Saturday, April 7, 2018

Building a Simulation of the AY-3-8500

A glimpse at the partly-working simulation

Not long after I finished my last post, I decided to change the goals of this project from simply reverse-engineering blocks of the chip to building a gate-by-gate simulation of the entire chip. This is a huge undertaking, so I'll explain my decision-making process and describe how the digitization process works.

To recap, the General Instruments AY-3-8500 was an entire "Pong-like" game system on a chip introduced in the mid 1970s. In early 2017, Sean Riddle obtained, opened, and photographed a specimen. In my first (and only) post I explained the chip's pin layout, and showed how the ground and power are routed throughout the chip. It's not much, but you can read about it here.

Why build a simulation

Originally I planned to reverse engineer blocks of the chip from the outside in, starting with the Sync and Clock circuitry. This process consists of following and marking the conductive traces visible in Sean's images. These traces can form transistors by crossing regions of polysilicon, the whiteish-yellow areas in the image. If you follow the traces connected to the other parts of the transistor, you should be able to eventually build a circuit diagram of key areas of the chip.

This is easier said than done. First, this chip has a ton of transistors (approximately 3189). Thankfully, a few thousand is a lot less than the billions that make up modern microprocessors. This still means a lot of connections, so isolating even a single circuit is difficult. Second, these components are quite hard to see. The thinnest features (the diffusion lines) are as little as three pixels wide, and in some areas, almost indiscernible.

A single transistor, only a few pixels across

Given these circumstances, it was all but guaranteed that I would make an error in the process of reverse-engineering. Fixing any errors would be quite hard because testing is very difficult. The solution to this? Build a digital model of the chip.

The Visual 6502 Project

Much of the inspiration for this undertaking came from the amazing work of the Visual 6502 team. The team has obtained, decapped, imaged, and digitized samples of notable chips. This information allowed them to create a simulation of these tiny computers down to the level of individual transistors. Not only did these dedicated individuals build simulations of these amazing machines, the code necessary for the JavaScript simulations is open source, allowing anyone to simulate other chips.
A screenshot of one of their simulations

Creating a simulation of the AY-3-8500 would greatly aid reverse-engineering, bug-fixing, and educational value. It is an excellent specimen of a 1970s-era application-specific chip (ASIC). With these benefits in mind, I set out on converting Sean Riddle's die photos into a working simulation.

Digitizing The Chip


The simulation represents different components of the chip with lists of coordinates defining the edges of different traces and transistors, as well as their properties. To digitize a chip, one must somehow turn the die photos into massive files containing this information. While the simulation code is available on GitHub, I couldn't find what tools they used to create these.
A closer look at the simulation, the visuals are built out of polygons


I got in contact with some members of the Visual6502 team, who told me that the Python scripts they used to create the segment and transistor files were never released publicly. I decided to set out and create my own "Image Compiler" to do this. As no one has shared one of these, I'm planning on putting mine (called ChipTools) on GitHub once it's done.

I'm not too familiar with the ins and outs of advanced image manipulation tools as I've never needed them. MS-Paint got the job done for me when I needed to make simple graphics. Because of this, I decided to design ChipTools to process images edited by basic paint programs. Below is an unedited section of the chip, next to it is an edited version that, when converted to a JavaScript file, will produce the list of polygons for the top metal layer. I used mtPaint, a GPL program with a simple interface, to edit the original image.


As you can see, the process involves drawing solid-color boxes on top of where the metal wires are. I created five total files for the four (important) layers of the chip: metal, vias, polysilicon, and diffusion. The vias and polysilicon were drawn into a single file (to help line them up) which was read twice. The fourth file contained only four polygons which create some of the characters at the bottom of the chip.



Here are the other layers. In the left image, the yellow indicates polysilicon, which makes up the transistors. As this chip is NMOS, the transistor will turn "on" whenever the metal on top of it has a high charge (Vss). This electrically connects the diffusion (grey in the right image) on either side of the transistor. The purple squares are the vias; these connect the diffusion with the metal above. Lastly, the orange areas are pull-up transistors. They connect to Vss and keep a section of the circuit pulled high, until a transistor grounds it. The simulation needs to treat pull-up transistors differently, which is why I gave them another color. While drawing the transistors I realized I could save a good amount of work by programming the ChipTools compiler to recognize which are pull-ups (by detecting if they're connected to Vss).
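As an added example (not ChipTools or Visual6502 code), here is one way a painted layer can be turned into regions and boxes, with pull-ups picked out by their connection to Vss. The character grid, the colour letters and the `VSS_SEED` pixel are constructed assumptions, and each transistor is reduced to its bounding box because the painted shapes are boxes.

```python
from collections import deque

# Constructed stand-in for a painted image: d = diffusion, t = transistor, . = bare
PAINTED = [
    "dddddddddd",
    "...t......",
    "...d......",
    "...dddtddd",
    "...d......",
    "...t......",
    "dddddddddd",
]
VSS_SEED = (0, 0)  # assumed (row, col) of a pixel known to lie on the Vss rail

def neighbours(y, x):
    return ((y + 1, x), (y - 1, x), (y, x + 1), (y, x - 1))

def regions(grid, colour):
    """Flood-fill each 4-connected area of one colour; returns a list of pixel sets."""
    seen, found = set(), []
    for r, row in enumerate(grid):
        for c, ch in enumerate(row):
            if ch != colour or (r, c) in seen:
                continue
            region, queue = set(), deque([(r, c)])
            seen.add((r, c))
            while queue:
                y, x = queue.popleft()
                region.add((y, x))
                for ny, nx in neighbours(y, x):
                    inside = 0 <= ny < len(grid) and 0 <= nx < len(grid[ny])
                    if inside and grid[ny][nx] == colour and (ny, nx) not in seen:
                        seen.add((ny, nx))
                        queue.append((ny, nx))
            found.append(region)
    return found

def bounding_box(region):  # (left, top, right, bottom), right/bottom exclusive
    ys = [y for y, _ in region]
    xs = [x for _, x in region]
    return (min(xs), min(ys), max(xs) + 1, max(ys) + 1)

def compile_layer(grid, vss_seed):
    """Return diffusion nets and transistors, flagging those that touch the Vss net."""
    nets = regions(grid, "d")
    vss = next(i for i, net in enumerate(nets) if vss_seed in net)
    transistors = []
    for channel in regions(grid, "t"):
        touching = {i for y, x in channel for p in neighbours(y, x)
                    for i, net in enumerate(nets) if p in net}
        transistors.append({"box": bounding_box(channel),
                            "nets": sorted(touching),
                            "pullup": vss in touching})
    return nets, transistors
```

On this grid only the top transistor borders the Vss net, so it alone is flagged as a pull-up; the other two join ordinary nets.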

Even without the source files complete, I managed to add them to the simulation. Of course, as the chip is missing a large section, it doesn't work yet. It is a good visual demonstration of what's been digitized so far.

The simulation, note the missing area of diffusion (pink) in the upper right.

What's Next?


This project has been steadily progressing in my available free time since late January. As of this post, the compiler code is almost complete. I've done the painstaking task of tracing out every metal connection, transistor, and via on the chip. The tracing of the diffusion layer is about 70% complete. Once I'm done with it I'll have to debug any errors or missed components in the simulation. After the chip seems to be working, I'll need to create an interface so that I, and eventually everyone else, can view the chip's output, as well as turn various circuits on and off.

In the meantime you can comment or ask questions below. Hopefully the next post won't be too far in the future, as the simulation is close to being functional.

Saturday, January 20, 2018

Reverse Engineering the AY-3-8500, part 1: Demystifying the Pins

Sean's chip prior to decapping

Back in the mid-1970s, home video games were just starting up. Before Overwatch, Battlegrounds, Final Fantasy, Mario, and even Space Invaders there was PONG. The simple game involved little more than a ball of light and a pair of paddles, yet is an iconic demonstration of video games' humble beginnings. I decided that as a personal challenge/hobby project I will attempt to reverse engineer one of these PONG systems, specifically one that could fit onto a single chip. I'll post my discoveries as well as my progress here to document how a tiny system like this worked.

The General Instruments AY-3-8500

Many microchips have detailed histories behind them, and this particular one is no exception. Here is a brief rundown. In late 1972 Atari released the first arcade versions of PONG to immediate success. It was so successful, in fact, that numerous other companies copied the design and sold "clones" of the system. Atari tried to keep ahead of the copycats, but with the increasing pace of integrated circuit technology, a new market was opening. In 1973 Atari began to envision shrinking the dozens of chips in the arcade machines into a single integrated circuit, and selling it as a device which consumers could plug into their TV and play at home. By Christmas of '75 Atari released their home PONG system (originally under the Sears brand name). It was an inexpensive system allowing two people to play a game of PONG together on their TV, in COLOR!! The numerous clone makers quickly attempted to follow Atari into this new market, which was not as easy.
A standard PONG system from the time. Courtesy of David Winter at Pong Story

For a system to contain all of the necessary circuitry at a price/size acceptable for home use, custom circuits had to be designed. Atari had a 2+ year head start over its competition in this regard, and refused to share its chips with its competitors. Magnavox contracted with Texas Instruments to design and supply a set of chips suitable for a home system. General Instruments, a large chip producer at the time, had an idea on how to capitalize on this business. They would design and produce a capable Pong-game chip similar to Atari's, and sell it to anyone. Thus the creatively named AY-3-8500 was born, and numerous companies built their own Pong-game consoles with GI's chip at their heart.

For more history on these early video games, I strongly suggest checking out Pong Story. It has a great repository of information including the explanation above, as well as documentation relating to this chip.

The AY-3-8500 has the capability to play seven different games. By "games" I mean five variations of Pong-style games, as well as two target shooting games if a light gun was connected. Some additional settings allowed difficulty adjustment. An RF modulator was required to interface its output to an analog television set. Signals were in monochrome, although color was possible with a support chip. Its circuitry could produce 3 different beeps during gameplay, as well as display the score on the top of the screen. I'll attempt to find out which sections of the chip correspond to these different functions, as well as how they are implemented in silicon.

The Die Photos

Decapping a chip like this is not very easy. First you have to get a hold of one. If you're looking for a particular chip, peer-to-peer trading sites like eBay might have a device which contains one, or the chip itself. Second, if the chip is in a ceramic or round package a hacksaw and/or hammer can get it open. Unfortunately, this particular chip is packaged in epoxy, which means near-boiling nitric acid is required to chemically attack its package. Lastly, a strong metallurgical microscope is needed to photograph the internals. (A metallurgical microscope shines light from above, unlike a biological one which shines from below.)

As I had no desire to mess around with fuming acids (again), I was delighted to find that Sean Riddle had obtained, decapped, and done the necessary photography and image-stitching in February of 2017. His post about it is here. Sean has decapped dozens of chips on his website and blog, but many chips, like this one, have not had any reverse-engineering work done on them yet.

This particular chip is the AY-3-8500-1, the NTSC-specific design. According to the packaging it was made in the 43rd production week of 1976, over 41 years ago.
The AY-3-8500, before and after metal removal
Above are the two die photos. They look quite different, despite being the same chip. The one on the left is the surface of the chip after being decapped. The one on the right is the same chip after being treated by further acid or ultrasonic cleaning (I'll ask him about details on this particular decapping). Sean's post also has a third die shot which is shown below. That picture is similar to the first one, with more epoxy residue remaining.

Having both photos will be very helpful. Those light grey strips in the left picture are the conductive traces on top of the chip. They electronically connect various components together. Not all the action is on the surface, though. With the metal removed you can have a clearer look at what happens in the polysilicon and substrate layers, as in the right photo. I'll have more on the layers and transistor structure later.

Inside The Chip

The chip doesn't have any copyright/ownership markings on it, which was common at the time. It does have a number and some letters at the bottom middle of it.
"30285"
"1 3 567 K K JLJ"
Unfortunately, I can only speculate on the meaning of these. I searched online for information on GI chip labeling but came up empty. The 30285 might be an internal part code, or mask revision. The letters might be the initials of the chip's designers (personal markings on chips were also common). Interestingly, said letters appear different colors because they are each made from a different layer (or doping type) of the silicon.
The chip surface before it had additional cleaning
Looking at the overall chip surface, you can see that it lacks any large repeating areas which would be present if the chip contained RAM or ROM banks. This rules out the possibility that the chip is being run by an internal microcontroller; instead it seems to be a (mostly) digital state machine.

Around the edge of the chip are 24 pads which connect to the DIP pins on the outside of the chip's packaging. I found a diagram of the chip's pins on Pong Story. I was confused for a second because the package has 28 pins; four of these pins, however, are unused and thus not connected to the physical chip.
The pin-out of the chip. From the GI Catalog
The next thing to do was to match up the 24 different pins to the 24 pads on the chip. Two pads which should be easy to identify are the "Power" (VCC) and Ground pads. Integrated circuits are mounted on a substrate which is commonly grounded to disperse stray charges. This substrate is connected to the outermost edge of the chip, which forms a grounded ring. Metal traces branch off from this ring into the circuits to provide ground connections as needed. This grounded ring is also connected to one of the pads, which should connect to the external ground pin.
The Ground pin, connected to the outer ring

According to the diagram, the Ground pin is two pins away from the VCC (Power in) pin. I took a close look at the two pads which could possibly be the VCC pin.

The lower pad seems to be disconnected from the rest of the chip. If you look closely, a thin strip of doped silicon (slightly discolored) conducts electricity from the pad to an internal circuit. Doped silicon has more resistance than metallic traces, and I doubted that all of the chip's power would flow through that tiny connection.


The upper pad with the capacitor 
Next, I looked at the upper pad, which confused me because there was what seemed to be a smaller pad next to it. That small pad had no evidence of a bond wire attached to it, so I ignored it. The larger pad has a metallic trace leading to the internals of the chip. Following this trace, I found that it branched throughout the entire chip. I marked the ground connections and the connection to the upper chip and found that the two had "branches" in every part of the chip. As high and low logic levels are needed to build most logic gates, I can conclude that this top pad connects to the VCC pin (+6V according to the catalog).

  
The lower pad. Note the doped silicon
The "tiny pad" below the upper pad is only connected to the VCC pin. This would seem to make it pointless; however, the darker doping beneath it (seen in the picture with metal removed) will cause it to act as a weak capacitor. The ground pin is connected to another one of these, which probably serve as small buffers in case of minor power fluctuations.

Pin Labeling

Once I knew the function of two pads, I could match each pad with each external pin. The gold bond wires do not cross, so the pad next to pad A on the chip should be connected to the pin next to pin A.
The die surface with pins and power paths marked

I typed the function of each pin next to the pad it connected to. Here you can also see how the Ground (red) and VCC (blue) traces branch throughout the chip. Interestingly, neither "main line" crosses the other anywhere in the chip, although many data lines travel under them via doped silicon on the bottom of the chip.

After labeling the chip I began to doubt my logic. What if I had the Ground and VCC lines swapped? To make sure my labeling scheme was the correct one, I looked closely at an input pin and an output pin. The Practice pin is connected to the internal circuitry by a thin area of doped silicon. The Score/Field pin, however, is connected to the internal circuitry by a (relatively) large driver transistor, necessary to boost the weak on-chip signals to the current necessary to communicate with other components on the circuit board.
Two IO pins, with the Ground and Power traces indicated
Once I checked all the pins, I found that all input pins lacked these driver structures, while all output pins had them. This confirmed my original pin-pad correlations.
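The two checks in this section, as an added example on constructed data for an imaginary 8-pin package (not the AY-3-8500 pin-out): ring order plus the two power pads still admits a mirrored labeling with Ground and VCC swapped, and the driver-transistor observation is what rejects it. All pin names, the pad order and the function names are assumptions made for the illustration.

```python
# Constructed package: pins in numeric order, None marks a pin with no bond wire.
PINS = [None, ("GND", "power"), ("IN_A", "in"), ("VCC", "power"),
        ("OUT_A", "out"), None, ("OUT_B", "out"), ("IN_B", "in")]
# Pads in the order met walking around the die edge; True = driver transistor seen.
PAD_HAS_DRIVER = [False, False, False, True, True, False]

def bonded(pins):
    """Drop unbonded pins, keeping package pin numbers: (number, name, kind)."""
    return [(num, *p) for num, p in enumerate(pins, 1) if p]

def candidates(pins, n_pads, pad_a, pad_b):
    """All pad->pin labelings that keep ring order and put GND/VCC on the two power pads."""
    ring = bonded(pins)
    assert len(ring) == n_pads, "every bonded pin needs exactly one pad"
    gnd = next(i for i, p in enumerate(ring) if p[1] == "GND")
    found = []
    for gnd_pad, vcc_pad in ((pad_a, pad_b), (pad_b, pad_a)):  # as marked, then swapped
        for step in (1, -1):                                   # same or mirrored direction
            mapping = [ring[(gnd + step * (pad - gnd_pad)) % n_pads]
                       for pad in range(n_pads)]
            if mapping[vcc_pad][1] == "VCC":
                found.append(mapping)
    return found

def consistent(mapping, has_driver):
    """Output pins must show a driver transistor; inputs and power pads must not."""
    return all((kind == "out") == seen
               for (_, _, kind), seen in zip(mapping, has_driver))

def label_pads(pins, has_driver, pad_a, pad_b):
    """Return (anchor-consistent labelings, those that also pass the driver check)."""
    cands = candidates(pins, len(has_driver), pad_a, pad_b)
    return cands, [m for m in cands if consistent(m, has_driver)]
```

With power pads at positions 0 and 2, two labelings satisfy the anchors, and only the unswapped one agrees with where drivers were seen.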

Done For Now

Looking closely at Sean Riddle's die photo, I connected each pad to each external pin. A paint program helped mark out the extent of the Power and Ground connections. Along the way, I discovered a few more things which I will explain in my next post. Due to the chip lacking major identifiable blocks, working inward from external connections will be the best way to reverse-engineer this.

In the next part, we'll dive headfirst into the chip's different layers and how this forms the transistors seen above. Then I'll trace how the chip generates vertical and horizontal sync signals from the 2 MHz clock. In the meantime, feel free to comment and ask questions below.

Also, if you find old electronics and chip reverse-engineering interesting, I recommend checking out Ken Shirriff's blog. I learned most of my chip structure knowledge from his posts.