The CPU inside the VCI-100
The CPU inside the VCI-100 Posted on: 20.08.2008 by robert chanda I checked out the controller inside the VCI-100, and according to Ean's upgrade video, it's a Hitachi H8/3052:http://www.nuhorizons.com/developmen...y_brochure.pdf http://www.datasheet4u.com/download.php?id=527539 That thing has way more features than strictly necessary - 512K flash ROM, 8K RAM, programmable DMA (not used), timers and clock pulse generators galore (not used). It only has two ADC channels on the chip so it must be polling the knobs and using an analog multiplexer, but it has 70+8 digital inputs/outputs! (8 of the channels are output only) That means it can read 70 switches without needing any extra hardware, or control 78 output LEDs. The part is sold by Hitachi's IC arm called Renesas, and the GNU based toolchain is available here: http://tool-support.renesas.com/eng/toolnews/h8_1.htm http://tool-support.renesas.com/eng/toolnews/h8.html FYI, Renesas are having a developer conference in October in San Diego (http://devconrenesas.com/index.html) where you can meet the Mythbusters (http://devconrenesas.com/schedule/sp...amie_adam.html) WTF? | |
| Xavier Emanuels 22.10.2008 |
Originally Posted by frak
|
| Hannes Deburchgraeve 19.09.2008 |
Originally Posted by Fatlimey
|
| robert chanda 08.09.2008 |
Originally Posted by BentoSan
|
| team DonX 08.09.2008 |
Originally Posted by 4nT1
With Ean as leader |
| Xavier Emanuels 06.09.2008 |
Originally Posted by 4nT1
|
| NATAN SHMIT 01.09.2008 |
Originally Posted by BentoSan
|
| DJ Pablo 04.01.2009 | Some new developments/news?? |
| D D 23.10.2008 | So there isn't a one to one relation between pins and inputs then? I believe I need to read a lot more before I comment any further... |
| Adolf Hit 22.10.2008 | Hey Frak, The only hardware mods needed would be if you are actually trying use the unused pins. The Vestax engineers would have all ready tied pins they had no need for to GND or VCC. |
| D D 22.10.2008 | So all of the input pins on the chip are used? I guess I misunderstood the start of the thread saying that there were spare inputs... Soon as I get my VCI I am going to be ordering both the overlay and the firmware kit, you have no idea how much of a raging clue finding this website has given me! BTW - do you ever sleep? Or are you one of Ean's more radical VCI-100 mods? |
| Xavier Emanuels 22.10.2008 |
Originally Posted by frak
|
| D D 22.10.2008 | Also, in the H3800H doc, at the beginning it says:
2. Treatment of Unused Input Pins
Note: Fix all unused input pins to high or low level. Generally, the input pins of CMOS products are high-impedance input pins. If unused pins are in their open states, intermediate levels are induced by noise in the vicinity, a pass- through current flows internally, and a malfunction may occur. |
| D D 22.10.2008 | Any suggestions for what I can use to disassemble in OS X? I would love to have a bash at some of this... |
| DJ Strutzip 18.10.2008 | this question is kinda off topic, but I've long wondered the difference in the signal sent from encoders as apposed to knobs/sliders? What is required to retrofit between the two? |
| Dj Gjaka 17.10.2008 | More power to you Fatlimey |
| team DonX 08.10.2008 | Ok, don't worry it's life! I'll wait.... |
| robert chanda 09.10.2008 | On hold while I start up this evening
club event, build sets of speakers, work on my Bome's MIDI maps to add looping and beatjumps, and sort out some 5 hour sets from this pile of half listened to new tracks, remain married and try not to ignore my 2yo kid. So! It may take some time... :-) |
| team DonX 08.10.2008 | Any news about reverse engineering? ;-) |
| Hannes Deburchgraeve 19.09.2008 |
Originally Posted by Fatlimey
|
| robert chanda 08.09.2008 |
Originally Posted by BentoSan
|
| team DonX 08.09.2008 |
Originally Posted by 4nT1
With Ean as leader |
| Xavier Emanuels 06.09.2008 |
Originally Posted by 4nT1
|
