133 comments
now i'm knee deep in Ghidra listings. this code probably runs the entire hard drive, not just the host interface. Meme image: good news bad news.jpg I have mainly reverse engineered things with user interfaces, so there’s always strings I can work backwards from. Doing something like a hard drive controller is playing the game on extra hard mode. this sort of reverse engineering is very much like solving a challenging puzzle. you push and push until you can deduce something based on what you already know, then you pivot, taking that new knowledge and pushing on that until you learn even more. so last night I identified the power on self test routines by inspection. it's not too hard to identify a checksum routine or a memory test routine. this helped me fill in the memory map. also, the POR test function stores the results at a particular memory location, and the codes match up with the POR error codes in the DBA-ESDI spec! the next step is to search the whole ROM for any instructions that read this memory location--this should identify the functions that generate the status block. drive firmware is turning into a bit of a slog so i switched over to the IBM BIOS. having a spec is nice, but the code will cover a bunch of corner cases. @tubetime Out of curiosity, does the newer IBM BIOS have any similarity to the original IBM PC AT BIOS that they published in the AT Tech Reference from March 1984? Wondering if they ever did a full rewrite at some point. http://bitsavers.trailing-edge.com/pdf/ibm/pc/at/1502494_PC_AT_Technical_Reference_Mar84.pdf managed to reverse engineer enough that I was able to read the defect map out of one of the original hard drives. sounds easy but the process uses DMA. @tubetime I've lost count of the things I've done that "sounds easy but the process uses DMA." working through a nasty timing hazard with the mailbox flags on the command port. sometimes you write data and the "data available" flag never gets set. so now i am digging through the logic that yosys generated to see if it even makes sense. having good test programs is important. here's the status interface register dropping values. the Teensy program is just writing an incrementing number, and the diagnostics program is checking for gaps. @tubetime got that all sorted out. it was a synchronization issue with the flags between the two interfaces. this is the "seek" command successfully completing! this is a *major* step since it requires 4 working mailboxes and interrupts. another important step today--i got the data port and data port mailbox flags working. it can also detect 8-bit vs 16-bit transfers. getting very close to working PIO transfers. nice! I managed to get PIO data transfers working well enough for the buffer test routine to pass. ok this is fantastic--I've managed to transfer my first actual sector! it's just using PIO and the data is not from a real filesystem, but this is another big step forward! @tubetime Almost makes you want to lovingly caress it's slightly sticky chemically degraded surface. 😉 DMA on Micro Channel is really hard. i'm running a bunch of simulations first, making adjustments to the logic as needed. so many moving parts. @tubetime I wonder if IBM expected you to use a special chip that did a lot of that for you. wow, got four bytes to transfer successfully over DMA! not sure why it got stuck after that. just ran the same test again and it transferred the whole sector over DMA!! so at least read transfers are working partially. writes just hang the machine after transferring half a sector. it's probably time for the logic analyzer. not sure why I always end up in front of a logic analyzer, but here we are. The logic analyzer from the perspective of the PCB: https://www.youtube.com/watch?v=nYPX-QQR9Tg several issues. this first issue, during a host to device write, holds the arbitration bus too long. it should release immediately after the second arb/gnt pulse had a theory and it reproduces in simulation. the transfer request flag isn't getting cleared soon enough. la_dma_selected is what can clear this flag and it is changed on the falling edge of cmd, which is too late to catch the ARB/GNT pulse. yes, that solves the crashing problem. but data isn't getting transferred correctly, so I've got more work to do. weirdly enough, it works the second try!!! something on the host was prematurely turning off DMA. maybe a bug in difdiag. @tubetime it’s been so long since this experiment started I forget what you’re trying to do! so the interrupt_detected flag is supposed to be set in the irq14 handler, and it is *supposed* to be set only when DMA is done. but somehow interrupt_detected is set without the IRQ handler ever being called! then the DMA operation is broken down prematurely. using the logic analyzer, i proved that the irq14 handler never gets called. the only code that *ever* sets the interrupt_detected flag exists in this handler. it's declared as a volatile so it can't be cached in a register. I wrote the flag value out to an unused IO port, 0x4F, so I can see it on the logic analyzer. a neat trick! so i don't know how this flag is getting set. my hack is to preemptively clear the flag right before starting DMA, and so far, it seems to be working. i think this code was "working" with the real ESDI drive because that one uses burst mode DMA and it finishes up very quickly, before the irq14wait routine can exit early. decided to look at the real drive. and guess what--it's not using burst mode. the POS registers have it turned off by default. it's also slow to read the data from the spinning disk, so IBM must have figured that it wasn't really necessary. @tubetime When you find yourself asking, "How did this ever work?" and it turns out the answer is "It didn't." now I'm reading up on accessing SD cards from the Teensy 4.1. looks like SdFat is the library? could it be so easy? @tubetime I've used that library before, yes it really is easy. You probably won't set any throughput records, but it was great for writing diagnostic logs that were later read back and uploaded. turns out it's easy but I had to reformat the SD card using the official sdcard.org utility. anyway, I've read the first sector from a real disk image! the BIOS runs faster than the DIFDIAG utility, and so it seems like it is hitting a timing problem that i didn't hit before. my drive code seems to randomly hang up and not respond correctly. it's occasionally getting a spurious end-of-interrupt command which is really odd and points to an issue with the mailboxes (again, sigh). but it's SO DARN CLOSE. it's transferring sectors from the IML region in the disk image. @tubetime What’s the end goal here, boot the laptop using a SD card that’s emulating a Micro Channel hard drive interface, via Teensy? @tubetime how does that even work? After the first iteration isn't the refresh bit always set, so it's stuck in an infinite loop if it never IRQs? @SteveSyfuhs oh sorry REFRESH_BIT is a macro that grabs an IO port bit that toggles with the DRAM refresh signal every 15us. @tubetime @Netux it's a solid state hard drive replacement that I'm designing. EE but I do some digital stuff too @tubetime I implemented PS/2 DMA in an emulator good enough to get a Sound Blaster working a while ago and god help us all @luigithirty nice, you didn't even have to get burst mode working 😉 @tubetime What is that yellow tape? See that sometimes on Electronics but don't know where to buy or whats special about it. |
@tubetime you don’t drink enough coffee. ;-)