1
0
Files
h8-536-decoder/README.md
2026-05-25 21:33:19 +10:00

16 KiB

H8/536 ROM Decompiler

The ROM used is from a SONY RCP-TX7 Camera Panel. Some of the code in this repo may be bias to the functions of that particular use case with the H8/536.

This repo now includes a standalone Python helper for the H8/536 ROM image:

python h8536_decompiler.py ROM\M27C512@DIP28_1.BIN --out build\rom_decompiled.asm --json build\rom_decompiled.json

If you are using the repo-local venv:

.\.venv\Scripts\python.exe h8536_decompiler.py --out build\rom_decompiled.asm --json build\rom_decompiled.json --cycles --callgraph-dot build\callgraph.dot

To turn the structured decompile output into conservative C-like pseudocode:

.\.venv\Scripts\python.exe h8536_pseudocode.py build\rom_decompiled.json --out build\rom_pseudocode.c --cycles

To generate a focused RX/TX serial-path pseudocode view from the reconstruction metadata:

.\.venv\Scripts\python.exe h8536_serial_pseudocode.py build\rom_decompiled.json --out build\rom_serial_pseudocode.c

To run the newer sidecar protocol and gate/queue analysis tools:

.\.venv\Scripts\python.exe h8536_serial_gate.py build\rom_decompiled.json --out build\rom_serial_gate.txt
.\.venv\Scripts\python.exe h8536_report_source_trace.py build\rom_decompiled.json --out build\rom_report_sources.txt
.\.venv\Scripts\python.exe h8536_table_xrefs.py --out build\rom_table_xrefs.txt
.\.venv\Scripts\python.exe h8536_consistency.py build\rom_decompiled.json --out build\rom_consistency.txt
.\.venv\Scripts\python.exe h8536_protocol_capture.py ROM\rcp-txd-idle-only.txt

To start the current emulator harness:

.\.venv\Scripts\python.exe h8536_emulator.py --max-steps 1000000 --stop-on-heartbeat --interval-steps 512
.\.venv\Scripts\python.exe h8536_emulator_probe.py --max-steps 4000000 --stop-on-tx
.\.venv\Scripts\python.exe h8536_emulator_probe.py --max-steps 1000000 --stop-on-tx --p9-fast-path
.\.venv\Scripts\python.exe h8536_emulator_rx_probe.py --preset connect-lcd

