Boot code 0xF002 - 0xFFFF disassembly?

dartof

Has anyone disassembled the boot / spin code in the Propeller's ROM? I have downloaded the ROM bytes to a PC and ran them through a crude disassembler, but all I get is gibberish code, except for the Parallax copyright and URL text. It appears that the data lines are scrambled somehow. What does the Propeller do after a reset? What bytes of the ROM get loaded into COG 0?

One of my pipe dreams is to make a stand-alone development environment that runs on a Prop, so knowing how it boots and loads external programs (and how the spin interpreter function) would help greatly. I've seen another thread where the serial download protocol from the PC to the Prop is discussed, but nothing beats looking at the source code for understanding.

Mike Green

The Spin interpreter and the boot loader are encrypted and decoded as they're copied from the ROM into cog #0 for execution. The description of the serial download protocol is really all there is in terms of public documentation of the boot loader's functioning. The work done by Cliff Biffle and by asterick for GEAR is most of what exists for "clean room" documentation of the Spin byte codes. Parallax considers the details of the Spin interpreter to be strictly proprietary.

deSilva

Running encoded "proprietary code" is terribly in since Microsoft/Intel have addressed this in processor design. The discussions about it are however strongly influenced by non-technical considerations.

The interesting design feature, that a COG is literally opaque, frustrate some obvious decoding attacks..

I think it will be a strong selling point for some circles, when the the code of the SPIN interpreter can be kept disclosed resisting professional decoding attempts.

Post Edited (deSilva) : 9/19/2007 5:46:54 AM GMT

mpark

hippy's been deciphering byte code: http://forums.parallax.com/showthread.php?p=665019

hippy

@ mpark : I have to give much credit there to Robert Bryon Vandiver ( Gear ) and Cliff Biffle for their original efforts. I've really only been filling in the missing gaps and would have got nowhere as fast as I have without their valuable contributions.

Development there, and on my standalone Assembler/Compiler, has been put aside for the time being while I do some proper Propeller development. That will hopefully deliver something quite 'fantastic' ( for some anyway ). More news hopefully soon.

@ dartof : I expect that the interpreter code will at some point be decrypted, after all it's easy enough to get an dump of it, albeit encrypted, and there's only 496 longs of it. I've considered having a go at it for my own personal satisfaction but there's the moral ( and possibly legal ) issue of releasing any determined information in public.

If the hardware copy uses simplistic encryption ( bit switching, address re-ordering, XOR'ing ) it may be a relatively easy process, but it could potentially be a lot more complex. Any scheme where a decryption depends on previous decrypted results can be a pain without knowing a starting point. I'm no expert so I'd just try the obvious then throw in the towel; I haven't even taken a Rom dump.

hippy

dartof said...
I have downloaded the ROM bytes to a PC

Is it possible to provide the data you've downloaded to save other people the effort of doing that step ( although it shouldn't be hard and would be a learning exercise in itself ) ?

But first ...

To Parallax Staff / Forum Admins : Would posting such a dump be considered unacceptable behaviour ?

dartof

There's no need to post the dump, here's the program I used to capture the ROM data.

First program the serial boot prom, then start Windows Hyperterminal, set it to 9600 baud no flow control, set it to record the session, and then hit reset on the Prop. Stop the recording. The file that is produced is each nybble of the code stored as an ASCII byte from 0x40 through 0x4F ('@' - 'O'). The spin code is simple enough that one could save the code in any format one wished.


I can see that keeping the spin interpreter PROPrietary would give some code protection to those who wanted to keep their code from prying eyes, but since this CPU seems to be about sharing code objects, the closed nature of the ROM seems counterproductive.

Mike Green

I believe the encryption/decryption uses a linear feedback shift register (LFSR) much like the one used for the pseudorandom operator and the download handshake.

Peter Jakacki

hippy, are you talking about the binary dump of the rom? If so, you should be using Forth [noparse]:)[/noparse] I did this dump some time ago.

*Peter*

hippy

@ Mike : I thought that might be the case. It's a quick and easy way to have casual hackers give up early. That suggests the code loading may be linear, but any other tricks ( barrel shifting, LFSR added rather than XOR'd ) add more layers to break through.

@ Peter : Thanks.

@ dartof : The closed nature of the Spin Interpreter isn't really counter-productive for most users and a defence against anyone who might decide to implement a clone Propeller Cog of their own. The only real use for knowing the Interpreter code would be to do that, create an emulator, and to determine better what the Spin byte code was. Parallax are generous but not a charity for commercial enterprises who won't put their own effort in

deSilva

See my remarks on the benefits of this encryption. As the loading of the COGs cannot be much delayed the choice of algorithms is limited. However it maybe that the loading time of SPIN takes considerably longer than the loading of a "general" piece of memory.
This can easily be measured - has anyone done this?

There can be (and are!) fine differences between the two versions of COGNEW

Ale

The rom dump is included in Gear, and I included it also in the latest version of pPorpellerSim.
At the end of the 4KB, there are some instructions, for what I saw (around the Parallax Message), but I really did not look closer. I added the ROM thinking of that... and later forgot. What they do in 496 longs is pretty amazing!

dartof

I was hoping that the ROM assembly code code was released somewhere that I hadn't looked, but now I see Parallax is keeping it a secret. I guess I'll have to slog through the Delphi code Chip posted in another thread to see if I can translate it to Propeller assembly code. I wonder if we're going to see a different download protocol when the Prop II is released.

hippy

dartof said...
I was hoping that the ROM assembly code code was released somewhere that I hadn't looked, but now I see Parallax is keeping it a secret. I guess I'll have to slog through the Delphi code Chip posted in another thread to see if I can translate it to Propeller assembly code.

Note that the Spin Interpreter code in Rom is an entirely different thing to the Download Protocol, so porting the download code will not get you any closer to discovering what the Interpreter code is.

Chip has also ported that Delphi code into Spin. A forum search on 'download protocol' and similar should find a fair bit of discussion on that if you are interested in that area.

dartof said...
I wonder if we're going to see a different download protocol when the Prop II is released.

I expect it will be very similar and a super-set of the existing protocol at worst. There is a version number which is returned from the Propeller and it may be this is the only change needed, along with sending more bytes to be burnt to Ram/Eeprom. It may be necessary to alter some timeout values for people who have written their own downloaders but I do not expect there to be too much of a problem in supporting the Prop Mk-II.

Post Edited (hippy) : 9/20/2007 3:24:45 PM GMT

dartof

@ hippy : Thanks. The PropellerLoader.spin code (which was in the object exchange section of the main website) tells me what I needed to know.

Maybe someday the bootcode source will be released for those of us who are curious.