Conversation

Notices

1. Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:22 JST Tube🌞Time

   I'm tinkering with some old hard drives, like this ST-251.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:46 JST Tube🌞Time

     in reply to

     track -2 contains the same 32 sectors on all heads. it seems to be 8051 code (02 is the LJMP instruction). i'm guessing this is the main drive operating code.

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 28-Aug-2024 01:55:46 JST Foone🏳️‍⚧️

     in reply to

     @tubetime it's 8052? this is my surprised face

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:47 JST Tube🌞Time

     in reply to

     looks like this came out of an Apple system. this is on track 0 which is user data.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:47 JST Tube🌞Time

     in reply to

     track -1, head 0, sector 19 contains the drive serial number as ASCII text. interesting.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:47 JST Tube🌞Time

     in reply to

     and we've got copyright text at track -1, head 0, sector 0.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:48 JST Tube🌞Time

     in reply to

     i've got another ST-225N to try and extract firmware from. the board was apparently dead, but eventually i might try it out with my other ST-225N logic board (i hope it still works)

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:48 JST Tube🌞Time

     in reply to

     just have to move this hacked up ST-225 logic board over. it's cabled to an Arduino that runs the stepper motor so i can get to the hidden tracks.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:48 JST Tube🌞Time

     in reply to

     it spins up and i've captured the negative tracks! (the Marker bit is a signal pulsed by the Arduino when it changes tracks or heads. it just cycles through all the heads in order, then goes to the next track)

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:49 JST Tube🌞Time

     in reply to

     i'm trying to correlate the drive's data output (valid on the rising edge, each pulse has a fixed width) with the analog data. it seems to have a delay of about 180ns caused by the analog filter and the propagation through the comparator.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:49 JST Tube🌞Time

     in reply to

     going to dump the drive firmware for the ST-225N's 8051 microcontroller. this has never been dumped before. this firmware reads additional firmware off the platter, but i've already dumped that data.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:49 JST Tube🌞Time

     in reply to

     well that was easy!

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:50 JST Tube🌞Time

     in reply to

     i decided to try and get a better read of the firmware tracks (-1 and -2 on all the heads). this time i'm capturing analog data from the drive's test points.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:50 JST Tube🌞Time

     in reply to

     not all the surfaces have a good amplitude. this could explain some of the issues i was having. (channel 2 has a pulse whenever the head changes.)

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:50 JST Tube🌞Time

     in reply to

     anyway this analog signal comes off the drive's analog test points (circled). this signal comes after the differentiator (IC 9E1) and the first stage analog filter, but before the second stage filter.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:51 JST Tube🌞Time

     in reply to

     so even though this disk image is probably irrecoverable, i want to learn as much as a can. this drive was from the Amiga Comspec, and i want to see if i can figure out how to replicate the disk layout. this segment here is from the Kickstart disk.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:51 JST Tube🌞Time

     in reply to

     well now i feel a bit stupid. this thread from a few years ago includes links to disassembled drivers and ROMs, as well as a sample disk image.

     https://eab.abime.net/showthread.php?t=89982&page=2

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:52 JST Tube🌞Time

     in reply to

     trying to capture more of the drive image to a binary. we'll see how it goes.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:52 JST Tube🌞Time

     in reply to

     hmm there's some funny stuff in here.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:53 JST Tube🌞Time

     in reply to

     there are a few sectors with the drive firmware (negative cylinders) but then there appears to be real data. "DOS" might be part of some partition table scheme.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:53 JST Tube🌞Time

     in reply to

     the sector header might follow the format used by the Adaptec AIC-010 chip (which the ST-225N uses). wow, a 32-bit CRC. i wonder which one...

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:53 JST Tube🌞Time

     in reply to

     wow there is definitely data on this drive. i'm fudging the MFM decoding to try and skip over errors.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:54 JST Tube🌞Time

     in reply to

     the design of the ST225N is essentially an ST225 but with the data separator and controller built in. they changed the microcontroller to an 8051, and stored a bunch of the firmware on some hidden tracks.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:54 JST Tube🌞Time

     in reply to

     boards are swapped. now let's image the whole drive in about 175 seconds to a giant Saleae capture file!