What It Does

  • Decodes the H8/500 instruction set used by the H8/536.
  • Reads the H8/536 minimum-mode vector table from the ROM.
  • Recursively traces reachable code from reset, interrupt, and trap vectors.
  • Emits labels for branch and call targets.
  • Tracks LDC.B #xx, BR along traced control flow so later short absolute @aa:8 operands can resolve automatically.
  • Annotates H8/536 register accesses such as P1DDR, SYSCR1, WCR, watchdog, timer/SCI/A-D, and RAM-control registers.
  • Decodes register bitfields and selected hardware semantics for setup writes.
  • Annotates interrupt priority registers and DTC enable routing registers.
  • Emits memory-region metadata for vector, DTC, RAM, register-field, and mode-dependent program/external space.
  • Parses the DTC vector table described by the manual and decodes DTC register-information blocks.
  • Tracks SCI setup writes and can infer baud rates from SMR/BRR when --clock-hz is supplied.
  • Annotates SCI protocol actions such as TDRE waits, TDR writes, RDR reads, RX/TX interrupt enables, and receive-error clears.
  • Reconstructs evidence-supported SCI1 serial frame candidates, including the apparent six-byte TX/RX units and XOR checksum seeded by 0x5A.
  • Infers candidate serial protocol semantics from validated frames, including RX[0] & 0x07 command dispatch, likely index/value byte roles, and response staging through F850-F854.
  • Generates a focused RX/TX serial-path pseudocode view from those serial reconstruction and protocol-semantic candidates.
  • Marks H8 word-destination writes fed by byte immediates as explicit zero-extension in pseudocode, including the heartbeat queue write at loc_4067.
  • Emits a decompiler/pseudocode consistency report for width semantics that are easy to misread.
  • Decodes observed serial byte captures into six-byte frames, validates checksums, labels capture-observed heartbeat/call/camera-power candidates, and summarizes heartbeat cadence.
  • Accepts both analyzer-style lines such as RX 006 bytes ... and the idle reference frame 006 ... format in ROM/rcp-txd-idle-only.txt.
  • Reconstructs the autonomous serial gate/queue state-machine around loc_3FD3, loc_BAF2, F9B0/F9B5, FAA2/FAA3/FAA5, the F9C4/FRT2 idle heartbeat gate at loc_4046, and the resend path through BE9E/BED5.
  • Traces direct callers to loc_3E54 to identify report queue sources and conservatively flags whether observed report indexes such as 0x0007 are ROM-proven constants or runtime/capture observations.
  • Generates table/index cross-reference reports for candidate value/current/secondary/flag tables and LCD text correlations.
  • Adds a Sony RCP-TX7 board profile that ties H8/536 pin 66 P95/TXD and pin 67 P96/RXD to the MAX202 RS232 transceiver.
  • Flags/manual-annotates TEMP-register access ordering for FRT and A/D 16-bit peripheral registers.
  • Scans unreached ROM ranges for ASCII strings and pointer-table candidates.
  • Scans likely LCD/menu text records, groups display-text regions, and reports literal/near matches for terms such as CONNECT.
  • Emits function summaries and a direct-call graph in JSON, with optional Graphviz DOT output.
  • Tracks conservative per-basic-block register/control-register dataflow in JSON and comments known value changes.
  • Discovers RAM/external/global symbols from memory references and pointer tables, including read/write counts and xrefs.
  • Adds indirect JSR/JMP @Rn flow hints when a nearby indexed word load looks like a pointer table dispatch.
  • Adds Appendix A cycle estimates to JSON and can append them to ASM comments.
  • Summarizes straight-line block timing and backward-branch loop timing when requested.
  • Handles the E-clock transfer instructions MOVFPE and MOVTPE.
  • Recognizes likely LCD E-clock access routines at H'F200/H'F201, including busy-flag polling and data/control writes.
  • Generates a separate C-like pseudocode view from the JSON, preserving labels, calls, branches, register names, inferred symbols, metadata comments, optional cycle notes, and simple structured if/do while patterns.
  • Provides an early H8/536 emulator harness with ROM/RAM/register memory mapping, reset-vector boot, SCI1 transmit capture, MOV condition-code updates, SCB/F, stack/call/return support, indirect JMP/JSR @Rn dispatch, scaffolded SCI1 RXI/ERI/TXI and interval/FRT1-OCIA/FRT2-OCIA interrupt scheduling, a P9 bit-banged bus model, a 16x4 LCD bus/DDRAM model for H'F200/H'F201, and an opt-in P9 transfer fast path.
  • Includes an emulator probe that reports hot PCs, recent P9/SCI accesses, serial report queue/gate traces, RAM lifecycle watches, final SCI1/TXI state, and captured P9 byte candidates while running the real ROM.
  • Includes an RX command probe that boots until SCI1 RXI is serviceable, injects host six-byte frames through RDR/RDRF, listens for device TX frames, and reports serial latch/table/LCD-buffer and emulated-LCD effects.

Current serial observations:

  • Idle capture reference: ROM/rcp-txd-idle-only.txt.
  • Idle frame: 00 00 00 00 80 DA.
  • Capture-side label: heartbeat_alive_candidate.
  • Idle cadence from the reference file: 54 frames, average about 699.9 ms, min 601 ms, max 803 ms.
  • Static/runtime finding: F9C4 is a candidate idle heartbeat/report countdown. Init loads H'14, loc_BA26 reloads H'07 after a send, FRT2 OCIA decrements it, and loc_4046 can enqueue report H'0000 when it reaches zero and the queue is empty.
  • Runtime-confirmed heartbeat path: loc_4067 writes H'0000 into the queue via a zero-extended word move, loc_BAF2/loc_BB08 dequeue it, loc_BB1C/loc_BB20/loc_BB2B stage the TX bytes, and loc_BA26 emits 00 00 00 00 80 DA.
  • Emulator LCD finding: the ROM writes the boot/no-active-session message to the LCD bus as CONNECT:NOT ACT on line 0 by the time SCI1 RX is serviceable. Valid and invalid six-byte host frames leave that display active while normal serial replies/heartbeats continue.
  • RX probe finding: the --preset connect-lcd sequence reaches the command-0x04 handler; 04 00 00 80 00 DE writes table index zero, fills the LCD line buffer with CONNECT: OK, and emits 02 00 02 00 00 5A in the current emulator model.
  • Observed capture labels such as cam_power_button_candidate and call_button_candidate are deliberately treated as capture overlays, not protocol facts hard-coded in ROM.

