Sam Trenholme's webpage
This article was posted to the Usenet group alt.hackers in 1995; any technical information is probably outdated.

fun with ROMs (was Re: Video Fader)


Article: 8902 of alt.hackers
From: Ralf Brown <ralf@telerama.lm.com>
Newsgroups: alt.hackers
Subject: fun with ROMs (was Re: Video Fader)
Date: 20 Oct 1995 11:23:37 GMT
Organization: Just me and my PC....
Lines: 184
Approved: :devorppA
Message-ID: 308648a6@ralf
NNTP-Posting-Host: b.gp.cs.cmu.edu
Summary: :yrammuS
Keywords: :sdrowyeK
In-Reply-To: <4621gh$s2j@aim.et.iupui.edu>
Originator: ralf@B.GP.CS.CMU.EDU
Status: RO

In article <4621gh$s2j@aim.et.iupui.edu>, khorton@tech.iupui.edu
(Kevin Horton) wrote:
}Obhack: I'm trying to program my own game on the Coleco Vision.  To
}program games on an essentially un-documented machine, you must first
}get to know it.  I built an adapter that plugs into my EPROM programmer
}that allows me to read CV carts.  It works great on my 'test carts',
}    [using adapter to read CV BIOS ROM]
}Bingo!  I have data!  I successfully read the
}ROM out and replace it back into my CV.  I then dis-assemble the code and
}found out all the interrupt vectors! ;-)

I just did something similar, but no hardware required, and I didn't even
have to open up the modem.

ObHack: disassembling the EPROM on my new Sportster Vi to find undocumented
AT commands.

Step 0: Some years ago, someone had mentioned a "poke" command which turned
  an older version of a Sportster into a Courier (same motherboard, different
  price range...) -- ATGW<nnn>,<nn>.  So I tried ATGR<nnn> and got back 16
  lines like

    0000:0000    FF00 000F 0429 C000 10A7 C000 10AC C000

  Hmm, segmented addresses....	Sure enough, ATGR1000:1000 and ATGR1100:0000
  spit out the same values.  ATI7 reports a 256K EPROM, so not surprisingly,
  there is valid data from C000:0000 on up.  And the hex dump sure looked
  like 80x86 code, so I entered a few bytes into DEBUG and got back valid
  code.  All right, we've got an 8018x or 386EX in real mode!  (The strings
  in the ROM showed the processor to be an 80188)

Step 1: Copy the modem's RAM and ROM.  Create a file with copy/paste and
  search/replace (Emacs' narrow-to-region command came in very handy here)
  with all the ATGR commands to output the first 64K of the address space
  and C000:0000 to F000:FFFF.  Stuff this to the modem using RBcomm's "type"
  command and log the results to a file.

Step 2: Massage the captured data.  After a few passes of regex
  search/replace, the data was in a format that could be fed into DEBUG.
  Add the appropriate DEBUG commands to beginning and end of the file, then

    DEBUG sportrom.rom <sportrom.txt >nul

  Bingo!  A binary of the modem's ROM.

Step 3: Start peeking at the ROM with "strings", Turbo Debugger, etc.
  As it turns out, there is no way to alter the modem's memory, so it is no
  longer possible to turn a Sportster into the more expensive Courier.

Step 4: post the list of undocumented commands :-)




Sportster Vi / Courier HST undocumented commands
================================================

AT commands:
 g= [addr]	  : dump 100h memory locations starting at hex addr [0] (bytes)
 gb [addr]	  : dump 100h I/O ports starting at hex address [0]
 gi [addr]	  : read I/O port at hex addr [0] and return value in hex
 gn		  : set ?? flag
 go<addr>,<val>   : output hex value to I/O port at hex address [0]
 gr [addr]	  : dump 100h memory locations starting at hex addr [0] (words)
 gu		  : nop
 gx [addr]
 gy [addr]
 g<4 hex digits>
 g<8 hex digits>
 q3
 r		  : set ?? flag
 rs99?		  : print copyright string
 usr		  : print out credits
 y5		  : [checks something on phone line]
 y6		  : same as ATI6
 y7		  : check signal quality (only while connected)
 y8		  : dump compression dictionary (receive)
 y9		  : dump compression dictionary (xmit)
 y11		  : prints "Freq	 Level", plus listing if connected
 y12		  : prints "Recv	 Xmit", plus listing if connected
 y14		  : prints "000,000,018,007,010,000"
 -sto
 -sip
 -sic
 -ssq
 -sdt
 -stm
 -ser?
 &J0
 &J1
 &J2
 ~S?		  : print serial number
 ~S=		  : set serial number  (lost on next ATZ or power cycle)

 #MFR?		  : print modem manufacturer's name
 #MDL?		  : print modem model string
 #REV?		  : print revision string
 #VBQ?		  : print buffer sizes
 #VCI?		  : print modem ID string
 #VBT?		  :
 #VBT=?		  : list valid values (0-40)
 #VBT=<n>   :
 #BDR?		  :
 #BDR=?		  : print valid values (0,1,2,4,8,16,24)
 #BDR=<n>   :
 #VBS?		  :
 #VBS=?		  : list valid values (2,3,4)
 #VBS=<n>   :
 #VLS?		  :
 #VLS=?		  : list valid values (0,1,2,3,4)
 #VLS=<n>   :
 #VRA		  : NOP
 #VRN		  : NOP
 #VSD?		  :
 #VSD=?		  : list valid values (0,1)
 #VSD=<n>   :
 #VSK		  : NOP
 #VSP?		  :
 #VSP=?		  : list valid values (0-255)
 #VSP=<n>   :
 #VSR?		  :
 #VSR=?		  : list valid values (8000)
 #VSR=<n>   :
 #CID?		  :
 #CID=?		  : list valid values (0,1,2)
 #CID=<n>   :
 #VSS?		  :
 #VSS=?		  : list valid values (0,1,2,3)
 #VSS=<n>   :
 #VTD?		  :
 #VTD=?		  : list valid values (3F,3F,3F)
 #VTD=<n>   :
 #VTM		  :
 #VTS=[n,n]	  :
 #VTS=[n,n,n]	  :
 #VTS={n,n}	  :
 #VTS={n,n,n}	  :

 +fco
 +fvo
 +fdm
 +fhs:
 +fcs:
 +fis:
 +ftc:
 +fpo
 +fti:
 +fpi:
 +fnf:
 +fns:
 +fnc:
 +fet:
 +fps:
 +fht:
 +fhr:
 +fci:

(must follow +fclass in same command?)
 +fatx=
 +farx=
 +ftxd=
 +ftxt=
 +frxd=
 +frxt=
 +fpi="case-sensitive literal"
 +fli="case-sensitive literal"

(disabled on Sportster, available on some other models)
 c0		  : disable transmitter (modem is receive-only)
 c1		  : enable transmitter
 k0		  : modem clock in call-duration mode
 k1		  : modem clock in real-time mode
 &L0		  : normal phone line (doc. for Courier)
 &L1		  : leased line (doc. for Courier)
 &S2
 &S3
 &S4
 &Xn
 &ZC?
 &ZC=<number>

--
My employer will | I'net: ralf@telerama.lm.com	 Fido: Ralf Brown 1:129/26.1
deny knowing of  | "Man is the only kind of varmint sets his own trap, baits
this message...  | it, then steps in it." -- John Steinbeck, _Sweet_Thursday_
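The capture-and-massage part of the post (Steps 1 and 2), shown as an added example that is not part of Ralf Brown's original post: a small Python script that does what his regex passes and DEBUG did, turning a terminal log of ATGR output into a flat ROM image, and then decoding the far pointers at 0000:0000 that the post identifies as the interrupt vectors. It assumes that each dump word is printed as the 80188 reads it (so the bytes are little-endian in memory, which is also what makes "0429 C000" read as a C000-segment far pointer), that the log also contains echoed commands, "OK" result codes and blank lines that must be skipped, and that uncovered 16-byte chunks should be reported rather than silently filled. The sample log is constructed: only its first data line is the one quoted in the post, the rest is invented to exercise the parser.

```python
import re
from typing import Dict, List, Tuple

# One line of ATGR output: "SSSS:OOOO" followed by eight 16-bit hex words.
DUMP_LINE = re.compile(
    r"^\s*([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\s+((?:[0-9A-Fa-f]{4}\s*){8})\s*$"
)

# Constructed capture.  The first data line is the one quoted in the post; the
# echoed commands, the second vector-table line, the C000 line, the "OK"
# result codes and the stray blank line are made up to mimic a terminal log.
SAMPLE_LOG = """\
ATGR0000:0000
0000:0000    FF00 000F 0429 C000 10A7 C000 10AC C000
0000:0010    10AC C000 10AC C000 10AC C000 10AC C000

OK
ATGRC000:0000
C000:0000    00EA 0000 C000 9090 9090 9090 9090 9090
OK
"""


def parse_dump(log: str) -> Dict[int, bytes]:
    """Map the linear address of every dumped 16-byte chunk to its bytes.

    Each dump word is a 16-bit value as the (little-endian) 80188 reads it,
    so its low byte lands at the lower address.  Lines that are not dump
    lines (command echoes, result codes, blank lines) are skipped.  The same
    chunk captured twice is fine, but two different captures of one address
    mean the log is garbled, so that is an error rather than a silent choice.
    """
    chunks: Dict[int, bytes] = {}
    for line in log.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        seg, off = int(m.group(1), 16), int(m.group(2), 16)
        linear = (seg << 4) + off
        words = [int(w, 16) for w in m.group(3).split()]
        data = b"".join(w.to_bytes(2, "little") for w in words)
        if linear in chunks and chunks[linear] != data:
            raise ValueError(f"conflicting data at {seg:04X}:{off:04X}")
        chunks[linear] = data
    return chunks


def assemble_image(chunks: Dict[int, bytes], base: int, size: int,
                   fill: int = 0xFF) -> Tuple[bytes, List[int]]:
    """Lay the chunks into a flat image covering [base, base + size).

    Returns (image, missing), where missing lists the linear addresses of
    16-byte chunks inside the window that the capture never covered, so a
    truncated log is noticed before anyone disassembles the result.  Gaps
    are filled with 0xFF, the erased state of an EPROM.
    """
    image = bytearray([fill]) * size
    missing: List[int] = []
    for addr in range(base, base + size, 16):
        data = chunks.get(addr)
        if data is None:
            missing.append(addr)
            continue
        image[addr - base:addr - base + 16] = data
    return bytes(image), missing


def interrupt_vectors(image: bytes, count: int = 8) -> List[Tuple[int, int]]:
    """Decode `count` real-mode far pointers (offset word, then segment word)
    from the start of an image of the address space, i.e. the 8018x
    interrupt vector table at 0000:0000.  Returns (segment, offset) pairs."""
    out: List[Tuple[int, int]] = []
    for i in range(count):
        off = int.from_bytes(image[4 * i:4 * i + 2], "little")
        seg = int.from_bytes(image[4 * i + 2:4 * i + 4], "little")
        out.append((seg, off))
    return out


if __name__ == "__main__":
    chunks = parse_dump(SAMPLE_LOG)
    low, _ = assemble_image(chunks, 0x00000, 0x20)
    for n, (seg, off) in enumerate(interrupt_vectors(low)):
        print(f"INT {n:02X} -> {seg:04X}:{off:04X}")
    # The post's ROM window: C000:0000 to F000:FFFF, the 256K EPROM ATI7 reports.
    rom, missing = assemble_image(chunks, 0xC0000, 0x40000)
    print(f"{len(missing)} of {0x40000 // 16} ROM chunks missing from the capture")
    with open("sportrom.bin", "wb") as f:   # the equivalent of the post's sportrom.rom
        f.write(rom)
```

Running the script on the constructed log prints the four vectors from the quoted line (INT 01 through INT 03 all point into the C000 ROM segment) and reports that almost all of the 256K ROM window is missing, which is the point of the `missing` list: a real capture is only usable once that list is empty.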