
Is disassembly via simulated execution or just memory reads? #18

Closed
iceblu3710 opened this issue Jan 1, 2021 · 8 comments

@iceblu3710

I have a piece of test equipment running a z80 I want to repurpose. To figure out how to interface with its hardware I need to disassemble and map IO.

I tried traditional methods like IDA but the manufacture specifically chunked up the asm with random jumps and then filled the inter-spaces with valid opcodes to obfuscate things. To make it even harder there is a PAL that logs IO writes and does a CRC or something to give a jump offset as well.

Does the disassembly instruction run the memory through the processor core or is it just opcode conversion from raw memory? Would single-stepping disassembly be a true view of what the processor is doing?

@hoglet67
Owner

hoglet67 commented Jan 1, 2021

A single-stepping disassembly is indeed a true view of what the processor is doing.

Do check out another of my projects that might be of use. It's called the Z80 Decoder:
https://github.com/hoglet67/Z80Decoder
https://stardot.org.uk/forums/viewtopic.php?f=3&t=15464

You need a cheap USB logic analyzer (16 bits) and a 40-pin DIP clip. You connect the logic analyzer up to DATA, IORQ, MREQ, M1, RD, WR and CLK pins. You set it to take a sample on the rising edge of the CLK. Capture a dump from the logic analyzer. This can be millions of instructions. Feed that dump through the Z80 decoder and you get an output like this:

0A6B : EB              : EX DE,HL             :  3 : A=FF F=  0 0    BC=0004 DE=4096 HL=4099 IX=0281 IY=4000 IR=1E13 M=0A6B SP=43FA
0A6C : E1              : POP HL               : 11 : A=FF F=  0 0    BC=0004 DE=4096 HL=0000 IX=0281 IY=4000 IR=1E14 M=0A6B SP=43FC
0A6D : 19              : ADD HL,DE            :  3 : A=FF F=  0 0    BC=0004 DE=4096 HL=4096 IX=0281 IY=4000 IR=1E15 M=0001 SP=43FC
0A6E :                 : NMI                  : 30 : A=FF F=  0 0    BC=0004 DE=4096 HL=4096 IX=0281 IY=4000 IR=1E17 M=0066 SP=43FA
0066 : 08              : EX AF,AF'            :  3 : A=FE F=S 1 1  C BC=0004 DE=4096 HL=4096 IX=0281 IY=4000 IR=1E18 M=0066 SP=43FA
0067 : 3C              : INC A                :  4 : A=FF F=S 1 1  C BC=0004 DE=4096 HL=4096 IX=0281 IY=4000 IR=1E19 M=0066 SP=43FA
0068 : FA 6D 00        : JP M,006Dh           : 11 : A=FF F=S 1 1  C BC=0004 DE=4096 HL=4096 IX=0281 IY=4000 IR=1E1A M=006D SP=43FA
006D : 08              : EX AF,AF'            :  3 : A=FF F=  0 0    BC=0004 DE=4096 HL=4096 IX=0281 IY=4000 IR=1E1B M=006D SP=43FA
006E : C9              : RET                  : 11 : A=FF F=  0 0    BC=0004 DE=4096 HL=4096 IX=0281 IY=4000 IR=1E1C M=0A6E SP=43FC
0A6E : D5              : PUSH DE              : 11 : A=FF F=  0 0    BC=0004 DE=4096 HL=4096 IX=0281 IY=4000 IR=1E1D M=0A6E SP=43FA
0A6F : ED B0           : LDIR                 : 14 : A=FF F=  1 1V   BC=0003 DE=4097 HL=4097 IX=0281 IY=4000 IR=1E1F M=0A70 SP=43FA
0A6F : ED B0           : LDIR                 : 21 : A=FF F=  1 1V   BC=0002 DE=4098 HL=4098 IX=0281 IY=4000 IR=1E21 M=0A70 SP=43FA
0A6F : ED B0           : LDIR                 : 21 : A=FF F=  0 0V   BC=0001 DE=4099 HL=4099 IX=0281 IY=4000 IR=1E23 M=0A70 SP=43FA
0A6F : ED B0           : LDIR                 : 21 : A=FF F=  1 1    BC=0000 DE=409A HL=409A IX=0281 IY=4000 IR=1E25 M=0A70 SP=43FA
0A71 : E1              : POP HL               : 12 : A=FF F=  1 1    BC=0000 DE=409A HL=4096 IX=0281 IY=4000 IR=1E26 M=0A70 SP=43FC
0A72 : C9              : RET                  : 10 : A=FF F=  1 1    BC=0000 DE=409A HL=4096 IX=0281 IY=4000 IR=1E27 M=048D SP=43FE
048D : 2A 14 40        : LD HL,(4014h)        : 16 : A=FF F=  1 1    BC=0000 DE=409A HL=4097 IX=0281 IY=4000 IR=1E28 M=4015 SP=43FE
0490 : FD 36 00 FF     : LD (IY+0),ffh        : 19 : A=FF F=  1 1    BC=0000 DE=409A HL=4097 IX=0281 IY=4000 IR=1E2A M=4000 SP=43FE
0494 : CD 66 07        : CALL 0766h           : 32 : A=FF F=  1 1    BC=0000 DE=409A HL=4097 IX=0281 IY=4000 IR=1E2B M=0766 SP=43FC
0766 :                 : NMI                  : 11 : A=FF F=  1 1    BC=0000 DE=409A HL=4097 IX=0281 IY=4000 IR=1E2D M=0066 SP=43FA
0066 : 08              : EX AF,AF'            :  3 : A=FF F=S 1 1  C BC=0000 DE=409A HL=4097 IX=0281 IY=4000 IR=1E2E M=0066 SP=43FA
0067 : 3C              : INC A                :  4 : A=00 F= Z0H0  C BC=0000 DE=409A HL=4097 IX=0281 IY=4000 IR=1E2F M=0066 SP=43FA
0068 : FA 6D 00        : JP M,006Dh           : 11 : A=00 F= Z0H0  C BC=0000 DE=409A HL=4097 IX=0281 IY=4000 IR=1E30 M=006D SP=43FA
006B : 28 02           : JR Z,006Fh           :  7 : A=00 F= Z0H0  C BC=0000 DE=409A HL=4097 IX=0281 IY=4000 IR=1E31 M=006F SP=43FA
006F : 08              : EX AF,AF'            :  8 : A=FF F=  1 1    BC=0000 DE=409A HL=4097 IX=0281 IY=4000 IR=1E32 M=006F SP=43FA
0070 : F5              : PUSH AF              : 12 : A=FF F=  1 1    BC=0000 DE=409A HL=4097 IX=0281 IY=4000 IR=1E33 M=006F SP=43F8
0071 : C5              : PUSH BC              : 11 : A=FF F=  1 1    BC=0000 DE=409A HL=4097 IX=0281 IY=4000 IR=1E34 M=006F SP=43F6
0072 : D5              : PUSH DE              : 11 : A=FF F=  1 1    BC=0000 DE=409A HL=4097 IX=0281 IY=4000 IR=1E35 M=006F SP=43F4
0073 : E5              : PUSH HL              : 11 : A=FF F=  1 1    BC=0000 DE=409A HL=4097 IX=0281 IY=4000 IR=1E36 M=006F SP=43F2
0074 : 2A 0C 40        : LD HL,(400Ch)        : 16 : A=FF F=  1 1    BC=0000 DE=409A HL=407D IX=0281 IY=4000 IR=1E37 M=400D SP=43F2
0077 : CB FC           : SET 7,H              :  7 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E39 M=400D SP=43F2
0079 : 76              : HALT                 :  4 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E3A M=400D SP=43F2
007A :                 : NOP                  :  4 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E3C M=400D SP=43F2
007A :                 : NOP                  :  4 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E3E M=400D SP=43F2
007A :                 : NOP                  :  4 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E40 M=400D SP=43F2
007A :                 : NOP                  :  4 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E42 M=400D SP=43F2
007A :                 : NOP                  :  4 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E44 M=400D SP=43F2
007A :                 : NOP                  :  4 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E46 M=400D SP=43F2
007A :                 : NOP                  :  4 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E48 M=400D SP=43F2
007A :                 : NOP                  :  4 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E4A M=400D SP=43F2
007A :                 : NOP                  :  4 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E4C M=400D SP=43F2
007A :                 : NOP                  :  4 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E4E M=400D SP=43F2
007A :                 : NOP                  :  4 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E50 M=400D SP=43F2
007A :                 : NOP                  :  4 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E52 M=400D SP=43F2
007A :                 : NOP                  :  4 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E54 M=400D SP=43F2
007A :                 : NOP                  :  4 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E56 M=400D SP=43F2
007A :                 : NOP                  :  4 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E58 M=400D SP=43F2
007A :                 : NOP                  :  4 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E5A M=400D SP=43F2
007A :                 : NMI                  : 25 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E5C M=0066 SP=43F0
0066 : 08              : EX AF,AF'            :  3 : A=00 F= Z0H0  C BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E5D M=0066 SP=43F0
0067 : 3C              : INC A                :  4 : A=01 F=  0 0  C BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E5E M=0066 SP=43F0
0068 : FA 6D 00        : JP M,006Dh           : 11 : A=01 F=  0 0  C BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E5F M=006D SP=43F0
006B : 28 02           : JR Z,006Fh           :  7 : A=01 F=  0 0  C BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E60 M=006D SP=43F0
006D : 08              : EX AF,AF'            :  3 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E61 M=006D SP=43F0
006E : C9              : RET                  : 11 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E62 M=007A SP=43F2
007A : D3 FD           : OUT (FDh),A          : 11 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E63 M=FFFE SP=43F2
007C : DD E9           : JP (IX)              :  7 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E65 M=FFFE SP=43F2
0281 : ED 5F           : LD A,R               :  8 : A=67 F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E67 M=FFFE SP=43F2
0283 : 01 01 19        : LD BC,1901h          : 12 : A=67 F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1E68 M=FFFE SP=43F2
0286 : 3E F5           : LD A,F5h             :  7 : A=F5 F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1E69 M=FFFE SP=43F2
0288 : CD B5 02        : CALL 02B5h           : 17 : A=F5 F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1E6A M=02B5 SP=43F0
02B5 : ED 4F           : LD R,A               :  7 : A=F5 F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1EF5 M=02B5 SP=43F0
02B7 : 3E DD           : LD A,DDh             :  9 : A=DD F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1EF6 M=02B5 SP=43F0
02B9 : FB              : EI                   :  3 : A=DD F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1EF7 M=02B5 SP=43F0
02BA : E9              : JP (HL)              :  4 : A=DD F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1EF8 M=02B5 SP=43F0
C07D : 76              : HALT                 :  4 : A=DD F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1EF9 M=02B5 SP=43F0
C07E :                 : NOP                  :  4 : A=DD F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1EFB M=02B5 SP=43F0
C07E :                 : NOP                  :  4 : A=DD F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1EFD M=02B5 SP=43F0
C07E :                 : NOP                  :  4 : A=DD F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1EFF M=02B5 SP=43F0
C07E :                 : NOP                  :  4 : A=DD F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1E81 M=02B5 SP=43F0
C07E :                 : NOP                  :  4 : A=DD F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1E83 M=02B5 SP=43F0
C07E :                 : NOP                  :  4 : A=DD F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1E85 M=02B5 SP=43F0
C07E :                 : NOP                  :  4 : A=DD F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1E87 M=02B5 SP=43F0
C07E :                 : NOP                  :  4 : A=DD F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1E89 M=02B5 SP=43F0
C07E :                 : INT                  : 14 : A=DD F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1E8B M=0038 SP=43EE
0038 : 0D              : DEC C                :  3 : A=DD F= Z0 0 N  BC=1900 DE=409A HL=C07D IX=0281 IY=4000 IR=1E8C M=0038 SP=43EE
0039 : C2 45 00        : JP NZ,0045h          : 11 : A=DD F= Z0 0 N  BC=1900 DE=409A HL=C07D IX=0281 IY=4000 IR=1E8D M=0045 SP=43EE
003C : E1              : POP HL               : 10 : A=DD F= Z0 0 N  BC=1900 DE=409A HL=C07E IX=0281 IY=4000 IR=1E8E M=0045 SP=43F0
003D : 05              : DEC B                :  3 : A=DD F=  0 1 N  BC=1800 DE=409A HL=C07E IX=0281 IY=4000 IR=1E8F M=0045 SP=43F0
003E : C8              : RET Z                :  8 : A=DD F=  0 1 N  BC=1800 DE=409A HL=C07E IX=0281 IY=4000 IR=1E90 M=0045 SP=43F0
003F : CB D9           : SET 3,C              :  4 : A=DD F=  0 1 N  BC=1808 DE=409A HL=C07E IX=0281 IY=4000 IR=1E92 M=0045 SP=43F0
0041 : ED 4F           : LD R,A               :  8 : A=DD F=  0 1 N  BC=1808 DE=409A HL=C07E IX=0281 IY=4000 IR=1EDD M=0045 SP=43F0
0043 : FB              : EI                   :  5 : A=DD F=  0 1 N  BC=1808 DE=409A HL=C07E IX=0281 IY=4000 IR=1EDE M=0045 SP=43F0
0044 : E9              : JP (HL)              :  4 : A=DD F=  0 1 N  BC=1808 DE=409A HL=C07E IX=0281 IY=4000 IR=1EDF M=0045 SP=43F0
C07E : 76              : HALT                 :  4 : A=DD F=  0 1 N  BC=1808 DE=409A HL=C07E IX=0281 IY=4000 IR=1EE0 M=0045 SP=43F0
C07F :                 : NOP                  :  4 : A=DD F=  0 1 N  BC=1808 DE=409A HL=C07E IX=0281 IY=4000 IR=1EE2 M=0045 SP=43F0
C07F :                 : NOP                  :  4 : A=DD F=  0 1 N  BC=1808 DE=409A HL=C07E IX=0281 IY=4000 IR=1EE4 M=0045 SP=43F0

@hoglet67 hoglet67 mentioned this issue Jan 1, 2021
@iceblu3710
Author

That's a really interesting project, I will definitely take a look as I have all the hardware required. I like the BusMon project for a more direct approach after a passive investigation.

If I add an AVR8 routine to the project I can single step, display the disassembly, and list the registers to make the same output as above. I am thinking of making the output dump and run a single step and log to a file. I can then load it in Ghidra and do some high-level analysis.

Most of my projects are old test equipment from the 80's and as such are very over engineered, no documentation and fun to make do things it was never designed for!

@iceblu3710
Author

Capture a dump from the logic analyzer

Is the Z80Decoder file just the capture file pulled from the sigrok project save file?

@hoglet67
Owner

hoglet67 commented Jan 2, 2021

I don't know anything about the project save file.

Originally I used sigrok-cli to generate a binary capture file:

sigrok-cli -d fx2lafw --config samplerate=12MHz:captureratio=1  -o data.bin -O binary  --samples=48M

But for most logic analyzers, sigrok only supports asynchronous capture, and it's generally much better to use synchronous capture (on the rising edge of the Z80 clock).

What Logic Analyzer do you have?

What Operating Systems do you have access to?

@iceblu3710
Author

I have the same Cypress dev kit logic analyzer as you show in the post pictures. I use Linux primarily so it should work like a treat.

I will move future conversations onto that project's issue tracker.

@hoglet67
Owner

hoglet67 commented Jan 2, 2021

FYI, if using Linux, I recommend using the fx2pipe capture tool to do synchronous captures (one sample taken on the specified clock edge).

Use the version of fx2pipe from the dev branch here (as it includes some recent fixes):
https://github.com/hoglet67/6502Decoder/tree/dev

To capture synchronously on the rising edge, use the following options:

fx2pipe -a -ifclk=i > data.bin

You connect the CLK signal to the RDY1 input, and PA4 needs to be connected to GND.

Dave

@iceblu3710
Author

These two other projects combined have been an AMAZING benefit to my hobby work over here. I modified fx2pipe to not output the streaming stats so I can pipe it directly into z80decoder. I then pipe that output to a grep or two and I can live stream IN A where the received data was NOT A=00.

../fx2pipe -a -d=0925:3881 -ifclk=i | ./decodez80 | grep "IN " | grep -v "A=00"

I mapped out an entire custom keypad in a few minutes.

@hoglet67
Owner

hoglet67 commented Jan 4, 2021

Glad to hear you are finding this useful.

The original version of fx2pipe supports piping, because the streaming stats are written to standard error.

So this should work as well:

../fx2pipe -a -d=0925:3881 -ifclk=i 2> /dev/null | ./decodez80 | grep "IN " | grep -v "A=00"

I've used this method myself on occasion:
https://stardot.org.uk/forums/viewtopic.php?p=211500#p211500
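An added example, not code from the Z80Decoder or BusMon projects nor from either commenter: a small Python filter that reads trace lines in the decoder's format shown earlier in the thread and builds the I/O map the original question is after. It tallies every port touched by an IN or OUT together with the byte read or written, and reproduces the `grep "IN " | grep -v "A=00"` filter as a function keyed on the destination register rather than on the A= text. It assumes the five-field layout separated by " : " as in the listing, and that IN instructions are printed as "IN A,(40h)" and "IN A,(C)" (an assumption; only OUT appears in the listing). The trace lines embedded in the block are constructed, not a real capture, and the script name io_map.py is hypothetical.

```python
"""Summarise Z80 I/O port accesses from Z80Decoder-style trace lines.

Added example (not part of Z80Decoder or BusMon). Assumes the " : "-separated
five-field line layout shown in the thread, and that IN instructions print as
"IN A,(40h)" / "IN A,(C)" (assumption; the listing only shows OUT).
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the trace format from the thread (not a real capture).
SAMPLE_TRACE = """\
007A : D3 FD           : OUT (FDh),A          : 11 : A=FF F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E63 M=FFFE SP=43F2
0100 : DB 40           : IN A,(40h)           : 11 : A=00 F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E64 M=FFFE SP=43F2
0102 : DB 40           : IN A,(40h)           : 11 : A=7F F=  1 1    BC=0000 DE=409A HL=C07D IX=0281 IY=4000 IR=1E65 M=FFFE SP=43F2
0104 : ED 78           : IN A,(C)             : 12 : A=42 F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1E66 M=FFFE SP=43F2
0106 : ED 79           : OUT (C),A            : 12 : A=42 F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1E67 M=FFFE SP=43F2
0108 : 3C              : INC A                :  4 : A=43 F=  1 1    BC=1901 DE=409A HL=C07D IX=0281 IY=4000 IR=1E68 M=FFFE SP=43F2
"""


@dataclass
class IoAccess:
    addr: int        # PC of the IN/OUT instruction
    direction: str   # "in" or "out"
    port: int        # 8-bit port number (A0-A7 during the I/O cycle)
    value: int       # byte read (IN, taken from the post-instruction dump) or written (OUT)
    mnemonic: str


_REG_RE = re.compile(r"\b(A|BC|DE|HL|IX|IY|IR|M|SP)=([0-9A-Fa-f]+)")
_IMM_PORT_RE = re.compile(r"\(([0-9A-Fa-f]{2})h\)", re.IGNORECASE)
_IO_RE = re.compile(r"^(IN|OUT)\s+(\S+)$")   # INI/OTIR etc. do not match and are skipped
# Which 16-bit pair in the dump holds each 8-bit register, and its bit offset.
_REG8 = {"A": ("A", 0), "B": ("BC", 8), "C": ("BC", 0),
         "D": ("DE", 8), "E": ("DE", 0), "H": ("HL", 8), "L": ("HL", 0)}


def parse_trace_line(line: str) -> Optional[dict]:
    """Split one decoder line into pc, bytes, mnemonic, cycles and registers; None if malformed."""
    parts = [p.strip() for p in line.rstrip("\r\n").split(" : ")]
    if len(parts) != 5:
        return None
    try:
        pc = int(parts[0], 16)
    except ValueError:
        return None
    regs = {name: int(val, 16) for name, val in _REG_RE.findall(parts[4])}
    return {"pc": pc, "bytes": parts[1], "mnemonic": parts[2],
            "cycles": parts[3], "registers": regs}


def io_access(entry: dict) -> Optional[IoAccess]:
    """Turn a parsed IN/OUT entry into an IoAccess; None for non-I/O instructions."""
    m = _IO_RE.match(entry["mnemonic"])
    if not m or "," not in m.group(2):
        return None
    op, operands = m.groups()
    left, right = operands.split(",", 1)
    port_operand, data_reg = (right, left) if op == "IN" else (left, right)
    regs = entry["registers"]
    imm = _IMM_PORT_RE.fullmatch(port_operand)
    if imm:
        port = int(imm.group(1), 16)
    elif port_operand == "(C)":
        port = regs["BC"] & 0xFF      # C is unchanged by IN r,(C), so the dump still holds the port
    else:
        return None
    if data_reg not in _REG8:         # e.g. undocumented IN F,(C): no data byte to report
        return None
    pair, shift = _REG8[data_reg]
    value = (regs[pair] >> shift) & 0xFF
    return IoAccess(entry["pc"], op.lower(), port, value, entry["mnemonic"])


def io_accesses(trace: str) -> List[IoAccess]:
    """All I/O accesses in a trace, in execution order."""
    result = []
    for line in trace.splitlines():
        entry = parse_trace_line(line)
        acc = io_access(entry) if entry else None
        if acc:
            result.append(acc)
    return result


def port_summary(accesses: List[IoAccess]) -> Dict[int, Dict[str, Counter]]:
    """port -> {"in": Counter(values seen), "out": Counter(values written)}."""
    summary: Dict[int, Dict[str, Counter]] = {}
    for acc in accesses:
        summary.setdefault(acc.port, {"in": Counter(), "out": Counter()})
        summary[acc.port][acc.direction][acc.value] += 1
    return summary


def nonzero_reads(accesses: List[IoAccess]) -> List[tuple]:
    """The thread's `grep "IN " | grep -v "A=00"` idea: (pc, port, value) for reads that returned non-zero."""
    return [(a.addr, a.port, a.value) for a in accesses if a.direction == "in" and a.value != 0]


def format_summary(summary: Dict[int, Dict[str, Counter]]) -> str:
    lines = []
    for port in sorted(summary):
        for direction in ("in", "out"):
            counts = summary[port][direction]
            if counts:
                vals = " ".join(f"{v:02X}x{n}" for v, n in sorted(counts.items()))
                lines.append(f"port {port:02X} {direction:<3} {sum(counts.values()):4d} {vals}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: ../fx2pipe -a -d=0925:3881 -ifclk=i 2>/dev/null | ./decodez80 | python3 io_map.py
    text = SAMPLE_TRACE if sys.stdin.isatty() else sys.stdin.read()
    print(format_summary(port_summary(io_accesses(text))))
```

Because the register dump on each line is the state after the instruction, the A value on an IN line is the byte the port returned, which is what the grep in the thread relies on; the summary groups those bytes per port, so a keypad scan shows up as one port with a small set of distinct non-zero values.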
