13 KiB
H8/536 ROM Decompiler
The ROM used is from a SONY RCP-TX7 Camera Panel. Some of the code in this repo may be bias to the functions of that particular use case with the H8/536.
This repo now includes a standalone Python helper for the H8/536 ROM image:
python h8536_decompiler.py ROM\M27C512@DIP28_1.BIN --out build\rom_decompiled.asm --json build\rom_decompiled.json
If you are using the repo-local venv:
.\.venv\Scripts\python.exe h8536_decompiler.py --out build\rom_decompiled.asm --json build\rom_decompiled.json --cycles --callgraph-dot build\callgraph.dot
To turn the structured decompile output into conservative C-like pseudocode:
.\.venv\Scripts\python.exe h8536_pseudocode.py build\rom_decompiled.json --out build\rom_pseudocode.c --cycles
To generate a focused RX/TX serial-path pseudocode view from the reconstruction metadata:
.\.venv\Scripts\python.exe h8536_serial_pseudocode.py build\rom_decompiled.json --out build\rom_serial_pseudocode.c
To run the newer sidecar protocol and gate/queue analysis tools:
.\.venv\Scripts\python.exe h8536_serial_gate.py build\rom_decompiled.json --out build\rom_serial_gate.txt
.\.venv\Scripts\python.exe h8536_report_source_trace.py build\rom_decompiled.json --out build\rom_report_sources.txt
.\.venv\Scripts\python.exe h8536_table_xrefs.py --out build\rom_table_xrefs.txt
.\.venv\Scripts\python.exe h8536_protocol_capture.py ROM\rcp-txd-idle-only.txt
To start the current emulator harness:
.\.venv\Scripts\python.exe h8536_emulator.py --max-steps 1000000 --stop-on-heartbeat --interval-steps 512
.\.venv\Scripts\python.exe h8536_emulator_probe.py --max-steps 4000000 --stop-on-tx
.\.venv\Scripts\python.exe h8536_emulator_probe.py --max-steps 1000000 --stop-on-tx --p9-fast-path
What It Does
- Decodes the H8/500 instruction set used by the H8/536.
- Reads the H8/536 minimum-mode vector table from the ROM.
- Recursively traces reachable code from reset, interrupt, and trap vectors.
- Emits labels for branch and call targets.
- Tracks
LDC.B #xx, BRalong traced control flow so later short absolute@aa:8operands can resolve automatically. - Annotates H8/536 register accesses such as
P1DDR,SYSCR1,WCR, watchdog, timer/SCI/A-D, and RAM-control registers. - Decodes register bitfields and selected hardware semantics for setup writes.
- Annotates interrupt priority registers and DTC enable routing registers.
- Emits memory-region metadata for vector, DTC, RAM, register-field, and mode-dependent program/external space.
- Parses the DTC vector table described by the manual and decodes DTC register-information blocks.
- Tracks SCI setup writes and can infer baud rates from SMR/BRR when
--clock-hzis supplied. - Annotates SCI protocol actions such as TDRE waits, TDR writes, RDR reads, RX/TX interrupt enables, and receive-error clears.
- Reconstructs evidence-supported SCI1 serial frame candidates, including the apparent six-byte TX/RX units and XOR checksum seeded by
0x5A. - Infers candidate serial protocol semantics from validated frames, including
RX[0] & 0x07command dispatch, likely index/value byte roles, and response staging throughF850-F854. - Generates a focused RX/TX serial-path pseudocode view from those serial reconstruction and protocol-semantic candidates.
- Decodes observed serial byte captures into six-byte frames, validates checksums, labels capture-observed heartbeat/call/camera-power candidates, and summarizes heartbeat cadence.
- Accepts both analyzer-style lines such as
RX 006 bytes ...and the idle referenceframe 006 ...format inROM/rcp-txd-idle-only.txt. - Reconstructs the autonomous serial gate/queue state-machine around
loc_3FD3,loc_BAF2,F9B0/F9B5,FAA2/FAA3/FAA5, and the resend path throughBE9E/BED5. - Traces direct callers to
loc_3E54to identify report queue sources and conservatively flags whether observed report indexes such as0x0007are ROM-proven constants or runtime/capture observations. - Generates table/index cross-reference reports for candidate value/current/secondary/flag tables and LCD text correlations.
- Adds a Sony RCP-TX7 board profile that ties H8/536 pin 66
P95/TXDand pin 67P96/RXDto the MAX202 RS232 transceiver. - Flags/manual-annotates TEMP-register access ordering for FRT and A/D 16-bit peripheral registers.
