How to dump 6801 - 8052.com

Back to Subject List

Old thread has been locked -- no new posts accepted in this thread

???
11/17/06 05:26
Read: times

#128146 - How to dump 6801
Responding to: ???'s previous message

Dumping the 6801 is a bit tricky. following is the code I wrote to send out the serial port as a hex dump. The trick is you need external code in eprom, but it must not overlay the mask rom (0xe000-0xffff) - so how do you get it to execute the eprom code? I made a GAL to decode the addresses so that the eprom appears in the vector space (0xfff0..0xffff) and the code is at 0x6000. Downside is you loose the vector addresses of the code you want to dump - upside is that it is pretty obvious when you disassemble the code. Crystal frequency is 4.9152Mhz, baud rate is 9600. Press reset and the micro starts dumping its secrets!

This worked on the hitachi cpu of the kawasaki box and the mitsubishi box, but did not work for some mask motorola parts from a bosch box. A HC11 disassembler works for 6801, but the timers etc are different.

Save This Code

  Mon Oct 13 2003 22:09                                                                                                  Page    1







               2500 A.D. 6800 Macro Assembler  -  Version 4.01a
               ------------------------------------------------

                       Input  Filename : getrom.asm
                       Output Filename : getrom.obj


    1                          	;-------------------------------------------------------------------------
    2                          	;
    3                          	;	suck the code out of the 6801 mask rom device (we hope!)
    4                          	;
    5                          	;
    6                          	;-------------------------------------------------------------------------
    7          6000            	rombot	equ	06000h		;start address of the rom
    8          7FFF            	romtop	equ	07fffh		;top of rom
    9                          	;
   10                          	;	internal register equates
   11                          	;
   12          0000            	port1_ddr	equ	0
   13          0001            	port2_ddr	equ	1
   14          0002            	port1		equ	2
   15          0003            	port2		equ	3
   16          0004            	port3_ddr	equ	4
   17          0005            	port4_ddr	equ	5
   18          0006            	port3		equ	6
   19          0007            	port4		equ	7
   20          0008            	tcsr		equ	8
   21          0009            	count_hi	equ	9
   22          000A            	count_lo	equ	10
   23          000B            	outcomp_hi	equ	11
   24          000C            	outcomp_lo	equ	12
   25          000D            	incap_hi	equ	13
   26          000E            	incap_lo	equ	14
   27          000F            	port3csr	equ	15
   28          0010            	rmcr		equ	16
   29          0011            	status		equ	17
   30          0012            	rxbuff		equ	18
   31          0013            	txbuff		equ	19
   32          0014            	ram_ctrl	equ	20
   33                          	;
   34                          	;
   35                          	;
   36                          	pshx	macro
   37                          		fcb	3ch
   38                          		endm
   39   6000                   		org	rombot
   40   6000   86 09           	start	lda	#09h		;4800 baud @2.4567mhz/9600 baud @ 4.1952
   41   6002   97 10           		sta	rmcr
   42   6004   86 02           		lda	#2
   43   6006   97 11           		sta	status		;enable transmitter
   44   6008   86 0D           		lda	#0dh
   45   600A   97 13           		sta	txbuff		;send carriage return
   46   600C   8E 00 F0        		lds	#00f0h		;setup the stack
   47                          	;
  Mon Oct 13 2003 22:09                                                                                                  Page    2




   48                          	;	test code...
   49                          	;
   50                          	;lp
   51                          	;	ldaa	status
   52                          	;  	anda	#20h
   53                          	;	beq	lp
   54                          	;	ldaa	#'T'
   55                          	;	staa	txbuff
   56                          	;	bra	lp
   57                          	;
   58                          	;
   59                          	;
   60   600F   CE E0 00        	dump	ldx	#$e000		;->internal rom
   61   6012   BD 60 63        	dump1	jsr	pcrlf
   62   6015   86 4C           		ldaa	#'L'
   63   6017   BD 60 58        		jsr	pchar
   64   601A   BD 60 74        		jsr	paddr
   65   601D   BD 60 6E        		jsr	pspace
   66   6020   86 09           		ldaa	#$09
   67   6022   BD 60 58        		jsr	pchar		;print tab
   68   6025   86 66           		ldaa	#'f'
   69   6027   BD 60 58        		jsr	pchar
   70   602A   86 63           		ldaa	#'c'
   71   602C   BD 60 58        		jsr	pchar
   72   602F   86 62           		ldaa	#'b'
   73   6031   BD 60 58        		jsr	pchar
   74   6034   86 09           		ldaa	#$09
   75   6036   BD 60 58        		jsr	pchar
   76   6039   C6 10           		ldab	#16		;16 bytes /line
   77   603B   86 24           	dump2	ldaa	#'$'
   78   603D   BD 60 58        		jsr	pchar
   79   6040   A6 00           		lda	0,x		;get byte
   80   6042   BD 60 7F        		jsr	phex
   81   6045   86 2C           		ldaa	#','
   82   6047   BD 60 58        		jsr	pchar
   83   604A   BD 60 6E        		jsr	pspace
   84   604D   08              		inx			;next byte
   85   604E   5A              		decb
   86   604F   26 EA           		bne	dump2		;next byte/line
   87   6051   8C 00 00        		cpx	#$0000
   88   6054   26 BC           		bne	dump1
   89   6056   20 FE           	loop	bra	loop		;next line
   90                          	
   91                          	;
   92                          	;	print a char out the serial port
   93                          	;
   94   6058   36              	pchar	psha			;save A
   95   6059   96 11           	pchar1	lda	status		;get comms status
   96   605B   84 20           		anda	#20h		;mask for tdre bit
   97   605D   27 FA           		beq	pchar1		;wait till empty
   98   605F   32              		pula			;restore A
   99   6060   97 13           		sta	txbuff		;send it
  100   6062   39              		rts
  101   6063                   		
  102                          	
  103                          	;
  104                          	;	print cr/lf
  Mon Oct 13 2003 22:09                                                                                                  Page    3




