Harris ROP101692/CR3A CPU info wanted.

[merlin]

I am hunting for any information at all for the Harris ROP101692/CR3A brain.
At least what specific core or cores this chip is built on. I have pin functions for the QFP but that is all.
I know this is an obsolete chip, why documentation is unobtainium, but I have reason for this.
Thanks all
73s

 

[radiotech33]

Did you ever work in lynchburg va for ge ?

 

[merlin]

Did you ever work in lynchburg va for ge ?

No,,overqualified.

 

[TDR-94]

Now that's funny!

 

[merlin]

Now that's funny!

Yea, the laugh was on them after going to TRW DSSG at twice the salary.

 

[merlin]

Hey, I discovered the core is 8751, so this is gonna be easy.
73s

 

[RandrewThomas]

Heh, I bet I know what you're working on, merlin. 'cause I'm working on one too.

In my case I'm converting my L3/Harris/MA/COM/Tyco/GE M7100 to be an APRS digipeater. up to 110W of transceiver for $50 from ebay is a great deal if you can get it programmed somehow.

BTW, the microcontroller you were asking about was a Hitachi H8 8 bit job. Hitachi got out of that business and now Renasas owns their old IP. I believe you can still get the general family datasheets and programming tools - at least used.

I will first try to program the radio with their ProGrammer software to tune 144.39 MHz in conventional mode. If that doesn't work, I'll consider trying to pin an Arduino in place of the "HILLARY" chip and figure out how to program the VCO et al myself.

Failing that, I may just use the RF power amp board for all them Watts it's got.

How's your' project coming?

 

[merlin]

Yea, you can do that but none of the Orion/M7100s will full duplex. Reason is the PLL synthesizer can only TX OR RX. A pair wired with a controller maybe.
I have the H8 down good, and yea, if your 7100 is 136-174 bandsplit, just program the ham frequencies you want. The 150-174 takes a lot of hardware mods and the PA in these is the Toshiba 65 watt module and they roll off steep below 145 Mhz. the 136 countrpart uses Misubishi modules and they are good down to 140 Mhz.
My project is going outside the Harris box, hacking the full firmware to make my own so no limits other than hardware. Solving that nefarious encrypted features thing Harris clusterfu&%ed.
I did this years back with the Delta and Ranger, so I own those. With legs, I can make them dance the tango.
Into the LPE-200s too, 3, reworked with C4FM on ham bands and working on D-star.
PS: It would take rewoking the firmware and probably adding memory for full APRS operation.
73s

 

[RandrewThomas]

I shouldn't need full duplex for an APRS digipeater since they listen and - after deciding it's appropriate to repeat - transmit on the same frequency. Mine is the 136-174 split, thankfully.

Regarding firmware in my project, I don't think I'll need any of the features handled by the DSP if I just "conventional" mode and handle the data outside the radio. But a lot of modern microcontrollers should be at *least* as capable as that TI chip - for example I might be able to take the I2S compatible (?) serial analog data out of the CPLD and straight into a STM32 micro for processing. Basically bypass the TI DSP in the radio.

I've still got a lot of study and testing to do first, obviously.

 

[merlin]

That TMS320 DSP I have the full development platform for. How I fudgeg the DSP board in the LPEs.
I do think it can do the job.
Suitable brains can be the 80f51, the high end Arduino, or the 8/16 bit PIC
That Raspbery PI looks good to.
Thinking I might try wiring the LPE DSP board into the Orions. (I have plenty of each) that would make it a Frankenstein 7100 and cheaper than a palate of 7100s.
Again, back to the APRS, you will still need the firmware but your notion of porting I2S you can add the needed memory outboard.
More up my alley is liken to SDR, all band,,all mode with all the encoding/decoding.
If you get lazy, you can always get an APRS digipeater and use the PA for 110 watt or combine a pair for 200 watt.
73s

 

[RandrewThomas]

Hey merlin, I don't know if this would be helpful to your efforts with M7100 radios, but I've sussed out how "personality" data is stored in Flash and in EEPROM. I've also figured out the serial programming protocol (mainly pretty standard ASCII "DLE SOH" [data] "DLE "ETX" type packet wrappers with a handful of "actions" or commands implemented.

Anyway, attached is my first-pass at annotating the contents of "personality" data in Flash/EEPROM. In the next month or so I should be releasing an open-source programmer (ProGrammer replacement) written in C for LabWindows/CVI. I'll port it to Qt at some point, but I'm kinda rusty at Qt.

 

[merlin]

Not totally there yet, I did glean most of the commands. my target is that elusive encrypted features and how it is stored. When I get some more positive results, I will forward them to you. Thanks for your input, every little thing helps.
73s

 

[merlin]

I have seen this before, a bit different than my platform. This is just a part of the data segment where I work the entire flash. I use IDA and it will show these data structures.
I see the work you put into this, maybe look at it from the same perspective as the CPU and consider, embedded gets down to bit wise data.

