Just a thought before I remove the user interface from the RV.
Do you think is possible there may be data contained on the user interface with all the control switch sand display, it is quite a major process removing this so thought I would ask prior to the removal operation.
regards
andrew
I'm afraid the code in Astra24.s19 doesn't 'do' anything. It has a basic 'startup' routine to clear some RAM, which turns out to be ONE byte, and it has a routine at 0x800E that is prepared to 'call' a list of functions from a pointer table, but that list is empty and the count zero. After that, it just sets a flag in RAM and spins in a dead-end loop clearing the watchdog. It accesses NO peripherals, sets no I/O of any kind.
And I can't make heads nor tails of Astra23-s19 - Shortcut List.txt --- what process made that and what do you hope it represents?
SUB8000: PSHH | ;Fetch next byte, increment pointer@0x178 | ||
PSHX | |||
LDHX | 5,SP | ||
LDA | ,X | ||
AIX | #1 | ||
STHX | 5,SP | ||
PULX | |||
PULH | |||
RTS |
;
SUB800E: AIS | #2 | ;Call a list of routines pointed to from 80C9 | |
LDHX | C0X80C1 ;=0 <-count of said list entries | ||
AIX | #-1 | ||
STHX | 1,SP | ;0xFFFF->0x176 | |
BRA | LB8035 | ||
LB801A: | LDA | 1,X | |
LSLA | |||
LDX | ,X | ||
ROLX | |||
ADD | C0X80C4 ;=0x80C9 | ||
PSHA | |||
TXA | |||
ADC | C0X80C3 | ||
PSHA | |||
PULH | |||
PULX | |||
LDHX | ,X | ||
JSR | ,X | ||
TSX | |||
TST | 1,X | ||
BNE | LB8033 | ||
DEC | ,X | ||
LB8033: | DEC | 1,X | |
LB8035: | TSX | ;Already negative, do nothing | |
TST | ,X | ||
BGE | LB801A | ||
AIS | #2 | ||
RTS |
;
SUB803C: AIS | #-4 | ||
LDA | C0X80BC ;=1 | ||
INCA | |||
TSX | |||
STA | 1,X | ;2->0x17B | |
LDA | C0X80BB ;=0 | ||
INCA | |||
STA | ,X | ;1->0x17A | |
LDHX | C0X80BD ;=0x80C5 | ||
BRA | LB806E | ||
LP804F: | PSHX | ||
PSHH | |||
LDA | ,X | ;Fectched from 0x80C5 | |
PSHA | |||
LDA | 2,X | ||
INCA | |||
STA | 6,SP | ;1->0x17C | |
LDA | 3,X | ;0x01 | |
LDX | 1,X | ;0x80 | |
PULH | ; HX = 0x0080 | ||
INCA | ;A=2 | ||
BRA | LB8064 | ||
LB8061: | CLR | ,X ;Clears one RAM, starting at 0x80 | |
AIX | #1 | ||
LB8064: | DBNZA | LB8061 | |
DBNZ | 5,SP,LB8061 ;Dec 0x17C | ||
PULH | |||
PULX | |||
AIX | #4 | ;0x80C5 goes to 0x80C9 | |
LB806E: | DBNZ | 2,SP,LB804F ;Dec 0x17B | |
DBNZ | 1,SP,LB804F ;Dec 0x17A | ||
LDHX | c0X80BF ;=0x80DB | ||
PSHX | |||
PSHH | |||
LB807B: | BSR | SUB8000 | ;Nets 0x00 |
TAX | |||
INCA | |||
STA | 3,SP | ;1->0x17A | |
JSR | SUB8000 | ;Nets 0x00 | |
INCA | |||
STA | 4,SP | ;1->0x17B | |
DECA | |||
BNE | LB808F | ||
CBEQX | #0x00,LB80AA ;So THIS path is taken | ||
JSR | SUB8000 | ||
PSHA | |||
PULH | |||
JSR | SUB8000 | ||
TAX | |||
BRA | LB80A0 | ||
LB809A: | JSR | SUB8000 | |
STA | ,X | ||
AIX | #1 | ||
LB80A0: | DBNZ | 4,SP,LB809A | |
DBNZ | 3,SP,LB809A | ||
BRA | LB807B | ||
LB80AA: | AIS | #2 | |
JSR | SUB800E | ||
AIS | #4 | ||
RTS |
ENTRY: | LDHX | #0x0180 | ||
TXS | ||||
BSR | SUB803C | |||
JMP | LB80CD | ;Flag 'end' and die there |
C0X80BB DB 0x00
C0X80BC DB 0x01
C0X80BD | DW 0x80C5 |
C0X80BF | DW 0x80DB |
C0X80C1 | DW 0x0000 |
C0X80C3 | DB 0X80 |
C0X80C4 | DB 0xC9 |
C0X80C9: DW 0
DW 0 | ||||
LB80CD: | CLI | |||
JSR | SUB80D6 | |||
LB80D1: | STA | 0x1800 | ;Just sit here and keep the watchdog happy | |
BRA | LB80D1 | |||
SUB80D6: MOV | #0x01,0x80 | ;Set 'done' Flag in that one RAM byte | ||
NOP | ||||
RTS | ||||
C0x80DB | DW 0 |
The list.txt file comes from code warrior decoder.exe and is "allegedly" the decoded s19 file for hc08 and is a MASM Listing (.lst) type file that opens in Visual C++ by default. I think the extension was changed on upload to site.
I was hoping it may contain comments or something useful, there must be something somewhere hiding away as I know the manufacturer uses the cyclone pro to program and update the system and the other chip on the board which is a Altera cyclone 2 can not be read or programmed via BDM as far as I know as I had to read that with a USB Blaster
I did wonder if there may be something with in the LCD control panel that stores data, however that is a major task removing it.
It has come to the stage after spending £150 on the USB blaster and £450 on the cyclone pro I start to think is it worth for a £1500 system lol!
But I really do appreciate all your help.
Regards
Andrew Stancliffe
What I find in there is the first 20% looks more like a hex-dump of the attached PC, what with directory paths and all, like: C:\Users\Andrew\My Documents. The disassembly seems to be of that same space, and only covers thru 0x3522 (which is below the S08GT32A flash space, which starts at 0x8000).
It is all very strange indeed.
One thing I just pondered on was the endless loop you mentioned in an earlier post, The dish opens up then blind scans the sky for a max of 300 seconds could this be this? if within the 300 seconds it receives a signal from the correct satellite it then locks onto that and the search ends. I presume the signal to stop would come from the on-board receiver
I have taken the step of removing the control panel an attach a picture of it from what I can see the Texas71576B is what sends a signal for positional motors to operate. I have done a google for the PCB hmi 0370.002.b but it returns a empty search return ......well it was a long shot
The code I have managed to disassemble interacts with NO I/O pins, no internal peripheral devices in any way, and as such cannot be doing ANYTHING within you circuit as programmed. I can only assume what we have is a 'placeholder' for more complex functions that COULD be incorporated. The 'loop' I mentioned is just where that little bit of code 'goes to die' when it has done the little bit of nothing it does. Anything that looks like any kind of 'real activity' is coming from somewhere else entirely.