ROM card emulator for Mk.II Locators
Also known as the “Dragon Board”.
When reverse-engineering, it's helpful to have a way to load software onto a target device without having to program and erase EPROMs. The Datatrak hardware is unusual in that there's no easy way to get data into or out of it: the UARTs are both handled by the firmware, and attempting to take them over may well crash the RTOS.
To resolve these issues, I designed an EPROM emulator which differs from a conventional one in several ways:
- Form factor is similar to the Datatrak ROM cartridge, but extends further out of the unit.
- USB interface to host PC (via FTDI FT240XS FIFO controller).
- 4Mbit, 16-bit-wide SRAM (Alliance AS6C4016), mirroring the maximum available on a fully-loaded Datatrak ROM card (2x 2Mbit).
- Hidden debug port ('exfiltration mode') allows data to be passed from the target to the host, and vice versa.
- Control logic integrated into a Xilinx XC95144XL CPLD to allow the function to be tweaked as needed.
Debug port
The most obvious way of implementing a debug port would be a single, writable I/O port in the EPROM space. Unfortunately this isn't an option, as the Datatrak ROM connector is read-only: it doesn't include a read/write pin.
To work around this, the Dragon Board decodes a bank of 256 ROM addresses. Reading from one of these addresses will cause the CPLD to write a byte into the FIFO, which the host PC can then read.
It's also possible to send data from the PC back to the target. For this, the Dragon Board decodes another block of 256 addresses, but only 2 ports are used. One provides a status bit which indicates when data is available to be read, while the other allows the data itself to be read.
This means that for the cost of 512 bytes of program memory, there is a means of transferring data to and from the target device without using the serial ports. This is a powerful tool, and can be used, for example, to monitor which interrupt handlers are being called.
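As an added illustration (not the project's own code), here is a software model of the decode logic described above, with target-side helpers on top of it. The bank addresses, the status-bit position and the byte-granular SRAM view are assumptions, and the model takes the exfiltrated byte to be the low 8 bits of the address read (an inference from the 256-address bank, not something the text states).

```c
#include <stdint.h>
#include <stddef.h>
/* Bank addresses are placeholders (assumed) placed inside the small SRAM model;
 * the real decode addresses live in the CPLD. */
#define SRAM_BYTES   0x10000u            /* model a 64 KiB byte-granular window (assumption) */
#define EXFIL_BASE   0xFE00u             /* 256 addresses: target -> host */
#define INFIL_BASE   0xFF00u             /* 256 addresses decoded, two ports used */
#define INFIL_STATUS (INFIL_BASE + 0u)   /* bit 0 set while a host byte is waiting (assumed) */
#define INFIL_DATA   (INFIL_BASE + 1u)   /* reading returns and consumes that byte */
#define FIFO_SIZE    64u

struct dragon {
    uint8_t sram[SRAM_BYTES];
    uint8_t to_host[FIFO_SIZE];   size_t to_host_n;                 /* FT240X FIFO, target -> host */
    uint8_t from_host[FIFO_SIZE]; size_t from_host_n, from_host_rd; /* host -> target queue */
};

/* One ROM-bus read cycle as the CPLD decodes it: returns the byte the target
 * sees and applies the side effect of the special banks. The exfil byte is
 * taken to be the low 8 bits of the address (inference: 256 addresses, one
 * per byte value). */
uint8_t dragon_bus_read(struct dragon *d, uint32_t addr)
{
    if (addr >= EXFIL_BASE && addr < EXFIL_BASE + 256u) {
        if (d->to_host_n < FIFO_SIZE) d->to_host[d->to_host_n++] = (uint8_t)(addr & 0xFFu);
        return 0xFF;                     /* data bus contents are irrelevant here */
    }
    if (addr == INFIL_STATUS) return d->from_host_rd < d->from_host_n ? 1u : 0u;
    if (addr == INFIL_DATA)
        return d->from_host_rd < d->from_host_n ? d->from_host[d->from_host_rd++] : 0u;
    return d->sram[addr % SRAM_BYTES];   /* ordinary ROM fetch */
}

/* Target-side helpers. On real hardware the read is a volatile load from the
 * ROM window, e.g. (void)*(volatile const uint8_t *)(EXFIL_BASE + b), so the
 * compiler cannot drop a read whose value is unused. */
void dragon_putc(struct dragon *d, uint8_t b) { (void)dragon_bus_read(d, EXFIL_BASE + b); }

int dragon_getc(struct dragon *d)        /* -1 when nothing is waiting */
{
    if (!(dragon_bus_read(d, INFIL_STATUS) & 1u)) return -1;
    return dragon_bus_read(d, INFIL_DATA);
}

/* Host side: queue bytes for the target, as the PC does through the FIFO. */
size_t dragon_host_send(struct dragon *d, const uint8_t *p, size_t n)
{
    size_t i;
    for (i = 0; i < n && d->from_host_n < FIFO_SIZE; i++) d->from_host[d->from_host_n++] = p[i];
    return i;
}
```

The model makes the cost/benefit concrete: a normal fetch anywhere outside the two banks is unaffected, and a single instruction fetch or data read inside them moves a byte across the FIFO.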