Email or username:

Password:

Forgot your password?
Top-level
Tube❄️Time

someone's dumped the MOS version of this microcontroller using a clever circuit and a test mode. i don't know if it will work with the NCR version of the chip, however.

e4aws.silverdr.com/hacks/6500_

86 comments
Tube❄️Time replied to Tube❄️Time

let's see what happens when i throw the switch. it's putting 10V bursts on the reset pin, so i hope nothing gets damaged.

Tube❄️Time replied to Tube❄️Time

no luck, sadly. it's supposed to be clocking in a program over PORTC, but there appears to be output contention (see how the voltage levels on ch4 don't always make it to a logic high)

William D. Jones replied to Tube❄️Time

@tubetime Well, saves me the trouble of trying mine :P.

Tube❄️Time replied to Tube❄️Time

i'm not giving up. maybe it needs more clocks before bringing reset high. the datasheet says "at least 8"

Tube❄️Time replied to Tube❄️Time

oh that's interesting, the port C output is pulsing sometimes (and the data line doesn't get contention).

Tube❄️Time replied to Tube❄️Time

so the code that the exploit loads into RAM pulses the port C (all pins) with an LDA #$FF ; STA $82; KDA #$00; STA $82. the LDA is 2 cycles and the STA is 3 cycles. but the pin is high for 10 clock cycles...

Tube❄️Time replied to Tube❄️Time

OH! it has a clock divider on the input. so it's actually 5 CPU cycles. i think this exploit actually is running, but not consistently.

Tube❄️Time replied to Tube❄️Time

holy crap it is working, it's dumping real 6502 code

Tube❄️Time replied to Tube❄️Time

looks like the key finding is that i needed 2 more sets of clock cycles before bringing RESET up to 10V.

Tube❄️Time replied to Tube❄️Time

starting the disassembly process.

Tube❄️Time replied to Tube❄️Time

finished the disassembly process, more or less. you can read the commented source code here: github.com/schlae/HardDriveInf

Tube❄️Time replied to Tube❄️Time

and i learned some interesting things along the way. the drives have this weird set of resistors and driver chips tied to the stepper motor phases. it's for microstepping while in recovery mode!

Tube❄️Time replied to Tube❄️Time

the idea is that you assert a control pin that puts the drive in recovery mode, and it will try to read a track 15 times while shifting the head side to side very slightly. this is apparently only implemented in the ST-01 disk controller.

Tube❄️Time replied to Tube❄️Time

essentially all of the drives i've inspected do not actually have these components soldered down, so it must have been an uncommonly used feature that was removed to save cost.

Tube❄️Time replied to Tube❄️Time

another fun one is the empty space for an EPROM and a latch chip. these weren't used to store drive firmware (as i thought before) but they store a giant lookup table of microstep values *for each individual track* so you could presumably trim individual drives to avoid bad areas on a platter.

Tube❄️Time replied to Tube❄️Time

of course it controls the head position regardless of the physical platter, so it wouldn't really be helpful unless the drive only had a single platter in it. i've never seen an actual chip soldered in here and it was completely removed in later board revisions, so i guess they never fully implemented it.

F4GRX Sébastien replied to Tube❄️Time

@tubetime you got impressive knowledge from analysing these drives. It's unheard of. This will be so useful for anyone wanting to fix these drives, thank you so much for the full #retrocomputing community.

Tube❄️Time replied to Tube❄️Time

time to reverse engineer the platters themselves. what secrets can we find?

Tube❄️Time replied to Tube❄️Time

with this setup I can control the stepper from the Arduino without the drive's microcontroller interfering. then I can use the Saleae to digitize the data.

Tube❄️Time replied to Tube❄️Time

confirmed that there are two index tracks, one at track -2 (relative to user data starting on track 0) and another on track 616 (user data ending on track 614). the D2 square wave is directly from the hall effect sensor, 2 cycles per revolution. the D1 pulses are this signal divided by 2. MCU read data is the index signal as seen by the MCU after being processed with a one-shot.

Tube❄️Time replied to Tube❄️Time

here is a closeup. the raw MFM data shows a square wave of 5MHz for most of it, but there is a short section (4ms long) of 1.8MHz. the one-shot acts as a primitive data separator and the MCU can then detect this index marker and reset the hall effect divider flip flop.

Tube❄️Time replied to Tube❄️Time

now it gets a little strange. there seems to be a secret set of 17 hidden sectors on track -1.

William D. Jones replied to Tube❄️Time

@tubetime Dynamic CHS parameters for a programmable hard disk controller like the WDXT-GEN?

