| |
Fresh
Registered: Jan 2005
Posts: 101 |
MPS803 external EPROM
Hi everyone,
some time ago I purchased for nearly nothing an old MPS803 and these days I found the time to open it to clean it up and, well, to take a look at what's inside.
It turns out the motherboard has a couple of free sockets where you can put, respectively, a 74373 and a 2732 (or 2764).
The Service Manual states that by adding those ICs and shorting a jumper you can switch from internal D7811G ROM to external EPROM.
Looking at the emulators I only found a font file (mps803) so my first guess is it can only be used for fonts. Still, according to the Service Manual, the EPROM should basically replace the internal ROM.
Now, I do know the hardware is heavily limited, but I'm pretty curious about this extension: is it only useable for fonts or is it possibile to put code there?
And if the latter, is there any documentation about it?
Thanks you all! |
|
| |
chatGPZ
Registered: Dec 2001
Posts: 11385 |
If you find out, let us know, so we can emulate it :)
I have only ever heard about alternative font ROMs for that matter |
| |
BiGFooT
Registered: Mar 2002
Posts: 33 |
7811 can operate with an external ROM when the M0 (pin 29) and M1 (pin 27) set to low. Unfortunately, I'm not aware about any kind of dump or hacked MPS803 ROM in the wild. You can run any code with this external ROM method. In theory, running code above 4K and switching the M1 pin on-the-fly it's even possible to dump the internal ROM.
Here's a good read about 7811 hacking: http://zine.r-massive.com/casio-rz-1-firmware-hacking/ |
| |
Fresh
Registered: Jan 2005
Posts: 101 |
Thanks Bigfoot,
yes, that's the same site I found yesterday and I had the same idea: trying to add a switch to change MODE 1 while the device is on.
This evening I traced down some ports I'll use to test if my code is actually working. I'll test them tomorrow.
Then I'll try to create something more complex, copy it on both $0000 and $1000, and move the execution to $1000+: if changing M1 doesn't trigger reset or some other IRQs/NMIs, and - most of all! - if I've understood it correctly, the execution should transparently continue above $1000 on the first block of my EPROM.
If confirmed, this indeed could be used to dump the mask ROM.
There are a lot of assumptions but maybe it's going to work.
Will surely let you know! |
| |
chatGPZ
Registered: Dec 2001
Posts: 11385 |
It isnt the same MCU as in 1520, right? https://e4aws.silverdr.com/hacks/6500_1/ |
| |
Krill
Registered: Apr 2002
Posts: 2980 |
Hmm no, should be one of https://en.wikipedia.org/wiki/78K#78K1_Series - more specifically https://www.cpcwiki.eu/imgs/7/74/UPD7811G_Datasheet.pdf =) |
| |
Walt
Registered: May 2004
Posts: 47 |
Many years ago a friend and me wanted to modify the font of a Commodore printer (can't remember the model). It used an EPROM and we did get it to work after debugging the power-up code and realising it did a checksum of the whole EPROM and would halt if it was wrong... |
| |
Fresh
Registered: Jan 2005
Posts: 101 |
Ok, I've just completed some first coding attempts.
At least the first assumption is verified: I could indeed execute code using the EPROM.
I read the button status (Port C - Bit 0) and used it to control power led (Port C - Bit 4).
As of now, the only downside is that playing with this stuff is quite slow as I need to reburn a EPROM everytime, nevertheless I'll try to go further. |
| |
Fresh
Registered: Jan 2005
Posts: 101 |
It worked!
I managed to dump the whole mask ROM of the MCU of the printer so now I can start disassemble it.
I'd be glad to share both the dump codes and the dump itself somewhere, for preservation. Do you think there may be copyright problems putting it here? |
| |
chatGPZ
Registered: Dec 2001
Posts: 11385 |
Not sure in what form it would qualify a release here - i'd put it on github and then send Bo Zimmermann a mail so he can put it on zimmers.net too |
| |
Fresh
Registered: Jan 2005
Posts: 101 |
Ok, thanks Groepaz.
