H8/536 ROM Decompiler
The ROM used is from a SONY RCP-TX7 Camera Panel. Some of the code in this repo may be biased toward the functions of that particular use case with the H8/536.
This repo now includes a standalone Python helper for the H8/536 ROM image:
python h8536_decompiler.py ROM\M27C512@DIP28_1.BIN --out build\rom_decompiled.asm --json build\rom_decompiled.json
If you are using the repo-local venv:
.\.venv\Scripts\python.exe h8536_decompiler.py --out build\rom_decompiled.asm --json build\rom_decompiled.json --cycles --callgraph-dot build\callgraph.dot
To turn the structured decompile output into conservative C-like pseudocode:
.\.venv\Scripts\python.exe h8536_pseudocode.py build\rom_decompiled.json --out build\rom_pseudocode.c --cycles
To generate a focused RX/TX serial-path pseudocode view from the reconstruction metadata:
.\.venv\Scripts\python.exe h8536_serial_pseudocode.py build\rom_decompiled.json --out build\rom_serial_pseudocode.c
To run the newer sidecar protocol and gate/queue analysis tools:
.\.venv\Scripts\python.exe h8536_serial_gate.py build\rom_decompiled.json --out build\rom_serial_gate.txt
.\.venv\Scripts\python.exe h8536_rx_branch_trace.py build\rom_decompiled.json --out build\rom_rx_branch_trace.txt
.\.venv\Scripts\python.exe h8536_report_source_trace.py build\rom_decompiled.json --out build\rom_report_sources.txt
.\.venv\Scripts\python.exe h8536_table_xrefs.py --out build\rom_table_xrefs.txt
.\.venv\Scripts\python.exe h8536_ccu_seed_hints.py build\rom_decompiled.json --out build\rom_ccu_seed_hints.txt
.\.venv\Scripts\python.exe h8536_eeprom_layout.py build\rom_decompiled.json --out build\rom_eeprom_layout.txt
.\.venv\Scripts\python.exe h8536_consistency.py build\rom_decompiled.json --out build\rom_consistency.txt
.\.venv\Scripts\python.exe h8536_protocol_capture.py ROM\rcp-txd-idle-only.txt
To start the current emulator harness:
.\.venv\Scripts\python.exe h8536_emulator.py --max-steps 1000000 --stop-on-heartbeat --interval-steps 512
.\.venv\Scripts\python.exe h8536_emulator_probe.py --max-steps 4000000 --stop-on-tx
.\.venv\Scripts\python.exe h8536_emulator_probe.py --max-steps 1000000 --stop-on-tx --p9-fast-path
.\.venv\Scripts\python.exe h8536_emulator_rx_probe.py --preset connect-lcd
.\.venv\Scripts\python.exe h8536_emulator_rx_divergence.py --default-frames --uart-timing --wait-heartbeats 2 --summary-only
.\.venv\Scripts\python.exe scripts\bench_connect_lcd_sequence.py --port COM5 --relay-port COM6 --prompt-screen
.\.venv\Scripts\python.exe scripts\connect_ok_matrix.py --suite minimal --prompt-observation --result-json captures\connect-ok-minimal-result.json
.\.venv\Scripts\python.exe scripts\connect_ok_advance_sweep.py --suite core --prompt-observation --result-json captures\connect-ok-advance-core-result.json
.\.venv\Scripts\python.exe scripts\serial_ack_probe.py --ack-frame "05 00 40 00 00 1F"
.\.venv\Scripts\python.exe scripts\serial_scenario.py scenarios\ack-race-000-001.json --log captures\ack-race-000-001.txt --result-json captures\ack-race-000-001-result.json
.\.venv\Scripts\python.exe scripts\serial_scenario.py scenarios\table-sweep-ack-000-07f.json --log captures\table-sweep-ack-000-07f.txt --result-json captures\table-sweep-ack-000-07f-result.json
.\.venv\Scripts\python.exe scripts\state_map_runner.py --preset ok --prompt-screen
.\.venv\Scripts\python.exe scripts\state_map_runner.py --analyze-log captures\ack-race-000-001.txt
.\.venv\Scripts\python.exe h8536_emulator_state_search.py --preset connect-queue --target ok --first-hit --json-out build\connect-state-search-ok.json
.\.venv\Scripts\python.exe h8536_emulator_bench_replay.py captures\bench-connect-lcd-sequence-20260525-214411.txt --assert-bench-parity
.\.venv\Scripts\python.exe h8536_emulator.py --max-steps 250000 --p9-fast-path --eeprom-seed blank --eeprom-save build\emulator-eeprom-boot.bin --eeprom-report build\emulator-eeprom-boot.txt --eeprom-report-json build\emulator-eeprom-boot.json
The real-device bench helper uses pyserial; install repo dependencies with `.\.venv\Scripts\python.exe -m pip install -r requirements.txt` if needed.
The current PT2/protocol reconstruction is documented in `docs/pt2-protocol.md`.
Real Bench Serial Format
The real RCP serial link is 38400 8E1, not 38400 8N1. This is backed by the ROM SCI1 init:
- `build/rom_decompiled.asm:437`: `SCI1_SMR = H'24`, async 8-bit, even parity, 1 stop.
