Mattel Pixter
See also previous research on eLinux.
Tooling
JTAG
For the adapter, I used a CJMCU-232H, which is based on FT232H. These clones are cheap but well supported in OpenOCD. Other adapters might work as well, such as Raspberry Pi.
Connect the adapter to your PC, then power on the console. As documented in the datasheet, if TEST1 pin is pulled-down, and other JTAG pins are connected, embedded ICE mode is enabled. The console should be halted, waiting for the debugger to connect. To do this, run openocd -f ftdi.cfg -f lh79524.cfg. You should get the message “accepting ‘telnet’ connection on tcp/4444”.
LH79524 memory maps can be directly read (verify in telnet by running mdw 0x44000000 10), but as commented in the configs, you might need to halt at different stages depending on what’s being dumped:
- Boot ROM: According to “LH79524 User’s Guide - 3.1 Theory of Operation”, Boot ROM is unmapped from 0x80000000 after it finishes loading other ROMs. In OpenOCD, attempting to read it afterwards results in data aborts. This gets complicated with LH79524, since the first device presented in the JTAG daisy-chain is a boundary scan TAP, not the CPU core TAP (the one we can read memory maps).
  - I haven’t figured out how to configure OpenOCD to support multiple devices, and transfer control to the next one cleanly. A workaround is implemented in the script, which after connecting, will run init and delay_halt (custom command that pulses nTRST, but might leave the system in an unreliable state). If this doesn’t work, you can alternatively comment those two commands, and instead run soft_reset_halt.
  - Afterwards, run dump_image 0x80000000.bin 0x80000000 0x2000.
- Other ROMs: The procedure above should also work. Alternatively, you can run reset, wait for cart program to be executed, then halt.
  - For CS1 ROM: dump_image 0x44000000.bin 0x44000000 0x400000.
  - For CS2 ROM: dump_image 0x48000000.bin 0x48000000 0x400000. Note that some carts might just be 2MB, so the second half will be mirrored. Unknown at this point if any use CS3, which can be seen in the expansion slot pinout (also on Pixter Color).
Here are some sanity checks for validating cart ROM dumps:
- Starts with bytes \xcc\x66\x55\xaa (these are checked by CS1 program @0x4402b764);
- At offset 0x8 is an address to a pointer table, where its first entry usually points to an address right after the end of the table;
- At offsets 0x20, 0x24, 0x28 are addresses to thumb mode subroutines;
- Several instances of string “SUNPLUS SPEECH”;
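The sanity checks above, plus the mirrored-half case noted for 2MB carts, as a script; this is an added example, not code from the original page. It assumes 32-bit little-endian words, absolute addresses inside the ROM's mapped window, and that bit 0 of a Thumb pointer may be set; check_cart_dump and make_sample are hypothetical names, and the sample image is constructed.

```python
import struct

MAGIC = b"\xcc\x66\x55\xaa"    # header bytes listed on the page
MARKER = b"SUNPLUS SPEECH"     # string the page expects several times

def _word(img, off):
    # Assumption: addresses are stored as 32-bit little-endian words.
    return struct.unpack_from("<I", img, off)[0]

def check_cart_dump(img, base=0x44000000):
    """Run the page's sanity checks on a cart ROM dump mapped at `base`."""
    end = base + len(img)
    res = {"magic": img[:4] == MAGIC, "table_in_rom": False,
           "first_entry_after_table": False, "thumb_ptrs": False}
    if len(img) >= 0x2C:
        table = _word(img, 0x8)
        res["table_in_rom"] = base <= table and table + 4 <= end
        if res["table_in_rom"]:
            # "Usually" true per the page, so treat a miss as a warning.
            first = _word(img, table - base)
            res["first_entry_after_table"] = table < first < end
        # Assumption: bit 0 may be set to mark Thumb code; mask it off.
        res["thumb_ptrs"] = all(base <= (_word(img, o) & ~1) < end
                                for o in (0x20, 0x24, 0x28))
    res["sunplus_count"] = img.count(MARKER)
    # A 2MB cart read as 4MB shows up as two identical halves.
    half = len(img) // 2
    res["mirrored_half"] = half > 0 and len(img) % 2 == 0 and img[:half] == img[half:]
    return res

def make_sample(base=0x44000000):
    """Constructed 0x100-byte image for testing; not data from a real cart."""
    img = bytearray(0x100)
    img[0:4] = MAGIC
    struct.pack_into("<I", img, 0x8, base + 0x40)   # pointer table at +0x40
    struct.pack_into("<I", img, 0x40, base + 0x50)  # first entry: past a 4-entry table
    for off, target in ((0x20, 0x81), (0x24, 0x91), (0x28, 0xA1)):
        struct.pack_into("<I", img, off, base + target)  # odd = Thumb bit set
    for off in (0xC0, 0xE0):
        img[off:off + len(MARKER)] = MARKER
    return bytes(img)

if __name__ == "__main__":
    import sys
    # Usage: script.py dump.bin [base]; falls back to the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample()
    base = int(sys.argv[2], 0) if len(sys.argv) > 2 else 0x44000000
    for name, value in check_cart_dump(data, base).items():
        print(f"{name}: {value}")
```

For a CS2 dump, pass 0x48000000 as the base so the pointer checks use the right window.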
PCB
- Model: H4651/J4287/J4288
- PCB Revision: PT1543A-BGA-4F2C 2005/04/30 Rev 4.2b