 

[RandrewThomas]

Yeah, I've been working toward the goal of creating an open source "ProGrammer" replacement, not quite your goal but I will have to work out a lot more on the bit level even for my purposes. I've looked at the data format differences between ProGrammer R18 and RPM created data and it mostly looks like a re-structuring of what I'm calling "headers". So ultimately I hope to be able to program personalities in radios with newer RPM-only compatible ROMs as well as the older ones. I've got several otherwise useless (to me) 800 MHz radios to play with for that. They also came with some Features enabled so that might be helpful for the following...

As far as chasing Features, from a ham perspective I'm not interested in any add-on features with the possible exception of "Preamp", which might be useful. However I've had some thoughts on the Features enabling and if the keys just unlock unencrypted H8 or DSP processor code, the "is this Feature enabled" logic should be findable and patchable.

I've used the free version of IDA for x86 code, but the full version costs many bucks. For this project have been using the disassembler included in the radio's own Hex Debug Tool (HDT) to look at the H8 code. It's also helped me figure out some of the Control Unit serial data. It's probably time for me to pause fooling around with data structs and start doing code analysis. In the past I've written Z80 and 68HC11 emulators and I wouldn't be afraid to do the same for the H8 if it'll help shake some clues out.

Questions:

Q1: is the "Patti" chip what they refer to as "ADI" when talking about ROMs?

Q2: is the "Patti" chip the 8051 compatible one that you were talking about? (I mistakenly said the H8 was 8051 compatible, it's not. It's a Hitachi designed RISC chip with some public docs, though this "Hillary" chip is custom, mainly as to qty and type of serial interfaces it seems).

 

[merlin]

Patti is a custom made chip (ASIC) that basically interfaces the radio hardware to the CPUs.
Up to the Orion radios, GE used Intel's MCS48 family CPUs. Orions had dual CPU in master/slave configuration these were usually TI chips with 8051 core?. M7100s used the H8. The Jaguar radios went with a 16 bit ARM CPU and TIs DSP.
As for programming, they all much work the same. A resistor in the programming cable determines the programming mode.(pers/keyload etc) Commands sent to the radio, the radio responds. Example: programmer sends 00h, radio sends ??h(depends on radio). Let me find my RS232 log, I will get it to you.
From an M-RK portable maybe. I had loading issues with my RS232 sniffer with some radios.
Back then, my notion was a universal programmer and get away from that Harris mess.

 

[merlin]

Chasing features. OK, say your radio has the hardware preamp(usually low band radios). that feature enabled, it can be controlled by firmware. a simple routine that latches a switch. Disabled, that routine is skipped.
That portion of firmware that handles all of that isn't encrypted, but the data block that determines features is.
It is also stored dynamically. Why I call it 'elusive'. One of Harris most closely guarded secrets, even from in house engineers.
You buy($$) A feature, Harris gives a hex string you edit into encrypted features.
A radio with everything enabled would be about priceless.

 

[TDR-94]

Chasing features. OK, say your radio has the hardware preamp(usually low band radios). that feature enabled, it can be controlled by firmware. a simple routine that latches a switch. Disabled, that routine is skipped.
That portion of firmware that handles all of that isn't encrypted, but the data block that determines features is.
It is also stored dynamically. Why I call it 'elusive'. One of Harris most closely guarded secrets, even from in house engineers.
You buy($$) A feature, Harris gives a hex string you edit into encrypted features.
A radio with everything enabled would be about priceless.

I wouldn't consider one,with all features enabled, priceless. I have an actual engineering/development/prototype VHF P7100P and it didn't cost much.

 

[merlin]

I wouldn't consider one,with all features enabled, priceless. I have an actual engineering/development/prototype VHF P7100P and it didn't cost much.

That would be a very rare radio, but my perspective is like a condom, 'better to have it and not need it, than to need it and not have it.'
The big box of P7100s I have won't do much for lack of features. A lot of wasted hardware.

 

[merlin]

Patti is a custom made chip (ASIC) that basically interfaces the radio hardware to the CPUs.
Up to the Orion radios, GE used Intel's MCS48 family CPUs. Orions had dual CPU in master/slave configuration these were usually TI chips with 8051 core?. M7100s used the H8. The Jaguar radios went with a 16 bit ARM CPU and TIs DSP.
As for programming, they all much work the same. A resistor in the programming cable determines the programming mode.(pers/keyload etc) Commands sent to the radio, the radio responds. Example: programmer sends 00h, radio sends ??h(depends on radio). Let me find my RS232 log, I will get it to you.
From an M-RK portable maybe. I had loading issues with my RS232 sniffer with some radios.
Back then, my notion was a universal programmer and get away from that Harris mess.

Ok, I blew it, 'Patti' is the TMS320 DSP chip and they are on the bottom of the 7100 control board. Must have confused them with Orion. And for commands for the radios, a haphazard part of what I have so far, (if you can figure this out) I sort of get lost with Harris ADI,RDI stuff, only clouds the issue.
These are all classed RISC processors for embedded control. H8 has a different instruction set than TI or Intel. Different memory map also which is important.

 

[merlin]

Curious how you launched the internal debug routines, do you have a command for that ?