e872030675c0249b1241c34d21d0586532d59640
H8/536 ROM Decompiler
The ROM used is from a SONY RCP-TX7 Camera Panel. Some of the code in this repo may be bias to the functions of that particular use case with the H8/536.
This repo now includes a standalone Python helper for the H8/536 ROM image:
python h8536_decompiler.py ROM\M27C512@DIP28_1.BIN --out build\rom_decompiled.asm --json build\rom_decompiled.json
If you are using the repo-local venv:
.\.venv\Scripts\python.exe h8536_decompiler.py --out build\rom_decompiled.asm --json build\rom_decompiled.json --cycles --callgraph-dot build\callgraph.dot
To turn the structured decompile output into conservative C-like pseudocode:
.\.venv\Scripts\python.exe h8536_pseudocode.py build\rom_decompiled.json --out build\rom_pseudocode.c --cycles
What It Does
- Decodes the H8/500 instruction set used by the H8/536.
- Reads the H8/536 minimum-mode vector table from the ROM.
- Recursively traces reachable code from reset, interrupt, and trap vectors.
- Emits labels for branch and call targets.
- Tracks
LDC.B #xx, BRalong traced control flow so later short absolute@aa:8operands can resolve automatically. - Annotates H8/536 register accesses such as
P1DDR,SYSCR1,WCR, watchdog, timer/SCI/A-D, and RAM-control registers. - Decodes register bitfields and selected hardware semantics for setup writes.
- Annotates interrupt priority registers and DTC enable routing registers.
- Emits memory-region metadata for vector, DTC, RAM, register-field, and mode-dependent program/external space.
- Parses the DTC vector table described by the manual and decodes DTC register-information blocks.
- Tracks SCI setup writes and can infer baud rates from SMR/BRR when
--clock-hzis supplied. - Annotates SCI protocol actions such as TDRE waits, TDR writes, RDR reads, RX/TX interrupt enables, and receive-error clears.
- Reconstructs evidence-supported SCI1 serial frame candidates, including the apparent six-byte TX/RX units and XOR checksum seeded by
0x5A. - Adds a Sony RCP-TX7 board profile that ties H8/536 pin 66
P95/TXDand pin 67P96/RXDto the MAX202 RS232 transceiver. - Flags/manual-annotates TEMP-register access ordering for FRT and A/D 16-bit peripheral registers.
- Scans unreached ROM ranges for ASCII strings and pointer-table candidates.
- Scans likely LCD/menu text records, groups display-text regions, and reports literal/near matches for terms such as
CONNECT. - Emits function summaries and a direct-call graph in JSON, with optional Graphviz DOT output.
- Tracks conservative per-basic-block register/control-register dataflow in JSON and comments known value changes.
- Discovers RAM/external/global symbols from memory references and pointer tables, including read/write counts and xrefs.
- Adds indirect
JSR/JMP @Rnflow hints when a nearby indexed word load looks like a pointer table dispatch. - Adds Appendix A cycle estimates to JSON and can append them to ASM comments.
- Summarizes straight-line block timing and backward-branch loop timing when requested.
- Handles the E-clock transfer instructions
MOVFPEandMOVTPE. - Recognizes likely LCD E-clock access routines at
H'F200/H'F201, including busy-flag polling and data/control writes. - Generates a separate C-like pseudocode view from the JSON, preserving labels, calls, branches, register names, inferred symbols, metadata comments, optional cycle notes, and simple structured
if/do whilepatterns.
The generated listing is written to:
build/rom_decompiled.asm
The optional JSON output is useful for scripts or later analysis:
build/rom_decompiled.json
Useful Options
python h8536_decompiler.py --help
--mode min|max: vector format. This ROM appears to be minimum mode;minis the default.--entry H'1234: add an extra entry point to recursive tracing.--linear: linear-sweep the selected range instead of tracing from vectors.--start H'1000 --end H'D100: constrain the decode range.--br H'FE: resolve short absolute@aa:8operands through a known base-register value.--clock-hz 16000000: infer SCI baud rates from manual BRR formulas.--board-profile sony_rcp_tx7|none: include or suppress known board-trace annotations.--cycles: append Appendix A cycle estimates to assembly comments.--timing: include straight-line block and backward-branch loop timing summaries.--callgraph-dot build\callgraph.dot: write a Graphviz DOT call graph.
For pseudocode:
python h8536_pseudocode.py --help
--no-asm: omit original assembly text from pseudocode line comments.--no-addresses: omit instruction addresses from pseudocode line comments.--cycles: include cycle estimates from the JSON.--no-structure: preserve label/goto output instead of simple structuredif/loop output.--max-functions N: emit only the firstNfunctions for focused review.
Code Layout
h8536_decompiler.py: compatibility wrapper for the CLI.h8536/cli.py: argument parsing and end-to-end orchestration.h8536/decoder.py: instruction and effective-address decoding.h8536/tables.py: manual-derived opcode/vector/register tables.h8536/vectors.py: exception and DTC vector parsing.h8536/dtc.py: DTC register-information block decoding.h8536/analysis.py: recursive tracing, linear sweep, labels, function grouping, and call graph analysis.h8536/data_analysis.py: unreached string and pointer-table candidate scans.h8536/memory.py: manual-derived memory-region tagging.h8536/cycles.py: Appendix A cycle estimate tables.h8536/dataflow.py: conservative register/control-register value tracking.h8536/symbols.py: RAM/external/global symbol discovery from references and data tables.h8536/indirect.py: indirect call/jump and pointer-table dispatch hints.h8536/lcd_text.py: LCD/menu text record scanning, fuzzy search, and text xrefs.h8536/lcd_driver.py: LCD E-clock access and busy-poll recognizer.h8536/timing.py: block and loop cycle summaries.h8536/sci.py: SCI setup tracking and baud inference.h8536/sci_protocol.py: SCI transmit/receive/status semantic annotations.h8536/serial_reconstruction.py: cautious higher-level SCI frame reconstruction from decompiled evidence.h8536/board_profile.py: Sony RCP-TX7 board-trace annotations, including the MAX202 RS232 path.h8536/peripheral_access.py: FRT/A-D TEMP-register access analysis.h8536/pseudocode.py: JSON-to-C-like pseudocode generation.h8536/render.py: assembly and JSON output.h8536/model.py,h8536/rom.py,h8536/formatting.py: shared data structures and helpers.h8536_pseudocode.py: pseudocode CLI wrapper.
Description
A small decoder to convert a dumped ROM for a Hitachi H8/536 to ASM and C-like Pseudo code.
Languages
Assembly
54.3%
Python
38.5%
C
7.2%