Difference between revisions of "Roland DIF-AT"
| Line 5: | Line 5: | ||
[https://www.roland.com/br/products/dif-at24/ Roland's page on the DIF-AT] | [https://www.roland.com/br/products/dif-at24/ Roland's page on the DIF-AT] | ||
| − | [[File:DIFAT 24.jpg|thumb| | + | [[File:DIFAT 24.jpg|thumb|Roland publicity image |alt=]] |
===Brief outline -=== | ===Brief outline -=== | ||
| Line 29: | Line 29: | ||
===PCB Photos -=== | ===PCB Photos -=== | ||
<gallery> | <gallery> | ||
| − | File:DIF-AT MAIN.JPG|Main board | + | File:DIF-AT MAIN.JPG|'''Main board''' |
| − | File:H8 3005 CPU.JPG|Cpu (not mcu!) | + | File:H8 3005 CPU.JPG|'''Cpu (not mcu!)''' |
| − | File:Main Board Side On.JPG|Main board, alt | + | File:Main Board Side On.JPG|'''Main board, alt''' |
| − | File:SRAM + NOR FLASH.JPG|SRAM + NOR Flash (512kb) | + | File:SRAM + NOR FLASH.JPG|'''SRAM + NOR Flash (512kb)''' |
| − | File:ALESIS OTP CPLD.JPG|alt=Custom Alesis chip OTP? GAL?|Custom Alesis chip OTP CPLD? GAL? | + | File:ALESIS OTP CPLD.JPG|alt=Custom Alesis chip OTP? GAL?|'''Custom Alesis chip OTP CPLD? GAL?''' |
| − | File:TDIF-BOARD.JPG|alt=TDIF daughter board|TDIF daughter board | + | File:TDIF-BOARD.JPG|alt=TDIF daughter board|'''TDIF daughter board''' |
| − | File:5v conditioning circuit.jpeg|alt=5v power conditioning|5v power conditioning | + | File:5v conditioning circuit.jpeg|alt=5v power conditioning|'''5v power conditioning''' |
| − | File:Sync section optocouplers.JPG|alt=sync circuitry with optocouplers| | + | File:Sync section optocouplers.JPG|alt=sync circuitry with optocouplers|'''Sync circuitry with optocouplers''' |
| − | File:Reset circuit.jpg|alt=Reset IC and switch|Reset IC and switch | + | File:Reset circuit.jpg|alt=Reset IC and switch|'''Reset IC and switch''' |
| − | File:Xilinx CPLD.jpg|alt=Xilinx CPLD with JTAG pads visible (pin 50, 81 silkscreen)|Xilinx CPLD with JTAG pads visible (pin 50, 81 silkscreen) | + | File:Xilinx CPLD.jpg|alt=Xilinx CPLD with JTAG pads visible (pin 50, 81 silkscreen)|'''Xilinx CPLD with JTAG pads visible (pin 50, 81 silkscreen)''' |
</gallery> | </gallery> | ||
| Line 53: | Line 53: | ||
A 50 pin header provides easy access to most address lines and relevant (to operation) CPU/RAM/Flash lines. This will be convenient to run a logic capture during boot and operation later. I beeped out the 50 pin connector - Many pins have multiple connections. Happily; the vias were not tented - this was a long endeavour even with continuity through the vias : ) Below, the findings and some general notes: <gallery> | A 50 pin header provides easy access to most address lines and relevant (to operation) CPU/RAM/Flash lines. This will be convenient to run a logic capture during boot and operation later. I beeped out the 50 pin connector - Many pins have multiple connections. Happily; the vias were not tented - this was a long endeavour even with continuity through the vias : ) Below, the findings and some general notes: <gallery> | ||
| − | File:DIFat 50 pin header1 .png|alt=dif at pin header pins 1 - 16| | + | File:DIFat 50 pin header1 .png|alt=dif at pin header pins 1 - 16|'''Header pins 1 - 16''' |
| − | File:DIFat 50 pin header2.png|alt=header pins 16 - 24| | + | File:DIFat 50 pin header2.png|alt=header pins 16 - 24|'''Header pins 16 - 24''' |
| − | File:DIFat 50 pin header3.png|alt=header pins 15 to 38| | + | File:DIFat 50 pin header3.png|alt=header pins 15 to 38|'''Header pins 15 to 38''' |
| − | File:DIFat 50 pin header4.png|alt=header pins 38 to 50| | + | File:DIFat 50 pin header4.png|alt=header pins 38 to 50|'''Header pins 38 to 50''' |
| − | File:DIFAT PIN HEADER GENERAL NOTES.png|alt=general notes about CPU SRAM, inferred operation| | + | File:DIFAT PIN HEADER GENERAL NOTES.png|alt=general notes about CPU SRAM, inferred operation|'''General notes about inferred operation''' |
</gallery> | </gallery> | ||
| Line 66: | Line 66: | ||
Perhaps Roland just had a load of these in house already and it was cheaper to use them than get a smaller device. Or maybe it was the only suitable device in that range? | Perhaps Roland just had a load of these in house already and it was cheaper to use them than get a smaller device. Or maybe it was the only suitable device in that range? | ||