- `build/rom_decompiled.asm:438`: `SCI1_SCR = H'3C`, RX/TX enabled.
- `build/rom_decompiled.asm:439`: `SCI1_BRR = H'07`.
The traced board path is H8/536 SCI1 through the MAX202: H8 pin 66 P95/TXD to MAX202 pin 11, and MAX202 pin 12 to H8 pin 67 P96/RXD.
Bench scripts default to even parity now. Keep `--parity E` explicit in important captures, and use `--parity N` only to reproduce older 8N1 captures. With the wrong 8N1 format, commands fall into the RX error/retry path instead of the normal command handlers; apparent `07...` frames from those captures should be treated as error/retry echoes until repeated under 8E1.
Confirmed bench result under 8E1: the CONNECT path can reach `CONNECT: OK`, the CAM POWER lamp illuminates, and the numeric readouts illuminate as `----`.
Minimal smoke-test shape:
.\.venv\Scripts\python.exe scripts\bench_connect_lcd_sequence.py --port COM5 --relay-port COM6 --parity E --prompt-screen --log captures\8e1-connect-ok-smoke.txt
What It Does
- Decodes the H8/500 instruction set used by the H8/536.
- Reads the H8/536 minimum-mode vector table from the ROM.
- Recursively traces reachable code from reset, interrupt, and trap vectors.
- Emits labels for branch and call targets.
- Tracks `LDC.B #xx, BR` along traced control flow so later short absolute `@aa:8` operands can resolve automatically.
- Annotates H8/536 register accesses such as `P1DDR`, `SYSCR1`, `WCR`, watchdog, timer/SCI/A-D, and RAM-control registers.
- Decodes register bitfields and selected hardware semantics for setup writes.
- Annotates interrupt priority registers and DTC enable routing registers.
- Emits memory-region metadata for vector, DTC, RAM, register-field, and mode-dependent program/external space.
- Parses the DTC vector table described by the manual and decodes DTC register-information blocks.
- Tracks SCI setup writes and can infer baud rates from SMR/BRR when `--clock-hz` is supplied.
- Annotates SCI protocol actions such as TDRE waits, TDR writes, RDR reads, RX/TX interrupt enables, and receive-error clears.
- Reconstructs evidence-supported SCI1 serial frame candidates, including the apparent six-byte TX/RX units and XOR checksum seeded by `0x5A`.
- Infers candidate serial protocol semantics from validated frames, including `RX[0] & 0x07` command dispatch, likely index/value byte roles, and response staging through `F850-F854`.
- Generates a focused RX/TX serial-path pseudocode view from those serial reconstruction and protocol-semantic candidates.
- Marks H8 word-destination writes fed by byte immediates as explicit zero-extension in pseudocode, including the heartbeat queue write at `loc_4067`.
- Emits a decompiler/pseudocode consistency report for width semantics that are easy to misread.
- Decodes observed serial byte captures into six-byte frames, validates checksums, labels capture-observed heartbeat/call/camera-power candidates, and summarizes heartbeat cadence.
- Accepts both analyzer-style lines such as `RX 006 bytes ...` and the idle reference `frame 006 ...` format in `ROM/rcp-txd-idle-only.txt`.
- Reconstructs the autonomous serial gate/queue state-machine around `loc_3FD3`, `loc_BAF2`, `F9B0/F9B5`, `FAA2/FAA3/FAA5`, the `F9C4`/FRT2 idle heartbeat gate at `loc_4046`, and the resend path through `BE9E/BED5`.
- Emits a focused SCI1 RX branch trace covering RXI/ERI byte capture, six-byte checksum validation, selector decode, the `FAA2 == 0` initial dispatcher, the `FAA2 != 0` continuation dispatcher, command `0x00/0x01/0x02/0x04/0x05/0x06/0x07` handlers, table surfaces, retry/error echoes, the separate `BE70/F970` selector-processing and `3E54/F870` serial-report queues, the TXI/RXI continuation-collapse interlock, RX-to-TX feedback loops, and session-timeout side effects.
- Traces direct callers to `loc_3E54` to identify report queue sources and conservatively flags whether observed report indexes such as `0x0007` are ROM-proven constants or runtime/capture observations.
- Generates table/index cross-reference reports for candidate value/current/secondary/flag tables and LCD text correlations.
- Mines ROM-backed CCU seed hints from table xrefs, selector dispatch, LCD text terms, and observed report overlays, then proposes syntactically valid command-0 seed frames and command-1 readback frames for high-value selectors.
- Mines the ROM-backed X24164 EEPROM layout, including the factory F400-F4FF shadow defaults, the page-0 EEPROM signature/options header, the fifteen blank-by-default 8-byte record slots loaded into F7B8-F82F, and the serial selector-to-persistent-offset map used by command 0/4 handlers.
- Adds a Sony RCP-TX7 board profile that ties H8/536 pin 66 `P95/TXD` and pin 67 `P96/RXD` to the MAX202 RS232 transceiver.
- Flags/manual-annotates TEMP-register access ordering for FRT and A/D 16-bit peripheral registers.
