Find out how the EPSON LCD-Controller is used

[Go4IT]

In order to find the routines handling the Display, the first thing to know is how the LCD-Controller is connected to the MAC7116.

This is the part:

s2d13a05f00a1_part.png

This is the pinout of it in the same orientation:

s1d13a05f00a1_pinout.png

In the datasheet of the chip we find that it has a 16 Bit data lines (DB0-DB15) and a 18 address lines (AB0-AB17). But what it really interesting is the CS# (chip-select) as this will handle when and if the EPSON is used. Without the CS# signal low, all it's IO-interface lines are high impedance.

The datasheet also notes that all IO-ports operating on 3.3V level. Now we know that MAC7116 uses 5V for IO-Voltage, so there must be a level shifting between them. This is where those three LCX16245 chips comes into play!

I traced down that CS# from EPSON goes via one of those level-shifters to /CS1 of the MAC. The chip selects are controlled within the EIM module (located from 0xFC00 8000 onwards). The MAC has a special register for handling that signal, it is the CSAR1 at 0xFC00 808C and the CSMR1 at 0xFC00 8090. The CSAR1 takes a 16 Bit value of the base address used to trigger CS1 going low. This 16 Bit value is compared to the higher half-word (Bis 31-16) if the address accessed.

Let's see if we can find a trace in firmware where this is setup!

With the knowledge that all memory mapped registers start at 0xFC00 0000 and this is the base used everywhere in the code, and that the base address of the chip select registers start at 0xFC00 8080 i searched for the direct value 0x8080 using ALT-I. IDA found a lot of them but right the first one in the PBL segment attracts my attention:

Code: Select all

PBL:00003484	sub_335c	LDR             R6, =0x8080

This subroutine seems to contain a looot of init commands for the MAC, so i renamed the function "mac_init". Down at the found location 0x3484 the code looks like:

Code: Select all

PBL:00003484                 LDR             R6, =0x8080
PBL:00003486                 ADDS            R5, R5, R6

at the beginning of the sub, R5 was set to 0xFC00 0000

Code: Select all

PBL:00003360                 LDR             R5, =0xFC000000

So after the ADDS, R5 holds the value 0xFC00 8080, which is the base of chip select registers. Getting closer...!

This is interesting, because R5+0xC is the address of the "Chip select address register—bank 1 (CSAR1)":

Code: Select all

PBL:0000349A                 LSLS            R2, R1, #13
PBL:0000349C                 STRH            R2, [R5,#0xC]

But what is the value of R2 the STRH stores at this address? The LSLS shifts the value of R1 bitwise 13 times to the left and feds R2. But was is the value of R1? Again, the answer is up in the code where R1 is set:

Code: Select all

PBL:00003372                 MOVS            R1, #1

So shifting a 1 thriteen times to left will result in 0x2000. So this is what get's loaded into the CS-Regsiter CSAR1.

Here the mask (Chip select mask register—bank 1 "CSMR1" at 0xFC00 8090) is set:

Code: Select all

PBL:0000349E                 LDR             R2, =0b1 0000 0000 0000 0001
PBL:000034A0                 STR             R2, [R5,#0x10]    ; 0xFC00 8090

From the docs these Bits mean:
Bit 0 (V) = 1 = Chip select configuration is valid
Bit 5-1 = 0 = The address space assigned to CS1 is available to the specified access type (all types)
Bit 8 (WP) = 0 = Both read and write accesses are allowed
Bit 19-16 = 0001 = 128 kb of address space

Ok, now we know that the external EPSON LCD-Controllers internal registers are mapped to the address locations:
0x2000 0000 - 0x2001 FFFF

We need to also find M/R# pin, as this decides if the display memory (SRAM) or the control registers of the EPSON are to be accessed.

