Saturday, October 6, 2007

Set and Clear

Well, I finally dumped and disassembled the Set038 chip that is used to set up a PE+ machine that has had a battery replaced or just a bad data image.

This fairly simple program is also used to set up a denomination and choose if you have a bill acceptor attached.

I've been using this program to better understand what goes into the battery-backed RAM and how the CMOS is accessed.

After a lot of investigation in the code, I found that the CMOS is attached to address #9000 using an I2C bus as a communication mechanism. It appears that #9000 is a write-only address to affect (WC, SCL and SDA). Further analysis seems to point to #8000 bit 7 as the read bit for data and ACKs. The #8000 address is normally used for Output Bank A, but bit 7 is not documented in the operator screen as being used.

Based on schematics, and a visual look-over, I have an X2404P CMOS which can hold 512 bytes (4K-bits) of information.

I found some code that tests the integrity of the CMOS, etc., and commented it out in order to see what would happen. The screen above is the result. I am able to fully run the Set038 chip program in the emulator and simulate saving data to battery-backed RAM. The program fails if I don't comment out the block of code that tests the device. Tracing this particular dump has really helped me understand the inner workings of the CMOS communication.

My next step is to make it work without commenting out the section of code that verifies the CMOS, etc. This will require driver changes to simulate a 24C04 EEPROM.
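
As an added illustration (not code from the Set038 dump or from any emulator driver), here is a minimal 24C04-style I2C slave model of the kind such a driver change needs, with a small bit-banged master to exercise it. All names are hypothetical. Mapping the #9000 write bits and #8000 bit 7 onto `ee_lines` and `ee_sda` is assumed, since the post gives no bit positions; the 1010 device code, immediate writes and no page wrap are simplifications.

```c
#include <stdint.h>
#include <string.h>
enum { IDLE, DEVSEL, WORDADDR, WRDATA, READ };
typedef struct { uint8_t mem[512]; int scl, sda, out, state, next, bits, shift, addr; } ee24;
void ee_init(ee24 *e) { memset(e, 0, sizeof *e); memset(e->mem, 0xFF, 512); e->scl = e->sda = e->out = 1; }
/* Level on the shared SDA wire (open-drain AND): what the CPU's read bit would see. */
int ee_sda(const ee24 *e) { return e->sda & e->out; }
/* Added example, hypothetical names. Call on every change of the master's SCL/SDA. */
void ee_lines(ee24 *e, int scl, int sda) {
    if (e->scl && scl && e->sda != sda) {            /* SDA edge while SCL is high */
        e->state = sda ? IDLE : DEVSEL;              /* rising = STOP, falling = START */
        e->bits = e->shift = 0; e->out = 1;
    } else if (!e->scl && scl && e->state != IDLE) { /* SCL rising: slave samples SDA */
        if (++e->bits <= 8) e->shift = (e->shift << 1 | sda) & 0xFF;
        else if (e->state == READ && sda) e->state = IDLE;   /* master NACK ends a read */
    } else if (e->scl && !scl && e->state != IDLE) { /* SCL falling: slave updates SDA */
        if (e->bits == 8) {                          /* a full byte has been clocked */
            if (e->state == READ) e->addr = (e->addr + 1) & 0x1FF;
            else if (e->state == WRDATA) { e->mem[e->addr] = e->shift; e->addr = (e->addr + 1) & 0x1FF; }
            else if (e->state == WORDADDR) { e->addr = (e->addr & 0x100) | e->shift; e->next = WRDATA; }
            else if ((e->shift & 0xF0) != 0xA0) e->state = IDLE;   /* not our device code */
            else { e->addr = (e->addr & 0xFF) | (e->shift & 2) << 7; e->next = (e->shift & 1) ? READ : WORDADDR; }
        } else if (e->bits == 9) {                   /* ACK clock finished */
            if (e->state != READ) e->state = e->next;
            e->bits = e->shift = 0;
        }
        if (e->state == READ) e->out = e->bits < 8 ? (e->mem[e->addr] >> (7 - e->bits)) & 1 : 1;
        else e->out = !(e->state != IDLE && e->bits == 8);   /* pull SDA low to ACK */
    }
    e->scl = scl; e->sda = sda;
}

/* Minimal bit-banged master, standing in for the game program's I2C routines. */
static void m_start(ee24 *e) { ee_lines(e, 0, 1); ee_lines(e, 1, 1); ee_lines(e, 1, 0); ee_lines(e, 0, 0); }
static void m_stop(ee24 *e)  { ee_lines(e, 0, 0); ee_lines(e, 1, 0); ee_lines(e, 1, 1); }
static int m_clock(ee24 *e, int sda) {               /* one bit time; returns the wire level */
    ee_lines(e, 0, sda); ee_lines(e, 1, sda); int v = ee_sda(e); ee_lines(e, 0, sda); return v;
}
static int m_send(ee24 *e, int b) { for (int i = 7; i >= 0; i--) m_clock(e, b >> i & 1); return m_clock(e, 1); }
int ee_poke(ee24 *e, int a, int v) {                 /* byte write; returns 0 if every byte was ACKed */
    m_start(e); int nak = m_send(e, 0xA0 | (a >> 7 & 2)) || m_send(e, a & 0xFF) || m_send(e, v);
    m_stop(e); return nak;
}
int ee_peek(ee24 *e, int a) {                        /* random read: dummy write, re-START, read */
    int v = 0, p = a >> 7 & 2; m_start(e); m_send(e, 0xA0 | p); m_send(e, a & 0xFF);
    m_start(e); if (m_send(e, 0xA1 | p)) { m_stop(e); return -1; }
    for (int i = 0; i < 8; i++) v = v << 1 | m_clock(e, 1);
    m_clock(e, 1); m_stop(e); return v;              /* NACK the byte, then STOP */
}
```

An integrity test that probes for the device passes only if the model pulls SDA low on the ninth clock after a matching device-select byte, which is the ACK the post describes reading back.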

1 comment:

Stiletto said...

See this:

BTW, we're pretty impressed. :)