Ryan TCAD 9900B Display Module Reverse Engineering – 1

ROM Dump:

PCB Analysis

Analysis of the PCB & System Architecture (Click to Zoom-in)

Disassembly

I spend a night disassembling the code. The processor itself is a pretty simple 6800 variant, but the code is written in a rather special way, making it not possible to use an automatic disassembling tool all the way. Here is a taste of it:

And sub_F66E looks like this. It is an address table jump handler. The instruction SUBB 0,Y; SBCA #0; subtracts Y[0] from D, here Y[0] is [$8054]

In other words, curiously, the assembly equivalent of a switch statement is seeking backwards for the target address.

The jump is performed thru stack. The target destination seems to be 1 byte ahead of what the disassembly seems to be.

Here’s how I found it out: The Error handler has this jump table associated with it. After jumping the hardcoded ASCII string is pushed to the display.

So far have just started working on the disassembly. I think not many people are still interested in the TCAD display RS-232 protocol (long obsolete). So I’ll probably stop here for now.

Leave a Reply