I'm back in 32bit windows for this latest (not yet announced) project and GOOD LORD is a linear address space such a breath of fresh air. You can actually find things in memory and in the binary!
@foone i come from the world of "magic happens here" https://www.mrynet.com/DEC/PDP10/tops20/V7.0/documentation/rim10b..html
this was about the Wonder Tools Cruiser (and the software for it) which I've been hacking on for the last couple days.
Mainly on the software side so far: For the RomChip stream, it was running on old hardware rather than conversion to USB or anything, as that was all we could do in time
It plugs in via PS/2, but doesn't seen to be sending scancodes. I think it's either waiting for a special command to turn it on, or it's entirely out-of-band commands from the device.
I can't be sure until I get a chance to analyze the protocol
It uses a VXD driver which limits it to Windows 3.1 and Win95. The game itself talks to a DLL, so I'm working on replacing that DLL with my own. Eventually that'll talk to a custom adapter I'll build, probably just an arduino
I'm also going to make it a standard keyboard/controller, of course. so it can be used to play myst and doom and all that.
there is a certain type of programmer that thinks all problems can and should be solved with an additional layer of indirection
I'm currently 7 layers deep in trying to find where this game does a CD check, and all 7 layers are wrappers around MessageBox()
@foone I tend to take programmers like this and make them do pair programming, so I can ask them as a group to solve a problem.
god, Ghidra handling for C++ classes is a fucking mess. I've got vtables and I'm having to assign each function in them to the right class by finding them in the symbol list and dragging them, which requires a lot of scrolling.
I can't just right click -> assign to class X, or do the obvious thing and change the type of the this pointer, because that's FORBIDDEN
@foone I've had decent success using Pharos OOAnalyzer to search for classes. You can import the JSON into Ghidra using the Kaiju plugin.
The one downside is that it solves the class diagram using Prolog... In other words: "How much RAM does it take?" "Yes."
performance pro-tip: make all your member functions uninlinable by making sure to declare them virtual.
The good news: source available
The bad news: it’s Java. I’ve dived into idea source a couple times and swiftly remembered just how much I hate Java. It’s like Pascal and XML had a love child.
@foone Meanwhile me, watching at raw pointer math in the decompiler for vtable access
@foone wait can't some compilers can do some magic to inline one version but keep the jump table and... yeah never mind it hurts just thinking about it
@foone Keeps the CPU cool so the clock speed stays high for optimal performance.
@foone I use a janky script that copies the namespace from the first function pointer in a selection to the rest and sets all the functions to thiscall. Annoyingly I've had some issues where the decompilation doesn't update properly and still thinks this is void* but at least it's easier to fix than manually assigning the class for everything...
https://gist.github.com/TellowKrinkle/ecc46711913c97667735f03f17f688a6
The y-splitter that you connect the keyboard + Cruiser through. I suspected something weird was going on with this, but it's weirder than I thought. .
NOTHING! there's NOTHING in there! this is an entirely passive splitter!
the pinout is probably Special, but I'll have to wait until I can grab my multimeter and test that.
I don't really know why they designed this splitter. They could have just put a second PS/2 port onto the Cruiser itself, and let you plug the Cruiser directly into the PC
@foone maybe a kid could have pulled out the keyboard plug if it were that close?
@foone I would not be at all surprised if it was an afterthought where they made it far enough into production before somebody went "wait a minute, we'll be occupying a pretty important port that may be limited" and it was far cheaper to do a splitter than a hardware resdesign
@sudo_EatPant @foone I'd imagine they'd plan a whole line of "wonder tools" if this caught on - maybe it was for hot-swapping them? Maybe something in the manual?
@kirch @sudo_EatPant nah it's PS/2, hot-swap is not supported. They could have added some extra circuitry to make it hot-swappable, but they didn't
where did these fuckers find a 13-pin PS/2 port?
