Wednesday, July 31, 2019

Dumping and Decompilation of Old Stereo Firmware

Remember that game console I made a while back out of old computer parts and a stereo enclosure? It still had the motherboard intact. I desoldered everything from it and got some interesting (and somewhat usable) parts. There were some parts I didn't dive into at the time, though, and I'd like to do a shallow dive into one of them now: the EPROM.


This EPROM is a 27C256, a 256 Kbit part, so 32 KB of memory in total. It came from a removable socket on the board it was installed on, so my guess is that this software is upgradable by simply replacing the chip.

Now, there's a reason I'm not reverse engineering this very far: it's likely not the entire story. This firmware is for a Renesas H8/3062B processor. I can't find the actual chip, but I remember that this document covers basically everything we need to know about it. And if I'm understanding this right, the chip could have its own on-chip ROM, masked or otherwise. Okay, so then what's on this chip?

We can only speculate, but for now I'll guess that it's the user experience. It's really hard to tell if there's any low-level code on here (perhaps something to talk to the Zone Cards at a high level, since Zone Cards could be upgraded), but I doubt things like primitive audio routing, display control, and button interrupts could possibly be on here. Or maybe they are, and all of that stuff is managed by the PLD chips inside it. I simply don't know.

But the goal here is to dump and, at the very least, look at the contents of the chip just so I have a binary copy of the firmware archived. It's been sitting in my closet for a while and even though it has a very long data retention rating, who knows what could happen.

So that's what I did. I decided to try and dump this with an Arduino simply because it's what I had on hand. Unfortunately, I needed a total of 23 pins to fully dump this chip: 15 address lines and 8 data lines. The Arduino does not have this many pins.

I took this as an excuse to go to Fry's Electronics. I had never been to a Fry's Electronics before, and now that I'm living in Chicago, I took the opportunity and went all the way out to Downers Grove, where the only Fry's in the state decided to set up shop. This place is massive. It's as if Menard's, Radio Shack, Micro Center, and Best Buy all had a depressed child together. This place was vast. It practically had its own zip code, and at times it felt like I was the only one in there. It was odd, to say the least.

Mainly, I didn't want to wait for a single IC to be shipped to me. In stock, they had an NTE4020B 14-bit binary ripple counter. Clearly, I didn't understand what this meant, because I thought I'd just be able to source 14 of the required 15 address bits directly from this chip. But I was wrong: the second and third bits (the counter's Q2 and Q3) aren't brought out to pins on a 4020, so I had to source them from the Arduino along with the 15th bit. That was fine though, it wasn't too hard. I just counted on the Arduino, peeled those bits off, and wrote them directly to the address pins on the EPROM.
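The same scheme as an added Python model (this is not the author's Arduino sketch): the 4020 is modelled as a 14-stage counter whose Q2 and Q3 outputs have no pins (true of a CD4020: only Q1 and Q4 through Q14 are brought out), the Arduino drives EPROM A1, A2 and A14 from its own loop counter, and every other address line comes from a counter Q output. Running it over all 32768 steps confirms that this wiring presents every address exactly once and in order. It assumes both counters start from zero and the 4020 gets one clock pulse per byte read; the pin assignment is inferred from the text.

```python
# Outputs a CD4020 brings out to pins: Q1 and Q4..Q14. Q2 and Q3 exist in
# the counter chain but have no pin, which is why two low address bits
# have to come from somewhere else. Q_n carries bit (n-1) of the count.
AVAILABLE_Q = (1,) + tuple(range(4, 15))

# EPROM address lines driven directly from the Arduino (assumed wiring,
# following the text: the two missing low bits plus A14).
ARDUINO_BITS = (1, 2, 14)


class Counter4020:
    """14-bit ripple counter: advances once per clock pulse, wraps at 2**14."""

    def __init__(self):
        self.count = 0

    def reset(self):
        self.count = 0

    def clock(self):
        self.count = (self.count + 1) & 0x3FFF

    def q(self, n):
        if n not in AVAILABLE_Q:
            raise ValueError(f"Q{n} is not brought out on a 4020")
        return (self.count >> (n - 1)) & 1


def eprom_address(counter, step):
    """A0..A14 as the EPROM sees them: Arduino-driven bits are taken from
    the loop counter `step`, all others are read from the 4020's Q outputs."""
    addr = 0
    for a in range(15):
        if a in ARDUINO_BITS:
            bit = (step >> a) & 1
        else:
            bit = counter.q(a + 1)   # A0 <- Q1, A3 <- Q4, ..., A13 <- Q14
        addr |= bit << a
    return addr


def address_sequence(n=1 << 15):
    """Addresses presented to the EPROM over a full dump of n bytes."""
    counter = Counter4020()
    counter.reset()
    seq = []
    for step in range(n):
        seq.append(eprom_address(counter, step))
        counter.clock()          # one clock pulse after each byte is read
    return seq


def covers_every_address(n=1 << 15):
    """True if the dump visits addresses 0..n-1 once each and in order."""
    return address_sequence(n) == list(range(n))


if __name__ == "__main__":
    print("full 32K coverage:", covers_every_address())
```

Two hardware details the model glosses over: a CD4020 advances on the falling edge of its clock input, and because it is a ripple counter the high-order Q outputs settle a few propagation delays after the low ones, so the sketch should pause briefly after each clock pulse before sampling the data bus.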


This is the setup. You can barely see the chips being used. But after I confirmed it worked by repeatedly dumping the first hundred or so bytes, I was ready to dump the whole thing.

The easiest way to do this with software I already had was to use PuTTY while also logging its output to a file. It logs some extraneous stuff at the beginning, but it was easy to trim that off. I was left with a beautiful 32K file that I didn't understand.

Really, the only way I was able to verify that the dump was correct was the fact that there was some ASCII text in this file.


So that's cool, it's much older than I thought, and I had no idea that the firmware also came from Square D. I only thought they manufactured the boards. Guess Elan sourced the whole product from them. Starting at 0x6940 there is more ASCII text with strings that get displayed on the board. As far as I can tell, I can't see how this gets translated into the actual signalling that drives the board. That's what leads me to believe that this is just a part of the puzzle.
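As an added example (not the author's tooling), here is a small Python script for the post-processing just described: it discards the banner PuTTY writes at the top of a session log, rebuilds the image from the logged hex lines, runs a strings(1)-style scan so the Square D and display text show up with their offsets, and records a hash to keep next to the archived file. The dump line format is an assumption (a printed address, a colon and 16 hex bytes per line), and the sample log is constructed for illustration, not the real dump.

```python
import hashlib
import re
import string

# Constructed sample of a PuTTY session log. The first line is the banner
# PuTTY itself writes into the log file; "Dumper ready" and "done" stand in
# for chatter the sketch prints. The dump format is an assumption: printed
# address, colon, 16 hex bytes per line. Byte values are made up.
SAMPLE_LOG = """=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2019.07.31 21:14:02 =~=~=~=~=~=~=~=~=~=~=~=
Dumper ready, starting at 0x0000
0000: 00 00 01 00 00 00 01 20 00 00 01 40 00 00 01 00
0010: 53 51 55 41 52 45 20 44 00 FF FF FF FF FF FF FF
0020: 5A 4F 4E 45 20 31 20 4F 4E 00 FF FF FF FF FF FF
0030: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
done
"""

HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4,6}):((?:\s+[0-9A-Fa-f]{2})+)\s*$")


def parse_putty_log(text):
    """Rebuild the binary image from a logged hex dump.

    Lines that do not look like dump lines (the PuTTY banner, status
    messages, blanks) are skipped. Each dump line is checked against the
    address it claims, so a dropped or repeated line raises instead of
    silently shifting every byte after it.
    """
    image = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        if addr != len(image):
            raise ValueError(
                f"dump line for {addr:#06x} found where {len(image):#06x} was expected")
        image.extend(bytes.fromhex(m.group(2)))
    return bytes(image)


# Printable ASCII minus control whitespace; a space may appear inside a run.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def find_strings(data, min_len=4):
    """Same idea as the Unix strings(1) tool: (offset, text) for every run
    of at least min_len printable bytes."""
    found, start = [], None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            found.append((start, data[start:i].decode("ascii")))
        start = None
    if start is not None and len(data) - start >= min_len:
        found.append((start, data[start:].decode("ascii")))
    return found


def check_dump(data, expected_size):
    """Catch the common ways a home-made reader produces a wrong image."""
    problems = []
    if len(data) != expected_size:
        problems.append(f"size {len(data)} != {expected_size}")
    if data and len(set(data)) == 1:
        problems.append(f"every byte is {data[0]:#04x}: blank part or data bus not driven")
    elif data and data.count(0xFF) > 0.95 * len(data):
        problems.append("almost all 0xFF: probably erased or mostly unread")
    return problems


def fingerprint(data):
    """SHA-256 of the image, to keep next to the archived file."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    image = parse_putty_log(SAMPLE_LOG)
    print(f"{len(image)} bytes, sha256 {fingerprint(image)}")
    for problem in check_dump(image, 32768):   # a 27C256 holds 32768 bytes
        print("WARNING:", problem)
    for offset, text in find_strings(image):
        print(f"{offset:#06x}  {text}")
```

Against the real log, the size check is the one that matters most: a 27C256 image must come out to exactly 32768 bytes, and the address check in the parser will point at the first line where a serial glitch dropped or duplicated output.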

I'll leave the firmware file and the dumb objdump that I couldn't make sense of (everything is disassembled as instructions, even the ASCII strings). Maybe, once I find the processor, because I know I still have it, I'll try to figure it out further. But, at the very least, the mission of archiving this stuff is a success. So yay, I guess.
