Monthly Archives: July 2016

Roland dg dxy-1300 firmware exploration

I have extracted the ROM images from the two 27C512 chips inside the DXY-1300. I then passed them though a disassembler. This produced the asm files respectively below.

RolandDG_R15209223_LH53140H_8949E is the more interesting because it contains z80 code that starts at 0100h.

The asm files have beep passed as all code. However they need to be separated into data and code. As there is HPGL data starting around E000h in the R15209223 file and likely numerous other sections. This HPGL is the test image that is drawn when the device is powered on holding down the enter key.

boot sequence log

The goal for me is to use my Z80 ICE debugger from TauntekĀ http://www.tauntek.com/Z80-In-Circuit-Emulator.htm to analyze the memory until its booted.

An objective is to change and find how the pen speed works. As I have a laser burner I want to mount on it.

0100h is the default place the z80 jumps to for execution and called the ORG. I also expect Ill be able to use the boot test image at location “000e0e0” to print out back engineering debug info.

RolandDG_R15179881_LH2357H9_8943B.asm

RolandDG_R15209223_LH53140H_8949E.asm

RolandDG_R15179881_LH2357H9_8943B.BIN

RolandDG_R15209223_LH53140H_8949E.BIN

I am waiting until I receive some new 27512 chips in the post as it appears the originals in the plotter are ROM or in some way not writable by my EEPROM programmer lt866cs.

here Is a simple analysis of the most used sub routine calls within the code. I believe it identifies the main execution loop.