diff --git a/README.md b/README.md index e715149..69cee34 100644 --- a/README.md +++ b/README.md @@ -15,4 +15,27 @@ I am interested in seeing a frequency analysis into a dummy load of the radio on # TA3782F -Most of the components in this radio are well known off the shelf stuff. However this TA3782F MCU is not and there is practically no documentation for it. I initially believed this to be some MCU utilizing an Arm Cortex-M4 core, but now I'm almost convinced this is not the case. I'm leaning toward some kind of Intel 8051 MCU architecture as this is providing some meaningful disassembly in IDA Pro. +Most of the components in this radio are well known off the shelf stuff. However this TA3782F MCU is not and there is practically no documentation for it. I initially believed this to be some MCU utilizing an Arm Cortex-M4 core, but now I'm almost convinced this is not the case. I'm leaning toward some kind of Intel 8051 MCU architecture as this is providing some meaningful disassembly in IDA Pro. + +Here's a typical snippet of disassembly of the firmware image assuming Intel 8051 code architecture + +... +code:0000B98D code_B98D: ; CODE XREF: code_B949+5B↓j +code:0000B98D mov A, #0x52 ; 'R' +code:0000B98F add A, RAM_30 +code:0000B991 mov DPL, A ; Data Pointer, Low Byte +code:0000B993 clr A +code:0000B994 addc A, #4 +code:0000B996 mov DPH, A ; Data Pointer, High Byte +code:0000B998 movx A, @DPTR +code:0000B999 mov R7, A +code:0000B99A lcall code_F101 +code:0000B99D inc RAM_30 +code:0000B99F mov A, RAM_30 +code:0000B9A1 clr C +code:0000B9A2 subb A, #0x25 ; '%' +code:0000B9A4 jc code_B98D +code:0000B9A6 ret +... + +The structure and logic of this section does seem to make sense, it's performing some kind of loop, incrementing a ram pointer, until some condition is met then returning.