Tube❄️Time replied to Tube❄️Time

collecting the info is a pretty manual process.

Tube❄️Time replied to Tube❄️Time

the "ring lsi" is interesting. it provides an adjustable linear regulator to set the stepper motor supply voltage (set through SPI bus) and it monitors the "ringing" on a winding after it has been driven and is settling.

Tube❄️Time replied to Tube❄️Time

i've moved on to the read/write LSI. the read channel is somewhat tricky because it uses four (!) one-shot timers to turn the raw analog signal coming from the read preamplifiers into an output pulse that represents a flux transition.

Tube❄️Time replied to Tube❄️Time

this later revision of the st-251 uses a mask-ROM microcontroller. it's very similar to the R6518, at least in the pinout. it also latches its internal address bus on a bunch of the pins during the rising edge of phi2! this means i can spy on the program counter and any other memory addresses being accessed.

Tube❄️Time replied to Tube❄️Time

the firmware from the older board revision (which uses an external EPROM chip) has been dumped and (mostly) analyzed! see github.com/schlae/HardDriveInf

Tube❄️Time replied to Tube❄️Time

unfortunately we don't have a dump of the protected mask ROM, but it seems to be somewhat similar, and the 6502 puts *every* address it accesses on the bus, so you can see it accessing special function registers and the stack, allowing you to infer quite a bit about what is going on.

Tube❄️Time replied to Tube❄️Time

here's where things get really interesting. i've pulled in the imagery of the early ST-251 board and overlaid my Kicad traces from the newer revision.

it's almost like a visual diff--now i can see exactly what changes were made between board versions, which means i can back out a schematic as well!

Tube❄️Time replied to Tube❄️Time

well that was epic! i've completely reverse engineered this older revision. details in the repo (github.com/schlae/HardDriveInf)

Tube❄️Time replied to Tube❄️Time

another day, another board revision!

this one has minor electrical changes from the previous one, mainly adding control over the spindle motor *power level* from the microcontroller. that way they were able to lower the average power consumption.

github.com/schlae/HardDriveInf

Tube❄️Time replied to Tube❄️Time

this is the control board for the ST-225 hard drive. it's an earlier revision. so far it's not too dissimilar from the ST-251 but the stepper motor driver circuit is quite different.

Tube❄️Time replied to Tube❄️Time

and just like that...the ST225 logic board is now in KiCad.

check it out: github.com/schlae/HardDriveInf

Bob Davidson replied to Tube❄️Time

@tubetime
more and more impressed with KiCad. Also, my renewal for Altium is coming up😡

John "Dobbymoodge" Lamb replied to Tube❄️Time

@tubetime I've never wanted to play a DOOM map this badly in my life.

Tube❄️Time replied to Tube❄️Time

turns out there is another variation of the ST-225 logic board. looks like a cost reduction.

Tube❄️Time replied to Tube❄️Time

OK, this one is done! amazingly, it also helped me solve a mystery on the ST-251. on this later drive, the board has a custom chip that captures data from the current track and outputs a "processed" version of it to the MCU through the PA2 GPIO pin. how does it process it? i didn't know until today.

Tube❄️Time replied to Tube❄️Time

so the 20527 board in the ST-225 uses a discrete circuit for doing the same task. it has two 74123 one-shot pulse generators connected in series with each other and going out to the MCU (on PA7 because this board uses a variant).

Tube❄️Time replied to Tube❄️Time

the key observation is that the pin state depends on the frequency of the signal coming in. for DC, it is normally low. for frequencies *higher* than about 2.6MHz, it also stays low. but for a particular window of frequencies (1.4 to 2.6MHz) the pin goes *high*.

Tube❄️Time replied to Tube❄️Time

why is this useful? it turns out that these drives have a 1.75MHz signal recorded onto specific tracks, letting the MCU (which controls the stepper motor) know if it has gone outside of the data area.

so basically, you step around, and if you see this pin go high (and stay high) then you know you're out of bounds.

Tube❄️Time replied to Tube❄️Time

there is a special signal recorded at track -2. it is the same 1.75MHz but it has short bursts of twice the frequency (2F). this lets the MCU know that (1) it is at track -2, and (2) it lets it synchronize the hall effect sensors.

you get multiple pulses per revolution, so you need a way to sync up the divider chain so you get an index signal that is repeatable.

Tube❄️Time replied to Tube❄️Time

so from the ST-225 to the ST-251, this function got swallowed up in the drive interface chip. but at least now i know how it works.

Tube❄️Time replied to Tube❄️Time

i think i'll try to dump the microcontroller on the ST-225.

Tube❄️Time replied to Tube❄️Time

someone's dumped the MOS version of this microcontroller using a clever circuit and a test mode. i don't know if it will work with the NCR version of the chip, however.

e4aws.silverdr.com/hacks/6500_

Tube❄️Time replied to Tube❄️Time

let's see what happens when i throw the switch. it's putting 10V bursts on the reset pin, so i hope nothing gets damaged.

Tube❄️Time replied to Tube❄️Time

no luck, sadly. it's supposed to be clocking in a program over PORTC, but there appears to be output contention (see how the voltage levels on ch4 don't always make it to a logic high)

William D. Jones replied to Tube❄️Time

@tubetime Well, saves me the trouble of trying mine :P.

Tube❄️Time replied to Tube❄️Time

i'm not giving up. maybe it needs more clocks before bringing reset high. the datasheet says "at least 8"

Tube❄️Time replied to Tube❄️Time

oh that's interesting, the port C output is pulsing sometimes (and the data line doesn't get contention).

Tube❄️Time replied to Tube❄️Time

so the code that the exploit loads into RAM pulses the port C (all pins) with an LDA #$FF ; STA $82; LDA #$00; STA $82. the LDA is 2 cycles and the STA is 3 cycles. but the pin is high for 10 clock cycles...

Tube❄️Time replied to Tube❄️Time

OH! it has a clock divider on the input. so it's actually 5 CPU cycles. i think this exploit actually is running, but not consistently.

Tube❄️Time replied to Tube❄️Time

holy crap it is working, it's dumping real 6502 code

Tube❄️Time replied to Tube❄️Time

looks like the key finding is that i needed 2 more sets of clock cycles before bringing RESET up to 10V.

Tube❄️Time replied to Tube❄️Time

starting the disassembly process.

Tube❄️Time replied to Tube❄️Time

finished the disassembly process, more or less. you can read the commented source code here: github.com/schlae/HardDriveInf

Tube❄️Time replied to Tube❄️Time

and i learned some interesting things along the way. the drives have this weird set of resistors and driver chips tied to the stepper motor phases. it's for microstepping while in recovery mode!

ShutterBugged replied to Tube❄️Time

@tubetime Have you figured out yet how it syncs up the divider chain?

Tube❄️Time replied to ShutterBugged

@developing_agent yes it pulses a GPIO pin and that clears the divider flip flop.

ShutterBugged replied to Tube❄️Time

@tubetime I mean more like knowing when to do that (which 2F region should be the index pulse), or is that arbitrary and doesn't matter?

Tube❄️Time replied to ShutterBugged

@developing_agent the 2F region is once per revolution, so i think it doesn't matter as long as it is consistent. my guess is the edge between the 2F and 1.75MHz regions.

ShutterBugged replied to Tube❄️Time

@tubetime If there's only one 2F region, what do you get multiple pulses of per revolution? (and need a divider chain for?)

Tube❄️Time replied to ShutterBugged

@developing_agent you get multiple pulses per revolution off the spindle motor's hall effect sensor. you need a way to divide this down (usually with a chain of T flip flops) to get a pulse that occurs once per revolution. the disk controller uses this to place the sectors in their correct locations. it needs to be in the same spot every time otherwise the controller will get confused.
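A constructed model of the mechanism described in the posts above (the frequency-window detector feeding the MCU pin, the 1.75MHz guard tone, the 2F bursts at track -2, and the hall-sensor divider chain cleared by the MCU). This is an added example, not the drive firmware or the thread author's code; the hall pulse count per revolution, the segment timings and the 0.8 high-fraction split are assumptions.

```python
# Constructed model (added here; not the drive firmware or the thread author's code) of the
# window detector, the guard tone, the track -2 bursts and the hall-sensor divider chain.
# HALL_PER_REV and the 0.8 split in classify_track are assumptions, not measured values.
WINDOW = (1.4e6, 2.6e6)   # detector output is high only for inputs in this band
F_GUARD = 1.75e6          # tone recorded on the guard tracks (out-of-bounds marker)
F_2F = 2 * F_GUARD        # short bursts at twice the tone mark track -2
HALL_PER_REV = 4          # assumed: hall-sensor pulses per spindle revolution (power of two)

def pin_level(freq_hz):
    """Level on the MCU pin for a steady input: DC and anything above the window read low."""
    return WINDOW[0] <= freq_hz <= WINDOW[1]

def pin_waveform(segments):
    """segments: [(freq_hz, duration)] across one revolution; returns [(start, level)]."""
    t, out = 0.0, []
    for f, d in segments:
        out.append((t, pin_level(f)))
        t += d
    return out

def classify_track(segments):
    """'guard': pin high the whole revolution; 'track-2': mostly high with brief dips
    where the 2F bursts fall above the window; 'data': anything else."""
    total = sum(d for _, d in segments)
    high = sum(d for f, d in segments if pin_level(f))
    if high == total:
        return "guard"
    return "track-2" if high / total >= 0.8 else "data"

def first_sync_edge(segments):
    """Time of the first low-to-high edge (a 2F burst ending, 1.75 MHz resuming), the
    thread's guess for the reference the MCU uses to clear the divider chain."""
    wf = pin_waveform(segments)
    return next((t1 for (_, l0), (t1, l1) in zip(wf, wf[1:]) if l1 and not l0), None)

def divider_chain(hall_times, sync_time, initial_state):
    """Hall pulses clock a modulo-HALL_PER_REV counter (the T flip-flop chain); its rollover
    is the index pulse. A sync event clears it, so the index then lands on the same hall
    pulse every revolution whatever the chain held at power-up."""
    events = [(t, "hall") for t in hall_times]
    if sync_time is not None:
        events.append((sync_time, "sync"))
    state, index = initial_state % HALL_PER_REV, []
    for t, kind in sorted(events):
        if kind == "sync":
            state = 0
        else:
            state = (state + 1) % HALL_PER_REV
            if state == 0:
                index.append(t)
    return index
```

Run with two different power-up states and no sync, the index pulses land on different hall pulses; add a sync at the 2F edge and both runs produce the same index times from then on.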

ShutterBugged replied to Tube❄️Time

@tubetime Ah, so the divider chain is driven from the spindle hall effect sensor, and the single 2F region sets which hall pulse is the zero index.

William D. Jones replied to Tube❄️Time

@tubetime The ST-412 has an NCR 6500/1. This was also used in the Amiga keyboard controller.

There's a schematic floating around from the Amiga ppl for a circuit which dumps out a 6500/1's internal ROM. I still have the 6500/1 off my dead ST-412, but haven't gotten around to making the dumper yet.

Wonder if a similar circuit could be used for R6518...

Tube❄️Time replied to William D. Jones

@cr1901 i found this: e4aws.silverdr.com/hacks/6500_ but it seems to be for the Commodore version of the 6500/1

Lee Cremeans replied to Tube❄️Time

@tubetime @cr1901 I *think* the NCR and Rockwell versions of the 6500/1 were identical to the Commodore version (since that's why Seagate could swap between them so easily).

Tube❄️Time replied to William D. Jones

@cr1901 also i think the st-412 (at least one version) also uses an external EPROM which has been dumped and is on bitsavers.

ShutterBugged replied to Tube❄️Time

@tubetime whatever happened to the capsoff people who used to dump arcade maskroms/maskrom microcontrollers? are they still around anywhere?
