Profile picture
matthew venn @matthewvenn
, 15 tweets, 7 min read Read on Twitter
Taking a couple of days off to see my pinball fanatic buddy Stuart in the UK. I want to make a pinball #fpga mashup! We're going to try and intercept ram writes and figure out when the high score is broken!
On the train to the airport I will test my verilog model of the SRAM against the real thing and see if I can read and write to it.
Installed the SRAM adapter board and then machine wouldn't start! Fairly terrifying! After an hour of debugging traced to a blown fuse and dodgy socket... Phew! 😌
Now showing the address on the LEDs. Next step, power off machine and try to dump the SRAM to my pc for inspection.
first output of the SRAM dump! Now I have to find the high score (550,000). Which is 0x86470, so should be stored probably in 4 consecutive bytes.
hmm, if I dump the SRAM twice I get different checksums for each dump - so I have something wrong with the verilog that controls the SRAM. Perhaps timing?
Looking at the schematics, SRAM is backed up by a coin cell via a diode. So with machine off (so I can read the SRAM with FPGA), perhaps levels are too low.
Right, not getting anywhere - taking a break. What do people think of this assumption: default high score gets written to SRAM after reset. Max score is 999999, so stored in 4 bytes. So if I look for 0x00_08_64_70 I should find the address of the high score in SRAM. Right?
Ps. M6800 processor is big endian.
good progress this morning thanks to the tip from @micko_mame and @anachrocomputer! Instead of searching for the hex value of the score, I searched for the packed BCD: 55 00 00. Address 1149 looks promising - so I checked the same address after getting a fake high score...
@micko_mame @anachrocomputer So I'm looking for 80 39 50. Get this instead. Funny byte ordering. Then I wrote that Score value back to a reset SRAM chip and get 503950! So getting closer!
Looks like it's not packed BCD, but lowest 4 bits in each byte from address 0x1148. Don't know what the upper 4 bits are 4, any ideas? After writing these values I can update the high score to the old one!
And after writing 00010000 to 0x1148 I can reset the high score to 10,000 and that makes it easy to beat. So next step is snoop the bus while the machine is playing and whenever those addresses are read - store the data lines as it means a new high score is set.
Snooper was easy, just listen to chip enable, address and data lines and when the SRAM is read at the high score address store it for later retreival over serial! Works! Final (pointless) step is to auto tweet it.
And auto tweeter straight forward - just had to reset the high score to something lower so I could beat it!

And here's the repo if you're interested in the Verilog. github.com/mattvenn/ds260…
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to matthew venn
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#fpga

More from @matthewvenn see all

Profile picture
my next #fpga project as suggested by @ico_TC: Fourier analysis of fast ADC with results shown on a VGA monitor. This is such a cool video to understand what Fourier analysis is:
and this is a great paper on implementing the FFT in hardware - didn't think it was going to be so tricky! web.mit.edu/6.111/www/f201…
OK, @ebrombaugh gave me a tip on the sliding DFT comm.toronto.edu/~dimitris/ece4…
which looks a lot simpler to implement on an #FPGA. I've written the algo in python to test against the numpy FFT. github.com/mattvenn/fpga-…
Read 14 tweets

Related threads

Profile picture
Briefing on Iran Sanctions state.gov/secretary/rema… (from @StateDept)
MS NAUERT: Thank you, sir. Good morning, everyone, and welcome to today’s on-the-record call on the Iran snapback sanctions. We’re pleased to have with us Secretary of State Mike Pompeo and Secretary of the Treasury Steve Mnuchin. They will each have brief remarks at the top and
then take several of your questions. We’ll start first with Secretary Pompeo.

Secretary, please, go ahead.

SECRETARY POMPEO: Thank you, Heather. Good morning, everyone, and thank you for joining the call. Earlier this year, President Trump withdrew from
Read 77 tweets
Profile picture
#Khashoggi Case Thread: I am going to ‘pin’ this post to use it as an ‘Info Thread’ on the #Khashoggi Case. I am in #Turkey. I’ve been following the case closely and with access to sources & experts here. This is a very ‘sensitive’ criminal case due to ‘Diplomatic Booby Traps’!!!
The Evidence Obtained Outside Cameras will not show any evidence of ‘tempering’ but other than license plates of dozens of diplomatic cars (Many with tinted windows-large trunks) with related time stamp, drivers Info, model/year: Nothing.
#Turkish Intel-Investigative Bodies also have the list of all Diplomatic & Private Saudi & “other significant’ Planes in #Turkey for the period of ‘interest.’ Many of the Target airports have their own security cameras & related evidence.
Read 335 tweets
Profile picture
It's time for the #Cin thread. #Days #DOOL
Let's start with Ciara mentioning to Julie that Tripp was making a romantic dinner for her. #Cin #Days
"Ciara, that's wonderful. So you're possibly going to be getting that pussy beaten up tonight? Are you sure you're ready for that? You were raped two years ago. I know that pain and so do a shit ton of women on this show." #Cin #Days
Read 136 tweets
Profile picture
THREAD

#CambridgeAnalytica #Russia ties.
1.Alexander Kogan a #CambridgeUniversity academic, who orchestrated harvesting #Facebook data, is tied to a #Russian University and had grants for researching into social media networks.
2.Alexander Kogan harvested the data in cooperation with #CambridgeAnalytica.
Read 81 tweets
Profile picture
I’m a bit tired of this “UK citizens overseas sacrificed in Brexit negotiations” stories.

So I am going to try - as fairly as possible - to lay out what happened in last week’s deal, and what it means.

1/10
The type of story that annoys me is ones like this theguardian.com/politics/2017/… by @lisaocarroll in The Guardian.

2/10
A quote from The Guardian piece:
“One of the biggest fears of Britons in Europe is that they will remain “landlocked” in the country in which they now live, unable to move across borders to work for meetings, or for business contracts.”

This is not actually quite true.

3/10
Read 11 tweets
Profile picture
The marvellous @deer_ful with a #Gameboy solo and liberal interpretation of @kingandqueenw1 acoustic club rules.
New to me @theindelicates with magnificent trousers and dogging as a metaphor for brexit. Excellent!
Bringing a fantastic evening to a close the wonderful @emma_kupa. Great night all round. Will be back!
Read 225 tweets

Trending hashtags

#Merkel #Consulate #Gameboy #Latakia #OPCW #RichardBurt #EU #PowerInTheDarkness #California #ChemicalAttacks #Khashoggi #NorthKoreanSanctions #russiansanctions #UnitedStates #DF #KremlinAnnex #Breitbart #UnitedKingdom #YPG #MIC #DoctorWhoTrailer #SaudiLobby #Russian #NYTimes #civictech

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!