Confused about ST9 boot

stmcu
Associate II
Posted on April 19, 2003 at 19:42

stmcu
Associate II
Posted on May 17, 2011 at 11:33

I'm trying to reverse engineer a system that has an ST9030 with a 256KB EEPROM (a TMS28F series). The first 16 bytes of the EEPROM contain:

48 C0 DD 03 F0 4C 81 40 0D 01 F0 4C DB 00 F0 4E

That would lead me to believe that the starting address is at 48C0. However, this is the code at that address (courtesy of IDA Pro 4.5):

    ROM:48C0 popu R7 ; Pop from User Stack
    ROM:48C2 djnz r14, loc_48C4 ; Decrement a Working Register and Jump if Non Zero
    ROM:48C4
    ROM:48C4 loc_48C4: ; Compare Word
    ROM:48C4 cpw rr0, (rr6)
    ROM:48C6 ld -(rr4), R85 ; Load
    ROM:48C9 ld (r5), R194 ; Load
    ROM:48CC adc r10, (r3) ; Add with Carry
    ROM:48CE adcw rr4(rr4), rr12 ; Add Word with Carry
    ROM:48D1 or R224, #0x8C ; 'O' ; Logical OR
    ROM:48D4 djnz r13, loc_48D6 ; Decrement a Working Register and Jump if Non Zero

This code doesn't make a lot of sense. How can the first operation be a pop off the user stack? Is the stack uninitialized, or at least empty? What is there to pop?

Posted on May 17, 2011 at 11:33

Question for you: is this component a ST90R30 or ST9030?

What you are doing only works if this part is a ST90R. All the memory is external to the ST9, meaning you can get the reset vector and therefore the whole program memory content by reading the external memory.

If this part is a ST9030 then it is going to be a little bit tricky. This device has 8k of internal memory so you would need to read this memory to reverse engineer this system.

Based on your feedback, you must be in this situation, so 48C0h, first byte of your external memory, is not your reset vector, which explains the rest...

Take care,

Jojo

stmcu
Associate II
Posted on May 17, 2011 at 11:33

Yes, I do have an ST9030. I can't find any detailed specs for this chip, so I don't know how to access the 8KB ROM. Can you tell me how, or can you at least tell me where I can find specs?

Posted on May 17, 2011 at 11:33

This part has been declared obsolete for a very long time. Documents, programmer or even datasheet are no longer available through ST. Your best bet would be a broker.

I checked my archive and the only thing I have is a quick description of this product:

- 8k ROM

- 56 IOs through a PLCC68

- 1 WD

- 1 Multi Fct Timer

- 1 SPI

- 1 SCI

- 1 ADC

Jojo

Posted on May 17, 2011 at 11:33

A broker buys parts just before they are declared obsolete by their manufacturer (last time buy). They then hope to resell them with a very high margin to customers in need.

Customers have no choice but to pay since the broker is then the only company with stock.

The web is the best way to find brokers; however, I have not seen any for this particular part. It has been obsolete for a very long time.

Your best bet is therefore to understand what signals, commands and acknowledges are required, and what tasks are executed, then to implement all of these with another device.

For your last questions, you have control, status and data registers for all peripherals, SPI included. However, it depends on the ST9030 firmware to let you read the contents of these registers or any memory location.

Take care,

Jojo

stmcu
Associate II
Posted on May 17, 2011 at 11:33

A broker? For microcontrollers? I've never heard of such a thing. How would I find one?

Is there a standard way to communicate with the SCI? That is, is there some register or memory area that is typically associated with the SCI? I want to be able to search for instructions that look like they are reading or writing to the SCI.

For example, on IBM PC and compatible computers, I/O address 0x3F8 is associated with the first serial port, so if you saw any code that was reading or writing to this port, you'd know it was trying to control the serial port. Is there anything like that for the ST9?

[ This message was edited by: timur on 19-04-2003 22:54 ]