Re: Cracking the 9010A ROM signature generator

From: Kev <KKlopp_at_erols.com>
Date: Mon Jun 10 2002 - 20:24:49 EDT

<x-html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD W3 HTML//EN">
<HTML>
<HEAD>

<META content=text/html;charset=iso-8859-1 http-equiv=Content-Type>
<META content='"MSHTML 4.72.3612.1706"' name=GENERATOR>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>John,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>I'd love to get a copy of that workbook but I
definitely cann't absorb a 12 MB e-mail.&nbsp; You could pull down the 9100
manuals &amp; just leave a note to request those if someone needs them, after
all who the heck needs those?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>Thanks,</FONT></DIV>
<DIV><FONT face=Arial size=2>Kev</FONT></DIV>
<BLOCKQUOTE
style="BORDER-LEFT: #000000 solid 2px; MARGIN-LEFT: 5px; PADDING-LEFT: 5px">
    <DIV><FONT face=Arial size=2><BR><BR>&nbsp;</DIV></FONT><FONT
    face="Arial, Helvetica">More on this - reading the 9010A Troubleshooting
    Seminar - Student Workbook # 805663 (1985), I find a reference to Rom
    Signatures. &quot;To develop a ROM signature, the data is 'compressed' into
    a 4 digit hexadecimal number by passing all the ROM data through a
    <I>two-stage CRC type</I> (this is new info for us!) of signature
    algorithm&quot;<BR><BR>I recommend that any student of the 9010A print this
    booklet out and read it thoroughly. I am constantly finding neat tid-bits
    that are not nearly as well covered in the Operators Manual. For example -
    how the probe interfaces with the UUT. If you use the synchronize function
    then the probe ONLY shows activity during valid Read/Write periods. Also the
    Probe pulse can be synchronized with the R/W.<BR><BR>A lot of other useful
    training is there.<BR><BR><A href="ftp://www.flippers.com/Fluke" eudora =
    autourl>ftp://www.flippers.com/Fluke</A> <BR><BR>I can send copies of the
    Workbook to anyone that needs one. I believe it is about 12 megs....My space
    is limited on my server <BR><BR>John :-#)#<BR><BR>
    <BLOCKQUOTE class=cite cite type = cite>Further digging, and watching
        the Fluke 9010 Training video (Fluke 9010Training1.RM minutes 40 - 46)
        leads me to believe that this is a mathematical function called a
        Pseudorandom Binary Sequence. It looks to me as if Fluke adopted HP's
        Signature standard of a sixteen-bit register with the feedback form of
        X(16) + X(12) + X(7) + 1.&nbsp; (One of 2048 possible feedback taps, the
        computer industry uses CRC-16 X(16) + X(15) + X(2) + 16 or CCITT-16
        X(16) + X(12) + X(5) + 1 commonly... ) A bit hairy to dig out of the
        code I am sure!<BR><BR>I think this work is done in the base unit, the
        pod just streams the data into it.<BR><BR>I believe that they use a
        software PBSC generator that takes each BIT and pushes it through the
        sixteen-bit register (above)... I wonder if this is similar to how
        ROMIDENT works?<BR><BR>So now I am looking at making a simple Fluke
        Checksum program to run like
        this:<BR>----------------------------------------------------------------------<BR>Display
        - Checksum Test - Select Range<BR>Display - Beginning of
        ROM<BR>Dis...&nbsp;&nbsp;&nbsp; -&nbsp; End of ROM<BR><BR>Begin&nbsp;
        (Label 1)<BR>Go to 1st ROM location<BR>Add ROM byte to data memory
        location<BR>Increment ROM address by 1<BR>Is this &gt; End of ROM?<BR>If
        not then goto Begin<BR><BR>Display Checksum (read Data memory
        location)<BR>END<BR>-----------------------------------------------------------------<BR><BR>At
        the moment I don't know how to take a Byte of data and add it to the
        previous one (Within the Fluke script). Have a simple script that asks
        for the beginning and ending address, then chugs through the ROM...just
        haven't figured out the additive (in the Checksum meaning) process with
        Fluke Script.<BR><BR>Any suggestions?<BR><BR>John
        :-#)#<BR><BR><BR><BR>At 05:50 PM 11/08/01, you wrote:<BR>
        <BLOCKQUOTE class=cite cite type = cite>The signature (I can't call
            it a checksum..;-) is the same no matter where the memory location
            is (tried 0000 &amp; 0001, then 0154 &amp; 0155 for example-same
            results) with a 6800 pod on a different test bed (Heathkit 6800
            trainer) and 9010A (shop) base unit.<BR><BR>The first results were
            with a 6802 pod on an old Heathkit 6802 trainer and my 9010A that is
            at home.<BR><BR>Looks to me like the process is something like this,
            take the 8 bit byte, reverse the last four bits order and exchange
            it with the first four bits. Add a 1 to the least significant bit if
            odd... Shall dig around some more and try other
            combinations.<BR><BR>The Operators Manual states:<BR><BR>&quot;Rom
            Signature is a four-digit HEXADECIMAL number that is a shorthand
            representation of the data obtained in an area of ROM memory. The
            ROM signature is obtained by successively dividing the data in ROM
            by a binary number (they DON't say what the @!$%#$@% number is! -
            JR). The resulting signature identifies the data from which it is
            obtained, and provides a convenient way of&quot; (....blah blah, no
            other description of the process).&quot;<BR><BR>John :-#)#<BR><BR>At
            02:55 PM 11/08/01, you wrote:<BR>
            <BLOCKQUOTE class=cite cite type = cite>I've done some
                dissassembly on the code for both the pod and the base,
                and<BR>have to agree with David, whatever it was written in had
                an awful<BR>compiler! - It's not easy tracking down anything,
                since the code is so<BR>illogical!<BR><BR>the code in the pod is
                a little more understandable, but only just, and
                not<BR>understanding (yet) how the pod communicates to the UUT
                makes ot difficult<BR>to follow as well.<BR><BR>My next step in
                the attack on understanding the code is to try and create
                an<BR>emulator for the pod software, at least then I may be able
                to trap all of<BR>the reads/writes that communicate with the pod
                (I need to know this for a<BR>later project anyway!) -
                hopefully, seeing the data transfers may help
                gain<BR>understanding in how the entire thing works<BR><BR>from
                your examples, it certainly follows no checksum algorithm I know
                of,<BR>reversing the bit pattern either needs a lookup table
                (which I will check<BR>for in a minute) or some nasty
                calculations (which again, should be<BR>obvious!). I'm going to
                have another troll though the 48k of code looking<BR>for
                anything that may implement such things.<BR><BR>just out of
                interest, does the 6502 pod (or another 8 bit pod) generate
                the<BR>same checksum, and secondly, does it generate the same
                checksum for the same<BR>data at a different address
                ?<BR><BR><BR>&nbsp;To UNSUBSCRIBE from techtoolslist, send a
                message with &quot;UNSUBSCRIBE&quot; in the<BR>&nbsp;message
                body to: techtoolslist-request@flippers.com. Please direct
                other<BR>&nbsp;questions, comments, or problems to
                jrr@flippers.com.</BLOCKQUOTE></BLOCKQUOTE></FONT></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>

</x-html>
Received on Mon Jun 10 17:40:38 2002

This archive was generated by hypermail 2.1.8 : Tue Dec 02 2003 - 18:40:45 EST