IT ONLY HAS 6 PINS. SEVEN IF YOU WANT TO PUSH IT AND CALL THE SHIELD ONE
@foone ....i want to see the cursed 13 pin port
I have vague memories of seeing one years ago on something odd where it had the tiny pitch pins like a high density SCSI connector
@foone There is actually an easy way: rename the function and insert the fully qualified namespace and class before the name. So func would turn into namespace::Class::func. Ghidra's rename logic detects this and moves the function into the appropriate namespace/class, while stripping them from the actual 'name'
@foone Mini-DIN 13 is a thing, is this what it looks like? https://www.passion-radio.com/interface-cable/slusb-13i-1487.html
@RealDerekDahlsad no, it's a PS/2 port: only 6 pins. It's just the connector they have on the board has 13 pins, for some reason
@artandtechnic @foone add this one to the Cursed Connectors Bank. Ikegami RS-11 Remote Setup Unit.
I suspect the connector is a Hirose product, but what fresh hell is it? The remotes, sans cable, are as prevalent as Lego bricks on ebay.
@foone @artandtechnic oops I posted with no alt text, I think I properly edited and refrobnicated it. That or I completely broke this thread. Fnord.
@foone 13 pin mini-DIN? That is cursed. I’ve only seen them up to 10 and I don’t know how you’d fit any more pins into it than that.
To be clear, this just a 6-pin PS/2 connector, not some weird mini-din thing.
It's just got 13 pins soldered to the PCB
@foone I wonder if it's for extreme mechanical robustness because kids are kids. I know vtech did some similar things with their connectors - one of the Z80 based ones I tinkered with a while back had a power connector with metal tabs that went through the PCB, folded over, and soldered flat. glad I didn't need to desolder it.
@foone maybe it works like a headphone jack and some of the pins are connected together when nothing is inserted?
It's probably one of those wacky dual-port PS/2 connectors.
@foone It was very common back then. Like with Laptop only having a single PS/2 connector for both, Mouse and Keyboard.that way space was saved.
It further enabled using a single cable to a keyboard which then had the splitter so the mouse could be connected to the keyboard, giving he same comfortable setup as with a Mac using ADB.
Last but not leas, Fisher-Price/Compaq introduced several 'special' Keyboard/Mouse stations for young kids. Like for driving or flying or submarine simulation. Many more were planned. That way again a single cable was needed, reducing complexity for kids - or rather parents setting this up for their 5 year old:)
Going by the wikipedia pinout, pins 1,3,4,5 are connected directly (on both ports) as you'd expect from a keyboard splitter.
pin 6 is connected too, which doesn't make sense (that's clock data for a mouse on a splitter. there's no mouse here)
and pins 1 and 2 are commoned together. That's keyboard data and mouse data (splitter), which makes no sense.
@foone that's assuming the pins on that connector have the same footprint as the other. Which...one would hope they do, but still maybe not
@foone is this some sort of heinous switched connector?
like, if a keyboard is connected but no toy, it passes the keyboard signals straight to PC
but if toy is connected, one or more keyboard signals are disconnect from PC and remain connect to other pins on toy?
for toy to receive and pass on at its leisure?
@foone Can you plug this splitter also into the mouse PS/2 port instead of the keyboard one then? Maybe they tried to make it fool prove by allowing one to just use either one? Or it's for the older notebooks that just had one PS/2 port for both?
@agowa338 I don't believe so, the driver seems to only target the keyboard port
FINALLY, what I was hoping to do earlier today (before PG&E so rudely interrupted me with a power outage), I've got a logic analyzer on the ps/2 port of my Pentium!
Now that I know this works, I can plug in the Cruiser and push buttons and see what happens, if anything.
yep: NOTHING. No signals. This thing does not just send any commands unless prompted
okay I'm onto it. I don't got it fully, but I have an idea of how it works.
Here's the first fun part:
the joystick is repeatedly queried by the controller, every 400ms.
An example joystick query:
Host: 02
Key: E9
H: 02
K: FA
H: 05
K: FA
H: 03
K: FA
K: 02
K: 01
K: DA
Keypresses are different. Top-left key, the red triangle?
it sends multiple groups of 3 make codes,14ms apart.
