Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
SilverSolder:
--- Quote from: dietert1 on February 24, 2021, 10:16:18 pm ---In the 8502A the memory map is the same, except it has only 768 Bytes of RAM and no EEPROM. EPROM consists of 4x i2732 in one instrument; the other one has a mezzanine with lots of mask ROMs AM9218.
Meanwhile I spent some hours looking into the firmware 3.0.0 and found it perfectly obfuscated. They went to great detail trying to hide essential pieces of the workings. For example in several places they replaced the jump instruction by an indirect jump through a ROM constant function pointer. System vectors RSTn are routed through RAM function pointers with variable destinations. Also they use a reverse memcpy() to hide the base addresses of data and code structures. I guess it was all written in assembly language. There is no interpreter and I didn't see a full floating point library. I doubt it can be reverse engineered using a general tool. I used a simulator and a disassembler, both with mods to log backplane access, RAM function calls and the like. Meanwhile the disassembler knows 19 obfuscated entry points in addition to the eight system vectors.
Regards, Dieter
--- End quote ---
It never occurred to me that the "spaghetti" was an intentional attempt at obfuscation, but it makes perfect sense with the crazy stuff we are seeing inside the EPROMs... see my answer to @joeqsmith, perhaps we can untie the knot via the U18 listing?
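The two tricks quoted above (an RSTn vector that bounces through a RAM pointer with changing destinations, and a JMP replaced by LHLD from a ROM constant followed by PCHL) are easy to show on a toy ROM, and so is why Dieter needed a simulator with a logging hook rather than a plain disassembler. The following is an added example, not Dieter's tooling and not Fluke firmware: the ROM image, the RAM window at 1000h (768 bytes, borrowed from the 8502A figure above) and the handler addresses are all constructed here. The opcodes are real 8080 encodings.

```python
"""Linear-sweep disassembly vs. a tracing 8080 subset on a constructed ROM.
Everything below (ROM contents, RAM window, handler addresses) is made up
to illustrate the thread's obfuscations; it is not the 8506A/8502A map."""

RAM_BASE, RAM_SIZE = 0x1000, 768   # assumed RAM window; 768 bytes like the 8502A
ROM_SIZE = 0x0400                  # assumed: ROM at 0000h-03FFh

def build_rom():
    """Hand-assembled constructed ROM (8080 opcodes, little-endian operands)."""
    rom = bytearray(ROM_SIZE)
    def emit(addr, *code):
        rom[addr:addr + len(code)] = bytes(code)
    emit(0x0000, 0xC3, 0x00, 0x01)        # RST 0 (reset): JMP 0100h  <- only static target
    emit(0x0038, 0x2A, 0x02, 0x10, 0xE9)  # RST 7: LHLD 1002h / PCHL  <- vector lives in RAM
    emit(0x0100, 0x31, 0x00, 0x13)        # LXI SP,1300h
    emit(0x0103, 0x21, 0x00, 0x02)        # LXI H,0200h
    emit(0x0106, 0x22, 0x02, 0x10)        # SHLD 1002h   ; RST 7 now lands on handler A
    emit(0x0109, 0xFF)                    # RST 7
    emit(0x010A, 0x21, 0x10, 0x02)        # LXI H,0210h
    emit(0x010D, 0x22, 0x02, 0x10)        # SHLD 1002h   ; same vector, new destination
    emit(0x0110, 0xFF)                    # RST 7
    emit(0x0111, 0x2A, 0x00, 0x03)        # LHLD 0300h   ; pointer constant in ROM
    emit(0x0114, 0xE9)                    # PCHL         ; "JMP 0220h" in disguise
    emit(0x0200, 0xC9)                    # handler A: RET
    emit(0x0210, 0xC9)                    # handler B: RET
    emit(0x0220, 0x76)                    # HLT
    emit(0x0300, 0x20, 0x02)              # DW 0220h (data, not code)
    return bytes(rom)

OP_LEN = {0xC3: 3, 0xCD: 3, 0x21: 3, 0x31: 3, 0x2A: 3, 0x22: 3}  # rest used here: 1 byte

def static_targets(rom):
    """What a plain linear-sweep disassembler sees: JMP/CALL operands only."""
    targets, pc = set(), 0
    while pc < len(rom):
        op = rom[pc]
        if op in (0xC3, 0xCD):
            targets.add(rom[pc + 1] | rom[pc + 2] << 8)
        pc += OP_LEN.get(op, 1)
    return targets

class Tracer:
    """8080 subset whose PCHL logs the target and where HL was loaded from."""
    def __init__(self, rom):
        self.rom, self.ram = rom, bytearray(RAM_SIZE)
        self.pc = self.sp = self.hl = 0
        self.hl_src = None      # address HL was last LHLD'd from; None after LXI H
        self.halted, self.log = False, []   # log: (pc of PCHL, target, pointer addr)
    def rd(self, a):
        a &= 0xFFFF
        if a < len(self.rom):
            return self.rom[a]
        if RAM_BASE <= a < RAM_BASE + RAM_SIZE:
            return self.ram[a - RAM_BASE]
        return 0xFF             # unmapped: open bus
    def wr(self, a, v):
        a &= 0xFFFF
        if RAM_BASE <= a < RAM_BASE + RAM_SIZE:   # writes to ROM are dropped
            self.ram[a - RAM_BASE] = v & 0xFF
    def rd16(self, a):
        return self.rd(a) | self.rd(a + 1) << 8
    def push(self, v):
        self.sp = (self.sp - 2) & 0xFFFF
        self.wr(self.sp, v & 0xFF); self.wr(self.sp + 1, v >> 8)
    def pop(self):
        v = self.rd16(self.sp); self.sp = (self.sp + 2) & 0xFFFF; return v
    def step(self):
        pc, op = self.pc, self.rd(self.pc)
        imm16 = self.rd16(pc + 1)
        if op == 0x00:   self.pc = pc + 1                                  # NOP
        elif op == 0x76: self.halted = True                                # HLT
        elif op == 0xC3: self.pc = imm16                                   # JMP a16
        elif op == 0xCD: self.push(pc + 3); self.pc = imm16                # CALL a16
        elif op == 0xC9: self.pc = self.pop()                              # RET
        elif op == 0x21: self.hl, self.hl_src, self.pc = imm16, None, pc + 3           # LXI H
        elif op == 0x31: self.sp, self.pc = imm16, pc + 3                               # LXI SP
        elif op == 0x2A: self.hl, self.hl_src, self.pc = self.rd16(imm16), imm16, pc + 3  # LHLD
        elif op == 0x22:                                                                # SHLD
            self.wr(imm16, self.hl & 0xFF); self.wr(imm16 + 1, self.hl >> 8); self.pc = pc + 3
        elif op == 0xE9:                                                   # PCHL: log it
            self.log.append((pc, self.hl, self.hl_src)); self.pc = self.hl
        elif (op & 0xC7) == 0xC7:                                          # RST n
            self.push(pc + 1); self.pc = (op >> 3 & 7) * 8
        else:
            raise NotImplementedError(f"opcode {op:02X} at {pc:04X}")

def trace(rom, max_steps=10_000):
    cpu = Tracer(rom)
    for _ in range(max_steps):
        if cpu.halted:
            break
        cpu.step()
    return cpu.log

def hidden_entry_points(rom):
    """Code reached only via PCHL, i.e. invisible to static_targets()."""
    return {target for _, target, _ in trace(rom)}

def vector_destinations(rom):
    """Pointer address -> every distinct destination it held when used."""
    seen = {}
    for _, target, src in trace(rom):
        if target not in seen.setdefault(src, []):
            seen[src].append(target)
    return seen

if __name__ == "__main__":
    rom = build_rom()
    print("static:", [f"{a:04X}" for a in sorted(static_targets(rom))])
    print("traced:", [f"{pc:04X}->{t:04X} via {s:04X}" for pc, t, s in trace(rom)])
```

The sweep finds only 0100h; the trace shows the one RST 7 vector at 1002h serving two handlers (0200h and 0210h) and the ROM pointer at 0300h feeding PCHL at 0114h. The "obfuscated entry points" Dieter counts are exactly the PCHL targets such a log accumulates, and the same hook is where one would log backplane accesses by address range.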
joeqsmith:
--- Quote from: dietert1 on February 24, 2021, 10:16:18 pm ---In the 8502A the memory map is the same, except is has only 768 Bytes of RAM and no EEPROM.
--- End quote ---
That's good to know. I'm more confident now in my results. My next step will be to start reading up on the 8080.
Back in the early/mid 80s, I had a friend who worked as a third tier programmer for a large company. Micros back then had very limited resources. The first tier programmers would write the code until they ran out of resources. It was then handed over to the 2nd tier who would clean up and optimize the code to get things to fit. If they couldn't pull it off, it went to the final group. They were allowed to completely rewrite the code and would typically optimize it to the point it was no longer maintainable. It's very possible that what you are seeing is a result of no longer caring about how well the software looks and could be maintained but rather how to get it to fit and meet timing. I've never worked for a company where the goal was to make the code unreadable. More it was the end result of what was being asked. :-DD
--- Quote ---....replaced the jump instruction by an indirect jump through a ROM constant function pointer.
--- End quote ---
A few years ago I decided to test some handheld DMMs and I ended up designing a small transient generator to help automate the task. I decided to go all old tech one last time, right down to the wire wrap. The microcontroller I used was the Motorola MC68701 which has 2K ROM. It's all written in assembler and I am doing exactly what you describe in several places of the code. I think I even have some indirect tables in RAM that change in order to save a few bytes. That code's a mess.
U18 is really just a decoder. Could have been a PAL. The code space is linear and if you look at the contents, you can see how that jumper remaps things. But that jumper is fixed so I highly doubt there is anything funny going on with U18 creating some top secret code security system.
SilverSolder:
It just goes to prove, once code gets messy enough, it becomes indistinguishable from an intentional effort to obfuscate! :D
joeqsmith:
Did you find a disassembler / assembler combo that allows you to reassemble the disassembled code and match the binary?
To attempt to make use of the improved baud rate, I may not need to go to that level but if you have the tool chain sorted, I would start getting it set up.
SilverSolder:
No, I stopped at the disassembly part (and quickly ran out of Aspirin).
...In other news, I downloaded the TL866ii software and noted that it actually still has all the high voltage chips in its database (i.e. the same chips as the previous models), opening the possibility for adding an external Vpp supply for 21V and 25V chips, it seems.