# H8/536 ROM Decompiler The ROM used is from a SONY RCP-TX7 Camera Panel. Some of the code in this repo may be bias to the functions of that particular use case with the H8/536. This repo now includes a standalone Python helper for the H8/536 ROM image: ```powershell python h8536_decompiler.py ROM\M27C512@DIP28_1.BIN --out build\rom_decompiled.asm --json build\rom_decompiled.json ``` If you are using the repo-local venv: ```powershell .\.venv\Scripts\python.exe h8536_decompiler.py --out build\rom_decompiled.asm --json build\rom_decompiled.json --cycles --callgraph-dot build\callgraph.dot ``` To turn the structured decompile output into conservative C-like pseudocode: ```powershell .\.venv\Scripts\python.exe h8536_pseudocode.py build\rom_decompiled.json --out build\rom_pseudocode.c --cycles ``` To generate a focused RX/TX serial-path pseudocode view from the reconstruction metadata: ```powershell .\.venv\Scripts\python.exe h8536_serial_pseudocode.py build\rom_decompiled.json --out build\rom_serial_pseudocode.c ``` ## What It Does - Decodes the H8/500 instruction set used by the H8/536. - Reads the H8/536 minimum-mode vector table from the ROM. - Recursively traces reachable code from reset, interrupt, and trap vectors. - Emits labels for branch and call targets. - Tracks `LDC.B #xx, BR` along traced control flow so later short absolute `@aa:8` operands can resolve automatically. - Annotates H8/536 register accesses such as `P1DDR`, `SYSCR1`, `WCR`, watchdog, timer/SCI/A-D, and RAM-control registers. - Decodes register bitfields and selected hardware semantics for setup writes. - Annotates interrupt priority registers and DTC enable routing registers. - Emits memory-region metadata for vector, DTC, RAM, register-field, and mode-dependent program/external space. - Parses the DTC vector table described by the manual and decodes DTC register-information blocks. - Tracks SCI setup writes and can infer baud rates from SMR/BRR when `--clock-hz` is supplied. - Annotates SCI protocol actions such as TDRE waits, TDR writes, RDR reads, RX/TX interrupt enables, and receive-error clears. - Reconstructs evidence-supported SCI1 serial frame candidates, including the apparent six-byte TX/RX units and XOR checksum seeded by `0x5A`. - Infers candidate serial protocol semantics from validated frames, including `RX[0] & 0x07` command dispatch, likely index/value byte roles, and response staging through `F850-F854`. - Generates a focused RX/TX serial-path pseudocode view from those serial reconstruction and protocol-semantic candidates. - Adds a Sony RCP-TX7 board profile that ties H8/536 pin 66 `P95/TXD` and pin 67 `P96/RXD` to the MAX202 RS232 transceiver. - Flags/manual-annotates TEMP-register access ordering for FRT and A/D 16-bit peripheral registers. - Scans unreached ROM ranges for ASCII strings and pointer-table candidates. - Scans likely LCD/menu text records, groups display-text regions, and reports literal/near matches for terms such as `CONNECT`. - Emits function summaries and a direct-call graph in JSON, with optional Graphviz DOT output. - Tracks conservative per-basic-block register/control-register dataflow in JSON and comments known value changes. - Discovers RAM/external/global symbols from memory references and pointer tables, including read/write counts and xrefs. - Adds indirect `JSR/JMP @Rn` flow hints when a nearby indexed word load looks like a pointer table dispatch. - Adds Appendix A cycle estimates to JSON and can append them to ASM comments. - Summarizes straight-line block timing and backward-branch loop timing when requested. - Handles the E-clock transfer instructions `MOVFPE` and `MOVTPE`. - Recognizes likely LCD E-clock access routines at `H'F200`/`H'F201`, including busy-flag polling and data/control writes. - Generates a separate C-like pseudocode view from the JSON, preserving labels, calls, branches, register names, inferred symbols, metadata comments, optional cycle notes, and simple structured `if`/`do while` patterns. The generated listing is written to: ```text build/rom_decompiled.asm ``` The optional JSON output is useful for scripts or later analysis: ```text build/rom_decompiled.json ``` ## Useful Options ```powershell python h8536_decompiler.py --help ``` - `--mode min|max`: vector format. This ROM appears to be minimum mode; `min` is the default. - `--entry H'1234`: add an extra entry point to recursive tracing. - `--linear`: linear-sweep the selected range instead of tracing from vectors. - `--start H'1000 --end H'D100`: constrain the decode range. - `--br H'FE`: resolve short absolute `@aa:8` operands through a known base-register value. - `--clock-hz 16000000`: infer SCI baud rates from manual BRR formulas. - `--board-profile sony_rcp_tx7|none`: include or suppress known board-trace annotations. - `--cycles`: append Appendix A cycle estimates to assembly comments. - `--timing`: include straight-line block and backward-branch loop timing summaries. - `--callgraph-dot build\callgraph.dot`: write a Graphviz DOT call graph. For pseudocode: ```powershell python h8536_pseudocode.py --help ``` - `--no-asm`: omit original assembly text from pseudocode line comments. - `--no-addresses`: omit instruction addresses from pseudocode line comments. - `--cycles`: include cycle estimates from the JSON. - `--no-structure`: preserve label/goto output instead of simple structured `if`/loop output. - `--max-functions N`: emit only the first `N` functions for focused review. For focused serial pseudocode: ```powershell python h8536_serial_pseudocode.py --help ``` - `--tx-only`: emit only the candidate transmit path. - `--rx-only`: emit only the candidate receive path. - `--no-evidence`: omit evidence-address comments. - `--no-manual`: omit manual-reference comments. - `--no-board`: omit board/MAX202 comments. - `--no-semantics`: omit candidate command/field semantics. ## Code Layout - `h8536_decompiler.py`: compatibility wrapper for the CLI. - `h8536/cli.py`: argument parsing and end-to-end orchestration. - `h8536/decoder.py`: instruction and effective-address decoding. - `h8536/tables.py`: manual-derived opcode/vector/register tables. - `h8536/vectors.py`: exception and DTC vector parsing. - `h8536/dtc.py`: DTC register-information block decoding. - `h8536/analysis.py`: recursive tracing, linear sweep, labels, function grouping, and call graph analysis. - `h8536/data_analysis.py`: unreached string and pointer-table candidate scans. - `h8536/memory.py`: manual-derived memory-region tagging. - `h8536/cycles.py`: Appendix A cycle estimate tables. - `h8536/dataflow.py`: conservative register/control-register value tracking. - `h8536/symbols.py`: RAM/external/global symbol discovery from references and data tables. - `h8536/indirect.py`: indirect call/jump and pointer-table dispatch hints. - `h8536/lcd_text.py`: LCD/menu text record scanning, fuzzy search, and text xrefs. - `h8536/lcd_driver.py`: LCD E-clock access and busy-poll recognizer. - `h8536/timing.py`: block and loop cycle summaries. - `h8536/sci.py`: SCI setup tracking and baud inference. - `h8536/sci_protocol.py`: SCI transmit/receive/status semantic annotations. - `h8536/serial_reconstruction.py`: cautious higher-level SCI frame reconstruction from decompiled evidence. - `h8536/serial_semantics.py`: candidate command/field semantics inferred from serial frame use. - `h8536/serial_pseudocode.py`: focused RX/TX protocol pseudocode generation from reconstruction metadata. - `h8536/board_profile.py`: Sony RCP-TX7 board-trace annotations, including the MAX202 RS232 path. - `h8536/peripheral_access.py`: FRT/A-D TEMP-register access analysis. - `h8536/pseudocode.py`: JSON-to-C-like pseudocode generation. - `h8536/render.py`: assembly and JSON output. - `h8536/model.py`, `h8536/rom.py`, `h8536/formatting.py`: shared data structures and helpers. - `h8536_pseudocode.py`: pseudocode CLI wrapper. - `h8536_serial_pseudocode.py`: focused serial pseudocode CLI wrapper.