This part focuses on the analysis of the firmware that I have done so far, in order to fix a few issues I encountered in my unit, as described in the previous part.
It will be updated as I make progress on disassembling and understanding the firmware.
Original Firmware
The original firmware in my unit is the version "2060048 SPECIAL WB68".
Here are the 3 EPROM images dumped from it:
Modified Firmware
The current version of the firmware I run on my device is the following:
I have fixed a few issues of the original firmware, but not all of them:
- the power meter works (with a very quick calibration for now),
- the 160 MHz offset on startup is gone, but the Offset light stays on (until I manually clear the frequency offset values),
- the 5 digits displayed on startup are not fixed either.
Disassembling the firmware
f9dasm
At first I used f9dasm to disassemble the firmware. It does the job but is seriously limited.
Nonetheless, here is the result of this first attempt:
In this file I only identified a handful of routines. The interesting part starts at address 0x5F19, which is the address the CPU jumps to after a RESET (as configured in the interrupt vector table at the very end of the address space, namely addresses [0xFFF2:0xFFFF]).
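As an added example (not part of the original post or its disassembly output), here is a small Python helper that reads that vector table from a dumped image and flags entries that do not point into the ROM. The table layout is the standard MC6809 one, the 0x5F19 RESET target is the one from the post, and the 0x4000 ROM window and 0x6ABC IRQ handler are assumed sample values.

```python
# Added example (not from the original post): read the MC6809 interrupt
# vector table from the top of a 64 KiB address-space image and check that
# each vector lands inside the area the EPROMs actually cover.
# The table layout is the standard MC6809 one; the 0x5F19 RESET target
# comes from the post, every other value below is a constructed sample.
import struct

# Vector name -> address of its 16-bit big-endian entry (MC6809 data sheet).
VECTORS = {
    "SWI3":  0xFFF2,
    "SWI2":  0xFFF4,
    "FIRQ":  0xFFF6,
    "IRQ":   0xFFF8,
    "SWI":   0xFFFA,
    "NMI":   0xFFFC,
    "RESET": 0xFFFE,
}

def read_vectors(image: bytes, base: int = 0) -> dict:
    """Return {name: target} for an image mapped at `base` (0 = full 64 KiB)."""
    out = {}
    for name, addr in VECTORS.items():
        off = addr - base
        if off < 0 or off + 2 > len(image):
            raise ValueError(f"{name} vector at {addr:#06x} lies outside the image")
        (out[name],) = struct.unpack_from(">H", image, off)
    return out

def check_vectors(vectors: dict, rom_lo: int, rom_hi: int) -> dict:
    """True for vectors pointing into [rom_lo, rom_hi]; 0x0000/0xFFFF count
    as blank (erased EPROM / unused slot) and are reported as suspect."""
    return {n: t not in (0x0000, 0xFFFF) and rom_lo <= t <= rom_hi
            for n, t in vectors.items()}

def build_sample_image() -> bytes:
    """Constructed 64 KiB image: 0xFF fill, RESET -> 0x5F19 (from the post),
    IRQ -> a made-up 0x6ABC handler, NMI left blank (0xFFFF)."""
    img = bytearray(b"\xff" * 0x10000)
    struct.pack_into(">H", img, 0xFFFE, 0x5F19)
    struct.pack_into(">H", img, 0xFFF8, 0x6ABC)
    return bytes(img)

if __name__ == "__main__":
    v = read_vectors(build_sample_image())
    ok = check_vectors(v, 0x4000, 0xFFFF)   # assumed ROM window, not from the post
    for name in VECTORS:
        print(f"{name:5s} -> {v[name]:#06x} {'ok' if ok[name] else 'SUSPECT'}")
```

Running it on a real dump immediately tells you where to start disassembling and whether the other handlers are populated at all.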
radare2
Then I discovered radare2, which is an awesome tool. When I first tried to use it, it had no complete and proper support for the MC6809, so I had to write my own version of the architecture support, including ESIL support (unfortunately I never took the time to finish the work and submit it upstream; I may try to finish this in the next few months).