1 (edited by Shiru 2021-12-22 20:28:30)

Topic: Reverse engineering of a music greeting card chip

May be a very interesting read to some, the reverse engineering process of a music greeting card chip. There are numerous chips of this kind, but they function much alike, so it is very likely they all share a very similar design. Read the original tweets or a condensed thread.

TL;DR - it is a hardwired machine with a 64-byte ROM that uses 4 bits for pitch and 2 bits for duration. No real computations are going on here, it is not an MCU of sorts, just a very simple state machine. The most interesting part is how it produces the frequencies. I was wondering about this matter in regard to the Game & Watch, with its 32 kHz oscillator, and it seems this one uses the same trick: an RC-generated 32 kHz source gets divided with a 7-bit LFSR instead of an actual counter, which is also cheaper on the transistor count. Actual pitch for the 16 notes is pre-programmed with the values loaded to the LFSR, so it is not a square wave, but some bit patterns unique for each note.

As it is a mask ROM hardwired non-programmable chip, we can't really reprogram one for our needs. However, we can emulate it with a modern MCU, and drive it with a custom 64-byte sequence. Like, the tiniest ATTiny10 should be able to do the trick easily (and it has 1024 bytes, enough for a dozen short songs).

website - 1bit music - other music - youtube - bandcamp - patreon - twitter (latest news there)

Re: Reverse engineering of a music greeting card chip

Ha, I always wondered how those work. Nice read indeed, thanks for sharing!
The part about using LFSR to produce frequencies is most interesting. I tried to implement this idea in a ZX beeper engine once but didn't manage to reduce the overhead from needing to implement the LFSR in software down to a level where it would offer any advantage over just using 16-bit counters.

3 (edited by Shiru 2021-12-22 19:43:00)

Re: Reverse engineering of a music greeting card chip

In order to make a software emulator with very authentic sound and limitations, we need to read out the contents of a chip, and make a parser that would yield the melody that is contained in the chip.

There is a somewhat older but high-resolution photo of the UM66 die, so I used it to read out the mask ROM contents visually. This is the UM66T-19L variant that contains the For Alice (Für Elise) song. This video features a music card with this song, I guess that is what is encoded in the binary data below.

We know from the die photos that the LFSR is 7 bit, but the taps are unknown. There are different possibilities on that, and I can't figure out the actual one from the die photo (yet). The input frequency is presumably 32768 Hz, no intermediate dividers. There is a 9-bit divider (or that's a multiple of 9) for the clock frequency that somehow gets converted into the note durations (using another LUT), though.

One ROM on the die is 7x16 bits, that's presumably a pitch LUT for 16 pitches with 7 bits to initialize the LFSR. The weird part is that 3 of the 16 entries are all 0. The addressing is horizontal (0..15):

0000110001000011
0010001011110000
0001100001010101
0011110000100010
0011001110110101
0010100011000011
0011110010100010

Another ROM, the largest on the die, is 16x24 bit. That's presumably the song data that is presented with 6 bits per note (4 bits for pitch, 2 for duration), 64 notes total. 16 is 1/4 of the sequence length, so the addressing is partially horizontal (0..15 in the lowest 4 bits of the address), but the arrangement of the chunks is unknown:

1000001001111101
0000001001111101
0000010011111011
1100010001000001
1101010110100100
1101010110100110
1010101101001100
0011101110111110
1000000110000010
1000000110000010
0000001100000100
0011010011011110
0111110011010000
1111110011010010
1111100110100101
1010100101101010
1111111110111111
0111111110111111
1111111101111110
1111111111110110
1111111111110111
1111111111110111
1111111111101111
0111011101111111

Yet another ROM is 4x4 bits. That's presumably the note duration ROM, although presumably a song position is encoded as 4 bits pitch and 2 bits duration. Not sure why there are 16 bits then:

0110
1000
1010
1001


Re: Reverse engineering of a music greeting card chip

The arrangement of the chunks in the song ROM is likely visually linear - basically the first 64 bits of the data are bit 0 of the whole song, then the next 64 bits are bit 1, and so on (there is a binary decoder to the left of the mask ROM field, and its control lines seem to be parallel). So it should look more like:

1000001001111101000000100111110100000100111110111100010001000001
1101010110100100110101011010011010101011010011000011101110111110
1000000110000010100000011000001000000011000001000011010011011110
0111110011010000111111001101001011111001101001011010100101101010
1111111110111111011111111011111111111111011111101111111111110110
1111111111110111111111111111011111111111111011110111011101111111

This way it really looks like the duration is encoded in the two bottom rows (two top bits).

website - 1bit music - other music - youtube - bandcamp - patreon - twitter (latest news there)
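
The bit-plane layout proposed in the post above, together with the column-wise reading of the 7x16 pitch ROM from the earlier post, worked through in Python. This is an added example, not code from the thread; it assumes columns are addressed left to right, plane k holds bit k of each note, and the stored bits are not inverted, none of which the thread confirms.

```python
# Bit strings copied from the ROM dumps posted in the thread (UM66T-19L die photo).
PITCH_ROM = """
0000110001000011 0010001011110000 0001100001010101 0011110000100010
0011001110110101 0010100011000011 0011110010100010
""".split()

SONG_ROM = """
1000001001111101 0000001001111101 0000010011111011 1100010001000001
1101010110100100 1101010110100110 1010101101001100 0011101110111110
1000000110000010 1000000110000010 0000001100000100 0011010011011110
0111110011010000 1111110011010010 1111100110100101 1010100101101010
1111111110111111 0111111110111111 1111111101111110 1111111111110110
1111111111110111 1111111111110111 1111111111101111 0111011101111111
""".split()


def columns(rows):
    """Read a ROM column by column: entry i is bit i of every row, top to bottom."""
    return ["".join(row[i] for row in rows) for i in range(len(rows[0]))]


def zero_entries(rows):
    """Indices of entries whose bits are all 0 (the 'weird' pitch LUT entries)."""
    return [i for i, entry in enumerate(columns(rows)) if set(entry) == {"0"}]


def song_planes(rows, per_plane=4):
    """Join each group of 4 consecutive 16-bit rows into one 64-bit plane."""
    return ["".join(rows[i:i + per_plane]) for i in range(0, len(rows), per_plane)]


def decode_song(rows):
    """Return 64 (pitch, duration) pairs; plane k supplies bit k of each note."""
    notes = []
    for bits in columns(song_planes(rows)):
        value = sum(int(b) << k for k, b in enumerate(bits))
        notes.append((value & 0x0F, value >> 4))  # low 4 bits pitch, top 2 duration
    return notes


if __name__ == "__main__":
    lut = columns(PITCH_ROM)  # 16 entries of 7 bits; bit order within an entry is a guess
    print("all-zero pitch entries:", zero_entries(PITCH_ROM))
    for n, (pitch, dur) in enumerate(decode_song(SONG_ROM)):
        print(f"note {n:2d}: pitch={pitch:2d} duration={dur} lut_entry={lut[pitch]}")
```

If the decoded sequence does not resemble the melody, flipping one of the three assumptions (column direction, plane order, bit polarity) is the first thing to try.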

Re: Reverse engineering of a music greeting card chip

Random brainfart, maybe the 16 bits rom are mask values for some binary counter that is related to the pitch lut? I.e. the pitch lut contains base init values for the lfsr for one octave, and the 16-bit rom has something to do with selecting an octave.

Re: Reverse engineering of a music greeting card chip

While I was blindly experimenting with the extracted data trying to figure out how to make it work, Ken Shirriff made a huge post full of precious information on the chip internals. In fact it has been explored back in the 80s in an electronic magazine. So now it is totally possible to emulate the thing. I think the Arduino will be a good host - readily available, easily programmable. A more hardcore option would be an ATTiny implementation in assembly, it would function just like the original - one chip and no external components besides the battery and the speaker.


Re: Reverse engineering of a music greeting card chip

Excellent article, thanks. I have a hunch this lfsr trickery could also be useful for 1-bit engine code.

ATTiny would be an interesting hardware emulation backend to support in Bintracker, actually. So Bintracker could serve as an editor for greeting card melodies, haha. Perhaps that's overkill for something this simple though.

Re: Reverse engineering of a music greeting card chip

What about using Padauk PMS150c? Might make for circuitry small enough to fit into an actual gift card.

Re: Reverse engineering of a music greeting card chip

I think it is just fine, it has everything that is needed and the schematics can contain just a battery, chip, and piezo speaker. It has just half of the ATtiny10's power, but for a much lower price. The only problem is that the 150 has OTP memory, i.e. it can be programmed only once. There is the 154 that features Flash memory instead, the price is a tad higher.

I'm still trying to figure out the actual LFSR implementation to get proper pitches.
