Reading the firmware from AmPAL18P8

I have these parts in my device, I guess they are used as I/O expanders providing an access to some buttons and LEDs to a CPU, they are connected to the CPU with a parallel 8-bit bus. I need to either read them and copy the firmware or to make new ones which will behave exactly the same.


If anyone ever will read this thread while searching for a method to read a PAL device. Here is what helped me out: [http://dreamjam.co.uk/emuviews/readpal.php](http://dreamjam.co.uk/emuviews/readpal.php)


If you can remove the chip from the PCB, it is quite trivial to decode the "firmware" from the chip. It is basically a sum-of-products type asynchronous logic (no DFFs). It has 10 input-only pins, and 8 IO-pins (the direction can be dynamic). Easy way could be by hooking the 10 input pins directly to FPGA (output) pins, and the 8 IO-pins to FPGA input pins and through 1k resistor to FPGA output pins. The FPGA is then configured to go through all 2\^18 (262k) combinations, and recording PAL output values (1, 0, or input (Hi-Z)). Then you need to generate an algorithm to reduce the data back to sum-of-products format. If you need to actually replicate the chip, you can take some low-cost CPLD/FPGA (e.g. Efinix Trion) and mount it to a small PCB with pin headers in same form factor as the original PAL. The 5V IO might pose a problem as majority of today's FPGAs don't go over 3V3.


Intriguing. I didn't think about brute forse. Can you amplify into this idea? I'm a novice in FPGA. I have Altera MAX II EPM240T100C5N board. Essentially I can remove the chips from the PCB. Is there any ready code for my case?


These things aren't even FPGAs. They are PALs.


I understand. I wonder if there's some readily available solution to decipher the interconnections. Nevertheless it has become possible for me to do it with the info given to me here. I appreciate it


Start by creating vhdl (or verilog) model of the PAL chip, so that the "configuration" can be changed with ease (e.g. vhdl's generics). Then create the brute-force-stimulator and run it against the PAL model in simulator. Now you have the raw data, and you can start generating an algorithm to convert it to sum-of-products.


brute force is the only way, there is no flash or EEPROM to read PALs. https://en.wikipedia.org/wiki/Programmable_logic_device you must essentialy reverse engineer the logic gate combinations that are present in the chip. i.e. determine which fuses have been blown.