the other problem (01290200) is more concerning and will need a logic analyzer.
Top-level
170 comments
@nroach44 i have some and tried them but the flex cable part is too stiff and was making it hard to type @tubetime ah that's fair. I'm thinking when I get around to needing them I'll include them in the debug board so you just connect the 40pin cables straight on hmm, so during a read operation, the data is never driven onto the bus (the output stays pulled up to FFFF). looks like the MADE24 line is staying low? that's weird. let me try making the logic ignore it. oh! now the card is putting data onto the bus! the "test1" channel is the data direction for the 74lvc4245 buffers showing that they are transferring data from the card to the host PC. wow, it actually works, i'm able to write a value to the simple register and read it back. this is a HUGE step forward. i'll need to figure out what is up with the MADE24 line. could be that the pin doesn't actually do that. the HDD pinout is one that i reverse engineered a while back, so it might be a mistake. this could also explain the damage to the PC, perhaps the card tried to write to the data bus when it was not supposed to and damaged the output drivers of some other chip. huh, the "MADE24" line is controlled by bit 7 of register 96. I wonder what that is. lol, this is the active high CHRESET! i was wondering why that line seemed to be missing. moving on to the Teensy interface. i had to choose the IO pins carefully so i can make a 16-bit parallel IO port. @fozztexx it's because DBA-ESDI is also inherently 16-bit. weird, but i must say that 256-word sectors is actually kinda satisfying. got the Teensy interface up and running. i'm using direct IO port access on the Teensy 4.1. take a look at core_pins.h in the Teensy header files. basically you can read from GPIOx_PSR and write to GPIOx_DR. i also had to add a short delay to create some setup time for the FPGA--the Teensy 4.1 is a hair too fast lol bidirectional registers now work! i can write a command from the PC to the Teensy, and i can write a response from the Teensy and read it from the PC. there are also status flags showing when new data is available. it may not seem like much, but this is huge progress. excellent progress today. I've been able to implement the "Get Diagnostic Status" command. it transfers the command block and handles the returning status block as well as the flags and interrupts. best of all, it works on real hardware using my diagnostic program! Great progress! But help out simpleton me, I've lost track of what you are doing. Is this still part of reverse engineering things to get a SnarkBarker to work on the expansion port?? Or an entirely different project? @darryl_ramm it is a solid state replacement HDD that works with the weird IBM DBA-ESDI protocol (similar in concept to IDE) @tubetime Cool, I would love to get a 701 butterfly. Had one for years at work. OK why does pin 1 start halfway down the edge of this chip??? my best guess is that the die is rotated to a 45 degree angle. anyway i want to dump the contents so i can analyze the drive firmware. @tubetime I’ve always wondered about that. I think your intuition is accurate since that would allow a smaller package size from less area outside the die needed to route to the external pads. now i'm knee deep in Ghidra listings. this code probably runs the entire hard drive, not just the host interface. Meme image: good news bad news.jpg I have mainly reverse engineered things with user interfaces, so there’s always strings I can work backwards from. Doing something like a hard drive controller is playing the game on extra hard mode. this sort of reverse engineering is very much like solving a challenging puzzle. you push and push until you can deduce something based on what you already know, then you pivot, taking that new knowledge and pushing on that until you learn even more. so last night I identified the power on self test routines by inspection. it's not too hard to identify a checksum routine or a memory test routine. this helped me fill in the memory map. also, the POR test function stores the results at a particular memory location, and the codes match up with the POR error codes in the DBA-ESDI spec! the next step is to search the whole ROM for any instructions that read this memory location--this should identify the functions that generate the status block. drive firmware is turning into a bit of a slog so i switched over to the IBM BIOS. having a spec is nice, but the code will cover a bunch of corner cases. @tubetime Out of curiosity, does the newer IBM BIOS have any similarity to the original IBM PC AT BIOS that they published in the AT Tech Reference from March 1984? Wondering if they ever did a full rewrite at some point. http://bitsavers.trailing-edge.com/pdf/ibm/pc/at/1502494_PC_AT_Technical_Reference_Mar84.pdf managed to reverse engineer enough that I was able to read the defect map out of one of the original hard drives. sounds easy but the process uses DMA. @tubetime I've lost count of the things I've done that "sounds easy but the process uses DMA." working through a nasty timing hazard with the mailbox flags on the command port. sometimes you write data and the "data available" flag never gets set. so now i am digging through the logic that yosys generated to see if it even makes sense. having good test programs is important. here's the status interface register dropping values. the Teensy program is just writing an incrementing number, and the diagnostics program is checking for gaps. @tubetime It's at least so common that the Altium footprint generator has an option for it, although I have never seen it in the wild on any chip sp far. @tubetime A lot of early quad SMD packages numbered starting in the middle of the "top" side, and that was purely a (dumb) thing done by package vendors, and dice were always still mounted orthogonally. (or perhaps _almost_ always) @tubetime Isn't MADE24 supposed to stay low for another four and a half months? @tubetime Is that photo from an Agilent scope screen? If yes, which scope are you using? @tubetime Ah, a dedicated 68 channel 350MHz state logic analyser. "state data rates up to 1.4 Gb/s". Looks cool expensive. Can't even find a price online. My Saleae is far away from that. @tubetime how did you get past it, if the computer's hardware is now borked? |
yes, i made a dedicated interposer/extender board just to help with the logic analyzer connections. it's called the Fing Longer (a reference to Futurama).