Hacking a Sega Starship Troopers Pinball - LSE Lightning Talk · 2014-10-14
Hacking a Sega Starship Troopers Pinball
Pierre Surply
Playfield
Backbox
Replacing ROM
Address space
Reset circuitry
Conclusion
Hacking a Sega Starship Troopers Pinball
LSE Lightning Talk
Pierre Surply
EPITA 2016
Oct 14, 2014
Pierre Surply (EPITA 2016) Hacking a Sega Starship Troopers Pinball Oct 14, 2014 1 / 20
Playfield
Figure: Playfield
Backbox
Figure: CPU/Sound Board
Figure: IO Board
Figure: Power Supply (schematic; labels shown include BRDG21, F23, LM338K U19, +8VAC from the transformer, +10V and +5V)
Replacing ROM
Figure: ROM Summary
Figure: Homemade flash programmer
Figure: pinout mismatch
Figure: Mirroring
Figure: Bank system
Finding address space
Figure: Address decoding (schematic; two 74138 decoders, U204 and U205, with A0-A3; signals shown include IOSTB, AUXSTB, SOLA, SOLB, SOLC, FLMP, FLIP0, FLIP1, AUX0, AUX1, LMPSTB, AUXLMP and LMPDAV)
Figure: PAL16L8 (schematic of U213; signals shown: A9-A15, E, Q, VMA, RW, MPIN, XA0, ROMCS, RAMCS, IOPORT, SNDSTB and IOSTB)
Figure: Dumping PAL16L8
Using Quine-McCluskey method
ROMCS = A15 + A14
RAMCS = A15·A14·A13·(A12 + A11 + A10 + A9 + RW + MPIN)
IOPORT = A15 + A14 + A12 + A11 + XA0
IOSTB = A15 + A14 + A13 + A11
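The "Dumping PAL16L8" and Quine-McCluskey slides describe recovering logic equations from a chip's observed behaviour. The Python below is an added example, not code from the talk or from the sstpinball repository: it assumes the dump is a truth table obtained by driving every input combination, and uses a constructed stand-in function that implements ROMCS = A15 + A14 as the slide lists it, with A13 as an unused input. All function names are hypothetical, and the cover selection is greedy rather than exact.

```python
from itertools import combinations, product

def dump(box, n):
    """Drive all 2**n input combinations; return the rows where the output is 1."""
    return [i for i, bits in enumerate(product((0, 1), repeat=n)) if box(*bits)]

def combine(a, b):
    """Merge two implicants that differ in exactly one position, else None."""
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return a[:diff[0]] + "-" + a[diff[0] + 1:] if len(diff) == 1 else None

def prime_implicants(minterms, n):
    terms, primes = {format(m, f"0{n}b") for m in minterms}, set()
    while terms:
        merged, used = set(), set()
        for a, b in combinations(sorted(terms), 2):
            c = combine(a, b)
            if c:
                merged.add(c)
                used.update((a, b))
        primes |= terms - used      # anything that could not be merged is prime
        terms = merged
    return primes

def covers(imp, m, n):
    return all(p in ("-", b) for p, b in zip(imp, format(m, f"0{n}b")))

def minimise(minterms, n):
    """Cover the minterms: essential primes first, then greedy (not Petrick's method)."""
    primes, left, chosen = sorted(prime_implicants(minterms, n)), set(minterms), []
    while left:
        pick = None
        for m in sorted(left):
            cands = [p for p in primes if covers(p, m, n)]
            if len(cands) == 1:     # only one prime covers m, so it is essential
                pick = cands[0]
                break
        if pick is None:
            pick = max(primes, key=lambda p: sum(covers(p, m, n) for m in left))
        chosen.append(pick)
        left = {m for m in left if not covers(pick, m, n)}
    return sorted(chosen, reverse=True)

def equation(imps, names):
    """Render implicants as a sum of products; '/' marks a complemented input."""
    lit = lambda imp: [s if c == "1" else "/" + s for s, c in zip(names, imp) if c != "-"]
    return " + ".join("·".join(lit(imp)) or "1" for imp in imps)

if __name__ == "__main__":
    rom = dump(lambda a15, a14, a13: a15 | a14, 3)   # constructed stand-in for the PAL
    print("ROMCS =", equation(minimise(rom, 3), ["A15", "A14", "A13"]))
```

The first argument of the stand-in function is the most significant bit of the row index, so the `names` list must be given in the same order.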
Handle reset circuitry
Figure: CPU Watchdog (schematic; parts shown: DS1232 U210, 4020 U2, 74138 U214, 74HC374 U211 and SW200; signals shown include RESET, IORESET, BSEL, IOSTB, XA0-XA5, SWLO, DPSW, SWSTB, SWM, PLIN, POUT and STATUS)
Figure: IO Watchdog (schematic; parts shown: DS1232 U210 and 74273 U6; signals shown include LMPSTB, BRESET, RESET, D0-D7, DAV0-DAV7 and LAMP RETURN)
W00t !
Contact
Git: git.psurply.com/sstpinball
IRC: [email protected]
Mail: [email protected]
Twitter: @Ptishell