All times are UTC - 5 hours [ DST ]


Forum rules


Please do not post questions about data recovery cases here (use this forum instead). This forum is for topics on finding new ways to recover data. Accessing firmware, writing programs, reading bits off the platter, recovering data from dust...



Post new topic Reply to topic  [ 114 posts ]  Go to page Previous  1, 2, 3, 4, 5, 6
Author Message
 Post subject: Re: Sniffing control flow between legacy devices over PATA/A
PostPosted: August 10th, 2017, 17:07 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 9497
Location: Australia
I wonder if the following freeware Windows tool (up to Win2K) could dump the contents of your ZIP drive:

http://www.dubaron.com/cd2iso/

Quote:
CD2ISO is a simple tool to extract .iso images from your cd or dvd disk. It will read any drive as raw disk, so you can also use it to make a sector dump of a removable drive (cd, dvd or floppy).

Cd2iso works very straight-forward. It will dump raw sectors of a filesystem. You do not need any additional dll files.

http://www.dubaron.com/cd2iso/faq.txt

Quote:
CD2ISO will extract _any_ filesystem. Valid iso files are only made of CD images.
But.. CD2ISO can create a dump of a hard drive as well. This is allowed on purpose for you to be as flexible as possible.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Sniffing control flow between legacy devices over PATA/A
PostPosted: August 10th, 2017, 18:31 
Offline

Joined: October 16th, 2013, 13:21
Posts: 170
Location: Brazil
Winimage would possibly also work.


Top
 Profile  
 
 Post subject: Re: Sniffing control flow between legacy devices over PATA/A
PostPosted: August 10th, 2017, 21:42 
Offline

Joined: August 17th, 2015, 21:40
Posts: 38
Location: Adelaide, South Australia
fzabkar wrote:
I wonder if the following freeware Windows tool (up to Win2K) could dump the contents of your ZIP drive:


I got the version 1 of cd2iso and I also made a win98SE bootable DOS stick, but the issue is that I cant access the disk that is in the drive from win7 explorer/ DOS box: "Cannot determine the number of sectors on this volume" when trying to format.

ZIP is recognized in Device Manager as working properly, visible but not format-able or eject-able in Disk Manager.

cd2iso did an iso dump but it is 0kb

Might be missing a dedicated driver perhaps.


Top
 Profile  
 
 Post subject: Re: Sniffing control flow between legacy devices over PATA/A
PostPosted: August 10th, 2017, 22:22 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 9497
Location: Australia
FWIW, I followed rogfanther's suggestion and managed to create an ISO from a DVD using WinImage.

Perhaps you could export the following registry key (or equivalent) to a file:

    HKEY_LOCAL_MACHINE\Enum\SCSI
    HKLM\SYSTEM\CurrentControlSet\Enum\SCSI\

I expect that this key will tell us how Windows sees your Zip drive. Go to Start -> Run and type REGEDIT.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Sniffing control flow between legacy devices over PATA/A
PostPosted: August 10th, 2017, 23:04 
Offline

Joined: August 17th, 2015, 21:40
Posts: 38
Location: Adelaide, South Australia
fzabkar wrote:

Perhaps you could export the following registry key (or equivalent) to a file:

    HKEY_LOCAL_MACHINE\Enum\SCSI
    HKLM\SYSTEM\CurrentControlSet\Enum\SCSI\



Neither of those keys exist on my install


Top
 Profile  
 
 Post subject: Re: Sniffing control flow between legacy devices over PATA/A
PostPosted: August 11th, 2017, 0:18 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 2876
Location: Adelaide, Australia
What drivers are loading currently in your DOS environment? If none then get some loading and you should be golden..

http://209.197.91.197/companies/513.htm?acd=3&rvd=5&thx=9&bng=7&o=2

this page may be better:

http://oldcomputer.info/media/zip/index.htm

Its been years since playing around with DOS drivers, but post any problems and I'm sure it will come back in vivid technicolour!
when you click on the more button, scroll to bottom of page for captchya. A bit of a pain but I guess it works...