The generated listing is written to:

build/rom_decompiled.asm

The optional JSON output is useful for scripts or later analysis:

build/rom_decompiled.json

Common derived outputs:

build/rom_pseudocode.c
build/rom_serial_pseudocode.c
build/rom_serial_gate.txt
build/rom_report_sources.txt
build/rom_table_xrefs.txt
build/rom_consistency.txt
build/callgraph.dot

Useful Options

python h8536_decompiler.py --help
  • --mode min|max: vector format. This ROM appears to be minimum mode; min is the default.
  • --entry H'1234: add an extra entry point to recursive tracing.
  • --linear: linear-sweep the selected range instead of tracing from vectors.
  • --start H'1000 --end H'D100: constrain the decode range.
  • --br H'FE: resolve short absolute @aa:8 operands through a known base-register value.
  • --clock-hz 16000000: infer SCI baud rates from manual BRR formulas.
  • --board-profile sony_rcp_tx7|none: include or suppress known board-trace annotations.
  • --cycles: append Appendix A cycle estimates to assembly comments.
  • --timing: include straight-line block and backward-branch loop timing summaries.
  • --callgraph-dot build\callgraph.dot: write a Graphviz DOT call graph.

For pseudocode:

python h8536_pseudocode.py --help
  • --no-asm: omit original assembly text from pseudocode line comments.
  • --no-addresses: omit instruction addresses from pseudocode line comments.
  • --cycles: include cycle estimates from the JSON.
  • --no-structure: preserve label/goto output instead of simple structured if/loop output.
  • --max-functions N: emit only the first N functions for focused review.

For focused serial pseudocode:

python h8536_serial_pseudocode.py --help
  • --tx-only: emit only the candidate transmit path.
  • --rx-only: emit only the candidate receive path.
  • --no-evidence: omit evidence-address comments.
  • --no-manual: omit manual-reference comments.
  • --no-board: omit board/MAX202 comments.
  • --no-semantics: omit candidate command/field semantics.

For protocol trace and capture logs:

python h8536_protocol_trace.py --help
python h8536_protocol_capture.py --help
  • h8536_protocol_trace.py --direction tx 00 00 15 80 00 CF: decode raw bytes as protocol frames.
  • h8536_protocol_capture.py ROM\rcp-txd-idle-only.txt: parse timestamped captures, recombine split chunks, validate checksums, and summarize cadence/gate hints.
  • --json on the capture tool emits machine-readable frame and cadence data.

For gate/queue and table reports:

python h8536_serial_gate.py --help
python h8536_report_source_trace.py --help
python h8536_table_xrefs.py --help
python h8536_consistency.py --help
  • h8536_serial_gate.py: reports the autonomous TX gate and report queue evidence.
  • h8536_report_source_trace.py: traces direct loc_3E54 report enqueue sources. Current finding: no direct static R3 = 0x0007 enqueue in the JSON, so CAM power 0x0007 remains runtime/capture-observed unless a later indirect/table path proves it.
  • h8536_table_xrefs.py: emits candidate table/index xrefs and LCD text correlation hints.
  • h8536_consistency.py: flags JSON-to-pseudocode semantic hazards such as byte immediates written to word destinations.

For the emulator harness:

python h8536_emulator.py --help
python h8536_emulator_probe.py --help
python h8536_emulator_rx_probe.py --help
  • --rom PATH: use an explicit ROM path instead of auto-discovering ROM\M27C512@DIP28_1.BIN.
  • --max-steps N: bound execution.
  • --trace: print executed instructions.
  • --stop-on-heartbeat: stop only if 00 00 00 00 80 DA is emitted through SCI1 TDR.
  • --interval-steps N: tune the scaffolded interval timer cadence.
  • --frt1-ocia-steps N / --frt2-ocia-steps N: tune rough FRT compare-interrupt cadence.
  • --p9-fast-path: shortcut known P9 transfer routines for exploration.
  • --trace-report-gates, --trace-report-queue, and --trace-ram-lifecycle: inspect the serial report queue, loc_4046/F9C4 gate, and watched RAM byte history.
  • --target-frame "00 00 00 00 80 DA": compare staged/emitted TX bytes against an expected six-byte frame.
  • h8536_emulator_rx_probe.py "04 00 00 80 00": append the checksum, inject the host frame through SCI1 RX, and summarize responses.
  • h8536_emulator_rx_probe.py --preset connect-lcd: replay the current CONNECT LCD activation candidates.
  • Current status: boots from H'1000, initializes SCI1, models the first P9 bit-banged handshakes, captures P9 byte candidates, can optionally fast-path known P9 routines, schedules FRT1/FRT2 OCIA, captures the ROM-driven LCD line CONNECT:NOT ACT, and emits the observed heartbeat frame 00 00 00 00 80 DA.