- Scans unreached ROM ranges for ASCII strings and pointer-table candidates.
- Scans likely LCD/menu text records, groups display-text regions, and reports literal/near matches for terms such as `CONNECT`.
- Emits function summaries and a direct-call graph in JSON, with optional Graphviz DOT output.
- Tracks conservative per-basic-block register/control-register dataflow in JSON and comments known value changes.
- Discovers RAM/external/global symbols from memory references and pointer tables, including read/write counts and xrefs.
- Adds indirect `JSR/JMP @Rn` flow hints when a nearby indexed word load looks like a pointer table dispatch.
- Adds Appendix A cycle estimates to JSON and can append them to ASM comments.
- Summarizes straight-line block timing and backward-branch loop timing when requested.
- Handles the E-clock transfer instructions `MOVFPE` and `MOVTPE`.
- Recognizes likely LCD E-clock access routines at `H'F200/H'F201`, including busy-flag polling and data/control writes.
- Generates a separate C-like pseudocode view from the JSON, preserving labels, calls, branches, register names, inferred symbols, metadata comments, optional cycle notes, and simple structured `if`/`do while` patterns.
- Provides an early H8/536 emulator harness with ROM/RAM/register memory mapping, reset-vector boot, SCI1 transmit capture, MOV condition-code updates, `SCB/F`, stack/call/return support, indirect `JMP/JSR @Rn` dispatch, scaffolded SCI1 RXI/ERI/TXI and interval timer scheduling, manual-derived FRT1/FRT2 OCIA cycle scheduling, a P9 bit-banged bus model, an X24164 two-wire EEPROM model on traced `P91/SCL` and `P97/SDA`, logical EEPROM image load/save/reporting, a 16x4 LCD bus/DDRAM model for `H'F200/H'F201`, and an opt-in P9 transfer fast path.
- Includes an emulator probe that reports hot PCs, recent P9/SCI accesses, serial report queue/gate traces, RAM lifecycle watches, final SCI1/TXI state, and captured P9 byte candidates while running the real ROM.
- Includes an RX command probe that boots until SCI1 RXI is serviceable, injects host six-byte frames through RDR/RDRF, can optionally schedule bench-style UART byte arrivals at real spacing, listens for device TX frames, and reports serial latch/table/LCD-buffer and emulated-LCD effects.
- Includes a bench helper for replaying the emulator-derived CONNECT LCD frame sequence against the real device through COM5, with optional COM6 relay power cycling and timestamped capture logs.
- Includes a CONNECT: OK bench matrix runner that power-cycles between cases and tests the known sequence, single frames, primer pairs, order permutations, inter-frame gaps, repeats, and hold time to separate magic-frame, primer, cadence, and latch behavior.
- Includes a CONNECT: OK advance sweep runner that recovers to the known OK cadence, waits for an active RCP report frame, then sends one candidate continuation/ACK frame so ACK-only, selector-zero-refresh, and command-5 special selectors can be compared from the same baseline.
- Includes a bench ACK probe that reproduces the `01 00 00...` -> `01 00 01...` visible retry burst, waits for `07 80 40 20 90 2D`, then sends a candidate command-5 ACK and reports whether the target keeps repeating.
- Includes a checksum-resynchronizing bench receiver that scans RX byte streams for valid six-byte frames, avoids common shifted-heartbeat false locks, and can fall back to the old fixed six-byte slicer with `--sync fixed`.
- Includes a JSON scenario bench runner for repeatable multi-step serial tests, including low-latency ACK-aware command-1 probes that can send the current command-5 ACK candidate immediately after the retry frame appears, with explicit max-ACK/max-target guardrails.
- Includes a PT2 state-map-aware bench runner/analyzer for the current CONNECT gate proof: it hunts a fresh device `07...` visible-drain token candidate, sends exactly one selector-zero command-4 force, probes `E000[0]` with command 1, optionally uses command 7 to recover a hidden finalized response, and labels likely token-destroying turns.
- Includes a bounded emulator CONNECT state-search tool that patches small ROM-derived RAM/table surfaces, runs either the direct CONNECT branch or the selector-zero queue dispatch path, and classifies LCD outcomes as OK, DXC, NOT ACT, or other.
- Includes a bench-log replay harness that feeds recorded host TX frames back into the ROM emulator with bench-style UART byte timing by default and asserts parity against the real device's observed response/LCD state.
Current serial observations:
- Idle capture reference: `ROM/rcp-txd-idle-only.txt`.
- Idle frame: `00 00 00 00 80 DA`.
- Capture-side label: `heartbeat_alive_candidate`.
- Idle cadence from the reference file: 54 frames, average about 699.9 ms, min 601 ms, max 803 ms.
- Static/runtime finding: `F9C4` is a candidate idle heartbeat/report countdown. Init loads `H'14`, `loc_BA26` reloads `H'07` after a send, FRT2 OCIA decrements it, and `loc_4046` can enqueue report `H'0000` when it reaches zero and the queue is empty.
- Emulator timing finding: the ROM initializes FRT2 with `TCR=H'02` and `OCRA=H'7A12`; using the manual's `phi/32` prescaler gives a 1,000,000-cycle OCIA period, so the default `--clock-hz 10000000` models that tick as 100 ms and the post-send `F9C4=H'07` heartbeat delay as about 700 ms.