  105                          	;
  106   6063   86 0D           	pcrlf	lda	#0dh
  107   6065   BD 60 58        		jsr	pchar
  108   6068   86 0A           		lda	#0ah
  109   606A   BD 60 58        		jsr	pchar
  110   606D   39              		rts
  111                          	;
  112                          	;	print a space
  113                          	;
  114   606E   86 20           	pspace	lda	#20h
  115   6070   BD 60 58        		jsr	pchar
  116   6073   39              		rts
  117                          	
  118                          	;
  119                          	;	print address in X
  120                          	;
  121   6074                   	paddr	pshx			;save X onto the stack
  122   6074   3C              		fcb	3ch
  123   6075                   		endm
  124   6075   32              		pula			;get high address
  125   6076   33              		pulb			;get low address
  126   6077   BD 60 7F        		jsr	phex
  127   607A   17              		tba			;get low address
  128   607B   BD 60 7F        		jsr	phex
  129   607E   39              		rts
  130                          	;
  131                          	;	convert byte in Acc to ascii hex and output
  132                          	;
  133   607F   36              	phex	psha
  134   6080   46              		rora
  135   6081   46              		rora
  136   6082   46              		rora
  137   6083   46              		rora
  138   6084   BD 60 88        		jsr	phex1
  139   6087   32              		pula
  140   6088   84 0F           	phex1	anda	#0fh
  141   608A   81 09           		cmpa	#9
  142   608C   2F 02           		ble	phex2
  143   608E   8B 07           		adda	#7		;add ascii offset for A-F
  144   6090   8B 30           	phex2	adda	#30h		;add ascii offset for numbers		
  145   6092   BD 60 58        		jsr	pchar		;print it
  146   6095   39              		rts
  147                          	
  148                          	
  149                          	
  150                          	
  151                          	;
  152                          	;	vectors-hardware maps us there
  153                          	;
  154   FFF0                   		org	0fff0h
  155   FFF0   FFFF            	sci_vec	fdb	0ffffh
  156   FFF2   FFFF            	tof_vec	fdb	0ffffh
  157   FFF4   FFFF            	ocf_vec	fdb	0ffffh
  158   FFF6   FFFF            	icf_vec	fdb	0ffffh
  159   FFF8   FFFF            	irq_vec	fdb	0ffffh
  160   FFFA   FFFF            	swi_vec	fdb	0ffffh
  161   FFFC   FFFF            	nmi_vec	fdb	0ffffh
  Mon Oct 13 2003 22:09                                                                                                  Page    4




  162   FFFE   6000            	rst_vec	fdb	rombot
  163                          	
  164                          	



           Lines Assembled :  164             Assembly Errors :  0

List of 15 messages in thread

Topic Author Date
Help in reverse-engineering an old 8051-based ECU?              01/01/70 00:00
   Toyota boxes perhaps?              01/01/70 00:00
      Not Toyotal, although that's already been "hacked"              01/01/70 00:00
         Are the mazda & honda the same?              01/01/70 00:00
            Getting there...              01/01/70 00:00
               Two different beasts!              01/01/70 00:00
                  I could kick myself.              01/01/70 00:00
                     Mazda vs Kawasaki box              01/01/70 00:00
                        Yep, 680x chip.              01/01/70 00:00
                           How to dump 6801              01/01/70 00:00
   Have you verified the fixed connections?              01/01/70 00:00
      Not yet...              01/01/70 00:00
   ignore this double post, plz.              01/01/70 00:00
   email address?              01/01/70 00:00
      Ping me here...              01/01/70 00:00

Back to Subject List

Topic	Author	Date
Help in reverse-engineering an old 8051-based ECU?		01/01/70 00:00
Toyota boxes perhaps?		01/01/70 00:00
Not Toyotal, although that's already been "hacked"		01/01/70 00:00
Are the mazda & honda the same?		01/01/70 00:00
Getting there...		01/01/70 00:00
Two different beasts!		01/01/70 00:00
I could kick myself.		01/01/70 00:00
Mazda vs Kawasaki box		01/01/70 00:00
Yep, 680x chip.		01/01/70 00:00
*How to dump 6801*		01/01/70 00:00
Have you verified the fixed connections?		01/01/70 00:00
Not yet...		01/01/70 00:00
ignore this double post, plz.		01/01/70 00:00
email address?		01/01/70 00:00
Ping me here...		01/01/70 00:00