| − | JTAG pads are exposed on the PCB as seen in the image above. I could connect to these to read the CPLD. Pretty soon they were pulled off the board, and I had to solder a pin to the leg temporarily to continue reading data. (before I discovered | + | JTAG pads are exposed on the PCB as seen in the image above. I could connect to these to read the CPLD. Pretty soon they were pulled off the board, and I had to solder a pin to the leg temporarily to continue reading data. (before I discovered tiny IC clips!) |
| − | I connected using Bluetag, OpenOCD and XC3SPROG (open source Xilinx CLI) and was eventually able to read back ID codes and find IR Len etc. I was happy it was | + | I connected using Bluetag, OpenOCD and XC3SPROG (open source Xilinx CLI) and was eventually able to read back ID codes and find IR Len etc. I was happy it was responding. It was fun, confusing and difficult to set up all these tools. I set most of them up on a Raspberry Pi as dedicated hacking server so I can connect remotely to the hot mess setup with my laptop, somewhere more comfortable : ) |
| + | <gallery> | ||
| + | File:XC3SPROG id read.png|alt=XC3SPROG id read|'''XC3SPROG id read''' | ||
| + | File:Pullup info.png|alt=Pullup info from Xilinx|'''Pullup info from Xilinx''' | ||
| + | File:Bluetag pin read.png|alt=BlueTag correctly reads pins|'''BlueTag correctly reads pins''' | ||
| + | File:Open OCD.png|alt=OpenOCD and BlueTag (in BusPirate Mode)|'''OpenOCD and BlueTag (in BusPirate Mode)''' | ||
| + | </gallery> | ||
| + | === BSDL Scan === | ||
| + | After initial ID code read, I used a [https://github.com/viveris/jtag-boundary-scanner BSDL GUI] to determine whether the CPLD was actually passing data throughput. Whilst easy to use when running, this tool took a while to set up (I mistakenly compiled it from source in Windows 7 32 bit - somehow missing the fact there there was a package release) After downloading the BSDL language file from Xilinx and setting up the tool with info from the Xilinx datasheet (super confusing naming convention, cells vs physical pins). Scanner could only run with this set up in Sample mode (OS not present nor running). | ||
| + | |||
| + | It was satisfying to see my logic probe light up on the outputs during BSDL scanning. | ||
| + | |||
| + | Xilinx CPLD confirmed working - big achievement! | ||
At some point I will get a Xilinx Platform Cable to attempt to read the bitstream for archival purposes. However at this stage I'd had to get a few probes etc and didn't really want to get a Xilinx only device. I've had great luck with unlocked devices so far though, everything I've looked at has been open or level 1 : ) | At some point I will get a Xilinx Platform Cable to attempt to read the bitstream for archival purposes. However at this stage I'd had to get a few probes etc and didn't really want to get a Xilinx only device. I've had great luck with unlocked devices so far though, everything I've looked at has been open or level 1 : ) | ||
| + | [[File:VIVERIS BOUNDARY SCANNER.png|thumb|Viveris JTAG Boundary Scanner]] | ||
| + | |||
Revision as of 18:44, 27 April 2026
[Page under construction - as yet incomplete]
PCB photos, Pinouts, Pin header, Device operation, Connections between subsystems. Notes on firmware structure, Machine language monitor program, DFU, firmware extraction, firmware update script (python)
Contents
Brief outline -
I bought this device to repair. They are rare, and interesting. It would not respond any longer or be recognised by host hardware. (it runs in conjunction with host digital mixer / host music production device, translating digital audio formats in real time)
I damaged a lot of traces on the device and gave up on it. However, I learned how to micro-solder and became inspired to continue the repair with reverse engineering techniques. This is my first reverse engineering project, though I have worked on modding and repairing before.
Given the device was already non-responsive (and now damaged) -
Goals-
- De-solder NOR Flash and read firmware.
- Determine potential corruption of firmware.
- Re-flash firmware onto new NOR flash (if good).
- Determine operation / potential corruption of Xilinx CPLD and/or Alesis OTP? IC - read contents if possible.
- Analyse firmware for anything interesting.
- Determine and examine / analyse hardware architecture.
- Repair traces, replace ICs. Test.
- Collate information, share research and findings.
PCB Photos -
Main board
Cpu (not mcu!)
Main board, alt
SRAM + NOR Flash (512kb)
Custom Alesis chip OTP CPLD? GAL?
