[sdiy] Andromeda A6 hardware questions

Rainer Buchty rainer at buchty.net
Wed Mar 3 20:20:04 CET 2010


On Wed, 3 Mar 2010, cheater cheater wrote:

> Reverse engineering this thing should be much easier than that;
> coldfire is supported by IDA Pro and Hexrays, which could make the
> work much easier;

The key word is "could". It can't do much, in fact.

What a mediocre disassembler will do for you is automatically marking 
reset, interrupt, and trap routines rather than leaving jump vector 
tracing to you.

What a good disassembler will do for you is separating code from data, 
so that you won't end up trying to disassemble data sections or 
scratching your head over wrong offsets. It will also track memory 
references for giving you a proper start for labeling 
variables/routines.

What a really good disassembler will do for you is creating "jump trees" 
to see which routines call what.

But that's about it.

It won't tell you the meaning of the gazillion variables lying around 
in RAM. Not to mention data structures.

It won't tell you where the UI parsing is done, nor will it tell you how 
the several tasks (e.g. UI parsing, MIDI engine, synthesis engine, 
sequencer) are intermingled.

And it definitely won't tell you little dirty tricks like the following 
(which is how cooperative task switching is performed within 
the ESQ1/SQ80 OS):

                 JSR     $84BA
                 fdb     $0B4F   <--- this is 2 bytes of data, not code
                 RTS

84BA:            PSHS    U,X,B,A,CC
                 ORCC    #$10
                 LDX     +$07,S
                 LDU     ,X++
                 STX     +$07,S
                 ...

And this one is just uncommon (at least to me it was), not difficult, or 
even willingly obfuscated.

> Finally, modifying the thing shouldn't be too difficult. The physical
> communication with the VLSI should be easy to figure out *if* we can
> get at the pins - it's not using gigahertz bus speeds and even very
> old logical analyzers will probably be able to help us figure it out.

I've got an FZ-1 for you, then, to figure out the register interface of 
the 2 sample playback ASICs (GAA, GAB) in there. And by figuring out I 
mean *including* documented bit patterns of control words, not just 
"it's sitting on these addresses".

Or the display controller protocol, for starters.

And the FZ-1 is *easy* as there's some *official* OS information 
floating around...

> Since the OS is in a ROM, it should be fairly trivial to set up a 
> develop-upload-test pipeline.

If you figured out how the hardware works, yes.

Without proper hardware documentation it might well take an infinite 
amount of time to accumulate the required knowledge.

Rainer
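
The inline-data trick quoted above, traced on a small model of the 6809 stack (added example, not code from the post or from the ESQ1/SQ80 OS): the routine at $84BA reads the return address the JSR pushed, fetches the data word that follows the JSR into U, and bumps the return address past it so the eventual RTS lands on the caller's RTS instead of the data. The caller address $1000, the stack pointer, and the tail of the routine after the post's "..." (assumed here to just pop the saved registers before returning) are assumptions.

```python
# Added example, not from the original post: a minimal 6809 stack model for the
# "JSR followed by an inline data word" idiom. $84BA and $0B4F are from the post;
# the caller address, stack pointer and the elided routine tail are constructed.

CALLER = 0x1000      # constructed address of the JSR/fdb/RTS sequence
CALLEE = 0x84BA      # routine address from the post
INLINE = 0x0B4F      # the fdb word from the post

def build_memory():
    """Constructed 64 KiB image holding: JSR $84BA ; fdb $0B4F ; RTS."""
    mem = bytearray(0x10000)
    mem[CALLER:CALLER + 6] = bytes([0xBD, 0x84, 0xBA,   # JSR $84BA (extended)
                                    0x0B, 0x4F,         # fdb $0B4F (data, not code)
                                    0x39])              # RTS
    return mem

class M6809:
    """Just enough state to follow the stack manipulation: S, X, U, PC."""
    def __init__(self, mem, sp=0x7FF0):
        self.mem, self.s, self.x, self.u, self.pc = mem, sp, 0, 0, CALLER

    def push16(self, v):
        self.s -= 2
        self.write16(self.s, v)

    def read16(self, addr):
        return (self.mem[addr] << 8) | self.mem[addr + 1]

    def write16(self, addr, v):
        self.mem[addr] = v >> 8
        self.mem[addr + 1] = v & 0xFF

def trace_inline_arg_call(mem):
    """Step through the visible instructions of $84BA by hand.
    Returns (word loaded into U, actual return address, naive return address)."""
    cpu = M6809(mem)
    naive_return = cpu.pc + 3               # linear sweep assumes: byte right after the JSR
    cpu.push16(cpu.pc + 3); cpu.pc = CALLEE # JSR $84BA pushes $1003 (address of the fdb)
    cpu.s -= 7                              # PSHS U,X,B,A,CC: 7 bytes, so return addr is at 7,S
    cpu.x = cpu.read16(cpu.s + 7)           # LDX +$07,S -> X = $1003
    inline_word = cpu.read16(cpu.x)         # LDU ,X++   -> U = $0B4F ...
    cpu.u, cpu.x = inline_word, cpu.x + 2   #              ... and X now points past the data
    cpu.write16(cpu.s + 7, cpu.x)           # STX +$07,S -> patched return address = $1005
    cpu.s += 7                              # assumed: elided tail pops the 7 saved bytes (registers not restored here)
    actual_return = cpu.read16(cpu.s); cpu.s += 2   # RTS pops the patched address
    return inline_word, actual_return, naive_return

if __name__ == "__main__":
    word, ret, naive = trace_inline_arg_call(build_memory())
    print(f"U=${word:04X}, control returns to ${ret:04X}; a linear sweep would decode from ${naive:04X}")
```

A disassembler that does not know $84BA consumes an inline argument will keep decoding at $1003 and turn the data word into bogus instructions; the trace shows the real resume point is two bytes later.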



