REI <==> Reverse Engineering, Inc.

Why (and How) I Did This Project

Enough people have written asking why, so I decided to offer an answer.

Back around late March of 1996 when these mod chips first became available, there was a lot of querying on the newsgroups as to what this chip could be that makes it cost as much as $80. Several people (myself included) had this vision of folks buying an eighty dollar NAND gate.

It didn't turn out to be that simple, of course. Through experimentation several folks found out that the "14-pin" chip was in fact a hacked-off 18-pin microcontroller known as a PIC16C54. (This was accelerated by the fact that some of the chips started appearing with the device number left intact--the chip sellers were getting tired of scraping off the number.)

This bit of news started several reverse-engineering efforts from April 1996 through December 1996. I would see the occasional post about engineers looking to collaborate with other engineers on figuring out the chip. I made a web site in those early months listing all of the information the impromptu team of engineers had managed to determine. But then a curious thing happened...

One by one these engineers started disappearing from the joint effort. I myself was not actively working on the reversing of a mod chip in this early going; my intent was to collect as much information as possible before attempting my own project. But these disappearing engineers made me curious. Then I determined what was happening:

As each interested party figured out how the mod chip worked, they suddenly "clammed up." The idea was to participate in the joint effort right up until a successful reversing was accomplished. Then, as was likely the goal from the start, they kept the information private so as to churn out and sell a bunch of mod chips at well under the price of current sellers. This would drop the price from about $60-$80 to $30-$40. As far as prices go, this is exactly what happened. As more and more people reversed the chip (I estimate about half a dozen or so as of November 1996) the price went down further as both original sellers and reversed-chip sellers went competitive. And yes, no doubt some of the price drop was a result of original sellers and their distributors competing, but the effect of the reversed chips was just as, if not more, significant.

In late November of 1996, I finally got my hands on an actual mod chip. After all that time, no one had yet offered source code for the thing. I decided to attempt my own reversing of the chip--and I didn't even know PIC assembly language! I do, however, have extensive experience with embedded hardware and various other microcontrollers. I decided that whatever the PIC mod chip was doing, it couldn't be very complicated, as it only had half a kiloword (12-bit instructions) of ROM. The goal of my project was simple: if I figured out how to make one of these mod chips, I would give the source code out to anyone who wanted it. None of this hidden-agenda "figure it out and then keep it to myself so I can sell them" stuff. I do offer them for sale, but I do NOT keep my source code private! Anybody that wants it can get it from these web pages.

I fashioned a ribbon cable to attach to the ten wiring points in the console and brought the cable out to a DIP header. That way, I could operate the machine completely assembled and still have access to the signals of interest.

A few things were obvious from the outset: +3.5v power to the chip, a 4MHz clock, the reset line was used, and the door switch was one of the signals. That left only five wires to figure out. I attached my logic analyzer to the signal wires and started collecting information. Half an evening into the project, I decided that three of those remaining wires weren't doing anything at all. Those three wires were just "camouflage" to discourage us reverse-engineers. (I did speak with one of the first people to reverse the chip about this later; he confirmed my suspicion that the wires were bogus.) This left two wires to figure out.

Addendum 02/14/97 -- After examining the source code for an original 10-wire mod chip, I must confess I was wrong: the three "fake" wires *did* have a function. However, this function turned out to be unnecessary. This is why the 10-wire version could be reduced (after removing references in the source code) to the 7-wire version.

Those two remaining wires turned out to be the ones that actually did the work. I drew a crude schematic of the circuit to which the wires attached, and was able to determine that one of the wires, when brought "active low," would block whatever original data was going through the circuit. I call this the "gate" wire. The other wire, the "data" wire, provides replacement data once the original data is blocked.

The only thing left to do was determine the data provided by the mod chip. Fortunately, my logic analyzer has a huge sample buffer and can sample high-speed data for up to a minute. It turns out I didn't need it. After examining the initial data for the "data" pin (pin 7), it proved to be a slow serial data stream at about 4 milliseconds per bit. (My analyzer could sample this data stream using 1ms samples for over an hour!) As it was, the serial data output by the mod chip repeated every six seconds. The only remaining task was to convert the serial data timing diagrams of the analyzer into a data block a microcontroller could use. This data block appears in the source code archives. The project was almost complete.
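The last step described above, turning a logic analyzer's evenly spaced samples of a slow serial line into a byte table, is a generic decoding job. The following is an added example of that step, not code from the original page or from any of the REI source archives; the trace it decodes is constructed (a 16-bit pattern at 4 ms per bit, repeated three times, sampled every 1 ms) rather than captured from any hardware, and the "shortest run is one bit" rule for finding the bit time is an assumption that holds for this kind of clean, slow stream.

```python
"""Decode evenly spaced 0/1 logic-analyzer samples of a slow serial line
into a byte block.  Added example; the trace below is constructed."""

from itertools import groupby

SAMPLE_MS = 1   # analyzer sample interval in ms (1 ms samples, as in the text)
BIT_MS = 4      # nominal bit time in ms used to build the constructed trace

# Constructed capture: one 16-bit pattern held for 4 samples per bit,
# repeated three times so the repeat-period finder has something to find.
PATTERN_BITS = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0]
CONSTRUCTED_TRACE = [
    bit
    for rep in range(3)
    for bit in PATTERN_BITS
    for k in range(BIT_MS // SAMPLE_MS)
]


def run_lengths(samples):
    """Collapse a 0/1 sample list into (level, run_length_in_samples) pairs."""
    return [(level, sum(1 for _ in run)) for level, run in groupby(samples)]


def estimate_bit_samples(samples):
    """Bit time in samples.  Assumes the shortest run in the capture is one bit."""
    return min(length for _, length in run_lengths(samples))


def decode_bits(samples, bit_samples):
    """Round each run to a whole number of bits; tolerates small timing jitter."""
    bits = []
    for level, length in run_lengths(samples):
        bits.extend([level] * max(1, round(length / bit_samples)))
    return bits


def repeat_period(bits):
    """Smallest p (at most len/2) such that the stream repeats every p bits, else None."""
    n = len(bits)
    for p in range(1, n // 2 + 1):
        if all(bits[i] == bits[i + p] for i in range(n - p)):
            return p
    return None


def pack_bits(bits, msb_first=True):
    """Pack a bit list into bytes for a microcontroller table (last byte zero-padded)."""
    out = []
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8]
        chunk = chunk + [0] * (8 - len(chunk))
        if not msb_first:
            chunk = chunk[::-1]
        value = 0
        for b in chunk:
            value = (value << 1) | b
        out.append(value)
    return out


def to_data_block(samples, sample_ms=SAMPLE_MS):
    """Full pipeline: bit time, repeat period and one cycle of the stream as bytes."""
    bit_samples = estimate_bit_samples(samples)
    bits = decode_bits(samples, bit_samples)
    period = repeat_period(bits)
    one_cycle = bits[:period] if period else bits
    return {
        "bit_ms": bit_samples * sample_ms,
        "period_bits": period,
        "period_ms": period * bit_samples * sample_ms if period else None,
        "block": pack_bits(one_cycle),
    }


if __name__ == "__main__":
    result = to_data_block(CONSTRUCTED_TRACE)
    print("bit time: %s ms" % result["bit_ms"])
    print("repeats every %s bits (%s ms)" % (result["period_bits"], result["period_ms"]))
    print("data block:", ", ".join("0x%02X" % b for b in result["block"]))
```

The repeat-period check is deliberately strict (every bit must match across the whole capture), so it only needs to see two full cycles; on a real capture you would trim the partial cycle at the start and end before running it. Only one cycle of the decoded stream is packed, since that is all a microcontroller needs to replay a periodic stream.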

Since I knew Z8 coding extremely well, I chose a Z86E02 (another 18-pin microcontroller) as the target device for my initial mod chip source code. Having a Z86E0x in-circuit emulator and programmer didn't hurt, either. :) I wrote a quick program to emulate the delays and serial data of the original mod chip. I loaded it into the Z8-ICE and attached it to my console.

It worked the VERY FIRST TIME!

I resurrected my REI mod chip project site, added pages describing the Z8 version, and added the source files. Later, since every mod chip up to that point had been a PIC16C54, I decided "why not" and, as my first PIC project, wrote the PIC16C54 source code available on these pages. Hearing of the PIC12C508 (8-pin chip), I decided to write a version for it, as have a couple of other people.

And that is the story of how I decided to not only reverse the chip but actually do what no one else was willing to do: give you the source code.

     ---The Old Crow, January 1997

Scott Rider -- chip@aeug.org