TDIF daughter board
5v power conditioning
Sync circuitry with optocouplers
Reset IC and switch
Xilinx CPLD with JTAG pads visible (pin 50, 81 silkscreen)
Device Overview
This is a complex device with a 16 bit CPU, Xilinx 95xx CPLD, Custom Alesis chip (Gate array, PAL, GAL, OTP CPLD?) SRAM, NOR flash 512kb, logic and switching for bus arbitration. BREQ Bus request is a very involved circuit. Also CE# Chip Enable NOR Flash is connected through a complicated muxing circuit. The Alesis custom IC handles the WE# Write Enable to the NOR Flash.
No info could be found on the Alesis chip, searching for the numerous IC markings revealed nothing.
The Device is quite old school. This was built for the early generation of ADAT/TDIF machines, still using physical tape. Thankfully a tape machine is not necessary for operation. The sync requirements of locking digital audio using analogue tape definitely adds complexity to this system.
Device has 2 buttons on the PCB: 1 - RESET, reset circuit and IC 2 - Launch monitor diagnostic mode.
A 50 pin header provides easy access to most address lines and relevant (to operation) CPU/RAM/Flash lines. This will be convenient to run a logic capture during boot and operation later. I beeped out the 50 pin connector - Many pins have multiple connections. Happily; the vias were not tented - this was a long endeavour even with continuity through the vias : ) Below, the findings and some general notes:
Header pins 1 - 16
Header pins 16 - 24
Header pins 15 to 38
Header pins 38 to 50
General notes about inferred operation
JTAG/Programming/Firmware
The device has two levels of firmware: NOR Flash and CPLD bitstream. The Xilinx is an older model XC95144 which is programmed over JTAG. However, due to the architecture, bitstream cannot be read out over JTAG (even if unlocked). It still seems strange to me that, this is a 100 pin CPLD, and only 4 inputs and 4 outputs are used! (RBUS data solely, 8 channels L/R)
Perhaps Roland just had a load of these in house already and it was cheaper to use them than get a smaller device. Or maybe it was the only suitable device in that range?
JTAG pads are exposed on the PCB as seen in the image above. I could connect to these to read the CPLD. Pretty soon they were pulled off the board, and I had to solder a pin to the leg temporarily to continue reading data. (before I discovered tiny IC clips!)
I connected using Bluetag, OpenOCD and XC3SPROG (open source Xilinx CLI) and was eventually able to read back ID codes and find IR Len etc. I was happy it was responding. It was fun, confusing and difficult to set up all these tools. I set most of them up on a Raspberry Pi as dedicated hacking server so I can connect remotely to the hot mess setup with my laptop, somewhere more comfortable : )
XC3SPROG id read
Pullup info from Xilinx
BlueTag correctly reads pins
OpenOCD and BlueTag (in BusPirate Mode)
BSDL Scan
After initial ID code read, I used a BSDL GUI to determine whether the CPLD was actually passing data throughput. Whilst easy to use when running, this tool took a while to set up (I mistakenly compiled it from source in Windows 7 32 bit - somehow missing the fact there there was a package release) After downloading the BSDL language file from Xilinx and setting up the tool with info from the Xilinx datasheet (super confusing naming convention, cells vs physical pins). Scanner could only run with this set up in Sample mode (OS not present nor running).
It was satisfying to see my logic probe light up on the outputs during BSDL scanning.
Xilinx CPLD confirmed working - big achievement!
At some point I will get a Xilinx Platform Cable to attempt to read the bitstream for archival purposes. However at this stage I'd had to get a few probes etc and didn't really want to get a Xilinx only device. I've had great luck with unlocked devices so far though, everything I've looked at has been open or level 1 : )
Extract Firmware
I used a TL48 programmer with a 48pin TTSOP to read the NOR Flash firmware contents -
In the image below are the settings needed for a good read. The NOR flash is 16 bit wide, but the CPU is reading it in 8 bit mode (8 bit mode pin is tied low). SHARP LH28F400BVE Parallel NOR Flash 512kb. The chip is from the late 1990s as the device is also, turn of the century 2000s.
Although the strings are legible here, this is because the T48 is re-arranging the byte order automatically. The byte order must be swapped (little endian) in order to disassemble the firmware. I found this out after nonsensical strings were seen, without swapping byte order. I tried some 8 bit reads, but this garbled the strings in the T48. It was clear 16 bit wide was correct, but then byte order needed changing. I used a python script to swap the byte order of the entire dumped firmware file.
The strings are very interesting indeed. Not just a standard 'version' or 'release date' string - they are command strings!
As this device has no screen, a low level diagnostic routine is inferred from their discovery. Looking closely at the last string or two, I was worried that it might be corrupted as there are some missing letters in the string - (ADAT Sync port di onnected and Dectected rather than Detected).
