Table of Contents
Global/Allied Signal GNS-X CDU display
This page documents my efforts to reverse-engineer a Global/Allied Signal GNS-X CDU display and make it do something useful…
Disassembly
- Remove front panel
- Loosen four Phillips screws (two on the left front, two on the right front) - these are captive
- Remove keyboard and display filter assembly: this is attached by a cable.
- Unplug cable
- PCBs
- The PCBs install left to right, in order:
- Red (CRT deflection)
- Yellow (CRT controller)
- Black (Keyboard interface)
- Blue (CPU)
- PCBs pull out via cable tie, which is screwed onto the PCB and formed into a loop.
- Outer chassis
- Remove the ten short black screws around the back edge of the main chassis
- The outer chassis pulls away
- CRT high voltage section
- Caution - there may be a large blob of silicone dielectric grease on the back of the module. This is extremely sticky and gets everywhere…
- Left side: two black screws in a line along the left side
- Bottom: two black screws in a line in the centre
- Push the block out of the back
Reassembly is the reverse of disassembly. Remember to get the boards in the right place!
Firmware
I've dumped the firmware ROM (CPU board U14): cpucard-rom-mbm27c64--816288-02_u-14_c038_9-19-91.bin
I'm currently using Ghidra to reverse-engineer it. The ROM loads at address 0x0000, for 8 kilobytes.
The code makes extensive use of the HL and DE registers for pointers, and inlined text strings after calls. Ghidra scripts are required to add references and fix up code (set fallthrough addresses and define text strings) to make the disassembly more readable. I've written a Ghidra script called the Inline String Processor which fixes up these function calls.
(TBD.)
Hardware overview
Memory map
| Start addr | End addr | Device |
|---|---|---|
0000 | 1FFF | CPU board - Program EPROM |
2000 | 3FFF |  - Possibly space for larger program EPROM. |
4000 | 5FFF | CPU board - 8K RAM |
6000 | 67FF | |
6800 | Unknown hardware device. Possibly keyboard. Addresses 6800 and 6808 read-only. Address 6810 and 6818 write-only. |
|
6900 | Unknown hardware device. Address 6900 write-only. |
|
6A00 | 6A01 | CRT board - HD6845 CRTC. Address 6A00 is CRTC register address. Address 6A01 is CRTC data. |
6B00 | Unknown hardware device. Possibly CRTC related (attributes?) Address 6B00 write-only. Rest of space unused. |
|
6C00 | Unknown. Not accessed. |
|
6D00 | 6D07 | Unknown hardware device. Linked to the /RSTA interrupt. |
6E00 | 6E01 | U13 ACIA (HD68A50). Initialised but not used. |
6F00 | 6F01 | U16 ACIA (HD68A50). |
7000 | 97FF | |
9800 | 9FFF | Filled with FF on startup. |
A000 | B7FF | |
B800 | BBFF | Possibly display memory |
BC00 | BFFF | Possibly display memory |
C000 | DFFF | |
E000 | FFFF | Expansion ROM . Checked for a jump instruction on boot. Ignored if this is not present. |
Interrupt map
| Interrupt | Source device | Notes |
|---|---|---|
/RSTA | Periodic? | Inverse of U6 (CD4520) Q3b (B counter, value 4) → From U4/HC04 pin 4 (inverter B out) → U4 pin 3 (inverter B in) → U6/CD4520 pin13 (Q3b) |
/RSTB | U16 UART | |
/RSTC | U13 UART | Interrupt returns immediately. |
Connector
| Pin | Function | Wire colour |
|---|---|---|
| A | n.c. | none |
| B | n.c. | none |
| C | 28V ground | Black |
| D | Purple | |
| E | Brown | |
| F | n.c. | none |
| G | White, blue stripe | |
| H | n.c. | none |
| J | White, yellow stripe | |
| K | 5V - Lighting - Backlight (A) | Red (thick) to front panel connector |
| L | n.c. | none |
| M | Yellow (thick) to front panel connector | |
| N | Earth | White, clear. Connects to back panel. |
| P | 5V - Lighting - Backlight (B) | Green (thick), to front panel power connector |
| R | White, orange stripe | |
| S | U16 UART transmit “Y” | White |
| T | U16 UART receive “+” | Purple |
| U | U16 UART receive “-” | White |
| V | White, red stripe | |
| W | +28V DC | White (thick). Diode anode (cathode to e). |
| X | U16 UART transmit “Z” | Green |
| Y | U13 UART transmit “Y” | White |
| Z | U13 UART transmit “Z” | Blue |
| a | Orange | |
| b | Black | |
| c | n.c. | none |
| d | Diode cathode | |
| e | Blue, plus loop to f |
|
| f | Blue, plus loop to e |
|
| g | U13 UART receive + | White |
| h | U13 UART receive - | Yellow |
| j | n.c. | none |
n.c. indicates no connection inside the CDU (unused pins). A blank column indicates that the function of the pin is unknown.
