Atmega USB 256 IC


navy2
12-21-2007, 04:43 PM
There are four IC on this card.
Does someone have the number of these IC ??

fubr
12-21-2007, 04:53 PM
Good luck finding them...and if you do, good luck unlocking one of them.
I guess it is secret.
By all means share if you have any luck though.

navy2
12-21-2007, 08:50 PM
The number must be on each of these IC.
Also, these IC are not locked

recog
12-21-2007, 09:33 PM
:) The ATMEGA is a 2561 part -- 16 MHz rated ...
The FT232R ( or FT232RL ) part is the USB to RS232 converter ...
There are TWO eight pin parts ... One is a clock generator chip (number and pin out unknown!?) and the other is likely a 93C46 EEPROM ... A schematic and some good photos of the board are now being posted.... THE LABELS on the ICs HAVE BEEN GROUND OFF ! ... wonder why ? ... hope this helps ... I'm all for DIY !!!
Can someone provide more info ? The part number for the clock gen IC ? ...
Can someone read the 93C46 and provide a dump ? LET'S go DIY !!!! ....
( This should be on the DIY channel before it goes black !!!! ... )

navy2
12-21-2007, 09:42 PM
Thanks ...
it is a beginning

fubr
12-21-2007, 09:46 PM
Good luck... you will indeed make history if you crack this industry trade secret :)

navy2
12-21-2007, 10:17 PM
It's not a big secret. This is only a microcontroller, EEPROM, clock and interface.
It could be interesting to do your own card (for hobby) for someone who is used to playing with electronics.
But for most of us, it is better to buy this card.

fubr
12-21-2007, 10:23 PM
That's why I have a :) at the end to show my humorous intent.

ruciz
12-21-2007, 11:39 PM
The only way you would be able to make one of these is if you incorporated a 4066 switch and made it internal with a USB port out the back.. then just use it like an FTA with a cardslot switch. Saying so, it's likely there's encryption on the card itself so clones are not easily made and usable with fab5's releases.

Unless you have access or own your own fabrication shop.. the wafers are too thin and likely multi-layer.. cheaper, easier and quicker to buy.

agapi
12-24-2007, 04:41 PM
The only way you would be able to make one of these is if you incorporated a 4066 switch and made it internal with a USB port out the back.. then just use it like an FTA with a cardslot switch. Saying so, it's likely there's encryption on the card itself so clones are not easily made and usable with fab5's releases.

Unless you have access or own your own fabrication shop.. the wafers are too thin and likely multi-layer.. cheaper, easier and quicker to buy.

It's only two-layer and a shop downtown sells the correct thickness at $5 for 2 sq. feet.

DIY FTW.

van2
01-12-2008, 02:24 AM
Well, if someone can measure the clock frequency and observe if the clock changes in real time. I guess this is the Phase Lock Loop which can be controlled by the ATMEGA chip ???? or by the receiver's clock ??? Otherwise we just dump the EEPROM and put it in the ATMEGA128, it should work. I remember the AVR using this kind of chip to generate the clock synchronized with the receiver....to avoid the jitter

cad4fta
01-13-2008, 10:10 PM
recog:

The two 8-pin ICs are what package type? Do you know? You also mention that photos and a schematic are to be posted; any luck with that yet? Would appreciate a link!! Are you sure that the EEPROM is a 93C46 ....... I have seen elsewhere that it may be a 24LC512 but these are quite different chips.

Anyone with an update to these questions would help the DIY process since I have a source that can do the CAD work and the board manufacturing. I am sure this is a 2 layer board, the 128 was and the connectivity is not any more complicated on this one ......... and even if it is a multilayer it still would not be a problem.

In summation I would appreciate the following:

1. Schematic and photos as mentioned by recog (or someone else if you have them)
2. The package format for the 2 - 8 pin chips (SOIC-8 possibly??)
3. Does anyone know for sure the Eeprom part number???
4. The clock generator chip part number???
5. If someone out there has one of these units I would appreciate some input as to whether this is a 2 layer or a multilayer, you should be able to tell and if you can't I will ask you some questions and will know by the answers.

I am presently waiting for a schematic that has been reverse engineered from an actual board but any answers to the questions above will move this along much faster. Thanks in advance for anyone's help, very much appreciated.

PS: Yes this is my first post in this forum since this was the first thread I could find in Google that spoke about the component parts.

Regards, cad4fta.

cad4fta
01-28-2008, 12:24 AM
Nobody out there that can help??

ersatz
01-28-2008, 07:48 AM
Without a bootloader it's going to be worthless anyways.

empulse
01-28-2008, 03:01 PM
Bootloader on a USBAtmega 256 can be dumped, we just apparently don't have many hackers willing to attack the card, or if already done people haven't made it public. That is if the bootloader is just the watchdog on the Atmega 256. There is a timing attack that can be performed to defeat the watchdog.
But defeating it and actually recreating it on another IC are 2 different animals.

The FTD USB to Serial converter could be the other option for a bootloader, it has a security feature on it that allows for a unique chip ID to be established. Could be potentially a lot harder to crack that nut, but if that were the case then you could just pull the Atmega IC and mount it on a legacy board and go to work dumping it that way.

I don't know if anyone has actually pulled one off the board and remounted and tried dumping it, seems like an obvious first try.

If the watchdog is the only thing on the Atmega256 IC and you remount it on a legacy board, then this code is supposed to be the basis for defeating a watchdog on a Atmel chipset:

**Note: I am not a coder, so questions about how to use this are wasted on me.**

Detailed Description

#include <avr/wdt.h>

This header file declares the interface to some inline macros handling the watchdog timer present in many AVR devices. In order to prevent the watchdog timer configuration from being accidentally altered by a crashing application, a special timed sequence is required in order to change it. The macros within this header file handle the required sequence automatically before changing any value. Interrupts will be disabled during the manipulation.

Note:
Depending on the fuse configuration of the particular device, further restrictions might apply, in particular it might be disallowed to turn off the watchdog timer.

Note that for newer devices (ATmega88 and newer, effectively any AVR that has the option to also generate interrupts), the watchdog timer remains active even after a system reset (except a power-on condition), using the fastest prescaler value (approximately 15 ms). It is therefore required to turn off the watchdog early during program startup, the datasheet recommends a sequence like the following:

#include <stdint.h>
#include <avr/wdt.h>

uint8_t mcusr_mirror;

void get_mcusr(void) \
    __attribute__((naked)) \
    __attribute__((section(".init3")));
void get_mcusr(void)
{
    mcusr_mirror = MCUSR;
    MCUSR = 0;
    wdt_disable();
}

Saving the value of MCUSR in mcusr_mirror is only needed if the application later wants to examine the reset source, but clearing in particular the watchdog reset flag before disabling the watchdog is required, according to the datasheet.


Defines
#define wdt_reset() __asm__ __volatile__ ("wdr")
#define wdt_disable()
#define wdt_enable(timeout) _wdt_write(timeout)
#define WDTO_15MS 0
#define WDTO_30MS 1
#define WDTO_60MS 2
#define WDTO_120MS 3
#define WDTO_250MS 4
#define WDTO_500MS 5
#define WDTO_1S 6
#define WDTO_2S 7
#define WDTO_4S 8
#define WDTO_8S 9
Define Documentation

#define wdt_disable ( )

Value:

__asm__ __volatile__ ( \
    "in __tmp_reg__, __SREG__" "\n\t" \
    "cli" "\n\t" \
    "out %0, %1" "\n\t" \
    "out %0, __zero_reg__" "\n\t" \
    "out __SREG__,__tmp_reg__" "\n\t" \
    : /* no outputs */ \
    : "I" (_SFR_IO_ADDR(_WD_CONTROL_REG)), \
      "r" ((uint8_t)(_BV(_WD_CHANGE_BIT) | _BV(WDE))) \
    : "r0" \
)

Disable the watchdog timer, if possible. This attempts to turn off the Enable bit in the watchdog control register. See the datasheet for details.

#define wdt_enable ( timeout ) _wdt_write(timeout)

Enable the watchdog timer, configuring it for expiry after timeout (which is a combination of the WDP0 through WDP2 bits to write into the WDTCR register; For those devices that have a WDTCSR register, it uses the combination of the WDP0 through WDP3 bits).

See also the symbolic constants WDTO_15MS et al.


#define wdt_reset ( ) __asm__ __volatile__ ("wdr")

Reset the watchdog timer. When the watchdog timer is enabled, a call to this instruction is required before the timer expires, otherwise a watchdog-initiated device reset will occur.

#define WDTO_120MS 3

See WDTO_15MS

#define WDTO_15MS 0

Symbolic constants for the watchdog timeout. Since the watchdog timer is based on a free-running RC oscillator, the times are approximate only and apply to a supply voltage of 5 V. At lower supply voltages, the times will increase. For older devices, the times will be as large as three times when operating at Vcc = 3 V, while the newer devices (e. g. ATmega128, ATmega8) only experience a negligible change.

Possible timeout values are: 15 ms, 30 ms, 60 ms, 120 ms, 250 ms, 500 ms, 1 s, 2 s. (Some devices also allow for 4 s and 8 s.) Symbolic constants are formed by the prefix WDTO_, followed by the time.

Example that would select a watchdog timer expiry of approximately 500 ms:

wdt_enable(WDTO_500MS);

#define WDTO_1S 6

See WDTO_15MS

#define WDTO_250MS 4

See WDTO_15MS

#define WDTO_2S 7

See WDTO_15MS

#define WDTO_30MS 1

See WDTO_15MS

#define WDTO_4S 8

See WDTO_15MS. Note: This is only available on the ATtiny2313, ATtiny24, ATtiny44, ATtiny84, ATtiny25, ATtiny45, ATtiny85, ATtiny261, ATtiny461, ATtiny861, ATmega48, ATmega88, ATmega168, ATmega164P, ATmega324P, ATmega644P, ATmega644, ATmega640, ATmega1280, ATmega1281, ATmega2560, ATmega2561, ATmega8HVA, ATmega16HVA, ATmega406, AT90PWM1, AT90PWM2, AT90PWM3, AT90USB82, AT90USB162, AT90USB646, AT90USB647, AT90USB1286, AT90USB1287.

#define WDTO_500MS 5

See WDTO_15MS

#define WDTO_60MS 2

See WDTO_15MS

#define WDTO_8S 9

See WDTO_15MS. Note: This is only available on the ATtiny2313, ATtiny24, ATtiny44, ATtiny84, ATtiny25, ATtiny45, ATtiny85, ATtiny261, ATtiny461, ATtiny861, ATmega48, ATmega88, ATmega168, ATmega164P, ATmega324P, ATmega644P, ATmega644, ATmega640, ATmega1280, ATmega1281, ATmega2560, ATmega2561, ATmega8HVA, ATmega16HVA, ATmega406, AT90PWM1, AT90PWM2, AT90PWM3, AT90USB82, AT90USB162, AT90USB646, AT90USB647, AT90USB1286, AT90USB1287.


Like I have said, I am not a coder. I am a tinker'er. But the USB Atmega has some decent documentation that I will try and locate and put in the file section. Not sure what good it would do to reverse the USBAtmega. Unless you are willing to spend the time commenting out the code, step by step after disassembling it. Unless you wanted to start trying to adapt coding for the legacy atmegas to it.


Just hang in there, it will receive the same quality support the Enigma has.
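
The avr-libc text quoted in the post above names three conditions on turning the watchdog off: a timed write sequence, clearing the watchdog reset flag in MCUSR first, and a fuse setting that can forbid it. The following is an added example, not part of the original post or of avr-libc: a simplified host-side C model of those rules. The struct, the function names, the bit positions and the four-cycle change window are assumptions of this model, taken from the usual ATmega register layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified host-side model, constructed for illustration: tracks only the
 * enable bit, the change window, the WDRF reset flag and the always-on fuse. */
#define WDCE 4            /* WDTCSR: watchdog change enable */
#define WDE  3            /* WDTCSR: watchdog system reset enable */
#define WDRF 3            /* MCUSR: watchdog reset flag */
#define BV(b) (1u << (b))

typedef struct {
    bool wde;             /* watchdog currently enabled */
    uint8_t mcusr;        /* reset-source flags */
    int window;           /* clock cycles left in the change window */
    bool always_on_fuse;  /* fuse setting that forbids turning it off */
} wdt_model;

static void wdt_write(wdt_model *m, uint8_t v) {
    if ((v & BV(WDCE)) && (v & BV(WDE))) {   /* step 1: open 4-cycle window */
        m->window = 4;
        return;
    }
    if (m->window > 0) {                     /* step 2: inside the window */
        bool forced = m->always_on_fuse || (m->mcusr & BV(WDRF));
        m->wde = (v & BV(WDE)) || forced;
        m->window = 0;
    }                                        /* outside it: write ignored */
}

/* The two writes wdt_disable() issues, separated by delay_cycles. */
static bool try_disable(wdt_model *m, int delay_cycles) {
    wdt_write(m, BV(WDCE) | BV(WDE));
    m->window = (delay_cycles >= m->window) ? 0 : m->window - delay_cycles;
    wdt_write(m, 0);
    return !m->wde;                          /* true if the watchdog is off */
}

int main(void) {
    wdt_model ok = { true, 0, 0, false }, late = ok;
    wdt_model after_wdr = { true, BV(WDRF), 0, false };
    printf("timed sequence: %d\n", try_disable(&ok, 0));
    printf("late write:     %d\n", try_disable(&late, 10));
    printf("WDRF still set: %d\n", try_disable(&after_wdr, 0));
    after_wdr.mcusr = 0;                     /* what get_mcusr() does first */
    printf("WDRF cleared:   %d\n", try_disable(&after_wdr, 0));
    return 0;
}
```
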

GallDurnit
01-28-2008, 07:59 PM
I'm also just another tinker'er. Here's my findings for the processors for Atmega and Enigma microprocessors. They are both z80 processors, one made by Zilog and the other by Toshiba. FYI if you download a free version of IDA Pro and change the file extension of Enigma and USB Atmega to .rom instead of .exe it will try to open but will tell you Z80 not supported. I'd nearly be willing to bet the other 3 chips on the atmega and Enigma boards are the same.

fubr
01-28-2008, 08:50 PM
Are you sure these are the same chips?
Just because IDA Pro says not supported, does that mean that's what it is?

Fred Raud
07-10-2008, 11:49 AM
here are some close ups!

Fred Raud