- Runtime-confirmed heartbeat path: `loc_4067` writes `H'0000` into the queue via a zero-extended word move, `loc_BAF2`/`loc_BB08` dequeue it, `loc_BB1C`/`loc_BB20`/`loc_BB2B` stage the TX bytes, and `loc_BA26` emits `00 00 00 00 80 DA`.
- Emulator LCD finding: the ROM writes the boot/no-active-session message to the LCD bus as `CONNECT:NOT ACT` on line 0 by the time SCI1 RX is serviceable. Valid and invalid six-byte host frames leave that display active while normal serial replies/heartbeats continue.
- Bench serial-format finding: real hardware talks `38400 8E1`. Earlier `8N1` captures primarily exercised SCI1 parity/error handling and retry echoes, not the normal command path. After switching bench scripts to even parity, the selector-zero CONNECT path can reach `CONNECT: OK`.
- Bench CONNECT recovery finding: `CONNECT:NOT ACT` is recoverable without a power cycle. This makes it a normal no-active-session/cleared-state display rather than a terminal latch; tests can now probe from the idle NOT ACT state directly, then separately check whether OK is held or needs periodic CCU-like refresh traffic.
- Bench CONNECT cadence finding: the `40 -> 80 -> C0` sequence stayed at `CONNECT:NOT ACT` with 10 ms, 50 ms, and 150 ms gaps, but produced `CONNECT: OK` then returned to `CONNECT:NOT ACT` with 700 ms and 1.5 s gaps. At 700 ms, single `40`/`80`/`C0` frames did not work, but all tested two-frame pairs did. Repeated `80 -> 80` at about 700 ms also worked, so the values do not need to differ. The no-power-cycle NOT ACT recovery capture produced repeated `02 00 02 00 00 5A` OK-path responses before heartbeat traffic resumed.
- Bench special-selector finding: in the CONNECT OK advance sweep, command-5 selector `0x006C` (`05 00 6C 00 00 33`) produced `CONNECT OK` then a blank LCD with the CAM POWER lamp still on, while selector `0x006D` (`05 00 6D 00 00 32`) produced `CONNECT OK` then `COPY IN PROGRESS` then `CONNECT NOT ACT`. Forced ROM decoding confirms `0x006C -> H'2FAF` and `0x006D -> H'3015`; the `0x006D` path sets display selector `F732=H'1903`, a long `F798` countdown, and the ROM contains the `COPY IN PROGRESS` LCD string. Isolated reruns are still needed because the `all` sweep did not power-cycle between every case.
- ROM report-source finding: the active `02/01 ...` frames exposed during CONNECT OK attempts are autonomous `F870 -> BAF2 -> BA26` report-queue transmissions, not ordinary command-1 readbacks. The ROM sets `FAA2.3`/`FAA3.7` after sending them, so the CCU probably needs to answer in that continuation window with command `4`, `5`, or `6` to consume the report queue and keep the session alive.
- Board/P9 finding: traced MCU pin 62 `P91` reaches X24164 pin 6 `SCL`, and MCU pin 68 `P97` reaches the shared X24164 pin 5 `SDA` node. The emulator now treats the ROM's `C121/C08B/C0DB/C10C/C142` P9 routines as an X24164-style two-wire EEPROM bus, with ROM logical addresses `0x000-0x7FF` on the `H'A0/H'A1` control-byte family and `0x800-0xFFF` on `H'E0/H'E1`.
- EEPROM role finding: `loc_40BB` checks `P7DR.7` and the `F402 == H'6B6F` signature before defaulting EEPROM/shadow tables; `loc_4103` writes ROM default words through `BFE0`, `loc_41D2` reads sixteen 8-byte records into `F7B0-F82F`, and the command-4 path at `BD2B-BD5F` can persist serial table writes when `F76E.7` is set.
- EEPROM layout finding: `build\rom_eeprom_layout.txt` currently identifies the ROM factory table at `H'C964-H'CA63`, the F400 shadow defaults, page 0 offset `0x000-0x007` as the signature/options header (`00 00 6B 6F FE 00 00 00`), pages 1-F offset `0x00-0x07` as blank-by-default record slots, and 89 selector mappings from the `H'C564` table into F400/EEPROM offsets. `F404` defaults to `H'FE00` and is tested as option/feature bits, while `F76E` combines persistence enable, dispatch suppression, and low-nibble EEPROM page selection.
- Emulator EEPROM-image finding: `build\emulator-eeprom-boot.txt` captures a blank-EEPROM boot defaulting pass. The ROM writes 2108 words, leaves page 0's signature/options header intact, blanks page 1-F record headers, and the final image matches the ROM factory/default baseline. Use `--eeprom-load`/`--eeprom-save` to persist an emulated EEPROM image across runs and compare command-induced changes.
- Emulator board-state finding: P7 now reads external pin state for input bits, so the DIP-off default is modeled as `--p7-input 0xFF`; `--eeprom-seed factory` can pre-seed the X24164 devices and `F400-F4FF` shadow from the ROM default table for already-initialized-state experiments.
