Saturday, March 19, 2022

Reverse Engineering MC6809 SBC... The Easy Way!

I previously documented my ultimately successful attempt to reverse engineer the CMS 9619 Advanced Single Board Computer. The main goal was to get a memory map of the system, including I/O addresses. Having this memory map makes disassembling the firmware on these boards much easier. The process I used previously was labor intensive, and required me to:

  1. figure out what each of the pins on the PAL IC (that decodes the addresses) connects to;
  2. lookup datasheets to see if it is an input or output pin;
  3. build a small circuit to increment through all of the possible inputs;
  4. write a program to display all of the actual outputs for those inputs.
This took a lot of work, and most of it only applies to the particular address decoder I was working on.

Ideally, I would want to just keep everything connected in circuit and just have the processor increment through all of the address lines for me, like a 16 bit binary counter. Hmm... Fortunately, the MC6809 has just such a feature built in! The "HCF" (Halt and Catch Fire!) instruction will halt the processor and increment the MC6809 address lines while holding R/W' high, causing it to output every possible address, and select every I/O chip on the board. This is perfect to build a memory map. Even better, since just one instruction does all of this, all I need to do is wire up that one instruction on the data bus and let the processor do the rest. I don't even need to program an EEPROM! Then, I can just observe the addresses and I/O enable lines using a cheap (under $10) logic analyzer. I could even use an Apple II (or another 6809 SBC) with a MC6821 PIA (or MC6522 VIA) to track the signal changes.

In the end, I decided to just program an EEPROM with a lot of HCF instructions:

% touch HCF.bin
% os9 padrom -c=205 8192 ./HCF.bin
% minipro -p AT28C64 -w ./HCF.bin
% xxd -s $((16#1FF0)) ./HCF.bin

00001ff0: cdcd cdcd cdcd cdcd cdcd cdcd cdcd cdcd
I then used my cheap logic analyzer to check the addresses and the chip select pins on the various I/O ICs on the board. Although this took a couple of steps (A15-A9 addresses, then A8-A2 addresses, before settling on A11-A8 with 4 chip select lines), I think it was probably faster than building a cable to connect to the Apple II APIO (MC6821) card, and I am pretty sure the Apple II could not have polled the lines fast enough.
Note channels 3-7 (A11-A7) incrementing nicely with the HCF instruction
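As an added illustration (my own sketch, not code from the post), here is the workflow in Python: build the all-HCF ROM image that `os9 padrom -c=205 8192` produces, emulate the HCF address sweep as seen on A11-A8 plus four active-low chip selects, and reduce that capture to address ranges. The chip-select decoder and the ACIA/PIA/PTM/ROM names are a constructed example, not the CMS 9619's real decoding.

```python
# Added example, not from the post. The decoder below is a made-up PAL used to
# fabricate a capture; replace it with real logic-analyzer samples on a board.

HCF_OPCODE = 0xCD  # 205 decimal, the fill byte passed to padrom -c=205


def hcf_rom(size=8192, opcode=HCF_OPCODE):
    """Return an EEPROM image filled with one HCF opcode, like HCF.bin in the post."""
    return bytes([opcode]) * size


def constructed_decoder(a11_a8):
    """Hypothetical PAL: levels of CS0..CS3 (0 = asserted) for a value of A11-A8."""
    cs = [1, 1, 1, 1]
    if a11_a8 == 0x0:            # CS0: ACIA occupies one 256-byte block
        cs[0] = 0
    elif a11_a8 == 0x1:          # CS1: PIA
        cs[1] = 0
    elif a11_a8 in (0x2, 0x3):   # CS2: PTM decoded over two adjacent blocks
        cs[2] = 0
    elif a11_a8 >= 0x8:          # CS3: ROM in the top half of the 4K window
        cs[3] = 0
    return tuple(cs)


def hcf_sweep(decoder=constructed_decoder):
    """Emulate what the analyzer sees while HCF counts A15-A0 up with R/W' high,
    probing only A11-A8 and the chip selects; one sample per 256-byte block."""
    capture = []
    for addr in range(0, 0x10000, 0x100):
        a11_a8 = (addr >> 8) & 0xF
        capture.append((a11_a8, decoder(a11_a8)))
    return capture


def memory_map(capture, cs_names, block=0x100):
    """For each chip select, merge the blocks where it was low into (start, end)
    offsets within the 4K window addressed by A11-A8."""
    asserted = {name: set() for name in cs_names}
    for a11_a8, levels in capture:
        for name, level in zip(cs_names, levels):
            if level == 0:
                asserted[name].add(a11_a8)
    ranges = {}
    for name, blocks in asserted.items():
        runs = []
        for b in sorted(blocks):
            if runs and runs[-1][1] == b * block - 1:
                runs[-1] = (runs[-1][0], b * block + block - 1)
            else:
                runs.append((b * block, b * block + block - 1))
        ranges[name] = runs
    return ranges
```

Because the sweep covers all 64K, each 4K pattern repeats sixteen times; extend the probed lines to A15-A12 to tell those windows apart, as the post did in its earlier passes.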