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:54 JST Tube🌞Time

     in reply to

     wrote a crappy python program to interpret MFM data, and it seems we have some sectors. they are using a different sector header format and there seems to be a lot of corrupted data.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:55 JST Tube🌞Time

     in reply to

     trying to digitize the entire drive using the Saleae. one drawback is exporting as a CSV takes f o r e v e r

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:55 JST Tube🌞Time

     in reply to

     the real reason for all this is that there's data on this ST225N (SCSI version of the drive) on the right. I want this data.

     I already tried a board swap but the SCSI version stores its firmware on track -1 and -2 instead of an index signal. my hacked board should be able to handle it, though.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:56 JST Tube🌞Time

     in reply to

     oops didn't mean to leave you hanging. turns out my track numbering is off by one. this is actually track 0 and it has regular MFM data on it. i wrote a quick-and-dirty routine to convert it and it just has regular WD1010-style headers for 17 sectors.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:56 JST Tube🌞Time

     in reply to

     i made a table showing the layout on the platters themselves. only head 0 has the index marker tracks. there are 2 of them, one at track -1 and the other at track 617.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:56 JST Tube🌞Time

     in reply to

     to allow your computer's HDD controller to park the heads, it lets you step past the user data area end track of 614 to go all the way in to track 670. theoretically, if you mistype the BIOS # of cyls, you could try to store data here and even overwrite the inner index track!

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:56 JST Tube🌞Time

     in reply to

     this will confuse the drive when it powers up. it'll eventually go find the index track on the outside edge, but only after an extended search sequence. you can't command the drive to step to track -1, so you can't overwrite that track.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:57 JST Tube🌞Time

     in reply to

     here is a closeup. the raw MFM data shows a square wave of 5MHz for most of it, but there is a short section (4ms long) of 1.8MHz. the one-shot acts as a primitive data separator and the MCU can then detect this index marker and reset the hall effect divider flip flop.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:57 JST Tube🌞Time

     in reply to

     now it gets a little strange. there seems to be a secret set of 17 hidden sectors on track -1.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:58 JST Tube🌞Time

     in reply to

     time to reverse engineer the platters themselves. what secrets can we find?

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:58 JST Tube🌞Time

     in reply to

     with this setup I can control the stepper from the Arduino without the drive's microcontroller interfering. then I can use the Saleae to digitize the data.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:58 JST Tube🌞Time

     in reply to

     confirmed that there are two index tracks, one at track -2 (relative to user data starting on track 0) and another on track 616 (user data ending on track 614). the D2 square wave is directly from the hall effect sensor, 2 cycles per revolution. the D1 pulses are this signal divided by 2. MCU read data is the index signal as seen by the MCU after being processed with a one-shot.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:59 JST Tube🌞Time

     in reply to

     another fun one is the empty space for an EPROM and a latch chip. these weren't used to store drive firmware (as i thought before) but they store a giant lookup table of microstep values *for each individual track* so you could presumably trim individual drives to avoid bad areas on a platter.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:55:59 JST Tube🌞Time

     in reply to

     of course it controls the head position regardless of the physical platter, so it wouldn't really be helpful unless the drive only had a single platter in it. i've never seen an actual chip soldered in here and it was completely removed in later board revisions, so i guess they never fully implemented it.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:00 JST Tube🌞Time

     in reply to

     and i learned some interesting things along the way. the drives have this weird set of resistors and driver chips tied to the stepper motor phases. it's for microstepping while in recovery mode!

