Re: Cracking the 9010A ROM signature generator

From: John Robertson <jrr_at_flippers.com>
Date: Wed Nov 07 2001 - 23:59:46 EST

<x-flowed>
Some early results...my math is just horrible so I'm going to need some
help here...
I hooked up the Fluke to some RAM and started generating a table, here are
the results of a two byte ROM signature with the first byte being fixed at
"00" and the second byte cycling from "00" to "1F":
0000 - 00/00 For location 00 & 01
0081 - 00/01 [0000 0000 0000 0001 gives 0000 0000 1000 0001] (note that odd ALWAYS has a 1 on the end)
0040 - 00/02 [0000 0000 0000 0010 gives 0000 0000 0100 0000] (note that mirrored bit)
00C1 - 00/03 [0000 0000 0000 0011 gives 0000 0000 1100 0001]
0020 [0000 0000 0000 0100 gives 0000 0000 0010 0000] (and so on....)
00A1
0060
00E1
0010
0091
0050
00D1
0030
00B1
0070
00F1 - 00/0F
0008 - 00/10
0089 - 00/11
0048 - 00/12
00C9 - 00/13
0028
00A9
0068
00E9
0018
0099
0058
00D9
0038
00B9
0078 - 00/1E
00F9 - 00/1F

And a few extras
93D0 - FF/00
9351 - FF/01
9390 - FF/02
9311 - FF/03
.....
93AF - FF/FE
932E - FF/FF

Any ideas? Note that the order is reversed for the bytes, so that 00/01
(0000-some unknown math function- 0001) creates 1000 0001, and 00/02
(0000-some unknown math...- 0010) yields 0100 0000. Note that if the
numbers are odd then the result is odd. Even gives even.

Help!!!

John :-#)#
At 06:08 PM 11/07/01, you wrote:
>Good luck, you'll need it! The code had to have been written
>in some crappy compiler like PL/M or something. It's a
>nightmare to try to unravel. To help you along, here's a
>starting point: The calculated 'checksum' signature is stored
>in location 0xF345 and 0xF346 once it has been calculated.
>I got to the point where I had to reverse engineer the command
>protocol between the mainframe and the pods, that's when
>I finally had to give up.
>
>Dave
>
>----- Original Message -----
>From: John Robertson <jrr@flippers.com>
>To: <techtoolslist@flippers.com>
>Sent: Wednesday, November 07, 2001 7:21 PM
>Subject: Cracking the 9010A ROM signature generator
>
>
> > I give up, I am way too frustrated by this stupid signature crap so I am
> > going to dive into my 9010 and see if I can figure out how it is doing it.
> > I first have to figure out if it is in the pod or the base unit, when the
> > signature is being generated I see lots of activity on the pod data bus,
> > so I am assuming the process is handled inside the stupid base. I am going
> > to also see if I can figure out mathematically the difference between the
> > fluke signature and the regular checksum by reading a small bit of data and
> > then doing a checksum on the same bit of data, then extrapolating it from
> > there. I suspect that the unit is taking each data line and adding it up,
> > then the next data line...and summing them all together or in series. Gah.
> > Digging into it tonight, perhaps I can report out later this evening what I
> > find.
> >
> > Any suggestions? I am NOT an assembly language person...I can read it a
> > bit, I understand the process, but I have not programmed with the stuff
> > more than a few lines.
> >
> > If someone wants to disassemble the ROM in the base unit, the images are on
> > ftp://www.flippers.com/public and I found a nice Z80 disassembler called
> > DZ80 http://www.inkland.demon.co.uk/dz80/index.htm heh, heh...
> >
> >
> > John :-#)#
> >

</x-flowed>
Received on Wed Nov 07 21:57:14 2001
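
An added example (not part of the original message, and not Fluke's algorithm): a Python check of the readings posted above against two hypotheses, that the 00/xx signature is the mirrored byte XORed with its own low bit, and that the signature is linear over GF(2), as a zero-seeded shift register with XOR feedback would be. The function names are hypothetical; the only data used are the values in the message.

```python
# Signatures from the message for byte pairs 00/xx, xx = 0x00..0x1F, in posted order.
ZERO_FIRST = [
    0x0000, 0x0081, 0x0040, 0x00C1, 0x0020, 0x00A1, 0x0060, 0x00E1,
    0x0010, 0x0091, 0x0050, 0x00D1, 0x0030, 0x00B1, 0x0070, 0x00F1,
    0x0008, 0x0089, 0x0048, 0x00C9, 0x0028, 0x00A9, 0x0068, 0x00E9,
    0x0018, 0x0099, 0x0058, 0x00D9, 0x0038, 0x00B9, 0x0078, 0x00F9,
]
# The "few extras" from the message: byte pairs FF/xx.
FF_FIRST = {0x00: 0x93D0, 0x01: 0x9351, 0x02: 0x9390, 0x03: 0x9311,
            0xFE: 0x93AF, 0xFF: 0x932E}


def bitrev8(b):
    """Mirror the 8 bits of b (bit 0 <-> bit 7, and so on)."""
    return int(f"{b:08b}"[::-1], 2)


def model(b):
    """Hypothesis fitted to the table: mirrored byte XOR the byte's low bit."""
    return bitrev8(b) ^ (b & 1)


def model_mismatches():
    """Second-byte values in the 00/xx table that the hypothesis gets wrong."""
    return [b for b, sig in enumerate(ZERO_FIRST) if model(b) != sig]


def is_linear(table):
    """True if sig(a ^ b) == sig(a) ^ sig(b) for every pair in the table."""
    n = len(table)  # 32 entries, so a ^ b always stays inside the table
    return all(table[a ^ b] == table[a] ^ table[b]
               for a in range(n) for b in range(n))


def ff_offsets():
    """If the second byte contributes linearly, FF/xx ^ model(xx) is one constant."""
    return {sig ^ model(b) for b, sig in FF_FIRST.items()}


if __name__ == "__main__":
    print("00/xx mismatches:", model_mismatches())
    print("00/xx table linear over GF(2):", is_linear(ZERO_FIRST))
    print("FF/xx offsets:", [f"{o:04X}" for o in ff_offsets()])
```

Every FF/xx reading reduces to the same offset as FF/00, including FF/FE and FF/FF, so the odd-byte term is an XOR rather than an OR and the first byte's contribution is independent of the second.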