Top
 Profile  
 
 Post subject: Re: Sniffing control flow between legacy devices over PATA/A
PostPosted: August 11th, 2017, 0:36 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 2876
Location: Adelaide, Australia
this page has example loading configs, helpful but design concept is a bit "how ya goin' " !

http://www.reocities.com/politalk/zip/index.html


Top
 Profile  
 
 Post subject: Re: Sniffing control flow between legacy devices over PATA/A
PostPosted: August 11th, 2017, 2:15 
Offline

Joined: August 17th, 2015, 21:40
Posts: 38
Location: Adelaide, South Australia
Tried another ATAPIZIP250 drive and win7 can format a disk and mount as a portable device.

CD2ISO gives: ISO9960 not detected, writes an ISO but cannot be mounted

Winimage for win7 says it's installed but is not to be found in file directory or programs list

PFM will not open or mount the ZIP disk.

If @Haque is procuring a SalvationData card, he is welcome to try my SP-808EX and additional ATAPI250ZIP drive/disk to test...I'm getting nowhere unfortunately.


Top
 Profile  
 
 Post subject: Re: Sniffing control flow between legacy devices over PATA/A
PostPosted: August 11th, 2017, 2:49 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 2876
Location: Adelaide, Australia
As soon as I have it I will let you know :)


Top
 Profile  
 
 Post subject: Re: Sniffing control flow between legacy devices over PATA/A
PostPosted: August 11th, 2017, 3:00 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 9497
Location: Australia
Can you show us sector 0 of the ISO?

HxD - Freeware Hex Editor and Disk Editor:
https://mh-nexus.de/en/hxd/

    launch HxD
    File -> Open -> select ISO file
    Edit -> Select Block
      Start offset - 0
      Length 200
      hex
      OK
    Edit -> Copy as -> Editor view

    Select "Code" BBcode button in HDD Guru forum
    Paste (Ctrl-V) the clipboard into the "code" box

[code][/code] <- paste your hex dump in here

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Sniffing control flow between legacy devices over PATA/A
PostPosted: August 11th, 2017, 3:30 
Offline