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:00 JST Tube🌞Time

     in reply to

     the idea is that you assert a control pin that puts the drive in recovery mode, and it will try to read a track 15 times while shifting the head side to side very slightly. this is apparently only implemented in the ST-01 disk controller.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:00 JST Tube🌞Time

     in reply to

     essentially all of the drives i've inspected do not actually have these components soldered down, so it must have been an uncommonly used feature that was removed to save cost.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:01 JST Tube🌞Time

     in reply to

     looks like the key finding is that i needed 2 more sets of clock cycles before bringing RESET up to 10V.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:01 JST Tube🌞Time

     in reply to

     starting the disassembly process.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:01 JST Tube🌞Time

     in reply to

     finished the disassembly process, more or less. you can read the commented source code here: https://github.com/schlae/HardDriveInfo/blob/main/st225/firmware/80007-001_commented.txt

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:02 JST Tube🌞Time

     in reply to

     oh that's interesting, the port C output is pulsing sometimes (and the data line doesn't get contention).

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:02 JST Tube🌞Time

     in reply to

     so the code that the exploit loads into RAM pulses the port C (all pins) with an LDA #$FF ; STA $82; KDA #$00; STA $82. the LDA is 2 cycles and the STA is 3 cycles. but the pin is high for 10 clock cycles...

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:02 JST Tube🌞Time

     in reply to

     OH! it has a clock divider on the input. so it's actually 5 CPU cycles. i think this exploit actually is running, but not consistently.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:02 JST Tube🌞Time

     in reply to

     holy crap it is working, it's dumping real 6502 code

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:03 JST Tube🌞Time

     in reply to

     no luck, sadly. it's supposed to be clocking in a program over PORTC, but there appears to be output contention (see how the voltage levels on ch4 don't always make it to a logic high)

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:03 JST Tube🌞Time

     in reply to

     i'm not giving up. maybe it needs more clocks before bringing reset high. the datasheet says "at least 8"

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:04 JST Tube🌞Time

     in reply to

     i think i'll try to dump the microcontroller on the ST-225.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:04 JST Tube🌞Time

     in reply to

     someone's dumped the MOS version of this microcontroller using a clever circuit and a test mode. i don't know if it will work with the NCR version of the chip, however.

     https://e4aws.silverdr.com/hacks/6500_1/

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:04 JST Tube🌞Time

     in reply to

     let's see what happens when i throw the switch. it's putting 10V bursts on the reset pin, so i hope nothing gets damaged.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:05 JST Tube🌞Time

     in reply to

     why is this useful? it turns out that these drives have a 1.75MHz signal recorded onto specific tracks, letting the MCU (which controls the stepper motor) know if it has gone outside of the data area.

     so basically, you step around, and if you see this pin go high (and stay high) then you know you're out of bounds.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:05 JST Tube🌞Time

     in reply to

     there is a special signal recorded at track -2. it is the same 1.75MHz but it has short bursts of twice the frequency (2F). this lets the MCU know that (1) it is at track -2, and (2) it lets it synchronize the hall effect sensors.

     you get multiple pulses per revolution, so you need a way to sync up the divider chain so you get an index signal that is repeatable.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:05 JST Tube🌞Time

     in reply to

     so from the ST-225 to the ST-251, this function got swallowed up in the drive interface chip. but at least now i know how it works.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:06 JST Tube🌞Time

     in reply to

     OK, this one is done! amazingly, it also helped me solve a mystery on the ST-251. on this later drive, the board has a custom chip that captures data from the current track and outputs a "processed" version of it to the MCU through the PA2 GPIO pin. how does it process it? i didn't know until today.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:06 JST Tube🌞Time

     in reply to

     so the 20527 board in the ST-225 uses a discrete circuit for doing the same task. it has two 74123 one-shot pulse generators connected in series with each other and going out to the MCU (on PA7 because this board uses a variant).