They all start 02 01
the third byte goes through: 06 86 A9 29 A9 29.
I have no idea what this means yet
ok I think a9 29 may be a glitch or something I don't understand yet. I think it's just sending make/break codes, just encoded differently.
The first three keys are:
06 0B 05, with the break versions being 86 8B 85.
I did a test where I hold the key down longer, and I got the first code, then later the second code
I'm documenting the scancodes there:
The spurious a9/29 turned out to be the phone. the on-hook button is 29. Apparently me pushing keys was wiggling a bad contact and it was going on-hook off-hook repeatedly!
and I was wrong about the scanning the joystick every 400ms. that's actually an animation playing on the LEDs
this joystick doesn't make much sense, unless it's an 8-way joystick or a 1.5-bit digital joystick.
oh good sometimes it sends the first two bytes and then juts gives up and never sends the third.
that'll be easy to handle in the protocol
throttle is way simpler than I thought. It's just four keys: off, low, medium, high. (39, 48, 4B, 50)
The wheel works similar, the joystick is mysterious.
But I have enough captured signals for now. I'm putting it down, and tomorrow I'm gonna work on adding my own support to an arduino project
I still gotta figure out the begin-command. It definitely doesn't start sending keys until the PC sends some kind of command
@foone oh there is! That's why I have a big black sticker with white text on my laptop saying "INDIRECTION IS NOT ABSTRACTION". I use it in design arguments ;oD
arduino setup and talking to it, but my initialization signal is not working. I think my copy of the initialization string is wrong, because I was logic-analyzing at the wrong resolution. FUCK now I gotta redo a lot of wiring
I'm looking at the disassembly of the VXD instead. That seems like less work at this point
ghira continues to not understand microsoft's incredibly terrible VXD calling convention. it keeps marking entire functions as not code because there's invalid instructions in them
OH GOODY this VXD is mix of different calling conventions and there's thunks that convert between them. Ghidra doesn't like this
SendByteToKeyboardWrapperWrapper
I swear to god if you compaq idiots wrap this function one more time, I'm coming back to 1996 to beat you up
oh good. writing 0x60 to the 8042 is documented as being an undocumented compaq thing.
ugh
maybe I'll modify dosbox to output what gets written to the 8042.
that'd be easier than hooking up the stupid logic analyzer again
hooked up the logic analyzer again.
my first capture said the command was 0x90... it was actually 0xD0
huh. it doesn't turn off. like when you launch the game, it sends some commands that make the cruiser start sending data, right?
but when you exit the game, it turns turn that off. the cruiser is still sending invalid keyboard keys, and will do so until you power down
huh. it sends a code (presumably a shutdown code) at windows shutdown.
you might think that's silly. This is an overgrown keyboard. Why turn it off when the computer is about to be powered off?
but this is windows 95!
so you could get to the "it is now safe to power off your computers*" screen and ctrl-alt-delete, and in that case the computer would boot with the cruiser active.
You could also do "reboot to MS-DOS" at the shutdown dialog, because it SOMETIMES DOESN'T REBOOT. You might end up with windows 95 just exiting instead.
and while the VXD presumably can filter out the weird scancodes/commands of the keyboard buffer before they go and confuse windows programs, the VXD isn't running in DOS. So a DOS program could easily be confused by the strange commands.
I wonder what happens if I hit the reset button while windows is running. Does it spy on keyboard-test commands and it'll power itself off when it sees the BIOS test the keyboard? or will it remain active?
oh nevermind, I've misinterpreted somehow. it does shutdown when you exit the game (maybe I crashed it or something?)
... what happens if I run a DOS keycode sniffer while the game is running? I can alt-tab out!
okay I have it like ALMOST working. There's an input underflow problem which means that my initialization sequence halts halfway through... but if you type something on the attached keyboard (not the cruiser, the regular keyboard!), it suddenly works.
I added timeouts to some of the initial commands which lets it pass. I don't know what values the keyboard is sending, which ones it's not sending, etc, but I know my current spam of commands works. Maybe later I'll understand what I'm doing
but it works. and I now have an arduino sketch that'll talk to the wondertools device and get back keyboard presses.