Joined: August 17th, 2015, 21:40
Posts: 38
Location: Adelaide, South Australia
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  EB 3C 90 4D 53 44 4F 53 35 2E 30 00 02 08 02 00  ë<.MSDOS5.0.....
00000010  02 00 02 00 00 F8 EF 00 3F 00 FF 00 20 00 00 00  .....øï.?.ÿ. ...
00000020  1C 78 07 00 80 00 29 98 1F A8 08 4E 4F 20 4E 41  .x..€.)˜.¨.NO NA
00000030  4D 45 20 20 20 20 46 41 54 31 36 20 20 20 33 C9  ME    FAT16   3É
00000040  8E D1 BC F0 7B 8E D9 B8 00 20 8E C0 FC BD 00 7C  ŽÑ¼ð{ŽÙ¸. ŽÀü½.|
00000050  38 4E 24 7D 24 8B C1 99 E8 3C 01 72 1C 83 EB 3A  8N$}$‹Á™è<.r.ƒë:
00000060  66 A1 1C 7C 26 66 3B 07 26 8A 57 FC 75 06 80 CA  f¡.|&f;.&ŠWüu.€Ê
00000070  02 88 56 02 80 C3 10 73 EB 33 C9 8A 46 10 98 F7  .ˆV.€Ã.së3ÉŠF.˜÷
00000080  66 16 03 46 1C 13 56 1E 03 46 0E 13 D1 8B 76 11  f..F..V..F..Ñ‹v.
00000090  60 89 46 FC 89 56 FE B8 20 00 F7 E6 8B 5E 0B 03  `‰Fü‰Vþ¸ .÷æ‹^..
000000A0  C3 48 F7 F3 01 46 FC 11 4E FE 61 BF 00 00 E8 E6  ÃH÷ó.Fü.Nþa¿..èæ
000000B0  00 72 39 26 38 2D 74 17 60 B1 0B BE A1 7D F3 A6  .r9&8-t.`±.¾¡}ó¦
000000C0  61 74 32 4E 74 09 83 C7 20 3B FB 72 E6 EB DC A0  at2Nt.ƒÇ ;ûræëÜ 
000000D0  FB 7D B4 7D 8B F0 AC 98 40 74 0C 48 74 13 B4 0E  û}´}‹ð¬˜@t.Ht.´.
000000E0  BB 07 00 CD 10 EB EF A0 FD 7D EB E6 A0 FC 7D EB  »..Í.ëï ý}ëæ ü}ë
000000F0  E1 CD 16 CD 19 26 8B 55 1A 52 B0 01 BB 00 00 E8  áÍ.Í.&‹U.R°.»..è
00000100  3B 00 72 E8 5B 8A 56 24 BE 0B 7C 8B FC C7 46 F0  ;.rè[ŠV$¾.|‹üÇFð
00000110  3D 7D C7 46 F4 29 7D 8C D9 89 4E F2 89 4E F6 C6  =}ÇFô)}ŒÙ‰Nò‰NöÆ
00000120  06 96 7D CB EA 03 00 00 20 0F B6 C8 66 8B 46 F8  .–}Ëê... .¶Èf‹Fø
00000130  66 03 46 1C 66 8B D0 66 C1 EA 10 EB 5E 0F B6 C8  f.F.f‹ÐfÁê.ë^.¶È
00000140  4A 4A 8A 46 0D 32 E4 F7 E2 03 46 FC 13 56 FE EB  JJŠF.2ä÷â.Fü.Vþë
00000150  4A 52 50 06 53 6A 01 6A 10 91 8B 46 18 96 92 33  JRP.Sj.j.‘‹F.–’3
00000160  D2 F7 F6 91 F7 F6 42 87 CA F7 76 1A 8A F2 8A E8  Ò÷ö‘÷öB‡Ê÷v.ŠòŠè
00000170  C0 CC 02 0A CC B8 01 02 80 7E 02 0E 75 04 B4 42  ÀÌ..̸..€~..u.´B
00000180  8B F4 8A 56 24 CD 13 61 61 72 0B 40 75 01 42 03  ‹ôŠV$Í.aar.@u.B.
00000190  5E 0B 49 75 06 F8 C3 41 BB 00 00 60 66 6A 00 EB  ^.Iu.øÃA»..`fj.ë
000001A0  B0 42 4F 4F 54 4D 47 52 20 20 20 20 0D 0A 52 65  °BOOTMGR    ..Re
000001B0  6D 6F 76 65 20 64 69 73 6B 73 20 6F 72 20 6F 74  move disks or ot
000001C0  68 65 72 20 6D 65 64 69 61 2E FF 0D 0A 44 69 73  her media.ÿ..Dis
000001D0  6B 20 65 72 72 6F 72 FF 0D 0A 50 72 65 73 73 20  k errorÿ..Press
000001E0  61 6E 79 20 6B 65 79 20 74 6F 20 72 65 73 74 61  any key to resta
000001F0  72 74 0D 0A 00 00 00 00 00 00 00 AC CB D8 55 AA  rt.........¬ËØUª


Top
 Profile  
 
 Post subject: Re: Sniffing control flow between legacy devices over PATA/A
PostPosted: August 11th, 2017, 18:28 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 9497
Location: Australia
That is a typical MSDOS FAT16 boot sector.

Code:
OEM identifier         "MSDOS5.0"
Bytes per Sector        512
Sectors per Cluster     8
Reserved Sectors        2
Number of FATs          2
Root Dir Entries        512
Total Sectors           0
Media Descriptor        F8h
Sectors per FAT         239
Sectors per Track       63
Number of Heads         255
Hidden Sectors          32
Total Sectors           489500
Drive Number            80h
Reserved                00h
Ext. Boot Sign. (0x29)  29h
Serial Number           08A81F98h
Volume Name            "NO NAME    "
File System Type       "FAT16   "
Boot Signature (0xAA55) AA55h

The fact that there are 32 Hidden Sectors suggests that Win7 has partitioned the drive as a single FAT16 volume beginning at physical sector #32. This means that CD2ISO has imaged the logical volume rather than the complete physical drive, ie it missed the first 32 sectors.