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:06 JST Tube🌞Time

     in reply to

     the key observation is that the pin state depends on the frequency of the signal coming in. for DC, it is normally low. for frequencies *higher* than about 2.6MHz, it also stays low. but for a particular window of frequencies (1.4 to 2.6MHz) the pin goes *high*.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:07 JST Tube🌞Time

     in reply to

     this is the control board for the ST-225 hard drive. it's an earlier revision. so far it's not too dissimilar from the ST-251 but the stepper motor driver circuit is quite different.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:07 JST Tube🌞Time

     in reply to

     and just like that...the ST225 logic board is now in KiCad.

     check it out: https://github.com/schlae/HardDriveInfo

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:07 JST Tube🌞Time

     in reply to

     turns out there is another variation of the ST-225 logic board. looks like a cost reduction.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:08 JST Tube🌞Time

     in reply to

     here's where things get really interesting. i've pulled in the imagery of the early ST-251 board and overlaid my Kicad traces from the newer revision.

     it's almost like a visual diff--now i can see exactly what changes were made between board versions, which means i can back out a schematic as well!

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:08 JST Tube🌞Time

     in reply to

     well that was epic! i've completely reverse engineered this older revision. details in the repo (https://github.com/schlae/HardDriveInfo)

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:08 JST Tube🌞Time

     in reply to

     another day, another board revision!

     this one has minor electrical changes from the previous one, mainly adding control over the spindle motor *power level* from the microcontroller. that way they were able to lower the average power consumption.

     https://github.com/schlae/HardDriveInfo/tree/main/st251/21020

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:09 JST Tube🌞Time

     in reply to

     this later revision of the st-251 uses a mask-ROM microcontroller. it's very similar to the R6518, at least in the pinout. it also latches its internal address bus on a bunch of the pins during the rising edge of phi2! this means i can spy on the program counter and any other memory addresses being accessed.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:09 JST Tube🌞Time

     in reply to

     the firmware from the older board revision (which uses an external EPROM chip) has been dumped and (mostly) analyzed! see https://github.com/schlae/HardDriveInfo/blob/main/st251/firmware/ST251_commented.txt

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:09 JST Tube🌞Time

     in reply to

     unfortunately we don't have a dump of the protected mask ROM, but it seems to be somewhat similar, and the 6502 puts *every* address it accesses on the bus, so you can see it accessing special function registers and the stack, allowing you to infer quite a bit about what is going on.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:10 JST Tube🌞Time

     in reply to

     collecting the info is a pretty manual process.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:10 JST Tube🌞Time

     in reply to

     the "ring lsi" is interesting. it provides an adjustable linear regulator to set the stepper motor supply voltage (set through SPI bus) and it monitors the "ringing" on a winding after it has been driven and is settling.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:10 JST Tube🌞Time

     in reply to

     i've moved on to the read/write LSI. the read channel is somewhat tricky because it uses four (!) one-shot timers to turn the raw analog signal coming from the read preamplifiers into an output pulse that represents a flux transition.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:11 JST Tube🌞Time

     in reply to

     this one seems to be for retracting the heads using the stepper motor when power is lost to the drive.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:11 JST Tube🌞Time

     in reply to

     hmm yes it sequences the stepper motor using the spindle motor's back EMF as the clock!

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:11 JST Tube🌞Time

     in reply to

     i've collected more information on the ASICs at https://github.com/schlae/HardDriveInfo.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:12 JST Tube🌞Time

     in reply to

     OK, infodrop for you folks! https://github.com/schlae/HardDriveInfo

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:12 JST Tube🌞Time

     in reply to

     the schematic PDF is in the repo as well as the KiCad source files. i'll be examining the firmware as well as the earlier board revisions.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:12 JST Tube🌞Time

     in reply to

     going to figure out what some of these custom chips do. this one is "10223-502."

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:13 JST Tube🌞Time

     in reply to

     so on my schematic, i've named all the previously nameless pins and the circuit makes sense now.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:13 JST Tube🌞Time

     in reply to

     I need to confirm some component values.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:13 JST Tube🌞Time

     in reply to

     kinda horrifying but this is the best way to test SMD parts out of circuit.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:14 JST Tube🌞Time

     in reply to

     solved a few mystery pins on these Seagate custom chips. they are connected to the magnetic heads.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:14 JST Tube🌞Time

     in reply to

     the ST-225 drive uses a similar circuit but it is an older design and less integrated. the ST-251's SSI257.2 chip drives the center taps of the head windings. they just "garbage collected" the transistors, head select decoder, and resistors driving it along with the transistors that set the write current.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:14 JST Tube🌞Time

     in reply to

     by looking at the ST-412 schematic, i figured out that the ST-251's SSI257 chip contains a bunch of steering diodes as well as an op amp (an NE592 equivalent).

