
Visicom Textphone Reverse-engineering

b/Hardware Started by Keoni29, November 17, 2014, 10:39:48 PM


u/Keoni29 December 04, 2014, 09:25:59 PM
I took a closer look at the disassembly of the ISR for interrupt 1 and added some comments. I found out that there are two rx buffers: One for the modem and one for something hooked up to PIA1. I don't think it is the video chip.

isr1:
fae5  b8            PUSH A               --
fae6  c8            PUSH B               --
fae7  a7  01 80 13  BTJZP %>1,P128,@>fafe -- ACIA: If a byte was received
faeb  80  81        MOVP P129,A          -- ACIA: Read received byte
faed  76  40 3c 35  BTJO %>64,R60,@>fb26 -- ? Discard byte if receive buffer is full
faf1  32  3d        MOV R61,B            -- ? Calculate offset in buffer
faf3  53  3f        AND %63,B            -- ? (Buffer size: 64 bytes)
faf5  ab  46 b2     STA @>46b2(B)        -- ? Save byte to receive buffer
faf8  d3  3d        INC R61              -- ? Increment byte counter
fafa  d3  3c        INC R60              -- ?
fafc  e0  28        JMP @>fb26           -- ? Return from isr
label:
fafe  a7  80 b1 29  BTJZP %>128,P177,@>fb2b -- ? If PIA2 triggered an IRQA1
fb02  80  b0        MOVP P176,A          -- PIA2: Read data from PORTA
fb04  80  a0        MOVP P160,A          -- PIA1: Read data from PORTA (? is value from PIA2 discarded? why?)
fb06  23  0f        AND %15,A            -- Get lowest 4 bits
fb08  76  20 3e 1a  BTJO %>32,R62,@>fb26 -- ? Return if something happens
fb0c  32  3f        MOV R63,B            -- ? Calculate offset in buffer
fb0e  53  1f        AND %31,B            -- ? (Buffer size: 32 bytes)
fb10  ab  46 f2     STA @>46f2(B)        -- ? Save byte to receive buffer
fb13  d3  3f        INC R63              -- ? Increment byte counter
fb15  d3  3e        INC R62              -- ?
fb17  73  bf 26     AND %191,R38         -- ?
fb1a  88  00 00 38  MOVD %>0000,R56      -- ?
fb1e  88  00 00 36  MOVD %>0000,R54      -- ?
fb22  88  00 00 41  MOVD %>0000,R65      -- ?
isr1_end1:
fb26  c9            POP B                --
fb27  b9            POP A                --
fb28  d5  46        CLR R70              -- ?
fb2a  0b            RETI                 -- return from interrupt
label:
fb2b  a7  80 b3 f7  BTJZP %>128,P179,@>fb26 -- ? If PIA2 triggered an IRQB1
fb2f  80  b2        MOVP P178,A          -- PIA2: Read byte from PORTB
fb31  a2  04 b3     MOVP %4,P179         -- PIA2: PORTB output register is selected
fb34  e0  f0        JMP @>fb26           -- Return from isr
fb36  76  ff 2f 01  BTJO %>255,R47,@>fb3b --
fb3a  0b            RETI                 -- return from interrupt
label:
fb3b  d2  2f        DEC R47              -- ? Decrement while R47 is not zero
fb3d  dd  2d        RRC R45              -- ? Get carry bit from DEC operation and rotate
fb3f  dd  2e        RRC R46              -- ? Rotate right R45/46
fb41  e3  04        JHS @>fb47           --
fb43  a3  f7 06     ANDP %247,P6         -- ? PORTB[3] = Carry flag
fb46  0b            RETI                 -- return from interrupt
fb47  a4  08 06     ORP %8,P6
fb4a  0b            RETI                 -- return from interrupt
Last Edit: December 04, 2014, 10:22:12 PM by keoni29
u/Dream of Omnimaga December 06, 2014, 04:32:27 PM
Wait, those phones used assembly too? O.O

Not that I can decipher it but it's interesting nonetheless. Sometimes, we don't realize that almost everything is a computer. >.<
u/Keoni29 December 06, 2014, 04:52:01 PM
Yeah this thing is almost a microcomputer. The only thing that is missing is a basic interpreter :P
I want to get my own software on it somehow. I was working on a pin adapter for my atari2600 cartridge which allows it to be used with the visicom.

For a demo I need to:
- Initialize the cpu
- Initialize the PIAs
- Initialize the video chip
- Write to the video chip's character generator ram
- Write characters to the display
- Actually learn how to write TMS70xx assembly :P

That's right: I have been disassembling and reverse engineering w/o any knowledge of TMS70xx assembly. I learned a lot about it by looking at the disassembly though! I have not written a single line of TMS70xx assembly yet, but once I know how to do the first 5 things I will write code for it.

I know how to do most things in that list at this point. I have to look at the disassembly a bit more to make sure that I know how to do it. (Perhaps there are some hardware bugs that need to be fixed in software.)
u/Dream of Omnimaga December 06, 2014, 06:07:32 PM
So what's the CPU and its speed, as well as the RAM, in this thing?
u/Keoni29 December 06, 2014, 08:10:18 PM
Edit: The TMS70xx is rated at 5MHz, but it is clocked at 3,579545 MHz in the visicom. This is probably for timing reasons.
More specs can be found here:
http://8times8.eeems.me:81/project/software/visicom/#h1

Edit: I started probing around the board again. It appears that the ACIA is not hooked up to the modem. Instead it is used for serial communication. It is wired up to the DB25 connector at the back. I might be able to use this simple interface for debugging while I can't get video on the screen yet. It's quite easy to set the ACIA up for serial communications.
Last Edit: December 06, 2014, 09:28:22 PM by keoni29
u/Dream of Omnimaga December 07, 2014, 03:43:17 AM
Ok thanks for the info :)
u/TIfanx1999 January 03, 2015, 02:03:57 AM
Pretty neat stuff!
u/Keoni29 January 05, 2015, 09:05:04 PM
Found out that there are even more bugs in the tms7000 disassembler. So far this is the list:

Disassembler bugs:
1. Relative jump addresses are not calculated properly
Status: fixed
Relative jump offset values are added to the PC after the instruction is fetched. When an instruction is 4 bytes long the total sum is:
> PC + 4 + offset (relative to the beginning of the instruction)
offset is a value ranging from -128 to 127

2. Something wrong with opcode a8. Disassembler output:
Status: unresolved
> f749  a8  d8 9a 12  MOVD %!>(uint16=55450)0012(B),R%!d(MISSING) --
> f6f3  a8  d8 c2 12  MOVD %!>(uint16=55490)0012(B),R%!d(MISSING) --

3. Unknown vectors at the end of the rom are actually trap vectors
Status: fixed
4. Interrupt handler labels are placed incorrectly.
Status: temporary fix: got rid of it altogether
5. Trap instructions are reversed
Status: fixed
6. Several missing opcodes
Status: unresolved
7. Wrong mnemonics with certain opcodes.
Status: unresolved
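The relative-jump rule from item 1, checked against branch lines of the isr1 listing posted earlier in this thread. This is an added example, not code from the disassembler or from the posters; `BranchTarget` and `CheckLine` are hypothetical names, and it assumes the offset is the last byte of the instruction.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Branch lines copied from the isr1 listing in this thread (comments trimmed).
var listing = []string{
	"fae7  a7  01 80 13  BTJZP %>1,P128,@>fafe",
	"fafc  e0  28        JMP @>fb26",
	"fb2b  a7  80 b3 f7  BTJZP %>128,P179,@>fb26",
	"fb41  e3  04        JHS @>fb47",
}

// BranchTarget: target = instruction address + length + signed 8-bit offset.
func BranchTarget(addr uint16, length int, offset byte) uint16 {
	return addr + uint16(length) + uint16(int16(int8(offset)))
}

// CheckLine recomputes a line's target from its bytes; printed is the "@>" value.
func CheckLine(line string) (computed, printed uint16, err error) {
	f := strings.Fields(line)
	i := strings.LastIndex(line, "@>")
	if len(f) < 3 || i < 0 || len(line) < i+6 {
		return 0, 0, fmt.Errorf("not a relative branch: %q", line)
	}
	var code []byte // opcode and operand bytes: two-digit hex tokens after the address
	for _, tok := range f[1:] {
		b, perr := strconv.ParseUint(tok, 16, 8)
		if len(tok) != 2 || perr != nil {
			break
		}
		code = append(code, byte(b))
	}
	addr, aerr := strconv.ParseUint(f[0], 16, 16)
	tgt, terr := strconv.ParseUint(line[i+2:i+6], 16, 16)
	if aerr != nil || terr != nil || len(code) < 2 {
		return 0, 0, fmt.Errorf("cannot parse: %q", line)
	}
	return BranchTarget(uint16(addr), len(code), code[len(code)-1]), uint16(tgt), nil
}

func main() {
	for _, l := range listing {
		c, p, err := CheckLine(l)
		fmt.Printf("%-44s computed=%04x printed=%04x ok=%v\n", l, c, p, err == nil && c == p)
	}
}
```

Running the same check over a whole disassembly flags every branch whose printed target disagrees with its bytes, including the backward ones (offset `f7` is -9).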
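The `%!>(uint16=...)` and `%!d(MISSING)` fragments in item 2 are the markers Go's `fmt` package emits for an unknown verb and a missing argument. The sketch below is an added example, not the disassembler's code: it assumes the operand is printed with a format string in which the `%>` of the TMS7000 immediate syntax is not escaped, and the format strings, `FormatMOVD` and `FmtErrors` are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
)

// Hypothetical format strings: the disassembler's source is not in the thread.
// Kept in variables so fmt receives them unchanged at run time.
var (
	buggyFormat = "MOVD %>%04x(B),R%d"  // "%>" is taken as an unknown verb
	fixedFormat = "MOVD %%>%04x(B),R%d" // "%%" prints a literal percent sign
)

// fmtError matches fmt's error markers such as %!>(uint16=55450),
// %!d(MISSING) and %!(EXTRA int=1).
var fmtError = regexp.MustCompile(`%!.?\([^)]*\)`)

// FormatMOVD renders a 16-bit address and a register number with format.
func FormatMOVD(format string, addr uint16, reg byte) string {
	return fmt.Sprintf(format, addr, reg)
}

// FmtErrors returns every fmt error marker found in a line of output, so a
// test over the whole opcode table can flag instructions that print garbage.
func FmtErrors(line string) []string {
	return fmtError.FindAllString(line, -1)
}

func main() {
	// Operand bytes from the thread's first sample: a8 d8 9a 12
	for _, f := range []string{buggyFormat, fixedFormat} {
		out := FormatMOVD(f, 0xd89a, 0x12)
		fmt.Printf("%-45s markers=%d\n", out, len(FmtErrors(out)))
	}
}
```

With the unescaped string the address is consumed by `%>`, the register byte lands in `%04x` as `0012`, and `%d` has nothing left, which reproduces the quoted output exactly.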
u/Dream of Omnimaga January 06, 2015, 12:16:39 AM
Ouch, sorry to hear. I hope this doesn't compromise your plans if you had projects with this Textphone. D:
u/Keoni29 January 06, 2015, 08:49:54 AM
Most of these are easy fixes, but I just have not gotten around to fixing them all yet. Most of these bugs indicate a lack of understanding of the cpu. I don't think the creator of the disassembler knew much about the tms7000, or he was just coding very sloppily and did not check if the disassembled code would result in the same code as before it was assembled.
u/Keoni29 January 10, 2015, 12:00:53 AM
I wrote a quick and dirty test to see if I can get my own code to work on the visicom. It will blink an LED if all goes well. Now I have to build a pin adapter for my atari2600 backup cartridge that fits in the rom socket.
The next thing I am planning to write is a simple monitor program. It will allow me to peek and poke around in various memory locations using a terminal program on my pc.
u/Dream of Omnimaga January 10, 2015, 06:12:24 AM
I am curious: Why an Atari 2600 cart in particular? Is it for compatibility reasons or is it just easier to work with for this particular hardware?
u/Keoni29 January 10, 2015, 12:18:55 PM
Just because it's the fastest way to get a rom onto this device with the hardware I have at my disposal.

Edit: Just finished building the pin adapter. The blinking light program works!
Last Edit: January 10, 2015, 01:54:15 PM by Keoni29
u/Keoni29 January 11, 2015, 04:56:51 PM
I have been busy figuring out how to use all the peripherals of the visicom. So far I can:
- Set up the serial clock generator.
- Control the MCU's internal I/O port.
- Use interrupts
- Read and write data over serial (using the ACIA)
- Read keystrokes from the keyboard

I solved some interrupt problems by looking at the disassembly. It seems like the people who designed this thing ran into the same problems as I did :P
Next I want to output characters on the screen.

Last Edit: January 11, 2015, 05:40:34 PM by Keoni29
u/Dream of Omnimaga January 11, 2015, 06:36:38 PM
You ruined a $700 Atari game?? O.O just kidding, good job so far.