Find out how the EPSON LCD-Controller is used
Posted: 11 Nov 2021, 20:38
In order to find the routines handling the Display, the first thing to know is how the LCD-Controller is connected to the MAC7116.
This is the part: This is the pinout of it in the same orientation: In the datasheet of the chip we find that it has a 16 Bit data lines (DB0-DB15) and a 18 address lines (AB0-AB17). But what it really interesting is the CS# (chip-select) as this will handle when and if the EPSON is used. Without the CS# signal low, all it's IO-interface lines are high impedance.
The datasheet also notes that all IO-ports operating on 3.3V level. Now we know that MAC7116 uses 5V for IO-Voltage, so there must be a level shifting between them. This is where those three LCX16245 chips comes into play!
I traced down that CS# from EPSON goes via one of those level-shifters to /CS1 of the MAC. The chip selects are controlled within the EIM module (located from 0xFC00 8000 onwards). The MAC has a special register for handling that signal, it is the CSAR1 at 0xFC00 808C and the CSMR1 at 0xFC00 8090. The CSAR1 takes a 16 Bit value of the base address used to trigger CS1 going low. This 16 Bit value is compared to the higher half-word (Bis 31-16) if the address accessed.
Let's see if we can find a trace in firmware where this is setup!
With the knowledge that all memory mapped registers start at 0xFC00 0000 and this is the base used everywhere in the code, and that the base address of the chip select registers start at 0xFC00 8080 i searched for the direct value 0x8080 using ALT-I. IDA found a lot of them but right the first one in the PBL segment attracts my attention:
This subroutine seems to contain a looot of init commands for the MAC, so i renamed the function "mac_init". Down at the found location 0x3484 the code looks like:
at the beginning of the sub, R5 was set to 0xFC00 0000
So after the ADDS, R5 holds the value 0xFC00 8080, which is the base of chip select registers. Getting closer...!
This is interesting, because R5+0xC is the address of the "Chip select address register—bank 1 (CSAR1)":
But what is the value of R2 the STRH stores at this address? The LSLS shifts the value of R1 bitwise 13 times to the left and feds R2. But was is the value of R1? Again, the answer is up in the code where R1 is set:
So shifting a 1 thriteen times to left will result in 0x2000. So this is what get's loaded into the CS-Regsiter CSAR1.
Here the mask (Chip select mask register—bank 1 "CSMR1" at 0xFC00 8090) is set:
From the docs these Bits mean:
Bit 0 (V) = 1 = Chip select configuration is valid
Bit 5-1 = 0 = The address space assigned to CS1 is available to the specified access type (all types)
Bit 8 (WP) = 0 = Both read and write accesses are allowed
Bit 19-16 = 0001 = 128 kb of address space
Ok, now we know that the external EPSON LCD-Controllers internal registers are mapped to the address locations:
0x2000 0000 - 0x2001 FFFF
We need to also find M/R# pin, as this decides if the display memory (SRAM) or the control registers of the EPSON are to be accessed.
This is the part: This is the pinout of it in the same orientation: In the datasheet of the chip we find that it has a 16 Bit data lines (DB0-DB15) and a 18 address lines (AB0-AB17). But what it really interesting is the CS# (chip-select) as this will handle when and if the EPSON is used. Without the CS# signal low, all it's IO-interface lines are high impedance.
The datasheet also notes that all IO-ports operating on 3.3V level. Now we know that MAC7116 uses 5V for IO-Voltage, so there must be a level shifting between them. This is where those three LCX16245 chips comes into play!
I traced down that CS# from EPSON goes via one of those level-shifters to /CS1 of the MAC. The chip selects are controlled within the EIM module (located from 0xFC00 8000 onwards). The MAC has a special register for handling that signal, it is the CSAR1 at 0xFC00 808C and the CSMR1 at 0xFC00 8090. The CSAR1 takes a 16 Bit value of the base address used to trigger CS1 going low. This 16 Bit value is compared to the higher half-word (Bis 31-16) if the address accessed.
Let's see if we can find a trace in firmware where this is setup!
With the knowledge that all memory mapped registers start at 0xFC00 0000 and this is the base used everywhere in the code, and that the base address of the chip select registers start at 0xFC00 8080 i searched for the direct value 0x8080 using ALT-I. IDA found a lot of them but right the first one in the PBL segment attracts my attention:
Code: Select all
PBL:00003484 sub_335c LDR R6, =0x8080
Code: Select all
PBL:00003484 LDR R6, =0x8080
PBL:00003486 ADDS R5, R5, R6
Code: Select all
PBL:00003360 LDR R5, =0xFC000000
This is interesting, because R5+0xC is the address of the "Chip select address register—bank 1 (CSAR1)":
Code: Select all
PBL:0000349A LSLS R2, R1, #13
PBL:0000349C STRH R2, [R5,#0xC]
Code: Select all
PBL:00003372 MOVS R1, #1
Here the mask (Chip select mask register—bank 1 "CSMR1" at 0xFC00 8090) is set:
Code: Select all
PBL:0000349E LDR R2, =0b1 0000 0000 0000 0001
PBL:000034A0 STR R2, [R5,#0x10] ; 0xFC00 8090
Bit 0 (V) = 1 = Chip select configuration is valid
Bit 5-1 = 0 = The address space assigned to CS1 is available to the specified access type (all types)
Bit 8 (WP) = 0 = Both read and write accesses are allowed
Bit 19-16 = 0001 = 128 kb of address space
Ok, now we know that the external EPSON LCD-Controllers internal registers are mapped to the address locations:
0x2000 0000 - 0x2001 FFFF
We need to also find M/R# pin, as this decides if the display memory (SRAM) or the control registers of the EPSON are to be accessed.