Code Layout

  • h8536_decompiler.py: compatibility wrapper for the CLI.
  • h8536/cli.py: argument parsing and end-to-end orchestration.
  • h8536/decoder.py: instruction and effective-address decoding.
  • h8536/tables.py: manual-derived opcode/vector/register tables.
  • h8536/vectors.py: exception and DTC vector parsing.
  • h8536/dtc.py: DTC register-information block decoding.
  • h8536/analysis.py: recursive tracing, linear sweep, labels, function grouping, and call graph analysis.
  • h8536/data_analysis.py: unreached string and pointer-table candidate scans.
  • h8536/memory.py: manual-derived memory-region tagging.
  • h8536/cycles.py: Appendix A cycle estimate tables.
  • h8536/dataflow.py: conservative register/control-register value tracking.
  • h8536/symbols.py: RAM/external/global symbol discovery from references and data tables.
  • h8536/indirect.py: indirect call/jump and pointer-table dispatch hints.
  • h8536/lcd_text.py: LCD/menu text record scanning, fuzzy search, and text xrefs.
  • h8536/lcd_driver.py: LCD E-clock access and busy-poll recognizer.
  • h8536/timing.py: block and loop cycle summaries.
  • h8536/sci.py: SCI setup tracking and baud inference.
  • h8536/sci_protocol.py: SCI transmit/receive/status semantic annotations.
  • h8536/serial_reconstruction.py: cautious higher-level SCI frame reconstruction from decompiled evidence.
  • h8536/serial_semantics.py: candidate command/field semantics inferred from serial frame use.
  • h8536/serial_pseudocode.py: focused RX/TX protocol pseudocode generation from reconstruction metadata.
  • h8536/protocol_trace.py: raw six-byte protocol frame decoder/checksum validator.
  • h8536/protocol_capture.py: timestamped serial capture parser, frame recombiner, and cadence/gate-session analyzer.
  • h8536/serial_gate.py: autonomous TX gate/queue state-machine reconstruction.
  • h8536/report_source_trace.py: direct loc_3E54 report enqueue source tracer.
  • h8536/table_xrefs.py: table/index xrefs and LCD correlation report generation.
  • h8536/consistency.py: decompiler/pseudocode semantic consistency checks.
  • h8536/emulator/: early H8/536 emulator package split into CPU state, memory map, SCI1 TX capture, P9 bus model, LCD model, runner, probe, CLI, and peripheral scaffolding.
  • h8536/emulator/rx_probe.py: host-frame injection and response/listener probe for SCI1 RX experiments.
  • h8536/board_profile.py: Sony RCP-TX7 board-trace annotations, including the MAX202 RS232 path.
  • h8536/peripheral_access.py: FRT/A-D TEMP-register access analysis.
  • h8536/pseudocode.py: JSON-to-C-like pseudocode generation.
  • h8536/render.py: assembly and JSON output.
  • h8536/model.py, h8536/rom.py, h8536/formatting.py: shared data structures and helpers.
  • h8536_pseudocode.py: pseudocode CLI wrapper.
  • h8536_serial_pseudocode.py: focused serial pseudocode CLI wrapper.
  • h8536_protocol_trace.py, h8536_protocol_capture.py: protocol analysis CLI wrappers.
  • h8536_serial_gate.py, h8536_report_source_trace.py, h8536_table_xrefs.py, h8536_consistency.py: sidecar analysis CLI wrappers.
  • h8536_emulator.py, h8536_emulator_probe.py, h8536_emulator_rx_probe.py: emulator CLI wrappers.