It is frankly amazing how long it took to get to this very basic point!
figuring out which parts of my initialization string are load-bearing by deleting them one by one and seeing if it still works afterwards
@foone i cannot wait for the adapter so we can hook a pt cruiser controller to a space or mech simulator 😁
okay my tester program let me figure out what all the keys are and what they mean.
@foone I don't really see an order, apart from two consecutive values here and there. How the hell did that happen?
@foone wait you could just press ctrl-alt-delete at the "it is now safe to power off your computer" screen? Never knew that worked.
@foone what happens at the MS-DOS level when you just hard crash win95 and the game? 🤔
Probably nothing good.
This thing is a "keyboard" designed in 1996.
I estimate the chances it's powered by an 8051 to be approximately 140%
ZILOG?! It's a Z80?!
P/N 0952-0002 gives nothing. This is presumably a custom z80+PROM made for Fisher Price.
@foone it would make sense, fisher price toys don't usually even need a processor, so
@RueNahcMohr could be a z8 too, yeah. I'll have to check the pinout to be sure
the "Toy 1950" is interesting. The FCC ID is CCT71950, so presumably 1950 is the internal model number.
the FCC seems to have lost all the documentation for this device. probably it's still on a floppy disk that no one ever imaged
@foone hmm hmm, i was surprised to come across a zilog mcu for some old keyboards that was the Z8602/14/15/C15/E23, wondering if it's similar at all
@RealGene yeah but I've seen FCC reports where they've done that, and they show them in the list but don't let you view them. Here there's nothing
@foone be funny if they just never got approval and nobody noticed until now!
@foone Wait - floppies need to be "digitized"? I thought they were already digital? Now I'm confused...
@foone I there a recognizable prom on the circuit board? If not this *could* be a Z280[?]
@SvenGeier good point. I was thinking in the archival sense where "digitized" is often used as shorthanded for "ingested into some archive"
annoyingly my adapter doesn't work if there's no keyboard connected. So for now you have to have a ps/2 keyboard connected, even if that ps/2 keyboard will not at all work
@foone because it’s the keyboard that generates the clock, not the host, yeah?
Oh thank fuck. I tried switching to a different microcontroller, had no luck, then realized I might have wired the +5/GND backwards. I switched back to the original microcontroller, no luck. I was afraid I fried it.
But I tested again this morning with the windows 95 machine directly, and it still works fine. So it's just an issue with my arduino setup, I didn't just fry this rare accessory
@jpm the clock in ps/2 is weird, I think any device (host, keyboard, or cruiser) can generate it
They really didn't care about the environment back then, did they?
so I think I fried one of my arduinos? weird. But I still can't talk to it with anything but an ancient arduino that I can't use to emulate a joystick/keyboard.
I'm gonna have to dig through a lot more microcontrollers until I get this stupid thing talking in a useful manner
@foone hold down reset until *just* as its connects and then release.
@foone maybe that’s the thing, the cruiser is relying on someone else to do the clock?
EVERYTHING IS BROKEN but I have it talking to a teensy 3.2 now. Finally!
REVERSE ENGINEER PRO-TIP:
if you're trying to capture the initialization commands for some hardware with a logic analyzer, it helps if you plug the logic analyzer into the cable the commands will go down. having it sit next to it but not connected, surprisingly, will not work
@foone and if for some reason it does work, get some gasoline and burn it down to ashes
@foone but but… what if you’re reverse engineering WIRELESS
I keep trying to slow down my code to make it work (I'm talking to a z80!), but after some testing, I think the problem is that the fucker is timing me out! I'm sending TOO SLOW
@foone the z80 is mocking you. Personally.
It’s laughing at ya in assembly.
You gonna stand for that?
FINALLY I understand the startup sequence.
okay, understand is possibly overstating it. but I've got it. It's this:
D9, D0, [C], [1]. With no keyboard connected, this works.