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:15 JST Tube🌞Time

     in reply to

     ok, now what is THIS resistor value?

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:15 JST Tube🌞Time

     in reply to

     it's actually 100 ohms. someone back in the day was making resistors of various values that were all marked 0. great...

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:15 JST Tube🌞Time

     in reply to

     whew. got the layout and schematic captured. there were a few differences compared with the official schematic.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:16 JST Tube🌞Time

     in reply to

     this part takes a while.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:16 JST Tube🌞Time

     in reply to

     what resistor value do you think the circled chip resistor has?

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:16 JST Tube🌞Time

     in reply to

     all of you are wrong. it is a 3K resistor.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:17 JST Tube🌞Time

     in reply to

     so one of these drives blew a tantalum capacitor. i think i will take this board apart for reverse engineering purposes. there are multiple revisions but this will be a good starting point.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:17 JST Tube🌞Time

     in reply to

     with a combination of hot air and a desoldering gun, i've taken it down to just a few surface mount parts. i'm going to leave those in place for now since many of them are not marked. there is also no silkscreen.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:17 JST Tube🌞Time

     in reply to

     they scanned well. i've taken the top and bottom images and lined them up precisely. these reference images are 600dpi but i may go for a lower res version for KiCad since it stores the images in the pcb file, which slows it down a lot.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:18 JST Tube🌞Time

     in reply to

     ok so funny story, the Ghidra target of "65C02" already supports these instructions. at least i know how to customize Ghidra...

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:18 JST Tube🌞Time

     in reply to

     some interesting routines. this one waits for the spindle speed (as measured by the index pulses) to exceed 3593 rpm (or so).

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:18 JST Tube🌞Time

     in reply to

     they have a clever delay-by-x routine. the entry point is delay_entry. and yes, the routine calls its own rts as a way to insert cycles...

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:19 JST Tube🌞Time

     in reply to

     hmm, looks like there are a few instructions that aren't 6502. apparently Rockwell defined a few new ones. it would be nice if Ghidra could handle those.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:19 JST Tube🌞Time

     in reply to

     hmmm what's this

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:19 JST Tube🌞Time

     in reply to

     ahhhhh much better. thanks to whomever added R6518 support to Ghidra just now. oh wait that was me

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:20 JST Tube🌞Time

     in reply to

     this definitely looks like 6502 code. time to pull it into Ghidra.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:20 JST Tube🌞Time

     in reply to

     oh yeah. i've mapped it starting at address 0x3000 but the hardware maps the ROM chip in starting at 0x0100, where it just gets aliased all the way up to 0xFFFF. the absolute jump addresses located in the vectors at the top of the ROM refer to addresses starting at 0x3000, so i'm just using that.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:21 JST Tube🌞Time

     in reply to

     on my board this is the part marked 80118-501
     R1512-11

     and it has the Rockwell logo, making me think it is something from their R6500 series of 6502-compatible microcontrollers.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:21 JST Tube🌞Time

     in reply to

     another version of the board has the EPROM footprint populated, and the chip is marked R6518AJ, which is definitely a Rockwell microcontroller. the firmware has already been dumped.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:21 JST Tube🌞Time

     in reply to

     you can find good info here: https://bitsavers.org/pdf/seagate/mfm/ST-251/

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:22 JST Tube🌞Time

     in reply to

     it would be nice to be able to repair the logic boards. a schematic exists, which is quite helpful.

   • Tube🌞Time (tubetime@mastodon.social)'s status on Wednesday, 28-Aug-2024 01:56:22 JST Tube🌞Time

     in reply to

     what's interesting is that the board hosts a microcontroller. the schematic lists it as a "6510" which makes me think it is 6502-based.