Connector: MIL-DTL-26482 series I style connector with MIL-STD-1560 "22-32" contact arrangement.
The connector on the CDU is the panel-mounting receptacle version, with male pins, ITT part number KPT02E22-32P.
The mating cable-mount connector should be the “plug” version, with socket contacts. A suitable plug would be e.g. the Amphenol PT06A-22-32S.
CPU board interconnects
- U13 UART
- Rx Data (2) → U17 SNK75182 “2OUT” (8)
- U17 2IN- (13) → Back panel
h - U17 2IN+ (11) → Back panel
g
- Tx Data (6) → U18 SNJ75183 “1D” (4)
- 1A,1B,1C tied high
- 1Y (5) → Back panel
Y - 1Z (6) → Back panel
Z
- IRQ (7) → NSC800 “RSTC” (24)
- U16 UART
- Rx Data (2) → U17 SNK75182 “1OUT” (6)
- U17 1IN- (1) → Back panel
U - U17 1IN+ (3) → Back panel
T
- Tx Data (6) → U18 SNJ75183 “2A” (10)
- 2B,2C,2D tied high
- 2Y (9) → Back panel
S - 2Z (8) → Back panel
X
- IRQ (7) → NSC800 “RSTB” (23)
References
- MSylvain59's videos:
- Z80 tools and references:
- Sydney Smith's Z80 emulator – useful for trying out chunks of code to check e.g. loop conditions.
Appendix: parts list by board
- Deflection board
-
- This may be for display brightness. Holding the
BRTbutton increases or decreases brightness.
- Harris HI3-201-5 analog switch
- Five adjustment pots: top to bottom, R1, R2, R56, R3, R4.
- CRT controller board
- The CRTC is similar to that on the Ferguson Big Board II, except the Big Board has two 2K-byte SRAMs while the CDU has a single 8K-byte SRAM.
- CRTC section
- Motorola MC68B45P CRT Controller
- SMC CRT8002 Video Attribute Controller
- Fujitsu MB8464A-10 8K-word, 8-bit wide RAM
- Motorola MC74HC541 Octal 3-State Noninverting Buffer (x4)
- Motorola MC54HC245 Octal 3-State Noninverting Bus Transceiver
- Harris CD54HC109 Dual J-K flip-flop with set and reset (x2)
- Motorola 54HC157 Quad 2-input multiplexer
- PLL section
- 31.5kHz TTL oscillator (clocks CD4060 pin 11, CD4520 pin 1)
- Exar XR210CN PLL
- CD4060 binary counter with built-in oscillator
- CD4520 dual binary up-counter
- Misc
- MC54HC32
- MC54HC138
- CD54HC160
- MC54HC04 x2
- CD54HC153
- CD54HC109 (x2)
- CD54HC299 (x3)
- MC54HC08
- LM160H high-speed comparator
- Keyboard interface board
- 54LS377 x2
- 54HC541
- DAC0808
- 54HC139
- MC14584B
- MC14027B
- MC14538B
- CD4011B
- LM140LAH-12 LDO regulator, mil-spec
- CPU board
- National Semiconductor NSC800 CPU. Z80 with 8048-style pinout.
- 36-pin (2×18) turned-pin connector
- Fujitsu MB8464A-10 8K-word, 8-bit wide RAM
- Fujitsu MBM27C64-25 8K-word, 8-bit wide EPROM
- Hitachi HD63A50P ACIA (x2)
- 4MHz TTL oscillator (likely CPU clock)
- 2.88MHz TTL oscillator (likely baud rate clock)
- MC54HC74
- MC54HC32
- MC54HC04
- MC54HC08
- CD4520B
- MC54HC4040
- MC54HC138 (x2)
- 54HC373
- 54HC245
- 54HC541
- 8464 RAM
Appendix: Ghidra scripts
These can be added to Ghidra with the Script Manager: in the Code Browser, Window → Script Manager.
Inline String Processor
This searches for inline strings placed after write-to-screen calls, and converts them to offset-string-terminator blocks. Fallthroughs are added to the CALL instruction to tell the Ghidra decompiler to ignore the string data when looking for the next instruction.