For the bracketed characters, you have to escape them, which is 01 01 XX, or 02 01 XX, depending on if there's a keyboard connected or not
the bracketed ones also will time you out if you take too long. this is because they hate you
So I think the boot code is the following:
Send D9. You should get C6 back. If you don't, try again until you do.
Send D0. You should get a 1 or 2 back. Remember that value for your escaped characters.
Send an escaped C. You should get an escaped 69 back.
send an escaped 1. You'll get an escaped DA back.
and then some spam as it initializes. An example value is 1 5 1b 39 29 3c 3c
@foone I read this as:
Send Diode 9, You should get Capacitor 6 back.
Send Diode 1 [...]
I hate having to define footprints in kicad so much. I'd do 20 times as much PCB design if I never had to deal with fucking footprints
@foone If the editor wasn't so gross and crude it wouldn't be so bad. But it's like some kind of 1970s primitive thing instead of easy to use like a mid '80s Mac draw program.
@foone I did find it somewhat nicer once I learned you can type numerical expressions in any of the size/position boxes. E.g. if you want to move something up by half of 18.4 mils, just append `+ 18.4/2` into its Y position box, and it does so.
@foone Funny, once you do enough of it it gets less horrible. But the question is WHY do I have to be so good at this?
If I download one more third party footprint that's actually wrong, I won't be held responsible for what I do. And I'm sick to death of part vendors that want you to download an executable program to get a footprint that should be in a simple standard format.
Sorry, triggered. I owe you one.
okay PCB seems to be done. It's a teensy + ps/2 port + two mosfet-based level shifters.
@foone What's the first task the cruiser will be put to?
oh hey this has a coin acceptor. I should play a mame game with it. pole position, maybe?
@foone hmm a homebrew game for one of the standardized arcade platforms that uses the money input as a gameplay element in novel ways could be interesting actually
I'm having a problem where my code thinks buttons are stuck down, but I don't think it's on my end. I think if you push keys too fast , the controller gets confused and fucks up the protocol
@foone solution. Glue the buttons down. Such that the hardware better matches the software :p
@phoenixgee I'm pretty sure it's doing debouncing in the z80 firmware, it's just not handling the output protocol properly
this mainly is going to make the joystick a nightmare to program. it keeps getting stuck thinking I'm doing like, up + down + down-left
I could solve the protocol problem by just accepting corrupted packets, EXCEPT one of the header bytes for the packet is also a position on the wheel, so every time you glitched the protocol by pushing keys too fast, it'd think you yanked the wheel to the right
oh god it might not be corrupted. I might just be misunderstanding the protocol. it might be saying "hey this packet has two keypresses"
yes lets read all 3 button presses from a 2 button packet
I'm sure that won't desync the everything
I swear to god if there's quadruple packets I'm going to.... return this device to the video game history foundation
okay I think I have it handling most packets. sometimes it decides to send a device=2 packet when I have only one device connected, which is extra questionable
When someone does invent a working time machine, "go back and kill Hitler" is going to be a long way down the list, behind about a thousand different cases of "go back and punch the idiot who designed this in the wiener".
👊 🌭
@cazabon oh, I'm well acquainted with the feeling of wanting to go back in time and do physical violence on the original designers of things.
IT LIVES! and works perfectly.
Just need to make a quick video of it playing Doom or somesuch and then I can send this back to the VGHF.
discovered the hardware has a ghosting problem: joystick up+right+horn gives phantom joystick-fire-button presses.
I am shocked, SHOCKED that this 30 year old toy is not up to mechanical keyboard standards
@foone Seems par for the course for the age / technology. The Amstrad CPC managed to have ghosting between the joystick and the keyboard, while the secondary joystick straight overlaps with the keyboard and can't be distinguished, on top of all the ghosting.
@techokami might be fixable by just adding diodes? it depends if the code will just work, or if it's running close to tolerances. Adding diodes might change the voltages the 8051 is seeing.
@foone yeah I was thinking diodes, but good point on voltage levels, didn't even think that could be an issue