William D. Jones replied to Tube❄️Time

@tubetime I have a stalled project to RE the WDXT-GEN BIOS, because I got tired of it's shitty/uninformative error messages.

If you don't use one of the 4 hardcoded drive types, the BIOS will write your drive type (CHS, Write Precomp, Reduced WC, etc) to somewhere on the drive that's _not_ the data area.

It's not actually clear to me where the data is actually written, but IIRC, the "magic" value to provide to the controller is "write to track 0 with an out-of-bounds sector".

Tube❄️Time replied to Tube❄️Time

oops didn't mean to leave you hanging. turns out my track numbering is off by one. this is actually track 0 and it has regular MFM data on it. i wrote a quick-and-dirty routine to convert it and it just has regular WD1010-style headers for 17 sectors.

Tube❄️Time replied to Tube❄️Time

i made a table showing the layout on the platters themselves. only head 0 has the index marker tracks. there are 2 of them, one at track -1 and the other at track 617.

Tube❄️Time replied to Tube❄️Time

to allow your computer's HDD controller to park the heads, it lets you step past the user data area end track of 614 to go all the way in to track 670. theoretically, if you mistype the BIOS # of cyls, you could try to store data here and even overwrite the inner index track!

Tube❄️Time replied to Tube❄️Time

this will confuse the drive when it powers up. it'll eventually go find the index track on the outside edge, but only after an extended search sequence. you can't command the drive to step to track -1, so you can't overwrite that track.

Simon Frankau replied to Tube❄️Time

@tubetime I have loved this thread. While I've got into bit-level understanding of floppies before, hard disks have always been mysterious black boxes to me, and while at a logical level I understood they'd be something like this, this actual reversing has been a great way to remind myself they're not magic! Thanks.

Tube❄️Time replied to Simon

@sgf thanks! yes, it's easier to understand the older drives, but there's a steady, linear progression from then to modern drives.

Tube❄️Time replied to Tube❄️Time

trying to digitize the entire drive using the Saleae. one drawback is exporting as a CSV takes f o r e v e r

Andrew Zonenberg replied to Tube❄️Time

@tubetime CSV is a horrible interchange format (other than being supported by literally everything). Bulky, slow to parse, slow to generate, difficult to do random access in, etc.

But it's not going anywhere.

Tube❄️Time replied to Andrew

@azonenberg yeah I gave up, I'll try the digital format next

Andrew Zonenberg replied to Tube❄️Time

@tubetime This is why the native format for ngscopeclient is just float[] with some attached metadata in a yaml file lol.

I haven't looked at the saleae binary format. Is it documented somewhere? I should write an importer for it.

Tube❄️Time replied to Tube❄️Time

the real reason for all this is that there's data on this ST225N (SCSI version of the drive) on the right. I want this data.

I already tried a board swap but the SCSI version stores its firmware on track -1 and -2 instead of an index signal. my hacked board should be able to handle it, though.

Chuck replied to Tube❄️Time

@tubetime If its your "original bitcoin cold wallet with 2500 bitcoin" I'm gonna lose it 🙂

Tube❄️Time replied to Tube❄️Time

the design of the ST225N is essentially an ST225 but with the data separator and controller built in. they changed the microcontroller to an 8051, and stored a bunch of the firmware on some hidden tracks.

Tube❄️Time replied to Tube❄️Time

boards are swapped. now let's image the whole drive in about 175 seconds to a giant Saleae capture file!

John de Largentaye replied to Tube❄️Time

@tubetime Real Men™️ backup their data with a logic analyzer!

Tube❄️Time replied to Tube❄️Time

wrote a crappy python program to interpret MFM data, and it seems we have some sectors. they are using a different sector header format and there seems to be a lot of corrupted data.

Tube❄️Time replied to Tube❄️Time

there are a few sectors with the drive firmware (negative cylinders) but then there appears to be real data. "DOS" might be part of some partition table scheme.

Tube❄️Time replied to Tube❄️Time

the sector header might follow the format used by the Adaptec AIC-010 chip (which the ST-225N uses). wow, a 32-bit CRC. i wonder which one...

Tube❄️Time replied to Tube❄️Time

wow there is definitely data on this drive. i'm fudging the MFM decoding to try and skip over errors.

Ricardus replied to Tube❄️Time

@tubetime hopefully the data on that drive will reveal the secret of the Kennedy assassination. You are putting a lot of work in after all.

Jonas - 3j14 replied to Tube❄️Time

@tubetime is that an Android Arduino? No way this runs android (?)

Tube❄️Time replied to Jonas - 3j14

@nichtjonas it is a Mega 2560 that was custom made by Android back in 2011. it has a USB host interface that can connect to phones of that era. they were giving them away...

Go Up