Sega's FD1089 security module reverse engineeringThe FD1089 module variants from Hitachi / SEGA were fabricated in a plastic case, on the back of the module a epoxy layer is visible together with two rows of pins arranged as DIP64. This arrangement mimics a standard 68000 CPU as intended by SEGA.
The sample shown below features the SEGA code 317-0013, this indicates the module was used as part of a Enduro Racer game board.
As is, the module measures 8.72cm by 2.85cm, not a small piece for a cpu.
The plastic case features a top cover providing access to the battery container, as shown below as many as three batteries could be fitted at once, perhaps allowing for longer data retention configurations. All modules I've seen myself just make use of one battery slot only.
Hitachi seemed to keep all things home by employing Hitachi Maxell CR-2032 3 volt batteries. This one was dated 1986 week 06, long enough!
For some reason a white looking dust was found inside all over the battery container, a battery byproduct over the years?
Lastly, there's a big letter B stamped, this corresponds with the specific module type under review: FD1089B. Modules A stamped inside correspond to FD1089A variants.
X-ray glasses on so we can see what it looks like inside, this is one of the fun parts of the project. For the first time you have a look inside and start trying to make sense of the internals, this one is busy and is no standard IC on a package. Time to start planning an attack.
In order to try gain clean access inside we test the epoxy with a strong paint remover for a few days.
Unfortunately this didn't produce any significant results, the epoxy in the FD1089 is well formulated and is resistant to this type of attack.
By employing a combination of heat and patience it is possible to separate the plastic case from the epoxy block.
A weak spot on the epoxy curing caused by trapped air is discovered, this allowed for a unique early view of the shinny internal pcb as shown below.
Time to keep going deeper and plan to attack the epoxy, first a few measurements are made to understand dimensions whenever needed later on. The epoxy block on its own does 8.49cm by 2.60cm.
With the help of higher resolution x-rays we start to get full control of what's going on in there, eg enumeration of devices, guessing the purpose of each device, producing early diagrams, etc...
As shown below, the FD1089 uses a total of four different chips in its operation. left to right: A custom IC (this is where the security magic happens), a 68000 CPU, a 6264 SRAM chip, and a MB3771 voltage monitor (when needed, this takes care of switching power from VCC to VBATT and vice-versa).
The first three chips are HITACHI bare dies directly glued onto the top of the pcb, the MB3771 is in full form as a surface mount device soldered on the back of the pcb.
Next, we need to have a fully validated understanding of the internal interconnect (aka, how things connect to each other and the outside)
The tool of preference for this project was a precision CNC, nothing fancy, just a standard Aliexpress sourced kit. The goal here is precise enough milling so we reveal the circuit while avoiding fatal damage to the interconnect and chips, especially the custom IC.
Hours later, a significant part of the the copper surface is fully exposed and the custom IC preserved in place, though this didn't come without surprises and a couple of drill bits broken. Just below the IC you can see another unexposed rectangle area, this happened to be a ceramic insert placed there during fabrication to protect access to a sensitive area of the module
At this point a further donor module got dremel down bare to understand how many more ceramic inserts were there, in total the FD1089 module has four ceramic inserts, two on the front and two on the back shown below in white, they protect key SRAM signals such as the data bus to prevent extraction of the encryption key through direct drilling.
At this point I was convinced this module was probably very expensive to produce back in the day.
For illustration of the above lets take the following example and visual representation: Four data bit vias from the SRAM are covered with ceramic both at the origin near the SRAM as well as at the destination close to the custom IC.
Beyond being cool and almost a craft, not sure why this was done, if an attacker could drill from above with the intention of making contact, it could do so at other parts of the circuit by exposing the copper, you don't require a via specifically for that.
More hours of careful drilling allow us to gain access to further key areas of the pcb, when this process is completed we can work on the next part of this reverse engineering.
Diagraming the interconnect and how chips relate to each other is a critical step before we proceed to examine any deep down chip logic.
Once we are ready to explore the custom chip, a further donor unit is put under the knife, the goal here is to cut down the minimum possible sample to allow extraction of the custom IC die housed inside.
Bonus: a cross section of the pcb reveals its four layers, the inner two are dedicated to VCC / GND distribution only.
The smallest possible bite size sandwich is produced, inside not visible is the custom IC, left you can see in white a couple of the ceramic inserts guarding access.
![]()
The sample was then put in a nitric acid beauty spa for several rounds.
At each round the sample was inspected for progress and cleaning. IC dies are very fragile and patience is key, this waited 30+ years, so it may as well wait another day if necessary.
Finally getting closer, both ceramic bits are released, below them you can see the back of the IC die now exposed.
A final round allowed for the chip die to be fully exposed clean. Pharaonic honors please.
Stay tuned for the next article, we will explore this chip under the microscope. Happy reversing.