- Scans unreached ROM ranges for ASCII strings and pointer-table candidates.
- Scans likely LCD/menu text records, groups display-text regions, and reports literal/near matches for terms such as
CONNECT. - Emits function summaries and a direct-call graph in JSON, with optional Graphviz DOT output.
- Tracks conservative per-basic-block register/control-register dataflow in JSON and comments known value changes.
- Discovers RAM/external/global symbols from memory references and pointer tables, including read/write counts and xrefs.
- Adds indirect
JSR/JMP @Rnflow hints when a nearby indexed word load looks like a pointer table dispatch. - Adds Appendix A cycle estimates to JSON and can append them to ASM comments.
- Summarizes straight-line block timing and backward-branch loop timing when requested.
- Handles the E-clock transfer instructions
MOVFPEandMOVTPE. - Recognizes likely LCD E-clock access routines at
H'F200/H'F201, including busy-flag polling and data/control writes. - Generates a separate C-like pseudocode view from the JSON, preserving labels, calls, branches, register names, inferred symbols, metadata comments, optional cycle notes, and simple structured
if/do whilepatterns. - Provides an early H8/536 emulator harness with ROM/RAM/register memory mapping, reset-vector boot, SCI1 transmit capture, MOV condition-code updates,
SCB/F, stack/call/return support, scaffolded SCI1 TXI/interval/FRT1-OCIA/FRT2-OCIA interrupt scheduling, a P9 bit-banged bus model, and an opt-in P9 transfer fast path. - Includes an emulator probe that reports hot PCs, recent P9/SCI accesses, final SCI1/TXI state, and captured P9 byte candidates while running the real ROM.
Current serial observations:
- Idle capture reference:
ROM/rcp-txd-idle-only.txt. - Idle frame:
00 00 00 00 80 DA. - Capture-side label:
heartbeat_alive_candidate. - Idle cadence from the reference file: 54 frames, average about 699.9 ms, min 601 ms, max 803 ms.
- Observed capture labels such as
cam_power_button_candidateandcall_button_candidateare deliberately treated as capture overlays, not protocol facts hard-coded in ROM.
The generated listing is written to:
build/rom_decompiled.asm
The optional JSON output is useful for scripts or later analysis:
build/rom_decompiled.json
Common derived outputs:
build/rom_pseudocode.c
build/rom_serial_pseudocode.c
build/rom_serial_gate.txt
build/rom_report_sources.txt
build/rom_table_xrefs.txt
build/callgraph.dot
Useful Options
python h8536_decompiler.py --help
--mode min|max: vector format. This ROM appears to be minimum mode;minis the default.--entry H'1234: add an extra entry point to recursive tracing.--linear: linear-sweep the selected range instead of tracing from vectors.--start H'1000 --end H'D100: constrain the decode range.--br H'FE: resolve short absolute@aa:8operands through a known base-register value.--clock-hz 16000000: infer SCI baud rates from manual BRR formulas.--board-profile sony_rcp_tx7|none: include or suppress known board-trace annotations.--cycles: append Appendix A cycle estimates to assembly comments.--timing: include straight-line block and backward-branch loop timing summaries.--callgraph-dot build\callgraph.dot: write a Graphviz DOT call graph.
For pseudocode:
python h8536_pseudocode.py --help
--no-asm: omit original assembly text from pseudocode line comments.--no-addresses: omit instruction addresses from pseudocode line comments.--cycles: include cycle estimates from the JSON.--no-structure: preserve label/goto output instead of simple structuredif/loop output.--max-functions N: emit only the firstNfunctions for focused review.
For focused serial pseudocode:
python h8536_serial_pseudocode.py --help
--tx-only: emit only the candidate transmit path.--rx-only: emit only the candidate receive path.--no-evidence: omit evidence-address comments.--no-manual: omit manual-reference comments.--no-board: omit board/MAX202 comments.--no-semantics: omit candidate command/field semantics.
For protocol trace and capture logs:
python h8536_protocol_trace.py --help
python h8536_protocol_capture.py --help
h8536_protocol_trace.py --direction tx 00 00 15 80 00 CF: decode raw bytes as protocol frames.h8536_protocol_capture.py ROM\rcp-txd-idle-only.txt: parse timestamped captures, recombine split chunks, validate checksums, and summarize cadence/gate hints.--jsonon the capture tool emits machine-readable frame and cadence data.
