Thread: HEX study!!! More info needed!!!

  1. #1
    Join Date: Mar 2002
    Location: Romania
    Posts: 73
    Hello to all interested!

    Here is some info about the HEX. Maybe someone can check this out and confirm if it's ok or I made a mistake somewhere.

    The PIC uses PORTA bit 0 and 1 for transmission control with the PC and PORTB bits 0-3 for reading data from PC and bits 4-7 for sending back data to PC.

    In dex0, after the program starts, it expects the sequence:
    0x5, 0xA, comm
    from PC, where comm is 1, 2 or 3.
    - for 1 it expects another command that can be 2, 3, 4
    - for 2 it expects 1, 2, 3, 4, 5, 6, 7 or 8
    - for 3 it expects 1, 2, 3, 4 or 5

    The 5, A, 3 command seemed the most interesting. Its subcommands do something like this:
    1 (076F) - writes to the PC 10 bytes of info, 4 taken from hex data at address 000A (1, 2, 0x13, 0x89) - someone said this could be the hex version - and 6 bytes from EEPROM starting at address 0x78, with the third and fourth value complemented.
    2 (04EA) - reads from PC 4 bytes with a length and then length groups of 4 bytes from which a control value is calculated. After this it sends the control value (4 bytes) back to PC normally, complemented, and 4 zeros.
    3 (06F2) - reads from PC 12 values, does some heavy processing on them (maybe algo!!!) and writes them back to PC.
    4 (0715) - reads 12 values from PC, does some processing (some EEPROM values are involved this time) and writes them back to PC.
    5 (0792) - reads from PC 4 bytes that contain an EEPROM address, a value and a check. If the check is OK it writes the value to EEPROM.
    All values sent to PC are followed by a 1 byte XOR checksum.

    This is what I found so far. Maybe someone can help me further. What I don't know is the protocol used by the PC to communicate with the box. If someone has tried to reverse that, it would be very helpful!! If we knew what values are sent to the box it would be easier.

    I will try (when I have some time) to make a small emulator of the PIC capable of running the hex and will try to feed it some values to see what it does, but this will be just a shot in the dark without some actual values.

    All the best,
    ldril

  2. #2
    What program did you use to disassemble the hex?

    Bye

  3. #3
    I used this program found on the net.

    ldril

  4. #4
    And here is the compiled version... just run pic14dis dex0.hex > dex0.asm

  5. #5

  6. #6
    This is the hex disassembled. It's a little hard to read since it uses numbers for all registers (I didn't have time to modify the disassembler). The second file is the same except for a small subroutine at the end used to initialize the EEPROM with some values:
    from 0x78: A5 5A 5A A5 00 00
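    As an added example (not code from the thread or from the box's software), here are small Python framing helpers for the exchange ldril describes in posts #1 and #6: the 5, A, comm, sub handshake, the reply to 5 A 3 1 (hex id bytes, 6 EEPROM bytes from 0x78 with the third and fourth complemented) and the trailing XOR byte. It assumes the XOR trailer covers only the payload bytes and that the handshake bytes are sent in the order written; both are assumptions, not confirmed by the thread.

```python
# Added example, not code from the thread: framing helpers for the dex0
# PC <-> PIC exchange as ldril described it. Assumptions: the XOR trailer
# covers only the payload bytes, and the PC sends 5, A, comm, sub in order.

HANDSHAKE = bytes([0x05, 0x0A])                 # first two bytes the PIC waits for
HEX_ID = bytes([0x01, 0x02, 0x13, 0x89])        # 4 bytes at hex address 000A
EEPROM_DEFAULT = bytes([0xA5, 0x5A, 0x5A, 0xA5, 0x00, 0x00])  # EEPROM 0x78..0x7D
SUBCOMMANDS = {1: range(2, 5), 2: range(1, 9), 3: range(1, 6)}  # valid subs per comm


def xor_checksum(data: bytes) -> int:
    """1-byte XOR checksum that trails every value block sent to the PC."""
    c = 0
    for b in data:
        c ^= b
    return c


def build_command(comm: int, sub: int) -> bytes:
    """PC -> PIC: handshake, main command (1, 2 or 3), then the subcommand."""
    if comm not in SUBCOMMANDS or sub not in SUBCOMMANDS[comm]:
        raise ValueError(f"subcommand {sub} is not valid for command {comm}")
    return HANDSHAKE + bytes([comm, sub])


def build_info_reply(eeprom: bytes = EEPROM_DEFAULT) -> bytes:
    """PIC -> PC reply to 5,A,3,1: hex id, 6 EEPROM bytes with the 3rd and
    4th complemented, then the XOR trailer (11 bytes in total)."""
    ee = bytearray(eeprom[:6])
    ee[2] ^= 0xFF
    ee[3] ^= 0xFF
    payload = HEX_ID + bytes(ee)
    return payload + bytes([xor_checksum(payload)])


def parse_info_reply(frame: bytes) -> tuple[bytes, bytes]:
    """Verify the trailer and undo the complement, returning
    (hex_id, eeprom_bytes_as_stored). Raises ValueError on a bad frame."""
    if len(frame) != 11:
        raise ValueError(f"expected 11 bytes, got {len(frame)}")
    payload, trailer = frame[:10], frame[10]
    if xor_checksum(payload) != trailer:
        raise ValueError("XOR checksum mismatch")
    ee = bytearray(payload[4:])
    ee[2] ^= 0xFF
    ee[3] ^= 0xFF
    return bytes(payload[:4]), bytes(ee)


if __name__ == "__main__":
    frame = build_info_reply()   # with the default EEPROM image from post #6
    print(frame.hex(" "), "->", parse_info_reply(frame))
```

With the EEPROM defaults from post #6 the reply on the wire would be 01 02 13 89 A5 5A A5 5A 00 00 followed by the XOR byte 99, which the parser turns back into the stored A5 5A 5A A5 00 00.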

  7. #7
    Mate, this stuff is excellent, but I do not understand asm very well. Any idea where I can download the instruction set reference for this PIC?
    Thanks
    outerc0re

  8. #8
    Here it is:

    http://www.microchip.com/download/lit/pline/picmicro/families/16ce62x/40182c.pdf

    Everything about the pic.

    Some other important addresses are:

    01B8 - reads a byte from eeprom from address in register 70
    01D4 - writes to eeprom, at address in register 70 the value from reg 71
    0541 - reads a whole byte from portb (as two nibbles)
    0571 - writes a whole byte to portb (as two nibbles)

    I forgot that the sources for dejan soft are available. When I have some time I'll look into them as well and try to combine the information. If someone has already done this thing it would be helpful to share it here...

  9. #9
    Correction!

    0x541 - Scramble memory location from 68 to 6F f(EE[7C],EE[7D]);

  10. #10
    @Oxo Boxo
    You're right. I misread the address. The correct one for read byte is 0x55C, the next routine.
