Mike Morris
2023-10-27 08:33:18 UTC
I have an abandonware industrial device that runs a Z180 with a 27C512 for the firmware (64 KB), a 43256 RAM (32 KB) and an Exar 88C681 I/O expander.
I have supposedly full schematics and an image file (a .bin) of the firmware.
There is a slave processor - a 68HC11 with a 27C256 and a SCN2681 I/O expander. The CPUs talk to each other both with parallel latches both ways and by an internal serial port both ways. Why? I just want to know how and why it does what it does.
Legalities: I own the hardware - several pieces of it.
The manufacturer can't be contacted (disconnected phone), no email.
There is no support for it.
My platforms that I have available are Win10-64 bit, Win10 32bit, Win7-64 bit and Win7-32 bit.
I'd like to disassemble the firmware with several objectives:
1) I'm curious how it does its internal functions.
2) the serial port on the unit presently runs at 1200 or 2400 baud (selected by a 1-bit DIP switch)
I'd like to patch the 1200 baud position to at least 9600 if not 19.2k.
3) the I/O uses TeleVideo 920 cursor addressing.
I'd like to rewrite that subroutine to ANSI / VT102.
4) there's a display routine that summarizes the ongoing processes.
One of the fields maxes out at 65k counts (i.e. 16 bits). As a result I have to download the log files every few weeks. I'd like to make that 24 bits so I can dump it quarterly.
As I said, I just want to know how it does what it does.
30 years ago I learned more about multiprocess programming by reading the listings of the Univac 1108 OS and poking around with the monitor/debugger than from any textbook of the time. I also replaced the idle routine in the OS with a routine that displayed the total clock ticks used by each process.
Nowadays it's called reverse engineering the software.
Likewise I learned more about real-time programming by reading the assembly code listings of Data General's RealTimeOS and writing a routine that replaced the idle routine (two JMP instructions that ping-ponged back and forth) with a routine that ran 1, 2, 3, 4 or 5 dots back and forth across a 16-bit LED light bar... The number of lit dots showed the number of active processes, and the less time the CPU spent in the idle loop the slower the LEDs swept back and forth...
30+ years ago I disassembled 40 KB of Z80 code back to 27000+ lines of Z80 assembly using Dazzlestar. I hope the tools are more advanced now.
I just hope it's assembled code rather than compiled code...
I'm doing this out of pocket just for the learning... I can't afford a copy of IDA Pro, and neither the teaser version nor the free version does Z180 (or Z80).
Thanks in advance for any help / pointers / ideas.
Mike
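Added example, not code from the poster: a first-pass triage script for a raw Z80/Z180 ROM image of the kind described above, to run before loading the .bin into a disassembler. It does three things the post's objectives call for: it histograms absolute CALL/JP targets (the most-called address in a ROM that talks to a terminal is very often the character-output routine, which is where the baud-rate and cursor-addressing work starts), it dumps the opcode byte sitting at each fixed Z80 entry point (RESET at 0000h, the RST vectors, IM 1 at 0038h, NMI at 0066h), and it extracts printable strings, rewriting any TeleVideo 920 cursor-address sequence (ESC '=' row+20h col+20h, zero-based) into its ANSI/VT102 equivalent (ESC '[' row ';' col 'H', one-based) so objective 3 can be checked against real data. Assumptions: the image is linked to run from address 0; the linear opcode scan is a heuristic that can misfire on data bytes; the sample ROM bytes are constructed for the demo and come from no real device.

```python
"""First-pass triage of a Z80/Z180 ROM image before disassembly.

Added example for the task in the post above; not the poster's code.
Assumes the image is linked at address 0 (Z80/Z180 reset vector).
The sample ROM built by build_sample_rom() is constructed for the demo.
"""
import re
import sys
from collections import Counter

# Fixed Z80/Z180 entry points (architectural facts).
ENTRY_POINTS = {
    0x0000: "RESET",
    0x0008: "RST 08h", 0x0010: "RST 10h", 0x0018: "RST 18h",
    0x0020: "RST 20h", 0x0028: "RST 28h", 0x0030: "RST 30h",
    0x0038: "RST 38h / IM 1 interrupt",
    0x0066: "NMI",
}

CALL_OPCODE = 0xCD   # CALL nn, little-endian 16-bit absolute target
JP_OPCODE = 0xC3     # JP nn
TV920_CURSOR = re.compile(rb"\x1b=([\x20-\x7e])([\x20-\x7e])")


def call_targets(rom: bytes, base: int = 0) -> Counter:
    """Histogram of absolute CALL/JP targets from a linear byte scan.

    Heuristic: operand and data bytes can look like 0xCD/0xC3, so hot
    targets are leads to confirm in the disassembler, not proof. Targets
    outside the image are dropped.
    """
    hits = Counter()
    for i in range(len(rom) - 2):
        if rom[i] in (CALL_OPCODE, JP_OPCODE):
            target = rom[i + 1] | (rom[i + 2] << 8)
            if base <= target < base + len(rom):
                hits[target] += 1
    return hits


def entry_point_opcodes(rom: bytes) -> dict:
    """Opcode byte at each fixed vector; 0xC3 (JP) or 0xC9 (RET) are
    good signs, a run of 0x00/0xFF suggests the vector is unused."""
    return {a: (name, rom[a]) for a, name in ENTRY_POINTS.items()
            if a < len(rom)}


def find_strings(rom: bytes, min_len: int = 6) -> list:
    """(offset, bytes) for runs of printable ASCII; ESC is allowed so
    terminal escape sequences embedded in messages are kept."""
    pat = re.compile(rb"[\x1b\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group()) for m in pat.finditer(rom)]


def televideo_to_ansi(seq: bytes) -> bytes:
    """Rewrite TeleVideo 920 cursor addressing as ANSI/VT102 CUP.

    TeleVideo: ESC '=' (row+0x20) (col+0x20), zero-based.
    ANSI CUP:  ESC '[' row ';' col 'H', one-based.
    """
    def repl(m):
        row = m.group(1)[0] - 0x20 + 1
        col = m.group(2)[0] - 0x20 + 1
        return b"\x1b[%d;%dH" % (row, col)
    return TV920_CURSOR.sub(repl, seq)


def triage(rom: bytes, base: int = 0, top: int = 5) -> dict:
    """Collect the leads a human would look at first."""
    strings = find_strings(rom)
    return {
        "hot_targets": call_targets(rom, base).most_common(top),
        "vectors": entry_point_opcodes(rom),
        "strings": strings,
        "ansi_preview": [(off, televideo_to_ansi(s))
                         for off, s in strings if b"\x1b=" in s],
    }


def build_sample_rom() -> bytes:
    """Constructed 4 KB image: reset JP, one hot subroutine with three
    callers, one cold subroutine, and a message carrying a TeleVideo
    cursor address (row 5, col 10 zero-based)."""
    rom = bytearray(0x1000)

    def put(addr, data):
        rom[addr:addr + len(data)] = data
    put(0x0000, b"\xC3\x00\x01")                       # JP 0100h
    put(0x0038, b"\xC9")                               # RET (stub ISR)
    put(0x0100, b"\xCD\x00\x02" * 3 + b"\xCD\x00\x03"  # CALL 0200h x3, CALL 0300h
        + b"\x18\xFE")                                 # JR $ (spin)
    put(0x0200, b"\xD3\x05\xC9")                       # OUT (05h),A ; RET
    put(0x0300, b"\xC9")                               # RET
    put(0x0800, b"\x1b=%*RUN TIME  00000\x00")         # ESC = row col, text
    return bytes(rom)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_rom()
    report = triage(image)
    for addr, (name, op) in report["vectors"].items():
        print(f"{addr:04X}  {name:28s} opcode {op:02X}")
    for addr, n in report["hot_targets"]:
        print(f"CALL/JP target {addr:04X} hit {n} times")
    for off, s in report["ansi_preview"]:
        print(f"{off:04X}  {s!r}")
```

Run it as `python triage.py firmware.bin` on the real image; the first address in the hot-target list is where to start reading in the disassembler. For the disassembly itself, Ghidra is free and ships a Z80 processor module; the Z180-only instructions it does not decode can be marked by hand.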