- RX probe finding: the `--preset connect-lcd` sequence is sensitive to injection timing and modeled external state. With timed UART injection, the emulator can still reach `CONNECT: OK`/`02 00 02 00 00 5A`, while the real bench remains at `CONNECT NOT ACT`; this points to missing session/P9/external-panel context rather than a simple checksum or UART-spacing issue.
- Emulator state-search finding: the minimum ROM-visible OK display condition is now reproducible without serial. Direct entry at `loc_2CB9` with `E000[0]=0x8080` and unsuppressed `F730=0` reaches `CONNECT: OK`; the queued selector-zero path also reaches OK when `F970[0]=0`, `F9B9=0`, `F9B4=1`, `E000[0]=0x8080`, and `F730=0`. This makes the bench problem sharper: prove whether serial can retain `E000[0]=0x8080` and enqueue selector zero without the reset/clobber path clearing it first.
- Bench follow-up: replaying the emulator CONNECT sequence on the real device did not switch the LCD to OK. The real device answered the `04 00 00 80 00 DE` step with `07 80 C0 60 20 5D` in the captured run and remained at `CONNECT NOT ACT`, so the next mismatch to chase is the missing visible `07 80 C0 60 20 5D` response/session context rather than the LCD OK branch.
- CCU seed-hint finding: `build\rom_ccu_seed_hints.txt` currently ranks selector `0x000`, `0x0F6`, `0x003`, and `0x040` as the highest-value fake-CCU stream candidates. The generated seed frames are `00 00 00 80 80 5A`, `00 01 76 20 00 0D`, `00 00 03 80 00 D9`, and `00 00 40 FF FF 1A`, with command-1 readbacks listed beside them.
- Observed capture labels such as `cam_power_button_candidate` and `call_button_candidate` are deliberately treated as capture overlays, not protocol facts hard-coded in ROM.
The generated listing is written to:
build/rom_decompiled.asm
The optional JSON output is useful for scripts or later analysis:
build/rom_decompiled.json
Common derived outputs:
build/rom_pseudocode.c
build/rom_serial_pseudocode.c
build/rom_serial_gate.txt
build/rom_report_sources.txt
build/rom_table_xrefs.txt
build/rom_ccu_seed_hints.txt
build/rom_eeprom_layout.txt
build/rom_consistency.txt
build/emulator-eeprom-boot.txt
build/callgraph.dot
Useful Options
python h8536_decompiler.py --help
- `--mode min|max`: vector format. This ROM appears to be minimum mode; `min` is the default.
- `--entry H'1234`: add an extra entry point to recursive tracing.
- `--linear`: linear-sweep the selected range instead of tracing from vectors.
- `--start H'1000 --end H'D100`: constrain the decode range.
- `--br H'FE`: resolve short absolute `@aa:8` operands through a known base-register value.
- `--clock-hz 16000000`: infer SCI baud rates from manual BRR formulas.
- `--board-profile sony_rcp_tx7|none`: include or suppress known board-trace annotations.
- `--cycles`: append Appendix A cycle estimates to assembly comments.
- `--timing`: include straight-line block and backward-branch loop timing summaries.
- `--callgraph-dot build\callgraph.dot`: write a Graphviz DOT call graph.
For pseudocode:
python h8536_pseudocode.py --help
- `--no-asm`: omit original assembly text from pseudocode line comments.
- `--no-addresses`: omit instruction addresses from pseudocode line comments.
- `--cycles`: include cycle estimates from the JSON.
- `--no-structure`: preserve label/goto output instead of simple structured `if`/loop output.
- `--max-functions N`: emit only the first `N` functions for focused review.
For focused serial pseudocode:
python h8536_serial_pseudocode.py --help
- `--tx-only`: emit only the candidate transmit path.
- `--rx-only`: emit only the candidate receive path.
- `--no-evidence`: omit evidence-address comments.
- `--no-manual`: omit manual-reference comments.
- `--no-board`: omit board/MAX202 comments.
- `--no-semantics`: omit candidate command/field semantics.
For protocol trace and capture logs:
python h8536_protocol_trace.py --help
python h8536_protocol_capture.py --help
- `h8536_protocol_trace.py --direction tx 00 00 15 80 00 CF`: decode raw bytes as protocol frames.
- `h8536_protocol_capture.py ROM\rcp-txd-idle-only.txt`: parse timestamped captures, recombine split chunks, validate checksums, and summarize cadence/gate hints.
- `--json` on the capture tool emits machine-readable frame and cadence data.
For gate/queue and table reports:
python h8536_serial_gate.py --help
python h8536_rx_branch_trace.py --help
python h8536_report_source_trace.py --help
python h8536_table_xrefs.py --help
python h8536_ccu_seed_hints.py --help
python h8536_eeprom_layout.py --help
python h8536_consistency.py --help
- `h8536_serial_gate.py`: reports the autonomous TX gate and report queue evidence.
- `h8536_rx_branch_trace.py`: reports the SCI1 RX branch tree. Current finding: command `0x04/0x05/0x06` are continuation-path commands behind `FAA2 != 0`, so a standalone command-4 force from idle should not reach `BD0E`.
