I spent a night disassembling the code. The processor itself is a pretty simple 6800 variant, but the code is written in a rather special way, which makes it impossible to use an automatic disassembler all the way through. Here is a taste of it:
And sub_F66E looks like this. It is an address-table jump handler. The instruction sequence SUBB 0,Y; SBCA #0 subtracts Y from D; here Y is [$8054].
In other words, curiously, the assembly equivalent of a switch statement seeks backwards for the target address.
The jump is performed through the stack. The target destination appears to be 1 byte ahead of what the disassembly shows.
Here's how I found it out: the Error handler has this jump table associated with it. After the jump, the hardcoded ASCII string is pushed to the display.
So far I have only just started working on the disassembly. I don't think many people are still interested in the TCAD display RS-232 protocol (it is long obsolete), so I'll probably stop here for now.
Unfortunately, my knowledge of the PMOS process is exactly zero, and documentation is almost impossible to find. When I had just decided to start the reverse engineering, it was very painful: compared to the previous CMOS chip, whose structure was very clear, this PMOS chip has no distinguishing marks at all. The doped regions, vias and polysilicon all look exactly the same, which almost made me give up. But considering that on pmonta.com the site owner had already posted his reverse-engineering results for the logic part of the ROM, I figured that if I just "Try Hard Enough" I would eventually be able to make sense of it. After more than 6 hours of trying, I finally fully understood the chip's process, and I am posting my exploration here.