For gate/queue and table reports:
python h8536_serial_gate.py --help
python h8536_report_source_trace.py --help
python h8536_table_xrefs.py --help
h8536_serial_gate.py: reports the autonomous TX gate and report queue evidence.h8536_report_source_trace.py: traces directloc_3E54report enqueue sources. Current finding: no direct staticR3 = 0x0007enqueue in the JSON, so CAM power0x0007remains runtime/capture-observed unless a later indirect/table path proves it.h8536_table_xrefs.py: emits candidate table/index xrefs and LCD text correlation hints.
For the emulator harness:
python h8536_emulator.py --help
python h8536_emulator_probe.py --help
--rom PATH: use an explicit ROM path instead of auto-discoveringROM\M27C512@DIP28_1.BIN.--max-steps N: bound execution.--trace: print executed instructions.--stop-on-heartbeat: stop only if00 00 00 00 80 DAis emitted through SCI1 TDR.--interval-steps N: tune the scaffolded interval timer cadence.--frt1-ocia-steps N/--frt2-ocia-steps N: tune rough FRT compare-interrupt cadence.--p9-fast-path: shortcut known P9 transfer routines for exploration.- Current status: boots from
H'1000, initializes SCI1, models the first P9 bit-banged handshakes, captures P9 byte candidates, can optionally fast-path known P9 routines, and schedules FRT1/FRT2 OCIA. The probe now reaches the SCI1 transmit path, but still needs more timing/peripheral fidelity before it emits the full observed heartbeat frame.
Code Layout
h8536_decompiler.py: compatibility wrapper for the CLI.h8536/cli.py: argument parsing and end-to-end orchestration.h8536/decoder.py: instruction and effective-address decoding.h8536/tables.py: manual-derived opcode/vector/register tables.h8536/vectors.py: exception and DTC vector parsing.h8536/dtc.py: DTC register-information block decoding.h8536/analysis.py: recursive tracing, linear sweep, labels, function grouping, and call graph analysis.h8536/data_analysis.py: unreached string and pointer-table candidate scans.h8536/memory.py: manual-derived memory-region tagging.h8536/cycles.py: Appendix A cycle estimate tables.h8536/dataflow.py: conservative register/control-register value tracking.h8536/symbols.py: RAM/external/global symbol discovery from references and data tables.h8536/indirect.py: indirect call/jump and pointer-table dispatch hints.h8536/lcd_text.py: LCD/menu text record scanning, fuzzy search, and text xrefs.h8536/lcd_driver.py: LCD E-clock access and busy-poll recognizer.h8536/timing.py: block and loop cycle summaries.h8536/sci.py: SCI setup tracking and baud inference.h8536/sci_protocol.py: SCI transmit/receive/status semantic annotations.h8536/serial_reconstruction.py: cautious higher-level SCI frame reconstruction from decompiled evidence.h8536/serial_semantics.py: candidate command/field semantics inferred from serial frame use.h8536/serial_pseudocode.py: focused RX/TX protocol pseudocode generation from reconstruction metadata.h8536/protocol_trace.py: raw six-byte protocol frame decoder/checksum validator.h8536/protocol_capture.py: timestamped serial capture parser, frame recombiner, and cadence/gate-session analyzer.h8536/serial_gate.py: autonomous TX gate/queue state-machine reconstruction.h8536/report_source_trace.py: directloc_3E54report enqueue source tracer.h8536/table_xrefs.py: table/index xrefs and LCD correlation report generation.h8536/emulator/: early H8/536 emulator package split into CPU state, memory map, SCI1 TX capture, P9 bus model, runner, probe, CLI, and peripheral scaffolding.h8536/board_profile.py: Sony RCP-TX7 board-trace annotations, including the MAX202 RS232 path.h8536/peripheral_access.py: FRT/A-D TEMP-register access analysis.h8536/pseudocode.py: JSON-to-C-like pseudocode generation.h8536/render.py: assembly and JSON output.h8536/model.py,h8536/rom.py,h8536/formatting.py: shared data structures and helpers.h8536_pseudocode.py: pseudocode CLI wrapper.h8536_serial_pseudocode.py: focused serial pseudocode CLI wrapper.h8536_protocol_trace.py,h8536_protocol_capture.py: protocol analysis CLI wrappers.h8536_serial_gate.py,h8536_report_source_trace.py,h8536_table_xrefs.py: sidecar analysis CLI wrappers.h8536_emulator.py,h8536_emulator_probe.py: emulator CLI wrappers.