- `h8536_report_source_trace.py`: traces direct `loc_3E54` report enqueue sources. Current finding: no direct static `R3 = 0x0007` enqueue in the JSON, so CAM power `0x0007` remains runtime/capture-observed unless a later indirect/table path proves it.
- `h8536_table_xrefs.py`: emits candidate table/index xrefs and LCD text correlation hints.
- `h8536_ccu_seed_hints.py`: mines table, dispatch, LCD, and observed-report hints for the CCU-side state stream the RCP may expect before active displays/reports.
- `h8536_eeprom_layout.py`: mines the X24164 EEPROM layout, ROM factory defaults, persistent record slots, and serial selector-to-EEPROM offset mapping.
- `h8536_consistency.py`: flags JSON-to-pseudocode semantic hazards such as byte immediates written to word destinations.
For the emulator harness:
python h8536_emulator.py --help
python h8536_emulator_probe.py --help
python h8536_emulator_rx_probe.py --help
python h8536_emulator_rx_divergence.py --help
- `--rom PATH`: use an explicit ROM path instead of auto-discovering `ROM\M27C512@DIP28_1.BIN`.
- `--max-steps N`: bound execution.
- `--trace`: print executed instructions.
- `--stop-on-heartbeat`: stop only if `00 00 00 00 80 DA` is emitted through SCI1 TDR.
- `--interval-steps N`: tune the scaffolded interval timer cadence.
- `--clock-hz N`: set the CPU/phi clock used for calibrated FRT1/FRT2 compare timing; the default is 10 MHz.
- `--frt1-ocia-steps N`/`--frt2-ocia-steps N`: optional legacy overrides for forcing rough FRT compare cadence in targeted tests.
- `--p9-fast-path`: shortcut known P9 transfer routines for exploration. Fast-path byte/marker calls now feed the X24164 EEPROM model, and `BFE0`/`BFFE` wrapper shortcuts perform EEPROM word write-verify/read operations against the modeled banks.
- `--p9-fast-optimistic-wrapper`: legacy fallback for older wrapper experiments; the known `BFE0`/`BFFE` EEPROM wrappers now use the X24164 model instead.
- `--p7-input 0xFF`: set external P7 input pin state; this matters for the EEPROM defaulting gate at `P7DR.7` and the DIP-switch style inputs.
- `--eeprom-seed blank|factory`: choose blank X24164 power-on state or pre-seed the X24164/shadow tables from the ROM defaults before reset.
- `--eeprom-load PATH`: load a 0x1000-byte logical X24164 EEPROM image before boot/probe; page 0 is also mirrored into the F400 shadow so the ROM's early `F402` signature check sees the loaded state.
- `--eeprom-save PATH`: save the final 0x1000-byte logical EEPROM image after boot/probe.
- `--eeprom-report PATH`/`--eeprom-report-json PATH`: write a ROM-layout-aware EEPROM snapshot with page records, write logs, factory diffs, and F400 shadow diffs.
- `--trace-report-gates`, `--trace-report-queue`, and `--trace-ram-lifecycle`: inspect the serial report queue, `loc_4046`/`F9C4` gate, and watched RAM byte history.
- `--target-frame "00 00 00 00 80 DA"`: compare staged/emitted TX bytes against an expected six-byte frame.
- `h8536_emulator_rx_probe.py "04 00 00 80 00"`: append the checksum, inject the host frame through SCI1 RX, and summarize responses.
- `h8536_emulator_rx_probe.py --uart-timing --uart-baud 38400 "04 00 00 80 00"`: inject all six host bytes with bench-style wire spacing of about 260 us per byte, letting RXI/TXI/timers interleave; if the ROM has not cleared `RDRF` before the next byte, the SCI model raises `ORER`. The real bench link is `8E1`.
- `h8536_emulator_rx_probe.py --uart-timing --uart-format 8E1 --tx-wire-timing --wait-heartbeats 2 --post-frame-ms 700 "04 00 00 80 00 DE" "04 00 00 80 00 DE"`: replay the CONNECT refresh shape after heartbeat readiness and keep the emulator running for a bench-scale gap after each frame. The RAM trace now tags interesting accesses with the executing ROM PC, models SCI1 TDRE/TXI at 8E1 character time, and reports whether X24164 EEPROM bytes were written.
- `h8536_emulator_rx_probe.py --preset connect-lcd`: replay the current CONNECT LCD activation candidates.
- `h8536_emulator_rx_divergence.py --default-frames --uart-timing --wait-heartbeats 2 --summary-only`: run the focused RX divergence trace for the bench mismatch. It flags whether a frame reached cmd0 `BC69`, cmd1 `BCD7`, retry echo, command-7 replay, autonomous `BAF2` report output, or the TX/RX overlap-collapse path.
- `scripts\serial_table_dump.py --port COM5 --relay-port COM6 --start 0x000 --count 0x200 --log captures\table-read.txt`: read-only command-1 sweep of the firmware-exposed serial table state for EEPROM/shadow inference. Bench serial scripts default to `8E1` because the ROM initializes SCI1 as async 8-bit even parity, 1 stop; pass `--parity N` only when reproducing older 8N1 captures.
