Tricking the 6502 addressing to access 54KBytes of SRAM

eslapion
ultimate expander
Posts: 5458
Joined: Fri Jun 23, 2006 7:50 pm
Location: Canada
Occupation: 8bit addict

Re: Tricking the 6502 addressing to access 54KBytes of SRAM

Post by eslapion »

Kakemoms wrote:I understand you have personal objections, but without testing we would never know what is possible.
That's technical objections and they are the result of people far more qualified than me doing empirical research.
Edit: I remembered that NMOS is using a pullup resistor (load) on its output to push output high. In the event that the output is low, the NMOS transistors will pull that load as can be seen here: https://en.wikipedia.org/wiki/NMOS_logic. What we are doing here is basically pulling the same load externally. Still, testing will be the only way to make certain this is safe.
Actually what you're doing is using an external source of current to defeat the effect of the pull down transistor of a TTL-LS chip, not NMOS.

TTL-LS uses bipolar schottky transistors while NMOS uses FETs.

Since the original NMOS 6502 uses an enhancement mode FET for pull-down and a depletion mode FET for pull-up (not a resistor - TTL-LS chips do that), the way to pull down A13 with the minimum stress to components while achieving the correct logic threshold would be to pull it down no lower than 1V. That's below the threshold of 1.3~1.5V but minimizes the voltage drop. The pull-up transistor will still source the same amount of current but the power dissipated in it is Volts x current and will be lessened accordingly.
Be normal.
Kakemoms
Vic 20 Nerd
Posts: 740
Joined: Sun Feb 15, 2015 8:45 am

Post by Kakemoms »

eslapion wrote: That's technical objections and they are the result of people far more qualified than me doing empirical research.
Well, research requires data, and I don't see any data. Do you have some reference to this? I would say it's more likely that static electricity killed the cartridges as they tend to have their connector exposed while lying around.
eslapion wrote: Actually what you're doing is using an external source of current to defeat the effect of the pull down transistor of a TTL-LS chip, not NMOS.

TTL-LS uses bipolar schottky transistors while NMOS uses FETs.

Since the original NMOS 6502 uses an enhancement mode FET for pull-down and a depletion mode FET for pull-up (not a resistor - TTL-LS chips do that), the way to pull down A13 with the minimum stress to components while achieving the correct logic threshold would be to pull it down no lower than 1V. That's below the threshold of 1.3~1.5V but minimizes the voltage drop. The pull-up transistor will still source the same amount of current but the power dissipated in it is Volts x current and will be lessened accordingly.
Well this is confusing. According to Wikipedia:
Depletion-load processes replace this transistor with a depletion-mode NMOS at a constant gate bias, with the gate tied directly to the source. This alternative type of transistor acts as a current source until the output approaches 1, then acts as a resistor. The result is a faster 0 to 1 transition.

So, basically it acts as a resistor in this case, but if we pull it too far down it will go into current source mode? I can try to measure the actual current when I get back home (currently camping in Italy). It should show when the transition occurs.

Post by eslapion »

Concerning the data, here's the information from TI's datasheet:
In the case of the LS138 decoder, the recommended operating conditions indicate the maximum low level current should not exceed 8mA.

If you need to pour more than 8mA to defeat the !CS of the BASIC or Kernal ROM then you exceed the recommended limits.

Defeating an active low TTL-LS means you are above 1.5V and the lower you set your target voltage, the less current is required. But there is a safer solution.

If your objective is to defeat a high signaling address line from a 6502 made with NMOS process then your job is going to be extremely easy and much safer. Skoe says the Ioh for NMOS chips is about 500uA or 0.5mA and that's because this type of chip is designed to signal to TTL-LS chips which all have a 10kOhms pull-up input impedance so pull down always requires more current.

If one wanted to safely make a cartridge game that uses self modification as a form of copy protection then you'd simply have to make sure the CPU is trying to write high level values as you can't know if the ROM is CMOS (CMOS is strong current high or low) or not but you can be assured the CPU is NMOS; it will always have low currents on logic '1'.

I don't know if this is of any value to your project but I noticed there is one more address line on the cart port than is actually required. The largest addressable area from the cart port is 8k in size (BLK 1,2,3,5) and this requires 13 address lines to map completely however the address lines on the cart port are numbered CA0 to CA13 or 14 lines. This allows you to know if the CPU is addressing an even or odd BLK area; you can distinguish between BASIC and Kernal.

If CA13 is high and BLK 1,3 and 5 are also all high then you know for sure the CPU is addressing the kernal.
So, basically it acts as a resistor in this case, but if we pull it too far down it will go into current source mode? I can try to measure the actual current when I get back home (currently camping in Italy). It should show when the transition occurs.
Makes sense... when signaling a transition from 0 to 1, what matters most is to raise the voltage from 0 to 1.5 as fast as possible to get to a level where you have a logic 1. Then the rest of the transition from 1.5 to maximum can be much slower.

This is also a reason why one should never use 74HC logic ICs with NMOS chips. They use 2.5volts as a point of transition instead of the proper TTL value.

Post by Kakemoms »

eslapion wrote:Concerning the data, here's the information from TI's datasheet:
In the case of the LS138 decoder, the recommended operating conditions indicate the maximum low level current should not exceed 8mA.

If you need to pour more than 8mA to defeat the !CS of the BASIC or Kernal ROM then you exceed the recommended limits.

Defeating an active low TTL-LS means you are above 1.5V and the lower you set your target voltage, the less current is required. But there is a safer solution.

If your objective is to defeat a high signaling address line from a 6502 made with NMOS process then your job is going to be extremely easy and much safer. Skoe says the Ioh for NMOS chips is about 500uA or 0.5mA and that's because this type of chip is designed to signal to TTL-LS chips which all have a 10kOhms pull-up input impedance so pull down always requires more current.

If one wanted to safely make a cartridge game that uses self modification as a form of copy protection then you'd simply have to make sure the CPU is trying to write high level values as you can't know if the ROM is CMOS (CMOS is strong current high or low) or not but you can be assured the CPU is NMOS; it will always have low currents on logic '1'.

I don't know if this is of any value to your project but I noticed there is one more address line on the cart port than is actually required. The largest addressable area from the cart port is 8k in size (BLK 1,2,3,5) and this requires 13 address lines to map completely however the address lines on the cart port are numbered CA0 to CA13 or 14 lines. This allows you to know if the CPU is addressing an even or odd BLK area; you can distinguish between BASIC and Kernal.

If CA13 is high and BLK 1,3 and 5 are also all high then you know for sure the CPU is addressing the kernal.

Makes sense... when signaling a transition from 0 to 1, what matters most is to raise the voltage from 0 to 1.5 as fast as possible to get to a level where you have a logic 1. Then the rest of the transition from 1.5 to maximum can be much slower.

This is also a reason why one should never use 74HC logic ICs with NMOS chips. They use 2.5volts as a point of transition instead of the proper TTL value.
That is exactly what I tried to say in the start of this thread. A13, BLK1/3/5 all HIGH means that we are in BLK7, e.g. The Kernal ROM. Unfortunately A13 LOW doesn't tell us anything since we don't have BLK0 or 4 on the expansion port. So one needs to do unconventional things to decide if we are trying to access BLK6.

I agree on the 138 - it's harder to force, so I will focus on BLK7/Kernal ROM as one only needs to pull A13 from the 6502 LOW-ish (1.5Volt) to prevent ROM access. And only in the second half of the CLK2 being HIGH (as shown). Both (higher voltage and shorter time) limit the needed current to do this.

Post by eslapion »

Kakemoms wrote:That is exactly what I tried to say in the start of this thread. A13, BLK1/3/5 all HIGH means that we are in BLK7, e.g. The Kernal ROM. Unfortunately A13 LOW doesn't tell us anything since we don't have BLK0 or 4 on the expansion port. So one needs to do unconventional things to decide if we are trying to access BLK6.

I agree on the 138 - it's harder to force, so I will focus on BLK7/Kernal ROM as one only needs to pull A13 from the 6502 LOW-ish (1.5Volt) to prevent ROM access. And only in the second half of the CLK2 being HIGH (as shown). Both (higher voltage and shorter time) limit the needed current to do this.
If you pull A13 low when the kernal is accessed, you retarget the access to BLK6 which is BASIC ROM.

I suspect what you should do is pull A15 low which would retarget the access to BLK3. If you pull A14 low then you retarget the access to BLK5 which may also be good.

Post by Kakemoms »

eslapion wrote: If you pull A13 low when the kernal is accessed, you retarget the access to BLK6 which is BASIC ROM.

I suspect what you should do is pull A15 low which would retarget the access to BLK3. If you pull A14 low then you retarget the access to BLK5 which may also be good.
Okay, poor choice of words. If I pull A13 too low, it gets into Basic ROM. I tested this on a real Vic-20. But if you pull it "not so low", the data is messy. E.g. There is nothing that answers the address call, so datalines retain their last value (more or less). This is what happened in the last picture of the A1084 monitor I posted earlier in the thread (the poor picture that is half grey). When I get home again I can connect all the lines to my logic analyzer so it is easier to see.

Until then I can only worry about the beach, sun and too many mosquitoes. Ciao!

Post by eslapion »

Kakemoms wrote:That is exactly what I tried to say in the start of this thread. A13, BLK1/3/5 all HIGH means that we are in BLK7, e.g. The Kernal ROM. Unfortunately A13 LOW doesn't tell us anything since we don't have BLK0 or 4 on the expansion port. So one needs to do unconventional things to decide if we are trying to access BLK6.

I agree on the 138 - it's harder to force, so I will focus on BLK7/Kernal ROM as one only needs to pull A13 from the 6502 LOW-ish (1.5Volt) to prevent ROM access. And only in the second half of the CLK2 being HIGH (as shown). Both (higher voltage and shorter time) limit the needed current to do this.
Since you find I lack data to support my position, let me inform you for the record that Mike has a very similar opinion to mine concerning your approach to this idea.
Mike wrote:Kakemoms deliberately ignores some fundamental principles of digital electronics. It is not, and never was, a good idea to let two digital outputs play tug-of-war. However, as long as he only fries his own VIC-20 with those experiments, that's not my problem.
I still believe the best solution is to use a CPLD and pass the top 6 address lines of the CPU through a multiplexer to generate a fake address when accessing remapped areas.

Happy vacations...

Post by Kakemoms »

eslapion wrote:
Kakemoms wrote:That is exactly what I tried to say in the start of this thread. A13, BLK1/3/5 all HIGH means that we are in BLK7, e.g. The Kernal ROM. Unfortunately A13 LOW doesn't tell us anything since we don't have BLK0 or 4 on the expansion port. So one needs to do unconventional things to decide if we are trying to access BLK6.

I agree on the 138 - it's harder to force, so I will focus on BLK7/Kernal ROM as one only needs to pull A13 from the 6502 LOW-ish (1.5Volt) to prevent ROM access. And only in the second half of the CLK2 being HIGH (as shown). Both (higher voltage and shorter time) limit the needed current to do this.
I still believe the best solution is to use a CPLD and pass the top 6 address lines of the CPU through a multiplexer to generate a fake address when accessing remapped areas.

Happy vacations...
Oh well, it's an obvious way to solve the problem to play by the rules. Now, my professional field is physical electronics and I can only tell you that there are currents, voltages and heating involved. Nothing more or less. So if we apply a negative current to suppress the operation of a positive current (or vice versa) we get heat.

I agree that you don't normally want to heat a component unnecessarily, but in some cases you have to. In such cases it's all about heat management. In high-speed electronics that's what you do - you heat the components as the current density approaches the insane. You try to keep current and voltage low (smaller components, new materials), but it's all about density as smaller components give more power dissipation per square area.

For the 6502 you are talking about 8um gates which are huge compared to modern counterparts. The power draw of the processor is also very low, but as I said in a previous post I am not comfortable with drawing too much current out of a pin. The reason is that you can almost draw all the current (that goes into the 6502) out from a single address bus pin! So we have to limit it. It means reducing current or how long it is applied. So I am not saying I have the perfect way of accessing BLK7 and using it as SRAM, but it seems to work, at least for short periods of time.

As for any damage that may occur, I only repeat myself when I say I have to test it. If an NMOS 6502 can sustain 100mA output for a long time (hours) I would be very surprised. If it can sustain a lower current at longer time, I can re-test that by heating the component to 80C or 100C to see how long it survives. That is the "normal" way of lifetime testing. Because nothing lives forever.

Post by eslapion »

... as long as he only fries his own VIC-20 with those experiments, that's not my problem ...
As for the 6502, as I said, the NMOS version is more or less an open collector output IC with very little Ioh. If you pull low some of its output lines while it is signaling high, the "tug-of-war" should be measured in a few hundreds of microamps - no matter what the size of the gates. These are buffered you know, as shown by the detailed study of the 6561 by lance.ewing.
mrr19121970
Vic 20 Nerd
Posts: 873
Joined: Tue Jan 19, 2016 9:22 am
Location: Germany
Occupation: IT service manager

Post by mrr19121970 »

This is claiming to be a 64k ram expansion for the VIC20 ? Here


Post by eslapion »

@mr19121970
Yes and it does exactly what Kakemoms wants to avoid at all costs, paging.

This is absolutely not something you can use as a kernal replacement cartridge if that's what you had in mind. It shows up in the usual VIC-20 cart port dedicated memory areas.

Post by Kakemoms »

mrr19121970 wrote:This is claiming to be a 64k ram expansion for the VIC20 ? Here
Interesting! I didn't know that a 64K expansion was made in the heydays of the Vic. Those guys were forward thinking!

My other project here has a 128K or 256K paged expansion. But this thread is about non-paged expansion. It means you have to put a Kernal copy or replacement in BLK7 to make the Vic-20 boot. :wink:

Post by Kakemoms »

Just to follow up on this. I have been experimenting with different access modes into a CPLD from the Vic-20, and one of the things that I wanted to test was this unusual way of using the BLK7 area.

The reason is that the (missing) BLK7 signal can be "constructed" as

BLK7= NOT(BLK1 AND BLK3 AND BLK5 AND A13)

Thus, all the signals are available at the Vic-20 expansion port to see if the 6502 is accessing the Kernal ROM (>$E000).

This is interesting in a way, because access to the Kernal can be monitored, but I also wanted to test if one could "write" to this area from the 6502 and record the databus signal (e.g. the byte one wanted to store there). It was basically something I did out of curiosity (the scientist in me refusing to accept the obvious).

I can confirm now that this is impossible. It's not surprising since the ROM access does not involve any CRW signal from the 6502, so the ROMs are actually responding as the 6502 was reading, and voilà; massive databus conflicts can be seen. In that conflict, there is no way to record any data coming out of the 6502; the ROM response is too fast for the 6502 data to be seen.

All-in-all this has been discussed before, but from this I can confirm that writing to the ROM areas is a very bad idea and that it can damage your Vic-20 (over time). This has already been pointed out before, but now also experimentally.

There is a way to disable the ROM from responding, but that involves forcing the 6502 A13 output line LOW and is generally not a good idea due to the high currents involved. If one really wants to get access to memory "under" the ROMS (like in the C64), the only way would be to rewire the ROM CS lines (which, since most of the Vic-20 machines have socketed ROMS, is not so difficult).
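
The block decode discussed in this thread, as an added example that is not part of any post: it models what a cartridge can see on the expansion port, rebuilds the missing BLK7 select from the formula above, shows why A13 LOW is ambiguous, and shows where an access lands when one of the top address lines is forced low. Function names are hypothetical; the model assumes the top three address lines select one of eight 8K blocks and that the port carries active-low BLK1, BLK2, BLK3, BLK5 plus CA13, as stated in the thread.

```python
# Added example (not from the thread): VIC-20 8K block decode as seen
# from the expansion port. Names are hypothetical; select lines are active low.

CART_PORT_BLKS = (1, 2, 3, 5)  # block selects present on the port, per the thread


def block_of(addr):
    """8K block number (0-7) chosen by A15, A14, A13."""
    return (addr >> 13) & 0x7


def cart_port_signals(addr):
    """Levels a cartridge observes for a CPU address: BLKn is 0 when selected."""
    blk = block_of(addr)
    sig = {f"BLK{n}": 0 if blk == n else 1 for n in CART_PORT_BLKS}
    sig["CA13"] = (addr >> 13) & 1
    return sig


def blk7_n(sig):
    """Reconstructed active-low select: NOT(BLK1 AND BLK3 AND BLK5 AND A13)."""
    return 0 if (sig["BLK1"] and sig["BLK3"] and sig["BLK5"] and sig["CA13"]) else 1


def candidate_blocks(sig):
    """Every block that would produce exactly these port signals."""
    return [b for b in range(8) if cart_port_signals(b << 13) == sig]


def retarget(addr, line):
    """Block the decoder sees if address line 13, 14 or 15 is held low."""
    if line not in (13, 14, 15):
        raise ValueError("only A13..A15 take part in the block decode")
    return block_of(addr & ~(1 << line))


if __name__ == "__main__":
    # Constructed sample addresses, one per area of interest.
    for addr in (0x1000, 0x9000, 0xC000, 0xE000, 0xFFFC):
        sig = cart_port_signals(addr)
        print(f"${addr:04X} block {block_of(addr)} "
              f"BLK7={blk7_n(sig)} candidates={candidate_blocks(sig)}")
    for line in (13, 14, 15):
        print(f"A{line} forced low on $E000 -> BLK{retarget(0xE000, line)}")
```
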
Mike
Herr VC
Posts: 4816
Joined: Wed Dec 01, 2004 1:57 pm
Location: Munich, Germany
Occupation: electrical engineer

Post by Mike »

Kakemoms wrote:I can confirm now that this is impossible. It's not surprising since the ROM access does not involve any CRW signal from the 6502, so the ROMs are actually responding as the 6502 was reading,
... for the record, "as the 6502 was writing" ...
and voilà; massive databus conflicts can be seen. In that conflict, there is no way to record any data coming out of the 6502; the ROM response is too fast for the 6502 data to be seen.

All-in-all this has been discussed before, but from this I can confirm that writing to the ROM areas is a very bad idea and that it can damage your Vic-20 (over time). This has already been pointed out before, but now also experimentally.
No - that writes to ROM would damage the VIC-20, even if not immediately, but over time - that is only your own conclusion.

Unless CPU, ROMs and glue logic have been changed from the factory default, all involved chips are either NMOS or (LS-)TTL. In case of bus conflicts, the internal pull-up resistors of the output drivers will limit the sink current, and the result on the bus will still be a wired-AND in most cases - i.e. 0 dominates.

The situation changes, if one replaces either CPU or ROMs or both by CMOS variants. Then, bus conflicts really get interesting: when a CMOS EPROM outputs high on one of its data bus pins, and the NMOS 6502 makes tug-of-war with low, you have the maximum current. The same setup with 1 by CPU and 0 by EPROM has at least still the NMOS resistor in the CPU as current limiter. Similar considerations apply with CMOS CPU and original NMOS ROM. If both are replaced by CMOS parts, both 'directions' are equally dangerous and will overload the bus drivers within short time.

But, as I said, no issue with original hardware. And no need to stir up people.

Post by eslapion »

Mike wrote:Unless CPU, ROMs and glue logic have been changed from the factory default, all involved chips are either NMOS or (LS-)TTL. In case of bus conflicts, the internal pull-up resistors of the output drivers will limit the sink current, and the result on the bus will still be a wired-AND in most cases - i.e. 0 dominates.

The situation changes, if one replaces either CPU or ROMs or both by CMOS variants. Then, bus conflicts really get interesting: when a CMOS EPROM outputs high on one of its data bus pins, and the NMOS 6502 makes tug-of-war with low, you have the maximum current. The same setup with 1 by CPU and 0 by EPROM has at least still the NMOS resistor in the CPU as current limiter. Similar considerations apply with CMOS CPU and original NMOS ROM. If both are replaced by CMOS parts, both 'directions' are equally dangerous and will overload the bus drivers within short time.

But, as I said, no issue with original hardware. And no need to stir up people.
Correct!

I learned only a few years ago (from Thomas 'Skoe' Giesel) NMOS digital ICs can only pull-up a few microamps but they can pull down a few dozen milliamps so bus conflicts NMOS to NMOS aren't so bad but NMOS to CMOS do exactly as you said.

Although in the VIC-20, the CPU is rarely replaced with a CMOS version, most JiffyDOS installations replace the kernal with a CMOS (E)PROM, most RAM expansions and many VIC-20 game cartridges (mostly from companies other than Commodore) contain CMOS digital ICs - my Atarisoft Robotron 2084 does.

The Behr-Bonz multicart carries a CMOS 27C160 EPROM and the Megacart also has various CMOS ICs.
Last edited by eslapion on Sat Apr 15, 2017 8:07 pm, edited 2 times in total.