tunozemichanの日記 / tunozemichan's diary

This blog is a memorandum about the analysis of SORD's computers M68 and M68MX.

Analyzing the BIOS of SORD M68MX (Summary Part 1)

I do not have any software for the SORD M68MX. The CP/M-68K for the SORD M68 that I received through the Facebook community earlier does not work on the M68MX, because the hardware configuration is completely different.

It is a shame that all I can see of this rare machine is its startup screen. So I set myself the goal of analyzing the M68MX BIOS and somehow getting the original CP/M-68K to run on it.


The inside of M68MX consists of two boards, upper and lower, and the BIOS is mounted on the lower board in two separate ROMs, ODD and EVEN.


Remove these two ROMs and read their contents with a ROM programmer. You now have the ROM binaries for ODD and EVEN.

The next step is to interleave the two images in the correct order and merge them into a single binary file. I used WinHex, but I am sure any hex editor will do.

I will refer to the integrated binary file as BIOS.BIN. I will analyze it using a disassembler.

At first I used radare2, but then I found out about Ghidra, and now I mainly use that. Ghidra is multi-platform and free. It differs from radare2 in its design philosophy and offers modern mouse-driven operation: when you hover over an area of interest, Ghidra displays a concise cross-reference, which is exactly what you want during analysis. I recommend it.


In the following, I will describe my own way of doing binary analysis, aimed at beginners.

I used the following procedure to analyze it.


1. Get a good disassembler and reverse engineering tool. I think Ghidra is the first choice for this. If your target CPU is supported by it, dasm is also a good choice. radare2 is difficult to learn.


2. Find the reset entry point of the target CPU. On the m68k, the initial stack pointer is stored at address 0x0 and the reset vector (the address where execution starts after a reset) at 0x4.


3. Look at the board and check for a CRT controller (HD46505SP in the M68MX) and an ACIA (MC6850 or HD6850) used for serial communication. In the M68MX, I also found a DMA controller (uPD8257C), a floppy disk controller (uPD765AC), a real-time clock (RTC58321S), and a programmable timer module (HD6840P).


4. Examine the simplest yet most important initialization, that of the ACIA, and find that part in the disassembled code. In the case of the 6850, the BIOS writes a master reset (0x3) to the control register, followed by the protocol setting value. There appear to be many protocol options, but most can be excluded, since communication with 7 data bits or 2 stop bits is unlikely.

Find the actual setting by excluding the unlikely ones. The communication protocol of the M68MX turned out to be 8 bits, no parity, 1 stop bit, with the communication speed set to 1/16 of the transmit/receive input clock. I had already measured the frequency of this clock with an oscilloscope (see my previous blog post): it was 76.9 kHz. Dividing this value by 16 gives the communication speed, which is 4800 bps.

Once the control register is identified, the next address is the data register. This leads you to the subroutines for sending and receiving single characters, continuous transmission, and so on.


5. Most computers with floppy disks read the boot track of the floppy disk and boot from it, so the floppy disk controller (FDC) is always initialized in the BIOS. The FDC of the M68MX is the uPD765AC. This FDC requires a SPECIFY command as initialization. The command is a 3-byte sequence whose first byte is 0x3. The last two bytes are hard to predict because there are many possible values. However, since these three bytes are stored consecutively, you can find them by reading the code from the beginning and paying attention to the areas used as data. This search revealed the status and data registers of the FDC. At present, however, I have not found any track reads. In principle, they should be there...


6. I also looked for the CRT controller (CRTC) code, although it is not particularly important. It is faster to find this through the string data in the binary file than to look for it head-on. The Japanese M68MX is equipped with Fujitsu's Kanji ROM, so at startup the screen displays "Please set the floppy disk." The first thing to do is to find the place in the BIOS code where this string is defined. The characters in Fujitsu's Kanji ROM are in JIS (Japanese Industrial Standards) code, so it is not difficult to find the bytes. From there, you can find the subroutine that writes characters to the CRTC.
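As an added example (my own script, not part of the original post), the merge, reset-vector and ACIA steps above as a small Python tool. It assumes the EVEN ROM holds the even addresses (the high byte of each m68k word) and that the BIOS writes the 6850 control register with `move.b #imm,(abs).l` (opcode 0x13FC); the ROM bytes below are constructed, not the real M68MX BIOS.

```python
import struct

# Constructed sample, NOT the M68MX BIOS: two 16-byte ROM halves.
# Assumption: EVEN holds even addresses (high byte of each m68k word), ODD the odd ones.
EVEN = bytes.fromhex("00 80 00 00 00 00 00 00 13 00 00 E0 13 00 00 E0")
ODD  = bytes.fromhex("00 00 00 10 00 00 00 00 FC 03 FF 01 FC 15 FF 01")

def merge_roms(even: bytes, odd: bytes) -> bytes:
    """Interleave the two ROM images into one byte-addressed BIOS image."""
    assert len(even) == len(odd), "ROM halves must be the same size"
    out = bytearray(len(even) * 2)
    out[0::2] = even
    out[1::2] = odd
    return bytes(out)

def reset_vectors(bios: bytes):
    """m68k vector table: initial SSP at 0x0, initial PC (reset vector) at 0x4, big-endian."""
    return struct.unpack(">II", bios[:8])

# MC6850 control register: CR1:CR0 = clock divide, CR4:CR2 = word select.
ACIA_WORD = {0: "7E2", 1: "7O2", 2: "7E1", 3: "7O1", 4: "8N2", 5: "8N1", 6: "8E1", 7: "8O1"}
ACIA_DIV = {0: 1, 1: 16, 2: 64, 3: None}   # 3 = master reset, not a divide ratio

def decode_acia_cr(cr: int):
    """Return (data/parity/stop format, clock divide ratio) for a control byte."""
    return ACIA_WORD[(cr >> 2) & 7], ACIA_DIV[cr & 3]

def find_acia_init(bios: bytes, clock_hz: float = 76_900.0):
    """Look for 'move.b #$03,(addr).l' (13 FC 00 03 + 32-bit addr) immediately followed
    by a second move.b to the same address, and decode that byte as the 6850 control
    register.  Keeps only 8-data-bit, 1-stop-bit settings, as the post argues.
    Returns (offset, register address, format, baud)."""
    hits = []
    for i in range(len(bios) - 15):
        a, b = bios[i:i + 8], bios[i + 8:i + 16]
        if a[:2] == b[:2] == b"\x13\xfc" and a[3] == 0x03 and a[4:] == b[4:]:
            fmt, div = decode_acia_cr(b[3])
            if div and fmt.startswith("8") and fmt.endswith("1"):
                hits.append((i, int.from_bytes(a[4:], "big"), fmt, clock_hz / div))
    return hits

if __name__ == "__main__":
    bios = merge_roms(EVEN, ODD)
    ssp, pc = reset_vectors(bios)
    print(f"initial SSP=0x{ssp:08X} reset PC=0x{pc:08X}")
    for off, reg, fmt, baud in find_acia_init(bios):
        print(f"ACIA control reg at 0x{reg:06X} (code offset 0x{off:X}): {fmt}, {baud:.0f} bps")
```

With the measured 76.9 kHz clock the divide-by-16 setting gives about 4806 bps, i.e. the nominal 4800 bps of the post.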


With the above steps, I gradually uncovered the functions of the M68MX. It is a daunting task with so many advanced ICs. Nevertheless, I think I am fairly close to booting CP/M-68K once I have worked out the ACIA and FDC areas. Currently, I have very little idea about the RAM mapping, but I would like to run memory test code on the actual machine to find out.