1
0
Files
h8-536-decoder/README.md
2026-05-25 15:18:47 +10:00

6.4 KiB

H8/536 ROM Decompiler

The ROM used is from a SONY RCP-TX7 Camera Panel. Some of the code in this repo may be bias to the functions of that particular use case with the H8/536.

This repo now includes a standalone Python helper for the H8/536 ROM image:

python h8536_decompiler.py ROM\M27C512@DIP28_1.BIN --out build\rom_decompiled.asm --json build\rom_decompiled.json

If you are using the repo-local venv:

.\.venv\Scripts\python.exe h8536_decompiler.py --out build\rom_decompiled.asm --json build\rom_decompiled.json --cycles --callgraph-dot build\callgraph.dot

To turn the structured decompile output into conservative C-like pseudocode:

.\.venv\Scripts\python.exe h8536_pseudocode.py build\rom_decompiled.json --out build\rom_pseudocode.c --cycles

What It Does

  • Decodes the H8/500 instruction set used by the H8/536.
  • Reads the H8/536 minimum-mode vector table from the ROM.
  • Recursively traces reachable code from reset, interrupt, and trap vectors.
  • Emits labels for branch and call targets.
  • Tracks LDC.B #xx, BR along traced control flow so later short absolute @aa:8 operands can resolve automatically.
  • Annotates H8/536 register accesses such as P1DDR, SYSCR1, WCR, watchdog, timer/SCI/A-D, and RAM-control registers.
  • Decodes register bitfields and selected hardware semantics for setup writes.
  • Annotates interrupt priority registers and DTC enable routing registers.
  • Emits memory-region metadata for vector, DTC, RAM, register-field, and mode-dependent program/external space.
  • Parses the DTC vector table described by the manual and decodes DTC register-information blocks.
  • Tracks SCI setup writes and can infer baud rates from SMR/BRR when --clock-hz is supplied.
  • Annotates SCI protocol actions such as TDRE waits, TDR writes, RDR reads, RX/TX interrupt enables, and receive-error clears.
  • Adds a Sony RCP-TX7 board profile that ties H8/536 pin 66 P95/TXD and pin 67 P96/RXD to the MAX202 RS232 transceiver.
  • Flags/manual-annotates TEMP-register access ordering for FRT and A/D 16-bit peripheral registers.
  • Scans unreached ROM ranges for ASCII strings and pointer-table candidates.
  • Scans likely LCD/menu text records, groups display-text regions, and reports literal/near matches for terms such as CONNECT.
  • Emits function summaries and a direct-call graph in JSON, with optional Graphviz DOT output.
  • Tracks conservative per-basic-block register/control-register dataflow in JSON and comments known value changes.
  • Discovers RAM/external/global symbols from memory references and pointer tables, including read/write counts and xrefs.
  • Adds indirect JSR/JMP @Rn flow hints when a nearby indexed word load looks like a pointer table dispatch.
  • Adds Appendix A cycle estimates to JSON and can append them to ASM comments.
  • Summarizes straight-line block timing and backward-branch loop timing when requested.
  • Handles the E-clock transfer instructions MOVFPE and MOVTPE.
  • Recognizes likely LCD E-clock access routines at H'F200/H'F201, including busy-flag polling and data/control writes.
  • Generates a separate C-like pseudocode view from the JSON, preserving labels, calls, branches, register names, inferred symbols, metadata comments, optional cycle notes, and simple structured if/do while patterns.

The generated listing is written to:

build/rom_decompiled.asm

The optional JSON output is useful for scripts or later analysis:

build/rom_decompiled.json

Useful Options

python h8536_decompiler.py --help
  • --mode min|max: vector format. This ROM appears to be minimum mode; min is the default.
  • --entry H'1234: add an extra entry point to recursive tracing.
  • --linear: linear-sweep the selected range instead of tracing from vectors.
  • --start H'1000 --end H'D100: constrain the decode range.
  • --br H'FE: resolve short absolute @aa:8 operands through a known base-register value.
  • --clock-hz 16000000: infer SCI baud rates from manual BRR formulas.
  • --board-profile sony_rcp_tx7|none: include or suppress known board-trace annotations.
  • --cycles: append Appendix A cycle estimates to assembly comments.
  • --timing: include straight-line block and backward-branch loop timing summaries.
  • --callgraph-dot build\callgraph.dot: write a Graphviz DOT call graph.

For pseudocode:

python h8536_pseudocode.py --help
  • --no-asm: omit original assembly text from pseudocode line comments.
  • --no-addresses: omit instruction addresses from pseudocode line comments.
  • --cycles: include cycle estimates from the JSON.
  • --no-structure: preserve label/goto output instead of simple structured if/loop output.
  • --max-functions N: emit only the first N functions for focused review.

Code Layout

  • h8536_decompiler.py: compatibility wrapper for the CLI.
  • h8536/cli.py: argument parsing and end-to-end orchestration.
  • h8536/decoder.py: instruction and effective-address decoding.
  • h8536/tables.py: manual-derived opcode/vector/register tables.
  • h8536/vectors.py: exception and DTC vector parsing.
  • h8536/dtc.py: DTC register-information block decoding.
  • h8536/analysis.py: recursive tracing, linear sweep, labels, function grouping, and call graph analysis.
  • h8536/data_analysis.py: unreached string and pointer-table candidate scans.
  • h8536/memory.py: manual-derived memory-region tagging.
  • h8536/cycles.py: Appendix A cycle estimate tables.
  • h8536/dataflow.py: conservative register/control-register value tracking.
  • h8536/symbols.py: RAM/external/global symbol discovery from references and data tables.
  • h8536/indirect.py: indirect call/jump and pointer-table dispatch hints.
  • h8536/lcd_text.py: LCD/menu text record scanning, fuzzy search, and text xrefs.
  • h8536/lcd_driver.py: LCD E-clock access and busy-poll recognizer.
  • h8536/timing.py: block and loop cycle summaries.
  • h8536/sci.py: SCI setup tracking and baud inference.
  • h8536/sci_protocol.py: SCI transmit/receive/status semantic annotations.
  • h8536/board_profile.py: Sony RCP-TX7 board-trace annotations, including the MAX202 RS232 path.
  • h8536/peripheral_access.py: FRT/A-D TEMP-register access analysis.
  • h8536/pseudocode.py: JSON-to-C-like pseudocode generation.
  • h8536/render.py: assembly and JSON output.
  • h8536/model.py, h8536/rom.py, h8536/formatting.py: shared data structures and helpers.
  • h8536_pseudocode.py: pseudocode CLI wrapper.