6502.org Forum

All times are UTC

PostPosted: Wed Aug 04, 2021 6:54 am 
Joined: Wed Aug 04, 2021 6:07 am
Posts: 3
Hi
For the last few months, I have been repairing multiple defects on a 1989 vintage Wavetek 2520A 0.2 MHz to 2.2 GHz RF signal generator. At the time it was an expensive item of USA-made test equipment.
You can read about my efforts to restore this equipment here: https://www.eevblog.com/forum/repair/wavetek-2025a-0-2-2-200mghz-rf-sig-gen-repair/
It is controlled with a 6502 microprocessor.
I have hit a problem. The 2520A is fitted with an optional feature called phase modulation. This feature was disabled when I replaced the nvram (non-volatile RAM). This nvram device, made by Dallas, included a battery that maintained the memory when power was off. These batteries generally last 10-15 years or so. The battery in my 2520A is about 32 years old.

When I replaced the nvram, I was able to go through the in-built calibration routines, stored in the ROMs, that restored the data held on the nvram. I was able to go through the calibration routines and all was good, except that the phase modulation (PM) feature was no longer active.

My theory is that the data to enable the PM feature was stored on the nvram and that the battery still worked well enough to hold that data. The only way to write data to the nvram is within the 2520A. There are no interfaces or connectors that would allow bus access to the nvram. The only way to get external data into the nvram is via the keypad. I think it is most likely that the data to enable the PM feature was entered with a factory secret sequence via the keypad. It is probably a single byte (or bit) that enables the execution of a routine held on a ROM.

I have quite a lot of info about the Wavetek 2520A. I have the Operator Manual and the Service Manual. These include circuit diagrams and descriptions of how everything works. The 2520A was designed to be repaired.
When I was much younger I designed and built an 80186 computer and wrote a custom operating system in assembler. I don't have experience with disassembly of 6502 code.

I want to search the program ROMs to see if I can discover how the PM feature is enabled. To do this I think I need to disassemble the code and search for a hidden keypad sequence. I am seeking help, here on this forum, with the problem of disassembling the code to find any secret keypad sequence. I am not asking for someone to do this for me. I am asking for advice on the best path to follow.

The first question I have is what disassembler should I use?
Is anyone up for a challenge?

Dazz


Last edited by dazz on Wed Aug 04, 2021 9:58 am, edited 1 time in total.

PostPosted: Wed Aug 04, 2021 7:11 am 
Joined: Thu Dec 11, 2008 1:28 pm
Posts: 10986
Location: England
WFDis is well-regarded:
https://www.white-flame.com/wfdis/


PostPosted: Wed Aug 04, 2021 10:17 am 
Joined: Wed Aug 04, 2021 6:07 am
Posts: 3
Hi
My apologies. I have asked the question in the wrong place.
The Wavetek is controlled by a 6805uP.
I have found the NSA Ghidra disassembler suite of tools.
Ghidra supports the 6502 so that may make this post useful to someone.

Dazz


PostPosted: Wed Aug 04, 2021 11:25 am 
Joined: Thu Dec 11, 2008 1:28 pm
Posts: 10986
Location: England
No problem! As you say, Ghidra is also worth a look. (I have to say I haven't tried it.)


PostPosted: Wed Aug 04, 2021 10:30 pm 
Joined: Sat Dec 01, 2018 1:53 pm
Posts: 730
Location: Tokyo, Japan
dazz wrote:
My apologies. I have asked the question in the wrong place.
The Wavetek is controlled by a 6805uP.

Well, maybe not entirely the wrong place, since there are a few MC680x users here, though most of us tend to be pretty quiet about it.

Last year I did a fair amount of 6800 and 6809 disassembly using f9dasm. This is a command-line disassembler driven by a text annotation file (the documentation is most easily viewed here); you tweak the annotation file with a text editor and then run the disassembler to get a new file with the result. If you're allergic to non-GUI things like this you may hate it, but I find it a much easier way of working, particularly because it's easy to commit changes to Git as you go along, making it easy to roll back when things go wrong, share work, have multiple developers working at the same time, and so on.

The general framework can be seen in various projects in the retroabandon group on GitLab. fm7re, a microcomputer ROM disassembly, is I think the most recent iteration of the tools, but panasonic-jr, also a microcomputer ROM disassembly, is almost as recent and a much larger example. rcse-mystery-board and altair-680-basic are both older projects; the latter has been stalled for quite a while. (I often take disassemblies only as far as I need to extract some specific information; I leave the result in a public repo for me or others to continue later should we feel the urge.)

Unfortunately, as you'll see from this family tree post, the 6805 is a 6800 variant with a slightly different ISA, and the 6805 is not supported by f9dasm. However, f9dasm already does support multiple ISAs (6800, 6802/6808 and 6801/6803 are all close variants, and 6809/6309 are a different CPU) so it should not be too difficult to add support for another ISA to f9dasm. The 6805 is just a 6800 variant (though it does change things like some register sizes) so with luck there wouldn't be too much to add.

(That said, I must admit the limitations of f9dasm have from time to time made me think about just writing a new disassembler, this time in a faster/easier language like Python.)

If you're interested in using my methods and tools to do this, I'd be happy to help get you started by doing the initial repo setup with disassembly scripts, walking you through the process I use, and so on. I work on Linux so if you use that or Mac there would be no issue there; if you are a Windows user all this can probably be adapted to the Bash command-line windows provided by Git for Windows. Feel free to get in touch with me by PM if you're interested.

_________________
Curt J. Sampson - github.com/0cjs
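As an added example (not code from this thread, from f9dasm or from Ghidra), here is a small table-driven 6805 disassembler in Python of the kind mentioned above; it assumes only the Motorola 6805 opcode map, and the sample bytes are constructed, not Wavetek firmware.

```python
# Added example (not from the thread, f9dasm or Ghidra): table-driven 6805 disassembler.
ALU = ["SUB", "CMP", "SBC", "CPX", "AND", "BIT", "LDA", "STA",
       "EOR", "ADC", "ORA", "ADD", "JMP", "JSR", "LDX", "STX"]
RMW = {0x0: "NEG", 0x3: "COM", 0x4: "LSR", 0x6: "ROR", 0x7: "ASR", 0x8: "LSL",
       0x9: "ROL", 0xA: "DEC", 0xC: "INC", 0xD: "TST", 0xF: "CLR"}
BRANCH = ["BRA", "BRN", "BHI", "BLS", "BCC", "BCS", "BNE", "BEQ",
          "BHCC", "BHCS", "BPL", "BMI", "BMC", "BMS", "BIL", "BIH"]
INHERENT = {0x80: "RTI", 0x81: "RTS", 0x83: "SWI", 0x8E: "STOP", 0x8F: "WAIT",
            0x97: "TAX", 0x98: "CLC", 0x99: "SEC", 0x9A: "CLI", 0x9B: "SEI",
            0x9C: "RSP", 0x9D: "NOP", 0x9F: "TXA"}

def rel(pc_next, off):  # branch target = next instruction + signed 8-bit offset
    return (pc_next + (off - 256 if off > 127 else off)) & 0xFFFF

def decode(rom, i, org):
    """Decode the instruction at rom[i] (ROM loaded at org); return (length, text).
    Rows $A0-$FF hold one ALU op per low nibble, one addressing mode per high nibble."""
    op, hi, lo, pc = rom[i], rom[i] >> 4, rom[i] & 0xF, org + i
    b1, b2 = (rom[i + 1:i + 3] + bytes(2))[:2]      # operand bytes, zero past end
    bit = ("BRSET" if lo % 2 == 0 else "BRCLR") + str(lo // 2)
    if hi == 0x0:  # BRSETn/BRCLRn direct,rel (3 bytes)
        return 3, f"{bit} ${b1:02X},${rel(pc + 3, b2):04X}"
    if hi == 0x1:  # BSETn/BCLRn direct
        return 2, f"{bit.replace('BR', 'B')} ${b1:02X}"
    if hi == 0x2:  # conditional and unconditional relative branches
        return 2, f"{BRANCH[lo]} ${rel(pc + 2, b1):04X}"
    if hi <= 0x7:  # read-modify-write: direct, A, X, 8-bit indexed, indexed
        if lo not in RMW: return 1, f"FCB ${op:02X}"  # unused opcode, emit as data
        m = RMW[lo]
        return {0x3: (2, f"{m} ${b1:02X}"), 0x4: (1, m + "A"), 0x5: (1, m + "X"),
                0x6: (2, f"{m} ${b1:02X},X"), 0x7: (1, f"{m} ,X")}[hi]
    if hi <= 0x9:  # inherent control and register ops
        return 1, INHERENT.get(op, f"FCB ${op:02X}")
    m = ALU[lo]
    if hi == 0xA:  # immediate column: $AD is BSR; STA/JMP/STX have no imm form
        if lo == 0xD: return 2, f"BSR ${rel(pc + 2, b1):04X}"
        return (1, f"FCB ${op:02X}") if lo in (0x7, 0xC, 0xF) else (2, f"{m} #${b1:02X}")
    return {0xB: (2, f"{m} ${b1:02X}"), 0xC: (3, f"{m} ${b1:02X}{b2:02X}"),
            0xD: (3, f"{m} ${b1:02X}{b2:02X},X"), 0xE: (2, f"{m} ${b1:02X},X"),
            0xF: (1, f"{m} ,X")}[hi]
def disassemble(rom, org=0):  # linear sweep; one "ADDR  MNEMONIC operand" per line
    out, i = [], 0
    while i < len(rom):
        n, text = decode(rom, i, org)
        out.append(f"{org + i:04X}  {text}")
        i += n
    return out
# Constructed sample, not real Wavetek firmware: test a port bit, compare a key code, call a handler.
SAMPLE = bytes.fromhex("0F 02 03 B6 10 A1 2A 26 03 CD 12 34 81")
print("\n".join(disassemble(SAMPLE, 0x1000)))
```

A linear sweep like this mislabels data tables as code; an annotation file of the sort f9dasm uses is what tells the tool where the tables are.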


PostPosted: Wed Aug 04, 2021 11:26 pm 
Joined: Fri Dec 11, 2009 3:50 pm
Posts: 3367
Location: Ontario, Canada
I hope you are tracking these replies, Dazz. :)

dazz wrote:
This feature was disabled when I replaced the nvram (non-volatile RAM). [...]
To clarify, I read this as meaning the feature became disabled as a result of replacing the NVRAM -- is that right?


Quote:
The only way to write data to the nvram is within the 2520A. There are no interfaces or connectors that would allow bus access to the nvram. The only way to get external data into the nvram is via the keypad.
It may well be that at the factory they simply unplug the keypad and, in its place, plug in an automated jig that simulates the laborious keystroke sequence necessary to enter large amounts of data (and code?).

FWIW, the Phase Modulation feature may simply be undocumented -- as opposed to actively kept secret and confidential, I mean.

-- Jeff

_________________
In 1988 my 65C02 got six new registers and 44 new full-speed instructions!
https://laughtonelectronics.com/Arcana/ ... mmary.html


PostPosted: Thu Aug 05, 2021 3:17 am 
Joined: Wed Aug 04, 2021 6:07 am
Posts: 3
Dr Jefyll wrote:
I hope you are tracking these replies, Dazz. :)

dazz wrote:
This feature was disabled when I replaced the nvram (non-volatile RAM). [...]
To clarify, I read this as meaning the feature became disabled as a result of replacing the NVRAM -- is that right?


Quote:
The only way to write data to the nvram is within the 2520A. There are no interfaces or connectors that would allow bus access to the nvram. The only way to get external data into the nvram is via the keypad.
It may well be that at the factory they simply unplug the keypad and, in its place, plug in an automated jig that simulates the laborious keystroke sequence necessary to enter large amounts of data (and code?).

FWIW, the Phase Modulation feature may simply be undocumented -- as opposed to actively kept secret and confidential, I mean.

-- Jeff


I replaced the nvram with a new version. I don't have the ability to read/write to the nvram standalone so I did not try and transfer the old nvram data to the new nvram. I have sent the old nvram off to someone who has an eprom programmer that will be able to read the nvram, if it still has any memories left after all these years.

The PM feature is listed in the manual as an option. There is nothing in the manual giving any details of the firmware, so no surprises that the nvram contents are not documented.

The interface to the keyboard is serial. It is possible, but unlikely that this would be used as a programming interface. I would be surprised if the nvram included any code. Most likely data only.
In 1989 or so, the easiest option would be to put all code on the eproms. The eproms are socketed for easy upgrades of the firmware. My firmware is ver 5.1.

There is a physical lockable switch to select diagnostics mode. Routines are selected by entering a number on the keypad and seeing the results on the LCD. I suspect that enabling the routine for the PM feature is a simple keypad entry that is not shown in the documentation.

After the 2520A is turned on, it immediately starts a set of self test routines, including the installed features. If I can disassemble the code, I can look through the startup code to find the routine that runs (and fails) the PM feature test. I can also look in the diagnostics code which displays the enabled features (but not any more).

The diagnostics code will include a routine to read the keypad entries and call a related routine. If I can find an undocumented keypad sequence, I can try it and see if the PM mode is enabled.

The 2520A is very much hand built so I would be surprised if there was a plug-in programming module or interface. The diagnostics routines look like factory test routines.

If the old nvram looks like it has retained memories, then I could remove the new nvram and send it off to be written with the old nvram contents.

So I have some options to explore.


PostPosted: Thu Aug 05, 2021 8:05 pm 
Joined: Fri Dec 11, 2009 3:50 pm
Posts: 3367
Location: Ontario, Canada
dazz wrote:
The 2520A is very much hand built so I would be surprised if there was a plug-in programming module or interface.
I'm suggesting the "interface" may have escaped your attention, with the theory that it appears to be (and is) nothing more than the place where the keypad plugs in to associated circuitry. By unplugging the keypad, factory personnel could attach an automated whatchamacallit in its place to perform lengthy keypress sequences for data entry. (It would be a write-only interface; no information would be returned to the gizmo.) No biggie -- I'm just floating the idea.

Quote:
So I have some options to explore.
Yes -- and quite a long road behind you! I read the entire Eevblog topic mentioned in your lead post, and your perseverance is remarkable.

Is it fair to say you'll have no need to disassemble the firmware if the original NVRAM contents can be recovered?

-- Jeff

_________________
In 1988 my 65C02 got six new registers and 44 new full-speed instructions!
https://laughtonelectronics.com/Arcana/ ... mmary.html