If you're curious you can find all the stuff here: https://bitbucket.org/freshness79/78c11romdumper/
I'll drop a drop email to Zimmermann, as you suggested. |
| |
BiGFooT
Registered: Mar 2002
Posts: 33 |
Well Fresh, it's nice to see your first results and achievement.
The dump looks promising, as it's something, but it's not good. I don't know if it's misaligned, or something else, but doesn't add up.
The init seems to be good
LXI SP,0 ; init stack
MVI EOM,0 ; disable timer
JRE PC+2d ; jump to 0x35
...
0x35:
MVI A,8
MOV ???,A ; Move to unknown register? That 0 is not a valid register somewhat.
MVI A,0x8e
MOV ???,A ; Move to unknown register? That 0 is not a valid register somewhat.
MVI A,0
MOV PA,A
...
Also, it seems that the EI / RTI interrupt handling is looks good, but the overall picture of the dump is - at least for me - doesn't add up.
---
Anyway, I'm happy that you was able to do this and I hope that it's not an address / data collision/timing issue with the mode switching. I hope that you can figure out what's the problem or what happened and we can start to dissect this newer seen before piece of code. |
| |
Fresh
Registered: Jan 2005
Posts: 101 |
Totally true, BigFooT.
There were indeed some errors in both printer and C64 sides:
The most impactful were on printer code, but in general the whole protocol was far from being reliable.
Now it's still quite ugly - first time I fiddle with serial cable - but at least it does its job pretty well and way faster than the first version.
A preview of the first lines:
0000: 04 00 00 LXI SP,$0000 ; Init stack pointer
0003: 64 83 90 MVI EOM,$90 ; Set LV1 and enable output
0006: 4e 2d JRE $0035 ; => 0035
<...>
0035: 69 08 MVI A,$08 ; Enable RAM
0037: 4d d0 MOV MM,A
0039: 69 8e MVI A,$8E ; Set control mode
003b: 4d d1 MOV MCC,A ; for some pins of port C
003d: 69 ff MVI A,$FF ; Put all ports in input mode
003f: 4d c0 MOV PA,A
0041: 4d c1 MOV PB,A
0043: 4d c2 MOV PC,A
<...>
|
| |
Claus_2015
Registered: Oct 2012
Posts: 53 |
Cool stuff! Next step: run Doom on continuous paper \o/ |
| |
chatGPZ
Registered: Dec 2001
Posts: 11385 |
BTW, could you tell what exactly is printed on the IC? Is there a commodore specific part number? (I'm just renaming all the files in VICE to use the part numbers, and it would make sense to use this proper dump now :))
That said, i wonder where the charset data comes from... there should be at least 2k (1k for upper and 1k for lowercase) ... but... mmh :) how much RAM does this controller have? Is it decompressing it on the fly? |
| |
BiGFooT
Registered: Mar 2002
Posts: 33 |
@Fresh: It's a good dump \o/ Great job mate.
I need to check the schematics to start the dissecting, but it's a nice code with weird jumptables. :)
@Groepaz: It's from $0c3f of the dump, 160 characters in total, 7x6 bits. The offset calculation code is at $09c0 in the rom code.
 |
| |
Fresh
Registered: Jan 2005
Posts: 101 |
@BigFooT: nice finding! :)
I'm going to start looking at the code now, pity there doesn't seem to be some ASCII signature or similar, would have been a nice trivia. Yes, space is really tight...
@Groepaz, BigFooT already answered most of your questions, for completeness:
- The MCU part number is "D7811G 111-U32053A", its socket is labeled "#4" on PCB.
- It has 4k internal ROM and 256 byte RAM.
"U32053A" is the ROM revision, maybe there are printers with different firmware version which we could dump. |
| |
chatGPZ
Registered: Dec 2001
Posts: 11385 |
Cool cool! Bigfoot: is it "bit packed"? Can you tell a bit more so i dont have to work it out as well? =) nvm, got it :) |