- `scripts\serial_scenario.py scenarios\ack-race-000-001.json --log captures\ack-race-000-001.txt --result-json captures\ack-race-000-001-result.json`: run the focused `0x000 -> 0x001` retry probe with immediate reactive ACK and a 2 ms poll interval, to test whether command 5 can arrive before the second `07 80 40 20 90 2D` retry.
- `scripts\serial_scenario.py scenarios\early-ack-000-001.json --log captures\early-ack-000-001.txt --result-json captures\early-ack-000-001-result.json`: send the same command-1 pair, then send command-5 ACK immediately without waiting for the retry frame.
- `scripts\serial_scenario.py scenarios\table-sweep-ack-000-07f.json --log captures\table-sweep-ack-000-07f.txt --result-json captures\table-sweep-ack-000-07f-result.json`: run a repeatable bench scenario that sweeps selectors `0x000-0x07F` and sends `05 00 40 00 00 1F` only after `07 80 40 20 90 2D` appears. The checked-in scenario stops if it reaches 8 ACKs or 32 target hits. Use `--sync fixed` only when comparing against the old non-resyncing receiver.
- `scripts\state_map_runner.py --preset ok --prime-frame "01 80 40 40 30 EB" --prime-repeat 1 --prompt-screen`: run the state-map proof sequence against the bench device. The runner waits for a device `07...` visible-drain candidate, guards briefly so TXI can finish, sends the selector-zero force, then probes direct readback and command-7 recovery without inserting a command-0/command-1 destroyer before the force.
- `scripts\state_map_runner.py --analyze-log captures\ack-race-000-001.txt --json-out captures\ack-race-000-001-state-map.json`: classify an existing capture using the same state-map rules and report whether the selector-zero `BD0E -> E000[0]` edge was proven.
- `h8536_emulator_state_search.py --preset connect-queue --target ok --first-hit --json-out build\connect-state-search-ok.json`: run the bounded emulator state search for the minimum selector-zero queue condition that reaches `CONNECT: OK`. The default matrix varies `E000[0]` and `F730`, seeds `F970[0]=0`, starts at `loc_2806`, and executes real ROM code into the LCD handler.
- `h8536_emulator_state_search.py --preset custom --pc 0x2CB9 --word E000=0x8080 --byte F730=0 --target ok`: directly test the CONNECT handler branch with explicit internal state patches.
- `scripts\bench_connect_lcd_sequence.py --port COM5 --relay-port COM6 --prompt-screen`: power-cycle the bench device, wait for heartbeat readiness, send `04 00 00 40 00 1E`, `04 00 00 80 00 DE`, `04 00 00 C0 00 9E`, log RX/TX, and prompt for observed LCD text.
- `scripts\bench_connect_lcd_sequence.py --port COM5 --relay-port COM6 --no-power-cycle --prompt-before-send --prompt-screen --post-sequence-read 10 --log captures\connect-notact-to-ok.txt`: prove the recoverable path by waiting for `CONNECT:NOT ACT`, then sending the CONNECT sequence without cycling power.
- `scripts\connect_ok_matrix.py --suite minimal --prompt-observation --result-json captures\connect-ok-minimal-result.json`: run the first reproducibility pass for the 8E1 CONNECT: OK discovery. It power-cycles between cases and tests the known sequence, each single frame, and the likely primer pairs.
- `scripts\connect_ok_matrix.py --suite gap --prompt-observation --result-json captures\connect-ok-gap-result.json`: rerun the known `40 -> 80 -> C0` order with varied inter-frame gaps to test whether cadence matters.
- `scripts\connect_ok_matrix.py --suite hold --prompt-observation --result-json captures\connect-ok-hold-result.json`: rerun the known order with longer post-send observation windows to test whether CONNECT: OK is latched or needs continued traffic.
- `h8536_emulator_bench_replay.py captures\bench-connect-lcd-sequence-20260525-214411.txt --assert-bench-parity`: replay a real bench log into the emulator using timed UART RX by default and intentionally fail while any response/LCD state still diverges from the bench-observed `CONNECT NOT ACT` plus `07 80 C0 60 20 5D` path. Pass `--polite-rx` for the old wait-until-consumed injection mode.
- Current status: boots from `H'1000`, initializes SCI1, models the traced X24164 EEPROM bus on P9, captures P9 byte candidates, can optionally fast-path known P9 EEPROM routines, schedules FRT1/FRT2 OCIA from timer registers and `--clock-hz`, captures the ROM-driven LCD line `CONNECT:NOT ACT`, and emits the observed heartbeat frame `00 00 00 00 80 DA`.
Code Layout
- `h8536_decompiler.py`: compatibility wrapper for the CLI.
- `h8536/cli.py`: argument parsing and end-to-end orchestration.
- `h8536/decoder.py`: instruction and effective-address decoding.
- `h8536/tables.py`: manual-derived opcode/vector/register tables.
- `h8536/vectors.py`: exception and DTC vector parsing.
- `h8536/dtc.py`: DTC register-information block decoding.
- `h8536/analysis.py`: recursive tracing, linear sweep, labels, function grouping, and call graph analysis.