| Adil Laresh 06.09.2008 | amazing progress.. reverse engineer deluxe its a shame Vestax wont release the source code or whatever is needed for the community to enhance such a great product. if the code is open source vestax could also use it in future products... Ean surely you could give the word on this one... even if there is an agreement between Vestax and 1 or 2 people max and they sign nda's or something... higher resolution midi sounds dreamy |
| NATAN SHMIT 01.09.2008 |
Originally Posted by BentoSan
|
| Xavier Emanuels 01.09.2008 |
Originally Posted by 2dfruit
|
| Virginia Ortiz 31.08.2008 | big ups to you guys |
| NATAN SHMIT 31.08.2008 | I'm no programmer, so I don't have a notion as to what you fellas are talking about here. What sort of things are possible if you complete what you's are trying to do? |
| Xavier Emanuels 26.08.2008 | Wow nice Fatlimey, thats some impressive work. Your way ahead of me i am still reading about the basics of assembly Ive done some light coding and memory hacking in the past but nothing as deep as assembly :eek: This is a great opportunity to learn though and your posts are certainly helping out *thumbs up* |
| robert chanda 26.08.2008 | Been browsing through some assembly toevening
. The instruction set has almost no surprises - your basic 16-bit RISC machine with 24-bit addresses. The precise memory map depends on some pin settings (MD0,MD1,MD2) that select whether the CPU has external ram, and if so what the address space looks like. Without cracking open my machine (again, I'm such a hardware slut) I can't tell which mode the machine is set to use, but it has to be one of 5,6 or 7 as the BIN file writes ROM to the jump tables and ROM. I'm guessing it's using mode 7, the super-special chip-only design with no external RAM, just 8K internal Static RAM and heaps of ROM, but that's just a guess. The address maps are on page 95 of 845 in the 3052.pdf document (I had to shorten the PDF name to save my sanity). The other PDF, the "h8300.pdf" file has a useful list of instructions in section 2.2. Having both docs open to crossreference works well. So, back to the code. I'm using the 1.3 code to start with as I know there has to be a crucial decision point when the OS chooses between the 1.2 and 1.3 codebases, and that's what I'm looking for initially. It's an exercise in familarize myself with the code layout. The jump table at address 0x0000 says the code starts at 0x3FD2 - slap bang in the middle of the ROM in the memory map. Some notes on the code. Code:
003FD2 7A07 00FF FF10 MOV.L #H'00FFFF10,ER7 003FD8 7A00 0000 8000 MOV.L #H'00008000,ER0 003FDE 7A01 00FF EF10 MOV.L #H'00FFEF10,ER1 003FE4 7A02 00FF F296 MOV.L #H'00FFF296,ER2 Code:
003FEA 1F92 CMP.L ER1,ER2 003FEC 5870 0008 BEQ H'003FF8:16 Code:
003FF0 6C0B MOV.B @ER0+,R3L 003FF2 689B MOV.B R3L,@ER1 003FF4 0B71 INC.L #1,ER1 003FF6 40F2 BRA H'003FEA:8 Write that byte to 0xEF10, add 1 to the pointer. Branch always to somewhere above this starting point... Code:
003FF8 5E00 3952 JSR @H'003952:24 003FFC 5670 RTE When you return, pop the CC and PC from the stack. (strange. The SP contains nothing at this pooint, so the function above had better fill it with something) Code:
003FFE 0100 6DF0 MOV.L ER0,@-ER7 004002 0100 6DF1 MOV.L ER1,@-ER7 004006 0100 6DF2 MOV.L ER2,@-ER7 00400A 0100 6DF3 MOV.L ER3,@-ER7 00400E 0100 6DF4 MOV.L ER4,@-ER7 004012 0100 6DF5 MOV.L ER5,@-ER7 004016 0100 6DF6 MOV.L ER6,@-ER7 00401A 5E00 5AF2 JSR @H'005AF2:24 00401E 0100 6D76 MOV.L @ER7+,ER6 004022 0100 6D75 MOV.L @ER7+,ER5 004026 0100 6D74 MOV.L @ER7+,ER4 00402A 0100 6D73 MOV.L @ER7+,ER3 00402E 0100 6D72 MOV.L @ER7+,ER2 004032 0100 6D71 MOV.L @ER7+,ER1 004036 0100 6D70 MOV.L @ER7+,ER0 00403A 5670 RTE So that's the beginning of work. The function we jump to at 0x3952 is interesting. Code:
003952 7A03 00FF F052 MOV.L #H'00FFF052,ER3 003958 7A05 0000 37BE MOV.L #H'000037BE,ER5 00395E 7906 0001 MOV.W #H'0001,R6 Code:
