked according to the cheat sheet.

Note the yellow and orange boxes:
These are 64 shift register cells, one Bit each.
From West to East, the layout of every second shift register Bit cell is rotated by 180°, we are getting there later.
Just as a reference, another picture of the 6702 silicon without the markings.

1) RES, located South West.

The low active RES# signal goes through an inverting super buffer, then through an inverter, then through another inverting super buffer,
and becomes the high_active RES signal.

2) CS, mostly located at the Southern corner of the chip.

We have the four high_active chip select signals CS0, CS1, CS2, CS3, which have to be 1 for selecting the chip.
We have the three low_active chip select signals CS4#, CS5#, CS6#, which have to be 0 for selecting the chip.

CS4# goes through an inverting super buffer, then an inverter, then to the gate which switches a metal trace named CS_NOR to GND.
Means if CS4# is 1, CS_NOR is switched to GND, same thing for CS5# and CS6#.
CS3 goes through an inverting super buffer, then to a dead inverter, and to the gate which switches a metal trace named CS_NOR to GND.
Means if CS3 is 0, CS_NOR is switched to GND, same thing for CS0, CS1, CS2.
If you take a closer look at the layout: depending on how a tiny trace is connected on the metal layer,
a CS input can be configurated to be high_active or low_active.
There also is a pullup resistor tied to the CS_NOR metal trace, to make it work as a NOR gate.
The CS_NOR metal trace goes into an inverter, and becomes the low active CS# chip select signal.

3) rw circuitry, located East in the chip.

We have a 3 input NOR gate with a fast push/pull output, which generates the READ signal for the D0..D7 data pad drivers.
NOR gate inputs are CS#, PHI2_in# (inverted PHI2 from the bus, we are getting there later), and R/W# inverted by a super buffer.

We have a 4 input NOR gate (output switches a pullup resistor to GND) which generates the WRITE signal for the D0..D7 data pad buffers.
The high_active WRITE also goes through an inverter and becomes the low_active WRITE#.
NOR gate inputs are CS#, PHI2_in#, the signal from the R/W# pad directly,
and the signal from the R/W# pad delayed by the super buffer mentioned above plus three inverters.
Means, that when WRITE is generated, there is a delay on the falling edge of R/W#.

I think that's for deglitching R/W# when it comes to writes,
maybe in case when the chip is used in an environment where the CPU shares the bus with a video controller (like in the C64).
Reads are not critical, because reads don't modify any register Bits inside the chip.

//Don't ask my, why the designers had used two FETs per gate input instead of one FET in that 4 input NOR...

4) D0 register (plus D0 pad buffer\driver) located North West on the chip.

The shift register output goes through a non_inverting super buffer, then to the D0 pad driver,
and to a XNOR gate which feeds shift register output XNOR the low_active D0 data register output
back to the shift register input.

The D0 pad driver is nothing fancy, and its output is enabled with the high_active control signal READ.

The signal from the D0 pad goes through an inverting super buffer and through three inverters before entering the latch,
means that the data register latch stores D0 in inverted form.

//The delay which is built up by these inverters improves data write hold timing.

The edge detection circuitry which makes the shift registers shift by one Bit taps the high_active D0_reg signal from the D0 data register.

Note:
RES sets the low_active data register outputs to 0,
means the data register Bits are set during a RESET.

D0..D7 register (plus pad buffers\drivers) have identical layout on the chip, except for that D0_reg signal tapped from the D0 register.
If you wonder why I'm drawing circles at the two FET inputs of the non_inverting super buffer which reads the shift register:
in the chip layout, we have vias there.

For D0..D7, there always is a metal trace between the two vias,
but to me it feels like the chip designers wanted to be able to change the functionality of that buffer by changing connections of that metal trace.

5) clock generation

First, we have a two input NOR gate with push/pull output, generating the clock signal PHI_shift.
With some flipflops and inverters tied to its inputs, it works as a rising edge detector scanning the D0_reg output of the data register.
If there was a rising edge at the D0 data register Bit, PHI_shift goes high for one PHI cycle and makes the shift registers advance by one Bit.

Second, we have a RS flipflop which generates the non_overlapping signals PHI1 and PHI2.
RS flipflop is set/cleared by the external PHI2_in signal (which goes through an inverting super buffer for 'set', and then through an inverter for 'clear').

Third, we have two NOR gates with push/pull output which generate the clock signals PHI1_hold and PHI2_hold from the PHI1 and PHI2 outputs of the RS flipflop
if PHI_shift is inactive (these two clock signals make sure that the Bits in the dynamic shift register are getting refreshed if no shifting takes place).

6) shift register cell (one Bit)

A nice explanation of how a dynamic shift register works can be found at introduction to VLSI systems, Mead & Conway 1978, PDF page 88.

Nothing fancy there.
Depending on if PHI_shift or PHI2_hold are active, either the data input D or the high_active output Q of the register are fed to the input of an inverter by two switches.
If both switches are open, the trace capacitance (plus gate capacitance) of that inverter are working as a "temporary storage".

A switch controlled by PHI_hold gives the output of that inverter to a second inverter (which works as a "temporary storage" again if the switch is open),
the output of that second inverter is the high_active output Q of the register Bit cell.

High_active Q is turned to low_active Q# by a third inverter.

Shift register Bit cell is cleared when the high_active RES signal is 1, and that's all there is to it.

7) shift registers

Now for the tangled mass of shift register cells.

We have 8 shift register Bit cells per data Bit (that's 64 cells in total),
and for every data Bit the shift register cells are arranged in a 4*2 pattern like that:
If you go from West to East, every second cell is rotated by 180° for making the chip layout more compact.

Length and output polarity of a shift register related to one data Bit is different:
that tiny black dot I did draw into every cell in the picture above is a small area where we have the
signals A,B,C plus the data input of the previous cell on vias,
and the functionality of a cell is programmed on the metal layer by a connection between these vias.
Now for the connections between the cells:

And that's all for now.

6530 is next.

As already mentioned: Great work! I'm always astonished at your precision and speed when dissecting chips!

Chapeau!

Thanks.

Also, I'm always astonished at your precision and speed when it comes to making these polygonized images.
The 6530 layout looks incredibly dense, and I dare to say that not many people out there could polygonize it like that.

Chapeau!

Thanks for that great analysis!

I wonder if we find what I think was a problem with the 6532 timers that you had to write them twice sometimes to start. Or just sloppy programming on my side triggering a race condition...

Impressive !