A Moogle  🏳️‍🌈 💻 🎮 🎶 🇸🇪

The NUM exploit is a bit more involved, but is basically an accidentally discovered method of /RESET-glitching the 68705 to enter NUM (Non-User Mode, a sort of debug mode meant for evaluation boards) even if the P5-only "SNM" security bit is set. (cont/d)

https://seanriddle.com/mc68705p5.html  explains the gist of using non-user mode on the MC68705P3/P5: tie Port C bit 0 to 7.5VDC through a resistor to enable NUM, and tie the 8 lines of Port A to VCC and GND through resistors such that they are being pulled to the "NOP" opcode, 0x9D. (cont'd)

The /RESET glitching to make the chip enter NUM even if the protection bit is set is very simple: Tie the /RESET pin high with a resistor. That's it. If you never actually assert /RESET low after power-up the chip gets very confused internally, and enters a glitchy... (cont'd)

variant of NUM where it pretty much just sequentially spams the contents of the internal EPROM out port B on every 2nd or 4th clock, and alternating with those clocks spits the current address out port B and port C bits 1, 2 and 3 in a somewhat weird bit ordering. (cont'd)

Note that if the SNM bit is NOT set on a P5 part and you try to use the glitched-NUM mode, the chip will sometimes only dump the data from 0x59D-0x7FF and then quickly jump back to 0x59D (this has to do with 0x9d being wired to port A). In this case, you need (cont'd)

to use the more complex method that device programmers like the BPMMicro BP-1200/BP-1400/BP-1410/BP-1600/BP-1610/etc use to dump/verify the internal EPROM, which involves manipulating port A in NUM to place a small program into the RAM of the device, and jump to that. (cont'd)

That small program then dumps the contents of the EPROM out of port B.

Thank you so much, this is a huge help! I just got up, I'll have to go over it again once my brain is running, but it looks like we can do the NUM attack with stuff we have on hand so that's fantastic. (cont'd)