Is DMDE now able to read sector 0?

In any case this does not help us to see the Roland file system, whatever it is. ISTM that you will need to use SNARF and then HDAT2 to do this. You could run both tools from a bootable Win98 flash drive.

You can use MSINFO32.EXE to collect information about your system's hardware and software components. Go to Start -> Run and type MSINFO32. You can save all the info to a text file by selecting File -> Export. I would examine the text just in case you wish to restrict the information that you upload.

I recall a comment in another thread which suggested that the SP-808 may only support relatively low capacities. A figure of 512MB was anticipated. It was also suggested that any storage device which exceeded this limit may not be properly detected. An examination of the Roland file system may provide a clue to this limit.

Failing that, I propose to determine this limit by trial-and-error. To this end we could connect an external USB HDD enclosure to the SalvationData card. Prior to installing the HDD in its enclosure, we could reduce its capacity with a HPA.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Sniffing control flow between legacy devices over PATA/A
PostPosted: August 11th, 2017, 20:47 
Offline

Joined: August 17th, 2015, 21:40
Posts: 38
Location: Adelaide, South Australia
fzabkar wrote:
That is a typical MSDOS FAT16 boot sector

Quote:
In any case this does not help us to see the Roland file system, whatever it is

Quote:
I recall a comment in another thread which suggested that the SP-808 may only support relatively low capacities. A figure of 512MB was anticipated. It was also suggested that any storage device which exceeded this limit may not be properly detected. An examination of the Roland file system may provide a clue to this limit


Ok, what we wanted was to examine a zip disk that was formatted by the SP-808EX itself...didn't realize that.

Quote:
Failing that, I propose to determine this limit by trial-and-error. To this end we could connect an external USB HDD enclosure to the SalvationData card. Prior to installing the HDD in its enclosure, we could reduce its capacity with a HPA.


Yep ok, let's wait for the SalvationData and Mr HaQue's impeccable DOS skills to work it all out :)


Top
 Profile  
 
 Post subject: Re: Sniffing control flow between legacy devices over PATA/A
PostPosted: Today, 2:53 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 2876
Location: Adelaide, Australia
The following is my initial look into the A6 OS. It isn't entirely relevant per se to the original goal, but it may preserve the grooundwork for future SP-808/A-6 hackers, and helps to get things clear in my head.


The MIDI files that hold the A6 OS update are interesting in their simplicity. I love the way Roland used an existing functionality to update the hardware.. MIDI interface = free serial interface!

the MIDI standard is simple and Roland haven't deviated from SMF (Standard MIDI File).

The Hitachi Processor is apparently upward compatible with H8/300H instruction set. What I've found id there are many ways to configure the CPU. CPU has 8 sections, I assume one MIDI file per section.

I parsed the MIDI file of the first MIDI file.

- The header chunk is standard MIDI and checks out. Nothing interesting there.

- There is a single track.

- The Track chunk also checks out, and has the same format through each file, except for the last one which is slightly different at the end.

- The Track itself consists of a list of Track events. These are separated by a time Delta value (Variable length value) and one of 3 main types of Events: MIDI Event, Meta Event and System Exclusive Event. Think of it as a list like this:

in [x] ticks,
we are going to do [x].
in [x] ticks
we are going to do [y].
in [x] ticks
we are going to say "xyz".

etc...