- `h8536/data_analysis.py`: unreached string and pointer-table candidate scans.
- `h8536/memory.py`: manual-derived memory-region tagging.
- `h8536/cycles.py`: Appendix A cycle estimate tables.
- `h8536/dataflow.py`: conservative register/control-register value tracking.
- `h8536/symbols.py`: RAM/external/global symbol discovery from references and data tables.
- `h8536/indirect.py`: indirect call/jump and pointer-table dispatch hints.
- `h8536/lcd_text.py`: LCD/menu text record scanning, fuzzy search, and text xrefs.
- `h8536/lcd_driver.py`: LCD E-clock access and busy-poll recognizer.
- `h8536/timing.py`: block and loop cycle summaries.
- `h8536/sci.py`: SCI setup tracking and baud inference.
- `h8536/sci_protocol.py`: SCI transmit/receive/status semantic annotations.
- `h8536/serial_reconstruction.py`: cautious higher-level SCI frame reconstruction from decompiled evidence.
- `h8536/serial_semantics.py`: candidate command/field semantics inferred from serial frame use.
- `h8536/serial_pseudocode.py`: focused RX/TX protocol pseudocode generation from reconstruction metadata.
- `h8536/protocol_trace.py`: raw six-byte protocol frame decoder/checksum validator.
- `h8536/protocol_capture.py`: timestamped serial capture parser, frame recombiner, and cadence/gate-session analyzer.
- `h8536/serial_scenario.py`: JSON-driven bench scenario engine shared by real-device serial scripts.
- `h8536/state_map_runner.py`: PT2 state-map proof runner and bench-log analyzer for visible-drain token, selector-zero force, `E000[0]` readback, and command-7 recovery experiments.
- `h8536/serial_gate.py`: autonomous TX gate/queue state-machine reconstruction.
- `h8536/report_source_trace.py`: direct `loc_3E54` report enqueue source tracer.
- `h8536/table_xrefs.py`: table/index xrefs and LCD correlation report generation.
- `h8536/ccu_seed_hints.py`: ROM miner for likely fake-CCU state seed selectors and candidate command/readback frames.
- `h8536/eeprom_layout.py`: ROM miner for X24164 EEPROM defaults, 8-byte record slots, and serial persistence mapping.
- `h8536/consistency.py`: decompiler/pseudocode semantic consistency checks.
- `h8536/emulator/`: early H8/536 emulator package split into CPU state, memory map, SCI1 TX capture, bench-style UART injection timing, P9/X24164 EEPROM bus model, LCD model, manual-derived FRT timer scheduling, runner, probe, CLI, and peripheral scaffolding.
- `h8536/emulator/eeprom_image.py`: logical EEPROM image dump/report helpers for emulator runs, including factory diffs and record-slot summaries.
- `h8536/emulator/rx_probe.py`: host-frame injection and response/listener probe for SCI1 RX experiments.
- `h8536/emulator/state_search.py`: bounded internal-state search for CONNECT LCD outcomes using ROM execution plus explicit RAM/table patches.
- `h8536/board_profile.py`: Sony RCP-TX7 board-trace annotations, including the MAX202 RS232 path.
- `h8536/peripheral_access.py`: FRT/A-D TEMP-register access analysis.
- `h8536/pseudocode.py`: JSON-to-C-like pseudocode generation.
- `h8536/render.py`: assembly and JSON output.
- `h8536/model.py`, `h8536/rom.py`, `h8536/formatting.py`: shared data structures and helpers.
- `h8536_pseudocode.py`: pseudocode CLI wrapper.
- `h8536_serial_pseudocode.py`: focused serial pseudocode CLI wrapper.
- `h8536_protocol_trace.py`, `h8536_protocol_capture.py`: protocol analysis CLI wrappers.
- `h8536_serial_gate.py`, `h8536_report_source_trace.py`, `h8536_table_xrefs.py`, `h8536_ccu_seed_hints.py`, `h8536_eeprom_layout.py`, `h8536_consistency.py`: sidecar analysis CLI wrappers.
- `h8536_emulator.py`, `h8536_emulator_probe.py`, `h8536_emulator_rx_probe.py`, `h8536_emulator_rx_divergence.py`, `h8536_emulator_bench_replay.py`: emulator CLI wrappers.
- `h8536_emulator_state_search.py`: emulator CONNECT state-search CLI wrapper.
- `scripts/bench_connect_lcd_sequence.py`: real-device COM5/COM6 bench runner for the CONNECT LCD sequence.
- `scripts/connect_ok_matrix.py`: real-device COM5/COM6 CONNECT: OK reproducibility matrix runner for single-frame, pair, order, gap, repeat, and hold tests.
- `scripts/serial_table_dump.py`: read-only COM5/COM6 command-1 table sweep for inferring live EEPROM-backed parameter state. Bench scripts default to `38400 8E1`.
- `scripts/serial_scenario.py`: JSON-driven COM5/COM6 bench scenario runner for chained probes, waits, read sweeps, and ACK-on-target experiments.
- `scripts/state_map_runner.py`: COM5/COM6 PT2 state-map proof runner and offline bench-log analyzer.