[Go4IT]

Looking (ALT-I) for 0x2000 0000 refers to these functions:

Code: Select all

Address	Function	Instruction
MAIN:00027B28	sub_27B16	MOVS            R5, #0x20000000
MAIN:00027C48	sub_27C36	MOVS            R5, #0x20000000
MAIN:00027DC2	sub_27D38	MOVS            R0, #0x20000000
MAIN:00029A02	sub_299F4	        MOVS            R2, #0x20000000
MAIN:00029A20	sub_29A10	MOVS            R2, #0x20000000
MAIN:0002A3D4	sub_2A3CE	MOVS            R1, #0x20000000

I would identify the first one as a function to load a LUT table into the controller:

Code: Select all

MAIN:00027B16 lcd_load_LUT                            ; CODE XREF: sub_27B8E+18↓p
MAIN:00027B16                                         ; sub_27B8E:loc_27BCC↓p ...
MAIN:00027B16                 PUSH            {R4-R7}
MAIN:00027B18                 LDR             R0, =byte_40004BDC
MAIN:00027B1A                 LDRB            R3, [R0,#(byte_40004BDE - 0x40004BDC)]
MAIN:00027B1C                 CMP             R3, #2
MAIN:00027B1E                 BHI             loc_27B6A
MAIN:00027B20                 MOVS            R4, #0xFF
MAIN:00027B22                 LDR             R6, =LUT_TABLE
MAIN:00027B24                 LSLS            R4, R4, #8
MAIN:00027B26                 MOVS            R0, #0
MAIN:00027B28                 MOVS            R5, #0x20000000 ; base address of EPSON LCD controller
MAIN:00027B2C
MAIN:00027B2C loc_27B2C                               ; CODE XREF: lcd_load_LUT+40↓j
MAIN:00027B2C                 LSLS            R1, R0, #2 ; Shift value 2 bits to the left means to multiply by 4
MAIN:00027B2E                 LDR             R1, [R6,R1] ; Load LUT value from offset 0x4000 1AF8 + R1 into R1
MAIN:00027B30                 LSLS            R2, R0, #8
MAIN:00027B32                 LSLS            R7, R1, #0x18
MAIN:00027B34                 LSRS            R7, R7, #0x18
MAIN:00027B36                 ORRS            R2, R7
MAIN:00027B38                 NOP
MAIN:00027B3A                 STRH            R2, [R5,#0x18] ; Set LUT Red Write Data
MAIN:00027B3C                 MOVS            R2, R1
MAIN:00027B3E                 MOVS            R7, #0xFF0000
MAIN:00027B42                 ANDS            R1, R7
MAIN:00027B44                 LSRS            R1, R1, #0x10
MAIN:00027B46                 ANDS            R2, R4
MAIN:00027B48                 ORRS            R1, R2
MAIN:00027B4A                 NOP
MAIN:00027B4C                 STRH            R1, [R5,#0x1A] ; Set LUT Green and Blue Write Data
MAIN:00027B4E                 ADDS            R0, #1
MAIN:00027B50                 LSLS            R0, R0, #0x10
MAIN:00027B52                 LSRS            R0, R0, #0x10
MAIN:00027B54                 CMP             R0, #0xFF
MAIN:00027B56                 BLS             loc_27B2C ; Shift value 2 bits to the left means to multiply by 4
MAIN:00027B58                 ADDS            R3, #1
MAIN:00027B5A                 LDR             R0, =byte_40004BDC
MAIN:00027B5C                 LSLS            R1, R3, #0x18
MAIN:00027B5E                 LSRS            R1, R1, #0x18
MAIN:00027B60                 STRB            R1, [R0,#(byte_40004BDE - 0x40004BDC)]
MAIN:00027B62                 CMP             R1, #2
MAIN:00027B64                 BLS             loc_27B6A
MAIN:00027B66                 MOVS            R1, #0
MAIN:00027B68                 STRB            R1, [R0,#(byte_40004BDE - 0x40004BDC)]
MAIN:00027B6A
MAIN:00027B6A loc_27B6A                               ; CODE XREF: lcd_load_LUT+8↑j
MAIN:00027B6A                                         ; lcd_load_LUT+4E↑j ...
MAIN:00027B6A                 POP             {R4-R7}
MAIN:00027B6C                 BX              LR