-The A6 OS has 3 Meta events to start with. each consist of the time delta of 0x0, 0xFF that denotes it is a Meta event, The type of meta event, the size (in variable length encoding), and the data.

event 1 (Track name):

Code:
00 FF 03 20 53 50 2D 38 30 38 20 56 65 72 20 31 2E 30 31 30 20 6D 6D 6D 20 64 64 20 79 79 79 79 20 31 2F 38


where:
0x00 = 0x0 time delta value
0xFF = Denotes this is a Meta Event
0x03 = Denotes this meta event is the Sequence/Track name
0x20 = The length of Data is 32 bytes
the rest = "SP-808 Ver 1.010 mmm dd yyyy 1/8"

event 2 is (copyright notice)

Code:
00 FF 02 20 28 43 29 31 39 39 35 2D 31 39 39 38 20 52 6F 6C 61 6E 64 20 43 6F 72 70 6F 72 61 74 69 6F 6E 2E


where:
0x00 = 0x0 time delta value
0xFF = Denotes this is a Meta Event
0x02 = Denotes this meta event is the Copyright notice.
0x20 = The length of Data is 32 bytes
the rest = "(C)1995-1998 Roland Corporation."

event 2 sets up the Tempo and the delta time is based off this value.

Code:
00 FF 51 03 07 A1 20


where:
0x00 = 0x0 time delta value
0xFF = Denotes this is a Meta Event
0x51 = Denotes this meta event is setting the Tempo
0x03 0x07 0xA1 0x20 = Set tempo to 50000 Microseconds per Quarter Note


After these 3 events, there are 348 System Exclusive events (SysEx).

SysEx events can be used in a couple of different ways, but here they are used like this:

[delta time value] [SysEx byte 0xF0] [length of Data in variable length encoding] [Data]

a quick note on Variable length Encoding. It allows one to specify a size in as many bytes as you need, but no more, and no more than 4 (to everything below a 32bit ceiling)
basically, you can use the low 7 bits of the byte for your value. If you dont have enough, you set the highest bit to 1, and continue with the next byte. if the highest bit is 0, you know it is the last byte of the length. Because you are expecting a length byte/bytes, AND you know if high bit is 0... you know when length value stops. Brilliant!

Each is made up of :

Code:
10 F0 <size> <DATA bytes> F7


0x10 = time delta (time from previous event. Guessing this could be a baud rate of sorts for file transfer
0xF0 = SysEv
0xF7 = stop byte or you could say end of DATA.

here is a list of the sizes of DATA bytes in each event in each MIDI file

A6-1.MID :

1 event 0x11
1 event 0x33
1 event 0x1E
344 events 0x816E
1 event 0x11

A6-2 to A6-7 have the same:

1 event 0x11
1 event 0x33
344 events 0x816E
1 event 0x11

A6-1.MID :

1 event 0x11
1 event 0x33
1 event 0x812E
336 events 0x816E
1 event 0x8126
1 event 0x0F
1 event 0x11


I have run oout of time today to add the rest of the research, but quickly.. I am thinking the first events setup processor firmware upgrade, the large chunks are the firmware, and the end is either checksup or some end routine.
I stripped the MIDI control bytes out of the first MIDI file and I am thinking the result of all data bytes as a blob is more than likely each part of the H8 CPU firmware (OS).

I tried disassembling based around H8s/300H instructions but I think there is a bit more work to do for disassembling such as finding the vector table, properly setting up the address space in the disassembler etc..
I havent looked at the blob a whole lot yet, but it does show some clear patterns. Here is the first few SysEx events (truncated a bit, with the MIDI stuff stripped away):

