More ccu based mining
168
build/rom_ccu_seed_hints.txt
Normal file
@@ -0,0 +1,168 @@
|
||||
H8/536 CCU Seed Hint Report
|
||||
|
||||
Summary: The RCP likely waits for the CCU to seed mirrored state tables, then uses those selector values to update LCD text, panel lamps, and report state changes.
|
||||
Confidence: medium
|
||||
|
||||
Table Model:
|
||||
- primary_value_table_candidate: H'E000-H'E3FF; accesses=31 static selectors=0x000, 0x002, 0x003, 0x023, 0x040, 0x081, 0x092, 0x093, 0x0A7, 0x0B7, 0x0B9, 0x0F6
|
||||
- secondary_value_table_candidate: H'E400-H'E7FF; accesses=8 static selectors=none
|
||||
- current_value_table_candidate: H'E800-H'EBFF; accesses=14 static selectors=0x000, 0x003, 0x040, 0x081, 0x092, 0x0F6
|
||||
- flag_table_candidate: H'EC00-H'EFFF; accesses=6 static selectors=0x000
|
||||
|
||||
Highest-Value Selector Candidates:
|
||||
- 0x000 heartbeat_or_idle_report_candidate: score=18 tables=primary_value_table_candidate, current_value_table_candidate, flag_table_candidate
|
||||
- primary_value_table_candidate write in loc_4096: MOV:G.W #H'0080, @H'E000
|
||||
- current_value_table_candidate write in loc_4096: MOV:G.W #H'0080, @H'E800
|
||||
- flag_table_candidate write in loc_4075: CLR.W @(-H'1400,R0)
|
||||
- idle report selector and CONNECT OK emulator condition both center on selector zero
|
||||
seed frames: 0x0080 -> 00 00 00 00 80 DA; 0x8080 -> 00 00 00 80 80 5A
|
||||
readback frame: 01 00 00 00 00 5B
|
||||
- 0x093 state_selector_candidate: score=15 tables=primary_value_table_candidate
|
||||
- primary_value_table_candidate read in loc_17C9: BTST.W #12, @H'E126
|
||||
- primary_value_table_candidate read in loc_17FB: BTST.W #12, @H'E126
|
||||
- primary_value_table_candidate read in loc_182D: BTST.W #5, @H'E126
|
||||
- primary_value_table_candidate read in loc_1891: BTST.W #5, @H'E126
|
||||
readback frame: 01 01 13 00 00 49
|
||||
- 0x0F6 active_status_bridge_candidate: score=14 tables=primary_value_table_candidate, current_value_table_candidate
|
||||
- primary_value_table_candidate read in loc_48FA: BTST.W #13, @H'E1EC
|
||||
- primary_value_table_candidate read in loc_48FA: MOV:G.W @H'E1EC, R0
|
||||
- current_value_table_candidate write in loc_48FA: MOV:G.W R0, @H'E9EC
|
||||
- loc_48FA tests E1EC bit13 and can enqueue report selector 0x00F6
|
||||
seed frames: 0x2000 -> 00 01 76 20 00 0D
|
||||
readback frame: 01 01 76 00 00 2C
|
||||
- 0x003 default_enabled_bit_candidate: score=11 tables=primary_value_table_candidate, current_value_table_candidate
|
||||
- primary_value_table_candidate write in loc_4096: MOV:G.W #H'8000, @H'E006
|
||||
- current_value_table_candidate write in loc_4096: MOV:G.W #H'8000, @H'E806
|
||||
- ROM default table writes E000/E800 selector 0x003 to 0x8000
|
||||
seed frames: 0x8000 -> 00 00 03 80 00 D9
|
||||
readback frame: 01 00 03 00 00 58
|
||||
- 0x040 default_all_ones_or_status_block_candidate: score=11 tables=primary_value_table_candidate, current_value_table_candidate
|
||||
- primary_value_table_candidate write in loc_4096: MOV:G.W #H'FFFF, @H'E080
|
||||
- current_value_table_candidate write in loc_4096: MOV:G.W #H'FFFF, @H'E880
|
||||
- ROM default table writes E000/E800 selector 0x040 to 0xFFFF and bench tests repeatedly touched the 0x40 family
|
||||
seed frames: 0xFFFF -> 00 00 40 FF FF 1A; 0x4030 -> 00 00 40 40 30 6A
|
||||
readback frame: 01 00 40 00 00 1B
|
||||
- 0x081 state_selector_candidate: score=9 tables=primary_value_table_candidate, current_value_table_candidate
|
||||
- primary_value_table_candidate read in vec_ad_adi_3D99: MOV:G.W @H'E102, R0
|
||||
- primary_value_table_candidate read in vec_ad_adi_3D99: CMP:G.W @H'E102, R1
|
||||
- current_value_table_candidate write in loc_15E0: MOV:G.W R1, @H'E902
|
||||
readback frame: 01 01 01 00 00 5B
|
||||
- 0x092 state_selector_candidate: score=9 tables=primary_value_table_candidate, current_value_table_candidate
|
||||
- primary_value_table_candidate read in loc_2650: MOV:G.W @H'E124, R0
|
||||
- primary_value_table_candidate read in loc_2650: CMP:G.W @H'E124, R0
|
||||
- current_value_table_candidate write in loc_2650: MOV:G.W R0, @H'E924
|
||||
readback frame: 01 01 12 00 00 48
|
||||
- 0x06B connection_latch_clear_candidate: score=7 tables=none
|
||||
- when F731.7 is set, command 5 on this selector clears F731.7/F790.7
|
||||
- selector dispatches to H'2F72
|
||||
readback frame: 01 00 6B 00 00 30
|
||||
- 0x06C command5_be70_candidate: score=7 tables=none
|
||||
- continuation command 5 calls BE70 for selector 0x006C
|
||||
- selector dispatches to H'2FAF
|
||||
readback frame: 01 00 6C 00 00 37
|
||||
- 0x06D command5_be70_candidate: score=7 tables=none
|
||||
- continuation command 5 calls BE70 for selector 0x006D
|
||||
- selector dispatches to H'3015
|
||||
readback frame: 01 00 6D 00 00 36
|
||||
- 0x007 camera_power_report_candidate: score=5 tables=none
|
||||
- observed RCP autonomous report frame(s): 00 00 07 80 00 DD
|
||||
- selector dispatches to H'2DC3
|
||||
readback frame: 01 00 07 00 00 5C
|
||||
- 0x015 call_button_report_candidate: score=5 tables=none
|
||||
- observed RCP autonomous report frame(s): 00 00 15 80 00 CF, 00 00 15 00 00 4F
|
||||
- selector dispatches to H'2E39
|
||||
readback frame: 01 00 15 00 00 4E
|
||||
- 0x023 state_selector_candidate: score=5 tables=primary_value_table_candidate
|
||||
- primary_value_table_candidate write in loc_400C: CLR.W @H'E046
|
||||
- selector dispatches to H'2EE6
|
||||
readback frame: 01 00 23 00 00 78
|
||||
- 0x06E command5_be70_candidate: score=5 tables=none
|
||||
- continuation command 5 calls BE70 for selector 0x006E
|
||||
readback frame: 01 00 6E 00 00 35
|
||||
- 0x096 connection_latch_clear_candidate: score=5 tables=none
|
||||
- when F731.7 is set, command 5 on this selector clears F731.7/F790.7
|
||||
readback frame: 01 01 16 00 00 4C
|
||||
- 0x097 connection_latch_clear_candidate: score=5 tables=none
|
||||
- when F731.7 is set, command 5 on this selector clears F731.7/F790.7
|
||||
readback frame: 01 01 17 00 00 4D
|
||||
- 0x0C6 connection_latch_clear_candidate: score=5 tables=none
|
||||
- when F731.7 is set, command 5 on this selector clears F731.7/F790.7
|
||||
readback frame: 01 01 46 00 00 1C
|
||||
- 0x0F8 connection_latch_clear_candidate: score=5 tables=none
|
||||
- when F731.7 is set, command 5 on this selector clears F731.7/F790.7
|
||||
readback frame: 01 01 78 00 00 22
|
||||
- 0x002 state_selector_candidate: score=3 tables=primary_value_table_candidate
|
||||
- primary_value_table_candidate read in loc_2650: BTST.W #13, @H'E004
|
||||
readback frame: 01 00 02 00 00 59
|
||||
- 0x0A7 state_selector_candidate: score=3 tables=primary_value_table_candidate
|
||||
- primary_value_table_candidate read in loc_1705: BTST.W #15, @H'E14E
|
||||
readback frame: 01 01 27 00 00 7D
|
||||
- 0x0B7 state_selector_candidate: score=3 tables=primary_value_table_candidate
|
||||
- primary_value_table_candidate read in loc_174D: BTST.W #13, @H'E16E
|
||||
readback frame: 01 01 37 00 00 6D
|
||||
- 0x0B9 state_selector_candidate: score=3 tables=primary_value_table_candidate
|
||||
- primary_value_table_candidate read in loc_1795: BTST.W #13, @H'E172
|
||||
readback frame: 01 01 39 00 00 63
|
||||
- 0x110 state_selector_candidate: score=3 tables=primary_value_table_candidate
|
||||
- primary_value_table_candidate read in loc_1795: BTST.W #15, @H'E220
|
||||
readback frame: 01 01 90 00 00 CA
|
||||
- 0x012 state_selector_candidate: score=2 tables=none
|
||||
- selector dispatches to H'2E03
|
||||
readback frame: 01 00 12 00 00 49
|
||||
|
||||
Display Text Hints:
|
||||
- CONNECT: 0 hit(s)
|
||||
- COMM LINK: 4 hit(s) - H'77F4 'literal COMM LINK', H'78F4 'literal COMM LINK', H'77F4 'COMM LINK ITEM-1Xw'
|
||||
- COMPLETED: 2 hit(s) - H'A027 'literal COMPLETED', H'A025 'COMPLETED'
|
||||
- CAM: 6 hit(s) - H'7149 'literal CAM', H'71FC 'literal CAM', H'72C7 'literal CAM'
|
||||
- BARS: 12 hit(s) - H'72D1 'literal BARS', H'757D 'literal BARS', H'9C61 'literal BARS'
|
||||
- BLACK: 22 hit(s) - H'65CC 'literal BLACK', H'6647 'literal BLACK', H'6709 'literal BLACK'
|
||||
- IRIS: 6 hit(s) - H'6461 'literal IRIS', H'6A92 'literal IRIS', H'A5CA 'literal IRIS'
|
||||
- GAIN: 10 hit(s) - H'6825 'literal GAIN', H'7813 'literal GAIN', H'98A1 'literal GAIN'
|
||||
- SHUTTER: 4 hit(s) - H'6FB2 'literal SHUTTER', H'781A 'literal SHUTTER', H'6FAE 'SHUTTER Xo'
|
||||
- CALL: 8 hit(s) - H'B53E 'literal CALL', H'B563 'literal CALL', H'B62F 'literal CALL'
|
||||
- POWER: 0 hit(s)
|
||||
- AUTO: 34 hit(s) - H'693E 'literal AUTO', H'6A52 'literal AUTO', H'6B40 'literal AUTO'
|
||||
- DIAG: 6 hit(s) - H'6BF5 'literal DIAG', H'6C19 'literal DIAG', H'6E46 'literal DIAG'
|
||||
- DXC: 0 hit(s)
|
||||
|
||||
Selector Dispatch Hints:
|
||||
- table H'28A6: 25 non-default/interesting entries
|
||||
- selector 0x000 -> H'2CB9 (dispatch index 0x000)
|
||||
- selector 0x007 -> H'2DC3 (dispatch index 0x007)
|
||||
- selector 0x012 -> H'2E03 (dispatch index 0x012)
|
||||
- selector 0x013 -> H'2E06 (dispatch index 0x013)
|
||||
- selector 0x015 -> H'2E39 (dispatch index 0x015)
|
||||
- selector 0x016 -> H'2E5A (dispatch index 0x016)
|
||||
- selector 0x017 -> H'2E85 (dispatch index 0x017)
|
||||
- selector 0x018 -> H'2E6F (dispatch index 0x018)
|
||||
- selector 0x01A -> H'2EC4 (dispatch index 0x01A)
|
||||
- selector 0x023 -> H'2EE6 (dispatch index 0x023)
|
||||
- selector 0x024 -> H'2F0C (dispatch index 0x024)
|
||||
- selector 0x025 -> H'2F1C (dispatch index 0x025)
|
||||
- selector 0x043 -> H'2F4A (dispatch index 0x043)
|
||||
- selector 0x04A -> H'2F5C (dispatch index 0x04A)
|
||||
- selector 0x04E -> H'2F5C (dispatch index 0x04E)
|
||||
- selector 0x052 -> H'2F5C (dispatch index 0x052)
|
||||
|
||||
Candidate Fake-CCU Seed Plan:
|
||||
- cmd0 seed selector 0x000 = 0x8080: 00 00 00 80 80 5A
|
||||
selector zero active/connect candidate from emulator state search
|
||||
- cmd0 seed selector 0x003 = 0x8000: 00 00 03 80 00 D9
|
||||
ROM default state also sets selector 0x003 high bit
|
||||
- cmd0 seed selector 0x040 = 0xFFFF: 00 00 40 FF FF 1A
|
||||
ROM default all-ones/status candidate touched by bench 0x40 family
|
||||
- cmd0 seed selector 0x0F6 = 0x2000: 00 01 76 20 00 0D
|
||||
sets E1EC bit13 candidate used by loc_48FA report bridge
|
||||
|
||||
Bench Implications:
|
||||
- Do not wait for non-heartbeat reports as the only activation source; the CCU may be expected to push initial table state first.
|
||||
- Use command 0 writes for initial seeding, then command 1 readbacks for verification. Treat command 4/5/6 as continuation-only until a live report proves otherwise.
|
||||
- Selector zero remains the highest-value activation candidate because the emulator reaches CONNECT OK when E000[0]=0x8080 and the selector-zero processing queue runs.
|
||||
- E1EC/selector 0x00F6 is a strong follow-up candidate because loc_48FA tests bit13 there and can enqueue report 0x00F6.
|
||||
- LCD text terms such as CAM/BARS/BLACK/COMM LINK appear in ROM records, but they are not direct serial payload strings; they point to selector-driven display builders.
|
||||
|
||||
Caveats:
|
||||
- Selector names are candidates, not confirmed protocol labels.
|
||||
- Static table xrefs prove that firmware reads/writes a selector; they do not prove the external CCU must seed it on boot.
|
||||
- Generated frames are syntactically valid six-byte host frames; bench safety still depends on timing and current RCP state.
|
||||
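Review bot: The readback frame for selector 0x110 (01 01 90 00 00 CA, last third of the Highest-Value Selector Candidates list) is the only generated frame whose third byte has its high bit set, so the selector encoding is ambiguous at that point. Every other selector at or above 0x080 encodes with a third byte below 0x80 (0x093 -> 01 13, 0x0F6 -> 01 76, 0x0C6 -> 01 46), which fits both "second byte 01, third byte selector minus 0x80" and a 7-bit split of the selector; for 0x110 the two readings diverge (01 90 versus 02 10) and the report emits the first without any supporting observation. Either mark this frame as unverified or qualify the caveat that generated frames are syntactically valid six-byte host frames. Two related gaps: 0x110 is attributed to primary_value_table_candidate through BTST.W #15, @H'E220 but is missing from that table's static selectors list in the Table Model, and the dispatch section announces 25 entries for table H'28A6 while listing 16, so add the selector and state that the dispatch list is truncated.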