003962 1900 SUB.W R0,R0 003964 0B50 INC.W #1,R0 003966 7920 7FFF CMP.W #H'7FFF,R0 00396A 4DF8 BLT H'003964:8 Add 1 to R0 Compare R0 to 0x7FFFF If it's less then branch to the increment - it's a loop that does nothing! Maybe it creates a necessary delay? 0x7ffff is a typical value. Who can say. Next comes a BIGASS block of function calls. Code:
00396C 5E00 3B4E JSR @H'003B4E:24 003970 5E00 3F02 JSR @H'003F02:24 003974 5E00 4F0C JSR @H'004F0C:24 003978 5E00 0200 JSR @H'000200:24 00397C 5E00 2AA4 JSR @H'002AA4:24 003980 5E00 3636 JSR @H'003636:24 003984 5E00 0870 JSR @H'000870:24 003988 5E00 4FDE JSR @H'004FDE:24 00398C 5E00 54CE JSR @H'0054CE:24 003990 5E00 59C2 JSR @H'0059C2:24 003994 5E00 413A JSR @H'00413A:24 003998 5E00 372A JSR @H'00372A:24 00399C 5E00 3B76 JSR @H'003B76:24 0039A0 5E00 4178 JSR @H'004178:24 Also notehow all the JSRs so far are to addresses less than the starting address - a typical layout for functions inside the same C file, jumping to functions that have already been defined. This won't hold for much longer. OK, bedtime. |
| DJ Anand Kumar 26.08.2008 | Umm... Does Google or Babelfish have a translation for this thread? It looks really complicated and exciting, but it's way beyond my comprehension. Anyhow, enjoy - seems like some people are having fun. |
| donavan djarkasi 26.08.2008 | Great stuff Fatlimey. Got me interested right away and I'll help the way I can. Bento said it, get this baby to next lvl. |
| robert chanda 26.08.2008 | The next step- a manual for the H8/3052 chip itself: http://documentation.renesas.com/eng...2_3052bfhm.pdf Or the more condensed programming guide the chip family (300H): http://documentation.renesas.com/eng...213_h8300h.pdf Bit of light reading for you. |
| robert chanda 21.08.2008 |
Originally Posted by BentoSan
We do know that the 1.3 firmware contains two separate systems, the 1.2 and the 1.3 which are switchable at bootup. So the first thing to do is start from the boot address and look for this decision point - once you find that it should be possible to break the map into to sections and then cross-match their shared subroutines. The other thing to do to build a memory map of the H8 processor to find out what addresses hold the IO pins and ADC registers, so that we can recognize button reads and highlight them. Currently the assembler just prints out "load register from address FFFFblah" which could mean anything. It's time to start attaching meaning to specific addresses. Usually I'd do this on paper - print out the whole dump, pin it up on a wall and have at it with highlighters and notes, but that's not so easily shareable. Not sure how to proceed in a shareable manner. I believe I'll just do what I can and report back. Can anyone find a concise summary of the instruction set that doesn't involve buying a book? |
| Xavier Emanuels 21.08.2008 |
Originally Posted by tekki
|
| Random X 21.08.2008 | I am no big fan of dissasembling assembly. But if needed, I can try to help out? |
| Xavier Emanuels 21.08.2008 |
Originally Posted by Fatlimey
|
| Xavier Emanuels 21.08.2008 | Whoa i got some sleep and went to work and get back to find you guys are all over this Sweet !
Originally Posted by midifidler
Time to start decompiling this baby |
| Dj Daxsen 21.08.2008 | Fat Limey you are the man! I could probably help out with some C work down the road but i haven't dabbled in Assembler before. Exciting stuff though!!! (WORD UP THE NERDS!!!!!!) |
| Jenny Pow 21.08.2008 | What do they really have to lose for giving that information out? that wouldnt be copyright infrindgement(or something like it) would it? |
| Adolf Hit 20.08.2008 | Fascinating work! My knowledge of assembler is minimal, but Ill help out where I can. Vestax should really release the source though, they must realize by now they have a future classic in their hands, by being the first major company to release source, even to a select few developers they will cement that. |
<< Back to Reviews of DJ equipment Reply