Code:
41 00 7C 12 01 02 00 00 00 00 00 00 00 07 00 76 F7
41 00 7C 12 01 03 00 00 00 00 00 00 53 50 2D 38 30 38 20 56 65 72 20 31 2E 30 31 30 20 6D 6D 6D 20 64 64 20 79 79 79 79 20 68 68 3A 6D 6D 3A 73 73 38 F7
41 00 7C 12 01 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 0C 00 00 00 00 71 F7
41 00 7C 12 00 00 01 00 00 00 00 00 5A 13 14 78 54 53 32 00 35 45 53 59 53 00 5D 00 03 72 61 04 0F 00 00 20 0C 00 00 52 6F 6C 61 00 6E 64 45 43 01 10 6D 00 72..
41 00 7C 12 00 00 01 00 00 00 0C 04 5C 00 01 30 0D 06 79 08 20 7F 7F 46 3C 19 66 30 7D 01 40 16 17 76 0F 42 40 0A 60 68 08 28 16 53 46 06 0C 58 16 58 47 02 0A..
41 00 7C 12 00 00 01 00 00 01 08 08 00 08 0D 60 6E 18 00 0A 09 79 00 00 01 1A 0E 00 4B 04 10 10 40 78 6A 02 09 70 5E 14 09 6A 09 35 70 5E 01 20 6D 76 54 60 70..
41 00 7C 12 00 00 01 00 00 02 04 0C 6E 68 00 08 70 28 6E 00 68 00 08 18 08 6E 68 45 00 09 79 00 00 01 1A 00 0D 4B 04 10 10 40 78 01 6A 09 70 5E 14 09 6A 1A 09..
41 00 7C 12 00 00 01 00 00 03 01 00 33 64 14 0D 0C 58 55 2A 2A 0D 06 1D 60 46 16 04 6A 2D 00 40 33 64 0C 02 58 55 1A 0D 06 1D 60 41 46 06 79 00 7F 7F 40 06 08..
41 00 7C 12 00 00 01 00 00 03 0D 04 68 08 28 16 46 5A 19 18 55 40 10 0D 50 17 70 01 0F 61 0A 01 68 19 29 29 7F 47 08 0B 55 79 25 40 00 04 4D 6A 79 25 00 08 04..
41 00 7C 12 00 00 01 00 00 04 09 08 0D 50 17 70 0F 61 0A 2A 01 78 7F 68 18 40 76 74 0D 50 17 70 7A 01 00 08 00 00 04 0A 61 0A 01 05 68 19 29 7F 46 26 17 18 75..
41 00 7C 12 00 00 01 00 00 05 05 0C 40 0E 0D 50 17 70 7A 02 16 00 00 00 08 0A 06 01 18 08 68 68 01 20 6D 28 76 01 10 6D 73 54 70 00 6A 28 00 40 10 01 47 00 04..
41 00 7C 12 00 00 01 00 00 06 02 00 0B 56 79 26 00 10 4D 00 40 5C 00 0C 3E 0D 00 40 58 70 00 3C 5E 12 62 08 10 04 40 7A 06 00 40 50 02 0C 7A 01 00 12 64 00 1C..
41 00 7C 12 00 00 01 00 00 06 0E 04 40 08 19 00 6B 20 00 02 40 10 1E 01 20 6D 76 00 01 10 6D 73 54 70 01 00 10 6D 74 0D 05 7A 04 10 00 40 10 00 6E 48 00 00 01..
41 00 7C 12 00 00 01 00 00 07 0A 08 00 40 10 1E 78 01 5C 04 00 0B 0A 0D 00 47 42 10 79 00 20 00 6B 20 00 12 60 00 0C 78 03 5C 00 08 0B 76 0D 00 47 2E 79 00 00..
41 00 7C 12 00 00 01 00 00 08 06 0C 79 40 00 20 5C 00 09 08 4C 6B 20 00 60 00 0C 50 78 11 68 68 79 00 00 68 11 5C 00 09 3A 6B 20 45 00 60 00 0E 5C 00 0B 00 20..
41 00 7C 12 00 00 01 00 00 09 03 00 7F 00 69 70 0D 40 79 4A 60 7F 00 6F 70 00 02 24 5A 10 0A 2C 01 00 6F 00 62 00 0E 78 01 6E 68 49 00 03 19 00 6B 20 00 02 40..
41 00 7C 12 00 00 01 00 00 09 0F 04 00 02 69 30 18 08 68 0A 68 40 28 6A 30 00 60 40 00 1C 73 30 47 44 5C 02 00 07 76 01 00 6F 60 00 00 0E 7A 10 00 00 01 00 00..


when I get time later I am going to have a closer look at the CPU manual and instruction set. Kind of starting make a little headway :)


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 114 posts ]  Go to page Previous  1, 2, 3, 4, 5, 6

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 5 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group